Linux disk partition layout / scheme. Best practice explained.
In 5 minutes you will learn:
- How to partition a disk for a Linux OS install in a secure manner.
If you need to know more about directory names like /var, /opt etc.
and what they are intended for,
read about the Linux FHS (Filesystem Hierarchy Standard).
Linux disk partition layout.
This is a real example:
It does not matter whether you prefer RAID/LVM or not.
Also, it is up to you which FS type you choose.
Some points need to be emphasized below.
[root@server ~]# df -h
Filesystem      Size  Used Avail Use% Mounted on
/dev/sda2       8.2G  817M  7.0G  11% /
tmpfs            16G     0   16G   0% /dev/shm
/dev/sda1       510M  110M  374M  23% /boot
tmpfs            64M   32K   64M   1% /tmp
/dev/sda6       8.2G  1.8G  6.0G  23% /var
/dev/sda7        17G  702M   16G   5% /usr
/dev/sda8       4.1G  9.8M  3.8G   1% /opt
/dev/sda9       162G   71G   83G  47% /space
/dev/sdb2       1.8T  1.2T  504G  71% /mnt/backup

You can use this partition table as a reference for your installs.
/tmp
nosuid,nodev,noexec,mode=1777,size=64M
Note that tmpfs is a filesystem type held in RAM. You can tune the size.
nosuid,nodev,noexec - for security reasons.
The most common vector for exploiting vulnerabilities in web scripts is to upload
some data via the vulnerable web script and execute it on the server.
By default all file uploads go into the tmp directory,
so we need to disable execution on the tmp filesystem.
You also have to disable SUID functionality and device creation here.
/boot
noauto,nosuid,noexec,nodev,data=journal,noatime,nodiratime
This is partition number 1, the first partition on the disk.
We can use legacy boot for this server.
You can also use noauto - usually you don't have to keep the /boot partition mounted.
But take care if you have unattended upgrades, which can upgrade the kernel and boot configs.
Also, do not forget to mount it when you need to upgrade something,
since some packages can trigger boot loader (like grub) and/or initramfs upgrades.
/ (root)
dev,noatime,nodiratime
Allocate enough space, depending on your disk size.
Note that partitions like /opt and /usr are separated from the root partition.
/var
nosuid,nodev,noexec,noatime,nodiratime
This directory usually holds many web server logs, so you need to
select its size according to your needs.
/usr
nodev,noatime,nodiratime
Usually holds many executable programs / software.
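The mount options above are only useful if they are actually in effect on the running system, so it is worth checking /proc/mounts rather than trusting /etc/fstab. The POSIX shell script below is an added example (not from the original page): it audits a constructed /proc/mounts-style sample against the nosuid/nodev/noexec requirements for /tmp, /boot and /var and the nodev requirement for /usr, and prints one line per missing option.

```sh
#!/bin/sh
# Added example: audit mounted filesystems against the hardening options
# from the layout above. Constructed /proc/mounts-style sample, not a real capture.
SAMPLE_MOUNTS='/dev/sda2 / ext4 rw,noatime,nodiratime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,size=65536k,mode=1777 0 0
/dev/sda1 /boot ext4 rw,nosuid,nodev,noatime,nodiratime 0 0
/dev/sda6 /var ext4 rw,nosuid,nodev,noatime,nodiratime 0 0
/dev/sda7 /usr ext4 rw,nodev,noatime,nodiratime 0 0
/dev/sda8 /opt ext4 rw,noatime,nodiratime 0 0'

# Options each mount point must carry, per the scheme above.
# /boot only shows up here when it is actually mounted (it may be noauto).
required_opts() {
  case "$1" in
    /tmp|/boot|/var) echo "nosuid nodev noexec" ;;
    /usr)            echo "nodev" ;;
    *)               echo "" ;;   # /, /opt, /space, backups: no restriction
  esac
}

# has_opt OPTS OPT: succeeds if OPT appears in the comma-separated OPTS
has_opt() {
  case ",$1," in
    *",$2,"*) return 0 ;;
    *)        return 1 ;;
  esac
}

# audit_mounts TEXT: prints one "mountpoint:option" line per missing option,
# nothing when every required option is present.
audit_mounts() {
  printf '%s\n' "$1" | while read -r _dev mnt _type opts _rest; do
    for want in $(required_opts "$mnt"); do
      has_opt "$opts" "$want" || printf '%s:%s\n' "$mnt" "$want"
    done
  done
}

audit_mounts "$SAMPLE_MOUNTS"
# Prints:
# /boot:noexec
# /var:noexec
```

To audit a live host, call audit_mounts "$(cat /proc/mounts)" instead of the sample.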
/opt
dev,noatime,nodiratime
All software built by you with --prefix=/opt/some-ver/ should go here.
Note that device files can be present here.
/space
dev,noatime,nodiratime
A big partition for data; symlink data directories into it.
This can be virtualization containers or files from a virtualization
supervisor like qemu / OpenVZ etc.
/mnt/backup
dev,noatime,nodiratime
This is a separate backup disk. Slow and reliable.
Please make sure that this disk has its SATA power cord connected to
a different power line coming out of your ATX power supply.
Never connect two disks to the same ATX power line.
Use a separate power line for each of the server's disks if possible.