Package: fai-setup-storage
Version: 5.8.4
Severity: wishlist
File: /usr/sbin/setup-storage

I am trying to set up a fairly classic "RAID + LUKS + LVM"
configuration. The idea is to do the following steps:

 1. format two disks identically, with a grub part, /boot and the rest
    for the RAID/LUKS/LVM array
 2. pick the third partition and create a RAID-1 array on it
 3. luksFormat that RAID array
 4. load that LUKS partition as a PV of a VG
 5. create LVs in that VG

From the manpage, it's not immediately obvious how this can be
done. There's a small note in the cryptsetup example about:

    With a working RAID+LVM configuration, an encryption  layer  can
    be  added  between  the RAID and LVM device layers by adding the
    following cryptsetup configuration. In this case, the  encrypted
    device will be called 'crypt_format_md1' and will be used as the
    underlying physical device (PV) in LVM.
    
    disk_config cryptsetup
    luks    -        /dev/md1       -       -

Reading this, I thought I should use this configuration:

    disk_config cryptsetup
    luks    -       /dev/md1        -       -
    luks    -       /dev/md2        -       -
    
    disk_config lvm fstabkey:uuid
    vg      vg_nvme crypt_format_md1
    vg_nvme-root    /       30G     ext4    rw
    vg_nvme-swap    swap    1G      swap    sw

On IRC, MrFai correctly pointed out (thanks!) that the device name
should not be used in the vg directive there, it should instead read
like:

    vg vg_nvme md1

But that was far from obvious to me. I would suggest adding the
following example in the manual page to work around that ambiguity:

    disk_config disk1
    primary -       0-      -       -
    
    disk_config disk2
    primary -       0-      -       -
    
    disk_config raid fstabkey:uuid
    raid1   -       disk1,disk2     -       -
    
    disk_config cryptsetup
    luks    -       /dev/md0        -       -
    
    disk_config lvm fstabkey:uuid
    vg      vg_nvme md0
    vg_nvme-root    /       30G     ext4    rw
    vg_nvme-swap    swap    1G      swap    sw

That way users have a clear, unambiguous example of how to set up the
full stack.

Note that I haven't tested the above configuration, I distilled it
down from another configuration that I know works, but that's more
specific to our situation:

    # open questions
    # --align=optimal?
    # leave keys in /tmp/fai or specify passphrase?
    # use sameas: to set all disk names earlier?
    # bios_grub flag?
    
    disk_config nvme0n1 disklabel:gpt bootable:2
    # bios grub second stage
    primary -       8MiB    -       -
    # /boot
    primary -       512MiB  -       -
    # rest is RAID+LUKS+LVM
    primary -       0-      -       -
    
    disk_config nvme1n1 disklabel:gpt bootable:2
    # same as above
    primary -       8MiB    -       -
    primary -       512MiB  -       -
    primary -       0-      -       -
    
    disk_config sda disklabel:gpt
    primary -       0-      -       -
    
    disk_config sdb disklabel:gpt
    primary -       0-      -       -
    
    disk_config raid fstabkey:uuid
    raid1   /boot   nvme0n1p2,nvme1n1p2     ext4    rw,noatime,errors=remount-ro
    raid1   -       nvme0n1p3,nvme1n1p3     -       -
    raid1   -       sda1,sdb1       -       -
    
    # FAI defaults to -c aes-xts-plain64 -s 256
    disk_config cryptsetup
    luks    -       /dev/md1        -       -
    luks    -       /dev/md2        -       -
    
    disk_config lvm fstabkey:uuid
    # previous convention was "vg_$hostname"
    vg      vg_nvme md1
    vg_nvme-root    /       30G     ext4    rw
    vg_nvme-swap    swap    1G      swap    sw
    
    vg      vg_hdd  md2
    
    # HDD disks config intentionally left blank

I'll finally note that the device created by cryptsetup is actually
*not* called "crypt_format_md1" as documented in the manpage, but
rather "crypt_dev_md1". This should probably be fixed as well,
although it's unclear if that device name can be used anywhere in the
configuration. That fact could also be made clearer.

Thanks for this tool, it's pretty neat!

-- System Information:
Debian Release: 10.2
  APT prefers stable-debug
  APT policy: (500, 'stable-debug'), (500, 'stable'), (1, 'experimental'), (1, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-6-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8), LANGUAGE=fr_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages fai-setup-storage depends on:
ii  e2fsprogs                 1.44.5-1+deb10u2
ii  liblinux-lvm-perl         0.17-2
ii  libparse-recdescent-perl  1.967015+dfsg-2
ii  parted                    3.2-25
ii  perl                      5.28.1-6

Versions of packages fai-setup-storage recommends:
ii  lvm2   2.03.02-3
ii  mdadm  4.1-1

Versions of packages fai-setup-storage suggests:
pn  cryptsetup     <none>
ii  dmsetup        2:1.02.155-3
ii  dosfstools     4.1-2
pn  jfsutils       <none>
ii  ntfs-3g        1:2017.3.23AR.3-3
ii  reiserfsprogs  1:3.6.27-3
ii  xfsprogs       4.20.0-1

-- debconf-show failed
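
An added example, not part of the original report or of FAI: a small lint for the naming pitfall described in this report, which also reports which volume groups end up on a LUKS layer. It assumes RAID arrays are numbered md0, md1, ... in the order of their lines (as the configurations above imply) and reads only the raid, cryptsetup and lvm sections; `lint`, `_dev` and `SAMPLE` are hypothetical names.

```python
import re

# Constructed sample: the report's RAID/LUKS/LVM sections, with the first vg
# line written the way the manpage note suggests (the mistake described above).
SAMPLE = """\
disk_config raid fstabkey:uuid
raid1   /boot   nvme0n1p2,nvme1n1p2     ext4    rw
raid1   -       nvme0n1p3,nvme1n1p3     -       -
raid1   -       sda1,sdb1       -       -
disk_config cryptsetup
luks    -       /dev/md1        -       -
luks    -       /dev/md2        -       -
disk_config lvm fstabkey:uuid
vg      vg_nvme crypt_format_md1
vg_nvme-root    /       30G     ext4    rw
vg      vg_hdd  md2
"""

def _dev(name):
    """Strip a leading /dev/ so 'md1' and '/dev/md1' compare equal."""
    return name[5:] if name.startswith("/dev/") else name

def lint(config):
    """Return (findings, {vg name: True if every PV has a luks line})."""
    section, raids, luks, vgs = None, [], set(), {}
    for raw in config.splitlines():
        f = raw.split("#", 1)[0].split()
        if not f:
            continue
        if f[0] == "disk_config":
            section = f[1]
        elif section == "raid" and re.fullmatch(r"raid\d+", f[0]):
            raids.append(f"md{len(raids)}")  # assumption: mdN follows line order
        elif section == "cryptsetup" and f[0] == "luks":
            luks.add(_dev(f[2]))
        elif section == "lvm" and f[0] == "vg":
            vgs[f[1]] = f[2].split(",")
    findings = [f"luks target {d} is not a RAID array defined in this file"
                for d in sorted(luks) if d.startswith("md") and d not in raids]
    encrypted = {}
    for name, pvs in vgs.items():
        bad = [pv for pv in pvs if pv.startswith("crypt_")]
        encrypted[name] = not bad and all(_dev(pv) in luks for pv in pvs)
        if bad:
            findings.append(f"vg {name}: name the underlying device, not {bad[0]}")
        elif not encrypted[name]:
            findings.append(f"vg {name}: PV has no luks line, stays unencrypted")
    return findings, encrypted
```

A volume group whose PV has no matching `luks` line is the case worth catching before an install, since that configuration would put its logical volumes on the RAID array in the clear.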
