On 21.06.16 16:55, Kenneth Gober wrote:
On Sun, Jun 19, 2016 at 5:56 AM, Sjöholm Per-Olov <p...@incedo.org> wrote:
Does anyone know if there exist any list of recommendations about how to make
an SSD disk to live as long as possible when using it for firewall purpose on
OpenBSD?
I don't know of a list, aside from what you find in this thread and similar
threads on this list from the past.

My own first recommendation is not to worry about it.

My second recommendation is: if you must worry about it, change as little
as possible.  You don't want to make updates difficult due to excessive
customization.

I am running OpenBSD 5.9 on an Internet-facing router, on Soekris hardware
with 4GB mSATA SSD storage.  My only concern about SSD durability relates to
/var/log and the potential for Internet traffic to cause constant writes
there.  So I have made minimal changes to guard against that:

DO NOT MAKE THESE CHANGES ON YOUR OWN SYSTEM UNLESS
YOU UNDERSTAND WHAT THEY DO.

1. when installing OpenBSD, put /var/log on its own 128MB partition.

2. after your first boot, convert /var/log to use MFS:
     mkdir -p /mfs/log
     cd /etc
     mv fstab fstab~
     sed -e's|/var/log|/mfs/log|' <fstab~ >fstab
     cat >>fstab
     swap /var/log mfs rw,nodev,nosuid,-s=128M,-P=/mfs/log 0 0
     ^D

3. reboot so that the above /etc/fstab changes take effect.

4. configure rsync to periodically checkpoint /var/log to /mfs/log:
     pkg_add rsync
     crontab -e
     (add the following lines)
     #
     # checkpoint log files
     10    */4    *    *    *    /usr/local/bin/rsync -ayH --delete-after /var/log/ /mfs/log

5. also save /var/log to /mfs/log on shutdown:
     cat >>/etc/rc.shutdown
     /usr/local/bin/rsync -ayH --delete-after /var/log/ /mfs/log
     ^D

I sync /var/log to /mfs/log only every 4 hours because I have reliable power.
If you have unreliable power (or unreliable hardware) or your firewall crashes
or reboots for unknown reasons you may want to sync more often.  Actually
in that case you probably shouldn't use an MFS /var/log at all.

When I first did this it was more than 2 years ago.  Today SSD storage has
improved enough that this shouldn't be needed (see my first recommendation
above not to worry about it).

-ken

Well, but why not just set up syslogd to fan logs out to some other server?

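Added example, not part of the original messages: the step 2 fstab edit written so that it is safe to run twice. Re-running the `sed` from step 2 on an already converted file would also rewrite the mount point of the appended mfs line and append a second copy. The function names, return codes and the sample fstab (with made-up DUIDs) are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the original post): apply the step 2 fstab
# edit idempotently. Paths are arguments so it can be tried on a copy.

MFS_LINE='swap /var/log mfs rw,nodev,nosuid,-s=128M,-P=/mfs/log 0 0'

# convert_fstab SRC DST
# Returns 0 after writing DST,
#         1 if SRC has no /var/log entry to move,
#         2 if SRC already has an mfs /var/log entry (already converted).
convert_fstab() {
    src=$1 dst=$2
    # Field 2 is the mount point, field 3 the filesystem type.
    if awk '$1 !~ /^#/ && $2 == "/var/log" && $3 == "mfs" { found = 1 }
            END { exit !found }' "$src"; then
        return 2
    fi
    if ! awk '$1 !~ /^#/ && $2 == "/var/log" { found = 1 }
              END { exit !found }' "$src"; then
        return 1
    fi
    # Move the disk-backed partition to /mfs/log by rewriting only its
    # mount-point field, then append the mfs entry. The mfs entry comes
    # last so /mfs/log is already mounted when -P copies from it.
    awk '$1 !~ /^#/ && $2 == "/var/log" { $2 = "/mfs/log" } { print }' \
        "$src" > "$dst" &&
        printf '%s\n' "$MFS_LINE" >> "$dst"
}

# Constructed sample fstab; the DUIDs are invented for this example.
sample_fstab() {
    cat <<'EOF'
0123456789abcdef.a / ffs rw 1 1
0123456789abcdef.d /var ffs rw,nodev,nosuid 1 2
0123456789abcdef.e /var/log ffs rw,nodev,nosuid 1 2
EOF
}
```

Run it against a copy of /etc/fstab and compare the result with `diff` before installing it; `awk` collapses the whitespace on the one line it rewrites.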