On Wed, Aug 31, 2005 at 08:01:53AM +0200, Thana Jordan wrote:

> Thank you for your reply about partitioning - ime not really a home
> user - i would like to know how to partition it like a pro focused on
> security and stability - thanx

Here's how I split things up:

/	I like to make this partition relatively small.  On this box
        (bl.org), a NetBSD/i386 2.0 system, I have / at 64 megs.  This
        should be a mostly static partition, very little, if any changes
        over the long term.  My philosophy is that this partition should
        be able to survive a power-loss and the resulting fsck and still
        be able to boot the system enough to work on anything else that
        needs to be addressed.

<swap>	The rule of thumb for this has generally been 2x RAM.

/var	Here you mostly have log files, mail spools, and the defaults
        locations for some stuff like mysql & apache, though I put that
        data on other partitions.  My /var is 2 gigs and with about a
        dozen users and 3 years of compressed log files, It's about 40%
        full.

/usr	Most of what is covered by what we call 'userland,' which
        includes a bulk of the shipped binaries, libraries, header
        files, etc.  If you're going to be building your own kernels or
        full-releases of NetBSD, your src trees are here too.

        I have the kernel src and pkgsrc under /usr, my 4 gig partition
        is at 40% usage.

/home	This really depends on how much you're going to be doing on this
        box and how much disk you've got.  I put the bulk of my apache
        webfiles under /home, all my personal stuff, etc.

/tmp	If you've got the RAM, some people like to make this a mfs
        (memory filesystem) carved out of RAM.  When I do this, I never
        make it more than 50% of RAM.  Otherwise, this can be a real
        disk partition, it doesn't need to be all that large, as long as
        people use it properly.  I have mine set to 256 megs.

other partitions some people (like myself) tend to build.

I also have /usr/local set aside as a separate partition and have set
pkgsrc set to install pkgs to there instead of /usr/pkg.

If this box's primary job is as a mail server, you might want to set
/var/spool off on it's own as well.

Now, WHY do old farts like me separate things out like this?

1.  Backups.

The old classic UNIX backup scheme of dump & restore only backs up
filesystems on partition (slice) boundaries.  Breaking things up like
this lets me back up my home directories separate from the system
binaries, etc.

2.  Security.

NetBSD, and other UNIX variants can run in different secure levels
where you can do things like mount / read-only in such a way that
requires console access to drop into single-user mode to change that
mount.  Having stuff like your mail and home directories off on another
partition makes that a little easier.

3.  Stability.

I touched on this a little earlier.  The more active a filesystem is
when the box goes down hard, like a power-loss, the more likely you
are to have corruption on that filesystem.  Keeping / mostly read-only
limits the amount of potential damage to such a failure.


Are there other ways to address what I've outlined above?  Sure, but
that's what I do with my low-budget 1U colo-ed rack-mount box and how
I've tried to run my systems over the course of my career.