I think usually separating things into different file systems doesn't help/improve security. If someone breaks into the system while it's running, anyway everything is mounted and there is no logical difference to having everything in one file system. What reasons were given in the material you studied?
That said, it can help performance (different file systems or different hardware beneath these mount points) and shorten how long a disaster recovery takes (e.g. if only the SSD that held /var went up in smoke, you only have to restore that backup and the rest stays running).
You were asking about recommended partition sizes:
- For
/ you're good with 15-20 GB. I've never needed more for a server (running a web server + mail server).
swap I usually put on its own volume / partition which has the same size as the RAM - simply so that suspend-to-disk can work. People used to recommend 2xRAM size, but with nowadays' RAM sizes, when you run into a situation where you need a serious amount of swap, you're anyway in trouble. You'll notice it from a massive slowdown, and you should then quickly increase the available RAM./boot just needs 500 MB, which gives it space for 8+ kernel+initrd versions. Make sure to run apt autoremove frequently, to keep it trimmed after kernel upgrades.- I would keep
/usr and /opt as directories on /, just don't see a benefit in moving them to their own filesystems.
- As described in this hardening guide, having a separate volume for
/tmp does make sense, as it allows you to make that world-writable directory more restricted - both in how much space it can use of the totally available space, and what can be done with the files that are stored there. The guide recommends to use the nodev, nosuid and noexec options when mounting the filesystem. The guide only gives the mount commands for "one-time use". Translating this into a line in /etc/fstab would mean that you place nodev,nosuid,noexec into the 4th (options) column of the line where you mount the dedicated /tmp volume onto /tmp.
- That leaves us with
/home and /var - that's usually the "important" stuff. On my servers /home is pretty much empty, but /var holds public_html, the logs, the databases, etc. So I keep /home as a directory on /, but /var definitely gets its own volume, and is backed up most frequently. Give it all remaining space after the above was done.
Then you asked how to make the transition:
- In the running system, where everything is on
/, attach the new disk (VDI file, ...), prepare it with pvcreate, lvcreate and then the file systems of your choice (mkfs.ext4 for example).
- Then make temporary mount points under /mnt, e.g. /mnt/newroot, /mnt/newvar, ... and mount the file systems there.
- Then use
rsync -xaP <source>/ <destination>/ for each of your file systems. The '-x' option will prevent rsync from crossing file system boundaries, i.e. if you do rsync -xaP / /mnt/newroot/ it won't also copy /var, /home or even all the new filesystems mounted under /mnt. '-a' will make sure permissions etc. will be taken over without modification, and '-P' shows progress. For details, please refer to man rsync.
After that's done, edit the /mnt/newroot/etc/fstab and make sure you list all file systems at the appropriate mount points. If you've gotten that far, this shouldn't be too hard (as you chose all the /dev/mapper/... names, file systems, etc.).
You will also have to use grub-install and maybe update-grub to make the new disk bootable, but there I'm not so sure about the exact procedure. With VMs you can easily try it out and if it doesn't boot, attach the old disk again and fix it.
For reference, here is a shell session that gives you some specific commands on the partitioning + LVM + formatting + referencing in fstab topics. Please note that you most likely will have to modify them, for example if your device isn't /dev/sda, if you want different file systems, etc. - it's merely an example.
# After using fdisk to create one partition that covers the whole device,
# it looks like this:
root@ubuntu:~# fdisk -l /dev/sda
Disk /dev/sda: 100 GiB, 107374182400 bytes, 209715200 sectors
Disk model: VBOX HARDDISK
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: 18ACB4C9-3F33-7041-8BEB-D819F138A809
Device Start End Sectors Size Type
/dev/sda1 2048 209715166 209713119 100G Linux LVM
Create a physical volume for LVM
root@ubuntu:~# pvcreate /dev/sda1
Physical volume "/dev/sda1" successfully created.
Create a volume group with the name "vg1" for LVM that will
hold all our logical volumes
root@ubuntu:~# vgcreate vg1 /dev/sda1
Volume group "vg1" successfully created
Create the logical volumes as described above
root@ubuntu:~# lvcreate --name root --size 20G vg1
Logical volume "root" created.
root@ubuntu:~# lvcreate --name swap --size 8G vg1
Logical volume "swap" created.
root@ubuntu:~# lvcreate --name boot --size 500M vg1
Logical volume "boot" created.
root@ubuntu:~# lvcreate --name tmp --size 5G vg1
Logical volume "tmp" created.
Have a look at the logical volumes
root@ubuntu:~# lvs
LV VG Attr LSize Pool Origin Data% Meta% Move Log Cpy%Sync Convert
boot vg1 -wi-a----- 500.00m
root vg1 -wi-a----- 20.00g
swap vg1 -wi-a----- 8.00g
tmp vg1 -wi-a----- 5.00g
Have a look at the volume group and see how much space is left
root@ubuntu:~# vgs
VG #PV #LV #SN Attr VSize VFree
vg1 1 4 0 wz--n- <100.00g <66.51g
Use the remaining space for the last logical volume, var
root@ubuntu:~# lvcreate --name var --size 66.5G vg1
Logical volume "var" created.
Have another look at the volumes
root@ubuntu:~# lvs
LV VG Attr LSize Pool Origin Data% Meta% Move Log Cpy%Sync Convert
boot vg1 -wi-a----- 500.00m
root vg1 -wi-a----- 20.00g
swap vg1 -wi-a----- 8.00g
tmp vg1 -wi-a----- 5.00g
var vg1 -wi-a----- 66.50g
Format all volumes with ext4 file system
for i in /dev/mapper/vg1-*; do mkfs.ext4 $i; done
Turn vg1-swap into swap space
mkswap /dev/mapper/vg1-swap
Create fstab entries that look like this
/dev/mapper/vg1-root / ext4 defaults 0 1
/dev/mapper/vg1-boot /boot ext4 defaults 0 2
/dev/mapper/vg1-var /var ext4 defaults 0 2
/dev/mapper/vg1-tmp /tmp ext4 nosuid,nodev,noexec 0 0
/dev/mapper/vg1-swap none swap sw 0 0
