Mailinglist Archive: opensuse-factory (331 mails)

[opensuse-factory] Heads-Up: New Partitioning & firewall/sshd defaults on the way
  • From: Richard Brown <RBrownCCB@xxxxxxxxxxxx>
  • Date: Fri, 16 Nov 2018 16:35:33 +0100
  • Message-id: <CAA0b23waK=zW2mN69OchH0a=8agHrCyQRC2P0Mqy7oCrkFYB2g@mail.gmail.com>
Hi everyone,

For a while there has been a significant amount of feedback that some
of our installer's defaults could do with improvement. I've decided to
try and tackle some of them.

We have seen a number of users receiving smaller / (rootfs)
filesystems than ideal with our default feature set of snapshots and
rollback.
This results in their systems filling up with snapshots before the
space-aware cleanup even has a chance to take effect.
A number of users have asked why we mix xfs and btrfs by default, and
we've seen bugs where that mixing results in a /home partition that is
unusably small.

Therefore I've proposed the following PR to both Leap 15.1 and
Tumbleweed's installers:

https://github.com/yast/skelcd-control-openSUSE/pull/153

The changes from the current behaviour are as follows:

- / will aim to be at least 40GiB by default, and will not be allowed
to be smaller than 20GiB
- If snapshots are disabled in either the Guided or Expert
partitioner, / will aim to be at least 10GiB, and will not be allowed
to be smaller than 5GiB
- / will try and use all other available space
- By default we will NOT propose a separate /home partition
- If a separate /home is requested in either the Guided or Expert
partitioner, /home will aim to be at least 40GiB and no smaller than
10GiB
- If enabled, /home will try to use all other available space at a
rate twice as large as /
- swap will not grow to the size of RAM by default (but this can still
be enabled in the Guided or Expert partitioners)
- Unlike previously, all of the above also applies to the
"Transactional Server" system role, with the exception that you cannot
disable snapshots.

Altogether this means that most users will have a much simpler,
straightforward partitioning of their systems, be it a VM with a small
disk, a laptop with an SSD, or a massive server/workstation with
dozens of GB of RAM.

In addition to the above I took the opportunity to fix a bug that's
been lingering in my backlog for most of the year:
https://bugzilla.opensuse.org/show_bug.cgi?id=1090372

As we now have clear "Server" and "Transactional Server" system roles,
the firewall & sshd configuration for those roles will now be
optimised by default:

- sshd will be enabled by default
- firewalld will be disabled by default

I've discussed the logic of disabling the firewall at length
with a number of people, especially our Leap release manager Ludwig
whose opinion on security I consider very highly.

Given that servers are not general purpose machines and will have a
limited number of services installed, each manually by the user, we
feel that the firewall is a needless complication for that role which
users should be saved from by default.

The firewall & sshd configuration will not be changed for any of the
other system roles. The firewall will remain enabled by default for
desktop roles, where there is a much larger risk of software opening
up ports without the user being aware of it.

Users will of course still be able to modify these settings from their
defaults on the "Installation Summary" screen before the install, just
as they can today.

If there are any significant improvements you see to the above, please
speak up quickly as the pull request is on the way already.

Regards,
Richard