Date: Fri, 17 Dec 1999 17:02:57 -0500
From: "Matthew B. Henniges" <matt@axl.net>
To: <freebsd-isp@freebsd.org>
Subject: RE: partition sizes and securelevel questions
Message-ID: <NDBBJIOBFAJNKGAGLICJGEMIDOAA.matt@axl.net>
In-Reply-To: <19991217124743.A141@comcen.com.au>
Greetings All-

I just finished setting up a new mail server, and this is what I ended up with:

Filesystem   1K-blocks     Used    Avail Capacity  Mounted on
/dev/da0s1a     127023    21254    95608    18%    /
/dev/da0s1e    2032623   726774  1143240    39%    /usr
/dev/da0s1f    6533601    98938  5911975     2%    /var
/dev/da1s1e    1016303     5892   929107     1%    /var/log
/dev/da1s1f    7417626   807885  6016331    12%    /usr/home
mfs:31          254063        1   233737     0%    /tmp
procfs               4        4        0   100%    /proc

512M swap

/dev/da0s1a on / (ufs, local, writes: sync 223 async 6804)
/dev/da0s1e on /usr (ufs, local, writes: sync 160 async 6582)
/dev/da0s1f on /var (ufs, local, noatime, writes: sync 216646 async 321229)
/dev/da1s1e on /var/log (ufs, local, noatime, writes: sync 141 async 10413)
/dev/da1s1f on /usr/home (ufs, local, noatime, writes: sync 9844 async 14146)
mfs:31 on /tmp (mfs, asynchronous, local, writes: sync 2 async 16)
procfs on /proc (procfs, local)

This is a qmail server; this logic probably does not apply to sendmail servers, but here was my reasoning. I wanted the highest performance possible, so I tried to think of things that HAVE to happen at the same time and tried to arrange things so they affect different disks.

mail coming in smtpd: connect has to get logged, mail has to get logged and queued. This is why /var and /var/log are on different disks.

locally generated mail: mail has to be queued and logged. /var and /var/log on different disks.

mail going out from queue to remote hosts: mail has to be dequeued and logged. /var and /var/log on different disks.

mail going from queue to local addresses: mail has to be dequeued, logged and written to /usr/home. Can't optimize this without 3 disks.

I decided to put /var and /var/log on different disks to make the remote delivery as fast as possible, as that is most of the mail we handle (mailing lists unbalance this so much).

It seems to be performing well, and there is virtually no activity on / or /usr, so it should be relatively safe during unplanned shutdowns. Any comments?

Also, has anybody out there struck a happy balance between running in securelevel > -1 and still being able to upgrade the machine? I was thinking of having all my servers check some sort of master machine (via scp) for an upgrade tarfile for them. Something like this:

securehost.axl.net is the server running in a high securelevel.
master.axl.net is the master server.

During boot, before the securelevel raise, securehost would try to scp securehost.tar.gz from master.axl.net. If it failed, just continue with the boot. If it succeeded, untar it and run the included file 'runme' or whatever. This would make whatever changes you need to be made, and then continue with the boot.

In any case, I'm just trying to get the benefits of securelevels without being screwed if, say, a local root hole was found in /sbin/ping (couldn't update the binary due to immutable flag), and log rotation (append only).

Anyone have any better ideas?

Matthew B. Henniges
Axl.net Communications
http://www.axl.net
(203) 552-1714

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message
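
The boot-time fetch described in the message above, as an added example that is not part of the original e-mail. It adds one step the message does not describe: a detached signature over the tarball is checked with openssl before 'runme' is run, since the script executes as root before the securelevel is raised. The function names, the PUBKEY and STAGE paths and the .sig file name are assumptions.

```sh
#!/bin/sh
# Added example, not from the original message: update hook intended to run
# at boot before the securelevel is raised. Names and paths are assumptions.
MASTER=${MASTER:-master.axl.net}           # master host named in the message
PUBKEY=${PUBKEY:-/etc/update-pubkey.pem}   # assumed: public key kept on this host
STAGE=${STAGE:-/var/tmp/preboot-update}    # assumed staging directory

# Copy <host>.tar.gz and its detached signature; any failure means "no update".
fetch_update() {
    name="$(hostname -s).tar.gz"
    mkdir -p "$STAGE" || return 1
    for f in "$name" "$name.sig"; do
        scp -q -B -o ConnectTimeout=10 "$MASTER:$f" "$STAGE/$f" || return 1
    done
    echo "$STAGE/$name"
}

# Return 0 only if <tarball>.sig is a valid signature made by PUBKEY's owner.
verify_update() {
    [ -s "$1" ] && [ -s "$1.sig" ] && [ -r "$PUBKEY" ] || return 1
    openssl dgst -sha256 -verify "$PUBKEY" -signature "$1.sig" "$1" >/dev/null 2>&1
}

# Verify first, then unpack into a fresh directory and run the bundled 'runme'.
# Returns 2 when the signature check fails, so nothing unverified ever runs.
apply_update() {
    verify_update "$1" || { echo "update rejected: bad signature" >&2; return 2; }
    work=$(mktemp -d "$STAGE/unpack.XXXXXX") || return 1
    tar -xzf "$1" -C "$work" || return 1
    [ -f "$work/runme" ] || return 1
    ( cd "$work" && sh ./runme )
}

# Boot hook: a missing or rejected update never blocks the boot.
preboot_update() {
    tarball=$(fetch_update) || return 0
    apply_update "$tarball" || echo "update not applied, continuing boot" >&2
    return 0
}
```

Call preboot_update from the boot sequence at a point before the securelevel is raised; the tarball is signed elsewhere with the private key matching PUBKEY.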