Partitioning requirements for FreePBX 17 installs

I need to build a CIS benchmarked image for FreePBX 17 installation.

What are the specific partitioning requirements for FreePBX 17? I know I can install it in a massive rootdir, but that isn’t what I need.

I need to know what the minimum and recommended space requirements are for subdirectories under /var, /usr, /usr/local, et al. that FreePBX requires. If someone already knows this, it would save me some time having to profile several systems to get a general idea of what those requirements could be.

Are there directory permission requirements? I’ve had some applications choke when I restricted permissions in /var subdirectories.

From a base install of FreePBX 17 (Ubuntu 22.04 min)

root@freepbxdev17:~# du -sh /var/
4.5G    /var/
root@freepbxdev17:~# du -sh /usr --exclude=/usr/local
4.3G    /usr
root@freepbxdev17:~# du -sh /usr/local
3.1M    /usr/local
root@freepbxdev17:~# du -sh /boot
113M    /boot
root@freepbxdev17:~# du -sh /home
58M     /home
root@freepbxdev17:~# du -sh /
17G     /

This is a pretty bare minimum system so some of these numbers will be low. I have been bitten in the posterior a few times for under-sizing, but I tend to do a lot of dev work. I would say at a minimum you probably want 80G and there will be a good deal more in /var than I have above. That will contain all of your call recordings, voicemails, some temp files, your database, etc. So that is one place I would focus capacity.

Audio Storage

Estimate average audio storage of about 536KB/minute. Size depends on codec and could generally range from 150KB/minute on the conservative side to about 923Kb/minute on the higher end.

Permissions

For permissions, this was generally derived from “fwconsole chown”. Note that command is hookable and other files will ask for their own files to be changed. These are just the baseline if no other modules add on.

Summary of Files and Permissions

| Path | Type | Permissions | Owner/Group | Notes |
|---|---|---|---|---|
| /var/lib/asterisk/moh | rdir | 0755/0644 | asterisk/asterisk | Recursive, files lose execute bit |
| /var/lib/asterisk/sounds | rdir | 0755/0644 | asterisk/asterisk | Recursive, removes dangling symlinks |
| /var/log/asterisk | rdir | 0755/0644 | asterisk/asterisk | Recursive |
| /var/spool/asterisk | rdir | 0755/0644 | asterisk/asterisk | Recursive |
| /var/www/html | rdir | 0755/0644 | asterisk/asterisk | Recursive |
| /var/lib/php/session | rdir | 0774/0664 | asterisk/asterisk | Recursive |
| /etc/amportal.conf | file | 0660 | asterisk/asterisk | Single file |
| /etc/freepbx.conf | file | 0660 | asterisk/asterisk | Single file |
| /var/run/asterisk | rdir | 0775/0664 | asterisk/asterisk | Recursive |
| /var/lib/asterisk/keys | rdir | 0775/0664 | asterisk/asterisk | GPG directory |
| /etc/asterisk | rdir | 0775/0664 | asterisk/asterisk | Recursive |
| /var/lib/asterisk/.ssh/id_rsa | file | 0600 | asterisk/asterisk | SSH key |
| /var/log/asterisk/freepbx_dbug | file | 0664 | asterisk/asterisk | Debug log |
| /var/log/asterisk/freepbx.log | file | 0664 | asterisk/asterisk | Main log |
| /etc/obdc.ini | file | 0664 | asterisk/asterisk | ODBC config |
| /var/lib/asterisk/bin | execdir | 0775 | asterisk/asterisk | Recursive, retains execute bit |
| /var/lib/asterisk/agi-bin | execdir | 0775 | asterisk/asterisk | Recursive, retains execute bit |
| /var/www/html/admin/modules/&lt;mod&gt;/&lt;bin&gt; | execdir | 0755 | asterisk/asterisk | Per module, if exists |
| /home/asterisk | rdir | 0755/0644 | asterisk/asterisk | If exists |
| /home/asterisk/.ssh | rdir | 0700/0600 | asterisk/asterisk | If exists |

Deriving permission changes

You can get a permission snapshot

find / -exec stat -c "%n %a %U %G" {} + > permissions_snapshot.txt 2>/dev/null

Run fwconsole chown
Do a second snapshot

find / -exec stat -c "%n %a %U %G" {} + > permissions_snapshot2.txt 2>/dev/null

Then compare them

diff permissions_snapshot.txt permissions_snapshot2.txt
1 Like
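
An added example, not part of the post above or of FreePBX: a plain diff of two whole-filesystem snapshots is noisy, so this helper reports only the paths whose mode, owner or group differ between them. The name perm_changes and the decision to skip /proc and /sys are assumptions made for this example; paths containing newlines are not handled.

```sh
#!/bin/sh
# perm_changes BEFORE AFTER
# Compares two snapshots written by: stat -c "%n %a %U %G"
# Prints tab-separated records: STATUS, path, old "mode user group", new one.
# Hypothetical helper for illustration; not shipped with FreePBX.
perm_changes() {
    awk '
        # The last three space-separated tokens are mode, user and group.
        # Everything before them is the path, which may contain spaces.
        function parse(line) {
            if (!match(line, / [0-7]+ [^ ]+ [^ ]+$/)) return 0
            cur_path = substr(line, 1, RSTART - 1)
            cur_meta = substr(line, RSTART + 1)
            # Assumption: /proc and /sys churn between any two runs, skip them.
            if (cur_path ~ /^\/(proc|sys)(\/|$)/) return 0
            return 1
        }
        # First file: remember the metadata recorded for each path.
        FILENAME == ARGV[1] { if (parse($0)) before[cur_path] = cur_meta; next }
        # Second file: report paths that are new or whose metadata changed.
        parse($0) {
            if (!(cur_path in before))
                printf "ADDED\t%s\t-\t%s\n", cur_path, cur_meta
            else if (before[cur_path] != cur_meta)
                printf "CHANGED\t%s\t%s\t%s\n", cur_path, before[cur_path], cur_meta
        }
    ' "$1" "$2" | LC_ALL=C sort
}

# Usage with the snapshot files named in the post:
#   perm_changes permissions_snapshot.txt permissions_snapshot2.txt
```

The CHANGED records are the ones to reconcile against a hardening baseline, since they show exactly what fwconsole chown resets.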

Are you referring to the Center for Internet Security?

Minimum in Sangoma’s new v17 FPBX ISO is 30G for a multi-partition install. But you could get by with less using the shell installer. Here’s a video from AstriCon last month, fast-forwarded to discussion at 18m48s about out-of-box drive space utilization on a v16 and v17 side-by-side slide:

But once the shrink wrap is off, things change! :wrapped_gift:

For example, if you do any call recording - even voicemail - then the first potential candidate for a partition that you’ll probably want to handle differently than a vanilla Linux installation would be /var/spool/. This attention to detail is precisely what we’ve demonstrated in the new FreePBX 17 ISO released last month. Below, you can see some of the details by reviewing the partman recipe portion of the Debian preseed setup we put together as part of Sangoma’s open source release of not only the new ISO but also the script used to generate the ISO:

…that might be hard to grok at first glance, but the “sngfd12” repo in the FreePBX GitHub contains an Ansible role that uses the above JINJA2 template to generate a number of partman recipe preseed files that are used to dynamically allocate partition sizes at installation time based on disk size, number of disks, and user choice of “spice level” at the GRUB/ISOLINUX bootloader screens; plus some lvresize adjustments near the end of the install in the sng_late_command. Here’s what that looks like practically as one example (as presented at AstriCon last month - same video as above, but fast-forwarded to a different start time 31m23s):

All of that said, and shown, the above does not seem to be CIS-related (?) Anyhow.

As you may have noticed in the above preseed_partman_recipe.j2 file, several partitions are mounted with reasonably-secure defaults such as “noexec” on /tmp and /var/tmp. This might be some of what you are looking for?

As for directory permissions, FreePBX has a long history of providing integrated services at low levels between processes using standard user/group separation. When there are issues, such as too much separation in pursuit of more secure isolation of services :wink: the fwconsole chown command (official documentation) usually cleans that up sufficiently at the file and directory level to make things “just work.”
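
An added example, not part of the post above or of the FreePBX ISO tooling: one way to confirm on a built image that /tmp and /var/tmp are separate mounts carrying noexec, by reading a /proc/mounts-format file. The function name missing_noexec is an assumption made for this example.

```sh
#!/bin/sh
# missing_noexec MOUNTS_FILE MOUNTPOINT...
# Prints one tab-separated line per mount point that fails the check:
#   <mountpoint> not-a-separate-mount
#   <mountpoint> noexec-missing <options actually in effect>
# Prints nothing when every listed mount point is mounted with noexec.
# Hypothetical helper for illustration; not shipped with FreePBX.
missing_noexec() {
    mounts=$1
    shift
    for mp in "$@"; do
        # /proc/mounts fields: device mountpoint fstype options dump pass.
        # Keep the last matching line, because a later mount on the same
        # path shadows any earlier one.
        opts=$(awk -v mp="$mp" '$2 == mp { o = $4 } END { print o }' "$mounts")
        if [ -z "$opts" ]; then
            printf '%s\tnot-a-separate-mount\n' "$mp"
            continue
        fi
        # Wrap in commas so "noexec" only matches as a whole option.
        case ",$opts," in
            *,noexec,*) ;;
            *) printf '%s\tnoexec-missing\t%s\n' "$mp" "$opts" ;;
        esac
    done
}

# Usage on a running system:
#   missing_noexec /proc/mounts /tmp /var/tmp
```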