[gentoo-user] LVM on LUKS

[gentoo-user] LVM on LUKS

[Florian Philipp]

[-- Attachment #1: Type: text/plain, Size: 634 bytes --]

Hi list!

I'm building a new Gentoo system (notebook) and want to rearrange a few
things. I thought it would be good to have the following layout:

 - boot on a normal partition
 - root on a normal partition
 - one big encrypted partition (dmcrypt / LUKS)
 - on that partition an LVM volume group
 - on that volume group all stuff not necessary for booting: home, var,
tmp, etc.

AFAIK, the Gentoo boot process is organized so that LVM gets stated
before dmcrypt is started. I would need it vice versa.

Is that possible with baselayout-1? Do I need to switch to baselayout-2?

Thanks in advance!
Florian Philipp


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 262 bytes --]

Re: [gentoo-user] LVM on LUKS

[Alex Schuster]

Florian Philipp writes:

> I'm building a new Gentoo system (notebook) and want to rearrange a few
> things. I thought it would be good to have the following layout:
> 
>  - boot on a normal partition
>  - root on a normal partition
>  - one big encrypted partition (dmcrypt / LUKS)
>  - on that partition an LVM volume group
>  - on that volume group all stuff not necessary for booting: home, var,
> tmp, etc.
> 
> AFAIK, the Gentoo boot process is organized so that LVM gets stated
> before dmcrypt is started. I would need it vice versa.
> 
> Is that possible with baselayout-1? Do I need to switch to
> baselayout-2?

I don't know yet if this is possible with baselayout-2. I am using both 
methods, but the way you like it had to be hacked a little. Look for the 
thread "Self created initramfs cannot work" from June 2009, Dirk Heinrichs 
talks about his initfs approach. It's similar to an initramfs, but all the 
stuff is simply on the boot partition. It did not work out of the box (for 
me), and I never got around to really debug this, but it's sort of 
working, and has support for opening LUKS partitions. I think it's a cool 
idea, simpler than an initramfs and no need for cpio and its options I 
always have to look up. Having the root partition encrypted is also not 
problem with this setup.

The advantage is that only one LUKS partiton has to be opened. My desktop 
system does it the Gentoo way, but it has 23 encrypted LVMs (nicluding 
root), which takes quite a while to open. I made it a lot faster by 
opening them all in parallel (addig a & at the right location in 
/lib/rcscripts/addons/dm-crypt-start.sh), still it's much longer than with 
a single LUKS partition. I don't care much about it as the PC is running 
all the time, or uses tuxonice, so I seldomly reboot.

But apart from the longer boot time, I find this approach simpler. Why do 
you like it the other way around?

	Wonko

Re: [gentoo-user] LVM on LUKS

[Kacper Kopczyński]

Dnia 2010-08-07, o godz. 11:48:34
Florian Philipp <lists@f_philipp.fastmail.net> napisał(a):

> Hi list!
> 
> I'm building a new Gentoo system (notebook) and want to rearrange a
> few things. I thought it would be good to have the following layout:
> 
>  - boot on a normal partition
>  - root on a normal partition
>  - one big encrypted partition (dmcrypt / LUKS)
>  - on that partition an LVM volume group
>  - on that volume group all stuff not necessary for booting: home,
> var, tmp, etc.
> 
> AFAIK, the Gentoo boot process is organized so that LVM gets stated
> before dmcrypt is started. I would need it vice versa.
> 
> Is that possible with baselayout-1? Do I need to switch to
> baselayout-2?
> 
> Thanks in advance!
> Florian Philipp
> 

I've made my own initramfs to boot.

/boot	is a separate partition with ext2, grub, bzImage and
	initramfs
/	is ext4 on logical volume on encrypted container
	[ext4:lvm:luks:sda2]
swap	is on another logical volume, next to /

I used two links as hints to build it:
http://jootamam.net/howto-initramfs-image.htm
http://jootamam.net/howto-basic-cryptsetup.htm

It's important to have all libraries copied to initramfs or to make all
binaries static (ldd). Some time ago I had dropbear in initramfs to
help booting headless server. Watch out for pivot_root restriction of
PID == 1.

-- 
Kacper Kopczyński

Re: [gentoo-user] LVM on LUKS

[Neil Bothwick]

[-- Attachment #1: Type: text/plain, Size: 513 bytes --]

On Sat, 07 Aug 2010 11:48:34 +0200, Florian Philipp wrote:

>  - boot on a normal partition
>  - root on a normal partition
>  - one big encrypted partition (dmcrypt / LUKS)
>  - on that partition an LVM volume group
>  - on that volume group all stuff not necessary for booting: home, var,
> tmp, etc.

Just use a small (300MB-ish) root partition with no separate boot and
everything else on the LVM.


-- 
Neil Bothwick

If you think that there is good in everybody, you haven't met everybody.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 198 bytes --]

Re: [gentoo-user] LVM on LUKS

[Florian Philipp]

[-- Attachment #1: Type: text/plain, Size: 1753 bytes --]

Am 07.08.2010 11:48, schrieb Florian Philipp:
> Hi list!
> 
> I'm building a new Gentoo system (notebook) and want to rearrange a few
> things. I thought it would be good to have the following layout:
> 
>  - boot on a normal partition
>  - root on a normal partition
>  - one big encrypted partition (dmcrypt / LUKS)
>  - on that partition an LVM volume group
>  - on that volume group all stuff not necessary for booting: home, var,
> tmp, etc.
> 
> AFAIK, the Gentoo boot process is organized so that LVM gets stated
> before dmcrypt is started. I would need it vice versa.
> 
> Is that possible with baselayout-1? Do I need to switch to baselayout-2?
> 
> Thanks in advance!
> Florian Philipp
> 

Thanks everyone for your suggestions! However, I decided against using
them for basically two reasons:

1. I want to keep it simple and safe and there are few things more
troublesome than a system which cannot even mount its root.

Therefore I keep root on a normal partition while everything with
possibly valuable information (tmp, var, home, srv) gets encrypted. opt
and usr/local will follow, if necessary.

It is also my reason for not using an initrd.

2. I want as few single points of failure as possible on my system. A
key file would be such a point. Granted, a single volume with a
passphrase is also a SPOF - but one which is less likely to fall prey to
an rm -rf *. (Okay, I have a backup, but I would like to avoid using it ;) )

Long story short: In the end, I tried baselayout-2 and it works like a
charm. I just configured /etc/conf.d/dmcrypt, added dmcrypt to runlevel
sysinit and then (just for good measure, don't think it's necessary)
added 'rc_dmcrypt_before="lvm"' to /etc/rc.conf.



[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 262 bytes --]