Crypto during FAI install
Michael Tautschnig
mt at debian.org
Sun Feb 8 13:52:19 CET 2009
Hi!
[...]
> So far, I got the mirrored LVM working after hacking the FAI GRUB install script so GRUB would boot correctly with md devices. The setup-storage command doesn't seem to allow encryption to be specified on an md device, particularly since Parser.pm requires a mountpoint be specified, which isn't relevant on a RAID1 disk_config setting.
>
Ok, that has been fixed in 3.2.17+experimental4 (see
http://faiwiki.debian.net/index.php/Main_Page#getting_FAI for more information
about the experimental builds).
[...]
>
> The FAI installer seems to do things out of order if I try working with encryption on a RAID1 block device in the way I'm attempting. For instance, it tries to set up the LVM items before setting up the md devices and crashes out as a result.
>
> Assuming I'm looking at the right pieces to try to resolve this issue and this capability doesn't exist within the FAI code, I'll suggest it would be more flexible to have the configuration resources depend on a previous resource being completed. Since the source code is in Perl already, an XML configuration file may be a reasonable option for resource group settings and dependencies. It would be similar to a Linux-HA configuration, where tasks have to be done in a particular order during a cluster failover to bring resources online correctly. Perhaps some of the Linux-HA code could be utilized for this task, since it is GPL and LGPL code?
>
I don't really like the idea that the users write XML files. XML is nice for
machine processing, but writing it by hand is cumbersome. And even more so, the
user should not need to make those dependencies explicit, instead ...
> If I'm just overlooking something obvious in setting up the disk configuration with encrypted RAID1, I'll be glad to discover how it should be set up within the FAI system.
>
... setup-storage should detect the dependencies. In fact, setup-storage already
has facilities for reordering commands and it should have taken care of your
special situation. But apparently it didn't, so there's some bug to be fixed.
Could you please try out the above experimental version, do export debug=1 in
one of your .var scripts in class/ and mail fai.log (private mail is ok)?
Thanks,
Michael