What's best partitioning practices for Solaris 10

sunhux
sunhux used Ask the Experts™
on
What's the best practice for partitioning a Solaris 10 x86?

AIX & Solaris hardening benchmarks by CIS do not indicate
separate partitions for /var, /var/log, /tmp, /var/tmp (with the last
2 being world-writeable) but they're indicated for RHEL/CentOS.

Solaris 10 patches are often 2GB nowadays so is this
something we should cater for?

I'm on UFS (not ZFS).

Also, what's the swap size?  16GB?  In the days of
Solaris 2.2-2.5, Sun used to recommend double the
size of RAM for swap but this doesn't hold anymore
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Fractional CTO
Distinguished Expert 2018
Commented:
1) What's the best practice for partitioning a Solaris 10 x86?

Just a matter of preference.

Different people have different approaches.

I personally create only /boot + / (all other files).

Other people have other approaches.

2) AIX & Solaris hardening benchmarks by CIS do not indicate
separate partitions for /var, /var/log, /tmp, /var/tmp (with the last
2 being world-writeable) but they're indicated for RHEL/CentOS.

There is no benefit to separate partitions. Ownership/Permissions/ACLs determine security, not partitions.

Creating partitions for all these separate directories creates a massive problem, because if a partition is small + fills up, then you have a set of problems which crash systems.

Tip: A crashed system is just as bad + non-functional as a hacked system.

3) Solaris 10 patches are often 2GB nowadays so is this
something we should cater for?

Make / take up all your file system space + this becomes a non-issue.

Tip: Some patches exceed 2G, so you'll have to plan for this eventuality regards /tmp + /var/tmp as different patches will use /tmp + /var/tmp differently.

4) I'm on UFS (not ZFS).

Has no bearing on anything. Filesystems have no effect on security.

5) Also, what's the swap size?  16GB?  In the days of
Solaris 2.2-2.5, Sun used to recommend double the
size of RAM for swap but this doesn't hold anymore

I normally make swap size 10M (you read that correctly), because any time swapping begins, a system crash will potentially occur.

Anytime I see any machine/container swap become >0 bytes used, to me, that's an indicator some applications should be moved to another machine/container, if the machine/container is expected to survive.
Slowaris 10?  You should have upgraded to 11 when you had that change and before Oracle took over.  11 fixed much of the slowness of the OS.

The original reasoning for all those partitions was likely that the disks were much smaller way back.  You partitioned them separately so that user space getting filled up would not hose your server.  You would also have multiple disks on your system to get more space and you needed to mount them.  Unix systems behave rather poorly when disk is used up.  The OS will happily keep writing into the file handle, which just appends into null, eventually becoming a system crash as race conditions between system file wirtes cause them to becomes 0 bytes.

Since it's still a server, you should still partition off user space from system space.

/tmp
/var
/home

And depending on your needs, you can also separate these.
/var/log
/var/tmp

On a single user system, such as ubuntu for a user's desktop, you could just do a single partition, but I would put the home directory on something separate if you have multiple users log in.  Linux is modeled after Unix and the filling up the system partition can cause system file corruption.

As for Swap, that was created at a time when RAM was super expensive and the OS needed swap to make up for the lack of RAM, mainly during the 90s for desktops, but servers were doing swap well before then.  When RAM was up to 2 GB, I was setting swap to 1 or 2 GB.  Anyone setting 4GB for swap didn't know what they were doing.  That slowed the system down a whole lot more than 1GB.  By the time RAM reached a standard 4 GB on a 32 bit system, you really did not need swap.  By the time 8 GB RAM standard (well over 10+ years ago) came out, you should have phased out swap.

You should be buying your server with enough RAM to support your needs and not really have swap.  If your server needs swap the moment you bought it, it means that you didn't plan correctly.  RAM is random access.  There is no appreciable speed detriment for fragmented RAM in the vast majority of applications.  There is a major bottleneck when you write to disk.

P.S.  When you google about swap and find that one stupid article about swap was done by one guy on a single user system that didn't do intensive server testing,  he's wrong about swap, when it comes to multi-user server systems.

Author

Commented:
>The original reasoning for all those partitions was likely that the disks were much smaller way back.  
Now that disks are much bigger/cheaper, then why is CIS RHEL 6/7 (& I'm sure RHEL 8 as well)
recommends separate partitions for /tmp, /var/tmp, /var/log/audit, citing we need to set them
to 'nodev, nosuid, ...' in case of malicious attempts to fill them up.

Solaris 10, 11, AIX 7 benchmarks did not recommend these.

David, reason I mention zfs is the ease of expanding/resizing on-the-fly without downtime as
UFS is harder to resize

Author

Commented:
Btw, which directory does patches get installed into on Solaris 10?

Author

Commented:
> You should be buying your server with enough RAM to support your needs and not really have swap
Reckon in 'vmstat' output under 'swap rate' column, it should always show as less than 1 & if
it's above 1, we need to increase RAM: this still holds true?

Certainly we should upgrade to Solaris 11 or even move to Linux but our Linux/UNIX admins (we have
2 only) staff turnover is extremely high;  anyway, we have a direction to move out of Solaris in next
couple of years (subject to staff resources)
...staff turnover is extremely high
That's indicative of something very wrong at the company.

Btw, which directory does patches get installed into on Solaris 10?
Where do you download it to?  https://docs.oracle.com/cd/E19683-01/806-4073/6jd67r9bu/index.html

Now that disks are much bigger/cheaper, then why is CIS RHEL 6/7 (& I'm sure RHEL 8 as well)
recommends separate partitions for /tmp, /var/tmp, /var/log/audit, citing we need to set them
to 'nodev, nosuid, ...' in case of malicious attempts to fill them up.
Again, that is due to "ancient" server wisdom.  On servers, it does make sense to keep those separate, so that filling them up doesn't bring down the system.  You need the 'nodev, nosuid, ...' because those listed systems still have "users" log in directly as root for management.  It prevents files in there from executing as root.

Modern linux "wisdom" is to have a user account that's an "admin" (meaning it's still a regular account and you have to use sudo to run root commands, allowing some minor root command tracking in the logs - although you can easily bypass that - and limiting direct root access).  Even Windows has implemented their own version of a sudo with UAC.

Solaris 10, 11, AIX 7 benchmarks did not recommend these.
What sort of benchmarks?  Speed?  If you partition a single spinning disk that way, it would slow disk access as it swings the arm to the different partitions to seek the tracks.  For a server, you probably, mainly want to separate the user home directories to some other disk and just /tmp and /var, as those contain temporary files and logs.  You may want to separate /var/log.  It all depends on how you want that data isolated.
Again, as I said previously:
Unix systems behave rather poorly when disk is used up.  The OS will happily keep writing into the file handle, which just appends into null, eventually becoming a system crash as race conditions between system file writes cause them to becomes 0 bytes.
You don't want important system files to became 0 bytes, essentially deleting them while the system is running.
Distinguished Expert 2017
Commented:
The solaris has had the option to combine multiple disks into a logical volume  (software tad) to  counter the single disk combinations as the reason for the multiple mount points.

Back to the original response that much is a preference and habit. If one used disks that had rw/read-only switches.
/, /usr, /var, /var/log, /hone
Partitions were created to mitigate a run away nom-critical mechanism for ... Often dealt with logs that were not properly managed
Logrotate manages ones logs these days when setup.

Much depends on what and how the system is used.
User accessible versus ...

Author

Commented:
Last question:
if the folder that holds the patches (ie /var/sadm) is made a
separate partition, should we need to increase it's size in
future, can it be done without downtime (& its ufs)?
Distinguished Expert 2017
Commented:
not easily. Usually you would need a new partition with the larger space, using cpio to copy the data from the current to the new. and then convert the mount points in vfstab
/var/sadm
mount new partiton as /mnt
cd /var/sadm
find . | cpio -pdvmu /mnt
this will copy the data as it exists to the destination.
....
make adjustments to the vfstab
unmount -f /var/sadm
and
run mount which will reprocess the vfstab and will mount /var/sadm that is currently not mounted. you will miss some of the .....
You could do this in single user more/maintenance mode though while you are doing this, the system will only be accessible on the console....... not service will be running....

There is no dynamic way to expand a UFS partition. a ZFS resource is a different story.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial