Root filesystem over LVM2, DM-Crypt and RAID

From Gentoo Linux Wiki


This howto aims to explain how to combine RAID, DM-Crypt and LVM2, and how to boot from the result. It is written for users with some experience, as it does not go into detail about RAID, DM-Crypt or LVM2; check the linked howtos for more information.

To help with comprehension, this howto assumes the following target system.

Target System (layers from the mount points down to the physical disks)

  Mount points:     100M /boot                        | 20G /                              5G swap                             75G /home
  Logical Volumes:                                    | 20G LVM2 Logical Volume "root"     5G LVM2 Logical Volume "swap"       75G LVM2 Logical Volume "home"
                                                      | (/dev/mapper/vg-root)              (/dev/mapper/vg-swap)               (/dev/mapper/vg-home)
  Volume Group:                                       | 100G LVM2 Volume Group "vg"
  DM-Crypt:                                           | 100G DM-Crypt "vault" (/dev/mapper/vault)
  RAID:             100M RAID1 Array (/dev/md1)       | 100G RAID1 Array (/dev/md2)
  Partitions:       2x100M Partitions (/dev/sda1 /dev/sdb1) | 2x100G Partitions (/dev/sda2 /dev/sdb2)
  Disks:            2x100G Disks (/dev/sda /dev/sdb)



[edit] Requirements

You will need:

All of this is present on the Gentoo Universal install CD.

[edit] Partitions

Create the two partitions on the first disk

cfdisk /dev/sda

Then just copy the partition table to the other disk

sfdisk -d /dev/sda | sfdisk /dev/sdb

[edit] RAID

Create the two RAID1 Arrays

mdadm --create --verbose /dev/md1 --level=1 --raid-devices=2 /dev/sda1 /dev/sdb1
mdadm --create --verbose /dev/md2 --level=1 --raid-devices=2 /dev/sda2 /dev/sdb2

Wait for them to sync (optional)

cat /proc/mdstat

More about RAID here

[edit] DM-Crypt

First you need to randomise the disk (optional and very slow, but recommended for improved security; you may want to look at frandom to speed things up).

Note: It greatly speeds things up to increase the block size (bs) to 100M.

(with urandom)
dd if=/dev/urandom of=/dev/md2 bs=100M
(with frandom)
dd if=/dev/frandom of=/dev/md2 bs=100M

Then create the encrypted device

cryptsetup -y --cipher aes-cbc-essiv:sha256 --key-size 256 luksFormat /dev/md2
Warning: Use a key you can remember or you will lose all your data

And map the encrypted device

cryptsetup luksOpen /dev/md2 vault

More about DM-Crypt here

[edit] LVM2

Create a Physical Volume containing the encrypted device

pvcreate /dev/mapper/vault

Create a Volume Group

vgcreate vg /dev/mapper/vault

Create Logical Volumes that will become your final partitions

lvcreate -L20G -nroot vg
lvcreate -L5G -nswap vg
lvcreate -l100%FREE -nhome vg

More about LVM2 here

[edit] Formatting

Format your partitions with your favorite FS

mkreiserfs /dev/md1
mkreiserfs /dev/mapper/vg-root
mkreiserfs /dev/mapper/vg-home
mkswap /dev/mapper/vg-swap


[edit] Installation

You are now all set to install Gentoo; refer to the handbook and don't forget to configure your kernel correctly.

Some things you need in the Kernel are:

 Device Drivers ---> Multiple device drivers -> Device mapper support
 Device Drivers ---> Multiple device drivers -> Crypt target support
 Cryptographic API ---> <used algorithms>

Packages needed: sys-fs/mdadm, sys-fs/lvm2 and sys-fs/cryptsetup

[edit] Access

Commands to regain access to your partitions (in case you need to)

mdadm --assemble /dev/md2 /dev/sda2 /dev/sdb2
cryptsetup luksOpen /dev/md2 vault
vgchange -ay vg
mount /dev/mapper/vg-* /mount/points

Just for your information, the reverse of these commands is:

umount /dev/mapper/vg-*
vgchange -an vg
cryptsetup luksClose vault
mdadm --stop /dev/md2


[edit] Initram

[edit] Packages

To simplify the rest of the procedure, some packages need the static USE flag

File: /etc/portage/package.use
sys-fs/lvm2 static
sys-fs/mdadm static
sys-apps/busybox static

Re-emerge them if needed

emerge mdadm lvm2 busybox -pv

cryptsetup needs to be installed so that its binary can be copied into the initramfs

emerge cryptsetup

[edit] Hierarchy

An initram is just a small directory hierarchy compressed into a single file; you won't need many files.

mkdir initram
cd initram

A few directories first

mkdir bin dev dev/mapper dev/vc etc newroot proc sys

Now you can copy the binaries needed

cp /bin/busybox /sbin/cryptsetup /sbin/lvm.static /sbin/mdadm bin
mv bin/lvm.static bin/lvm
ln -s busybox bin/cat
ln -s busybox bin/mount
ln -s busybox bin/sh
ln -s busybox bin/switch_root
ln -s busybox bin/umount
ln -s busybox bin/sleep
ln -s lvm bin/vgscan
ln -s lvm bin/vgchange

Now for the devices

cp -a /dev/console /dev/sda2 /dev/sdb2 /dev/null /dev/urandom dev
cp -a /dev/mapper/vg-root dev/mapper
ln -s ../console dev/vc/0

Optional Step : If you don't have a qwerty keyboard, you will need a custom keymap.

mkdir /dev/vc
ln -s ../console /dev/vc/0
busybox dumpkmap > etc/kmap-fr
ln -s busybox bin/loadkmap

Optional Step: put a message in ASCII-ART

mkdir etc/
cp msg etc/

Optional Step: you can add fbsplash support: follow the steps on the wiki, uncompress that initramfs and merge it with this one.

And to finish this initram: an init script. By default, the kernel will start the /init file.

File: init
#!/bin/sh

mount -t proc proc /proc
CMDLINE=`cat /proc/cmdline`

mount -t sysfs sysfs /sys

#wait a little to avoid trailing kernel output
sleep 3

#If you don't have a qwerty keyboard, uncomment the next line 
#loadkmap < /etc/kmap-fr

#raid
/bin/mdadm --assemble /dev/md2 /dev/sda2 /dev/sdb2

#If you have a msg, show it: 
#cat /etc/msg

#dm-crypt
/bin/cryptsetup luksOpen /dev/md2 vault

#lvm
#/bin/vgscan
/bin/vgchange -ay vg

#root filesystem
mount -r /dev/mapper/vg-root /newroot

#unmount pseudo FS
umount /sys
umount /proc

#root switch
exec /bin/busybox switch_root /newroot /sbin/init ${CMDLINE}

Make sure the init file is executable:

chmod u+x init

Now you can create the initramfs file

find . | cpio --quiet -o -H newc | gzip -9 > /boot/initramfs
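The init script above carries on regardless of whether a step succeeded, so a mistyped passphrase ends in a failed mount and a kernel panic at switch_root. As an added example (not the wiki's own script), here is the same boot sequence with each step checked, a bounded number of passphrase attempts, and a rescue shell on failure; it assumes the howto's device names (/dev/md2, vault, vg, vg-root), and the CRYPTSETUP/MDADM/VGCHANGE variables are an assumption that lets the unlock logic be exercised outside an initramfs.

```shell
#!/bin/sh
# Added example, not the wiki's own /init: same boot sequence, but every step
# is checked, the LUKS passphrase gets a bounded number of attempts, and a
# failure drops to a rescue shell instead of panicking in switch_root.
# Device names follow the howto (/dev/md2 -> vault -> vg -> vg-root). The
# tool variables are assumptions so the unlock logic can be exercised outside
# an initramfs (e.g. pointed at a stub command).
CRYPTSETUP=${CRYPTSETUP:-/bin/cryptsetup}
MDADM=${MDADM:-/bin/mdadm}
VGCHANGE=${VGCHANGE:-/bin/vgchange}
MAX_TRIES=${MAX_TRIES:-3}

# Root shell inside the initramfs so the disks can be inspected by hand.
rescue_shell() {
    echo "$1" >&2
    echo "Dropping to a rescue shell." >&2
    exec /bin/sh
}

# open_luks DEVICE NAME: up to MAX_TRIES passphrase attempts.
# Returns 0 on success, 1 once the attempts are exhausted.
open_luks() {
    dev=$1; name=$2; n=0
    while [ "$n" -lt "$MAX_TRIES" ]; do
        n=$((n + 1))
        "$CRYPTSETUP" luksOpen "$dev" "$name" && return 0
        echo "luksOpen $dev failed (attempt $n of $MAX_TRIES)" >&2
    done
    return 1
}

# The howto's boot sequence with each step checked.
boot() {
    mount -t proc proc /proc
    mount -t sysfs sysfs /sys
    CMDLINE=$(cat /proc/cmdline)
    sleep 3                     # let trailing kernel output settle
    "$MDADM" --assemble /dev/md2 /dev/sda2 /dev/sdb2 || rescue_shell "RAID assembly failed"
    open_luks /dev/md2 vault || rescue_shell "Could not unlock /dev/md2"
    "$VGCHANGE" -ay vg || rescue_shell "LVM activation failed"
    mount -r /dev/mapper/vg-root /newroot || rescue_shell "Mounting vg-root failed"
    umount /sys
    umount /proc
    exec /bin/busybox switch_root /newroot /sbin/init ${CMDLINE}
}

# Only run the sequence when executed as the initramfs /init.
if [ "$0" = "/init" ]; then boot; fi
```

Drop it in place of the init file above (keeping the same name and chmod), and rebuild the initramfs with the find | cpio command.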

[edit] GRUB

The last thing needed is a bootloader. The configuration file:

File: /boot/grub/grub.conf
default 0
timeout 3

title=linux
root (hd0,0)
kernel /boot/linux-2.6.27-4
initrd /boot/initramfs

And install it on both disks (so you can boot from the second if the first fails):

grub
device (hd0) /dev/sda
root (hd0,0)
setup (hd0)
device (hd0) /dev/sdb
root (hd0,0)
setup (hd0)

[edit] Reboot

Note: If your version of LVM2 is 2.02.70 or newer and you use baselayout-2, you have to add lvm to the boot runlevel.

You should now be able to boot your system: the passphrase will be asked for just after the kernel finishes initialising, and then the normal boot will proceed.
