Differences

This view shows the differences between two revisions of the page.

Old revision: content:serverbasics [2023/03/05 16:21] Daniel
New revision: content:serverbasics [2024/01/08 18:59] – [Raided EFI-BOOT] Daniel
Line 2: Line 2:
  
 These setting here are an advice to think about when setting up a new linux- machine (here on an opensuse distrubution, which i really like). These setting here are an advice to think about when setting up a new linux- machine (here on an opensuse distrubution, which i really like).
 +
 +===== Subpages =====
 +
 +<catlist content:serverbasics -nohead -noNSInBold -sortAscending -sortByTitle -noAddPageButton -maxDepth:1>
  
 ===== Mountpoints ===== ===== Mountpoints =====
  
 By default openSuSE will set some conservative mountoptions, that are save, but not best choice for homeoffice use and maybe could also improve company servers. Here are some proposals to think about. By default openSuSE will set some conservative mountoptions, that are save, but not best choice for homeoffice use and maybe could also improve company servers. Here are some proposals to think about.
 +
 +Basically i would recommend to use UEFI only in Bios and GPT- Partitiontable on at least two Harddrives. The Linux- Root- System AND the EFI- Partitions should be mirrored (raid1) for failsafe and mak it possible to have the system booting from ONE disk (which is not possible with raid5).
 +
 +The Data (like Home and program data) can have raid5 with 3 or more disks.
 +
 +Always use LVM, as this has many benefits. On OpenSuSE btrfs is the best Filesystem if you disable Quotas on datapartitions.
 +
 +
 +==== Raided EFI-BOOT ====
 +
 +Nowadays, UEFI is always the best choice to boot. UEFI- Boot is quite straight forward: You first take some device, make it gpt- partitioned, create a partition (i would at least take 500 MB today, better 1GB in size), format that partition with FAT32 and mark the partition as efi-boot via the partition flag. Thats all. After some OS installed to that partition in a UEFI- way, the bios can load those files and start the OS.
 +
 +Unfortunatelly, the designers of UEFI forgot, that if your not using hardware- raid (which i don't recommend, as your losing the ability to switch harddisks between your hardware), there is no standard way to raid the partition as FAT32 is not suitable for that (way too old filesystem).
 +
 +Fortunatelly the designers of OSS software- raid were smarter: They found a way to work around that.
 +
 +So I would suggest to use two disks both partioned with gpt and same sized efi-partitions and before creating the FAT32 filesystem do software raid on it. E.g.:
 +
 +<code>
 +~ # mdadm --create --verbose /dev/md/efiboot --level=1 --raid-devices=2 --metadata=1.0 --name=efiboot --homehost=system /dev/sda1 /dev/sdb1
 +
 +</code>
 +
 +The important part is metadata=1.0 - this format has especially designed to fit the needs of raid1 of fat/efi- systems.
 +
 +You than install your Linux to that md- Device. If its not found in the beginning of the installation, scan for raid- devices or just create it while installing.
 +
  
 ==== LVM ==== ==== LVM ====
  
 LVM is a powerful partition-management-layer and should always be used, when there is some none low-end hardware present. If you can use the **KDE Partitioning- Tool** (which means having Plasma=KDE Desktop compatible support), the support is very inuitive and opens a lot of flexibility whne handling partitions, like adding more disk space or moving partitions, but also on console this offers good functionality. OpenSuSE offer to create LVM- Styled system setup in installation optionally (not by default). If you can: use it. LVM is a powerful partition-management-layer and should always be used, when there is some none low-end hardware present. If you can use the **KDE Partitioning- Tool** (which means having Plasma=KDE Desktop compatible support), the support is very inuitive and opens a lot of flexibility whne handling partitions, like adding more disk space or moving partitions, but also on console this offers good functionality. OpenSuSE offer to create LVM- Styled system setup in installation optionally (not by default). If you can: use it.
 +=== Raided LVM- Volumes ===
 +
 +Noadays, raid1 or raid5 for system without LVM is outdated. Those things are integrated in LVM - so use it!
 +
 +First, creat a volume group with two same size partitions on two discs, than create a raid1 on it (for example):
 +
 +<code>
 +vgcreate vgsystem /dev/sdX1 /dev/sdY1
 +lvcreate -m1 --type raid1 -l 100%FREE -n lvroot vgsystem
 +
 +</code>
 +
 +where 100%FREE means 100% of Free Space used…
 +
 +To check if raid1 works, use:
 +
 +<code>
 +lvs -a -o name,copy_percent,devices vg_xxx
 +
 +</code>
 +
 +If this has not worked, use:
 +
 +<code>
 +lvconvert --type raid1 -m1 vg_xxx/lvol1
 +
 +</code>
 +
 +Or - you can do raid5 with:
 +
 +<code>
 +lvcreate -n lvdata --type raid5 -l 100%FREE -i 2 vgdata
 +
 +</code>
 +
 +where i equals the number of devices with Data (not including parity- storage)
 +
 +=== Useful Commands ===
 +
 +The KDE- Partitionmanager is still not perfect. LVM is mor powerful in these things:
 +
 +== Moving logical Volumes to physical Devices ==
 +
 +Usually Partitions or Devices are only assigned to Volume-Groups (VG) and Logical Volumes (LV) are using them dynamically as needed. This makes it sometimes hard to understand, where the Data really is located right now. Especially when you are having different physical Devices, you may want one LV to use one Device.
 +
 +For an overview how the Data is split, you can use:
 +
 +<code>
 +# lvs -o+devices
 +LV     VG     Attr       LSize   Pool Origin Data%  Meta%  Move Log Cpy%Sync Convert Devices
 +  home   system -wi-ao----  78.63g                                                     /dev/sdb2(8013)
 +  root   system -wi-ao----  97.89g                                                     /dev/sda4(0)
 +  shared system -wi-ao---- 786.64g                                                     /dev/sdb2(130893)
 +
 +</code>
 +
 +You can also move them to single Devices if needed. Here i wanted my home to also be on the faster Device sda. As sda4 had enough free space, i could do:
 +
 +<code>
 +# pvmove -n system/home /dev/sdb2 /dev/sda4
 +
 +</code>
 +
 +== Resizing logical Volumes with mounted Filesystem ==
 +
 +can be done by e.g.
 +
 +<code>
 +lvresize --size 20G /dev/vgfast/lvfast --resizefs
 +
 +</code>
 +
 ==== Filesystem ==== ==== Filesystem ====
  
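Review bot: the explanation of `--metadata=1.0` in the Raided EFI-BOOT part of this hunk is wrong in its reasoning, and the reason matters for the caveat that follows. The 1.0 superblock format was not designed for FAT or EFI; it only stores the md superblock at the end of the member device instead of at the start, so the FAT32 filesystem begins at sector 0 of each partition and the firmware, which knows nothing about md, can read either member as an ordinary ESP. State that instead of "especially designed", and add the consequence: anything that writes to the ESP outside Linux (the firmware itself, a rescue system or installer that mounts /dev/sda1 directly) changes only one member, and md will not notice the divergence until the array is scrubbed. Always mount the ESP through /dev/md/efiboot, and after firmware or bootloader work run `echo check > /sys/block/$(basename "$(readlink -f /dev/md/efiboot)")/md/sync_action` and watch `mismatch_cnt` in the same directory. Two smaller points in the same hunk: the sentence "which is not possible with raid5" should say why, namely that a striped ESP leaves no single disk with a readable FAT filesystem, whereas a degraded raid5 data volume still works; and `lvresize ... --resizefs` delegates to fsadm, whose man page lists ext2/3/4, ReiserFS and XFS, so for the btrfs root this page recommends use `lvextend` followed by `btrfs filesystem resize max <mountpoint>` unless the installed fsadm documents btrfs support.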
Line 18: Line 121:
 BTRFs has a lot of Mountoptions and some here are really odd ones for every linux. I would suggest at least those: BTRFs has a lot of Mountoptions and some here are really odd ones for every linux. I would suggest at least those:
  
-For **Desktopusage**: compress=zstd:1,noatime,nodiratime,autodefrag+For **Desktopusage**: compress=zstd:3,noatime,nodiratime,autodefrag
  
 While autodefrag should not be necessary on ssd- harddiscs. While autodefrag should not be necessary on ssd- harddiscs.
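Review bot: `nodiratime` in the changed desktop mount line is redundant; mount(8) states that `noatime` implies `nodiratime`, so `compress=zstd:3,noatime,autodefrag` is the equivalent shorter form. The bump from zstd:1 to zstd:3 is reasonable for a desktop, and since level 3 is the default btrfs uses when `compress=zstd` is given without a number, the option could also be written as plain `compress=zstd`.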
Line 148: Line 251:
 F… what??? Yes: facl is the tool to do so. with that tool you can very much expand the rights per directory an on every file in detail. It ist also possible to have multiple group- access definitions, which are not possible otherwise. F… what??? Yes: facl is the tool to do so. with that tool you can very much expand the rights per directory an on every file in detail. It ist also possible to have multiple group- access definitions, which are not possible otherwise.
  
-So lets do some facl- work:+So lets do some facl- work 
 + 
 +=== FACLget infos about settings ===
  
 <code> <code>
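Review bot: the new heading `=== FACLget infos about settings ===` is missing the separator that the sibling headings added in this revision use (`FACL: ...`); it should read `=== FACL: get infos about settings ===`. In the unchanged context line above it, `facl` is not a tool: the commands are `getfacl` and `setfacl` from the acl package, and naming them there would match the code block that follows.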
Line 163: Line 268:
  
 As you can see, that directory has been created quite insecure. There is only the above permission preventing everyone to read the informations in it. Creating a new file in it, would make it the same way insecure, as it would have been before. As you can see, that directory has been created quite insecure. There is only the above permission preventing everyone to read the informations in it. Creating a new file in it, would make it the same way insecure, as it would have been before.
 +
 +=== FACL: set default permissions ===
  
 But now lets set the mode to better fit our needs: But now lets set the mode to better fit our needs:
Line 182: Line 289:
  
 Note, that we only changed the DEFAULT permissions to be more secure (d:). Note, that we only changed the DEFAULT permissions to be more secure (d:).
 +
 +=== FACL: check new settings ===
  
 Now lets again create a file there as we did before just in that - safe - directory. Also we can use getfacl on that file to check if it works: Now lets again create a file there as we did before just in that - safe - directory. Also we can use getfacl on that file to check if it works:
Line 234: Line 343:
  
 Its up to you to decide if this is more usable or not. Its up to you to decide if this is more usable or not.
 +
 +=== FACL: full ACL- Sytnax ===
 +
 +The full Syntax is:
 +
 +<code>
 +      [d[efault]:] [u[ser]:]uid [:perms]
 +             Permissions of a named user. Permissions of the file owner if uid is empty.
 +
 +      [d[efault]:] g[roup]:gid [:perms]
 +             Permissions of a named group. Permissions of the owning group if gid is empty.
 +
 +      [d[efault]:] m[ask][:] [:perms]
 +             Effective rights mask
 +
 +      [d[efault]:] o[ther][:] [:perms]
 +             Permissions of others.
 +
 +</code>
 +
 +That means you can only set the defaults per user or per group and only files or directories at once.
 +
 +
 +=== FACL: use in batch and recursively ===
 +
 +FACLs do also have good ways to be used for whole directories, chek out:
 +
 +''setfacl'' has a //recursive// option (''-R'') just like ''chmod'':
 +
 +-R, –recursive Apply operations to all files and directories recursively. This option cannot be mixed with `–restore'.
 +
 +=== FACL: handle execute-bit with files and directories ===
 +
 +…it also allows for the use of the capital-x ''X'' **permission**, which means: execute only if the file is a directory or already has execute permission for some user (X)
 +
 +so doing the following should work:
 +
 +Set all Files AND the directories recursively to be readwriteable by user colleague and only give X to all Directories and only those Files, that already have x set:
 +
 +''setfacl -R -m u:colleague:rwX .''
 +
 +For setting the default permissions to be like that:
 +
 +''setfacl -R -m **d**:u:colleague:rwX .''
 +
  
 ==== Last words ==== ==== Last words ====
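Review bot: the sentence after the syntax block, "you can only set the defaults per user or per group and only files or directories at once", misreads the syntax it quotes: the `d:` prefix applies to every entry type listed, including `m[ask]` and `o[ther]`, and a default ACL is never set on files at all; it exists only on directories and is copied into the access ACL of files and subdirectories created inside them. That also affects the final command, `setfacl -R -m d:u:colleague:rwX .`, which walks regular files that cannot carry default entries; depending on the acl version setfacl either skips them or prints "Only directories can have default ACLs" for each one. Apply default entries to directories only, for example `find . -type d -exec setfacl -m d:u:colleague:rwX {} +`, and keep the preceding `setfacl -R -m u:colleague:rwX .` for the access entries. Two smaller points: the quoted option line `-R, –recursive ... `–restore'` has lost its double dashes in extraction and should read `-R, --recursive` and `--restore`; and the section should warn that a later `chmod` on the group bits of an ACL-carrying file rewrites the mask entry and silently caps every named-user and named-group entry, which `getfacl` reports as `#effective:`.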
content/serverbasics.txt · Last modified: 2024/04/20 13:02 by Daniel