
Booting Encrypted Mirror ZFS on Ubuntu 18.10

[Category: Linux systems | Posted by 店小二04 | 2019 | Author: 红领巾]

As I was setting up my new Linux machine with two disks, I decided to forgo my favorite Linux Mint and give Ubuntu another try. The main reason? ZFS, of course.

Ubuntu already has a quite decent guide for ZFS setup, but it is slightly lacking in the mirroring department. So here I will list steps that follow their approach closely but with slight adjustments, as I want not only an encrypted setup but also a proper ZFS mirror. If you need a single-disk ZFS setup, stick with the original guide.

After booting into the installer, we can go for Try Ubuntu and open a terminal. My strong suggestion would be to install the openssh-server package first and connect to the machine remotely, because that allows for copy/paste:

```
$ passwd
Changing password for ubuntu.
(current) UNIX password: (empty)
Enter new UNIX password: password
Retype new UNIX password: password
passwd: password updated successfully
$ sudo apt install --yes openssh-server
```

Regardless of whether you continue directly or connect via SSH (the username is ubuntu), the first task is to get onto a root prompt and never leave it again. :)

```
$ sudo -i
```

To get ZFS on, we need an Internet connection and an extra repository:

```
# apt-add-repository universe
# apt update
```

Now we can finally install ZFS, a partitioning utility, and an installation tool:

```
# apt install --yes debootstrap gdisk zfs-initramfs
```

First we clean the partition table on both disks, followed by a few partition definitions (do change the IDs to match your disks):

```
# sgdisk --zap-all /dev/disk/by-id/ata_disk1
# sgdisk --zap-all /dev/disk/by-id/ata_disk2
# sgdisk -a1 -n2:34:2047 -t2:EF02 /dev/disk/by-id/ata_disk1
# sgdisk -a1 -n2:34:2047 -t2:EF02 /dev/disk/by-id/ata_disk2
# sgdisk -n3:1M:+512M -t3:EF00 /dev/disk/by-id/ata_disk1
# sgdisk -n3:1M:+512M -t3:EF00 /dev/disk/by-id/ata_disk2
# sgdisk -n4:0:+512M -t4:8300 /dev/disk/by-id/ata_disk1
# sgdisk -n4:0:+512M -t4:8300 /dev/disk/by-id/ata_disk2
# sgdisk -n1:0:0 -t1:8300 /dev/disk/by-id/ata_disk1
# sgdisk -n1:0:0 -t1:8300 /dev/disk/by-id/ata_disk2
```

After all this, we should end up with both disks showing 4 distinct partitions:

```
# sgdisk --print /dev/disk/by-id/ata_disk1
…
Number  Start (sector)    End (sector)  Size        Code  Name
   1         2099200        67108830    31.0 GiB    8300
   2              34            2047    1007.0 KiB  EF02
   3            2048         1050623    512.0 MiB   EF00
   4         1050624         2099199    512.0 MiB   8300
```

With partitioning done, it's time to encrypt our disks and open the LUKS containers (note that we only encrypt the first partition, not the whole disk):

```
# cryptsetup luksFormat -c aes-xts-plain64 -s 256 -h sha256 /dev/disk/by-id/ata_disk1-part1
# cryptsetup luksFormat -c aes-xts-plain64 -s 256 -h sha256 /dev/disk/by-id/ata_disk2-part1
# cryptsetup luksOpen /dev/disk/by-id/ata_disk1-part1 luks1
# cryptsetup luksOpen /dev/disk/by-id/ata_disk2-part1 luks2
```

Finally we can create our pool (rpool is a "standard" name) consisting of both encrypted devices:

```
# zpool create -o ashift=12 -O atime=off -O compression=lz4 \
    -O normalization=formD -O xattr=sa -O mountpoint=/ -R /mnt/rpool \
    rpool mirror /dev/mapper/luks1 /dev/mapper/luks2
```

There is an advantage in creating fine-grained datasets as the official guide instructs, but I personally don't do it. Having one big free-for-all pile is OK for me; anything of any significance I keep on my network drive anyway, where I have a properly set up ZFS with rights, quotas, and all the other goodies.

Since we are using LUKS encryption, grub needs an unencrypted /boot, so we need to mount the 4th partition too. We'll do it for both disks and deal with syncing them later:

```
# mkdir /mnt/rpool/boot
# mke2fs -t ext2 /dev/disk/by-id/ata_disk1-part4
# mount /dev/disk/by-id/ata_disk1-part4 /mnt/rpool/boot
# mkdir /mnt/rpool/boot2
# mke2fs -t ext2 /dev/disk/by-id/ata_disk2-part4
# mount /dev/disk/by-id/ata_disk2-part4 /mnt/rpool/boot2
```

Now we can finally start copying our Linux (do check the current release codename using lsb_release -a). This will take a while:

```
# debootstrap cosmic /mnt/rpool/
```

Once done, turn off the devices flag on the pool (so device nodes stored on the dataset are not honored) and check whether data has been written or we messed up the paths:

```
# zfs set devices=off rpool
# zfs list
NAME    USED  AVAIL  REFER  MOUNTPOINT
rpool   218M  29.6G   217M  /mnt/rpool
```

Since our system is bare, we do need to prepare a few configuration files:

```
# cp /etc/hostname /mnt/rpool/etc/hostname
# cp /etc/hosts /mnt/rpool/etc/hosts
# cp /etc/netplan/*.yaml /mnt/rpool/etc/netplan/
# sed '/cdrom/d' /etc/apt/sources.list > /mnt/rpool/etc/apt/sources.list
```

Finally we get to try out our new system:

```
# mount --rbind /dev /mnt/rpool/dev
# mount --rbind /proc /mnt/rpool/proc
# mount --rbind /sys /mnt/rpool/sys
# chroot /mnt/rpool/ /bin/bash --login
```

Once in our new OS, a few further updates are in order:

```
# apt update
# locale-gen --purge "en_US.UTF-8"
# update-locale LANG=en_US.UTF-8 LANGUAGE=en_US
# dpkg-reconfigure --frontend noninteractive locales
# dpkg-reconfigure tzdata
```

Now we need to install the Linux image and headers:

```
# apt install --yes --no-install-recommends linux-image-generic linux-headers-generic
```

Then we configure booting from ZFS and mount both boot partitions via fstab:

```
# apt install --yes zfs-initramfs
# echo UUID=$(blkid -s UUID -o value /dev/disk/by-id/ata_disk1-part4) /boot ext2 noatime 0 2 >> /etc/fstab
# echo UUID=$(blkid -s UUID -o value /dev/disk/by-id/ata_disk2-part4) /boot2 ext2 noatime 0 2 >> /etc/fstab
```

And disk decryption (both LUKS members get the initramfs option so both are unlocked at boot):

```
# apt install --yes cryptsetup
# echo "luks1 UUID=$(blkid -s UUID -o value /dev/disk/by-id/ata_disk1-part1) none luks,discard,initramfs" >> /etc/crypttab
# echo "luks2 UUID=$(blkid -s UUID -o value /dev/disk/by-id/ata_disk2-part1) none luks,discard,initramfs" >> /etc/crypttab
```

And install the grub bootloader (when prompted, select both disks, not partitions!):

```
# apt install --yes grub-pc
```

Followed by an update of the boot environment (some errors are OK):

```
# update-initramfs -u -k all
update-initramfs: Generating /boot/initrd.img-4.18.0-12-generic
cryptsetup: ERROR: Couldn't resolve device rpool
cryptsetup: WARNING: Couldn't determine root device
```

Now we update grub and fix its config (only needed if you are not using sub-datasets):

```
# update-grub
# sed -i "s^root=ZFS=rpool/^root=ZFS=rpool^g" /boot/grub/grub.cfg
```

Now we get to copy all boot files to the second disk:

```
# cp -rp /boot/* /boot2/
```

With the grub install we're getting close to the end of the story:

```
# grub-install /dev/disk/by-id/ata_disk1
Installing for i386-pc platform.
Installation finished. No error reported.
# grub-install /dev/disk/by-id/ata_disk2
Installing for i386-pc platform.
Installation finished. No error reported.
```

Now we install the full GUI and upgrade whatever needs it (takes a while):

```
# apt-get install --yes ubuntu-desktop samba
# apt dist-upgrade --yes
```

As this probably updated grub, we need to both correct the config (only if we have a bare dataset) and copy the files to the other boot partition (this has to be repeated on every grub update):

```
# sed -i "s^root=ZFS=rpool/^root=ZFS=rpool^g" /boot/grub/grub.cfg
# cp -rp /boot/* /boot2/
```

Having some swap is always a good idea:

```
# zfs create -V 4G -b $(getconf PAGESIZE) -o compression=off -o logbias=throughput -o sync=always \
    -o primarycache=metadata -o secondarycache=none rpool/swap
# mkswap -f /dev/zvol/rpool/swap
# echo /dev/zvol/rpool/swap none swap defaults 0 0 >> /etc/fstab
# echo RESUME=none > /etc/initramfs-tools/conf.d/resume
```

Almost there; it's time to set the root password:

```
# passwd
```

And to create our user for the desktop environment:

```
# adduser user
# usermod -a -G adm,cdrom,dip,lpadmin,plugdev,sambashare,sudo user
```

Finally, we can reboot (don't forget to remove the CD) and enjoy our system:

```
# exit
# reboot
```
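As an added example (not part of the original post), here is a small shell script that automates the chores the post says must be repeated after every grub update: fixing the root= entry, copying /boot to /boot2, and then verifying that both boot partitions are byte-identical and that both LUKS members are listed in /etc/crypttab with the initramfs option. The function names and directory arguments are my own; the defaults in main_sync assume the /boot and /boot2 mounts from this post.

```shell
#!/bin/sh
# Added example, not from the original post: keep the second boot partition in
# sync with the first after a grub update, and verify the result.
# Paths are arguments so each function can be run against any directory;
# main_sync applies them to the /boot, /boot2 and /etc/crypttab of this setup.
set -u

# Rewrite root=ZFS=rpool/ to root=ZFS=rpool in a grub.cfg (bare-dataset setups only).
fix_grub_root() {
    cfg="$1"
    [ -f "$cfg" ] || return 1
    sed "s^root=ZFS=rpool/^root=ZFS=rpool^g" "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# Return 0 only when no kernel line still uses the trailing-slash form.
check_grub_root() {
    ! grep -q 'root=ZFS=rpool/' "$1"
}

# Copy the boot files to the second partition, keeping permissions and timestamps.
sync_boot() {
    cp -rp "$1"/. "$2"/
}

# Return 0 when every file under src has a byte-identical copy under dst,
# so a stale or partially copied /boot2 is caught before the next reboot.
verify_boot_sync() {
    src="$1"; dst="$2"
    ( cd "$src" && find . -type f | sort | while read -r f; do
        cmp -s "$f" "$dst/$f" || { echo "mismatch: $f" >&2; exit 1; }
    done )
}

# Both LUKS members must carry the initramfs option; otherwise the initrd
# unlocks only one side and the pool comes up with a single mirror member.
check_crypttab() {
    [ "$(grep -c '^luks[12][[:space:]].*initramfs' "$1" 2>/dev/null)" = 2 ]
}

# Run the whole sequence against the real paths from this post.
main_sync() {
    fix_grub_root /boot/grub/grub.cfg &&
    sync_boot /boot /boot2 &&
    verify_boot_sync /boot /boot2 &&
    check_grub_root /boot2/grub/grub.cfg &&
    check_crypttab /etc/crypttab
}
```

Run main_sync as root after any apt run that touched grub or the kernel; a non-zero exit means the second disk would not boot the same way as the first.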

Source: https://www.codesec.net/view/628547.html

