parent
a543387976
commit
6bc49fed98
@ -1,75 +0,0 @@ |
||||
#!/bin/bash |
||||
|
||||
BY_ID=/dev/disk/by-id |
||||
DISK1=${BY_ID}/wwn-0x5000c5004fdf987b |
||||
DISK2=${BY_ID}/wwn-0x5000c5004fdfcad4 |
||||
|
||||
# Pre-clean |
||||
|
||||
sgdisk --zap-all ${DISK1} |
||||
sgdisk --zap-all ${DISK2} |
||||
|
||||
# Partitioning |
||||
|
||||
sgdisk -n1:1M:+512M -t1:EF00 ${DISK1} |
||||
sgdisk -n2:0:+512M -t2:BF01 ${DISK1} |
||||
sgdisk -n3:0:0 -t3:BF01 ${DISK1} |
||||
|
||||
sgdisk -n1:+512M:+512M -t1:BF01 ${DISK2} |
||||
sgdisk -n2:0:0 -t2:BF01 ${DISK2} |
||||
|
||||
mkfs.vfat ${DISK1}-part1 |
||||
|
||||
# Verify |
||||
|
||||
sgdisk --print ${DISK1} |
||||
sgdisk --print ${DISK2} |
||||
|
||||
read -p "Are you sure? " -n 1 -r |
||||
echo |
||||
if [[ ! $REPLY =~ ^[Yy]$ ]] |
||||
then |
||||
[[ "$0" = "$BASH_SOURCE" ]] && exit 1 || return 1 |
||||
fi |
||||
|
||||
# Env |
||||
|
||||
set -x |
||||
encryption_options=(-O encryption=on -O keylocation=prompt -O keyformat=passphrase) |
||||
bpool_mirror_arg=${DISK2}-part1 |
||||
rpool_mirror_arg=${DISK2}-part2 |
||||
#set +x |
||||
|
||||
|
||||
# Create ZFS pools |
||||
|
||||
rm -rf /mnt/* |
||||
|
||||
zpool create -f \ |
||||
"${encryption_options[@]}" \ |
||||
-o ashift=12 \ |
||||
-O acltype=posixacl \ |
||||
-O compression=off \ |
||||
-O dnodesize=auto \ |
||||
-O relatime=on \ |
||||
-O xattr=sa \ |
||||
-O normalization=formD \ |
||||
-O devices=off \ |
||||
-O mountpoint=/ \ |
||||
-R /mnt \ |
||||
rpool mirror ${DISK1}-part3 ${rpool_mirror_arg} |
||||
|
||||
zfs create -o canmount=noauto -o mountpoint=/ rpool/root |
||||
|
||||
mkdir -p /mnt/boot |
||||
|
||||
zpool create \ |
||||
-d -o ashift=12 \ |
||||
-O devices=off \ |
||||
-O mountpoint=/boot \ |
||||
-R /mnt/ \ |
||||
bpool mirror ${DISK1}-part2 ${bpool_mirror_arg} |
||||
|
||||
mkdir -p /mnt/boot/efi |
||||
|
||||
mount ${DISK1}-part1 /mnt/boot/efi |
@ -1,218 +0,0 @@ |
||||
------------------------------------- |
||||
## HOST |
||||
Permit root login, disable ipv6, keyfile, install dropbear e configure (porta, fix ip) e upgrade initraf, script dentro initramfs blocca riavvio e fa partire bear, console su kernel |
||||
check backport in repository debian |
||||
|
||||
# Install zfs |
||||
Site: https://openzfs.github.io/openzfs-docs/Getting%20Started/Debian/Debian%20Buster%20Root%20on%20ZFS.html#step-1-prepare-the-install-environment |
||||
Site: https://saveriomiroddi.github.io/Installing-Ubuntu-on-a-ZFS-root-with-encryption-and-mirroring/#procedure |
||||
|
||||
echo "deb http://deb.debian.org/debian buster main contrib" >> /etc/apt/sources.list |
||||
echo "deb http://deb.debian.org/debian buster-backports main contrib" >> /etc/apt/sources.list |
||||
apt-get update |
||||
apt install --yes gdisk dkms dpkg-dev linux-headers-$(uname -r) |
||||
apt install --yes -t buster-backports --no-install-recommends zfs-dkms |
||||
modprobe zfs |
||||
apt install --yes -t buster-backports zfsutils-linux |
||||
|
||||
# Dropbear install |
||||
# Site: https://hamy.io/post/0009/how-to-install-luks-encrypted-ubuntu-18.04.x-server-and-enable-remote-unlocking/ |
||||
# Site: https://matt.ucc.asn.au/dropbear/dropbear.html |
||||
|
||||
apt-get --yes install dropbear-initramfs |
||||
echo 'DROPBEAR_OPTIONS="-s -j -k -p 4747"' >> /etc/dropbear-initramfs/config |
||||
# Generate local key with ssh-keygen -t rsa -b 4096 and copy to machine |
||||
COPY_LOCAL_SSH_KEY="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDLkDWpZ9MfP47Q9gzapCRxwXCLdYT6zOid5ras7cdmuHZEDtCA/sSpn6Ro3g/EF8FaDNltG26NMnTV1q3hWY19hK1ukL6QMnCQ+SxeowQ7RcPV9kHuybA9VtIhfEBN3hyWmzm7S2G4tDZlF2cKRe9G6yTHiNVcQLoCSYULo6gFPw== hank@joe" |
||||
#echo "no-port-forwarding,no-agent-forwarding,no-x11-forwarding ssh-rsa $COPY_LOCAL_SSH_KEY" >> /etc/dropbear-initramfs/authorized_keys |
||||
echo "$COPY_LOCAL_SSH_KEY" >> /etc/dropbear-initramfs/authorized_keys |
||||
|
||||
# IP-GATEWAY-NETMASK-DEVINAME (Insert network static ip server value) |
||||
echo 'IP="192.168.69.116::192.168.69.1:255.255.255.0::enp1s0:off"' >> /etc/initramfs-tools/initramfs.conf |
||||
|
||||
file: /usr/share/initramfs-tools/scripts/local |
||||
search: local_mount_root |
||||
|
||||
file: /usr/share/initramfs-tools/init |
||||
search: local_bottom |
||||
|
||||
count_steps=0 |
||||
max_steps=60 #Wait 1 hour and boot |
||||
while [ ! -f "/condor" ] && [ "$count_steps" -lt "$max_steps" ] |
||||
do |
||||
count_steps=$(( count_steps + 1)) |
||||
sleep 60 |
||||
echo "DROPBEAR ACTIVE $count_steps min." |
||||
done |
||||
echo "End" |
||||
|
||||
update-initramfs -u |
||||
|
||||
--- REBOOT --- (Access with dropbear) |
||||
## initramfs |
||||
mkdir /mnt |
||||
cd /root |
||||
cp -a bin boot etc home initrd.img initrd.img.old lib lib32 lib64 libx32 media mnt opt root sbin srv tmp usr var vmlinuz vmlinuz.old /mnt/ |
||||
cd / |
||||
umount /root |
||||
mkdir /mnt/proc |
||||
mkdir /mnt/sys |
||||
mkdir /mnt/run |
||||
#mkdir /mnt/tmp |
||||
mkdir /mnt/dev |
||||
mount -o rbind /proc/ /mnt/proc/ |
||||
mount -o rbind /sys/ /mnt/sys/ |
||||
mount -o rbind /run/ /mnt/run/ |
||||
mount -o rbind /dev/ /mnt/dev/ |
||||
|
||||
|
||||
## chroot mode |
||||
chroot /mnt /bin/bash --login |
||||
modprobe zfs |
||||
|
||||
# !!! Remember to copy boot directory |
||||
mount /dev/vda2 /mnt/ |
||||
cp -a /mnt/* /boot/ |
||||
umount /mnt |
||||
|
||||
# !!! SET GOOD NAME DEVICE HD |
||||
first_disk_id="/dev/vda" |
||||
second_disk_id="/dev/vdb" |
||||
# Delete data on disk |
||||
sgdisk --zap-all $first_disk_id |
||||
sgdisk --zap-all $second_disk_id |
||||
|
||||
# Partion Disk with uefi space |
||||
sgdisk -n1:1M:+512M -t1:EF00 $first_disk_id # EFI boot |
||||
sgdisk -n2:0:+512M -t2:BF01 $first_disk_id # Boot pool |
||||
sgdisk -n3:0:0 -t3:BF01 $first_disk_id # Root pool |
||||
|
||||
sgdisk -n1:+512M:+512M -t1:BF01 $second_disk_id # Boot pool |
||||
sgdisk -n2:0:0 -t2:BF01 $second_disk_id # Root pool |
||||
|
||||
# Check partition |
||||
sgdisk --print /dev/vda |
||||
sgdisk --print /dev/vdb |
||||
|
||||
#Install manager fat file system for UEFI boot and format |
||||
apt-get install dosfstools |
||||
modprobe vfat |
||||
modprobe nls_cp437 |
||||
modprobe nls_ascii |
||||
mkfs.fat -F 32 -n EFI ${first_disk_id}1 |
||||
|
||||
#Set variables |
||||
bpool_mirror_arg=${second_disk_id}1 |
||||
|
||||
encryption_options=(-O encryption=on -O keylocation=prompt -O keyformat=passphrase) |
||||
rpool_mirror_arg=${second_disk_id}2 |
||||
|
||||
zpool create "${encryption_options[@]}" -o ashift=12 -O acltype=posixacl -O compression=off -O dnodesize=auto -O relatime=on -O xattr=sa -O normalization=formD -O devices=off -O mountpoint=/ -R /mnt rpool mirror ${first_disk_id}3 $rpool_mirror_arg |
||||
|
||||
zfs create -o canmount=noauto -o mountpoint=/ rpool/root |
||||
|
||||
mkdir /mnt/boot |
||||
zpool create -d -o ashift=12 -O devices=off -O mountpoint=/boot -R /mnt/ bpool mirror ${first_disk_id}2 $bpool_mirror_arg |
||||
|
||||
cp -rf --preserve=all bin boot etc home initrd.img initrd.img.old lib lib32 lib64 libx32 media opt root sbin srv usr var vmlinuz vmlinuz.old tmp /mnt/ |
||||
mkdir /mnt/{dev,proc,sys,run} |
||||
|
||||
exit # Esci da chroot |
||||
|
||||
mount -o rbind /dev/ /mnt/mnt/dev/ |
||||
mount -o rbind /sys/ /mnt/mnt/sys/ |
||||
mount -o rbind /proc/ /mnt/mnt/proc/ |
||||
mount -o rbind /run/ /mnt/mnt/run/ |
||||
|
||||
chroot /mnt/mnt/ /bin/bash --login |
||||
|
||||
first_disk_id="/dev/vda" |
||||
# !!! Comment line /etc/fstab |
||||
sed -i "s/^/#/g" /etc/fstab |
||||
|
||||
apt install --yes zfs-initramfs zfs-dkms grub-efi-amd64-signed shim-signed |
||||
|
||||
echo PARTUUID=$(blkid -s PARTUUID -o value ${first_disk_id}1) /boot/efi vfat nofail,x-systemd.device-timeout=1 0 1 >> /etc/fstab |
||||
|
||||
mkdir /boot/efi |
||||
# note modprobe nls_cp437 modprobe nls_ascii modprobe vfat |
||||
mount /dev/vda1 /boot/efi/ |
||||
|
||||
grub-install |
||||
grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=debian --recheck |
||||
|
||||
perl -i -pe 's/(GRUB_CMDLINE_LINUX=")/${1}root=ZFS=rpool /' /etc/default/grub |
||||
echo 'GRUB_DISABLE_OS_PROBER=true' >> /etc/default/grub |
||||
update-grub |
||||
|
||||
|
||||
cat > /etc/systemd/system/zfs-import-bpool.service <<UNIT |
||||
[Unit] |
||||
DefaultDependencies=no |
||||
Before=zfs-import-scan.service |
||||
Before=zfs-import-cache.service |
||||
|
||||
[Service] |
||||
Type=oneshot |
||||
RemainAfterExit=yes |
||||
ExecStart=/sbin/zpool import -N -o cachefile=none bpool |
||||
|
||||
[Install] |
||||
WantedBy=zfs-import.target |
||||
UNIT |
||||
|
||||
systemctl enable zfs-import-bpool.service |
||||
|
||||
# !!! grub.cfg remove quiet and console="ttyS0" |
||||
chmod u+w /boot/grub/grub.cfg |
||||
sed -i 's/quiet/console="ttyS0"/g' /boot/grub/grub.cfg |
||||
|
||||
umount /boot/efi |
||||
umount /boot |
||||
zfs set mountpoint=legacy bpool |
||||
echo "bpool /boot zfs nodev,relatime,x-systemd.requires=zfs-import-bpool.service 0 0" >> /etc/fstab |
||||
|
||||
echo RESUME=none > /etc/initramfs-tools/conf.d/resume |
||||
|
||||
mount /boot |
||||
mount /boot/efi |
||||
|
||||
# reconfigure initramfs |
||||
# clean script code from vi /usr/share/initramfs-tools/init |
||||
# modify /usr/share/initramfs-tools/scripts/zfs |
||||
ZFS_CMD="${ZPOOL} import -N ${ZPOOL_FORCE} ${ZPOOL_IMPORT_OPTS}" |
||||
ZFS_STDERR="$($ZFS_CMD "$pool" 2>&1)" |
||||
ZFS_ERROR="$?" |
||||
log_begin_msg "\nWait for Passowrd Encrypt Pool!!!\n" |
||||
#/sbin/zpool import -f rpool |
||||
#/sbin/zfs load-key -L prompt rpool |
||||
while [ ! -f "condor" ] |
||||
do |
||||
echo -e "Wathing for Key!\n" |
||||
sleep 60 |
||||
done |
||||
/sbin/zfs set mountpoint=/root rpool |
||||
/sbin/zfs mount rpool |
||||
/sbin/zpool import -f bpool |
||||
/sbin/zfs set mountpoint=/root/boot bpool |
||||
|
||||
KERNEL=`ls /usr/lib/modules/ | cut -d/ -f1 | sed 's/linux-image-//'` |
||||
update-initramfs -u -k $KERNEL |
||||
exit |
||||
|
||||
# initramfs |
||||
sync |
||||
umount -l -r /boot/efi |
||||
umount -l -r /boot |
||||
umount -l -r /mnt/mnt/dev/ |
||||
umount -l -r /mnt/mnt/proc |
||||
umount -l -r /mnt/mnt/sys |
||||
umount -l -r /mnt/mnt/run |
||||
umount -l -r /mnt/dev/ |
||||
umount -l -r /mnt/proc |
||||
umount -l -r /mnt/sys |
||||
umount -l -r /mnt/run |
||||
umount -l -r /mnt/mnt |
||||
|
||||
==== REBOOT AND LOGIN WITH DROPBEAR |
||||
ssh -c aes256-ctr -p 4747 root@HOST-IP |
||||
/sbin/zfs load-key -L prompt rpool && touch /condor |
@ -1,30 +0,0 @@ |
||||
#!/bin/bash |
||||
echo -e "\e[31m\e[1mATTENTION\e[0m |
||||
|
||||
This script will attempt to install the current ZFSonLinux release |
||||
which is available in the ZFSonLinux git repository to the Rescue |
||||
System. \e[31m\e[1mIf this script fails, do not contact Hetzner Support, as |
||||
it is provided AS-IS and Hetzner will not support the installation |
||||
or usage of ZFSonLinux due to License imcompatiblity (see below)\e[0m. |
||||
" |
||||
|
||||
echo -e "\e[31m\e[1mLicenses of ZFS and Linux are incompatible\e[0m |
||||
|
||||
ZFS is licensed under the Common Development and Distribution License (CDDL), |
||||
and the Linux kernel is licensed under the GNU General Public License Version 2 |
||||
(GPL-2). While both are free open source licenses they are restrictive |
||||
licenses. The combination of them causes problems because it prevents using |
||||
pieces of code exclusively available under one license with pieces of code |
||||
exclusively available under the other in the same binary. |
||||
|
||||
Please be aware that distributing of the binaries may lead to infringing. |
||||
|
||||
Press \e[31m\e[1my\e[0m to accept this." |
||||
read -p "" -n 1 ;echo |
||||
if [[ ! $REPLY =~ ^[Yy]$ ]]; then |
||||
exit 1 |
||||
fi |
||||
|
||||
cd $(mktemp -d) |
||||
wget $(curl -Ls https://api.github.com/repos/zfsonlinux/zfs/releases/latest| grep "browser_download_url.*tar.gz"|grep -E "tar.gz\"$"| cut -d '"' -f 4) |
||||
apt update && apt install libssl-dev uuid-dev zlib1g-dev libblkid-dev -y && tar xfv zfs*.tar.gz && rm *.tar.gz && cd zfs* && ./configure && make -j $(nproc) && make install && ldconfig && modprobe zfs || echo -e "\e[31m\e[1mInstall failed, please fix manually!\e[0m" |
@ -1,52 +0,0 @@ |
||||
diff --git a/tmp/zfs.script b/usr/share/initramfs-tools/scripts/zfs
|
||||
index dbc4e253f11..a795fd39f60 100644
|
||||
--- a/tmp/zfs.script
|
||||
+++ b/usr/share/initramfs-tools/scripts/zfs
|
||||
@@ -405,6 +405,8 @@ decrypt_fs()
|
||||
ENCRYPTIONROOT="$(get_fs_value "${fs}" encryptionroot)"
|
||||
KEYLOCATION="$(get_fs_value "${ENCRYPTIONROOT}" keylocation)"
|
||||
|
||||
+ echo "${ENCRYPTIONROOT}" > /run/zfs_fs_name
|
||||
+
|
||||
# If root dataset is encrypted...
|
||||
if ! [ "${ENCRYPTIONROOT}" = "-" ]; then
|
||||
KEYSTATUS="$(get_fs_value "${ENCRYPTIONROOT}" keystatus)"
|
||||
@@ -418,6 +420,7 @@ decrypt_fs()
|
||||
|
||||
# Prompt with plymouth, if active
|
||||
elif [ -e /bin/plymouth ] && /bin/plymouth --ping 2>/dev/null; then
|
||||
+ echo "plymouth" > /run/zfs_console_askpwd_cmd
|
||||
while [ $TRY_COUNT -gt 0 ]; do
|
||||
plymouth ask-for-password --prompt "Encrypted ZFS password for ${ENCRYPTIONROOT}" | \
|
||||
$ZFS load-key "${ENCRYPTIONROOT}" && break
|
||||
@@ -426,6 +429,7 @@ decrypt_fs()
|
||||
|
||||
# Prompt with systemd, if active
|
||||
elif [ -e /run/systemd/system ]; then
|
||||
+ echo "systemd-ask-password" > /run/zfs_console_askpwd_cmd
|
||||
while [ $TRY_COUNT -gt 0 ]; do
|
||||
systemd-ask-password "Encrypted ZFS password for ${ENCRYPTIONROOT}" --no-tty | \
|
||||
$ZFS load-key "${ENCRYPTIONROOT}" && break
|
||||
@@ -434,7 +438,8 @@ decrypt_fs()
|
||||
|
||||
# Prompt with ZFS tty, otherwise
|
||||
else
|
||||
- # Setting "printk" temporarily to "7" will allow prompt even if kernel option "quiet"
|
||||
+ # Temporarily setting "printk" to "7" allows the prompt to appear even when the "quiet" kernel option has been used
|
||||
+ echo "load-key" > /run/zfs_console_askpwd_cmd
|
||||
storeprintk="$(awk '{print $1}' /proc/sys/kernel/printk)"
|
||||
echo 7 > /proc/sys/kernel/printk
|
||||
$ZFS load-key "${ENCRYPTIONROOT}"
|
||||
@@ -964,6 +969,11 @@ mountroot()
|
||||
mount_fs "$fs"
|
||||
done
|
||||
|
||||
+ touch /run/zfs_unlock_complete
|
||||
+ if [ -e /run/zfs_unlock_complete_notify ]; then
|
||||
+ read zfs_unlock_complete_notify < /run/zfs_unlock_complete_notify
|
||||
+ fi
|
||||
+
|
||||
# ------------
|
||||
# Debugging information
|
||||
if [ -n "${ZFS_DEBUG}" ]
|
||||
|