Use fdisk and parted to resize a 100 GB custom Ubuntu image on Digital Ocean to prepare for a 320 GB Security Onion install

Digital Ocean cannot deploy a custom image larger than 100 GB, while Security Onion requires 200 GB to install. To work around the Digital Ocean limit, build a 100 GB custom Ubuntu image with only three partitions: /boot, /, and /tmp (leaving /nsm and swap for later). Once that image is deployed as a 320 GB (or larger) droplet, parted can extend the GPT to the new disk size, and fdisk can add the final two partitions in the free space. (parted can do that part too, but fdisk's mostly-automatic prompts make it the easiest tool for this purpose.)

NOTE: after I documented all this, I discovered Security Onion prefers 100 GB FREE on the "/" partition, not 100 GB total. Since the OS itself takes up several gigabytes, this layout leaves Security Onion with less than 100 GB free. You can ignore the installer's request for a larger volume, but you will probably want more eventually. If you are already comfortable with parted and fdisk, you can delete the "/" partition and re-add it at 120 GB while doing the steps below, and shrink the 210 GB "/nsm" mentioned below to 190 GB to compensate.

UPDATE: I had a chance to try this idea and it works. You can enlarge the existing "/" like this. The key is that the recreated partition starts at the same sector as the old one and keeps its ext4 signature, so the filesystem survives and only has to be grown afterwards:

1. Run "sudo fdisk /dev/vda" and d(elete) partitions 6, 5, 4 and 3 (partition 3 is "/"). Nothing is written to disk until you use w.
2. Create a n(ew) partition. fdisk defaults to the same first sector the old "/" used; accept it. For the size, use +120G instead of the existing 98G. When fdisk warns that the partition contains an ext4 signature and asks whether to remove it, answer No and keep it. This is the key step: removing the signature would wipe the filesystem.
3. Create another partition with size +185G (the new /nsm), another with +2.5G (the new /tmp), and the last one with the default size, which comes out to about 12G. That last one is the swap partition.
4. Use t(ype) to change partition 6 to type 19 (Linux swap). You can p(rint) the table to check it.
5. w(rite) the new table. You will see notices saying "failed to remove partitions" and "device busy" because the partitions are in use; they can safely be ignored, and the kernel picks up the new table at the next reboot. This exits fdisk.
6. Run "sudo nano /etc/fstab" and comment out every line except /boot and / (the old /tmp and swap entries no longer match any partition). Reboot.
7. Run "sudo resize2fs /dev/vda3" to grow the root filesystem into the enlarged partition. It takes a few seconds.
8. Format the others: "sudo mkfs.ext4 /dev/vda4", then "sudo mkfs.ext4 /dev/vda5", and finally "sudo mkswap /dev/vda6".
9. Use "lsblk -fs" to collect the new UUIDs (same technique as shown below), update /etc/fstab with them, and reboot once more.

It seems like a lot, but all of this can be done in about 5 minutes.

You could also deploy onto a full terabyte disk, or any other size. Whichever way you go, the basic techniques you'll use are all shown below:

Log in to the new host using the SSH key you configured when deploying the image:

user@laptop:~$ ssh soadmin@193.214.171.165
The authenticity of host '193.214.171.165 (193.214.171.165)' can't be established.
ECDSA key fingerprint is SHA256:PpQE5H7SzX76UwOryM55TluS7+ocDF5cwv63ikxkAQz.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '193.214.171.165' (ECDSA) to the list of known hosts.
Last login: Wed Jul 21 03:10:27 2021
soadmin@securityonion:~$ 

Run lsblk to confirm you have the three partitions, /boot, /, and /tmp, on vda. Ignore vda1 (the 1 MB BIOS boot partition GRUB needs on a GPT disk) and vdb (a tiny read-only ISO, labelled config-2 as lsblk -fs shows further down, that carries droplet metadata for cloud-init). Neither is touched here.

soadmin@securityonion:~$ lsblk
NAME   MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
vda    252:0    0  320G  0 disk 
├─vda1 252:1    0    1M  0 part 
├─vda2 252:2    0  500M  0 part /boot
├─vda3 252:3    0   98G  0 part /
└─vda4 252:4    0  1.5G  0 part /tmp
vdb    252:16   0  452K  1 disk 
soadmin@securityonion:~$ 

When you run fdisk it will complain that "GPT PMBR size mismatch (209715199 != 671088639) will be corrected by w(rite)." This is expected: the protective MBR and the GPT headers were written for a 100 GB disk of 209715200 sectors, and the backup GPT header still sits where that disk ended instead of at the end of the 320 GB device, so the extra space is not yet usable by the partition table.

soadmin@securityonion:~$ sudo fdisk -l
[sudo] password for soadmin: 
GPT PMBR size mismatch (209715199 != 671088639) will be corrected by w(rite).
Disk /dev/vda: 320 GiB, 343597383680 bytes, 671088640 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: AE99BAB9-D11B-42AD-953B-AE6EFD395064

Device         Start       End   Sectors  Size Type
/dev/vda1       2048      4095      2048    1M BIOS boot
/dev/vda2       4096   1028095   1024000  500M Linux filesystem
/dev/vda3    1028096 206548991 205520896   98G Linux filesystem
/dev/vda4  206548992 209713151   3164160  1.5G Linux filesystem

Disk /dev/vdb: 452 KiB, 462848 bytes, 904 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
soadmin@securityonion:~$ 

Use parted to fix this. Type "Fix" when prompted to Fix/Ignore; parted moves the backup GPT header to the end of the disk and updates the protective MBR, so the table now covers all 320 GB. Then quit. (Started without a device argument, parted opens /dev/vdb first and reports "unrecognised disk label" for it, which is harmless; "print list" then walks every disk. Running "sudo parted /dev/vda" instead avoids the noise.) We'll go back to fdisk because it makes the next part very easy.

soadmin@securityonion:~$ sudo parted
GNU Parted 3.2
Using /dev/vdb
Welcome to GNU Parted! Type 'help' to view a list of commands.
(parted) print list                                                       
Error: /dev/vdb: unrecognised disk label
Model: Virtio Block Device (virtblk)                                      
Disk /dev/vdb: 463kB
Sector size (logical/physical): 512B/512B
Partition Table: unknown
Disk Flags: 

Warning: Not all of the space available to /dev/vda appears to be used, you can fix the GPT to use all of the space
(an extra 461373440 blocks) or continue with the current setting? 
Fix/Ignore? Fix                                                           
Model: Virtio Block Device (virtblk)
Disk /dev/vda: 344GB
Sector size (logical/physical): 512B/512B
Partition Table: gpt
Disk Flags: 

Number  Start   End     Size    File system  Name  Flags
 1      1049kB  2097kB  1049kB                     bios_grub
 2      2097kB  526MB   524MB   ext4
 3      526MB   106GB   105GB   ext4
 4      106GB   107GB   1620MB  ext4

(parted) quit
soadmin@securityonion:~$

Start fdisk on /dev/vda. Use the following sequence: "p" (print) the current partition table, "n" (new) to create a 210 GB partition, then "n" again taking the remaining free space, "t" (type) to change that last partition to Linux swap, and "w" to write. Most of the time you'll just hit Enter to accept the default being offered. Nothing touches the disk until "w"; "q" abandons the changes:

soadmin@securityonion:~$ sudo fdisk /dev/vda

Welcome to fdisk (util-linux 2.31.1).
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.

Command (m for help): p
Disk /dev/vda: 320 GiB, 343597383680 bytes, 671088640 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: AE99BAB9-D11B-42AD-953B-AE6EFD395064

Device         Start       End   Sectors  Size Type
/dev/vda1       2048      4095      2048    1M BIOS boot
/dev/vda2       4096   1028095   1024000  500M Linux filesystem
/dev/vda3    1028096 206548991 205520896   98G Linux filesystem
/dev/vda4  206548992 209713151   3164160  1.5G Linux filesystem

Command (m for help): n
Partition number (5-128, default 5): 
First sector (209713152-671088606, default 209713152): 
Last sector, +sectors or +size{K,M,G,T,P} (209713152-671088606, default 671088606): +210G

Created a new partition 5 of type 'Linux filesystem' and of size 210 GiB.

Command (m for help): n
Partition number (6-128, default 6): 
First sector (650115072-671088606, default 650115072): 
Last sector, +sectors or +size{K,M,G,T,P} (650115072-671088606, default 671088606): 

Created a new partition 6 of type 'Linux filesystem' and of size 10 GiB.

Command (m for help): t
Partition number (1-6, default 6): 
Partition type (type L to list all types): 19

Changed type of partition 'Linux filesystem' to 'Linux swap'.

Command (m for help): p
Disk /dev/vda: 320 GiB, 343597383680 bytes, 671088640 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: AE99BAB9-D11B-42AD-953B-AE6EFD395064

Device         Start       End   Sectors  Size Type
/dev/vda1       2048      4095      2048    1M BIOS boot
/dev/vda2       4096   1028095   1024000  500M Linux filesystem
/dev/vda3    1028096 206548991 205520896   98G Linux filesystem
/dev/vda4  206548992 209713151   3164160  1.5G Linux filesystem
/dev/vda5  209713152 650115071 440401920  210G Linux filesystem
/dev/vda6  650115072 671088606  20973535   10G Linux swap

Command (m for help): w
The partition table has been altered.
Syncing disks.

soadmin@securityonion:~$ 

Now lsblk shows the two new partitions, but they have no filesystem yet and are not mounted:

soadmin@securityonion:~$ lsblk
NAME   MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
vda    252:0    0  320G  0 disk 
├─vda1 252:1    0    1M  0 part 
├─vda2 252:2    0  500M  0 part /boot
├─vda3 252:3    0   98G  0 part /
├─vda4 252:4    0  1.5G  0 part /tmp
├─vda5 252:5    0  210G  0 part 
└─vda6 252:6    0   10G  0 part 
vdb    252:16   0  452K  1 disk 
soadmin@securityonion:~$ 

soadmin@securityonion:~$ lsblk -fs
NAME  FSTYPE  LABEL    UUID                                 MOUNTPOINT
vda1                                                        
└─vda                                                       
vda2  ext4             d78d36eb-2422-4d12-9ef6-2f3a9cc2bbc7 /boot
└─vda                                                       
vda3  ext4             d674d181-67d7-47e0-8279-c9b0d79a5812 /
└─vda                                                       
vda4  ext4             1ef99652-1637-41de-97ad-c2b6e5552f70 /tmp
└─vda                                                       
vda5                                                        
└─vda                                                       
vda6                                                        
└─vda                                                       
vdb   iso9660 config-2 2021-07-21-05-51-15-00               
soadmin@securityonion:~$ 

Format the two partitions, one with ext4 and the other as swap:

soadmin@securityonion:~$ sudo mkfs.ext4 /dev/vda5
mke2fs 1.44.1 (24-Mar-2018)
Creating filesystem with 55050240 4k blocks and 13762560 inodes
Filesystem UUID: f964ea40-5302-4295-897a-0dd21a01afc7
Superblock backups stored on blocks: 
    32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208, 
    4096000, 7962624, 11239424, 20480000, 23887872

Allocating group tables: done                            
Writing inode tables: done                            
Creating journal (262144 blocks): done
Writing superblocks and filesystem accounting information: done     
soadmin@securityonion:~$ 

soadmin@securityonion:~$ sudo mkswap /dev/vda6 
Setting up swapspace version 1, size = 10 GiB (10738442240 bytes)
no label, UUID=06cd83dc-5f56-4d41-9563-d82951178b06
soadmin@securityonion:~$ 

Now lsblk -fs shows the filesystem types and UUIDs of the new partitions:

soadmin@securityonion:~$ lsblk -fs
NAME  FSTYPE  LABEL    UUID                                 MOUNTPOINT
vda1                                                        
└─vda                                                       
vda2  ext4             d78d36eb-2422-4d12-9ef6-2f3a9cc2bbc7 /boot
└─vda                                                       
vda3  ext4             d674d181-67d7-47e0-8279-c9b0d79a5812 /
└─vda                                                       
vda4  ext4             1ef99652-1637-41de-97ad-c2b6e5552f70 /tmp
└─vda                                                       
vda5  ext4             f964ea40-5302-4295-897a-0dd21a01afc7 
└─vda                                                       
vda6  swap             06cd83dc-5f56-4d41-9563-d82951178b06 
└─vda                                                       
vdb   iso9660 config-2 2021-07-21-05-51-15-00               
soadmin@securityonion:~$ 

Use these UUIDs to populate /etc/fstab. Check what you wrote before rebooting: a typo in fstab leaves the droplet stuck in emergency mode at the next boot, without SSH, and you would have to recover it through the Digital Ocean console. "sudo findmnt --verify" checks the syntax and that every UUID resolves, "sudo mount -a" mounts /nsm right away, and "sudo swapon -a" activates the new swap. Since /tmp is its own partition, you may also want "nosuid,nodev" in its options instead of "defaults".

soadmin@securityonion:~$ sudo nano /etc/fstab
soadmin@securityonion:~$ sudo cat /etc/fstab
/dev/disk/by-uuid/d78d36eb-2422-4d12-9ef6-2f3a9cc2bbc7 /boot ext4 defaults 0 1
/dev/disk/by-uuid/d674d181-67d7-47e0-8279-c9b0d79a5812 / ext4 defaults 0 1
/dev/disk/by-uuid/1ef99652-1637-41de-97ad-c2b6e5552f70 /tmp ext4 defaults 0 1
/dev/disk/by-uuid/f964ea40-5302-4295-897a-0dd21a01afc7 /nsm ext4 defaults 0 1
/dev/disk/by-uuid/06cd83dc-5f56-4d41-9563-d82951178b06 none swap sw 0 0
/swap.img       none    swap    sw      0       0

That last line can be deleted; the swap file is no longer needed now that you have a full swap partition. (By fstab(5) convention the root filesystem gets fsck pass 1 and the other filesystems pass 2; the 1s below work, but 2 makes fsck check them after /.) The final fstab should look like this:

soadmin@securityonion:~$ sudo cat /etc/fstab
/dev/disk/by-uuid/d78d36eb-2422-4d12-9ef6-2f3a9cc2bbc7 /boot ext4 defaults 0 1
/dev/disk/by-uuid/d674d181-67d7-47e0-8279-c9b0d79a5812 / ext4 defaults 0 1
/dev/disk/by-uuid/1ef99652-1637-41de-97ad-c2b6e5552f70 /tmp ext4 defaults 0 1
/dev/disk/by-uuid/f964ea40-5302-4295-897a-0dd21a01afc7 /nsm ext4 defaults 0 1
/dev/disk/by-uuid/06cd83dc-5f56-4d41-9563-d82951178b06 none swap sw 0 0

You can still see the no-longer-needed swap.img:

soadmin@securityonion:~$ ls /
bin   cdrom  etc   initrd.img      lib    lost+found  mnt  proc  run   snap  swap.img  tmp  var      vmlinuz.old
boot  dev    home  initrd.img.old  lib64  media       opt  root  sbin  srv   sys       usr  vmlinuz
soadmin@securityonion:~$ 

But if you try to delete it, you'll get an error: the kernel refuses to remove or truncate a swap file while it is active. ("sudo swapoff /swap.img" would release it immediately; here we simply wait for the reboot.)

soadmin@securityonion:~$ sudo rm /swap.img
rm: cannot remove '/swap.img': Operation not permitted
soadmin@securityonion:~$ 

So reboot. The new /etc/fstab no longer refers to this file, so it will not be activated again:

soadmin@securityonion:~$ sudo reboot
Connection to 193.214.171.165 closed by remote host.
Connection to 193.214.171.165 closed.
user@laptop:~$ 

After the reboot, log in again:

user@laptop:~$ ssh soadmin@193.214.171.165
Last login: Wed Jul 21 05:54:37 2021 from 172.127.142.199
soadmin@securityonion:~$ 

Now lsblk and fdisk show the two new partitions mounted and configured properly, with vda5 on /nsm and vda6 active as swap:

soadmin@securityonion:~$ lsblk -fs
NAME  FSTYPE  LABEL    UUID                                 MOUNTPOINT
vda1                                                        
└─vda                                                       
vda2  ext4             d78d36eb-2422-4d12-9ef6-2f3a9cc2bbc7 /boot
└─vda                                                       
vda3  ext4             d674d181-67d7-47e0-8279-c9b0d79a5812 /
└─vda                                                       
vda4  ext4             1ef99652-1637-41de-97ad-c2b6e5552f70 /tmp
└─vda                                                       
vda5  ext4             f964ea40-5302-4295-897a-0dd21a01afc7 /nsm
└─vda                                                       
vda6  swap             06cd83dc-5f56-4d41-9563-d82951178b06 [SWAP]
└─vda                                                       
vdb   iso9660 config-2 2021-07-21-05-51-15-00               
soadmin@securityonion:~$ 

soadmin@securityonion:~$ sudo fdisk -l
[sudo] password for soadmin: 
Disk /dev/vda: 320 GiB, 343597383680 bytes, 671088640 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: AE99BAB9-D11B-42AD-953B-AE6EFD395064

Device         Start       End   Sectors  Size Type
/dev/vda1       2048      4095      2048    1M BIOS boot
/dev/vda2       4096   1028095   1024000  500M Linux filesystem
/dev/vda3    1028096 206548991 205520896   98G Linux filesystem
/dev/vda4  206548992 209713151   3164160  1.5G Linux filesystem
/dev/vda5  209713152 650115071 440401920  210G Linux filesystem
/dev/vda6  650115072 671088606  20973535   10G Linux swap

Disk /dev/vdb: 452 KiB, 462848 bytes, 904 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
soadmin@securityonion:~$ 

The old swap.img is still there, but now it can be deleted. Use rm to remove it, and ls again to verify it is gone:

soadmin@securityonion:~$ ls /
bin   cdrom  etc   initrd.img      lib    lost+found  mnt  opt   root  sbin  srv       sys  usr  vmlinuz
boot  dev    home  initrd.img.old  lib64  media       nsm  proc  run   snap  swap.img  tmp  var  vmlinuz.old
soadmin@securityonion:~$ sudo rm /swap.img 
soadmin@securityonion:~$ ls /
bin   cdrom  etc   initrd.img      lib    lost+found  mnt  opt   root  sbin  srv  tmp  var      vmlinuz.old
boot  dev    home  initrd.img.old  lib64  media       nsm  proc  run   snap  sys  usr  vmlinuz
soadmin@securityonion:~$ 

Run df -h to verify all is well:

soadmin@securityonion:~$ df -h
Filesystem      Size  Used Avail Use% Mounted on
udev            7.9G     0  7.9G   0% /dev
tmpfs           1.6G  688K  1.6G   1% /run
/dev/vda3        96G  1.7G   90G   2% /
tmpfs           7.9G     0  7.9G   0% /dev/shm
tmpfs           5.0M     0  5.0M   0% /run/lock
tmpfs           7.9G     0  7.9G   0% /sys/fs/cgroup
/dev/vda4       1.5G  4.6M  1.4G   1% /tmp
/dev/vda2       477M   79M  369M  18% /boot
/dev/vda5       206G   61M  196G   1% /nsm
tmpfs           1.6G     0  1.6G   0% /run/user/1000
soadmin@securityonion:~$ 

Your disk is now partitioned and ready for Security Onion.

But before installing, let's do a similar fix to the network to prepare for Security Onion's very particular network requirements.

Posted in Developing Software on Jul 21, 2021
