I recently found myself in need of a procedure to repartition a newly installed Linode server. The server was a fresh install of CentOS 7, with the default root and swap partitions. I had recently become aware of the possibility to set extra security options on partitions, and wanted to implement this while setting up a new server. I also wanted to contain disk usage for separate areas of the system.
So I found myself in a difficult situation. I wasn't clear on how to go about this, and didn't have a thorough understanding of how partitioning and mounting worked on Linux, particularly with it being integrated within Linode's setup. As it turned out, it was all very simple, but it took a bit of research to find that out. This article shares what I learned, including a simple procedure for mounting and defining your modified partitioning. If you just want the procedure, please go right to it or give the background a quick skim first.
The majority of the procedure described here could be used with other hosts, and any part specific to Linode clearly references that. If you are repartitioning system directories, or other parts of the system which could be in use, you would need some way to access the server in single user mode, which means no SSH. Linode provide this through their Lish feature which offers console access, and that is what is used here.
You also need a way to provide block devices, carrying filesystems, for the new partitions to be mounted from. Linode provide this through their configuration manager. Elsewhere you would partition the disk and create the filesystems yourself with utilities such as mkfs, which are not covered here, or your host may provide options for this. It depends on your server setup. I use Linode so that is what is covered here. Please let us know how you get on in the comments, to help others, and I will also consider adding more information to the article to cover other setups.
There are two essential features of mounting partitions on Linux that are worth understanding: mounting filesystems, and defining them for the system to mount. This means the system utility mount and its companion fstab (the syntax of the /etc/fstab file). I strongly suggest you read at least the first part of the man pages for mount and fstab to improve your understanding of how these features of the system operate. Here is the introduction to fstab from its man page:
The file fstab contains descriptive information about the various filesystems. fstab is only read by programs, and not written; it is the duty of the system administrator to properly create and maintain this file. Each filesystem is described on a separate line; fields on each line are separated by tabs or spaces. Lines starting with '#' are comments, blank lines are ignored. The order of records in fstab is important because fsck(8), mount(8), and umount(8) sequentially iterate through fstab doing their thing.
A fresh CentOS 7 install on Linode will have something like this as the default /etc/fstab:
# /etc/fstab
# Created by anaconda on Thu Feb 2 14:49:35 2017
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
/dev/sda / ext4 defaults 1 1
/dev/sdb swap swap defaults 0 0
This defines a single root partition to contain everything, and a swap partition. This is not desirable. The reason is that there is no way to set different options for areas of the system that can benefit from them. The main benefits are security and containing expansion so one area of the system can't cause another to run out of disk space. You can find some links discussing options for this at the end of this article.
My chosen partitioning scheme, mostly for security on this web and email server, was to separate things out as follows (mount point, then the restrictive options applied to it):
/           (no extra options)
/home       (no extra options)
/var        nosuid
/var/log    nosuid,nodev,noexec
/var/www    nosuid,nodev
/tmp        nosuid,nodev,noexec
/var/tmp    nosuid,nodev,noexec
If you're wondering what "nosuid", "nodev" and "noexec" mean, then you didn't go and read the man page for mount now, did you? Well here's what you missed:
nosuid: Do not allow set-user-identifier or set-group-identifier bits to take effect.
nodev: Do not interpret character or block special devices on the file system.
noexec: Do not allow direct execution of any binaries on the mounted filesystem. (Until recently it was possible to run binaries anyway using a command like /lib/ld*.so /mnt/binary. This trick fails since Linux 2.4.25 / 2.6.0.)
Note the word "direct" in the description of noexec. It stops the kernel from executing a binary or script that lives on that filesystem, but it does not stop an interpreter installed elsewhere from reading and running a script stored there (for example sh /tmp/script.sh), and some installers expect to be able to execute from /tmp. These options raise the bar for an attacker who has gained a foothold; they are not a complete control on their own.
I also wanted to set some extra security on /dev/shm over and above the default provided by CentOS 7, and to serve /tmp and /var/tmp from the same partition. More on that later.
In other situations it would have been sensible for me to set nodev on the /home partition, but in this case nobody will have access to log in to the server except technicians, so it is better to keep the home directories open.
If you want to see what is currently mounted, simply enter mount on the command line to get a full list. But you already knew that from reading the man page for mount.
In order to provide the disk partitions themselves, so they are available to be mounted, Linode provide a great system. It is simply a case of logging in to your Linode Manager and going to the dashboard for your Linode. You can define a configuration for your disk space and also reuse it on multiple servers. All of the details for that can be found in their article:
Disks and Configuration Profiles
Of particular interest for defining devices to mount is the section Creating a Configuration Profile, but you will need to create disks first in order to assign them within your configuration profile.
The temporary filesystem (tmpfs) on CentOS 7 already has nodev configured by default. The only world-writable area it is used for is /dev/shm. I wanted all three options in place on /dev/shm, and also to use all three options for /tmp and /var/tmp. The two temporary directories were simply a case of adding them to the list of partitions to be configured, with both serving from the same partition, which can be done using the bind option provided by mount. Details for this soon. Securing /dev/shm is a slightly different case. Since it uses the temporary filesystem, /dev/shm is not shown in the default /etc/fstab file; it is configured automatically anyway. So to change that configuration, it is simply a case of adding an entry with the options specified. All of the options have to be specified, not just the ones being added, because the fstab entry replaces the automatic configuration rather than extending it. Here is the entry I added to /etc/fstab to ensure all three options were in place:
tmpfs /dev/shm tmpfs nosuid,nodev,noexec 0 0
With this in place, and of course after a reboot, executing the mount command in the shell clearly showed that /dev/shm now had all three options enabled. Great!
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev,noexec)
So my new configuration for /etc/fstab needed to look like this:
# /etc/fstab
# Created by anaconda on Thu Feb 2 14:49:35 2017
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
/dev/sda / ext4 defaults 1 1
/dev/sdb swap swap defaults 0 0
tmpfs /dev/shm tmpfs nosuid,nodev,noexec 0 0
# suid and dev are allowed for /home because only
# technicians are allowed to log in to this server
/dev/sdc /home ext4 defaults 1 2
# /var must be listed before the partitions mounted beneath it
/dev/sde /var ext4 defaults,nosuid 1 2
/dev/sdd /var/www ext4 defaults,nosuid,nodev 1 2
/dev/sdf /var/log ext4 defaults,nosuid,noexec,nodev 1 2
/dev/sdg /var/tmp ext4 defaults,nosuid,nodev,noexec 1 2
# /tmp is bound to /var/tmp (nothing to dump or fsck, so 0 0)
/var/tmp /tmp none bind 0 0
The first three entries we have already looked at: the two default entries and the tmpfs configuration for /dev/shm. The options for the root filesystem, and therefore anything not placed on its own partition, are left as the default with everything enabled. Anything that needs restricting must then be added below on its own partition.
The rest of the file contains the partition setup I intended to implement: separate partitions for /home, /var, /var/www and /var/log, and a partition for the two world-writable temporary directories. Two details are worth noting. First, mount -a processes fstab in order, as the fstab man page quoted above warns, so /var is listed before the partitions mounted beneath it; if /var/www were mounted first and /var afterwards, the /var mount would hide it. Second, the bind entry for /tmp has 0 0 in the dump and fsck pass fields, since a bind mount is not a filesystem in its own right and there is nothing to dump or check.
I wanted to use the same partition for the temporary directories, so I made use of the bind feature provided by mount. Here are the relevant details from the man page for mount:
The bind mounts.
Since Linux 2.4.0 it is possible to remount part of the file hierarchy somewhere else. The call is
mount --bind olddir newdir
mount -B olddir newdir
or fstab entry is:
/olddir /newdir none bind
After this call the same contents is accessible in two places.
Note that the filesystem mount options will remain the same as those on the original mount point.
Now that we have been through all the preparation for implementing changes to the partitioning, and the partitions have been configured in the Linode manager, the procedure for carrying out the changes was as follows. I will give you the procedure first, and then explain the steps.
/dev/sdX is the block device configured for the partition.
/XXX is the directory to mount the partition on.
- init 1 (warning: access to the server will stop)
- Log in through Lish
- mv /XXX /XXX.old
- mkdir /XXX
- mount /dev/sdX /XXX
- cp -ax /XXX.old/. /XXX
- Add entry to /etc/fstab
- Reboot
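The steps above, put together as a small script. This is an added example for this article, not the author's own procedure file. It assumes a hypothetical migrate_dir.sh run as root, a block device that already carries an ext4 filesystem, and that a directory which is in use has already been dealt with from single-user mode through Lish (steps 1 and 2 are not scripted). With DRY_RUN=1 it only prints the commands, which is a sensible first pass before touching a live system.

```shell
#!/bin/sh
# migrate_dir.sh: move an existing directory onto a freshly mounted partition
# and record the mount in /etc/fstab (steps 3 to 7 of the procedure).
# Added example, not the article's own script. Assumptions (hypothetical):
# the device already holds an ext4 filesystem, and an in-use directory has
# been handled from single-user mode via Lish (init 1) before running this.
set -eu

# run CMD...: execute, or only print the command when DRY_RUN=1 so the whole
# sequence can be reviewed before it changes anything.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# fstab_line DEVICE MOUNTPOINT FSTYPE OPTIONS: print the fstab record.
# A bind mount or tmpfs is not something fsck can check, so it gets 0 0;
# a real data partition gets dump 1 and fsck pass 2 (root alone is pass 1).
fstab_line() {
    case $3 in
        none|tmpfs) printf '%s %s %s %s 0 0\n' "$1" "$2" "$3" "$4" ;;
        *)          printf '%s %s %s %s 1 2\n' "$1" "$2" "$3" "$4" ;;
    esac
}

# copy_tree SRC DST: copy preserving mode, owner, timestamps, links and
# SELinux context, without crossing into other filesystems. "SRC/." rather
# than "SRC/*" makes the copy include dot-files such as /home/user/.ssh.
copy_tree() {
    run cp -ax "$1/." "$2"
}

# migrate_dir DEVICE MOUNTPOINT OPTIONS [FSTAB]: steps 3 to 7 of the procedure.
migrate_dir() {
    dev=$1; mnt=$2; opts=$3; fstab=${4:-/etc/fstab}
    run mv "$mnt" "$mnt.old"              # step 3: keep the old contents
    run mkdir "$mnt"                      # step 4: empty mount point
    run mount -o "$opts" "$dev" "$mnt"    # step 5: mount with the final options
    copy_tree "$mnt.old" "$mnt"           # step 6: copy everything across
    line=$(fstab_line "$dev" "$mnt" ext4 "$opts")
    if [ "${DRY_RUN:-0}" = "1" ]; then    # step 7: make it permanent
        printf 'append to %s: %s\n' "$fstab" "$line"
    else
        printf '%s\n' "$line" >> "$fstab"
    fi
}

# Usage: migrate_dir.sh /dev/sdf /var/log defaults,nosuid,nodev,noexec
# Prefix with DRY_RUN=1 to print the commands instead of running them.
if [ $# -ge 3 ]; then
    migrate_dir "$@"
fi
```

Mounting with -o in step 5 means the partition is used with the same options that will go into fstab, so what you check afterwards with mount is what you will get after the reboot (step 8). For /tmp and /var/tmp, also confirm the mount point is still mode 1777 once the copy has finished.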
If you keep Lish open when you reboot, your connection to the server will remain open and the server boot process will be visible when it starts, allowing you to log in again once complete and issue init 1 from there.
The first step is to drop the operating system to single user mode. This will stop all access to the server except through the console. This means you will no longer be able to access the server through SSH and will have to make use of the Linode Shell feature, called Lish, to access the server. This is only necessary for parts of the filesystem that already exist and are in use by the system. In my case, I only needed to do this for /var/log. The other areas, /var/www and the temporary directories, were all empty and not in use (it being a fresh install), so they could be changed over without dropping to single user mode.
I recommend following the whole procedure through for one partition at a time, and checking each one carefully before moving on to the next. You can check the current situation by issuing a mount command to list all active mounts, or I like to use df -h to see all filesystems including their mount points.
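Reading mount output by eye, as done above for /dev/shm and suggested here for each partition, scales poorly once several mount points each need a different set of options. The following audit script is an added example (not from the article) that checks a mount table in the format of /proc/self/mounts against the scheme used in this article, and also checks that /etc/fstab lists each parent mount before the mounts beneath it. The policy list assumes the author's partition scheme; the sample mount table and fstab fragments are constructed for illustration, not captured from a real server.

```shell
#!/bin/sh
# audit_mounts.sh: check mount options and /etc/fstab ordering against the
# partition scheme in this article. Added example, not the article's code.
# Input is /proc/self/mounts style text ("device mountpoint type options
# dump pass"); the samples below are constructed, not captured from a server.

# Policy (assumed from the article's scheme): mount point and the options
# it must carry.
POLICY='/dev/shm nosuid,nodev,noexec
/var nosuid
/var/www nosuid,nodev
/var/log nosuid,nodev,noexec
/var/tmp nosuid,nodev,noexec
/tmp nosuid,nodev,noexec'

# opts_has OPTS NAME: true if the comma-separated OPTS list contains NAME
# as a whole word ("nodev" must not match "dev" or a longer option).
opts_has() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# mount_opts MOUNTS MOUNTPOINT: option field of the last entry for MOUNTPOINT
# (if a path is mounted more than once, the last mount is the visible one).
mount_opts() {
    printf '%s\n' "$1" | awk -v m="$2" '$2 == m { o = $4 } END { print o }'
}

# audit_mounts MOUNTS: report each policy mount point that is missing a
# required option or is not a separate mount at all. Returns 1 on any finding.
audit_mounts() {
    rc=0
    while read -r mnt req; do
        [ -n "$mnt" ] || continue
        have=$(mount_opts "$1" "$mnt")
        if [ -z "$have" ]; then
            printf '%s not mounted separately\n' "$mnt"; rc=1; continue
        fi
        old_ifs=$IFS; IFS=,
        for o in $req; do
            opts_has "$have" "$o" || { printf '%s missing %s\n' "$mnt" "$o"; rc=1; }
        done
        IFS=$old_ifs
    done <<EOF
$POLICY
EOF
    return $rc
}

# fstab_order_ok FSTAB: mount -a walks fstab top to bottom, so a mount point
# must come after its parent (/var before /var/log), otherwise mounting the
# parent later hides the child. Prints offenders, returns 1 if there are any.
fstab_order_ok() {
    printf '%s\n' "$1" | awk '
        NF == 0 || /^[ \t]*#/ { next }
        { n++; m[n] = $2 }
        END {
            bad = 0
            for (i = 1; i <= n; i++)
                for (j = i + 1; j <= n; j++)
                    if (index(m[i], m[j] "/") == 1) {
                        printf "%s is listed before its parent %s\n", m[i], m[j]
                        bad = 1
                    }
            exit bad
        }'
}

# Constructed sample: a server before the /dev/shm change, with /var/www not
# yet on its own partition.
SAMPLE_BEFORE='/dev/sda / ext4 rw,seclabel,relatime,data=ordered 0 0
tmpfs /dev/shm tmpfs rw,seclabel,nosuid,nodev 0 0
/dev/sde /var ext4 rw,seclabel,nosuid,relatime 0 0
/dev/sdf /var/log ext4 rw,seclabel,nosuid,nodev,noexec,relatime 0 0
/dev/sdg /var/tmp ext4 rw,seclabel,nosuid,nodev,noexec,relatime 0 0
/dev/sdg /tmp ext4 rw,seclabel,nosuid,nodev,noexec,relatime 0 0'

# Run against the live system with: sh audit_mounts.sh --live
if [ "${1:-}" = "--live" ]; then
    audit_mounts "$(cat /proc/self/mounts)"
    fstab_order_ok "$(cat /etc/fstab)"
fi
```

On the constructed sample the audit reports "/dev/shm missing noexec" and "/var/www not mounted separately" and exits non-zero; once the tmpfs entry for /dev/shm and the /var/www partition are in place it is silent. Run it after the reboot in step 8 and again from a cron job if you want drift caught later.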
The procedure is simply to rename the existing directory to a new location (appending ".old"), then create an empty directory to mount on. It needs to exist, and it needs to be empty, since anything in it would be hidden once the partition is mounted over it. The partition is then mounted at its new location and the contents copied over. Copy with cp -ax /XXX.old/. /XXX rather than a shell glob such as /XXX.old/*, because the glob skips dot-files (for /home that would mean losing .ssh and the like); -a preserves ownership, permissions and SELinux context, and -x keeps the copy on one filesystem. Steps 3 to 6. Easy.
The permanent mounting is then done by adding the entry to the /etc/fstab file and rebooting. Steps 7 and 8. After the reboot, run mount and confirm the new mount points show the options you set; for /tmp and /var/tmp, also confirm the directory is still mode 1777 (ls -ld /tmp). When you are happy with it, you can delete the ".old" location.
And that's about it. I hope the information in the article is useful. If there is anything that is unclear, I would love to help and that will in turn help me to improve the article. Please use the comments form below, indicating if you would prefer the comment to be private, or use one of the other contact options available.
18 March 2017. A section was added to the introduction explaining how the procedure can be used on other hosts. An info box was added at the top drawing attention to the procedure for those in a hurry.
19 March 2017. Added info below the procedure, explaining that Lish can be kept open.
- Linode forum: Possible to move /var to separate partition after install?
- Linode forum: Repartitioning
- Moving /var, /home to separate partition
- Most secure way to partition linux?
- 9.15.5. Recommended Partitioning Scheme
- CentOS: HowTos / OS Protection
- Security Harden CentOS 7 - Secure Partition Mount Options
- Increasing Linux server security with nodev, nosuid and no exec options
- Explanation of nodev and nosuid in fstab
- Effect of nosuid on executables inside the mounted filesystem
If you are in need of professional assistance to carry out a procedure similar to that outlined in this article, or have another system administration issue you need help with, please contact us and we will be happy to discuss options for assisting you.
The links to Linode contained in this article include a referral code so that I will get some benefit if you should decide to sign up after using one of those links. Here is a referral link to the Linode homepage should you wish to use it.
We would love to hear from you about your experiences relating to the information in this article. If you have seen something here that needs correcting, please let us know so we can improve the information.
Comments can be made using the form above, and will be posted here if appropriate for us to do so. Please let us know in your comment if you would prefer us not to publish it, in which case we will of course honour that request. Your email address will only be used to contact you regarding your comment, and will not be passed on to third parties or used in any other way. Any web address you provide will be used as a link from your name introducing your comment, if appropriate for us to do so.
This article is copyright Nigel Peck 2017. All rights reserved. Please contact us if you would like to republish this article, in whole or in part, and we will be happy to discuss options for that. Quoting from the article is permitted. Please provide a link back to the article, adjacent to the quote, and clearly indicate any modifications. Quoting anything more than two or three sentences should be discussed with us first.