Re: [gentoo-user] LVM on LUKS
On 07.08.2010 11:48, Florian Philipp wrote:
> Hi list!
>
> I'm building a new Gentoo system (notebook) and want to rearrange a few
> things. I thought it would be good to have the following layout:
> - boot on a normal partition
> - root on a normal partition
> - one big encrypted partition (dmcrypt / LUKS)
> - on that partition an LVM volume group
> - on that volume group all stuff not necessary for booting: home, var, tmp, etc.
>
> AFAIK, the Gentoo boot process is organized so that LVM gets started before
> dmcrypt is started. I would need it vice versa. Is that possible with
> baselayout-1? Do I need to switch to baselayout-2?
>
> Thanks in advance!
> Florian Philipp

Thanks everyone for your suggestions! However, I decided against using them for basically two reasons:

1. I want to keep it simple and safe, and there are few things more troublesome than a system which cannot even mount its root. Therefore I keep root on a normal partition while everything with possibly valuable information (tmp, var, home, srv) gets encrypted. opt and usr/local will follow, if necessary. It is also my reason for not using an initrd.

2. I want as few single points of failure as possible on my system. A key file would be such a point. Granted, a single volume with a passphrase is also a SPOF - but one which is less likely to fall prey to an rm -rf *. (Okay, I have a backup, but I would like to avoid using it ;) )

Long story short: In the end, I tried baselayout-2 and it works like a charm. I just configured /etc/conf.d/dmcrypt, added dmcrypt to runlevel sysinit and then (just for good measure, don't think it's necessary) added 'rc_dmcrypt_before=lvm' to /etc/rc.conf.
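An added example (not code from the thread) showing what the setup Florian describes looks like as concrete files: the dmcrypt stanza for the LUKS container, the rc.conf ordering override, and an fstab with root and boot on plain partitions and the logical volumes inside the container. It writes everything under a prefix directory so it can be inspected before being copied to /; the device names (/dev/sda1..3), the volume group and logical volume names (vg, home/var/tmp/srv) and the mount options are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Device, VG and LV names are constructed.
set -eu

write_luks_lvm_config() {
    prefix="${1:-/tmp/luks-lvm-example}"
    mkdir -p "$prefix/etc/conf.d"

    # /etc/conf.d/dmcrypt: one stanza per LUKS container. Without a key= line
    # OpenRC prompts for the passphrase at boot, so there is no key file that
    # could be lost or copied (Florian's second reason above).
    cat > "$prefix/etc/conf.d/dmcrypt" <<'EOF'
# constructed example: /dev/sda3 is the single LUKS container holding the VG
target=crypt-lvm
source='/dev/sda3'
EOF

    # /etc/rc.conf: run dmcrypt before lvm so the physical volume already
    # exists when the VG is scanned (baselayout-2 / OpenRC dependency override).
    printf 'rc_dmcrypt_before="lvm"\n' >> "$prefix/etc/rc.conf"

    # /etc/fstab: / and /boot stay on plain partitions, so a failed unlock
    # still leaves a bootable system; only the data volumes sit in the container.
    cat > "$prefix/etc/fstab" <<'EOF'
/dev/sda1           /boot  ext2  noauto,noatime        1 2
/dev/sda2           /      ext4  noatime               0 1
/dev/mapper/vg-home /home  ext4  noatime               0 2
/dev/mapper/vg-var  /var   ext4  noatime               0 2
/dev/mapper/vg-tmp  /tmp   ext4  noatime,nodev,nosuid  0 2
/dev/mapper/vg-srv  /srv   ext4  noatime               0 2
EOF
    echo "$prefix"
}

# Check that a dmcrypt target is defined and that rc.conf orders it before lvm.
check_ordering() {
    prefix="$1"
    grep -q '^target=' "$prefix/etc/conf.d/dmcrypt" &&
    grep -q '^rc_dmcrypt_before="lvm"' "$prefix/etc/rc.conf"
}

# On the real system, after copying the files into place, enable the services
# (Florian put dmcrypt in sysinit):  rc-update add dmcrypt sysinit
```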
[gentoo-user] LVM on LUKS
Hi list!

I'm building a new Gentoo system (notebook) and want to rearrange a few things. I thought it would be good to have the following layout:
- boot on a normal partition
- root on a normal partition
- one big encrypted partition (dmcrypt / LUKS)
- on that partition an LVM volume group
- on that volume group all stuff not necessary for booting: home, var, tmp, etc.

AFAIK, the Gentoo boot process is organized so that LVM gets started before dmcrypt is started. I would need it vice versa. Is that possible with baselayout-1? Do I need to switch to baselayout-2?

Thanks in advance!
Florian Philipp
Re: [gentoo-user] LVM on LUKS
Florian Philipp writes:
> I'm building a new Gentoo system (notebook) and want to rearrange a few
> things. I thought it would be good to have the following layout:
> - boot on a normal partition
> - root on a normal partition
> - one big encrypted partition (dmcrypt / LUKS)
> - on that partition an LVM volume group
> - on that volume group all stuff not necessary for booting: home, var, tmp, etc.
>
> AFAIK, the Gentoo boot process is organized so that LVM gets started before
> dmcrypt is started. I would need it vice versa. Is that possible with
> baselayout-1? Do I need to switch to baselayout-2?

I don't know yet if this is possible with baselayout-2. I am using both methods, but the way you like it had to be hacked a little.

Look for the thread "Self created initramfs cannot work" from June 2009; Dirk Heinrichs talks about his initfs approach there. It's similar to an initramfs, but all the stuff is simply on the boot partition. It did not work out of the box (for me), and I never got around to really debugging this, but it's sort of working, and has support for opening LUKS partitions. I think it's a cool idea, simpler than an initramfs and no need for cpio and its options I always have to look up. Having the root partition encrypted is also no problem with this setup. The advantage is that only one LUKS partition has to be opened.

My desktop system does it the Gentoo way, but it has 23 encrypted LVMs (including root), which takes quite a while to open. I made it a lot faster by opening them all in parallel (adding a at the right location in /lib/rcscripts/addons/dm-crypt-start.sh), still it's much longer than with a single LUKS partition. I don't care much about it as the PC is running all the time, or uses tuxonice, so I seldom reboot. But apart from the longer boot time, I find this approach simpler.

Why do you like it the other way around?

Wonko
Re: [gentoo-user] LVM on LUKS
On 2010-08-07, at 11:48:34, Florian Philipp <li...@f_philipp.fastmail.net> wrote:
> Hi list!
>
> I'm building a new Gentoo system (notebook) and want to rearrange a few
> things. I thought it would be good to have the following layout:
> - boot on a normal partition
> - root on a normal partition
> - one big encrypted partition (dmcrypt / LUKS)
> - on that partition an LVM volume group
> - on that volume group all stuff not necessary for booting: home, var, tmp, etc.
>
> AFAIK, the Gentoo boot process is organized so that LVM gets started before
> dmcrypt is started. I would need it vice versa. Is that possible with
> baselayout-1? Do I need to switch to baselayout-2?
>
> Thanks in advance!
> Florian Philipp

I've made my own initramfs to boot.

/boot is a separate partition with ext2, grub, bzImage and initramfs
/ is ext4 on a logical volume on an encrypted container [ext4:lvm:luks:sda2]
swap is on another logical volume, next to /

I used two links as hints to build it:
http://jootamam.net/howto-initramfs-image.htm
http://jootamam.net/howto-basic-cryptsetup.htm

It's important to have all libraries copied to the initramfs or to make all binaries static (ldd). Some time ago I had dropbear in the initramfs to help boot a headless server. Watch out for the pivot_root restriction of PID == 1.

-- 
Kacper Kopczyński
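An added example (not Kacper's code) for the "copy all libraries" step: it stages a binary together with every shared object ldd resolves for it into an initramfs tree, preserving paths, and then re-checks the tree for missing libraries, which is the usual cause of a misleading "No such file or directory" from the kernel when /init or cryptsetup cannot find its loader. The staging directory, the use of install -D, and the bin/sbin layout of the tree are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Staging root is a constructed path.
set -eu

# Print the absolute paths ldd reports for a binary (libraries and the loader).
# A static binary makes ldd print "not a dynamic executable", i.e. no paths.
deps_of() {
    ldd "$1" 2>/dev/null | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }'
}

# Copy one binary and its dynamic dependencies under $root, keeping the
# original paths so the loader finds them at boot exactly where it expects.
stage_with_libs() {
    bin="$1"; root="$2"
    install -D -m 755 "$bin" "$root$bin"
    deps_of "$bin" | while read -r lib; do
        [ -e "$root$lib" ] || install -D -m 755 "$lib" "$root$lib"
    done
}

# Re-check every staged binary: returns non-zero and lists what is missing.
verify_tree() {
    root="$1"; missing=0
    for bin in "$root"/bin/* "$root"/sbin/*; do
        [ -f "$bin" ] || continue
        for lib in $(deps_of "$bin"); do
            [ -e "$root$lib" ] || { echo "missing: $lib (needed by $bin)"; missing=1; }
        done
    done
    return $missing
}
```

Run stage_with_libs for each tool the initramfs needs (sh, cryptsetup, lvm, switch_root) and verify_tree once before packing the tree with cpio.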
Re: [gentoo-user] LVM on LUKS
On Sat, 07 Aug 2010 11:48:34 +0200, Florian Philipp wrote:
> - boot on a normal partition
> - root on a normal partition
> - one big encrypted partition (dmcrypt / LUKS)
> - on that partition an LVM volume group
> - on that volume group all stuff not necessary for booting: home, var, tmp, etc.

Just use a small (300MB-ish) root partition with no separate boot and everything else on the LVM.

-- 
Neil Bothwick

If you think that there is good in everybody, you haven't met everybody.