How To: Partition Rocky Linux 9 or Ubuntu LTS VMs for Container Workloads

How To: Partition Rocky Linux 9 or Ubuntu LTS VMs for Container Workloads

Purpose: Standardize new VM builds for containerized workloads with clean OS/data separation, LVM growth headroom, and Docker data isolated from the root filesystem.
Applies To: Rocky Linux 9, Ubuntu LTS, UEFI-booted VMs, single system disk starting at 128GB, optional secondary disk or LVM-backed data volume.
Last Updated: 2026-05-30
Difficulty: Intermediate to advanced

Overview

This layout assumes a UEFI VM with one primary system disk and a separate storage target for container data, either as a second virtual disk or as an LVM logical volume. The main design goal is to keep the OS stable and small while giving Docker a dedicated filesystem under /data/docker so container growth does not fill / or /var.12

The partitioning pattern below favors practical separation over maximal fragmentation. /var gets isolated because logs, package caches, and container-related state can grow quickly; /tmp gets hardening flags because it is a common abuse target; /home is separated mainly for user isolation and simpler rebuilds; and /data becomes the standardized landing zone for Docker and any adjacent app state. Mount hardening options like nodev, nosuid, and noexec are widely recommended for scratch-like filesystems such as /tmp, while noatime is a common performance-oriented choice for data volumes.34

Prerequisites

Before you start, assume the VM will have 8GB RAM initially and may later grow to 16GB or more. Use LVM so logical volumes can be expanded without redesigning the disk layout, and leave unallocated space in the volume group for future growth.5

Use XFS on Rocky Linux where that is the typical default, and use either ext4 or XFS on Ubuntu depending on site standard and operational preference. XFS remains a common default on RHEL-family systems and is a solid fit for VM and container-host filesystems.6

Have the following ready:

Step-by-Step Instructions

On the 128GB primary disk, keep boot partitions outside LVM and place everything else into one VG, such as vg0. A practical layout is:

A practical 128GB example for 8–16GB RAM is:

Mount Size Notes
/boot/efi 512MB UEFI system partition.
/boot 1GB Use 2GB if more kernel headroom is preferred.
lv_root 20GB Enough for a lean OS, agents, and base tooling.
lv_var 15GB Logs, package state, caches, and service runtime growth.
lv_tmp 4GB Scratch space with restrictive mount options.
lv_home 5GB Small because these VMs are not user workstations.
lv_swap 8GB Reasonable default for 8–16GB RAM VMs.
VG free space ~40–50GB Reserved for future growth.

If a separate data disk or dedicated lv_data is available, do not consume all remaining VG space for the initial build. Keeping a meaningful amount of VG free space makes it straightforward to extend /, /var, or /home later without touching partition tables.

2) Why these splits matter

Separating /var protects the root filesystem from log storms, package cache growth, and service state churn. Separating /tmp allows restrictive mount options and keeps temporary-file abuse away from /, while separating /home simplifies rebuilds, user isolation, and policy control.

This is not about blindly following a benchmark. It is about limiting blast radius on small-to-medium container hosts where operational failure is usually caused by uncontrolled growth in exactly these paths.

3) Data volume for Docker

Use either a second disk such as /dev/sdb1 or a dedicated LVM logical volume such as /dev/vg0/lv_data as the single storage backend for container data. Standardize on mounting this filesystem at /data, then place Docker data under /data/docker so the container graph, writable layers, and local volumes do not compete with the OS filesystem.12

Filesystem choice:

Recommended mount options:

⚠️ WARNING: Do not let Docker, image caches, and persistent volumes live on the root filesystem unless the VM is intentionally disposable.

4) Example /etc/fstab

Below is a concrete example using LVM paths. Use UUIDs for the EFI partition, /boot, and standalone partitions or disks; using /dev/vg0/lv_name for LVM logical volumes is common, readable, and operationally acceptable.

# <fs>                <mountpoint>  <type>  <options>                         <dump> <pass>
UUID=EFI-UUID          /boot/efi     vfat    umask=0077,shortname=winnt        0      2
UUID=BOOT-UUID         /boot         xfs     defaults                          0      2
/dev/vg0/lv_root       /             xfs     defaults                          0      1
/dev/vg0/lv_var        /var          xfs     defaults                          0      2
/dev/vg0/lv_tmp        /tmp          xfs     defaults,nodev,nosuid,noexec      0      2
/dev/vg0/lv_home       /home         xfs     defaults                          0      2
/dev/vg0/lv_swap       none          swap    sw                                0      0
/dev/vg0/lv_data       /data         xfs     defaults,noatime                  0      2

On Ubuntu, ext4 is equally reasonable for /boot, /, /var, /tmp, /home, and /data if that is the local standard. On Rocky Linux, XFS remains the conservative default for the main filesystems and for /data.6

Verification

Verify the filesystem layout after provisioning or first boot:

lsblk -f
findmnt / /var /tmp /home /data /boot /boot/efi
swapon --show

Confirm mount options and capacity where it matters:

findmnt /tmp
findmnt /data
df -h / /var /data
vgs
lvs -a -o +devices

Expected characteristics:

Troubleshooting

If the VM boots into emergency mode after editing /etc/fstab, the usual cause is an incorrect UUID, LV path, or filesystem type. Validate fstab entries with mount -a before rebooting, and confirm devices and filesystem signatures with lsblk -f and blkid.

On Rocky Linux, if SELinux is enforcing and a new mount under /data will host service-managed content, restore or define the appropriate context after creating directories. A conservative first step is:

restorecon -RFv /data

If /tmp is mounted with noexec, expect badly behaved installers or ad hoc scripts to fail when they try to execute from /tmp. That behavior is intentional; redirect temporary build or installer work to another path if necessary.

Security Considerations

Keep nodev, nosuid, and noexec on /tmp because temporary storage should not behave like a general execution surface.37 Do not apply noexec to /home by default unless there is a specific policy reason and a clear understanding of the operational impact.

The most useful security control in this layout is isolation by function. Separating /var and container data from / limits the blast radius of log floods, runaway cache growth, and storage abuse from application workloads.

Notes/Tips

Use swap conservatively on these VMs; 8GB is a good default for 8–16GB RAM unless workload-specific behavior suggests otherwise.5 Leave free space in the VG on day one instead of allocating everything immediately, because extending an LV later is easier than reclaiming badly sized filesystems.

For a repeatable homelab pattern, keep the system disk focused on the OS and use /data as the only approved landing zone for container persistence. That simplifies monitoring, backup targeting, growth planning, and migration across hypervisors.

89121011371213141516171841920216222324

  1. https://diegocarrasco.com/change-docker-data-directory-vps-optimization/  2 3

  2. https://www.reddit.com/r/docker/comments/16xg1j1/moving_root_directory_docker/  2 3

  3. https://www.ibm.com/docs/en/z-logdata-analytics/5.1.0?topic=software-relocating-docker-root-directory  2 3 4

  4. https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707  2 3

  5. https://oneuptime.com/blog/post/2026-03-04-noatime-nodiratime-mount-options-performance-rhel-9/view  2

  6. https://www.facebook.com/groups/linuxh/posts/6901273379934054/  2 3 4

  7. https://forums.rockylinux.org/t/why-is-most-of-my-ssd-lvm/13135  2 3

  8. https://forums.rockylinux.org/t/default-root-partition-size-in-cloud-image-lvm/14823 

  9. https://support-desk.iij.us/hc/en-us/articles/24252170440987-Extend-RockyLinux9-LVM-with-xfs-partition 

  10. https://www.youtube.com/watch?v=LBrjy4QiHuQ 

  11. https://community.opendronemap.org/t/how-to-specify-different-root-directory-for-docker-on-linux/12061 

  12. https://forums.rockylinux.org/t/cant-boot-after-moving-all-partitions/16052 

  13. https://stackoverflow.com/questions/43689271/wheres-dockers-daemon-json-missing 

  14. https://forum.endeavouros.com/t/setting-noexec-nodev-nosuid-mount-parameters-for-home-partition/7618 

  15. https://forum.openmediavault.org/index.php?thread%2F5959-mounting-tmp-with-nodev-nosuid-noexec%2F 

  16. https://www.baeldung.com/linux/etc-fstab-mount-options 

  17. https://www.tenable.com/audits/items/CIS_Ubuntu_18.04_LTS_Server_v2.1.0_L1.audit:e5449fe2177664ccb3fec4c4bd645f75 

  18. https://github.com/cockroachdb/docs/issues/10630 

  19. https://www.reddit.com/r/linuxadmin/comments/ekzbi0/should_i_set_security_mount_options_for/ 

  20. https://www.tenable.com/audits/items/CIS_Amazon_Linux_2_STIG_v2.0.0_L1_Server.audit:c63f57da161368c2192076e103a9d820 

  21. https://bbs.archlinux.org/viewtopic.php?id=79283 

  22. https://www.reddit.com/r/sysadmin/comments/1fjamf0/recommended_mount_flags_for_storage_devices_on/ 

  23. https://forums.rockylinux.org/t/need-to-migrate-all-logical-volumes-from-one-mbr-rocky-9-host-ssd-to-a-new-rocky-9-install-on-another-host-ssd-going-from-mbr-to-uefi-w-xfs/14142 

  24. https://forums.rockylinux.org/t/recommended-partition-scheme-for-rocky-linux-9-1/9616