
One of the questions that comes up fairly often on various *nix-related sites is which disk partitioning scheme to use. What looks like a simple question is actually full of pitfalls, at least where servers are concerned. On desktops everything is much duller and grayer.
There is no universal solution here; there are only some considerations that should guide the choice of partitioning scheme.
User Restriction
All directories where a regular user has write permission (/home, /tmp, /var/tmp) should be moved to separate partitions. This kills several birds with one stone:
- when reinstalling the system, there is no need to rush to copy user data to other media, or to restore it from whatever can be dug out of stale, year-old backups
- we get the ability to mount these partitions with noexec, so that would-be hackers cannot run all sorts of rubbish on your system. Remember that noexec does not protect against shell scripts.
- we are protected from the hard-link attack (a vulnerability is found in a package, you successfully remove it, and yet the vulnerability remains, because the attacker had created a hard link to the vulnerable file). Hard links cannot cross filesystem boundaries, so a user confined to a separate partition cannot link to files on the system one. Here and here you can read more.
- we can use the ext2 file system for /tmp (journaling is useless here, since nothing needs to be recovered after a failure)
Protecting the system from failing when disk space runs out
It is worth remembering that we have the wonderful /var/log, which loves to fill up with logs to the brim, insatiable users who never have enough disk space, and temporary directories that love to fill up with millions of temporary files that nobody deletes. All such directories (/var, /home, /tmp) should likewise be moved off the root partition.
Putting a spoke in the intruders' wheel
A rather dubious measure, but I have come across this recommendation more than once: mount /usr read-only.
However, we also create some inconvenience for ourselves: upgrading the system is no longer so simple. In GNU/Debian, for example, this is solved by adding the following to /etc/apt/apt.conf:
DPkg
{
    // remount /usr read-write before dpkg runs, and read-only again afterwards
    Pre-Invoke { "mount /usr -o remount,rw"; };
    Post-Invoke { "mount /usr -o remount,ro"; };
};
Admittedly, Post-Invoke does not always work. Sometimes you have to use lsof +L1 to find out which process is keeping /usr busy so that it cannot be remounted read-only.
Swap: needed or not?
You will very often see the recommendation to make swap twice the size of RAM. On servers, which may have 64-128 GB (or even more) of RAM, that sounds downright silly. Today's systems have no particular need for swap, unless you want to use hibernation. But that is the prerogative of laptops, not servers.
Mount options
This is a very important point to pay attention to. In addition to the aforementioned noexec, the nosuid and nodev options should be set on user partitions. You can also reduce the load on the disk with the noatime or relatime options and with commit=60 (the default is 5 seconds).
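The check below is an added example, not part of the original article: a POSIX shell function that reads a mount table in /proc/mounts format and reports which of the user-writable directories named above lack noexec, nosuid or nodev, or are not separate mounts at all. The sample table and its device names are constructed for illustration.

```shell
#!/bin/sh
# Audit user-writable mount points for the hardening options discussed above.
# Input format is that of /proc/mounts: device mountpoint fstype options dump pass

REQUIRED="noexec nosuid nodev"
TARGETS="/home /tmp /var/tmp"

# audit_mounts FILE: one line per target, "OK", "MISSING <opts>" or "NOT-SEPARATE"
audit_mounts() {
    mounts_file=${1:-/proc/mounts}
    for target in $TARGETS; do
        # The last matching entry wins, since later mounts shadow earlier ones.
        opts=$(awk -v mp="$target" '$2 == mp { o = $4 } END { print o }' "$mounts_file")
        if [ -z "$opts" ]; then
            echo "$target NOT-SEPARATE"
            continue
        fi
        missing=""
        for want in $REQUIRED; do
            # Wrap in commas so "nodev" never matches inside another option name.
            case ",$opts," in
                *",$want,"*) ;;
                *) missing="$missing $want" ;;
            esac
        done
        if [ -z "$missing" ]; then
            echo "$target OK"
        else
            echo "$target MISSING$missing"
        fi
    done
}

# Constructed sample mount table (not taken from a real host).
sample_mounts() {
    cat <<'EOF'
/dev/mapper/vg0-root / ext4 rw,relatime 0 0
/dev/mapper/vg0-home /home ext4 rw,nosuid,nodev,noexec,noatime,commit=60 0 0
/dev/mapper/vg0-tmp /tmp ext2 rw,nosuid,noatime 0 0
EOF
}

# Run the audit against the constructed sample.
audit_sample() {
    tmpf=$(mktemp) || return 1
    sample_mounts > "$tmpf"
    audit_mounts "$tmpf"
    rm -f "$tmpf"
}

audit_sample
```

Calling audit_mounts with no argument audits the live /proc/mounts of the host it runs on.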
Summary
These points are advisory in nature; there are no strict rules on this issue. It all depends on personal preference.
However, I would still like to sum things up:
- Try to move /boot, /home, /tmp and /var out of the root onto separate partitions.
- Use LVM, so that you do not kick yourself later if some partition suddenly and urgently needs to be enlarged.
- Do not forget the mount options that spare the drives. We do not want them to fail.
- Do not forget to remove the reserve for root on the partitions you have split off, since it is no longer needed there (tune2fs -m 0 <device>, where <device> is the partition's block device)