Unterschiede

Hier werden die Unterschiede zwischen zwei Versionen angezeigt.


Vorhergehende Überarbeitung
Nächste Überarbeitung
content:serverbasics [2023/07/24 12:30] – [Raided LVM- Volumes] Daniel
Zeile 1: Zeile 1:
 +====== Linux: Basic Server Configuration ======
 +
 +These setting here are an advice to think about when setting up a new linux- machine (here on an opensuse distrubution, which i really like).
 +
 +===== Mountpoints =====
 +
 +By default openSuSE will set some conservative mountoptions, that are save, but not best choice for homeoffice use and maybe could also improve company servers. Here are some proposals to think about.
 +
 +==== Raided EFIBOOT ====
 +
 +There are some problems when raiding the efi-boot. I would suggest to use:
 +
 +<code>
 +~ # mdadm --create --verbose /dev/md/efiboot --level=1 --raid-devices=2 --metadata=1.0 --name=efiboot --homehost=system /dev/sda1 /dev/sdb1
 +
 +</code>
 +
 +The important part is metadata=1.0 - this format has especially designed to fit the needs of raid1 of fat/efi- systems.
 +
 +
 +==== LVM ====
 +
 +LVM is a powerful partition-management-layer and should always be used, when there is some none low-end hardware present. If you can use the **KDE Partitioning- Tool** (which means having Plasma=KDE Desktop compatible support), the support is very inuitive and opens a lot of flexibility whne handling partitions, like adding more disk space or moving partitions, but also on console this offers good functionality. OpenSuSE offer to create LVM- Styled system setup in installation optionally (not by default). If you can: use it.
 +=== Raided LVM- Volumes ===
 +
 +Noadays, raid1 or raid5 for system without LVM is outdated. Those things are integrated in LVM - so use it!
 +
 +First, creat a volume group with two same size partitions on two discs, than create a raid1 on it (for example):
 +
 +<code>
 +vgcreate vgsystem /dev/sdX1 /dev/sdY1
 +lvcreate -m1 --type raid1 -l 100%FREE -n lvroot vgsystem
 +
 +</code>
 +
 +where 100%FREE means 100% of Free Space used…
 +
 +To check if raid1 works, use:
 +
 +<code>
 +lvs -a -o name,copy_percent,devices vg_xxx
 +
 +</code>
 +
 +If this has not worked, use:
 +
 +<code>
 +lvconvert --type raid1 -m1 vg_xxx/lvol1
 +
 +</code>
 +
 +Or - you can do raid5 with:
 +
 +<code>
 +lvcreate -n lvdata --type raid5 -l 100%FREE -i 2 vgdata
 +
 +</code>
 +
 +where i equals the number of devices with Data (not including parity- storage)
 +
 +
 +=== Useful Commands ===
 +
 +The KDE- Partitionmanager is still not perfect. LVM is mor powerful in these things:
 +
 +== Moving logical Volumes to physical Devices ==
 +
 +Usually Partitions or Devices are only assigned to Volume-Groups (VG) and Logical Volumes (LV) are using them dynamically as needed. This makes it sometimes hard to understand, where the Data really is located right now. Especially when you are having different physical Devices, you may want one LV to use one Device.
 +
 +For an overview how the Data is split, you can use:
 +
 +<code>
 +# lvs -o+devices
 +LV     VG     Attr       LSize   Pool Origin Data%  Meta%  Move Log Cpy%Sync Convert Devices
 +  home   system -wi-ao----  78.63g                                                     /dev/sdb2(8013)
 +  root   system -wi-ao----  97.89g                                                     /dev/sda4(0)
 +  shared system -wi-ao---- 786.64g                                                     /dev/sdb2(130893)
 +
 +</code>
 +
 +You can also move them to single Devices if needed. Here i wanted my home to also be on the faster Device sda. As sda4 had enough free space, i could do:
 +
 +<code>
 +# pvmove -n system/home /dev/sdb2 /dev/sda4
 +
 +</code>
 +
 +
 +==== Filesystem ====
 +
 +Brtfs is the way to go everywhere. There are some disadvanteges while it is still in developement and sometime a bit oversized for homeoffice, but no other filesystem is that good in general usage. Only use other Filesystems, if there are reasons for - e.g. when exchanging files with another windows on that pc.
 +
 +==== Mountoptions ====
 +
 +BTRFs has a lot of Mountoptions and some here are really odd ones for every linux. I would suggest at least those:
 +
 +For **Desktopusage**: compress=zstd:3,noatime,nodiratime,autodefrag
 +
 +While autodefrag should not be necessary on ssd- harddiscs.
 +
 +For **Databases** or files that need speed and __**are well backed up otherwise**__  : nodatacow,nodatasum,noatime,nodiratime
 +
 +
 +=== Sources: ===
 +
 +  * [[https://fedoraproject.org/wiki/Changes/BtrfsTransparentCompression|https://fedoraproject.org/wiki/Changes/BtrfsTransparentCompression]]
 +  * [[https://btrfs.readthedocs.io/en/latest/Administration.html|https://btrfs.readthedocs.io/en/latest/Administration.html]]
 +
 +===== Quotas =====
 +
 +Brief: Quotas should be disabled
 +
 +==== What is it for? ====
 +
 +BTRFS comes with included support of disk quotas. It is enabled by default if a btrfs-volume is created. Disk quotas are useful to mangage diskspace, as they store informations of directory sizes in the filesystem. There may be programs, that calculate disk usage of directories only that way. One example is snapper: It will automatically delete old snapshots, if the space is running low on a device using snapshots. This is done, by checking the qoutas. Running snapper without qoutas will make this not working anymore. Instead other functions will be used - e.g. the maximum number of old snapshots to keep.
 +
 +To find out, if quoutas are enabled, do:
 +<code>
 +
 +btrfs qgroup show /
 +
 +</code>
 +
 +==== What is the problem? ====
 +
 +Quotas are complicated to manage by btrfs. As there are many situations, where the qoutas may get incorrect, they will often be invalidated and will need to be recalculated from scratch. Furthermore checking if they are correct is often needed - e.g. at startup or after some time. This process consumes a lot of cpu and disc utilisation and makes the hardware slow, sometimes rendering a computer useless for some time.
 +
 +==== Solution ====
 +
 +Because of this, the kernel.org- team recommends to turn disk quotas off if not needed.
 +
 +This can be done by:
 +
 +<code>
 +btrfs quota disable /
 +
 +</code>
 +
 +=== Snapper ===
 +
 +After that, /etc/snapper/configs/root should be checked:
 +
 +<code>
 +# limit for number cleanup
 +NUMBER_MIN_AGE="1800"
 +NUMBER_LIMIT="10"
 +NUMBER_LIMIT_IMPORTANT="10"
 +
 +</code>
 +
 +===== Swappiness =====
 +
 +If you have a lot of Ram, you may adjust the swappiness to better fit your needs - or turn off swap completely.
 +
 +e.g. /etc/sysctl.conf:
 +
 +<code>
 +vm.swappiness = 60
 +
 +</code>
 +
 +===== Filesystem and User rights in Linux =====
 +
 +While linux itself is a very secure system (when set up the right way), the rights given to files by default are not secure at all. Setting good rights is not an intuive process and is mostly not well done. So it needs some attention.
 +
 +==== Why care about rights ====
 +
 +If you are the only user on your pc, or your linux pc is a machine for the net, then you maybe fine. But if your pc is shared between some users e.g. in your family and used by some other persons, then you may wish, that personal informations of the one user is not accessible to the other one.
 +
 +Even if your pc is not used by others, there maybe other users on your pc by services running in different accounts, so maybe you want Data not to be visible to any user.
 +
 +==== Test the rights ====
 +
 +Lets start with a simple new file, let's say "~\securedata.txt" with text "secure data" in it. Let say we are user named testuser:
 +
 +New File ~\securedata.txt :
 +
 +<file>
 +testuser@xubuntu-stick:~$ echo secure data> ~/securedata.txt
 +
 +</file>
 +
 +Then become someone else, maybe user testuser2 and read that file:
 +
 +<code>
 +testuser@xubuntu-stick:~$ su -l testuser2
 +Passwort:
 +testuser2@xubuntu-stick:~$
 +
 +</code>
 +
 +Now lets see what the other user has written in its secure file:
 +
 +<code>
 +testuser2@xubuntu-stick:~$ cat ../testuser/securedata.txt
 +cat: ../testuser/securedata.txt: Keine Berechtigung
 +
 +</code>
 +
 +So everything right? No - not quite. Lets say horst decides to store is secure data in another location and do it again:
 +
 +<code>
 +testuser@xubuntu-stick:~$ mv securedata.txt /tmp
 +testuser@xubuntu-stick:~$ su -l testuser2
 +Passwort:
 +testuser2@xubuntu-stick:~$ cat /tmp/securedata.txt
 +secure data
 +
 +</code>
 +
 +So now the data the one user created is not secure any more. Well ok this sounds fine, because the data was moved to an insecure directory.
 +
 +But: Can you make sure that everybody knows which directories are secure and which aren't? Can you be really sure, that no personal information saved by any user-context-program is written only to secure directories and not visible to the other? I guess not.
 +
 +So it may be a better approach to not make the files created by someone readable by other user by default.
 +
 +==== UMask- Approach ====
 +
 +There ist a tool for this called umask. This tool defines the permission for new created files.
 +
 +By default the umask is 0002 or 0022. Those values are substracted from 0777, which would mean full access for everyone. You can check out the docs in the net how they work. I won't explain here, cause there is a big problem with umask: The value can only be changed on process level or user or systemwide. This means you cannot set them per directory - which would be intentional to the user.
 +
 +So forget about umask.
 +
 +==== FACLs ====
 +
 +F… what??? Yes: facl is the tool to do so. with that tool you can very much expand the rights per directory an on every file in detail. It ist also possible to have multiple group- access definitions, which are not possible otherwise.
 +
 +So lets do some facl- work:
 +
 +<code>
 +testuser@xubuntu-stick:~$ mkdir temp
 +testuser@xubuntu-stick:~$ getfacl temp
 +# file: temp
 +# owner: testuser
 +# group: testuser
 +user::rwx
 +group::rwx
 +other::r-x
 +
 +</code>
 +
 +As you can see, that directory has been created quite insecure. There is only the above permission preventing everyone to read the informations in it. Creating a new file in it, would make it the same way insecure, as it would have been before.
 +
 +But now lets set the mode to better fit our needs:
 +
 +<code>
 +testuser@xubuntu-stick:~$ setfacl -m d:o::--- temp
 +testuser@xubuntu-stick:~$ getfacl temp
 +# file: temp
 +# owner: testuser
 +# group: testuser
 +user::rwx
 +group::rwx
 +other::r-x
 +default:user::rwx
 +default:group::rwx
 +default:other::---
 +
 +</code>
 +
 +Note, that we only changed the DEFAULT permissions to be more secure (d:).
 +
 +Now lets again create a file there as we did before just in that - safe - directory. Also we can use getfacl on that file to check if it works:
 +
 +<code>
 +testuser@xubuntu-stick:~$ echo secure data> ~/temp/securedata.txt
 +testuser@xubuntu-stick:~$ getfacl temp/securedata.txt
 +# file: temp/securedata.txt
 +# owner: testuser
 +# group: testuser
 +user::rw-
 +group::rw-
 +other::---
 +
 +</code>
 +
 +As you can see, that file is more secure than before. So lets check, what happens now if we move that file as before.
 +
 +<code>
 +testuser@xubuntu-stick:~$ rm /tmp/securedata.txt
 +testuser@xubuntu-stick:~$ mv temp/securedata.txt /tmp
 +
 +</code>
 +
 +And check if it is accessible by another one:
 +
 +<code>
 +testuser@xubuntu-stick:~$ su -l testuser2
 +Passwort:
 +testuser2@xubuntu-stick:~$ cat /tmp/securedata.txt
 +cat: /tmp/securedata.txt: Keine Berechtigung
 +
 +</code>
 +
 +You can also check the rights now:
 +
 +<code>
 +testuser2@xubuntu-stick:~$ getfacl /tmp/securedata.txt
 +getfacl: Entferne führende '/' von absoluten Pfadnamen
 +# file: tmp/securedata.txt
 +# owner: testuser
 +# group: testuser
 +user::rw-
 +group::rw-
 +other::---
 +
 +</code>
 +
 +Now "Testuser2" knows, that he has to ask "Testuser" to tell him the secret he wrote in that file.
 +
 +That way you can also have one or more default group(s) assigned and to give only those groups access to the file(s), which is very powerful. As for the user perspective i would rate that approach more secure, than the default one.
 +
 +Its up to you to decide if this is more usable or not.
 +
 +==== Last words ====
 +
 +Some other intersting aspects:
 +
 +  * There are some interesting usages of the sticky bits for a. the user and group- bit and b. to files and directories in seperate
 +  * Mind, that only the user of the file can change its ownership. Per default all files created by the user are owned by the user.
 +  * That means: If you don't want a user be able to change the ownership of a file into insecure permissions, it may be a good way to set the default user of files in the directory to root and only allow group- access to it. That way directories can be read and written, but not the content will not be opened to everyone by some hacky user (or virus in the last mail of that user?)
 +
 +All in all thinking about permissions is a basic one whenever there is personal data that needs to be secured somehow. One cannot rely on the defaults and hope its all fine.
 +
 +And with FACLs there are powerful tools that should cover everything an administrator needs.
 +
  
  • content/serverbasics.txt
  • Zuletzt geändert: 2024/01/08 18:59
  • von Daniel