The CIS Security Benchmark is a great starting place to secure any Linux instance. In this post we are going to cover LVM creation and management in order to partition out our install. I will be using an Amazon Linux 2 instance with an extra 115GB drive mapped to /dev/xvdb.

To create our LVM we must first flag a device for later use so that LVM knows which drive(s) it is able to use.

Setup physical volumes

To find our available devices we can run lsblk to list the physical disks available to us.

[ec2-user@ip-10-0-6-240 ~]$ lsblk
NAME    MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
xvda    202:0    0   50G  0 disk 
└─xvda1 202:1    0   50G  0 part /
xvdb    202:16   0  100G  0 disk 

Here we can see that the disk xvdb is unused; let's mark it available so that LVM is able to use this disk.

Mark physical volume for use

sudo pvcreate /dev/xvdb

[ec2-user@ip-10-0-6-158 ~]$ sudo pvcreate /dev/xvdb
  Physical volume "/dev/xvdb" successfully created.

Show created volumes

We can verify that the drive has been added with pvdisplay.

sudo pvdisplay

Now it's time to actually create the volume group on the new device that we set up in the last step. This gives our LVM group a tangible name (in this case I'm using the name alpha_lvm, but it can be anything).

Create volume group

sudo vgcreate alpha_lvm /dev/xvdb

[ec2-user@ip-10-0-6-158 ~]$ sudo vgcreate alpha_lvm /dev/xvdb
  Volume group "alpha_lvm" successfully created

We can also confirm that pvdisplay now shows the physical volume assigned to the new volume group.

Show volume groups

sudo pvdisplay

It's now time to scan in our new volume group and build the caches that LVM will need later.

Scan in new volume group

sudo vgscan

[ec2-user@ip-10-0-6-158 ~]$ sudo vgscan
  Reading volume groups from cache.
  Found volume group "alpha_lvm" using metadata type lvm2

Here you can see that the alpha_lvm volume group we made is registered.

Now it's time to actually create our volumes; in this example I will be making a handful. This also happens to be what the CIS Benchmark recommends.

Create volumes

sudo lvcreate --name var --size 40GB alpha_lvm
sudo lvcreate --name home --size 40GB alpha_lvm
sudo lvcreate --name vartmp --size 10GB alpha_lvm
sudo lvcreate --name varlog --size 10GB alpha_lvm
sudo lvcreate --name varlogaudit --size 10GB alpha_lvm

You can see that I'm running larger /home and /var volumes, as Docker stores all its images in /var.

We can confirm that all the volumes were registered with lvdisplay.

Display volumes

sudo lvdisplay

Now that our volumes have been created we need to wipe any existing data on them and give them a filesystem. The obvious choice for this is ext4.

Format new volumes

sudo mkfs.ext4 /dev/alpha_lvm/var
sudo mkfs.ext4 /dev/alpha_lvm/home
sudo mkfs.ext4 /dev/alpha_lvm/vartmp
sudo mkfs.ext4 /dev/alpha_lvm/varlog
sudo mkfs.ext4 /dev/alpha_lvm/varlogaudit

Now we are going to mount these to a temporary directory so we can copy over the existing data. I am going to be using /mnt, but you can use any directory you would like.

Mount volumes

sudo mkdir -p /mnt/var /mnt/home
sudo mount /dev/alpha_lvm/var /mnt/var
sudo mount /dev/alpha_lvm/home /mnt/home
sudo mkdir -p /mnt/var/tmp /mnt/var/log
sudo mount /dev/alpha_lvm/vartmp /mnt/var/tmp
sudo mount /dev/alpha_lvm/varlog /mnt/var/log
sudo mkdir -p /mnt/var/log/audit
sudo mount /dev/alpha_lvm/varlogaudit /mnt/var/log/audit

You can see me using mkdir to create the mount-point directories that don't exist yet as well.

We can see our new volumes in action with lsblk.

View devices

[ec2-user@ip-10-0-6-158 ~]$ lsblk
NAME                    MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
xvda                    202:0    0   50G  0 disk 
└─xvda1                 202:1    0   50G  0 part /
xvdb                    202:16   0  115G  0 disk 
├─alpha_lvm-var         253:0    0   40G  0 lvm  /mnt/var
├─alpha_lvm-home        253:1    0   40G  0 lvm  /mnt/home
├─alpha_lvm-vartmp      253:2    0   10G  0 lvm  /mnt/var/tmp
├─alpha_lvm-varlog      253:3    0   10G  0 lvm  /mnt/var/log
└─alpha_lvm-varlogaudit 253:4    0   10G  0 lvm  /mnt/var/log/audit

We can now use rsync to copy the data over into our newly created logical volumes. When we reboot at the end of this, the data will persist on the volumes.

Copy existing data

sudo rsync -av /var/ /mnt/var/
sudo rsync -av /home/ /mnt/home/

If you want to verify that the data made it across, you can cd into /mnt and check.

Setup fstab

The final task is to mount the LVM volumes on boot so that we can actually use our new LVM setup. To do this we can edit /etc/fstab (or use echo, as in my case, since this is all scripted for me). The following entries have the proper filesystem options set to satisfy the CIS Benchmark document.

echo "tmpfs /tmp tmpfs defaults,rw,nosuid,nodev,noexec,relatime 0 0" | sudo tee -a /etc/fstab
echo "/dev/alpha_lvm/var /var ext4 defaults 1 1" | sudo tee -a /etc/fstab
echo "/dev/alpha_lvm/home /home ext4 defaults,noatime,acl,user_xattr,nodev,nosuid 0 2" | sudo tee -a /etc/fstab
echo "tmpfs   /dev/shm    tmpfs   defaults,rw,nosuid,nodev,noexec,relatime        0 0" | sudo tee -a /etc/fstab
echo "/dev/alpha_lvm/vartmp /var/tmp ext4 defaults,rw,nosuid,nodev,noexec,relatime 1 1" | sudo tee -a /etc/fstab
echo "/dev/alpha_lvm/varlog /var/log ext4 defaults 1 1" | sudo tee -a /etc/fstab
echo "/dev/alpha_lvm/varlogaudit /var/log/audit ext4 defaults 1 1" | sudo tee -a /etc/fstab

Along with the volumes we made, we can add a /tmp mount, but since it uses the in-memory tmpfs filesystem rather than ext4, it doesn't need to live in the LVM.

Reboot

Now that our fstab is set up with the volume information, we can reboot and start using our new LVM setup!
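As an added example (not part of the original post), here is a small POSIX sh check that reads /proc/mounts-format lines and confirms that the mount points from the fstab entries above are separate mounts carrying the CIS options they set. The two mount tables below are constructed samples; on the rebooted instance you would feed it the real /proc/mounts.

```shell
# Added example, not from the original post: audit mount options against the
# CIS settings the fstab entries above apply. Input is /proc/mounts format:
#   device mountpoint fstype options dump pass

# Mount points and the options each must carry (mirrors the fstab lines above).
REQUIRED="/tmp:nosuid,nodev,noexec /var/tmp:nosuid,nodev,noexec /dev/shm:nosuid,nodev,noexec /home:nodev,nosuid"

# check_mounts MOUNTS_TEXT: prints one line per finding, returns 0 when every
# required mount point exists with all required options, 1 otherwise.
check_mounts() {
    mounts="$1"
    rc=0
    for entry in $REQUIRED; do
        mp="${entry%%:*}"
        wanted="${entry#*:}"
        # Options column of the last (effective) entry for this mount point.
        have=$(printf '%s\n' "$mounts" | awk -v mp="$mp" '$2 == mp { print $4 }' | tail -n 1)
        if [ -z "$have" ]; then
            echo "MISSING MOUNT: $mp is not a separate mount point"
            rc=1
            continue
        fi
        for opt in $(printf '%s' "$wanted" | tr ',' ' '); do
            case ",$have," in
                *",$opt,"*) ;;
                *) echo "MISSING OPTION: $mp lacks $opt (has $have)"; rc=1 ;;
            esac
        done
    done
    return $rc
}

# Constructed sample: what the post's fstab should yield after the reboot.
GOOD_MOUNTS='/dev/xvda1 / xfs rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/mapper/alpha_lvm-var /var ext4 rw,relatime 0 0
/dev/mapper/alpha_lvm-home /home ext4 rw,nosuid,nodev,noatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/mapper/alpha_lvm-vartmp /var/tmp ext4 rw,nosuid,nodev,noexec,relatime 0 0'

# Constructed sample with two findings: /var/tmp lacks noexec, /home is not split out.
BAD_MOUNTS='/dev/xvda1 / xfs rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/mapper/alpha_lvm-vartmp /var/tmp ext4 rw,nosuid,nodev,relatime 0 0'

check_mounts "$GOOD_MOUNTS" && echo "sample 1: compliant"
check_mounts "$BAD_MOUNTS" || echo "sample 2: findings listed above"
# On the rebooted instance: check_mounts "$(cat /proc/mounts)"
```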