setup-storage news: cryptsetup support and sameas option

Julien BLACHE jblache at debian.org
Mon Nov 23 21:18:02 CET 2009


Hi,

Michael just merged into experimental two patches I contributed a few
days ago. Here is a summary of what they bring and how they work. I'll
give sample before/after configs for each; they are real working
configurations in use in my systems. Sorry if that makes this mail a bit
longer ;)

Feedback is welcome, especially on the cryptsetup support.


Let's get the "small one" out of the way first ;) The first patch adds a
"sameas" option; I found myself doing a couple RAID1 setups and having
to repeat the exact same partitioning scheme for two (or more) devices
seemed error prone, now and in the future.

So, instead of:

disk_config /dev/sda
primary  -  250M  -  -
primary  -  20G   -  -
logical  -  8G    -  -
logical  -  4G    -  -
logical  -  5G    -  -

disk_config /dev/sdb
primary  -  250M  -  -
primary  -  20G   -  -
logical  -  8G    -  -
logical  -  4G    -  -
logical  -  5G    -  -

disk_config raid
raid1  /boot  sda1,sdb1  ext3  defaults
raid1  /      sda2,sdb2  ext3  defaults,errors=remount-ro
raid1  swap   sda5,sdb5  swap  defaults
raid1  /tmp   sda6,sdb6  ext3  defaults createopts="-m 1"
raid1  /var   sda7,sdb7  ext3  defaults

You now get to write:

disk_config /dev/sda
primary  -  250M  -  -
primary  -  20G   -  -
logical  -  8G    -  -
logical  -  4G    -  -
logical  -  5G    -  -

disk_config /dev/sdb sameas:/dev/sda

disk_config raid
raid1  /boot  sda1,sdb1  ext3  defaults
raid1  /      sda2,sdb2  ext3  defaults,errors=remount-ro
raid1  swap   sda5,sdb5  swap  defaults
raid1  /tmp   sda6,sdb6  ext3  defaults createopts="-m 1"
raid1  /var   sda7,sdb7  ext3  defaults

Which is a clear win both in terms of maintenance and clarity. You can
use diskN or sdX instead of /dev/sdX. The referenced device (/dev/sda
here) must have been defined before the "clone" device.

Internally, it's the *config* that is copied from the reference device,
not the final partitioning scheme. That means you can use the sameas
option even when the underlying devices do not have the same size. It
also means your config will bomb out if the config can't be applied on
the "clone" device because it's smaller than the reference device and
the config's minimal size is bigger than the device.

So, unless you know what you're doing, it's probably best to limit this
option's usage to devices of the same size as pointed out in the
manpage.


The second patch introduces a new disk encryption facility, which works
in a way similar to the RAID and LVM facilities.

Compared to the current :encrypt hack, it supports encrypted swap and
/tmp partitions with a random key and will be able to support more
encryption options as needed, all the while decluttering the config
syntax. Let's not repeat the ";" hack from setup_harddisks!

So, before, with the :encrypt hack:

disk_config /dev/sdb
primary  /                 21750  ext3  defaults,errors=remount-ro
primary  /boot             250    ext3  defaults
logical  swap              4000   swap  defaults
logical  /tmp              2000   ext2  defaults
logical  /local00:encrypt  10-    ext3  defaults,errors=remount-ro  createopts="-m 0"

NOT SHOWN: hook(s) to set up encrypted swap and /tmp partitions
manually, one way or another.

And now, with the new cryptsetup facility:

disk_config /dev/sdb
primary  /      21750  ext3  defaults,errors=remount-ro
primary  /boot  250    ext3  defaults
logical  -      4000   -     -
logical  -      2000   -     -
logical  -      10-    -     -

disk_config cryptsetup
swap  swap      /dev/sdb5  swap  defaults
tmp   /tmp      /dev/sdb6  ext2  defaults
luks  /local00  /dev/sdb7  ext3  defaults,errors=remount-ro  createopts="-m 0"

If you want initialization with random data, just add the randinit
option, like this:

disk_config cryptsetup randinit
swap  swap      /dev/sdb5  swap  defaults
tmp   /tmp      /dev/sdb6  ext2  defaults
luks  /local00  /dev/sdb7  ext3  defaults,errors=remount-ro  createopts="-m 0"

The option is global, as there's probably not much point in performing
random init on some partitions and not the others.

With this new cryptsetup facility, the :encrypt hack is marked as
deprecated and will be removed at some point in the not too distant
future.


I hope those patches will make life easier for other FAI users;
setup-storage is a lot more capable than setup_harddisks and extending
it has been a lot easier than I had first thought.

JB.

-- 
 Julien BLACHE <jblache at debian.org>  |  Debian, because code matters more 
 Debian & GNU/Linux Developer        |       <http://www.debian.org>
 Public key available on <http://www.jblache.org> - KeyID: F5D6 5169 
 GPG Fingerprint : 935A 79F1 C8B3 3521 FD62 7CC7 CD61 4FD7 F5D6 5169 
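
Added example, not part of the original mail and not FAI code: a small converter that rewrites the ":encrypt" stanza shown above into the new form plus a "disk_config cryptsetup" stanza. The names migrate and render are hypothetical. It assumes plain /dev/sdX disks, with primaries numbered from 1 and logicals from 5 as in the mail's own example.

```python
# Added example, not FAI code. Uses only the config syntax shown in the mail.
BEFORE = '''\
disk_config /dev/sdb
primary  /                 21750  ext3  defaults,errors=remount-ro
primary  /boot             250    ext3  defaults
logical  swap              4000   swap  defaults
logical  /tmp              2000   ext2  defaults
logical  /local00:encrypt  10-    ext3  defaults,errors=remount-ro  createopts="-m 0"
'''  # constructed from the "before" config in the mail

def migrate(config, random_key=("swap", "/tmp")):
    """Split an :encrypt-style stanza into (disk_rows, cryptsetup_rows)."""
    disk, crypt, dev = [], [], None
    count = {"primary": 0, "logical": 4}
    for line in config.splitlines():
        f = line.strip().split(None, 5)   # 6th field keeps createopts="..." whole
        if not f:
            continue
        if f[0] == "disk_config":
            # Assumption: plain /dev/sdX disks; primaries from 1, logicals from 5.
            dev, count = f[1], {"primary": 0, "logical": 4}
            disk.append(f)
            continue
        if dev is None or f[0] not in count or len(f) < 5:
            raise ValueError(f"unsupported line: {line!r}")
        count[f[0]] += 1
        part = f"{dev}{count[f[0]]}"
        mount, size, rest = f[1], f[2], f[3:]
        if mount.endswith(":encrypt"):
            crypt.append(["luks", mount[:-len(":encrypt")], part, *rest])
        elif mount in random_key:
            # Random-key volumes: "swap" for swap, "tmp" for any other listed mount.
            crypt.append(["swap" if mount == "swap" else "tmp", mount, part, *rest])
        else:
            disk.append(f)                # stays a plain, unencrypted partition
            continue
        disk.append([f[0], "-", size, "-", "-"])  # raw partition for cryptsetup
    return disk, crypt

def render(disk, crypt):
    fmt = lambda r: (" " if r[0] == "disk_config" else "  ").join(r)
    out = [fmt(r) for r in disk]
    if crypt:
        out += ["", "disk_config cryptsetup"] + [fmt(r) for r in crypt]
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(render(*migrate(BEFORE)), end="")
```

Passing random_key=() leaves swap and /tmp as plain partitions and converts only the ":encrypt" entry.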

