
2 Commits
zfs ... master

Author SHA1 Message Date
blallo 6bc49fed98 Clean zfs-related files 2020-10-03 01:01:56 +02:00
blallo a543387976 Old school 2020-10-03 00:59:38 +02:00
6 changed files with 126 additions and 492 deletions


@ -1,75 +0,0 @@
#!/bin/bash
BY_ID=/dev/disk/by-id
DISK1=${BY_ID}/wwn-0x5000c5004fdf987b
DISK2=${BY_ID}/wwn-0x5000c5004fdfcad4
# Pre-clean
sgdisk --zap-all ${DISK1}
sgdisk --zap-all ${DISK2}
# Partitioning
sgdisk -n1:1M:+512M -t1:EF00 ${DISK1}
sgdisk -n2:0:+512M -t2:BF01 ${DISK1}
sgdisk -n3:0:0 -t3:BF01 ${DISK1}
sgdisk -n1:+512M:+512M -t1:BF01 ${DISK2}
sgdisk -n2:0:0 -t2:BF01 ${DISK2}
mkfs.vfat ${DISK1}-part1
# Verify
sgdisk --print ${DISK1}
sgdisk --print ${DISK2}
read -p "Are you sure? " -n 1 -r
echo
if [[ ! $REPLY =~ ^[Yy]$ ]]
then
[[ "$0" = "$BASH_SOURCE" ]] && exit 1 || return 1
fi
# Env
set -x
encryption_options=(-O encryption=on -O keylocation=prompt -O keyformat=passphrase)
bpool_mirror_arg=${DISK2}-part1
rpool_mirror_arg=${DISK2}-part2
#set +x
# Create ZFS pools
rm -rf /mnt/*
zpool create -f \
"${encryption_options[@]}" \
-o ashift=12 \
-O acltype=posixacl \
-O compression=off \
-O dnodesize=auto \
-O relatime=on \
-O xattr=sa \
-O normalization=formD \
-O devices=off \
-O mountpoint=/ \
-R /mnt \
rpool mirror ${DISK1}-part3 ${rpool_mirror_arg}
zfs create -o canmount=noauto -o mountpoint=/ rpool/root
mkdir -p /mnt/boot
zpool create \
-d -o ashift=12 \
-O devices=off \
-O mountpoint=/boot \
-R /mnt/ \
bpool mirror ${DISK1}-part2 ${bpool_mirror_arg}
mkdir -p /mnt/boot/efi
mount ${DISK1}-part1 /mnt/boot/efi


@ -1,218 +0,0 @@
-------------------------------------
## HOST
Permit root login, disable ipv6, keyfile, install dropbear e configure (porta, fix ip) e upgrade initraf, script dentro initramfs blocca riavvio e fa partire bear, console su kernel
check backport in repository debian
# Install zfs
Site: https://openzfs.github.io/openzfs-docs/Getting%20Started/Debian/Debian%20Buster%20Root%20on%20ZFS.html#step-1-prepare-the-install-environment
Site: https://saveriomiroddi.github.io/Installing-Ubuntu-on-a-ZFS-root-with-encryption-and-mirroring/#procedure
echo "deb http://deb.debian.org/debian buster main contrib" >> /etc/apt/sources.list
echo "deb http://deb.debian.org/debian buster-backports main contrib" >> /etc/apt/sources.list
apt-get update
apt install --yes gdisk dkms dpkg-dev linux-headers-$(uname -r)
apt install --yes -t buster-backports --no-install-recommends zfs-dkms
modprobe zfs
apt install --yes -t buster-backports zfsutils-linux
# Dropbear install
# Site: https://hamy.io/post/0009/how-to-install-luks-encrypted-ubuntu-18.04.x-server-and-enable-remote-unlocking/
# Site: https://matt.ucc.asn.au/dropbear/dropbear.html
apt-get --yes install dropbear-initramfs
echo 'DROPBEAR_OPTIONS="-s -j -k -p 4747"' >> /etc/dropbear-initramfs/config
# Generate local key with ssh-keygen -t rsa -b 4096 and copy to machine
COPY_LOCAL_SSH_KEY="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDLkDWpZ9MfP47Q9gzapCRxwXCLdYT6zOid5ras7cdmuHZEDtCA/sSpn6Ro3g/EF8FaDNltG26NMnTV1q3hWY19hK1ukL6QMnCQ+SxeowQ7RcPV9kHuybA9VtIhfEBN3hyWmzm7S2G4tDZlF2cKRe9G6yTHiNVcQLoCSYULo6gFPw== hank@joe"
#echo "no-port-forwarding,no-agent-forwarding,no-x11-forwarding ssh-rsa $COPY_LOCAL_SSH_KEY" >> /etc/dropbear-initramfs/authorized_keys
echo "$COPY_LOCAL_SSH_KEY" >> /etc/dropbear-initramfs/authorized_keys
# IP-GATEWAY-NETMASK-DEVINAME (Insert network static ip server value)
echo 'IP="192.168.69.116::192.168.69.1:255.255.255.0::enp1s0:off"' >> /etc/initramfs-tools/initramfs.conf
file: /usr/share/initramfs-tools/scripts/local
search: local_mount_root
file: /usr/share/initramfs-tools/init
search: local_bottom
count_steps=0
max_steps=60 #Wait 1 hour and boot
while [ ! -f "/condor" ] && [ "$count_steps" -lt "$max_steps" ]
do
count_steps=$(( count_steps + 1))
sleep 60
echo "DROPBEAR ACTIVE $count_steps min."
done
echo "End"
update-initramfs -u
--- REBOOT --- (Access with dropbear)
## initramfs
mkdir /mnt
cd /root
cp -a bin boot etc home initrd.img initrd.img.old lib lib32 lib64 libx32 media mnt opt root sbin srv tmp usr var vmlinuz vmlinuz.old /mnt/
cd /
umount /root
mkdir /mnt/proc
mkdir /mnt/sys
mkdir /mnt/run
#mkdir /mnt/tmp
mkdir /mnt/dev
mount -o rbind /proc/ /mnt/proc/
mount -o rbind /sys/ /mnt/sys/
mount -o rbind /run/ /mnt/run/
mount -o rbind /dev/ /mnt/dev/
## chroot mode
chroot /mnt /bin/bash --login
modprobe zfs
# !!! Remember to copy boot directory
mount /dev/vda2 /mnt/
cp -a /mnt/* /boot/
umount /mnt
# !!! SET GOOD NAME DEVICE HD
first_disk_id="/dev/vda"
second_disk_id="/dev/vdb"
# Delete data on disk
sgdisk --zap-all $first_disk_id
sgdisk --zap-all $second_disk_id
# Partion Disk with uefi space
sgdisk -n1:1M:+512M -t1:EF00 $first_disk_id # EFI boot
sgdisk -n2:0:+512M -t2:BF01 $first_disk_id # Boot pool
sgdisk -n3:0:0 -t3:BF01 $first_disk_id # Root pool
sgdisk -n1:+512M:+512M -t1:BF01 $second_disk_id # Boot pool
sgdisk -n2:0:0 -t2:BF01 $second_disk_id # Root pool
# Check partition
sgdisk --print /dev/vda
sgdisk --print /dev/vdb
#Install manager fat file system for UEFI boot and format
apt-get install dosfstools
modprobe vfat
modprobe nls_cp437
modprobe nls_ascii
mkfs.fat -F 32 -n EFI ${first_disk_id}1
#Set variables
bpool_mirror_arg=${second_disk_id}1
encryption_options=(-O encryption=on -O keylocation=prompt -O keyformat=passphrase)
rpool_mirror_arg=${second_disk_id}2
zpool create "${encryption_options[@]}" -o ashift=12 -O acltype=posixacl -O compression=off -O dnodesize=auto -O relatime=on -O xattr=sa -O normalization=formD -O devices=off -O mountpoint=/ -R /mnt rpool mirror ${first_disk_id}3 $rpool_mirror_arg
zfs create -o canmount=noauto -o mountpoint=/ rpool/root
mkdir /mnt/boot
zpool create -d -o ashift=12 -O devices=off -O mountpoint=/boot -R /mnt/ bpool mirror ${first_disk_id}2 $bpool_mirror_arg
cp -rf --preserve=all bin boot etc home initrd.img initrd.img.old lib lib32 lib64 libx32 media opt root sbin srv usr var vmlinuz vmlinuz.old tmp /mnt/
mkdir /mnt/{dev,proc,sys,run}
exit # Esci da chroot
mount -o rbind /dev/ /mnt/mnt/dev/
mount -o rbind /sys/ /mnt/mnt/sys/
mount -o rbind /proc/ /mnt/mnt/proc/
mount -o rbind /run/ /mnt/mnt/run/
chroot /mnt/mnt/ /bin/bash --login
first_disk_id="/dev/vda"
# !!! Comment line /etc/fstab
sed -i "s/^/#/g" /etc/fstab
apt install --yes zfs-initramfs zfs-dkms grub-efi-amd64-signed shim-signed
echo PARTUUID=$(blkid -s PARTUUID -o value ${first_disk_id}1) /boot/efi vfat nofail,x-systemd.device-timeout=1 0 1 >> /etc/fstab
mkdir /boot/efi
# note modprobe nls_cp437 modprobe nls_ascii modprobe vfat
mount /dev/vda1 /boot/efi/
grub-install
grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=debian --recheck
perl -i -pe 's/(GRUB_CMDLINE_LINUX=")/${1}root=ZFS=rpool /' /etc/default/grub
echo 'GRUB_DISABLE_OS_PROBER=true' >> /etc/default/grub
update-grub
cat > /etc/systemd/system/zfs-import-bpool.service <<UNIT
[Unit]
DefaultDependencies=no
Before=zfs-import-scan.service
Before=zfs-import-cache.service
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/sbin/zpool import -N -o cachefile=none bpool
[Install]
WantedBy=zfs-import.target
UNIT
systemctl enable zfs-import-bpool.service
# !!! grub.cfg remove quiet and console="ttyS0"
chmod u+w /boot/grub/grub.cfg
sed -i 's/quiet/console="ttyS0"/g' /boot/grub/grub.cfg
umount /boot/efi
umount /boot
zfs set mountpoint=legacy bpool
echo "bpool /boot zfs nodev,relatime,x-systemd.requires=zfs-import-bpool.service 0 0" >> /etc/fstab
echo RESUME=none > /etc/initramfs-tools/conf.d/resume
mount /boot
mount /boot/efi
# reconfigure initramfs
# clean script code from vi /usr/share/initramfs-tools/init
# modify /usr/share/initramfs-tools/scripts/zfs
ZFS_CMD="${ZPOOL} import -N ${ZPOOL_FORCE} ${ZPOOL_IMPORT_OPTS}"
ZFS_STDERR="$($ZFS_CMD "$pool" 2>&1)"
ZFS_ERROR="$?"
log_begin_msg "\nWait for Passowrd Encrypt Pool!!!\n"
#/sbin/zpool import -f rpool
#/sbin/zfs load-key -L prompt rpool
while [ ! -f "condor" ]
do
echo -e "Wathing for Key!\n"
sleep 60
done
/sbin/zfs set mountpoint=/root rpool
/sbin/zfs mount rpool
/sbin/zpool import -f bpool
/sbin/zfs set mountpoint=/root/boot bpool
KERNEL=`ls /usr/lib/modules/ | cut -d/ -f1 | sed 's/linux-image-//'`
update-initramfs -u -k $KERNEL
exit
# initramfs
sync
umount -l -r /boot/efi
umount -l -r /boot
umount -l -r /mnt/mnt/dev/
umount -l -r /mnt/mnt/proc
umount -l -r /mnt/mnt/sys
umount -l -r /mnt/mnt/run
umount -l -r /mnt/dev/
umount -l -r /mnt/proc
umount -l -r /mnt/sys
umount -l -r /mnt/run
umount -l -r /mnt/mnt
==== REBOOT AND LOGIN WITH DROPBEAR
ssh -c aes256-ctr -p 4747 root@HOST-IP
/sbin/zfs load-key -L prompt rpool && touch /condor


@ -1,30 +0,0 @@
#!/bin/bash
echo -e "\e[31m\e[1mATTENTION\e[0m
This script will attempt to install the current ZFSonLinux release
which is available in the ZFSonLinux git repository to the Rescue
System. \e[31m\e[1mIf this script fails, do not contact Hetzner Support, as
it is provided AS-IS and Hetzner will not support the installation
or usage of ZFSonLinux due to License imcompatiblity (see below)\e[0m.
"
echo -e "\e[31m\e[1mLicenses of ZFS and Linux are incompatible\e[0m
ZFS is licensed under the Common Development and Distribution License (CDDL),
and the Linux kernel is licensed under the GNU General Public License Version 2
(GPL-2). While both are free open source licenses they are restrictive
licenses. The combination of them causes problems because it prevents using
pieces of code exclusively available under one license with pieces of code
exclusively available under the other in the same binary.
Please be aware that distributing of the binaries may lead to infringing.
Press \e[31m\e[1my\e[0m to accept this."
read -p "" -n 1 ;echo
if [[ ! $REPLY =~ ^[Yy]$ ]]; then
exit 1
fi
cd $(mktemp -d)
wget $(curl -Ls https://api.github.com/repos/zfsonlinux/zfs/releases/latest| grep "browser_download_url.*tar.gz"|grep -E "tar.gz\"$"| cut -d '"' -f 4)
apt update && apt install libssl-dev uuid-dev zlib1g-dev libblkid-dev -y && tar xfv zfs*.tar.gz && rm *.tar.gz && cd zfs* && ./configure && make -j $(nproc) && make install && ldconfig && modprobe zfs || echo -e "\e[31m\e[1mInstall failed, please fix manually!\e[0m"


@ -1,153 +1,138 @@
### ZFS
# How to rosa
Installiamo zfs nel sistema live (lo script è fornito direttamente da hetzner,
l'ho copiato in questa repo)
```
./install_zfsonlinux.sh
```
Lanciamo lo script `create_pools.sh`
```
./create_pools.sh
```
(per importare delle pool già esistenti, facciamo `zfs import -f <nome_pool>`).
## ATTENZIONE:
Se vuoi solo loggarti sulla macchina, vai [qui](./login.md).
### Installazione debian base
Dal live system, ci segnamo l'output del seguente comando
Dal live system, usiamo `imageinstall -e` provvisto da Hetzner per installare un
sistema debian buster base, in cui configuriamo i dischi con il seguente layout:
```
blkid -s PARTUUID -o value <path/to/efi/partition>
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 2.7T 0 disk
├─sda1 8:1 0 1G 0 part
│ └─md0 9:0 0 1022M 0 raid1 /boot
├─sda2 8:2 0 2.7T 0 part
│ └─md1 9:1 0 2.7T 0 raid1
│ └─vg0-root 253:1 0 300G 0 lvm /
└─sda3 8:3 0 1M 0 part
sdb 8:16 0 2.7T 0 disk
├─sdb1 8:17 0 1G 0 part
│ └─md0 9:0 0 1022M 0 raid1 /boot
├─sdb2 8:18 0 2.7T 0 part
│ └─md1 9:1 0 2.7T 0 raid1
│ └─vg0-root 253:1 0 300G 0 lvm /
└─sdb3 8:19 0 1M 0 part
```
dove `<path/to/efi/partition>` corrisponde al valore puntato da `${DISK1}-part1`
nello script lanciato nello step precedente. Installiamo nella directory target
il sistema base
Il sistema provvede ad installare un sistema con ssh già avviato e l'utente root
con la chiave ssh già configurata (se l'abbiamo impostata nel pannello del
rescue system).
### Cryptoroot
A questo punto, riavviamo di nuovo nel rescue system. Creiamo un disco in ram
abbastanza grande da contenere il tarball di tutto il contenuto della root:
```
debootstrap buster /mnt
mkdir /ramdisk
mount -t tmpfs -o size=10G /ramdisk
```
Entriamo in chroot con systemd-nspawn
Montiamo la root
```
systemd-nspawn -D /mnt
mount /dev/vg0/root /mnt
```
Modificare le `/etc/apt/sources.list` per includere i seguenti
Facciamo un backup della root
```
deb http://deb.debian.org/debian buster main non-free contrib
deb http://deb.debian.org/debian buster-updates main non-free contrib
deb http://deb.debian.org/debian buster-backports main non-free contrib
deb http://security.debian.org buster/updates main non-free contrib
cd /mnt
tar czvf /ramdisk/root.tar.gz /mnt/*
```
Facciamo il pinning (ovvero diciamo ad apt di prendere certi pacchetti da una
specifica repository) per i pacchetti relativi a ZFS, mettendo questo contenuto
in `/etc/apt/preferences.d/90_zfs`
Eliminiamo il contenitore vg0 (un volume group LVM) in questa brutale maniera,
creando così uno strato di cifratura
```
Package: libnvpair1linux libuutil1linux libzfs2linux libzfslinux-dev libzpool2linux python3-pyzfs pyzfs-doc spl spl-dkms zfs-dkms zfs-dracut zfs-initramfs zfs-test zfsutils-linux zfsutils-linux-dev zfs-zed
Pin: release n=buster-backports
Pin-Priority: 990
cryptsetup luksFormat /dev/md1
```
Per lo scopo dell'installazione
Ci viene chiesta la conferma, e di immettere due volte la nuova passphrase. Dopo
di questo, montiamo il nuovo contenitore cifrato
```
ln -s /proc/self/mounts /etc/mtab
apt update
cryptsetup open /dev/md1 crypta
```
Configurare il locale e la timezone (io ho selezionato `en_US.UTF-8` e locale
`Europe/Berlin`)
creiamo un nuovo volume group e un logical group per la partizione di root
```
apt install --yes locales
dpkg-reconfigure locales
dpkg-reconfigure tzdata
vgcreate /dev/mapper/crypta vg0
lvcreate -L 300G --name root vg0
```
Installiamo i pacchetti relativi a ZFS nel nuovo sistema
lo montiamo e ci riversiamo dentro il backup della root
```
apt install --yes dpkg-dev linux-headers-amd64 linux-image-amd64
apt install --yes zfs-initramfs
apt install --yes console-setup
echo REMAKE_INITRD=yes > /etc/dkms/zfs.conf
mount /dev/vg0/root /mnt
tar xzvf /ramdisk/root.tar.gz -C /mnt
```
Aggiungiamo la seguente riga nell'`/etc/fstab`
Il nuovo layout dovrebbe essere questo
```
PARTUUID=<uuid_da_primo_step> /boot/efi vfat nofail,x-systemd.device-timeout=1 0 1
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 2.7T 0 disk
├─sda1 8:1 0 1G 0 part
│ └─md0 9:0 0 1022M 0 raid1 /boot
├─sda2 8:2 0 2.7T 0 part
│ └─md1 9:1 0 2.7T 0 raid1
│ └─crypta 253:0 0 2.7T 0 crypt
│ └─vg0-root 253:1 0 300G 0 lvm /
└─sda3 8:3 0 1M 0 part
sdb 8:16 0 2.7T 0 disk
├─sdb1 8:17 0 1G 0 part
│ └─md0 9:0 0 1022M 0 raid1 /boot
├─sdb2 8:18 0 2.7T 0 part
│ └─md1 9:1 0 2.7T 0 raid1
│ └─crypta 253:0 0 2.7T 0 crypt
│ └─vg0-root 253:1 0 300G 0 lvm /
└─sdb3 8:19 0 1M 0 part
```
(dove `<uuid_da_primo_step>` è la stringa ottenuta nel primo passo di questa
sezione) e preoccupiamoci di ciò che riguarda il boot
(dove `<uuid_di_dev_md0>` si può ottenere da `lsblk -o +UUID`, alla riga
corrispondente di `/dev/md0`).
Montiamo tutto insieme e facciamo il chroot dentro
```
apt install dosfstools
apt install --yes grub-efi-amd64 shim-signed
dpkg --purge os-prober
mount /dev/vg0/root /mnt
mount /dev/md0 /mnt/boot
mount -t proc /proc /mnt/proc
for fs in dev sys run; do mount --rbind /${fs} /mnt/${fs}; done
chroot /mnt /bin/bash --login
```
Impostiamo la password root
Ci assicuriamo che `/etc/fstab` abbia questa forma
```
passwd
proc /proc proc defaults 0 0
UUID=<uuid_di_dev_md0> /boot ext3 defaults 0 0
UUID= none swap sw 0 0
/dev/vg0/root / ext4 defaults 0 0
```
(Forse non serve) creiamo e abilitiamo questa unit systemd (in
`/etc/systemd/system/zfs-import-bpool.service`) per forzare l'import della pool
di `/boot`
```ini
[Unit]
DefaultDependencies=no
Before=zfs-import-scan.service
Before=zfs-import-cache.service
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/sbin/zpool import -N -o cachefile=none bpool
[Install]
WantedBy=zfs-import.target
```
Adesso installiamo e configuriamo grub
e che `/etc/crypttab` sia fatto così
```
grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=debian --recheck
perl -i -pe 's/(GRUB_CMDLINE_LINUX=")/${1}root=ZFS=rpool /' /etc/default/grub
echo 'GRUB_DISABLE_OS_PROBER=true' >> /etc/default/grub
update-grub
# <target name> <source device> <key file> <options>
crypta /dev/md1 none luks
```
I seguenti passi servono a configurare il boot
```
umount /boot/efi
umount /boot
zfs set mountpoint=legacy bpool
echo "bpool /boot zfs nodev,relatime,x-systemd.requires=zfs-import-bpool.service 0 0" >> /etc/fstab
```
e disabilitiamo il suspend/resume (questo è un server)
```
echo RESUME=none > /etc/initramfs-tools/conf.d/resume
```
### Dropbear
### Dropbear nell'initram
Installiamo dropbear nell'initramfs
@ -165,6 +150,7 @@ echo 'DROPBEAR_OPTIONS="-s -j -k -p 4747"' >> /etc/dropbear-initramfs/config
disabilita il remote port forwarding; `-p` è la porta a cui bindarsi)
Copiamo la chiave pubblica generata in `/etc/dropbear-initramfs/authorized_keys`
(ATTENZIONE: **non** può essere una chiave ellittica, usate una RSA)
```
cat <LA_CHIAVE_PUBLICA> >> /etc/dropbear-initramfs/authorized_keys
@ -176,27 +162,9 @@ Configuriamo la rete
echo 'IP="144.76.80.140::144.76.80.129:255.255.255.224:::off"' >> /etc/initramfs-tools/initramfs.conf
```
### Stunt per far funzionare zfs al boot in dropbear
Copiamo lo script da [qui][zfsunlock] e mettiamolo in
`/usr/share/initramfs-tools/scripts/zfsunlock` e diamogli l'eseguibilità:
```
chmod +x /usr/share/initramfs-tools/scripts/zfsunlock
```
Poi modifichiamo `/usr/share/initramfs-tools/scripts/zfs` come in [questo
commit][commit] (si può usare la patch in `zfs.patch`, copiandola in
`/tmp/zfs.patch` e invocando `patch < /tmp/zfs.patch`).
Infine, aggiorniamo l'initramfs
Infine, aggiorniamo l'initramfs e grub
```
update-initramfs -u -v
update-grub
```
[zfsunlock]: https://raw.githubusercontent.com/openzfs/zfs/1cc635a2dd0379181950a1458255ea8ae8b9c1e0/contrib/initramfs/zfsunlock
[commit]: https://github.com/openzfs/zfs/commit/1cc635a2dd0379181950a1458255ea8ae8b9c1e0#diff-98a21a3fd74b681e806ecbd958c2352bL409

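--- a/login.md
+++ b/login.md
@@ -0,0 +1,41 @@
+# How to login
+Per loggarti devi avere accesso a due chiavi ssh diverse. Si trovano entrambe
+nel pass condiviso. Quella per loggarsi al boot è `unit/rosa_dropbear_key` e
+quella per loggarsi sul sistema avviato è `unit/server_common_key`.
+Queste vanno decifrate e messe in un posto adeguato
+```
+pass unit/rosa_dropbear_key >> $HOME/.ssh/rosa_boot
+pass unit/server_common_key >> $HOME/.ssh/unit
+chmod 600 $HOME/.ssh/rosa_boot
+chmod 600 $HOME/.ssh/unit
+```
+### Decifrare il disco cifrato
+Alla partenza, la macchina non è in uno stato utilizzabile: la partizione di
+root è ancora cifrata. Il server espone ssh sulla porta `4747`, quindi per
+loggarsi
+```
+ssh -i $HOME/.ssh/rosa_boot -p 4747 root@144.76.80.140
+```
+A questo punto, per decifrare il disco e avviare definitivamente la macchina si
+può usare lo script
+```
+cryptroot-unlock
+```
+che chiede la passphrase del disco (`pass unit/rosa_root_passphrase`). Una volta
+immessa e premuto invio, la connessione ssh si chiude e il server termina il
+processo di avvio.
+### Per loggarsi normalmente
+```
+ssh -i $HOME/.ssh/unit root@144.76.80.140
+```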


@ -1,52 +0,0 @@
diff --git a/tmp/zfs.script b/usr/share/initramfs-tools/scripts/zfs
index dbc4e253f11..a795fd39f60 100644
--- a/tmp/zfs.script
+++ b/usr/share/initramfs-tools/scripts/zfs
@@ -405,6 +405,8 @@ decrypt_fs()
ENCRYPTIONROOT="$(get_fs_value "${fs}" encryptionroot)"
KEYLOCATION="$(get_fs_value "${ENCRYPTIONROOT}" keylocation)"
+ echo "${ENCRYPTIONROOT}" > /run/zfs_fs_name
+
# If root dataset is encrypted...
if ! [ "${ENCRYPTIONROOT}" = "-" ]; then
KEYSTATUS="$(get_fs_value "${ENCRYPTIONROOT}" keystatus)"
@@ -418,6 +420,7 @@ decrypt_fs()
# Prompt with plymouth, if active
elif [ -e /bin/plymouth ] && /bin/plymouth --ping 2>/dev/null; then
+ echo "plymouth" > /run/zfs_console_askpwd_cmd
while [ $TRY_COUNT -gt 0 ]; do
plymouth ask-for-password --prompt "Encrypted ZFS password for ${ENCRYPTIONROOT}" | \
$ZFS load-key "${ENCRYPTIONROOT}" && break
@@ -426,6 +429,7 @@ decrypt_fs()
# Prompt with systemd, if active
elif [ -e /run/systemd/system ]; then
+ echo "systemd-ask-password" > /run/zfs_console_askpwd_cmd
while [ $TRY_COUNT -gt 0 ]; do
systemd-ask-password "Encrypted ZFS password for ${ENCRYPTIONROOT}" --no-tty | \
$ZFS load-key "${ENCRYPTIONROOT}" && break
@@ -434,7 +438,8 @@ decrypt_fs()
# Prompt with ZFS tty, otherwise
else
- # Setting "printk" temporarily to "7" will allow prompt even if kernel option "quiet"
+ # Temporarily setting "printk" to "7" allows the prompt to appear even when the "quiet" kernel option has been used
+ echo "load-key" > /run/zfs_console_askpwd_cmd
storeprintk="$(awk '{print $1}' /proc/sys/kernel/printk)"
echo 7 > /proc/sys/kernel/printk
$ZFS load-key "${ENCRYPTIONROOT}"
@@ -964,6 +969,11 @@ mountroot()
mount_fs "$fs"
done
+ touch /run/zfs_unlock_complete
+ if [ -e /run/zfs_unlock_complete_notify ]; then
+ read zfs_unlock_complete_notify < /run/zfs_unlock_complete_notify
+ fi
+
# ------------
# Debugging information
if [ -n "${ZFS_DEBUG}" ]