The CIS Security Benchmark is a great starting place to secure any Linux instance. Its filesystem configuration section asks for /tmp, /var, /var/tmp, /var/log, /var/log/audit and /home to live on separate partitions, with restrictive mount options (nodev, nosuid, noexec) on the scratch ones, and LVM is the easy way to get that layout out of a single extra disk. In this post we are going to cover LVM creation and management in order to partition out our install. I will be using an Amazon Linux 2 instance with an extra 115GB drive mapped to
To create our LVM we must first initialise a disk as a physical volume, which is how LVM learns which drive(s) it is allowed to use.
Setup physical volumes
To find our available devices we can run lsblk, which lists the block devices available to us.
[ec2-user@ip-10-0-6-240 ~]$ lsblk
NAME    MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
xvda    202:0    0   50G  0 disk
└─xvda1 202:1    0   50G  0 part /
xvdb    202:16   0  100G  0 disk
Here we can see that the disk xvdb is unused (no partitions, no mountpoint). Let's mark it available so that LVM is able to use this disk.
Mark physical volume for use
sudo pvcreate /dev/xvdb
[ec2-user@ip-10-0-6-158 ~]$ sudo pvcreate /dev/xvdb
  Physical volume "/dev/xvdb" successfully created.
Show created volumes
We can verify that the drive has been added with
Now it's time to actually create the volume group on the physical volume we set up in the last step. This gives our LVM group a name (in this case I'm using alpha_lvm, but it can be anything).
Create volume group
sudo vgcreate alpha_lvm /dev/xvdb
[ec2-user@ip-10-0-6-158 ~]$ sudo vgcreate alpha_lvm /dev/xvdb
  Volume group "alpha_lvm" successfully created
We can confirm the new volume group with vgdisplay; pvdisplay will now also report alpha_lvm as the VG Name of /dev/xvdb.
Show volume groups
It's now time to scan for volume groups. vgscan rescans every disk for LVM metadata and rebuilds LVM's cache. A group created on this host with vgcreate is already known, so the step mainly matters when you attach a disk that already carries LVM metadata, but it is a cheap way to confirm the group is visible.
Scan in new volume group
[ec2-user@ip-10-0-6-158 ~]$ sudo vgscan
  Reading volume groups from cache.
  Found volume group "alpha_lvm" using metadata type lvm2
Here you can see that the alpha_lvm group we made is registered.
Now it's time to actually create the logical volumes. In this example I'm making a handful, and they happen to be exactly the separate partitions the CIS Benchmark recommends: /var, /home, /var/tmp, /var/log and /var/log/audit (/tmp is handled separately below, as it does not need a volume).
sudo lvcreate --name var --size 40GB alpha_lvm
sudo lvcreate --name home --size 40GB alpha_lvm
sudo lvcreate --name vartmp --size 10GB alpha_lvm
sudo lvcreate --name varlog --size 10GB alpha_lvm
sudo lvcreate --name varlogaudit --size 10GB alpha_lvm
The five volumes add up to 110G, so the volume group needs at least that much free space; lvcreate refuses the allocation once the group runs out of free extents, so size the disk before you start rather than finding out on the fourth volume. You can see that I'm giving /var a larger volume, as docker stores all its images in
We can confirm that all the volumes were registered with
Now that our volumes have been created we need to give each of them a filesystem. mkfs discards anything already on the target device, so double-check the paths before running it. The obvious choice for this will be
Format new volumes
sudo mkfs.ext4 /dev/alpha_lvm/var
sudo mkfs.ext4 /dev/alpha_lvm/home
sudo mkfs.ext4 /dev/alpha_lvm/vartmp
sudo mkfs.ext4 /dev/alpha_lvm/varlog
sudo mkfs.ext4 /dev/alpha_lvm/varlogaudit
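The physical volume, volume group, lvcreate and mkfs steps above put into one re-runnable script, as an added example that is not the post's own code: it refuses to hand LVM a disk that is mounted or already carries a signature, rejects a plan that does not fit the group's free space (which would have caught the 110G-on-100G mismatch), and skips volumes that already exist so a second run never reformats anything. The DEVICE and VG variables, the VOLUMES table, the DRY_RUN switch and the plan/apply arguments are my assumptions, not the post's.

```shell
#!/bin/sh
# Added example, not the post's own script: builds the physical volume, volume
# group and logical volumes from the post with pre-flight checks.
# Assumptions (mine, not the post's): DEVICE/VG, the VOLUMES table, DRY_RUN,
# and the "plan" (print only) / "apply" (run as root) arguments.
set -eu

DEVICE="${DEVICE:-/dev/xvdb}"
VG="${VG:-alpha_lvm}"
# name=size in GiB, the layout used in the post
VOLUMES="var=40 home=40 vartmp=10 varlog=10 varlogaudit=10"

# Print the total GiB a volume table asks for, so an overcommitted plan is
# caught up front instead of failing on the fourth lvcreate.
plan_total_gib() {
    total=0
    for spec in $1; do
        total=$(( total + ${spec#*=} ))
    done
    echo "$total"
}

# Succeed if a plan of $1 GiB fits in $2 GiB of free space. One GiB of margin
# covers LVM's metadata area and the rounding of sizes to whole extents.
plan_fits() {
    [ $(( $1 + 1 )) -le "$2" ]
}

# With DRY_RUN=1 print the command instead of running it.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# Refuse to pvcreate over a disk that is mounted or already carries a
# filesystem, partition table or LVM signature. wipefs -n only reports.
assert_device_unused() {
    [ -b "$1" ] || { echo "$1 is not a block device" >&2; return 1; }
    if grep -q "^$1 " /proc/mounts; then
        echo "$1 is mounted, refusing" >&2
        return 1
    fi
    if [ -n "$(wipefs -n "$1" 2>/dev/null)" ]; then
        echo "$1 has existing signatures, inspect with: wipefs -n $1" >&2
        return 1
    fi
}

# Free GiB in the volume group, integer part only. vgs with --units g and
# --nosuffix prints e.g. "  114.99" for a 115G disk.
vg_free_gib() {
    vgs --noheadings --units g --nosuffix -o vg_free "$1" | tr -d ' ' | cut -d. -f1
}

main() {
    total=$(plan_total_gib "$VOLUMES")

    if ! pvs "$DEVICE" >/dev/null 2>&1; then
        [ "${DRY_RUN:-0}" = "1" ] || assert_device_unused "$DEVICE"
        run pvcreate "$DEVICE"
    fi
    if ! vgs "$VG" >/dev/null 2>&1; then
        run vgcreate "$VG" "$DEVICE"
    fi

    if [ "${DRY_RUN:-0}" = "1" ]; then
        free=115   # assumed disk size for the dry run
    else
        free=$(vg_free_gib "$VG")
    fi
    if ! plan_fits "$total" "$free"; then
        echo "plan needs ${total}G plus margin, $VG has ${free}G free" >&2
        return 1
    fi

    for spec in $VOLUMES; do
        name=${spec%=*}
        size=${spec#*=}
        # idempotent: re-running the script never reformats an existing volume
        if lvs "$VG/$name" >/dev/null 2>&1; then
            echo "$VG/$name already exists, skipping"
            continue
        fi
        run lvcreate --name "$name" --size "${size}G" "$VG"
        run mkfs.ext4 "/dev/$VG/$name"
    done
}

case "${1:-}" in
    plan)  DRY_RUN=1; main ;;
    apply) [ "$(id -u)" -eq 0 ] || { echo "apply needs root" >&2; exit 1; }; main ;;
esac
```

Run it as `sh lvm_build.sh plan` first to see every command it would issue, then `sudo sh lvm_build.sh apply`. The size check compares against vg_free rather than the raw disk size because LVM keeps a small metadata area at the start of the physical volume, so a 115G disk never has a full 115G of extents.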
Now we are going to mount these to a temporary directory so we can copy over the existing data. I am going to use /mnt, but you can use any directory you would like.
sudo mkdir -p /mnt/var /mnt/home
sudo mount /dev/alpha_lvm/var /mnt/var
sudo mount /dev/alpha_lvm/home /mnt/home
sudo mkdir -p /mnt/var/tmp /mnt/var/log
sudo mount /dev/alpha_lvm/vartmp /mnt/var/tmp
sudo mount /dev/alpha_lvm/varlog /mnt/var/log
sudo mkdir -p /mnt/var/log/audit
sudo mount /dev/alpha_lvm/varlogaudit /mnt/var/log/audit
You can see me using mkdir to create the directories that don't exist yet. The order matters: /var is mounted before the directories nested inside it, so that /var/tmp, /var/log and /var/log/audit land on their own volumes rather than inside the var volume.
We can see our new volumes in action with
[ec2-user@ip-10-0-6-158 ~]$ lsblk
NAME                    MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
xvda                    202:0    0   50G  0 disk
└─xvda1                 202:1    0   50G  0 part /
xvdb                    202:16   0  115G  0 disk
├─alpha_lvm-var         253:0    0   40G  0 lvm  /mnt/var
├─alpha_lvm-home        253:1    0   40G  0 lvm  /mnt/home
├─alpha_lvm-vartmp      253:2    0   10G  0 lvm  /mnt/var/tmp
├─alpha_lvm-varlog      253:3    0   10G  0 lvm  /mnt/var/log
└─alpha_lvm-varlogaudit 253:4    0   10G  0 lvm  /mnt/var/log/audit
We can now use rsync to copy the data onto our newly created logical volumes; when we reboot at the end of this, the data is already in place. rsync's -a flag preserves permissions, ownership and timestamps; adding -A, -X and -H also carries over ACLs, extended attributes (SELinux labels included, where enabled) and hard links, which -a alone drops. Because the system is still running, anything written to /var after the copy (logs, the package database) stays on the root filesystem and will be hidden under the new mount after the reboot, so either re-run the rsync right before rebooting or do the copy with services stopped.
Copy existing data
sudo rsync -aAXH /var/ /mnt/var/
sudo rsync -aAXH /home/ /mnt/home/
If you want to verify that the data made it across, you can look under /mnt and compare it against the live directories.
The final task is to mount the volumes on boot so we can actually use our new layout. To do this we edit /etc/fstab (or use echo, in my case, since this is all scripted for me). The following entries have the filesystem options set to satisfy the CIS Benchmark. Be careful here: a mistake in fstab can leave the instance unable to boot, and on EC2 recovering from that means attaching the root volume to another instance and fixing the file from there.
echo "tmpfs /tmp tmpfs defaults,rw,nosuid,nodev,noexec,relatime 0 0" | sudo tee -a /etc/fstab
echo "/dev/alpha_lvm/var /var ext4 defaults 1 2" | sudo tee -a /etc/fstab
echo "/dev/alpha_lvm/home /home ext4 defaults,noatime,acl,user_xattr,nodev,nosuid 0 2" | sudo tee -a /etc/fstab
echo "tmpfs /dev/shm tmpfs defaults,rw,nosuid,nodev,noexec,relatime 0 0" | sudo tee -a /etc/fstab
echo "/dev/alpha_lvm/vartmp /var/tmp ext4 defaults,rw,nosuid,nodev,noexec,relatime 1 2" | sudo tee -a /etc/fstab
echo "/dev/alpha_lvm/varlog /var/log ext4 defaults 1 2" | sudo tee -a /etc/fstab
echo "/dev/alpha_lvm/varlogaudit /var/log/audit ext4 defaults 1 2" | sudo tee -a /etc/fstab
The last column is the fsck pass number; it is 2 for the new volumes because fstab(5) reserves pass 1 for the root filesystem. The nodev, nosuid and noexec options on /tmp, /var/tmp and /dev/shm, and nodev on /home, are the ones the CIS Benchmark checks for; /var, /var/log and /var/log/audit only need to be separate partitions.
Along with the volumes we made, we also add entries for /tmp and /dev/shm. These use tmpfs, an in-memory filesystem, so they need neither a logical volume nor an ext4 filesystem. noexec on /tmp and /var/tmp is what the benchmark asks for, but some installers unpack and execute helpers from those directories, so test a package install after the change.
Now that fstab has the new entries, unmount the staging mounts under /mnt (innermost first: /mnt/var/log/audit, /mnt/var/log, /mnt/var/tmp, then /mnt/home and /mnt/var) and check that the file parses, for example with findmnt --verify (util-linux 2.30 or newer), which reports bad options and unknown devices without mounting anything. Then reboot and start using the new LVM setup! After the reboot the original copies of /var and /home still sit on the root filesystem underneath the new mounts; they are harmless but waste space until you delete them through a bind mount of /.
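The fstab entries above turned into a checked table, as an added example that is not part of the original post: render_fstab writes the same seven lines, check_fstab refuses any entry that lacks the mount options the benchmark requires for its path (or is missing altogether), and pre_reboot_check parses the result before the reboot. The VG and FSTAB variables and the render/check/install arguments are my assumptions, not the post's; point FSTAB at a scratch file to try it without touching /etc/fstab.

```shell
#!/bin/sh
# Added example, not the post's own script: render the post's fstab entries
# from one table, verify the CIS mount options per path, and dry-parse the
# result before rebooting. Assumptions (mine): VG, FSTAB, and the arguments.
set -eu

VG="${VG:-alpha_lvm}"
FSTAB="${FSTAB:-/etc/fstab}"

# mountpoint|device|fstype|options|dump|pass. Root stays on xvda1 and is not
# listed. /tmp and /dev/shm are tmpfs and need no logical volume. Pass 2 on
# the new volumes: fstab(5) reserves fsck pass 1 for the root filesystem.
ENTRIES="/tmp|tmpfs|tmpfs|defaults,rw,nosuid,nodev,noexec,relatime|0|0
/dev/shm|tmpfs|tmpfs|defaults,rw,nosuid,nodev,noexec,relatime|0|0
/var|/dev/$VG/var|ext4|defaults|1|2
/var/tmp|/dev/$VG/vartmp|ext4|defaults,rw,nosuid,nodev,noexec,relatime|1|2
/var/log|/dev/$VG/varlog|ext4|defaults|1|2
/var/log/audit|/dev/$VG/varlogaudit|ext4|defaults|1|2
/home|/dev/$VG/home|ext4|defaults,noatime,acl,user_xattr,nodev,nosuid|0|2"

# Options the benchmark calls for per path. For /var, /var/log and
# /var/log/audit the separate partition itself is the control.
required_opts() {
    case "$1" in
        /tmp|/var/tmp|/dev/shm) echo "nodev nosuid noexec" ;;
        /home)                  echo "nodev" ;;
        *)                      echo "" ;;
    esac
}

# Emit the table as fstab lines: device mountpoint fstype options dump pass.
render_fstab() {
    printf '%s\n' "$ENTRIES" | while IFS='|' read -r mp dev fs opts dump pass; do
        printf '%s %s %s %s %s %s\n' "$dev" "$mp" "$fs" "$opts" "$dump" "$pass"
    done
}

# Read fstab text on stdin. Every CIS mountpoint must have an entry and the
# entry must carry every required option. Prints one line per finding and
# returns 1 if there were any, so it can gate the reboot.
check_fstab() {
    text=$(cat)
    status=0
    for mp in /tmp /dev/shm /var /var/tmp /var/log /var/log/audit /home; do
        # column 2 is the mountpoint; comments and blank lines are skipped
        line=$(printf '%s\n' "$text" | awk -v mp="$mp" '!/^[[:space:]]*#/ && $2 == mp { print; exit }')
        if [ -z "$line" ]; then
            echo "MISSING $mp: no fstab entry"
            status=1
            continue
        fi
        opts=$(printf '%s\n' "$line" | awk '{ print $4 }')
        for opt in $(required_opts "$mp"); do
            case ",$opts," in
                *",$opt,"*) ;;
                *) echo "WEAK $mp: missing $opt (has $opts)"; status=1 ;;
            esac
        done
    done
    return $status
}

# Back up the current file, append the entries, and re-check the whole file
# so a pre-existing weak entry is caught too.
install_fstab() {
    cp -p "$FSTAB" "$FSTAB.bak.$(date +%s)"
    render_fstab >> "$FSTAB"
    check_fstab < "$FSTAB"
}

# findmnt --verify (util-linux 2.30+) reports unknown devices, bad options and
# duplicate mountpoints without mounting anything; a broken fstab is otherwise
# only discovered when the instance fails to come back up.
pre_reboot_check() {
    findmnt --verify --fstab --tab-file "$FSTAB"
}

case "${1:-}" in
    render)  render_fstab ;;
    check)   check_fstab < "$FSTAB" ;;
    install) install_fstab && pre_reboot_check ;;
esac
```

`sh fstab_cis.sh render` prints the lines for review, `sh fstab_cis.sh check` audits the current /etc/fstab the way a benchmark scanner would, and `sudo sh fstab_cis.sh install` appends the entries and runs the parse check in one go.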