Partitioning script #28
Conversation
|
Awesome. This is the thing I think our team understands the least about. Which brings to mind: we don't have any docs anywhere about what the "hardening process" does or how one might expect it to impact their day-to-day work on the result. Would you be up for kicking it off with a paragraph or so describing what the partitioning process does, and how, if at all, it makes using the created instance different from a vanilla Ubuntu box? |
|
@konklone - Sure. I'm going to update some bits in the guide itself that are incomplete / out of date to better match the produced image then I'll work on building some context to the steps. |
|
Note, what I've put together here is a roughly a direct translation of what's in the current hardening guide. I have another PR in prep to address a few small bugs in and updates to the process described there. However, there are parts of that guide that I believe are redundant or could be simplified while achieving the same results. I intend to file a new PR for those changes. I'm thinking separate threads of PRs (updates & automation vs. process changes) results in some redundant work, but keeps things clean and stable. |
|
👍 |
Addressing #4
This script mounts the new larger disk configuration at build time and creates equal size partitions, completes LVM configuration and mounts per the hardening guide. I did this all in shell as chef would have required a handful of cookbooks to the same end.
It expects a blank disk and will fail friendly otherwise.
This should handle disk sizes changes fine as all sizing is relative, but needs more work for alternative partitioning schemes which would be straightforward to add.
I added an apt configuration to remount the newly created noexec /tmp in order to allow package management.