On 08/22/2016 09:56 AM, Paul Schulz wrote:
(Repeated as first attempt didn't go through.)

Greetings,
I have been asked to set up some systems with an encrypted disk
configuration (see below for FAI setup-storage format), essentially two
disks with:
   RAID1(/boot+other) < Crypt(other) < LVM(Root,Home,Swap)

Should I expect this to work? If not, what would need to be done to
include this support in LVM?  Can I run setup-storage multiple times (3
config files)?

Hello there,

Yes, the disk scheme you aim for is feasible. In fact, I did set up a node like that a couple of days ago.


The man page on the website for setup-storage has some formatting
issues:  http://fai-project.org/doc/man/setup-storage.html

The following is my attempt at a configuration file to do this. I have
installed the mdadm, cryptsetup and lvm2 packages in the nfsroot and as
packages to be installed.

What have I missed?
Cheers,
Paul
-----
# Disks: 2x 1TB
# Configuration: RAID1+CRYPTO+LVM

disk_config sda disklabel:msdos bootable:1 fstabkey:uuid
primary -      2G        -     -
logical -      200G-     -     -

disk_config sdb disklabel:msdos bootable:1 fstabkey:uuid
primary -      2G        -     -
logical -      200G-     -     -

disk_config raid
raid1   /boot  sda1,sdb1 ext2 rw,noatime
raid1   -      sda2,sdb2 -    -


Given that /boot is on raid1, make sure GRUB or the bootloader of your choice does indeed understand where to find /boot.

Also, if an extended partition is created for sda and sdb, maybe the usable logical partition will be sda3 and not sda2? You can check what's going on with 'lsblk' and modify the partitions taking part in the raid accordingly, if needed.

# Assumes that previous step created /dev/md0,/dev/md1
disk_config cryptsetup                                     luks md1_crypt 
/dev/md1 lvm - -

I assume you intended to write

disk_config cryptsetup
luks md1_crypt /dev/md1 lvm - -

I am not really sure if the above syntax will create /dev/mapper/md1_crypt _or_ /dev/md1_crypt. Perhaps try specifying the full path just to be sure. If you don't specify any preferred name, '/dev/mapper/crypt_dev_md1' will be created.

# Assumes the previous step created /dev/mapper/md1_crypt   disk_config lvm
vg Base mapper/md1_crypt
Base-Swap   swap   8G    swap sw
Base-Root   /      40G   ext4 rw,noatime
Base-Home   /home  100G- ext4 rw,noatime

I also assume you intended to write

disk_config lvm
vg Base mapper/md1_crypt
Base-Swap   swap   8G    swap sw
Base-Root   /      40G   ext4 rw,noatime
Base-Home   /home  100G- ext4 rw,noatime

This seems like a working syntax to me, as long as you make sure '/dev/mapper/md1_crypt' is really created.

Based on a working disk_config of mine, I argue that the following would work for you:


disk_config sda disklabel:msdos bootable:1 fstabkey:uuid
primary -      2G        -     -
logical -      200G-     -     -

disk_config sdb disklabel:msdos bootable:1 fstabkey:uuid
primary -      2G        -     -
logical -      200G-     -     -

disk_config raid fstabkey:uuid
raid1   /boot  sda1,sdb1 ext2 rw,noatime
raid1   -      sda3,sdb3 -    -

disk_config cryptsetup
luks - md1 lvm - -

disk_config lvm
vg Base md1
Base-Swap   swap   8G    swap sw
Base-Root   /      40G   ext4 rw,noatime
Base-Home   /home  100G- ext4 rw,noatime

Hope I helped,
Greetings
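
The 'lsblk' check suggested above can be automated after an install. The following is an added example, not part of the original thread and not FAI code: it walks `lsblk -J -o NAME,TYPE,MOUNTPOINT` output and reports every mount that has no crypt layer beneath it, plus any crypt device not sitting directly on a raid1 array. The sample JSON and all device names in it are constructed.

```python
import json

# Constructed sample of `lsblk -J -o NAME,TYPE,MOUNTPOINT` for the intended
# RAID1 > crypt > LVM layout (one disk shown; device names are assumptions).
SAMPLE = """
{"blockdevices": [
 {"name": "sda", "type": "disk", "mountpoint": null, "children": [
  {"name": "sda1", "type": "part", "mountpoint": null, "children": [
   {"name": "md0", "type": "raid1", "mountpoint": "/boot"}]},
  {"name": "sda2", "type": "part", "mountpoint": null},
  {"name": "sda5", "type": "part", "mountpoint": null, "children": [
   {"name": "md1", "type": "raid1", "mountpoint": null, "children": [
    {"name": "crypt_dev_md1", "type": "crypt", "mountpoint": null, "children": [
     {"name": "Base-Swap", "type": "lvm", "mountpoint": "[SWAP]"},
     {"name": "Base-Root", "type": "lvm", "mountpoint": "/"},
     {"name": "Base-Home", "type": "lvm", "mountpoint": "/home"}]}]}]}]}
]}
"""

def audit(tree):
    """Return (unencrypted, crypt_not_on_raid1).

    unencrypted: mountpoints (including [SWAP]) with no crypt device in
    their chain of parents. crypt_not_on_raid1: crypt devices whose direct
    parent is not a raid1 array.
    """
    unencrypted, bad_crypt = set(), set()

    def walk(node, ancestors):
        chain = [a["type"] for a in ancestors] + [node["type"]]
        mountpoint = node.get("mountpoint")
        if mountpoint and "crypt" not in chain:
            unencrypted.add(mountpoint)
        if node["type"] == "crypt":
            if not ancestors or ancestors[-1]["type"] != "raid1":
                bad_crypt.add(node["name"])
        for child in node.get("children", []):
            walk(child, ancestors + [node])

    for device in tree["blockdevices"]:
        walk(device, [])
    return sorted(unencrypted), sorted(bad_crypt)

if __name__ == "__main__":
    unencrypted, bad_crypt = audit(json.loads(SAMPLE))
    # For the layout in this thread only /boot should be listed here.
    print("not behind crypt:", unencrypted)
    print("crypt not on raid1:", bad_crypt)
```

On an installed node, feed it the real output of `lsblk -J -o NAME,TYPE,MOUNTPOINT` instead of the sample; anything other than /boot in the first list means a filesystem or swap ended up outside the LUKS container.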
