FAI with RAID+CRYPT+LVM

Alexandros Afentoulis alexaf at noc.grnet.gr
Tue Aug 23 12:33:35 CEST 2016


On 08/22/2016 09:56 AM, Paul Schulz wrote:
> (Repeated as first attempt didn't go through.)
>
> Greetings,
> I have been asked to set up some systems with an encrypted disk
> configuration (see below for FAI setup-storage format), essentially two
> disks with:
>    RAID1(/boot+other) < Crypt(other) < LVM(Root,Home,Swap)
>
> Should I expect this to work? If not, what would need to be done to
> include this support in LVM.  Can I run setup-storage multiple times (3
> config files)?

Hello there,

Yes, the disk scheme you aim for is feasible. In fact, I did set up a node
like that a couple of days ago.

>
> The man page on the website for setup-storage has some formatting
> issues:  http://fai-project.org/doc/man/setup-storage.html
>
> The following is my attempt at a configuration file to do this. I have
> installed the mdadm,cryptsetup and lvm2 packages in the nfsroot and as
> packages to be installed.
>
> What have I missed?
> Cheers,
> Paul
> -----
> # Disks: 2x 1TB
> # Configuration: RAID1+CRYPTO+LVM
>
> disk_config sda disklabel:msdos bootable:1 fstabkey:uuid
> primary -      2G        -     -
> logical -      200G-     -     -
>
> disk_config sdb disklabel:msdos bootable:1 fstabkey:uuid
> primary -      2G        -     -
> logical -      200G-     -     -
>
> disk_config raid
> raid1   /boot  sda1,sdb1 ext2 rw,noatime
> raid1   -      sda2,sdb2 -    -
>

Given that /boot is on raid1, make sure GRUB or the bootloader of your
choice does indeed understand where to find /boot.

Also, if an extended partition is created for sda and sdb, maybe the
usable logical partition will be sda3 and not sda2? You can check what's
going on with 'lsblk' and modify the partitions taking part in raid
accordingly, if needed.

> # Assumes that previous step created /dev/md0,/dev/md1
> disk_config cryptsetup                                     luks md1_crypt /dev/md1 lvm - -

I assume you intended to write

> disk_config cryptsetup
> luks md1_crypt /dev/md1 lvm - -

I am not really sure if the above syntax will create
/dev/mapper/md1_crypt _or_ /dev/md1_crypt. Perhaps try specifying the full
path just to be sure. If you don't specify any preferred name,
'/dev/mapper/crypt_dev_md1' will be created.

> # Assumes the previous step created /dev/mapper/md1_crypt   disk_config lvm
> vg Base mapper/md1_crypt
> Base-Swap   swap   8G    swap sw
> Base-Root   /      40G   ext4 rw,noatime
> Base-Home   /home  100G- ext4 rw,noatime

I also assume you intended to write

> disk_config lvm
> vg Base mapper/md1_crypt
> Base-Swap   swap   8G    swap sw
> Base-Root   /      40G   ext4 rw,noatime
> Base-Home   /home  100G- ext4 rw,noatime

This seems like a working syntax to me, as long as you make sure 
'/dev/mapper/md1_crypt' is really created.

Based on a working disk_config of mine, I argue that the following would 
work for you:


> disk_config sda disklabel:msdos bootable:1 fstabkey:uuid
> primary -      2G        -     -
> logical -      200G-     -     -
>
> disk_config sdb disklabel:msdos bootable:1 fstabkey:uuid
> primary -      2G        -     -
> logical -      200G-     -     -
>
> disk_config raid fstabkey:uuid
> raid1   /boot  sda1,sdb1 ext2 rw,noatime
> raid1   -      sda3,sdb3 -    -
>
> disk_config cryptsetup
> luks - md1 lvm - -
>
> disk_config lvm
> vg Base md1
> Base-Swap   swap   8G    swap sw
> Base-Root   /      40G   ext4 rw,noatime
> Base-Home   /home  100G- ext4 rw,noatime

Hope I helped,
Greetings
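
An added example, not part of the original message or of FAI: a Python check over `lsblk -J -o NAME,TYPE,MOUNTPOINT` output that confirms every mount except /boot sits on raid1, then crypt, then lvm, which is what the 'lsblk' check suggested in the reply is looking for. The device trees and partition numbers are constructed samples, and `dev`, `tree`, `mount_stacks` and `audit` are hypothetical helper names.

```python
# Added example: constructed lsblk trees, not output from a real install.
def dev(name, kind, mnt=None, children=()):
    """Build one node shaped like `lsblk -J -o NAME,TYPE,MOUNTPOINT` output."""
    return {"name": name, "type": kind, "mountpoint": mnt, "children": list(children)}

def tree(md1_children):
    """One mirror member: sda1 -> md0 (/boot), sda3 -> md1 -> md1_children."""
    return {"blockdevices": [dev("sda", "disk", children=[
        dev("sda1", "part", children=[dev("md0", "raid1", "/boot")]),
        dev("sda3", "part", children=[dev("md1", "raid1", children=md1_children)]),
    ])]}

LVS = [dev("Base-Swap", "lvm", "[SWAP]"), dev("Base-Root", "lvm", "/"),
       dev("Base-Home", "lvm", "/home")]
GOOD = tree([dev("crypt_dev_md1", "crypt", children=LVS)])  # intended stack
BAD = tree(LVS)  # failure case: volume group built directly on md1, no LUKS

def mount_stacks(node, stack=()):
    """Yield (mountpoint, device types from the disk down) for each mounted node."""
    stack = stack + (node["type"],)
    if node.get("mountpoint"):
        yield node["mountpoint"], stack
    for child in node.get("children") or []:
        yield from mount_stacks(child, stack)

def audit(lsblk, allowed_plain=("/boot",)):
    """Return {mountpoint: problem} for mounts not on raid1 -> crypt -> lvm."""
    problems = {}
    for disk in lsblk["blockdevices"]:
        for mnt, stack in mount_stacks(disk):
            if "raid1" not in stack:
                problems[mnt] = "not mirrored"
            elif mnt in allowed_plain:
                continue  # /boot is outside LUKS in this layout
            elif "crypt" not in stack:
                problems[mnt] = "not encrypted"
            elif stack.index("crypt") < stack.index("raid1") or stack[-1] != "lvm":
                problems[mnt] = "unexpected layering"
    return problems

if __name__ == "__main__":
    # On a real host, pass json.loads() of `lsblk -J -o NAME,TYPE,MOUNTPOINT`.
    print("good:", audit(GOOD))
    print("bad: ", audit(BAD))
```

An empty result means swap, / and /home are all behind the LUKS layer; the `BAD` tree shows the report when the volume group lands on md1 directly.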

