Gentoo Forums
Essence_of_War
PostPosted: Mon Oct 19, 2015 3:42 am    Post subject: gentoo, zfs, luks Reply with quote

Hey, I've worked through a non-exotic Gentoo installation up to and including a desktop environment previously on this same hardware.

I tried to do something a little more interesting, this time installing gentoo on a Luks-encrypted ZFS root.

I have a single disk that I split into:
/dev/sda1 - 32M Bios Boot partition
/dev/sda2 - 1 GB linux ext2 formatted /boot
/dev/sda3 - 1TB solaris root

I'm following ryao's guide mostly, with some additions to account for recent changes (splitting of services into 4 init scripts, for example) and to account for the fact that I'm using LUKS.

From a sysrescue-cd w/ ZFS added I did the following:
Code:

# Format /boot
mkfs.ext2 -m 1 /dev/sda2
mount /dev/sda2 /boot

#Build and open the luks volume
cryptsetup luksFormat -l 512 -c aes-xts-plain64 -h sha512 /dev/sda3
cryptsetup luksOpen /dev/sda3 cryptroot

# Make the pool
zpool create -f -o ashift=12 -o cachefile=/tmp/zpool.cache -O normalization=formD -m none -R /mnt/gentoo rpool /dev/mapper/cryptroot
zfs set compression=lz4 rpool
zfs set atime=off rpool

# Make a bunch of datasets
zfs create -o mountpoint=none rpool/ROOT
zfs create -o mountpoint=/ rpool/ROOT/gentoo

zfs create -o mountpoint=/home rpool/HOME
zfs create -o mountpoint=/root rpool/HOME/root

zfs create -o mountpoint=/home/EssenceOfWar rpool/HOME/EssenceOfWar

zfs create -o mountpoint=none rpool/GENTOO
zfs create -o mountpoint=/usr/portage rpool/GENTOO/portage
zfs create -o mountpoint=/usr/portage/distfiles rpool/GENTOO/distfiles

zfs create -o mountpoint=/usr/portage/packages rpool/GENTOO/packages

zfs create -o mountpoint=/var/tmp/portage -o sync=disabled rpool/GENTOO/build-dir
zfs create -o mountpoint=/var/tmp/ccache rpool/GENTOO/ccache

# Get a stage-3
cd /mnt/gentoo
wget ftp://gentoo.osuosl.org/pub/gentoo/releases/amd64/autobuilds/current-stage3-amd64/stage3-amd64-20151015.tar.bz2

tar -xvjpf stage3-amd64-*.tar.bz2 --xattrs

# Prepare for Chroot
mkdir -p /mnt/gentoo/etc/zfs
cp /tmp/zpool.cache /mnt/gentoo/etc/zfs/zpool.cache
cp /etc/resolv.conf /mnt/gentoo/etc/resolv.conf
mount -t proc none /mnt/gentoo/proc
mount --rbind /dev /mnt/gentoo/dev
mount --rbind /sys /mnt/gentoo/sys

# Chroot in
chroot /mnt/gentoo /bin/bash
env-update; source /etc/profile; export PS1="(chroot) $PS1"; cd

# Get portage snapshot
emerge --sync

# Install genkernel
# Before installing genkernel or gentoo-sources, I added "symlink" to my make.conf
emerge sys-kernel/genkernel
emerge sys-kernel/gentoo-sources


# Build initial kernel (required for checks in sys-kernel/spl and sys-fs/zfs)
genkernel kernel --no-clean --no-mountboot

# Install ZFS
echo "sys-kernel/spl ~amd64" >> /etc/portage/package.accept_keywords
echo "sys-fs/zfs-kmod ~amd64" >> /etc/portage/package.accept_keywords
echo "sys-fs/zfs ~amd64" >> /etc/portage/package.accept_keywords
emerge sys-fs/zfs

# Add services to run levels
rc-update add zfs-zed boot
rc-update add zfs-import boot
rc-update add zfs-mount boot
rc-update add zfs-share default

emerge sys-apps/gptfdisk
emerge sys-fs/cryptsetup



Everything seemed to be fine up to this point! But I ran into trouble in the next step:

Code:

exit
umount -l /mnt/gentoo/proc /mnt/gentoo/dev /mnt/gentoo/sys
zpool export rpool


When I tried to export rpool, even with the "-f" flag, I got a warning about /mnt/gentoo being busy and export failed.

This was probably dumb, but I just chroot'd back in and continued:
Code:

mount -t proc none /mnt/gentoo/proc
mount --rbind /dev /mnt/gentoo/dev
mount --rbind /sys /mnt/gentoo/sys
chroot /mnt/gentoo /bin/bash
env-update; source /etc/profile; export PS1="(chroot) $PS1"; cd


I edited my fstab to show only:

Code:
/dev/sda2 /boot ext2 defaults,noatime 0 2


Then installed grub2:
Code:

echo "sys-boot/grub:2 libzfs" >> /etc/portage/package.use
echo "sys-boot/grub:2 ~amd64" >> /etc/portage/package.accept_keywords
emerge sys-boot/grub:2
touch /etc/mtab
grub2-install /dev/sda

genkernel all --no-clean --no-mountboot --zfs --luks --lvm --bootloader=grub2 --callback="emerge @module-rebuild"


Everything looked fine up to this point, but when I checked out /boot, I didn't have a grub.cfg file, so I tried to re-generate it:

Code:
grub2-mkconfig -o /boot/grub/grub.cfg


and I got hit with an error:
Quote:
error: failed to get canonical path of /dev/cryptroot


It can't get a path to cryptroot of course, because cryptroot is on /dev/mapper/cryptroot not /dev/cryptroot. I figure that I must have done something wrong or out of order to mess up the pathing? Either that or grub is being silly by slapping the name of the zpool device (cryptroot) onto /dev/ when it looks for paths. Any advice?
frostschutz
PostPosted: Mon Oct 19, 2015 11:52 am    Post subject: Reply with quote

Can't help with your issue but you probably meant -s 512 not -l 512?
Essence_of_War
PostPosted: Mon Oct 19, 2015 1:34 pm    Post subject: Reply with quote

Yeah, I think that was a transcription error. I was scribbling notes as I went so I could reproduce this later, and I was probably thinking "key-length, must be -l" when it's actually "key-size, -s".

At any rate, I don't think "-l" is a flag for cryptsetup, at least not with luksFormat.
frostschutz
PostPosted: Mon Oct 19, 2015 1:38 pm    Post subject: Reply with quote

It is a flag, but it is simply ignored (in this particular case), so it works but if you check cryptsetup luksDump, you have 256 bits (the default) and not 512. If that was important to you, you would end up having to re-encrypt everything.
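The point frostschutz makes is that cryptsetup accepts a mistyped option without applying it, so the only way to know what was written is to read the header back. The following check is an added example, not code from the thread; it parses a constructed `cryptsetup luksDump` sample (LUKS1 layout, made-up digest) and compares the recorded cipher, mode, hash and master-key size against what the original post intended.

```shell
#!/bin/sh
# Added example: verify that a LUKS header really carries the cipher, hash and
# key size you meant to set. An option such as "-l 512" is accepted but not
# applied, so the header silently ends up with the 256-bit default.

# Constructed sample of `cryptsetup luksDump` output (LUKS1 layout, values made up)
# for a volume formatted without a valid -s option.
SAMPLE_DUMP='LUKS header information for /dev/sda3

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha512
Payload offset: 4096
MK bits:        256
MK digest:      00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33
'

# check_luks_header DUMP CIPHER MODE HASH BITS
# Compares the header fields in DUMP against the intended values; prints one
# line per mismatch and returns 1 if any field differs, 0 if all match.
check_luks_header() {
    dump=$1; want_cipher=$2; want_mode=$3; want_hash=$4; want_bits=$5
    rc=0
    # Each field is the third whitespace-separated token on its own line.
    got_cipher=$(printf '%s\n' "$dump" | awk '/^Cipher name:/ {print $3}')
    got_mode=$(printf '%s\n' "$dump" | awk '/^Cipher mode:/ {print $3}')
    got_hash=$(printf '%s\n' "$dump" | awk '/^Hash spec:/ {print $3}')
    got_bits=$(printf '%s\n' "$dump" | awk '/^MK bits:/ {print $3}')
    [ "$got_cipher" = "$want_cipher" ] || { echo "cipher: got $got_cipher, wanted $want_cipher"; rc=1; }
    [ "$got_mode" = "$want_mode" ] || { echo "mode: got $got_mode, wanted $want_mode"; rc=1; }
    [ "$got_hash" = "$want_hash" ] || { echo "hash: got $got_hash, wanted $want_hash"; rc=1; }
    [ "$got_bits" = "$want_bits" ] || { echo "key size: got $got_bits bits, wanted $want_bits"; rc=1; }
    return $rc
}

# Run against the constructed sample with the settings the original post intended
# (aes-xts-plain64, sha512, 512-bit master key, i.e. two 256-bit AES keys).
check_luks_header "$SAMPLE_DUMP" aes xts-plain64 sha512 512 \
    && echo "header matches the intended settings" \
    || echo "header does NOT match; re-encryption would be needed to change it"
# On a real system: check_luks_header "$(cryptsetup luksDump /dev/sda3)" aes xts-plain64 sha512 512
```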
Essence_of_War
PostPosted: Mon Oct 19, 2015 1:52 pm    Post subject: Reply with quote

Oh, I see. I'll double check the luksDump from live-media, and see if it was a transcription error, or if I actually made that mistake at the terminal. Thanks!
Essence_of_War
PostPosted: Mon Oct 19, 2015 2:15 pm    Post subject: Reply with quote

I think I found a potential work-around from Ubuntu's EncryptedZFS walkthrough:

Quote:

Prepare a symbolic link to the root LUKS container. Without this symbolic link update-grub will complain that it can't find the canonical path and error. (Replace root_crypt with your named root LUKS container).

Code:
ln -s /dev/mapper/root_crypt /dev/root_crypt


Assure that future kernel updates will succeed by always creating the symbolic link. (Replace root_crypt with your named root LUKS container).

Code:
echo 'ENV{DM_NAME}=="root_crypt", SYMLINK+="root_crypt"' > /etc/udev/rules.d/99-local.rules




I'm going to try to test that today, but it sounds like it works around the precise problem that I'm having.
kernelOfTruth
PostPosted: Mon Oct 19, 2015 11:38 pm    Post subject: Reply with quote

@Essence_of_War:

any reason why you use that modified and possibly outdated guide instead of ryao's newer one?

https://github.com/ryao/zfs-overlay/blob/master/zfs-install

I'm still hesitant to migrate all partitions (including root) to ZFS but that might be the best solution in the long run instead of mixing up Btrfs, ZFS and other filesystems - this also preempts issues with the Pagecache and ARC clashing with each other, ...
Essence_of_War
PostPosted: Tue Oct 20, 2015 3:36 am    Post subject: Reply with quote

Yeah, originally, I went with the slightly older version because it included some hints as to where to put luks support.

I managed to get it working!
With the addition of the symlink I was able to get grub2-mkconfig to execute correctly, but I still had to edit the grub.cfg manually to make sure it knew where to find the cryptroot.

Code:

linux  /kernel-X.XX.X-gentoo root=ZFS=rpool/ROOT/gentoo crypt_root=/dev/sda3 dozfs=force ro
initrd /initramfs-genkernel-x86_64-X.XX.X


It correctly set up the root=ZFS=rpool/ROOT, but it missed the /gentoo, and it also missed the crypt_root.

Is there a good way to automate this? Because since grub.cfg is created by scripts, I think I'll have to do this each time I run update-grub, right?
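Since grub2-mkconfig can emit a `linux` line that drops the dataset suffix and the crypt_root= parameter, as the last post describes, a quick check of the generated file before rebooting is worth having. The script below is an added example, not code from the thread; it runs over a constructed grub.cfg fragment (one hand-corrected entry, one entry as the post says it was generated) and counts the kernel lines whose root=ZFS= or crypt_root= does not match the expected values.

```shell
#!/bin/sh
# Added example: sanity-check the `linux` lines grub2-mkconfig wrote to grub.cfg.
# A boot entry whose root=ZFS= names the wrong dataset, or that lacks crypt_root=,
# will not reach the LUKS-backed pool; this flags such lines before a reboot.

# Constructed grub.cfg fragment (not the poster's file): the first entry is the
# hand-corrected one, the second is how the generated entry looked.
SAMPLE_CFG='menuentry "Gentoo (fixed)" {
    linux  /kernel-X.XX.X-gentoo root=ZFS=rpool/ROOT/gentoo crypt_root=/dev/sda3 dozfs=force ro
    initrd /initramfs-genkernel-x86_64-X.XX.X
}
menuentry "Gentoo (as generated)" {
    linux  /kernel-X.XX.X-gentoo root=ZFS=rpool/ROOT ro
    initrd /initramfs-genkernel-x86_64-X.XX.X
}
'

# count_bad_linux_lines CFG DATASET CRYPTDEV
# Prints the number of `linux` lines in CFG whose root= parameter is not
# ZFS=DATASET or whose crypt_root= parameter is not CRYPTDEV (0 means all good).
count_bad_linux_lines() {
    printf '%s\n' "$1" | awk -v want_root="ZFS=$2" -v want_crypt="$3" '
        $1 == "linux" {
            root = ""; crypt = ""
            # Walk the kernel parameters and pull out the two we care about.
            for (i = 2; i <= NF; i++) {
                if (sub(/^root=/, "", $i)) root = $i
                else if (sub(/^crypt_root=/, "", $i)) crypt = $i
            }
            if (root != want_root || crypt != want_crypt) bad++
        }
        END { print bad + 0 }'
}

bad=$(count_bad_linux_lines "$SAMPLE_CFG" rpool/ROOT/gentoo /dev/sda3)
echo "kernel lines needing a fix: $bad"
# On a real system, after each grub2-mkconfig run:
# count_bad_linux_lines "$(cat /boot/grub/grub.cfg)" rpool/ROOT/gentoo /dev/sda3
```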