[Snort-users] Free Inodes

Matt Kettler mkettler at ...4108...
Wed Jun 8 08:57:40 EDT 2005

Dan Mahoney, System Admin wrote:
> On Wed, 8 Jun 2005, Jason wrote:
>> Dan Mahoney, System Admin wrote:
>>> I know the whole "I'm running out of inodes" thing is in the FAQ.
>>> What I don't understand is why a potentially large directory is put
>>> in what is one of the typically smallest directories.
>> I'm confused by this statement. Why wouldn't the logs be placed under
>> /var/log?
> Just to clarify, because under most systems with a separate /var
> partition (the BSD default install included), this directory is on the
> smaller side, and has an inode count to match.

And IMHO, such setups make for good workstations, are tolerable as servers, but
make really lousy firewalls, mailservers, or IDS boxes. (I usually find that I
want a bit more /var/log space on my servers than default setups do)

The default partition setup in most OS distributions tries to strike a balance,
but it's not appropriate for all situations. Most of these default setups have
large /home and /usr partitions too. That's fine for a multi-user personal
webpage server or workstation, but is useless on a dedicated DNS server.

When setting up a box, treat the default partitions as a baseline, but consider
the usage of the box.

Is the box going to have local users? If not, drop the size of /home (unless
your chroot jails live there).

Is the box going to run a busy server that will log a lot? If so, increase /var.

Is it going to be a mailserver (SMTP and POP/IMAP)? If so, increase /var
significantly for spool and mqueue space.

Is it going to have a lot of applications installed (i.e., workstation)? If so,
increase /usr. If it's going to be a dedicated box you can probably cut back
/usr a bit from the default, but keep it reasonably large.

As an example, look at this mail/DNS server. It's a no-logins box (other than
sysadmins) so /var is twice the size of /home:

Filesystem           1K-blocks      Used Available Use% Mounted on
/dev/sda6              7060276   1155440   5546188  18% /
/dev/sda1               101089     13293     82577  14% /boot
/dev/sda5              5036284     50452   4730000   2% /var/chroot
/dev/sda7              4538124    338744   3968852   8% /home
/dev/sda8              1510032     32892   1400432   3% /tmp
/dev/sda2             10080520   1361044   8207408  15% /usr
/dev/sda3              9068648    489652   8118336   6% /var

And note that the use percentages here are fairly even. A default install would
have a really small /var, maybe 1 GB, and it would be 50% used. /home would be
10 GB, and about 4% used. Clearly that space allocation would not be well suited
to what the box is used for.

Is that my MTA's fault? No. Mail spools belong in /var and take up a lot of
space. Partition appropriately.
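
[Added example, not part of the original post: a check that flags a log
partition when either its blocks or its inodes are nearly used up, since a
filesystem can run out of inodes while df still shows free space. It assumes
GNU df, where `df -P` and `df -Pi` both put the percentage in column 5; the
function names and the sample figures are constructed for illustration.]

```shell
#!/bin/sh
# Added example: flag filesystems where blocks OR inodes are nearly exhausted.
# Assumption: GNU df, where `df -P` and `df -Pi` both print the usage
# percentage in column 5 and the mount point in column 6.

# over_threshold LIMIT
# Reads df-style lines on stdin and prints "mountpoint pct" for every
# filesystem whose usage percentage is >= LIMIT.
over_threshold() {
    awk -v limit="$1" '
        NR == 1 { next }                 # skip the header line
        {
            pct = $5
            sub(/%$/, "", pct)
            if (pct !~ /^[0-9]+$/) next  # "-" means the fs reports no inode data
            if (pct + 0 >= limit + 0) print $6, pct
        }'
}

# check_mount DIR LIMIT
# Reports block and inode pressure for the filesystem that holds DIR.
check_mount() {
    dir=$1; limit=$2
    df -P  "$dir" | over_threshold "$limit" | sed 's/^/blocks: /'
    df -Pi "$dir" | over_threshold "$limit" | sed 's/^/inodes: /'
}

# Constructed sample of `df -Pi` output (not taken from the box in the post):
# /var is at 95% of its inodes, /home at 2%, /boot reports no inode data.
sample_inodes() {
cat <<'EOF'
Filesystem      Inodes   IUsed   IFree IUse% Mounted on
/dev/sda3       128000  121600    6400   95% /var
/dev/sda7       576000   11520  564480    2% /home
/dev/sda1            -       -       -     - /boot
EOF
}
```

Run `check_mount /var/log 90` from cron on the sensor to see both figures for
the partition that holds the logs; mount points containing spaces are not
handled.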
