Crypto during FAI install

Doug Spencer doug at securitybulletins.com
Thu Feb 5 05:19:48 CET 2009


I'm trying to set up a mirrored, encrypted LUKS partition that will contain ext3 LVM volumes. I'm using FAI 3.2.16 and setup-storage is enabled in Debian Lenny on AMD64. Lenny's interactive installer is able to do what I want with no issues; however, I'd like to utilize FAI to automate the procedure. My goal is to contain all file systems other than /boot on a redundant, encrypted partition. This is my first project utilizing FAI, but I have used other automation methods previously.

So far, I got the mirrored LVM working after hacking the FAI GRUB install script so GRUB would boot correctly with md devices. The setup-storage command doesn't seem to allow encryption to be specified on an md device, particularly since Parser.pm requires a mountpoint be specified, which isn't relevant on a RAID1 disk_config setting. 

I can do what I want manually as follows:

cryptsetup luksFormat /dev/md1 
cryptsetup luksOpen /dev/md1 md1_crypt
pvcreate /dev/mapper/md1_crypt
and creating the VGs and LVs within that LVM PV.

Here's the config I'm using that works for the bootable RAID1 LVM, but doesn't set up encryption. 

disk_config sda  bootable:1
primary - 500  - -
primary -       4096-   -       -

disk_config sdb  bootable:1
primary - 500  - -
primary -       4096-   -       -

disk_config raid
raid1   /boot sda1,sdb1 ext3 rw
raid1   -  sda2,sdb2    - -

disk_config lvm
vg vg0        md1
vg0-swaplv     swap    8192    swap    sw
vg0-rootlv     /       3072    ext3 rw,errors=remount-ro createopts="-m15" tuneopts="-c 0 -i 0"
vg0-tmplv      /tmp    8192    ext3 defaults createopts="-m15" tuneopts="-c 0 -i 0"
vg0-usrlv      /usr    4096    ext3 defaults createopts="-m15" tuneopts="-c 0 -i 0"
vg0-varlv      /var    6144    ext3 defaults createopts="-m15" tuneopts="-c 0 -i 0"


Basically, what I would like to do is something similar to the following:

disk_config sda  bootable:1
primary - 500  - -
primary -       4096-   -       -

disk_config sdb  bootable:1
primary - 500  - -
primary -       4096-   -       -

disk_config raid
raid1   /boot sda1,sdb1 ext3 rw
raid1   -:encrypt  sda2,sdb2    - -

disk_config lvm
vg vg0        mapper/md1_crypt
vg0-swaplv     swap    8192    swap    sw
vg0-rootlv     /       3072    ext3 rw,errors=remount-ro createopts="-m15" tuneopts="-c 0 -i 0"
vg0-tmplv      /tmp    8192    ext3 defaults createopts="-m15" tuneopts="-c 0 -i 0"
vg0-usrlv      /usr    4096    ext3 defaults createopts="-m15" tuneopts="-c 0 -i 0"
vg0-varlv      /var    6144    ext3 defaults createopts="-m15" tuneopts="-c 0 -i 0"

Basically, encrypt the /dev/md1 device, which would then be utilized as either /dev/dm-0 or /dev/mapper/md1_crypt.

Parser.pm appears to explicitly disallow the configuration I want in this section of code:

    mountpoint: '-'
        {
          # this partition should not be mounted
          $FAI::partition_pointer->{mountpoint} = "-";
          $FAI::partition_pointer->{encrypt} = 0;
        }
        | 'swap'
        {
          # this partition is swap space, not mounted
          $FAI::partition_pointer->{mountpoint} = "none";
          $FAI::partition_pointer->{encrypt} = 0;
        }
        | m{^/\S*}
        {
          # set the mount point, may include encryption-request
          if ($item[ 1 ] =~ m{^(/[^:]*):encrypt$}) {
            &FAI::in_path("cryptsetup") or die "cryptsetup not found in PATH\n";
            $FAI::partition_pointer->{mountpoint} = $1;
            $FAI::partition_pointer->{encrypt} = 1;
          } else {
            $FAI::partition_pointer->{mountpoint} = $item[ 1 ];
            $FAI::partition_pointer->{encrypt} = 0;
          }
        }

The FAI installer seems to do things out of order if I try working with encryption on a RAID1 block device in the way I'm attempting. For instance, it tries to set up the LVM items before setting up the md devices and crashes out as a result.

Assuming I'm looking at the right pieces to try to resolve this issue and this capability doesn't exist within the FAI code, I'll suggest it would be more flexible to have the configuration resources depend on a previous resource being completed. Since the source code is in Perl already, an XML configuration file may be a reasonable option for resource group settings and dependencies. It would be similar to a Linux-HA configuration, where tasks have to be done in a particular order during a cluster failover to bring resources online correctly. Perhaps some of the Linux-HA code could be utilized for this task, since it is GPL and LGPL code?

If I'm just overlooking something obvious in setting up the disk configuration with encrypted RAID1, I'll be glad to discover how it should be set up within the FAI system. 

Thanks,
Doug
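
The manual sequence from the post (luksFormat, luksOpen, pvcreate, then the VG and LVs), written as a non-interactive script in dependency order. This is an added example, not part of the original message and not FAI code. The key file, the DRY_RUN switch and the function names are assumptions, LV sizes are taken as MiB, and filesystem creation is left out.

```shell
#!/bin/sh
# Added example: LUKS on an existing md device, then LVM inside it, in dependency order.
# Assumed, not from the post: key-file path, DRY_RUN switch, function names.
DRY_RUN=${DRY_RUN:-1}   # 1 = print the commands only, 0 = execute them

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# usage: setup_crypt_lvm MD_DEVICE MAPPER_NAME VG_NAME KEYFILE LV:SIZE_MIB...
setup_crypt_lvm() {
    [ "$#" -ge 5 ] || { echo "usage: setup_crypt_lvm md name vg keyfile lv:size..." >&2; return 2; }
    md=$1 name=$2 vg=$3 key=$4
    shift 4
    # Validate every LV spec before anything destructive happens.
    for spec in "$@"; do
        lv=${spec%%:*} size=${spec#*:}
        case $size in ''|*[!0-9]*) echo "bad LV spec '$spec'" >&2; return 2 ;; esac
        [ -n "$lv" ] || { echo "bad LV spec '$spec'" >&2; return 2; }
    done
    if [ "$DRY_RUN" != 1 ]; then
        # The array must already be assembled; layering onto a missing md
        # device is the ordering failure described in the post.
        [ -b "$md" ] || { echo "$md is not a block device" >&2; return 1; }
        [ -r "$key" ] || { echo "key file $key not readable" >&2; return 1; }
        [ ! -e "/dev/mapper/$name" ] || { echo "$name already mapped" >&2; return 1; }
    fi
    # --batch-mode skips the confirmation prompt; the key file replaces the typed passphrase.
    run cryptsetup --batch-mode luksFormat "$md" "$key" || return 1
    run cryptsetup --key-file "$key" luksOpen "$md" "$name" || return 1
    run pvcreate "/dev/mapper/$name" || return 1
    run vgcreate "$vg" "/dev/mapper/$name" || return 1
    for spec in "$@"; do
        run lvcreate -L "${spec#*:}M" -n "${spec%%:*}" "$vg" || return 1
    done
}

# Dry run by default:
#   sh crypt-lvm.sh /dev/md1 md1_crypt vg0 /path/to/keyfile swaplv:8192 rootlv:3072
if [ "$#" -gt 0 ]; then setup_crypt_lvm "$@"; fi
```

With DRY_RUN=0 the luksFormat step destroys whatever is on the md device, so review the printed plan first.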

