commit 449df9ca038ebcbdad4ea78d0129cb39ede72413
Author: Blallo
Date: Sun Sep 27 23:31:23 2020 +0200
Init
diff --git a/create_pools.sh b/create_pools.sh
new file mode 100755
index 0000000..c5419dd
--- /dev/null
+++ b/create_pools.sh
@@ -0,0 +1,75 @@
+#!/bin/bash
+
+BY_ID=/dev/disk/by-id
+DISK1=${BY_ID}/wwn-0x5000c5004fdf987b
+DISK2=${BY_ID}/wwn-0x5000c5004fdfcad4
+
+# Pre-clean
+
+sgdisk --zap-all ${DISK1}
+sgdisk --zap-all ${DISK2}
+
+# Partitioning
+
+sgdisk -n1:1M:+512M -t1:EF00 ${DISK1}
+sgdisk -n2:0:+512M -t2:BF01 ${DISK1}
+sgdisk -n3:0:0 -t3:BF01 ${DISK1}
+
+sgdisk -n1:+512M:+512M -t1:BF01 ${DISK2}
+sgdisk -n2:0:0 -t2:BF01 ${DISK2}
+
+mkfs.vfat ${DISK1}-part1
+
+# Verify
+
+sgdisk --print ${DISK1}
+sgdisk --print ${DISK2}
+
+read -p "Are you sure? " -n 1 -r
+echo
+if [[ ! $REPLY =~ ^[Yy]$ ]]
+then
+ [[ "$0" = "$BASH_SOURCE" ]] && exit 1 || return 1
+fi
+
+# Env
+
+set -x
+encryption_options=(-O encryption=on -O keylocation=prompt -O keyformat=passphrase)
+bpool_mirror_arg=${DISK2}-part1
+rpool_mirror_arg=${DISK2}-part2
+#set +x
+
+
+# Create ZFS pools
+
+rm -rf /mnt/*
+
+zpool create -f \
+ "${encryption_options[@]}" \
+ -o ashift=12 \
+ -O acltype=posixacl \
+ -O compression=off \
+ -O dnodesize=auto \
+ -O relatime=on \
+ -O xattr=sa \
+ -O normalization=formD \
+ -O devices=off \
+ -O mountpoint=/ \
+ -R /mnt \
+ rpool mirror ${DISK1}-part3 ${rpool_mirror_arg}
+
+zfs create -o canmount=noauto -o mountpoint=/ rpool/root
+
+mkdir -p /mnt/boot
+
+zpool create \
+ -d -o ashift=12 \
+ -O devices=off \
+ -O mountpoint=/boot \
+ -R /mnt/ \
+ bpool mirror ${DISK1}-part2 ${bpool_mirror_arg}
+
+mkdir -p /mnt/boot/efi
+
+mount ${DISK1}-part1 /mnt/boot/efi
diff --git a/guide_rosa.txt b/guide_rosa.txt
new file mode 100644
index 0000000..c95d237
--- /dev/null
+++ b/guide_rosa.txt
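Review bot: The `read -p "Are you sure? "` confirmation is placed after `sgdisk --zap-all`, the partitioning and `mkfs.vfat`, so by the time the prompt appears both disks have already been wiped and only the pool creation is actually guarded. The script also runs without `set -e`, so if one of the hard-coded `wwn-…` by-id paths does not exist on this host the `sgdisk` calls fail and `zpool create -f` still proceeds with whatever the later arguments resolve to, and `rm -rf /mnt/*` runs unconditionally even if something is mounted under `/mnt`. I would move the prompt ahead of the first destructive command, fail fast on a missing block device, and refuse the cleanup when `/mnt` is a mountpoint. The `set -x` trace does not expose the passphrase, since `keylocation=prompt` reads it interactively, so that part is fine as is.
```shell
set -euo pipefail
for d in "$DISK1" "$DISK2"; do
    [[ -b "$d" ]] || { echo "not a block device: $d" >&2; exit 1; }
done
sgdisk --print "$DISK1"; sgdisk --print "$DISK2"
read -p "This WIPES ${DISK1} and ${DISK2}. Are you sure? " -n 1 -r; echo
[[ $REPLY =~ ^[Yy]$ ]] || exit 1
# … unchanged: sgdisk --zap-all, partitioning, mkfs.vfat, variable setup …
mountpoint -q /mnt && { echo "/mnt is a mountpoint, refusing rm -rf" >&2; exit 1; }
rm -rf -- /mnt/*
# … unchanged: zpool create rpool / bpool, mounts …
```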
@@ -0,0 +1,218 @@
+-------------------------------------
+## HOST
+Permit root login, disable ipv6, keyfile, install dropbear e configure (porta, fix ip) e upgrade initraf, script dentro initramfs blocca riavvio e fa partire bear, console su kernel
+check backport in repository debian
+
+# Install zfs
+Site: https://openzfs.github.io/openzfs-docs/Getting%20Started/Debian/Debian%20Buster%20Root%20on%20ZFS.html#step-1-prepare-the-install-environment
+Site: https://saveriomiroddi.github.io/Installing-Ubuntu-on-a-ZFS-root-with-encryption-and-mirroring/#procedure
+
+echo "deb http://deb.debian.org/debian buster main contrib" >> /etc/apt/sources.list
+echo "deb http://deb.debian.org/debian buster-backports main contrib" >> /etc/apt/sources.list
+apt-get update
+apt install --yes gdisk dkms dpkg-dev linux-headers-$(uname -r)
+apt install --yes -t buster-backports --no-install-recommends zfs-dkms
+modprobe zfs
+apt install --yes -t buster-backports zfsutils-linux
+
+# Dropbear install
+# Site: https://hamy.io/post/0009/how-to-install-luks-encrypted-ubuntu-18.04.x-server-and-enable-remote-unlocking/
+# Site: https://matt.ucc.asn.au/dropbear/dropbear.html
+
+apt-get --yes install dropbear-initramfs
+echo 'DROPBEAR_OPTIONS="-s -j -k -p 4747"' >> /etc/dropbear-initramfs/config
+# Generate local key with ssh-keygen -t rsa -b 4096 and copy to machine
+COPY_LOCAL_SSH_KEY="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDLkDWpZ9MfP47Q9gzapCRxwXCLdYT6zOid5ras7cdmuHZEDtCA/sSpn6Ro3g/EF8FaDNltG26NMnTV1q3hWY19hK1ukL6QMnCQ+SxeowQ7RcPV9kHuybA9VtIhfEBN3hyWmzm7S2G4tDZlF2cKRe9G6yTHiNVcQLoCSYULo6gFPw== hank@joe"
+#echo "no-port-forwarding,no-agent-forwarding,no-x11-forwarding ssh-rsa $COPY_LOCAL_SSH_KEY" >> /etc/dropbear-initramfs/authorized_keys
+echo "$COPY_LOCAL_SSH_KEY" >> /etc/dropbear-initramfs/authorized_keys
+
+# IP-GATEWAY-NETMASK-DEVINAME (Insert network static ip server value)
+echo 'IP="192.168.69.116::192.168.69.1:255.255.255.0::enp1s0:off"' >> /etc/initramfs-tools/initramfs.conf
+
+file: /usr/share/initramfs-tools/scripts/local
+search: local_mount_root
+
+file: /usr/share/initramfs-tools/init
+search: local_bottom
+
+count_steps=0
+max_steps=60 #Wait 1 hour and boot
+while [ ! -f "/condor" ] && [ "$count_steps" -lt "$max_steps" ]
+do
+ count_steps=$(( count_steps + 1))
+ sleep 60
+ echo "DROPBEAR ACTIVE $count_steps min."
+done
+echo "End"
+
+update-initramfs -u
+
+--- REBOOT --- (Access with dropbear)
+## initramfs
+mkdir /mnt
+cd /root
+cp -a bin boot etc home initrd.img initrd.img.old lib lib32 lib64 libx32 media mnt opt root sbin srv tmp usr var vmlinuz vmlinuz.old /mnt/
+cd /
+umount /root
+mkdir /mnt/proc
+mkdir /mnt/sys
+mkdir /mnt/run
+#mkdir /mnt/tmp
+mkdir /mnt/dev
+mount -o rbind /proc/ /mnt/proc/
+mount -o rbind /sys/ /mnt/sys/
+mount -o rbind /run/ /mnt/run/
+mount -o rbind /dev/ /mnt/dev/
+
+
+## chroot mode
+chroot /mnt /bin/bash --login
+modprobe zfs
+
+# !!! Remember to copy boot directory
+mount /dev/vda2 /mnt/
+cp -a /mnt/* /boot/
+umount /mnt
+
+# !!! SET GOOD NAME DEVICE HD
+first_disk_id="/dev/vda"
+second_disk_id="/dev/vdb"
+# Delete data on disk
+sgdisk --zap-all $first_disk_id
+sgdisk --zap-all $second_disk_id
+
+# Partion Disk with uefi space
+sgdisk -n1:1M:+512M -t1:EF00 $first_disk_id # EFI boot
+sgdisk -n2:0:+512M -t2:BF01 $first_disk_id # Boot pool
+sgdisk -n3:0:0 -t3:BF01 $first_disk_id # Root pool
+
+sgdisk -n1:+512M:+512M -t1:BF01 $second_disk_id # Boot pool
+sgdisk -n2:0:0 -t2:BF01 $second_disk_id # Root pool
+
+# Check partition
+sgdisk --print /dev/vda
+sgdisk --print /dev/vdb
+
+#Install manager fat file system for UEFI boot and format
+apt-get install dosfstools
+modprobe vfat
+modprobe nls_cp437
+modprobe nls_ascii
+mkfs.fat -F 32 -n EFI ${first_disk_id}1
+
+#Set variables
+bpool_mirror_arg=${second_disk_id}1
+
+encryption_options=(-O encryption=on -O keylocation=prompt -O keyformat=passphrase)
+rpool_mirror_arg=${second_disk_id}2
+
+zpool create "${encryption_options[@]}" -o ashift=12 -O acltype=posixacl -O compression=off -O dnodesize=auto -O relatime=on -O xattr=sa -O normalization=formD -O devices=off -O mountpoint=/ -R /mnt rpool mirror ${first_disk_id}3 $rpool_mirror_arg
+
+zfs create -o canmount=noauto -o mountpoint=/ rpool/root
+
+mkdir /mnt/boot
+zpool create -d -o ashift=12 -O devices=off -O mountpoint=/boot -R /mnt/ bpool mirror ${first_disk_id}2 $bpool_mirror_arg
+
+cp -rf --preserve=all bin boot etc home initrd.img initrd.img.old lib lib32 lib64 libx32 media opt root sbin srv usr var vmlinuz vmlinuz.old tmp /mnt/
+mkdir /mnt/{dev,proc,sys,run}
+
+exit # Esci da chroot
+
+mount -o rbind /dev/ /mnt/mnt/dev/
+mount -o rbind /sys/ /mnt/mnt/sys/
+mount -o rbind /proc/ /mnt/mnt/proc/
+mount -o rbind /run/ /mnt/mnt/run/
+
+chroot /mnt/mnt/ /bin/bash --login
+
+first_disk_id="/dev/vda"
+# !!! 
Comment line /etc/fstab +sed -i "s/^/#/g" /etc/fstab + +apt install --yes zfs-initramfs zfs-dkms grub-efi-amd64-signed shim-signed + +echo PARTUUID=$(blkid -s PARTUUID -o value ${first_disk_id}1) /boot/efi vfat nofail,x-systemd.device-timeout=1 0 1 >> /etc/fstab + +mkdir /boot/efi +# note modprobe nls_cp437 modprobe nls_ascii modprobe vfat +mount /dev/vda1 /boot/efi/ + +grub-install +grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=debian --recheck + +perl -i -pe 's/(GRUB_CMDLINE_LINUX=")/${1}root=ZFS=rpool /' /etc/default/grub +echo 'GRUB_DISABLE_OS_PROBER=true' >> /etc/default/grub +update-grub + + +cat > /etc/systemd/system/zfs-import-bpool.service <> /etc/fstab + +echo RESUME=none > /etc/initramfs-tools/conf.d/resume + +mount /boot +mount /boot/efi + +# reconfigure initramfs +# clean script code from vi /usr/share/initramfs-tools/init +# modify /usr/share/initramfs-tools/scripts/zfs + ZFS_CMD="${ZPOOL} import -N ${ZPOOL_FORCE} ${ZPOOL_IMPORT_OPTS}" + ZFS_STDERR="$($ZFS_CMD "$pool" 2>&1)" + ZFS_ERROR="$?" + log_begin_msg "\nWait for Passowrd Encrypt Pool!!!\n" + #/sbin/zpool import -f rpool + #/sbin/zfs load-key -L prompt rpool + while [ ! -f "condor" ] + do + echo -e "Wathing for Key!\n" + sleep 60 + done + /sbin/zfs set mountpoint=/root rpool + /sbin/zfs mount rpool + /sbin/zpool import -f bpool + /sbin/zfs set mountpoint=/root/boot bpool + +KERNEL=`ls /usr/lib/modules/ | cut -d/ -f1 | sed 's/linux-image-//'` +update-initramfs -u -k $KERNEL +exit + +# initramfs +sync +umount -l -r /boot/efi +umount -l -r /boot +umount -l -r /mnt/mnt/dev/ +umount -l -r /mnt/mnt/proc +umount -l -r /mnt/mnt/sys +umount -l -r /mnt/mnt/run +umount -l -r /mnt/dev/ +umount -l -r /mnt/proc +umount -l -r /mnt/sys +umount -l -r /mnt/run +umount -l -r /mnt/mnt + +==== REBOOT AND LOGIN WITH DROPBEAR +ssh -c aes256-ctr -p 4747 root@HOST-IP +/sbin/zfs load-key -L prompt rpool && touch /condor 
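Review bot: The wait loop pasted into `/usr/share/initramfs-tools/scripts/zfs` tests `[ ! -f "condor" ]`, a relative path, while the earlier `init` loop and the final unlock step use the absolute `/condor` (`touch /condor`), so the boot stalls until the 60-minute timeout unless the script happens to run with cwd `/`; use `"/condor"` in both loops. The same snippet then runs `/sbin/zfs set mountpoint=/root rpool` and `mountpoint=/root/boot bpool`, which are persistent dataset properties and will still be in effect on the next boot, and `zpool import -f bpool` force-imports a pool that may still be marked in use by another host; `zpool import -N -R /root bpool` followed by `zfs mount` keeps the relocation temporary via the altroot instead. Note too that the `authorized_keys` line actually written drops the `no-port-forwarding,no-agent-forwarding,no-x11-forwarding` prefix that the commented-out variant carried, and `-j -k` in `DROPBEAR_OPTIONS` only disables port forwarding, not agent forwarding, so I would keep the restricted form.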
diff --git a/installazione.md b/installazione.md
new file mode 100644
index 0000000..d1d47cc
--- /dev/null
+++ b/installazione.md
@@ -0,0 +1,189 @@
+### ZFS
+
+Lanciamo lo script `create_pools.sh`
+
+
+### Installazione debian base
+
+Dal live system, ci segnamo l'output del seguente comando
+
+```
+blkid -s PARTUUID -o value
+```
+
+dove `` corrisponde al valore puntato da `${DISK1}-part1`
+nello script lanciato nello step precedente. Installiamo nella directory target
+il sistema base
+
+```
+debootstrap buster /mnt
+```
+
+Entriamo in chroot con systemd-nspawn
+
+```
+systemd-nspawn -D /mnt
+```
+
+Modificare le `/etc/apt/sources.list` per includere i seguenti
+
+```
+deb http://deb.debian.org/debian buster main non-free contrib
+deb http://deb.debian.org/debian buster-updates main non-free contrib
+deb http://deb.debian.org/debian buster-backports main non-free contrib
+deb http://security.debian.org buster/updates main non-free contrib
+```
+
+Facciamo il pinning (ovvero diciamo ad apt di prendere certi pacchetti da una
+specifica repository) per i pacchetti relativi a ZFS, mettendo questo contenuto
+in `/etc/apt/preferences.d/90_zfs`
+
+```
+Package: libnvpair1linux libuutil1linux libzfs2linux libzfslinux-dev libzpool2linux python3-pyzfs pyzfs-doc spl spl-dkms zfs-dkms zfs-dracut zfs-initramfs zfs-test zfsutils-linux zfsutils-linux-dev zfs-zed
+Pin: release n=buster-backports
+Pin-Priority: 990
+```
+
+Per lo scopo dell'installazione
+
+```
+ln -s /proc/self/mounts /etc/mtab
+apt update
+```
+
+Configurare il locale e la timezone (io ho selezionato `en_US.UTF-8` e locale
+`Europe/Berlin`)
+
+```
+apt install --yes locales
+dpkg-reconfigure locales
+dpkg-reconfigure tzdata
+```
+
+Installiamo i pacchetti relativi a ZFS nel nuovo sistema
+
+```
+apt install --yes dpkg-dev linux-headers-amd64 linux-image-amd64
+apt install --yes zfs-initramfs
+apt install --yes console-setup
+echo REMAKE_INITRD=yes > /etc/dkms/zfs.conf
+```
+
+Aggiungiamo la seguente riga nell'`/etc/fstab`
+
+```
+PARTUUID= /boot/efi vfat nofail,x-systemd.device-timeout=1 0 1
+```
+
+(dove `` è la stringa ottenuta nel primo passo di questa
+sezione) e preoccupiamoci di ciò che riguarda il boot
+
+```
+apt install dosfstools
+apt install --yes grub-efi-amd64 shim-signed
+dpkg --purge os-prober
+```
+
+Impostiamo la password root
+
+```
+passwd
+```
+
+(Forse non serve) creiamo e abilitiamo questa unit systemd (in
+`/etc/systemd/system/zfs-import-bpool.service`) per forzare l'import della pool
+di `/boot`
+
+```dosini
+[Unit]
+DefaultDependencies=no
+Before=zfs-import-scan.service
+Before=zfs-import-cache.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/sbin/zpool import -N -o cachefile=none bpool
+
+[Install]
+WantedBy=zfs-import.target
+```
+
+Adesso installiamo e configuriamo grub
+
+```
+grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=debian --recheck
+
+perl -i -pe 's/(GRUB_CMDLINE_LINUX=")/${1}root=ZFS=rpool /' /etc/default/grub
+echo 'GRUB_DISABLE_OS_PROBER=true' >> /etc/default/grub
+update-grub")'
+```
+
+I seguenti passi servono a configurare il boot
+
+```
+umount /boot/efi
+umount /boot
+zfs set mountpoint=legacy bpool
+echo "bpool /boot zfs nodev,relatime,x-systemd.requires=zfs-import-bpool.service 0 0" >> /etc/fstab
+```
+
+e disabilitiamo il suspend/resume (questo è un server)
+
+```
+echo RESUME=none > /etc/initramfs-tools/conf.d/resume
+```
+
+### Dropbear
+
+Installiamo dropbear nell'initramfs
+
+```
+apt install --yes dropbear-initramfs
+```
+
+Configuriamo dropbear per rispondere alla porta `4747` (morto-che-parla)
+
+```
+echo 'DROPBEAR_OPTIONS="-s -j -k -p 4747"' >> /etc/dropbear-initramfs/config
+```
+
+(`-s` disabilita password login; `-j` disabilita il local port forwarding; `-k`
+disabilita il remote port forwarding; `-p` è la porta a cui bindarsi)
+
+Copiamo la chiave pubblica generata in `/etc/dropbear-initramfs/authorized_keys`
+
+```
+cat >> /etc/dropbear-initramfs/authorized_keys
+```
+
+Configuriamo la rete
+
+```
+echo 'IP="144.76.80.140::144.76.80.129:255.255.255.224:::off"' >> /etc/initramfs-tools/initramfs.conf
+```
+
+
+### Stunt per far funzionare zfs al boot in dropbear
+
+Copiamo lo script da [qui][zfsunlock] e mettiamolo in
+`/usr/share/initramfs-tools/hooks/zfsunlock` e diamogli l'eseguibilità:
+
+```
+chmod +x /usr/share/initramfs-tools/hooks/zfsunlock
+```
+
+Poi modifichiamo `/usr/share/initramfs-tools/scripts/zfs` come in [questo
+commit][commit] (si può usare la patch in `zfs.patch`, copiandola in
+`/tmp/zfs.patch` e invocando `patch < /tmp/zfs.patch`).
+
+Infine, aggiorniamo l'initramfs
+
+```
+update-initramfs -u -v
+```
+
+
+
+[zfsunlock]: https://raw.githubusercontent.com/openzfs/zfs/1cc635a2dd0379181950a1458255ea8ae8b9c1e0/contrib/initramfs/zfsunlock
+[commit]: https://github.com/openzfs/zfs/commit/1cc635a2dd0379181950a1458255ea8ae8b9c1e0#diff-98a21a3fd74b681e806ecbd958c2352bL409
diff --git a/zfs.patch b/zfs.patch
new file mode 100644
index 0000000..9457528
--- /dev/null
+++ b/zfs.patch
@@ -0,0 +1,52 @@
+diff --git a/tmp/zfs.script b/usr/share/initramfs-tools/scripts/zfs
+index dbc4e253f11..a795fd39f60 100644
+--- a/tmp/zfs.script
++++ b/usr/share/initramfs-tools/scripts/zfs
+@@ -405,6 +405,8 @@ decrypt_fs()
+ ENCRYPTIONROOT="$(get_fs_value "${fs}" encryptionroot)"
+ KEYLOCATION="$(get_fs_value "${ENCRYPTIONROOT}" keylocation)"
+ 
++ echo "${ENCRYPTIONROOT}" > /run/zfs_fs_name
++
+ # If root dataset is encrypted...
+ if ! [ "${ENCRYPTIONROOT}" = "-" ]; then
+ KEYSTATUS="$(get_fs_value "${ENCRYPTIONROOT}" keystatus)"
+@@ -418,6 +420,7 @@ decrypt_fs()
+ 
+ # Prompt with plymouth, if active
+ elif [ -e /bin/plymouth ] && /bin/plymouth --ping 2>/dev/null; then
++ echo "plymouth" > /run/zfs_console_askpwd_cmd
+ while [ $TRY_COUNT -gt 0 ]; do
+ plymouth ask-for-password --prompt "Encrypted ZFS password for ${ENCRYPTIONROOT}" | \
+ $ZFS load-key "${ENCRYPTIONROOT}" && break
+@@ -426,6 +429,7 @@ decrypt_fs()
+ 
+ # Prompt with systemd, if active
+ elif [ -e /run/systemd/system ]; then
++ echo "systemd-ask-password" > /run/zfs_console_askpwd_cmd
+ while [ $TRY_COUNT -gt 0 ]; do
+ systemd-ask-password "Encrypted ZFS password for ${ENCRYPTIONROOT}" --no-tty | \
+ $ZFS load-key "${ENCRYPTIONROOT}" && break
+@@ -434,7 +438,8 @@ decrypt_fs()
+ 
+ # Prompt with ZFS tty, otherwise
+ else
+- # Setting "printk" temporarily to "7" will allow prompt even if kernel option "quiet"
++ # Temporarily setting "printk" to "7" allows the prompt to appear even when the "quiet" kernel option has been used
++ echo "load-key" > /run/zfs_console_askpwd_cmd
+ storeprintk="$(awk '{print $1}' /proc/sys/kernel/printk)"
+ echo 7 > /proc/sys/kernel/printk
+ $ZFS load-key "${ENCRYPTIONROOT}"
+@@ -964,6 +969,11 @@ mountroot()
+ mount_fs "$fs"
+ done
+ 
++ touch /run/zfs_unlock_complete
++ if [ -e /run/zfs_unlock_complete_notify ]; then
++ read zfs_unlock_complete_notify < /run/zfs_unlock_complete_notify
++ fi
++
+ # ------------
+ # Debugging information
+ if [ -n "${ZFS_DEBUG}" ]
+