Andrew David Wong:
> On 31/08/2019 11.23 AM, Claudia wrote:
>> The "Custom Installation" doc gives instructions about how to
>> create a non-default dm-crypt partition, or other custom setup, and
>> install Qubes to it. But when I follow these instructions on
>> R4.0.1, and try to assign my dm-crypt device to "/", I get a
>> message something like
>>
>> "You must create a new filesystem for the root filesystem."
>
> That's odd. I don't remember getting a message like that when I
> installed 4.0 this way

First, thanks for your reply!

BTW, the actual message is "You must create a new file system on the root device." (I was going from memory.)

Okay, so I think I might have figured it out: The tutorial should work for any filesystem other than btrfs, provided you check the "Reformat" option. Upon closer examination, your tutorial covers creation of dm-crypt and LVM containers, but not any filesystems. The installer does create the actual filesystem, so that's why the tutorial doesn't cause the message about creating a new filesystem. It's just that btrfs isn't one of the options.

When there is an empty dm-crypt partition on the disk, under "Unknown" category it shows up as "luks-<uuid>" and asks for a password. Once unlocked, all options are greyed out, including Mountpoint, except Label and Reformat. When I check Reformat, the File System drop down is enabled, but btrfs is not an option. So at this point I could use another filesystem, just not btrfs. The "Encrypt" checkbox is also enabled and checked by default.

When I manually format that partition with btrfs, it shows up under "Unknown" as "Encrypted (LUKS)" and asks for a password. Once unlocked, it shows under "Unknown" as "btrfs" and all options are greyed out except Mountpoint and Label. But when I enter "/" as mountpoint I get that message. I would be fine with replacing the filesystem in the container, but the "Reformat" box is unchecked and greyed out.

Like I said, I thought I got around it somehow, but I don't remember for sure. I might have given up and used the default cryptsetup options.



> Well, the Qubes installer is mostly just the upstream Fedora
> installer, so you might want to file bug reports with them about these
> issues.

I was afraid of that. I may try to look into it some more and perhaps see if it's a reportable bug. But the more I'm looking at it, I think they would call it a "feature" of this deranged installer. (See below.) I really just want to get past it.


>> I remember running into this before, and I thought I eventually
>> got around it somehow after playing with it for an hour or two. But
>> I don't remember. I might have just ended up using the default
>> dm-crypt parameters.
>>
>> Idea 1: LUKS allows you to change some, but not all, parameters
>> after installation. So you can change the iter-time, for example,
>> but not the key size, cipher, or hash size(?). Not great, but might
>> work for some situations.
>>
>> Idea 2: In my case I want to use btrfs, so I'm thinking I can
>> create a small standard partition at the end of the disk, install
>> to that, then once installed, `btrfs device add` my custom dm-crypt
>> root partition and `btrfs device remove` the original, and
>> optionally delete the temporary partition and grow the real one. I
>> don't yet know what changes will have to be made to the
>> bootloader/dracut config, but I'm assuming the UUID at the very
>> least.
>>
>> Aside from dm-crypt and btrfs, there are also plenty of situations
>> where someone might want to install to an existing device or
>> filesystem.
>>
>> Some of this has been talked about in #2294, but it's not quite the
>> same thing.
>>
>> So I guess this is mostly just a rant. But I was also wondering 1)
>> Am I doing something wrong? Should I not be seeing this message?
>> Is it a bug?
>
> Could be. As mentioned above, I don't remember seeing this when I went
> through it myself.
>
>> 2) Why isn't this addressed in the custom installation tutorial?
>> Why do we have a tutorial that cannot be followed?
>
> I wrote this version of the tutorial because I couldn't find any
> information about how to do this sort of thing on R4 anywhere. I went
> through the trial-and-error and documented my findings for the benefit
> of others (and my future self). But I'm certainly not an expert in all
> the underlying technologies. It worked for me when I wrote it, and no
> one else has contributed to it since then. I'm honestly sorry to hear
> that it didn't work for you, but I don't know why it didn't. I can
> simply remove it from the documentation if it's no longer working.

Did you happen to do any testing with btrfs when you wrote the tutorial? At this point I don't think the tutorial is faulty, I think it just cannot be used with btrfs.

Like I said, though, bug #2294 talks about this very problem. So I'm at least not imagining things. Although it doesn't mention the exact error message (I could have sworn it did).

In #2294, under "General Notes" > "Not Workarounds:"
"If you also manually create a new btrfs filesystem inside the LUKS container, the installer will unselect and gray out the Reformat check box and then complain that reformatting the root mountpoint is required to continue..."

That pretty much exactly describes what I'm running into.

The bug itself apparently was fixed in R4.0-rc4, but I'm assuming the btrfs problem has not.


>> 3) Is there a way around it that doesn't involve the hacky
>> post-installation migration?
>
> Not that I know of.
>
>> 4) Does qubes provide any way to sidestep the graphical installer,
>> i.e. something akin to debootstrap or arch-bootstrap?
>
> Not that I know of. (Again, it's mostly the stock Fedora installer.)

So I think the real problem here is that the installer doesn't treat btrfs the same way as the rest of the filesystems. Btrfs is a "Device Type" not a "File System". i.e. You can't put btrfs on an existing device, you have to choose "Btrfs" for "Device Type". Thus, it can't be installed to a preexisting dm-crypt container.

Note that when you select Btrfs for Device Type, Encrypt will be greyed out and unchecked. You have to click Modify, select the device, and check the Encrypt checkbox, and click save. Then the Encrypt checkbox will be checked next to Device Type on the previous screen. However this will be created using cryptsetup defaults!

There are several workaround ideas which after much testing and reconfiguration eventually may or may not work. But right now I don't have that kind of time, and I just want something to work. So for now I think I'll just accept defeat: settle for cryptsetup defaults and just let the installer do its thing. You can't always get what you want.

Thanks again for your input. If you get the chance to try the tutorial using btrfs on a custom dm-crypt container, I'd be interested in your results. You might have better luck, or perhaps a whole new tutorial.
