Gentoo Forums
root on two (2!) luks+lvm partitions. (SOLVED)
sabitov
n00b
Joined: 17 Aug 2004
Posts: 6
Location: Novosibirsk, Russia

Posted: Fri Sep 28, 2018 4:54 pm    Post subject: root on two (2!) luks+lvm partitions. (SOLVED)

Hi!

I've got a host with 2 HDDs and I'd like to install Gentoo on it in this way:
  • sda1 -- /boot
  • sda2 -- swap
  • sda3 and sdb1 -- encrypted lvm physical volumes

sda3 and sdb1 should be merged into one volume group, and this VG should contain the root fs.

There is no problem installing Gentoo on plain LVM PVs. I have installed Gentoo that way many times. There is also no problem installing Gentoo on ONE encrypted PV. And yes, I've installed it already, and it boots ;) But how can I extend the VG across two PVs? The exact question is: what should I set in the crypt_root argument for the genkernel-generated initramfs?

At the moment my boot options are (for a single-PV installation):
GRUB_CMDLINE_LINUX="dolvm udev crypt_root=UUID=b17ec904-7974-411e-88c5-fcb89d0cf268 root_key=hostname.key root_keydev=UUID=A5EB-BADF"


Last edited by sabitov on Mon Oct 08, 2018 3:24 pm; edited 1 time in total
Hu
Moderator
Joined: 06 Mar 2007
Posts: 13830

Posted: Sat Sep 29, 2018 12:31 am

Yes, this is possible. When the volume group spans physical volumes, the logical volumes within the volume group will have access to the combined space. The only quirk is that you need to unlock both LUKS volumes before scanning for LVM physical volumes. Everything else should be unaware of the distinction and work normally. This configuration may or may not be supported by genkernel's initramfs. You might need to patch it or find some other way to create the initramfs. Look at how crypt_root is processed in the initramfs to see if you can pass other values to cause multiple volumes to be unlocked.
sabitov
n00b
Joined: 17 Aug 2004
Posts: 6
Location: Novosibirsk, Russia

Posted: Sun Oct 07, 2018 5:16 pm    Post subject: Solved! :)

Well, below is my personal success story of how I solved the problem described in my first post.
To begin with, I have to say: genkernel does not support multiple crypto root devices. The "crypt_root" kernel parameter accepts only one device. And we have to teach genkernel to understand configurations with multiple crypto roots.

So, the kernel parameter name will be crypt_roots, and this parameter should be a colon-separated list of device names.
The kernel parameters in /etc/default/grub are:

Code:
GRUB_CMDLINE_LINUX="dolvm udev crypt_roots=UUID=b17ec904-7974-411e-88c5-fcb89d0cf268:UUID=889a3eb1-c454-47a2-b08d-4a951356d18c root_key=server_name-rootfs.key root_keydev=UUID=A5EB-BADF"


Then, genkernel has a command line argument "--linuxrc". This argument allows us to use a custom init script instead of the vanilla one.

I built my custom script in this way:

1 merged the default linuxrc file and its "include" files:

Code:
cat /usr/share/genkernel/defaults/{initrd.defaults,initrd.scripts,linuxrc} > myrc


2 removed lines 1909-1912 (these were the first 4 lines of linuxrc), and also removed lines 100-102 (these were the first 3 lines of initrd.scripts)

3 looked for a line "crypt_root=*)" and added a new section, so I got:

Code:
                # Crypto
                crypt_root=*)
                        CRYPT_ROOT=${x#*=}
                ;;
                crypt_roots=*)
                        CRYPT_ROOTS=${x#*=}
                ;;
                crypt_swap=*)
                        CRYPT_SWAP=${x#*=}
                ;;


4 looked for the definition of the startLUKS function and added a new if-block to support the new option:

Code:
        if [ -n "${CRYPT_ROOT}" ]; then
                openLUKS "root"
                if [ -n "${REAL_ROOT}" ]
                then
                        # Rescan volumes
                        startVolumes
                else
                        REAL_ROOT="/dev/mapper/root"
                fi
        fi

        if [ -n "${CRYPT_ROOTS}" ]; then
                multiOpenLUKS "root"
                if [ -n "${REAL_ROOT}" ]
                then
                        # Rescan volumes
                        startVolumes
                else
                        REAL_ROOT="/dev/mapper/root"
                fi
        fi


5 function multiOpenLUKS must be defined just before startLUKS, and the definition is:

Code:
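# Open multiple LUKS devices.
# This occurs if the root FS is placed on an LVM VG built on top of several encrypted partitions.
# $1 - root
multiOpenLUKS() {

        case $1 in
                root)
                        local TYPE=ROOT
                        ;;
        esac

        # Read the colon-separated device list from CRYPT_${TYPE}S (CRYPT_ROOTS)
        eval local LUKS_DEVICES='"${CRYPT_'${TYPE}'S}"'

#set -x

        local idx=0
        while [ -n "${LUKS_DEVICES}" ] ; do
                idx=$((idx+1))
                # First entry of the list, and the list with that entry removed
                local dev="${LUKS_DEVICES%%:*}"
                local rest="${LUKS_DEVICES#*:}"
                # With no ':' left, both expansions return the whole string: last entry
                if [ "${rest}" = "${dev}" ] ; then
                        LUKS_DEVICES=''
                else
                        LUKS_DEVICES="${rest}"
                fi
                # Export CRYPT_ROOT1, CRYPT_ROOT2, ... for openLUKS to pick up by index;
                # the value is expanded inside the eval, so it is never re-parsed as shell code
                eval "CRYPT_${TYPE}${idx}=\"\${dev}\""
                export "CRYPT_${TYPE}${idx}"
                openLUKS "$1" ${idx}
        done

#set +x

}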


6 function openLUKS should be modified a bit:
6.1 local vars definitions should be changed:

Code:
        local idx="$2"
        eval local LUKS_DEVICE='"${CRYPT_'${TYPE}${idx}'}"' LUKS_NAME="${1}${idx}" LUKS_KEY='"${CRYPT_'${TYPE}'_KEY}"' LUKS_KEYDEV='"${CRYPT_'${TYPE}'_KEYDEV}"' LUKS_TRIM='"${CRYPT_'${TYPE}'_TRIM}"'
        local DEV_ERROR=0 KEY_ERROR=0 KEYDEV_ERROR=0
        local mntkey="/mnt/key/" cryptsetup_options='' flag_opened="/${TYPE}${idx}.decrypted"


6.2 there is now a small delay before LUKS device activation, and my script prints which device is about to be decrypted and the name of the decrypted device.

Code:
                else
                        LUKS_DEVICE=$(find_real_device "${LUKS_DEVICE}")

                        echo Current crypto device: "${LUKS_DEVICE}"
                        echo Decrypted device name: "${LUKS_NAME}"
                        sleep 3

                        setup_md_device ${LUKS_DEVICE}
                        cryptsetup isLuks ${LUKS_DEVICE}



7 That's all! So, let's rebuild initramfs/kernel and update grub config:

Code:
        genkernel --luks --lvm --disklabel --linuxrc=/usr/local/etc/myrc --menuconfig all
#or just genkernel --luks --lvm --disklabel --linuxrc=/usr/local/etc/myrc initramfs


        tail -n ... /etc/default/grub
############# Local settings #####################

GRUB_CMDLINE_LINUX="dolvm udev crypt_roots=UUID=b17ec904-7974-411e-88c5-fcb89d0cf268:UUID=889a3eb1-c454-47a2-b08d-4a951356d18c root_key=server_name-rootfs.key root_keydev=UUID=A5EB-BADF"
GRUB_ENABLE_CRYPTODISK=y
GRUB_PRELOAD_MODULES="ext2 reiserfs lvm"
GRUB_HIDDEN_TIMEOUT=0
GRUB_HIDDEN_TIMEOUT_QUIET=true
GRUB_TIMEOUT=10
GRUB_GFXMODE=console
GRUB_GFXPAYLOAD_LINUX=text
GRUB_FONT="/boot/grub/fonts/unicode.pf2"
GRUB_DISABLE_SUBMENU=y

        grub-mkconfig -o /boot/grub/grub.cfg
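
A way to dry-run the crypt_roots splitting on a normal system before rebuilding the initramfs, as an added example that is not part of the original post and not genkernel code. The function names get_crypt_roots, valid_dev and plan_crypt_roots are hypothetical, and the accepted entry forms (UUID= with hex digits and dashes, or a /dev/ path) are an assumption; the check matters because each entry later becomes a shell variable value inside the init script.

```shell
#!/bin/sh
# Added example, not genkernel code: dry-run the crypt_roots parsing offline.

# Print the value of crypt_roots= found in a kernel command line string.
get_crypt_roots() {
    for x in $1; do
        case "$x" in
            crypt_roots=*) printf '%s\n' "${x#*=}" ;;
        esac
    done
}

# Assumption: an entry is UUID=<hex digits and dashes> or a plain /dev/ path.
valid_dev() {
    case "$1" in
        UUID=|UUID=*[!0-9A-Fa-f-]*) return 1 ;;
        UUID=*) return 0 ;;
        /dev/*[!A-Za-z0-9/_.-]*) return 1 ;;
        /dev/?*) return 0 ;;
        *) return 1 ;;
    esac
}

# Split the colon-separated list and print "<index> <device> <mapper name>"
# per entry, using the root1, root2, ... naming from the post's LUKS_NAME.
# Returns non-zero on an empty list or on any entry valid_dev rejects.
plan_crypt_roots() {
    list=$1
    idx=0
    while [ -n "$list" ]; do
        idx=$((idx + 1))
        dev=${list%%:*}
        case "$list" in
            *:*) list=${list#*:} ;;   # more entries follow
            *)   list='' ;;           # last entry
        esac
        if ! valid_dev "$dev"; then
            echo "crypt_roots entry $idx rejected: '$dev'" >&2
            return 1
        fi
        printf '%s %s root%s\n' "$idx" "$dev" "$idx"
    done
    [ "$idx" -gt 0 ]
}

# Constructed input: the command line from the post's /etc/default/grub.
CMDLINE='dolvm udev crypt_roots=UUID=b17ec904-7974-411e-88c5-fcb89d0cf268:UUID=889a3eb1-c454-47a2-b08d-4a951356d18c root_key=server_name-rootfs.key root_keydev=UUID=A5EB-BADF'
plan_crypt_roots "$(get_crypt_roots "$CMDLINE")"
```

Each output line pairs a device with the mapper name it should appear under after boot, which can be compared against /dev/mapper once the system is up.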