Saturday, July 26, 2008

Creating tmpfs and swap space after partitions have already been written

This how-to describes a process of creating a tmpfs and swap file system on your existing server, after the partition table has been written. I'll start off with a little history first. I was presented with a production server where there was only a / root partition and 500MB of swap allocated. We need to bump up RAM to 1GB, and I wanted to allocate more swap space. Also, I wanted to add an extra layer of security by making the /tmp directory noexec,nosuid. This is a nice method to counter script-kiddie attacks. It's by no means 'rock-solid', but can really help you on automated attacks. The solution is to use some disk space and create a file system. Once the file system has been created, you would mount it with special privileges.

First let's work on swap

dd if=/dev/zero of=/.swap bs=1024 count=500000
mkswap /.swap
swapon /.swap

This created a 500 MB file using dd. Once our .swap file has been created we make the swap file system and activated the swap space.

The original /etc/fstab looked like this:

/dev/hda1 /boot ext3 noauto,noatime 1 2
/dev/hda3 / reiserfs noatime 0 1
/dev/hda2 none swap sw 0 0

Now, we're going to add our additional swap space to /etc/fstab

/.swap swap swap defaults 0 0

Issuing a `top` command, we can see our swap now has: 1006028k (1GB).

Next, we're going to create a tmpfs file system

dd if=/dev/zero of=/.tmpfs bs=1024 count=250000
mkfs -t ext3 /.tmpfs
mount -o loop,noexec,nosuid,rw /.tmpfs /tmp
chmod 0777 /tmp
chmod +t /tmp

This created a 250 MB file using dd, and mounted it to our /tmp mount point. Also, we added our permissions (noexec, nosuid) options. Now, no programs can be executed in /tmp. All we need to do now is adjust /etc/fstab

/.tmpfs /tmp ext3 loop,rw,nosuid,noexec 0 0


This isn't the ideal solution, but since this was a production box, rebuilding the partition table from scratch was an extremely ugly option.

1 comment:

Anonymous said...

Thank you for this posting. It really helped me out when I encountered an "Insufficient Virtual Memory" problem.

xfan