Use fdisk and parted to resize a 100Gb custom image of Ubuntu for Digital Ocean to prepare for a 320Gb SecurityOnion install

By Clearhat, . Permalink Coding and Techy Stuff

Digital Ocean cannot deploy a Custom Image larger than 100Gb. Security Onion requires 200Gb to install. To workaround the Digital Ocean limitation, create a 100Gb custom image of Ubuntu, configured with only three partitions: /boot, /, and /tmp. (Leaving out /nsm and swap requirements for the moment). After the image is deployed as a 320Gb Digital Ocean custom image droplet (or larger), you can resize it easily using parted. Then you can use fdisk to add these final two partitions (or you can use parted, but I find fdisk's mostly-automatic prompts make it the easiest approach for this purpose).

NOTE: after I documented all this, I discovered Security Onion prefers 100Gb FREE on the "/" partition, not 100Gb total. Since the OS takes up multiple gigabytes, this leaves Security Onion with less than 100Gb. Fortunately, you can ignore the Security Onion installation request for a larger volume, but you'll probably want more eventually. Readers who are already familiar with parted and fdisk could conceivably delete the "/" partition, then re-add it at 120Gb while doing the following steps, and correspondingly modify the 210Gb "/nsm" mentioned below down to 190Gb.

UPDATE: I had a chance to try this idea and it works. You can resize the current "/" if you do it like this: Use "sudo fdisk /dev/vda" and d,d,d,d(elete) partitions 6,5,4,and 3 (which is "/"). Then create a n(ew) partition. Fdisk will default to the same start point of the existing "/" partition. For size, use +120G instead of the existing 98G. When fdisk asks to "keep ext4 signature?" keep it, do not overwrite! This is the key step! Then create another partition with size +185G, another at +2.5G, and create the last one with default size which will be 12G -- the swap drive. Then use t(ype) to change type for partition 6 to type 19 for swap. You can p(rint) the table to see it if you want. Finally, w(rite) the new table. At this point you'll see some notices saying "failed to remove partitions/device busy" but you can safely ignore them. This will exit you from fdisk. After exiting, use "sudo nano /etc/fstab," comment out all but /boot and /. Reboot. Use "sudo resize2fs /dev/vda3" to adjust the size of the "/" partition. It takes a few seconds. Then format the others; do "sudo mkfs.ext4 /dev/vda4", then again "sudo mkfs.ext4 /dev/vda5", and finally "sudo mkswap /dev/vda6". Then use "lsblk -fs" to collect the UUIDs (using same techniques as shown below) and modify /etc/fstab with the new UUIDs. Reboot once more, and you have what you need. Seems like a lot but all this can be done in 5 minutes.

Or also, you could deploy into a full terabyte drive, etc. Any way you go, the basic techniques you'll use are all below:

Log in to the new host using SSH key you configured when deploying the image:

user@laptop:~$ ssh soadmin@193.214.171.165
The authenticity of host '193.214.171.165 (193.214.171.165)' can't be established.
ECDSA key fingerprint is SHA256:PpQE5H7SzX76UwOryM55TluS7+ocDF5cwv63ikxkAQz.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '193.214.171.165' (ECDSA) to the list of known hosts.
Last login: Wed Jul 21 03:10:27 2021
soadmin@securityonion:~$

Run lsblk to see that you have 3 partitions, /boot, /, and /tmp. Ignore the vda1 and vdb devices.

soadmin@securityonion:~$ lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
vda 252:0 0 320G 0 disk
+-vda1 252:1 0 1M 0 part
+-vda2 252:2 0 500M 0 part /boot
+-vda3 252:3 0 98G 0 part /
+-vda4 252:4 0 1.5G 0 part /tmp
vdb 252:16 0 452K 1 disk
soadmin@securityonion:~$

When you run fdisk it will complain that "GPT PMBR size mismatch (209715199 != 671088639) will be corrected by w(rite)."

soadmin@securityonion:~$ sudo fdisk -l
[sudo] password for soadmin:
GPT PMBR size mismatch (209715199 != 671088639) will be corrected by w(rite).
Disk /dev/vda: 320 GiB, 343597383680 bytes, 671088640 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: AE99BAB9-D11B-42AD-953B-AE6EFD395064

Device Start End Sectors Size Type
/dev/vda1 2048 4095 2048 1M BIOS boot
/dev/vda2 4096 1028095 1024000 500M Linux filesystem
/dev/vda3 1028096 206548991 205520896 98G Linux filesystem
/dev/vda4 206548992 209713151 3164160 1.5G Linux filesystem

Disk /dev/vdb: 452 KiB, 462848 bytes, 904 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
soadmin@securityonion:~$

Use parted to fix this issue. Type "Fix" when prompted to Fix/Ignore. Then quit, we'll go back to fdisk because it makes the next part very easy.

soadmin@securityonion:~$ sudo parted
GNU Parted 3.2
Using /dev/vdb
Welcome to GNU Parted! Type 'help' to view a list of commands.
(parted) print list
Error: /dev/vdb: unrecognised disk label
Model: Virtio Block Device (virtblk)
Disk /dev/vdb: 463kB
Sector size (logical/physical): 512B/512B
Partition Table: unknown
Disk Flags:

Warning: Not all of the space available to /dev/vda appears to be used, you can fix the GPT to use all of the space
(an extra 461373440 blocks) or continue with the current setting?
Fix/Ignore? Fix
Model: Virtio Block Device (virtblk)
Disk /dev/vda: 344GB
Sector size (logical/physical): 512B/512B
Partition Table: gpt
Disk Flags:

Number Start End Size File system Name Flags
1 1049kB 2097kB 1049kB bios_grub
2 2097kB 526MB 524MB ext4
3 526MB 106GB 105GB ext4
4 106GB 107GB 1620MB ext4

(parted) quit
soadmin@securityonion:~$

Start fdisk pointed at the /dev/vda. Use the following sequence to "p" (print) the current device table, create a "n" (new) partition of 210Gb, then another "n" using the remaining free space. Then use "t" (type) to change the type of the SWAP device. Then "w" to (write). Most of the time, you'll hit "enter" to accept the defaults being offered:

soadmin@securityonion:~$ sudo fdisk /dev/vda

Welcome to fdisk (util-linux 2.31.1).
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.

Command (m for help): p
Disk /dev/vda: 320 GiB, 343597383680 bytes, 671088640 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: AE99BAB9-D11B-42AD-953B-AE6EFD395064

Device Start End Sectors Size Type
/dev/vda1 2048 4095 2048 1M BIOS boot
/dev/vda2 4096 1028095 1024000 500M Linux filesystem
/dev/vda3 1028096 206548991 205520896 98G Linux filesystem
/dev/vda4 206548992 209713151 3164160 1.5G Linux filesystem

Command (m for help): n
Partition number (5-128, default 5):
First sector (209713152-671088606, default 209713152):
Last sector, +sectors or +size{K,M,G,T,P} (209713152-671088606, default 671088606): +210G

Created a new partition 5 of type 'Linux filesystem' and of size 210 GiB.

Command (m for help): n
Partition number (6-128, default 6):
First sector (650115072-671088606, default 650115072):
Last sector, +sectors or +size{K,M,G,T,P} (650115072-671088606, default 671088606):

Created a new partition 6 of type 'Linux filesystem' and of size 10 GiB.

Command (m for help): t
Partition number (1-6, default 6):
Partition type (type L to list all types): 19

Changed type of partition 'Linux filesystem' to 'Linux swap'.

Command (m for help): p
Disk /dev/vda: 320 GiB, 343597383680 bytes, 671088640 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: AE99BAB9-D11B-42AD-953B-AE6EFD395064

Device Start End Sectors Size Type
/dev/vda1 2048 4095 2048 1M BIOS boot
/dev/vda2 4096 1028095 1024000 500M Linux filesystem
/dev/vda3 1028096 206548991 205520896 98G Linux filesystem
/dev/vda4 206548992 209713151 3164160 1.5G Linux filesystem
/dev/vda5 209713152 650115071 440401920 210G Linux filesystem
/dev/vda6 650115072 671088606 20973535 10G Linux swap

Command (m for help): w
The partition table has been altered.
Syncing disks.

soadmin@securityonion:~$

Now when you run lsblk you see the two new devices, but they haven't been formatted or mounted yet:

soadmin@securityonion:~$ lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
vda 252:0 0 320G 0 disk
+-vda1 252:1 0 1M 0 part
+-vda2 252:2 0 500M 0 part /boot
+-vda3 252:3 0 98G 0 part /
+-vda4 252:4 0 1.5G 0 part /tmp
+-vda5 252:5 0 210G 0 part
+-vda6 252:6 0 10G 0 part
vdb 252:16 0 452K 1 disk
soadmin@securityonion:~$

soadmin@securityonion:~$ lsblk -fs
NAME FSTYPE LABEL UUID MOUNTPOINT
vda1
+-vda
vda2 ext4 d78d36eb-2422-4d12-9ef6-2f3a9cc2bbc7 /boot
+-vda
vda3 ext4 d674d181-67d7-47e0-8279-c9b0d79a5812 /
+-vda
vda4 ext4 1ef99652-1637-41de-97ad-c2b6e5552f70 /tmp
+-vda
vda5
+-vda
vda6
+-vda
vdb iso9660 config-2 2021-07-21-05-51-15-00
soadmin@securityonion:~$

Format the two partitions; one with ext4 and the other as swap:

soadmin@securityonion:~$ sudo mkfs.ext4 /dev/vda5
mke2fs 1.44.1 (24-Mar-2018)
Creating filesystem with 55050240 4k blocks and 13762560 inodes
Filesystem UUID: f964ea40-5302-4295-897a-0dd21a01afc7
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
4096000, 7962624, 11239424, 20480000, 23887872

Allocating group tables: done
Writing inode tables: done
Creating journal (262144 blocks): done
Writing superblocks and filesystem accounting information: done
soadmin@securityonion:~$

soadmin@securityonion:~$ sudo mkswap /dev/vda6
Setting up swapspace version 1, size = 10 GiB (10738442240 bytes)
no label, UUID=06cd83dc-5f56-4d41-9563-d82951178b06
soadmin@securityonion:~$

Now when you run lsblk you can see the UUIDs:

soadmin@securityonion:~$ lsblk -fs
NAME FSTYPE LABEL UUID MOUNTPOINT
vda1
+-vda
vda2 ext4 d78d36eb-2422-4d12-9ef6-2f3a9cc2bbc7 /boot
+-vda
vda3 ext4 d674d181-67d7-47e0-8279-c9b0d79a5812 /
+-vda
vda4 ext4 1ef99652-1637-41de-97ad-c2b6e5552f70 /tmp
+-vda
vda5 ext4 f964ea40-5302-4295-897a-0dd21a01afc7
+-vda
vda6 swap 06cd83dc-5f56-4d41-9563-d82951178b06
+-vda
vdb iso9660 config-2 2021-07-21-05-51-15-00
soadmin@securityonion:~$

Use these UUIDs to populate /etc/fstab:

soadmin@securityonion:~$ sudo nano /etc/fstab
soadmin@securityonion:~$ sudo cat /etc/fstab
/dev/disk/by-uuid/d78d36eb-2422-4d12-9ef6-2f3a9cc2bbc7 /boot ext4 defaults 0 1
/dev/disk/by-uuid/d674d181-67d7-47e0-8279-c9b0d79a5812 / ext4 defaults 0 1
/dev/disk/by-uuid/1ef99652-1637-41de-97ad-c2b6e5552f70 /tmp ext4 defaults 0 1
/dev/disk/by-uuid/f964ea40-5302-4295-897a-0dd21a01afc7 /nsm ext4 defaults 0 1
/dev/disk/by-uuid/06cd83dc-5f56-4d41-9563-d82951178b06 none swap sw 0 0
/swap.img none swap sw 0 0

That last line can be deleted, the swap file is no longer needed now that you have a full swap partition. The final fstab should look like this:

soadmin@securityonion:~$ sudo cat /etc/fstab
/dev/disk/by-uuid/d78d36eb-2422-4d12-9ef6-2f3a9cc2bbc7 /boot ext4 defaults 0 1
/dev/disk/by-uuid/d674d181-67d7-47e0-8279-c9b0d79a5812 / ext4 defaults 0 1
/dev/disk/by-uuid/1ef99652-1637-41de-97ad-c2b6e5552f70 /tmp ext4 defaults 0 1
/dev/disk/by-uuid/f964ea40-5302-4295-897a-0dd21a01afc7 /nsm ext4 defaults 0 1
/dev/disk/by-uuid/06cd83dc-5f56-4d41-9563-d82951178b06 none swap sw 0 0

You can see the no-longer-needed swap.img:

soadmin@securityonion:~$ ls /
bin cdrom etc initrd.img lib lost+found mnt proc run snap swap.img tmp var vmlinuz.old
boot dev home initrd.img.old lib64 media opt root sbin srv sys usr vmlinuz
soadmin@securityonion:~$

But if you try to delete it, you'll get an error because it's being used until you reboot:

soadmin@securityonion:~$ sudo rm /swap.img
rm: cannot remove '/swap.img': Operation not permitted
soadmin@securityonion:~$

So reboot. The new /etc/fstab will no longer refer to this file:

soadmin@securityonion:~$ sudo reboot
Connection to 193.214.171.165 closed by remote host.
Connection to 193.214.171.165 closed.
user@laptop:~$

After the reboot, login again:

user@laptop:~$ ssh soadmin@193.214.171.165
Last login: Wed Jul 21 05:54:37 2021 from 172.127.142.199
soadmin@securityonion:~$

Now if you look at lsblk and fdisk, you'll see the two new items are configured properly:

soadmin@securityonion:~$ lsblk -fs
NAME FSTYPE LABEL UUID MOUNTPOINT
vda1
+-vda
vda2 ext4 d78d36eb-2422-4d12-9ef6-2f3a9cc2bbc7 /boot
+-vda
vda3 ext4 d674d181-67d7-47e0-8279-c9b0d79a5812 /
+-vda
vda4 ext4 1ef99652-1637-41de-97ad-c2b6e5552f70 /tmp
+-vda
vda5 ext4 f964ea40-5302-4295-897a-0dd21a01afc7 /nsm
+-vda
vda6 swap 06cd83dc-5f56-4d41-9563-d82951178b06 [SWAP]
+-vda
vdb iso9660 config-2 2021-07-21-05-51-15-00
soadmin@securityonion:~$

soadmin@securityonion:~$ sudo fdisk -l
[sudo] password for soadmin:
Disk /dev/vda: 320 GiB, 343597383680 bytes, 671088640 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: AE99BAB9-D11B-42AD-953B-AE6EFD395064

Device Start End Sectors Size Type
/dev/vda1 2048 4095 2048 1M BIOS boot
/dev/vda2 4096 1028095 1024000 500M Linux filesystem
/dev/vda3 1028096 206548991 205520896 98G Linux filesystem
/dev/vda4 206548992 209713151 3164160 1.5G Linux filesystem
/dev/vda5 209713152 650115071 440401920 210G Linux filesystem
/dev/vda6 650115072 671088606 20973535 10G Linux swap

Disk /dev/vdb: 452 KiB, 462848 bytes, 904 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
soadmin@securityonion:~$

Again, take a look and see the old swap.img is still there. But it can be deleted. Use rm to remove it, and ls again to verify it is gone:

soadmin@securityonion:~$ ls /
bin cdrom etc initrd.img lib lost+found mnt opt root sbin srv sys usr vmlinuz
boot dev home initrd.img.old lib64 media nsm proc run snap swap.img tmp var vmlinuz.old
soadmin@securityonion:~$ sudo rm /swap.img
soadmin@securityonion:~$ ls /
bin cdrom etc initrd.img lib lost+found mnt opt root sbin srv tmp var vmlinuz.old
boot dev home initrd.img.old lib64 media nsm proc run snap sys usr vmlinuz
soadmin@securityonion:~$

You can run df -h to verify all is well:

soadmin@securityonion:~$ df -h
Filesystem Size Used Avail Use% Mounted on
udev 7.9G 0 7.9G 0% /dev
tmpfs 1.6G 688K 1.6G 1% /run
/dev/vda3 96G 1.7G 90G 2% /
tmpfs 7.9G 0 7.9G 0% /dev/shm
tmpfs 5.0M 0 5.0M 0% /run/lock
tmpfs 7.9G 0 7.9G 0% /sys/fs/cgroup
/dev/vda4 1.5G 4.6M 1.4G 1% /tmp
/dev/vda2 477M 79M 369M 18% /boot
/dev/vda5 206G 61M 196G 1% /nsm
tmpfs 1.6G 0 1.6G 0% /run/user/1000
soadmin@securityonion:~$

Now your hard drives are partitioned ready for Security Onion.

But before installing, let's do a similar fix to the network to prepare for Security Onion's very particular network requirements.

Add a comment

HTML code is displayed as text and web addresses are automatically converted.

Page top