setup-storage news: cryptsetup support and sameas option
Julien BLACHE
jblache at debian.org
Mon Nov 23 21:18:02 CET 2009
Hi,

Michael just merged into experimental two patches I contributed a few
days ago. Here is a summary of what they bring and how they work. I'll
give sample before/after configs for each, they are real working
configurations in use in my systems. Sorry if that makes this mail a bit
longer ;)

Feedback is welcome, especially on the cryptsetup support.

Let's get the "small one" out of the way first ;) The first patch adds a
"sameas" option; I found myself doing a couple RAID1 setups and having
to repeat the exact same partitioning scheme for two (or more) devices
seemed error prone, now and in the future.

So, instead of:

disk_config /dev/sda
primary - 250M - -
primary - 20G - -
logical - 8G - -
logical - 4G - -
logical - 5G - -
disk_config /dev/sdb
primary - 250M - -
primary - 20G - -
logical - 8G - -
logical - 4G - -
logical - 5G - -
disk_config raid
raid1 /boot sda1,sdb1 ext3 defaults
raid1 / sda2,sdb2 ext3 defaults,errors=remount-ro
raid1 swap sda5,sdb5 swap defaults
raid1 /tmp sda6,sdb6 ext3 defaults createopts="-m 1"
raid1 /var sda7,sdb7 ext3 defaults

You now get to write:

disk_config /dev/sda
primary - 250M - -
primary - 20G - -
logical - 8G - -
logical - 4G - -
logical - 5G - -
disk_config /dev/sdb sameas:/dev/sda
disk_config raid
raid1 /boot sda1,sdb1 ext3 defaults
raid1 / sda2,sdb2 ext3 defaults,errors=remount-ro
raid1 swap sda5,sdb5 swap defaults
raid1 /tmp sda6,sdb6 ext3 defaults createopts="-m 1"
raid1 /var sda7,sdb7 ext3 defaults

Which is a clear win both in terms of maintenance and clarity. You can
use diskN or sdX instead of /dev/sdX. The referenced device (/dev/sda
here) must have been defined before the "clone" device.

Internally, it's the *config* that is copied from the reference device,
not the final partitioning scheme. That means you can use the sameas
option even when the underlying devices do not have the same size. It
also means your config will bomb out if the config can't be applied on
the "clone" device because it's smaller than the reference device and
the config's minimal size is bigger than the device.

So, unless you know what you're doing, it's probably best to limit this
option's usage to devices of the same size as pointed out in the
manpage.

The second patch introduces a new disk encryption facility, which works
in a way similar to the RAID and LVM facilities.

Compared to the current :encrypt hack, it supports encrypted swap and
/tmp partitions with a random key and will be able to support more
encryption options as needed, all the while decluttering the config
syntax. Let's not repeat the ";" hack from setup_harddisks!

So, before, with the :encrypt hack:

disk_config /dev/sdb
primary / 21750 ext3 defaults,errors=remount-ro
primary /boot 250 ext3 defaults
logical swap 4000 swap defaults
logical /tmp 2000 ext2 defaults
logical /local00:encrypt 10- ext3 defaults,errors=remount-ro createopts="-m 0"

NOT SHOWN: hook(s) to set up encrypted swap and /tmp partitions
manually, one way or another.

And now, with the new cryptsetup facility:

disk_config /dev/sdb
primary / 21750 ext3 defaults,errors=remount-ro
primary /boot 250 ext3 defaults
logical - 4000 - -
logical - 2000 - -
logical - 10- - -
disk_config cryptsetup
swap swap /dev/sdb5 swap defaults
tmp /tmp /dev/sdb6 ext2 defaults
luks /local00 /dev/sdb7 ext3 defaults,errors=remount-ro createopts="-m 0"

If you want initialization with random data, just add the randinit
option, like this:

disk_config cryptsetup randinit
swap swap /dev/sdb5 swap defaults
tmp /tmp /dev/sdb6 ext2 defaults
luks /local00 /dev/sdb7 ext3 defaults,errors=remount-ro createopts="-m 0"

The option is global, as there's probably not much point in performing
random init on some partitions and not the others.

With this new cryptsetup facility, the :encrypt hack is marked as
deprecated and will be removed at some point in the not too distant
future.

I hope those patches will make life easier for other FAI users;
setup-storage is a lot more capable than setup_harddisks and extending
it has been a lot easier than I had first thought.

JB.
--
Julien BLACHE <jblache at debian.org> | Debian, because code matters more
Debian & GNU/Linux Developer | <http://www.debian.org>
Public key available on <http://www.jblache.org> - KeyID: F5D6 5169
GPG Fingerprint : 935A 79F1 C8B3 3521 FD62 7CC7 CD61 4FD7 F5D6 5169
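
An added example, not part of the original mail and not FAI's own code: a small pre-install lint for the config syntax shown above. It flags the deprecated :encrypt suffix, swap and /tmp left in plaintext next to encrypted volumes, and a sameas reference to a device that has not been defined yet. The function name, the message texts and the assumption that raid, lvm and cryptsetup are the only non-disk stanza names are choices made for this example.

```python
def lint_setup_storage(text):
    """Return sorted (line_no, message) findings for a setup-storage config."""
    findings, defined, plaintext = [], set(), []
    stanza, encrypted = None, False

    def norm(dev):  # the mail allows sdX as shorthand for /dev/sdX
        return dev[5:] if dev.startswith("/dev/") else dev

    for no, raw in enumerate(text.splitlines(), 1):
        f = raw.split("#", 1)[0].split()        # drop comments, split columns
        if len(f) < 2:
            continue
        if f[0] == "disk_config":
            stanza = f[1]
            # Assumption: any other stanza name is a physical disk.
            if stanza not in ("raid", "lvm", "cryptsetup"):
                for opt in f[2:]:
                    if opt.startswith("sameas:") and norm(opt[7:]) not in defined:
                        findings.append(
                            (no, "sameas refers to %s, which is not defined yet" % opt[7:]))
                defined.add(norm(stanza))
        elif stanza == "cryptsetup":
            encrypted = True                    # swap, tmp and luks lines are all encrypted
        else:
            mountpoint = f[1]                   # second column in disk and raid stanzas
            if mountpoint.endswith(":encrypt"):
                encrypted = True
                findings.append((no, "deprecated :encrypt on " + mountpoint[:-8]))
            elif mountpoint in ("swap", "/tmp"):
                plaintext.append((no, mountpoint))
    if encrypted:                               # plaintext swap/tmp only matters here
        findings += [(no, "%s is plaintext beside encrypted volumes" % m)
                     for no, m in plaintext]
    return sorted(findings)

# The "before" config from the mail, used as sample input.
BEFORE = """\
disk_config /dev/sdb
primary / 21750 ext3 defaults,errors=remount-ro
primary /boot 250 ext3 defaults
logical swap 4000 swap defaults
logical /tmp 2000 ext2 defaults
logical /local00:encrypt 10- ext3 defaults,errors=remount-ro createopts="-m 0"
"""

if __name__ == "__main__":
    for line_no, message in lint_setup_storage(BEFORE):
        print("line %d: %s" % (line_no, message))
```

The plaintext swap and /tmp findings cannot see hooks that encrypt those partitions outside the config, so treat them as a prompt to check, not as proof.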