Hardware RAID and Security Onion

[Rennilon]

I am trying to stand up a SO on some old hardware that I have. I have 3 servers and am deploying in a distributed architecture on the latest version and using the ISO.

The Forward and Sensor Servers each have 4 drives. 1x 150GB SSD and 3x 4TB HDDs.

I planned on getting the 3 HDDs into a RAID 5 and use that for /nsm, but I can't seem to get that working.

I'm trying to determine if my issue is on the hardware/Intel RAID controller side, or on the SO installer/OS side (I'm a novice when it comes to RAIDs).

So I guess my first question is: Does SO and Oracle Linux support detecting and installing /nsm on a BIOS setup RAID?

What I am seeing now is that I boot, go to the RAID configuration screen, put the 3 HDDs into a RAID 5 (Also tried RAID 0), then boot to a USB with the ISO. During the install, it doesn't show the 3 drives in a RAID, but shows all 4 drives.

In the past, I had just installed /NSM wherever, then once installation was complete, I'd go into the OS and virtualize the 3 disks and move /nsm to span them all. Am I going to have to do something like that here? I assume the RAID being configured beneath the OS would be preferred.

Any help appreciated!

[petiepooo]

I have been running a similar setup on Dell hardware for several years. Dell uses the PERC (PowerEdge RAID Controller), which is really just a rebranded LSI card. I use the Linux perccli64 command to configure it at the command-line. When installing the OS, it shows the RAID volume as a device, not the individual drives.

You mentioned your RAID controller is by Intel. They have full featured and entry level cards, and I suspect the entry level card is FakeRAID, requiring drivers on the OS for it to work. This would be similar to the soft-modems from years back that required OS support to work but were cheaper than a fully capable serial modem. Is your controller model a RMS3HC080 or RS3WC080, one of the two shown as entry level here?

FakeRAID is supposed to be well supported on Linux. Perhaps there's a way to install those drivers during the ISO installation following something similar to this RHEL doc.

[Rennilon]

Learning and still info gathering on this. I believe I've been trying to use the embedded raid controller. I didn't see a card in the server other than the NICs. The boot menu even sees the raid drive as a single one, just not the SO installer. So that is a driver issue on the linux side?

[petiepooo]

I'm not sure. I've had mixed luck with those kinds of RAID controllers and try to stick to the full featured ones with NVRAM.

You may want to skip FakeRAID entirely, configure your disks as non-RAID in BIOS, and use the installer to create your RAID volume via mdadm. There's a guide for installing to RAID1 here, but it isn't clear if it also works for other RAID levels, and you'd have different mountpoints than what they say anyway.

Software RAID can have issues with parity RAID levels like RAID5 if you lose power. Read what this guide says about the "write hole" for further details. I cannot say if FakeRAID avoids that; AFAIK, the only way to avoid it entirely is to use a RAID controller with NVRAM for caching writes.

Assuming you're using the SSD for the OS, and that's not redundant, you may want to forego disk redundancy all together and stripe (RAID0) the three HDDs into a 12TB volume for /nsm.

[Rennilon]

I went down this route. Installed everything on SDD, then used MDADM after installation to create the RAID and move nsm over to it.