I'm trying to set up a mirrored, encrypted LUKS partition that will contain
ext3 LVM volumes. I'm using FAI 3.2.16 and setup-storage is enabled in Debian
Lenny on AMD64. Lenny's interactive installer is able to do what I want with no
issues; however, I'd like to utilize FAI to automate the procedure. My goal is
to contain all file systems other than /boot on a redundant, encrypted
partition. This is my first project utilizing FAI, but I have used other
automation methods previously.
So far, I got the mirrored LVM working after hacking the FAI GRUB install
script so GRUB would boot correctly with md devices. The setup-storage command
doesn't seem to allow encryption to be specified on an md device, particularly
since Parser.pm requires a mountpoint be specified, which isn't relevant on a
RAID1 disk_config setting.
I can do what I want manually as follows:
cryptsetup luksFormat /dev/md1
cryptsetup luksOpen /dev/md1 md1_crypt
pvcreate /dev/mapper/md1_crypt
and creating the VG's and LV's within that LVM PV.
Here's the config I'm using that works for the bootable RAID1 LVM, but doesn't
set up encryption.
disk_config sda bootable:1
primary - 500 - -
primary - 4096- - -
disk_config sdb bootable:1
primary - 500 - -
primary - 4096- - -
disk_config raid
raid1 /boot sda1,sdb1 ext3 rw
raid1 - sda2,sdb2 - -
disk_config lvm
vg vg0 md1
vg0-swaplv swap 8192 swap sw
vg0-rootlv / 3072 ext3 rw,errors=remount-ro createopts="-m15" tuneopts="-c 0 -i 0"
vg0-tmplv /tmp 8192 ext3 defaults createopts="-m15" tuneopts="-c 0 -i 0"
vg0-usrlv /usr 4096 ext3 defaults createopts="-m15" tuneopts="-c 0 -i 0"
vg0-varlv /var 6144 ext3 defaults createopts="-m15" tuneopts="-c 0 -i 0"
Basically, what I would like to do is something similar to the following:
disk_config sda bootable:1
primary - 500 - -
primary - 4096- - -
disk_config sdb bootable:1
primary - 500 - -
primary - 4096- - -
disk_config raid
raid1 /boot sda1,sdb1 ext3 rw
raid1 -:encrypt sda2,sdb2 - -
disk_config lvm
vg vg0 mapper/md1_crypt
vg0-swaplv swap 8192 swap sw
vg0-rootlv / 3072 ext3 rw,errors=remount-ro createopts="-m15" tuneopts="-c 0 -i 0"
vg0-tmplv /tmp 8192 ext3 defaults createopts="-m15" tuneopts="-c 0 -i 0"
vg0-usrlv /usr 4096 ext3 defaults createopts="-m15" tuneopts="-c 0 -i 0"
vg0-varlv /var 6144 ext3 defaults createopts="-m15" tuneopts="-c 0 -i 0"
Basically, encrypt the /dev/md1 device, which would then be utilized as either
/dev/dm-0 or /dev/mapper/md1_crypt.
Parser.pm appears to explicitly disallow the configuration I want in this
section of code:
mountpoint: '-'
    {
        # this partition should not be mounted
        $FAI::partition_pointer->{mountpoint} = "-";
        $FAI::partition_pointer->{encrypt} = 0;
    }
    | 'swap'
    {
        # this partition is swap space, not mounted
        $FAI::partition_pointer->{mountpoint} = "none";
        $FAI::partition_pointer->{encrypt} = 0;
    }
    | m{^/\S*}
    {
        # set the mount point, may include encryption-request
        if ($item[ 1 ] =~ m{^(/[^:]*):encrypt$}) {
            &FAI::in_path("cryptsetup") or die "cryptsetup not found in PATH\n";
            $FAI::partition_pointer->{mountpoint} = $1;
            $FAI::partition_pointer->{encrypt} = 1;
        } else {
            $FAI::partition_pointer->{mountpoint} = $item[ 1 ];
            $FAI::partition_pointer->{encrypt} = 0;
        }
    }
The FAI installer seems to do things out of order if I try working with
encryption on a RAID1 block device in the way I'm attempting. For instance, it
tries to set up the LVM items before setting up the md devices and crashes out
as a result.
Assuming I'm looking at the right pieces to try to resolve this issue and this
capability doesn't exist within the FAI code, I'll suggest it would be more
flexible to have the configuration resources depend on a previous resource
being completed. Since the source code is in Perl already, an XML configuration
file may be a reasonable option for resource group settings and dependencies.
It would be similar to a Linux-HA configuration, where tasks have to be done in
a particular order during a cluster failover to bring resources online
correctly. Perhaps some of the Linux-HA code could be utilized for this task,
since it is GPL and LGPL code?
If I'm just overlooking something obvious in setting up the disk configuration
with encrypted RAID1, I'll be glad to discover how it should be set up within
the FAI system.
Thanks,
Doug
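The manual sequence described in the post (luksFormat and luksOpen on the md device, pvcreate on the mapper device, then the VG and LVs from the disk_config), written out as an added example script; this is not FAI code and not Doug's own script. It defaults to a dry run that only prints the commands it would execute, so the ordering (md device first, then LUKS, then LVM, then the crypttab entry the initramfs needs to unlock the volume at boot) can be reviewed before anything touches a disk. Device names, the volume group name and the LV sizes are taken from the post's config; the DRY_RUN/MD_DEV/CRYPT_NAME/VG_NAME variables and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not FAI's own code): LUKS on a RAID1 md device, then LVM on
# top of the opened mapper device, in the order the post performs by hand.
set -eu

MD_DEV="${MD_DEV:-/dev/md1}"            # assumption: the RAID1 array for the encrypted PV
CRYPT_NAME="${CRYPT_NAME:-md1_crypt}"   # assumption: device-mapper name after luksOpen
VG_NAME="${VG_NAME:-vg0}"               # volume group name from the post's config
DRY_RUN="${DRY_RUN:-1}"                 # 1 = print commands only, 0 = execute them

# run: print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# lv_plan: logical volumes and sizes in MiB, as in the post's disk_config lvm section.
lv_plan() {
    printf '%s\n' \
        "swaplv 8192" \
        "rootlv 3072" \
        "tmplv 8192" \
        "usrlv 4096" \
        "varlv 6144"
}

# setup_crypt_lvm: the dependency order that matters here.
#   1. the md device must already exist (mdadm has assembled it),
#   2. LUKS header is written and the volume opened,
#   3. the PV/VG/LVs are created on the opened mapper device, never on md1 itself.
setup_crypt_lvm() {
    run cryptsetup luksFormat "$MD_DEV"
    run cryptsetup luksOpen "$MD_DEV" "$CRYPT_NAME"
    run pvcreate "/dev/mapper/$CRYPT_NAME"
    run vgcreate "$VG_NAME" "/dev/mapper/$CRYPT_NAME"
    lv_plan | while read -r name size; do
        run lvcreate -L "${size}M" -n "$name" "$VG_NAME"
    done
}

# crypttab_entry: the /etc/crypttab line the target system needs so the
# initramfs can unlock the md device before LVM activation at boot.
crypttab_entry() {
    printf '%s %s none luks\n' "$CRYPT_NAME" "$MD_DEV"
}

case "${1:-}" in
    plan)     setup_crypt_lvm ;;
    crypttab) crypttab_entry ;;
esac
```

Run `sh luks_raid_lvm.sh plan` to see the exact command sequence for the configured devices, and `DRY_RUN=0 sh luks_raid_lvm.sh plan` (as root, with /dev/md1 assembled and empty) to execute it; `sh luks_raid_lvm.sh crypttab` prints the crypttab line to append on the installed system. Keeping the LUKS step between the md assembly and pvcreate is the point: a PV created directly on /dev/md1 would leave the array unencrypted, and an LVM step run before the array exists fails in exactly the way the post describes.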