Re: bin, sbin, etc as separate LVM volumes



In article <52be$442048f9$cb248f0$26344@xxxxxxxxxxxxxxxxxxxxx>, Robert Heller
says...

Rick DeBay <Rick_member@xxxxxxxxxxx>,
In a message on 21 Mar 2006 08:54:37 -0800, wrote:

RD> In article
<slrne1uh23.ldj.danSPANceswitTRAPhcrows@xxxxxxxxxxxxxxxxxxxxxxxxxxx>,
RD> Dances With Crows says...
RD> >
RD> >On 20 Mar 2006 14:57:40 -0800, Rick DeBay staggered into the Black Sun
RD> >and said:
RD> >> Does anyone have a how-to on creating all the root directories as
RD> >> separate LVM volumes?
RD> >
RD> >"All the" root directories? There's one / .
RD> >
RD> >> The Suse install will allow you to create / as an LVM and set up the
RD> >> initrd for you, but it won't allow you to make a separate volume for
RD> >> each directory [such as /bin , /sbin , /etc , etcetera].
RD> >
RD> >/bin , /sbin , and /etc must be on the same filesystem as / unless you
RD> >do a fair amount of tricky, fiddly hacking around with boot scripts.
RD> >When the kernel's finished loading itself, it mounts / , then executes
RD> >/sbin/init , which reads /etc/inittab . /bin is necessary because
RD> >that's where mount lives, and you almost certainly need to mount
RD> >filesystems other than / . You *can* make it possible to have /bin and
RD> >/sbin and /etc on separate filesystems from / . It's just a really,
RD> >really long run for a short slide, and it requires screwing around with
RD> >init so it looks for its config file in /inittab not /etc/inittab , and
RD> >it's just usually not worth it.
RD>
RD> I thought the boot process executed from initrd, then mounted volumes
RD> read-only, then mounted them read-write, then continued? Any good docs that
RD> detail the boot process w/ GRUB, LVM, and a 2.6 kernel?

Initrd has little actual code (user mode programs), mostly just the
driver modules needed to get to the root file system(s). There might
be a minimal static version of mount also there. Not enough to really
do more than mount one file system and then swap it in for /. Not
enough there to mount *several* file systems. So, the first file
system mounted *has* to have enough stuff on it to complete the init
process. That is it *must* include /bin, /sbin, /etc, /lib, and /dev,
to start with -- these all must be all on the same file system. Unless
you really want to go through extreme hassle. Generally not worth it,
even for the most paranoid. You can mount the whole thing RO though.

We remounted / as RO for a quick test. TightVNC couldn't connect, as it writes
to root. I symlink what it's writing to the /var hierarchy.

I've heard about read-only root for a while, but at
http://www.seifried.org/lasg/installation/ I read about mounting each directory
with different permissions. Hopefully Kurt tried it before writing about it.

Another hack: have two incarnations of /etc: a minimal one on the base
root file system, and another one mounted later *on top of* the root
/etc, which could be mounted RW (which has the 'live'

I was thinking about this, but wouldn't that cause support headaches? You're
looking at configuration files in the live /etc wondering why there's an issue,
and it's because the service started using the old /etc files, before the new
/etc was mounted. You'd tear your hair out changing the 'live' version, but
whenever the system was rebooted it'd use the old one.

/etc/{passwd,shadow,group} files. Mounting everything under the base
root directory RO is perfectly fine (even /etc, although that makes
adding and removing users and file systems etc. a pain, which in fact
could be the point). If your sysadmins don't need to mess with creating

Exactly the point. If someone comes to me asking why they're having a problem
adding a new employee to the production server, or installing Tux Racer, I want
to be able to kick them.

users or updating anything else in /etc/, you can just mount it RO. You
can change this *on the fly* if you need to ('man mount', see the
remount option).

RD>
RD> Part of this is disk management, and part is paranoia. I was planning on
RD> mounting these volumes (except for /etc) as read-only, along with noexec,
RD> nosuid, etcetera as applicable.
RD> We store HIPAA data which, while boring to the world in general, can get us
RD> sued into extinction if it's compromised.
RD> into extinction if it's compromised. This SEEMED like a simple task to add
RD> another speedbump, and then it tweaked my curiosity.
RD>
RD> >Why do you think you need /bin and /sbin on separate LVM volumes,
RD> >anyway? Those directories are pretty dang small and they don't change
RD> >much. /bin is 8.5M here, /sbin is 6.6M, and /etc is 39M (stupid GNOME
RD> >library databases are inflating that.)
RD>
RD> Yeah, I'd get rid of Gnome but these systems have to be maintainable by a
RD> Windows admin or in a pinch a talented Windows user.

Don't give them the root password. Instead give them sudo and be real
clever with /etc/sudoers. 'man sudoers'

Yep, and I was going to put them in the Wheel group.

You don't need the Gnome system installed (just the X11 and Gnome
*libraries* and a few of the applications), if these mess-windows
people have an X11 server installed on their mess-windows boxes and the
machine is on the (local, behind a solid firewall) network.

RD>
RD> Thanks, Rick DeBay

Robert Heller -- 978-544-6933
Deepwoods Software -- Linux Installation and Administration
http://www.deepsoft.com/ -- Web Hosting, with CGI and Database
heller@xxxxxxxxxxxx -- Contract Programming: C/C++, Tcl/Tk
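An added audit check, not code from either poster: it applies Robert's rule that /bin, /sbin, /etc, /lib and /dev must resolve to the root filesystem, and reports which mount options (ro, noexec, nosuid, ...) each mount carries, using a constructed /proc/mounts table. The volume names and the table itself are made up for the example.

```shell
#!/bin/sh
# Constructed sample of /proc/mounts (not captured from a real host):
# / is mounted read-only, /etc sits on its own LVM volume mounted RW,
# /var and /home are separate volumes with restrictive options.
SAMPLE_MOUNTS='/dev/mapper/vg0-root / ext3 ro,nosuid 0 0
/dev/mapper/vg0-etc /etc ext3 rw 0 0
/dev/mapper/vg0-var /var ext3 rw,nosuid,nodev 0 0
/dev/mapper/vg0-home /home ext3 rw,nosuid,nodev,noexec 0 0'

# Longest mountpoint that is a prefix of the path, which is how the
# kernel resolves which filesystem a path lives on.
mountpoint_of() {
    printf '%s\n' "$SAMPLE_MOUNTS" | awk -v p="$1" '
        { mp = $2
          if (p == mp || mp == "/" || index(p, mp "/") == 1)
              if (length(mp) > length(best)) best = mp }
        END { print best }'
}

# Mount options for a mountpoint; empty if nothing is mounted there.
options_of() {
    printf '%s\n' "$SAMPLE_MOUNTS" | awk -v mp="$1" '$2 == mp { print $4 }'
}

# True if the mount at $1 carries option $2 (e.g. ro, noexec, nosuid).
has_option() {
    case ",$(options_of "$1")," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Directories that must be on the root filesystem for init to run
# (/sbin/init, /etc/inittab, /bin/mount, /lib, /dev). Prints one WARN
# line per directory on a separate mount; returns 1 if any were found.
# Options on the root filesystem itself can be changed on the fly with
# 'mount -o remount,ro /' (see the remount option in 'man mount').
check_early_boot_dirs() {
    rc=0
    for d in /bin /sbin /etc /lib /dev; do
        mp=$(mountpoint_of "$d")
        if [ "$mp" != "/" ]; then
            echo "WARN: $d is on separate mount $mp (opts: $(options_of "$mp"))"
            rc=1
        fi
    done
    return $rc
}
```

Against the sample table the check flags only /etc; on a real host, replace SAMPLE_MOUNTS with the contents of /proc/mounts.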

