On Sun, 8 Feb 2009 13:52:19 +0100 Michael Tautschnig <[email protected]> wrote:
> Hi!
>
> [...]
> > So far, I got the mirrored LVM working after hacking the FAI GRUB install
> > script so GRUB would boot correctly with md devices. The setup-storage
> > command doesn't seem to allow encryption to be specified on an md device,
> > particularly since Parser.pm requires a mountpoint be specified, which
> > isn't relevant on a RAID1 disk_config setting.
> >
>
> Ok, that has been fixed in 3.2.17+experimental4 (see
> http://faiwiki.debian.net/index.php/Main_Page#getting_FAI for more information
> about the experimental builds).
>
> [...]
> Thanks,
> Michael

Michael - I just tried 3.2.17+experimental4 and I see Parser.pm has some updated code if I search for :encrypt. Unfortunately, it still shows:

    ERROR (line 17): Invalid file: Was expecting /\Z/ but found "raid1 -:encrypt sda2,sdb2 - -" instead

I will run in debug mode and send you a private follow-up message with that.

Also, my suggestion regarding XML, or some type of dependency ability, is due to the increased flexibility it would allow. For instance, if you wanted to set up DRBD replication, CLVM, GFS, or any of the other storage possibilities, you could define it with a dependency tree. It allows you to stack your storage in any way you want, such as encrypted storage backing a DRBD device with LVM or CLVM running on it.

I currently have a workaround for the encryption issue as follows:

    # cat ./scripts/LAST/70-encryptmd2
    #! /bin/bash
    # Record any failing command in $error (reported through the exit status).
    error=0 ; trap "error=$((error|1))" ERR
    # Format /dev/md2 as a LUKS container and open it; the passphrase is fed on stdin.
    yes 'PassPhrase' | cryptsetup -q luksFormat /dev/md2 -c aes-cbc-essiv:sha256 -s 256
    yes 'PassPhrase' | cryptsetup luksOpen /dev/md2 md2_crypt
    # Build the LVM PV and the XenVM VG on the opened mapping.
    pvcreate /dev/mapper/md2_crypt
    vgcreate XenVM /dev/mapper/md2_crypt
    # Register the mapping in the installed system's crypttab.
    printf "md2_crypt /dev/md2 none luks\n" >> "$target/etc/crypttab"
    exit $error

Which works for the XenVM VG. I haven't implemented it for the root partition yet, which is also my goal.

I'm thinking another way to implement the root encryption is to create a 1 device root LVM VG, then create an md device that I encrypt, add the encrypted device to the LVM PV, then move all the LV resources to that encrypted device and add the original device back as a mirror to the encrypted md device. It would work, but is a bit time consuming when this process can be done with the right initial processing.

Thanks,
Doug
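
Added example (not part of the original message and not FAI code): a variant of the 70-encryptmd2 workaround above that takes the passphrase from a key file instead of embedding it in the script, refuses to reformat a device that already holds a LUKS header, and appends the crypttab entry only once. The function names, the key file argument and the sample invocation are assumptions made for this illustration.

```shell
#!/bin/bash
# Added example, not FAI code. encrypt_md, add_crypttab and the key-file
# argument are hypothetical names chosen for this illustration.

# Append a crypttab line only if the mapping name is not already listed.
add_crypttab() {    # usage: add_crypttab <target-root> <name> <device>
    local tab="$1/etc/crypttab"
    if [ -f "$tab" ] && grep -q "^$2[[:space:]]" "$tab"; then
        return 0
    fi
    printf '%s %s none luks\n' "$2" "$3" >> "$tab"
}

# Format and open <device> as LUKS from a key file, then create the VG on it.
encrypt_md() {      # usage: encrypt_md <device> <name> <vg> <keyfile> <target-root>
    local dev="$1" name="$2" vg="$3" key="$4" root="$5"

    # Refuse a missing key file or one readable by group/others.
    [ -f "$key" ] || { echo "no key file: $key" >&2; return 1; }
    case "$(stat -c %a "$key")" in
        [0-7]00) ;;
        *) echo "key file $key must not be accessible to group/others" >&2; return 1 ;;
    esac

    # Never reformat an existing container: luksFormat overwrites its header.
    if cryptsetup isLuks "$dev"; then
        echo "$dev already holds a LUKS header, not formatting" >&2
        return 1
    fi

    # The key file's bytes are used verbatim, so a trailing newline in the
    # file would become part of the passphrase typed at the boot prompt.
    cryptsetup -q luksFormat --key-file "$key" \
        -c aes-cbc-essiv:sha256 -s 256 "$dev" || return 1
    cryptsetup luksOpen --key-file "$key" "$dev" "$name" || return 1
    pvcreate "/dev/mapper/$name" || return 1
    vgcreate "$vg" "/dev/mapper/$name" || return 1
    add_crypttab "$root" "$name" "$dev"
}

# Run only when called with all five arguments, e.g. from a FAI script:
#   70-encryptmd2 /dev/md2 md2_crypt XenVM /path/to/keyfile "$target"
if [ "$#" -eq 5 ]; then
    encrypt_md "$@"
fi
```

The crypttab entry keeps `none` as in the original workaround, so the installed system still prompts for the passphrase at boot; the key file is only needed during installation.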
