[Snort-users] Free Inodes

Matt Kettler mkettler at ...4108...
Wed Jun 8 08:57:40 EDT 2005


Dan Mahoney, System Admin wrote:
> On Wed, 8 Jun 2005, Jason wrote:
> 
>>
>>
>> Dan Mahoney, System Admin wrote:
>>
>>> I know the whole "I'm running out of inodes" thing is in the FAQ.
>>>
>>> What I don't understand is why a potentially large directory is put
>>> in what is one of the typically smallest directories.
>>
>>
>> I'm confused by this statement. Why wouldn't the logs be placed under
>> /var/log?
> 
> 
> Just to clarify, because under most systems with a separate /var
> partition (the BSD default install included), this directory is on the
> smaller size, and has an inode count to match.
> 

And IMHO, such setups make for good workstations, are tolerable as servers, but
make really lousy firewalls, mailservers, or IDS boxes. (I usually find that I
want a bit more /var/log space on my servers than default setups do.)

The default partition setup in most OS distributions tries to split a balance,
but it's not appropriate for all situations. Most of these default setups have
large /home and /usr partitions too. That's fine for a multi-user personal
webpage server or workstation, but is useless on a dedicated DNS server.

When setting up a box, treat the default partitions as a baseline, but consider
the usage of the box.

Is the box going to have local users? If not, drop the size of /home (unless
your chroot jails live there).

Is the box going to run a busy server that will log a lot? If so, increase /var.

Is it going to be a mailserver (SMTP and POP/IMAP)? If so, increase /var
significantly for spool and mqueue space.

Is it going to have a lot of applications installed (i.e., workstation)? If so,
increase /usr. If it's going to be a dedicated box you can probably cut back
/usr a bit from the default, but keep it reasonably large.

As an example, look at this mail/dns server. It's a no-logins box (other than
sysadmins) so /var is twice the size of /home:

Filesystem           1K-blocks      Used Available Use% Mounted on
/dev/sda6              7060276   1155440   5546188  18% /
/dev/sda1               101089     13293     82577  14% /boot
/dev/sda5              5036284     50452   4730000   2% /var/chroot
/dev/sda7              4538124    338744   3968852   8% /home
/dev/sda8              1510032     32892   1400432   3% /tmp
/dev/sda2             10080520   1361044   8207408  15% /usr
/dev/sda3              9068648    489652   8118336   6% /var

And note that the use percentages here are fairly even. A default install would
have a really small /var, maybe 1 GB, and it would be 50% used. /home would be
10 GB, and about 4% used. Clearly that space allocation would not be well suited
to what the box is used for.

Is that my MTA's fault? No. Mail spools belong in /var and take up a lot of
space. Partition appropriately.
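
Added example, not part of the original post: a check that flags filesystems at or above a usage limit, run once over block usage and once over inode usage, since a log partition can run out of inodes while its Use% is still low. It assumes GNU df on Linux (`df -P` and `df -Pi` share a six-column layout); the function names and the inode table are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag filesystems at or above a usage limit, for blocks or inodes.
# Input: `df -P` or `df -Pi` text (GNU df assumed): a header line, then six
# columns: device, total, used, free, use%, mount point.

# over_threshold LIMIT -- reads df text on stdin, prints "<mount> <pct>" per hit
over_threshold() {
    awk -v limit="$1" '
        NR == 1 { next }                      # skip the header line
        NF >= 6 {
            pct = $5
            sub(/%$/, "", pct)
            if (pct !~ /^[0-9]+$/) next       # "-" means no inode count reported
            mount = $6                        # rejoin mount points with spaces
            for (i = 7; i <= NF; i++) mount = mount " " $i
            if (pct + 0 >= limit + 0) print mount, pct
        }'
}

# Block usage: the df table quoted in the post above.
sample_blocks() {
    cat <<'EOF'
Filesystem           1K-blocks      Used Available Use% Mounted on
/dev/sda6              7060276   1155440   5546188  18% /
/dev/sda1               101089     13293     82577  14% /boot
/dev/sda5              5036284     50452   4730000   2% /var/chroot
/dev/sda7              4538124    338744   3968852   8% /home
/dev/sda8              1510032     32892   1400432   3% /tmp
/dev/sda2             10080520   1361044   8207408  15% /usr
/dev/sda3              9068648    489652   8118336   6% /var
EOF
}

# Inode usage: constructed sample (not from the post) where /var is nearly
# out of inodes even though its block usage above is only 6%.
sample_inodes() {
    cat <<'EOF'
Filesystem            Inodes   IUsed   IFree IUse% Mounted on
/dev/sda3            1152000 1117440   34560   97% /var
/dev/sda7             576000    1200  574800    1% /home
/dev/sdb1                  0       0       0     - /mnt/fat
EOF
}

echo "blocks >= 15%:"; sample_blocks | over_threshold 15
echo "inodes >= 90%:"; sample_inodes | over_threshold 90
# Live use on a GNU system: df -P | over_threshold 90; df -Pi | over_threshold 90
```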