LinuxQuestions.org
Slackware - Installation This forum is for the discussion of installation issues with Slackware.

Old 06-21-2008, 01:58 PM   #1
Z038
Member
 
Registered: Jan 2006
Distribution: Slackware
Posts: 804

Rep: Reputation: 157
12.1 LUKS and LVM install on system with multiple SATA and IDE HDD


Alien Bob, thank you very much for your excellent detailed description of how to install Slackware 12.1 with LUKS encryption and LVM - README_CRYPT.TXT. I followed it step by step for a clean install of 12.1 on my Thinkpad T43 laptop. It worked perfectly, and I'm posting from that system now.

I want to do the same on my desktop, but my hardware configuration is more complex there, and I'm having some trouble. My laptop had a single hard drive. My desktop has two IDE drives and two SATA drives. I have an existing 12.0 install on my IDE drive (not LUKS or LVM) that I want to preserve for now, and I'm trying to do a clean install of 12.1 with LUKS and LVM on a new SATA drive. I can get the system installed, I just can't boot into it.

My configuration is as follows:
Code:
/dev/hda1 - IDE 100MB GRUB partition, EXT3
/dev/hda2 - IDE 2GB SWAP
/dev/hda5 - IDE 250GB Slackware 12.0 system, ReiserFS
/dev/hdb1 - IDE 80GB NTFS drive (Win XP)
/dev/hdc - CDROM
/dev/hdd - DVD
/dev/sda1 - SATA 100MB for 12.1 /boot directory, EXT3
/dev/sda5 - SATA 300GB LVM PV in VG group vg00, LUKS EXT3
/dev/sdb1 - SATA 100MB unused
/dev/sdb5 - SATA 300GB LVM PV in VG group vg00, LUKS EXT3
From my existing 12.0 system, I ran cfdisk to create the partitions on the two new SATA drives, then initialized them with random data. (Note: This took almost 2 days to complete running simultaneously against two 300GB drives!)
Code:
dd if=/dev/urandom of=/dev/sda5   
dd if=/dev/urandom of=/dev/sdb5
I booted the Slackware 12.1 installation DVD on the default hugesmp.s kernel and pretty much followed Alien Bob's instructions exactly, except that I included an extra drive:
Code:
cryptsetup -s 256 -y luksFormat /dev/sda5
cryptsetup -s 256 -y luksFormat /dev/sdb5

cryptsetup luksOpen /dev/sda5 zero
cryptsetup luksOpen /dev/sdb5 one

pvcreate /dev/mapper/zero /dev/mapper/one

vgcreate vg00 /dev/mapper/zero /dev/mapper/one

lvcreate -L 18G -n root vg00
lvcreate -L 2G -n swap0 vg00
lvcreate -L 300GB -n home vg00
lvcreate -L 2G -n swap1 vg00

vgscan --mknodes
vgchange -ay
mkswap /dev/vg00/swap0
mkswap /dev/vg00/swap1
All of the above seems to work. I get no errors from pvscan, lvscan, cryptsetup commands to list volumes, luks attributes, etc.

Then I proceed with setup. I tell the installer to map /dev/vg00/swap0 and /dev/vg00/swap1 for swap space, map /dev/vg00/root to /, map /dev/vg00/home to /home, and map /dev/sda1 to /boot. I do a full install of everything except kdei.

I have tried to install LILO to a floppy, but it failed. I was afraid to install it to the MBR of "the first drive" because setup doesn't tell you what drive that is, and I was afraid it would go to /dev/hda1, which is where I have GRUB installed for booting my unencrypted non-LVM 12.0 system. I would want to install LILO to the MBR on /dev/sda1, if possible for a test, but I prefer GRUB.

After setup:

Code:
chroot /mnt
mkinitrd -c -k 2.6.24.5-smp -m ext3 -f ext3 -r /dev/vg00/root -C /dev/sda5 -L
mount /dev/hda1 /mnt/hd
cp /boot/initrd.gz /mnt/hd/boot/initrd-2.6.24.5-smp.gz
cp /boot/vmlinuz-generic-smp-2.6.24.5-smp /mnt/hd/boot/.
For the above mkinitrd, I've tried /dev/sda5 and /dev/sdb5 for the -C parameter.

My grub configuration in /dev/hda1/boot/grub/grub.conf has this entry:

Code:
title Slackware 12.1 kernel 2.6.24.5
   root (hd0,0)
   kernel /boot/vmlinuz-generic-smp-2.6.24.5-smp ro root=/dev/vg00/root
   initrd /boot/initrd-smp-2.6.24.5-smp.gz
When I boot it, I get to the point where LUKS asked me for the passphrase. I enter that, and it is successful. Then I get:

Code:
Reading all physical volumes.  THis may take a while...
 Couldn't find device with uuid 'H6TNIc-0rha-fk2i-cgUU-0EhR-hT03-23cvpD'.
 Couldn't find all physical volumes for volume group vg00.
 Couldn't find device with uuid 'H6TNIc-0rha-fk2i-cgUU-0EhR-hT03-23cvpD'.
 Couldn't find all physical volumes for volume group vg00.
 Volume group "vg00" not found
 Couldn't find device with uuid 'H6TNIc-0rha-fk2i-cgUU-0EhR-hT03-23cvpD'.
 Couldn't find all physical volumes for volume group vg00.
 Couldn't find device with uuid 'H6TNIc-0rha-fk2i-cgUU-0EhR-hT03-23cvpD'.
 Couldn't find all physical volumes for volume group vg00.
 Volume group "vg00" not found
 Couldn't find device with uuid 'H6TNIc-0rha-fk2i-cgUU-0EhR-hT03-23cvpD'.
 Couldn't find all physical volumes for volume group vg00.
 Couldn't find device with uuid 'H6TNIc-0rha-fk2i-cgUU-0EhR-hT03-23cvpD'.
 Couldn't find all physical volumes for volume group vg00.
 Volume group "vg00" not found
mount: mounting /dev/vg00/root on /mnt failed: No such file or directory
ERROR: No /sbin/init found on rootdev (or not mounted). Trouble ahead.
       You can try to fix it.  Type 'exit' when things are done.

/bin/sh: can't access tty; job control turned off
/ $ _
So I'm stumped. This worked fine on my laptop with a single drive and no other operating systems installed.
 
Old 06-22-2008, 12:03 AM   #2
Z038
Member
 
Registered: Jan 2006
Distribution: Slackware
Posts: 804

Original Poster
Rep: Reputation: 157
I unplugged the two IDE drives /dev/hda and /dev/hdb, then re-installed with only one of my SATA drives in the LVM volume group. Then I was able to install LILO and boot the system.

This is progress of sorts, but it is not what I want. I want both of my SATA drives to be in the volume group, and I want to be able to access my IDE drives too.
 
Old 06-22-2008, 09:05 AM   #3
Alien Bob
Slackware Contributor
 
Registered: Sep 2005
Location: Eindhoven, The Netherlands
Distribution: Slackware
Posts: 5,313

Rep: Reputation: Disabled
Yes, very interesting.
The current initrd does not support an encrypted root partition that spans across more than one LUKS volume...

This may be something to look at for the next release, but there is no quickfix I can help you with at the moment. I'll have to dive into it and currently I have no time available.
Because it may take some time to see progress on this, perhaps you can contact me through email sometime later, so that I do not forget.

Eric
 
Old 06-22-2008, 11:44 AM   #4
Z038
Member
 
Registered: Jan 2006
Distribution: Slackware
Posts: 804

Original Poster
Rep: Reputation: 157
Thanks Eric. I'll check back with you in six or eight months then. I appreciate it. For now I'll just see if I can add the other SATA drive as a separate encrypted volume group and mount it in fstab.
 
Old 06-22-2008, 12:09 PM   #5
Alien Bob
Slackware Contributor
 
Registered: Sep 2005
Location: Eindhoven, The Netherlands
Distribution: Slackware
Posts: 5,313

Rep: Reputation: Disabled
Quote:
Originally Posted by Z038
I'll check back with you in six or eight months then.
Heh. If I were you I'd try a bit earlier than that... this kind of stuff should not be left until the end of a slackware-current development cycle.

Eric
 
Old 06-24-2008, 11:24 AM   #6
Z038
Member
 
Registered: Jan 2006
Distribution: Slackware
Posts: 804

Original Poster
Rep: Reputation: 157
Ok, I won't wait that long. I'll contact you soon.

In the meantime, I created a second encrypted volume group for the second drive. I created a swap partition on it, ran mkswap then added it to fstab, then ran swapon to make it active and confirmed that it was there by cat /proc/swaps.

Code:
root@i1:~# cat /proc/swaps
Filename                                Type            Size    Used    Priority
/dev/mapper/vg00-swap0                  partition       2097144 0       -1
/dev/mapper/vg01-swap1                  partition       2097144 0       -2
However, when I reboot, it is not automatically added even though it is in fstab. I have to issue the cryptsetup luksOpen and vgchange commands manually then issue swapon to make it active.
 
Old 02-02-2010, 08:01 PM   #7
Z038
Member
 
Registered: Jan 2006
Distribution: Slackware
Posts: 804

Original Poster
Rep: Reputation: 157
Eric, I forgot about this issue since I managed to do without it, but I came across this thread again and thought I'd ask. I probably won't want to change my current system to utilize this capability if support for it has been worked in, but I might if I build another system. Is there support now at boot time for an encrypted root partition that spans across more than one LUKS volume?

Barring that, how would you recommend getting another LUKS volume that contains a SWAP file to mount during boot?
 
Old 02-03-2010, 03:07 AM   #8
Alien Bob
Slackware Contributor
 
Registered: Sep 2005
Location: Eindhoven, The Netherlands
Distribution: Slackware
Posts: 5,313

Rep: Reputation: Disabled
No, this is not supported in the initrd.

Eric
 
Old 02-03-2010, 12:17 PM   #9
GazL
Senior Member
 
Registered: May 2008
Posts: 3,440

Rep: Reputation: 959
I've reworked the initrd this afternoon to support this. It's something I've been meaning to do for a while as I also had a system with 2 encrypted lvm volumes. You'll have to enter the password for each encrypted device, but at least it means you can use more than 1.

Anyway, here's my patch if anyone is interested:

Code:
--- mkinitrd/init	2009-04-02 23:13:59.000000000 +0100
+++ mkinitrd.new/init	2010-02-03 15:48:40.057727815 +0000
@@ -136,33 +136,33 @@
     /sbin/mdadm -E -s >/etc/mdadm.conf
     /sbin/mdadm -A -s
   fi
-  
-  # Find root device if a label was given:
-  if echo $ROOTDEV | grep -q "LABEL=" ; then
-    ROOTDEV=`findfs $ROOTDEV`
-  fi
 
-  # Make encrypted root partition available:
-  # The useable device will be under /dev/mapper/
-  # Three scenarios for the commandline exist:
-  # 1- ROOTDEV is on a LUKS volume, and LUKSDEV is a real block device
-  # 2- ROOTDEV is on a LVM volume, and LUKSDEV is a real block device
-  # 3- ROOTDEV is on a LUKS volume, and LUKSDEV is on a LVM volume
-  # Case (3) will have to wait until we initialize the LVM.
-  # Test if ROOTDEV is "/dev/someting" or just "something" - the first means
-  # ROOTDEV is on a LVM volume (scenario 2); we don't need to rewrite ROOTDEV.
-  # The second means that ROOTDEV is on a LUKS volume (scenario 1).
-  CRYPTDEV=""
+  # Unlock any encrypted partitions necessary to access the 
+  # root filesystem, such as encrypted LVM Physical volumes, disk 
+  # partitions or mdadm arrays.
+  # Unavailable devices such as LVM Logical Volumes will need to be 
+  # deferred until they become available after the vgscan.
+
   if [ -x /sbin/cryptsetup ]; then
-    # If we find a LUKS device now, it is on a real block device: 
-    if /sbin/cryptsetup isLuks ${LUKSDEV} 1>/dev/null 2>/dev/null ; then
-      CRYPTDEV=$(basename $ROOTDEV)
-      echo "Unlocking LUKS crypt volume '${CRYPTDEV}' on device '$LUKSDEV':"
-      /sbin/cryptsetup luksOpen ${LUKSDEV} $CRYPTDEV </dev/systty >/dev/systty 2>&1
-      if [ "$CRYPTDEV" == "$ROOTDEV" ]; then # scenario 1
-        ROOTDEV="/dev/mapper/${CRYPTDEV}"
-      fi
-    fi
+     sleep 2 #  Brief pause to Prevent usb keyboard activation from 
+             #  obscuring the cryptsetup prompt on the console.
+     LUKSLIST_DEFERRED=''
+     LUKSLIST=`echo $LUKSDEV | tr ':' ' '`
+     for LUKSDEV in $LUKSLIST
+       do
+         if /sbin/cryptsetup isLuks ${LUKSDEV} 1>/dev/null 2>/dev/null ; then
+            CRYPTDEV=luks$(basename $LUKSDEV)
+            echo "Unlocking LUKS encrypted device '${LUKSDEV}'" \
+                 "as luks mapped device '$CRYPTDEV':"
+            /sbin/cryptsetup luksOpen ${LUKSDEV} $CRYPTDEV \
+               </dev/systty >/dev/systty 2>&1
+            if [ "$ROOTDEV" = "$LUKSDEV" ] ; then 
+               ROOTDEV="/dev/mapper/$CRYPTDEV"
+            fi
+         else
+            LUKSLIST_DEFERRED="${LUKSLIST_DEFERRED} ${LUKSDEV}"
+         fi
+       done
   fi
 
   # Initialize LVM:
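Review bot: In the new `for LUKSDEV in $LUKSLIST` loop the exit status of `/sbin/cryptsetup luksOpen` is never checked, so a mistyped passphrase on one device is passed over silently and `ROOTDEV` is still rewritten to `/dev/mapper/$CRYPTDEV` even when the root device failed to open. With several encrypted physical volumes, one failed unlock leaves the volume group incomplete at the vgscan that follows. Suggest testing the `luksOpen` result, reporting or re-prompting on failure, and rewriting `ROOTDEV` only on success. The loop also reuses `LUKSDEV` as its loop variable, overwriting the original colon-separated value, and passes `$LUKSDEV` unquoted to `basename`; a separate loop variable and quoting would be safer.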
@@ -172,17 +172,31 @@
     /sbin/vgchange -ay --ignorelockingfailure
   fi
   
-  # Make encrypted root partition available (scenario 3):
-  # We have to handle cases here where the LUKS volume is created on a LV
-  if [ -x /sbin/cryptsetup ]; then
-    if /sbin/cryptsetup isLuks ${LUKSDEV} 1>/dev/null 2>/dev/null ; then
-      # Only act if we could not open the LUKS device before (i.e. is on a LV):
-      if [ "x$CRYPTDEV" == "x" ]; then
-        echo "Unlocking LUKS crypt volume '${ROOTDEV}' on device '$LUKSDEV':"
-        /sbin/cryptsetup luksOpen ${LUKSDEV} $ROOTDEV </dev/systty >/dev/systty 2>&1
-        ROOTDEV="/dev/mapper/${ROOTDEV}"
-      fi
-    fi
+  # Unlock any LUKS encrypted devices that were deferred above which 
+  # have now become available due to the vgscan.
+  #   i.e. Filesystems on LVM Logical Volumes.
+
+  if [ -x /sbin/cryptsetup -a -n "${LUKSLIST_DEFERRED}"]; then
+     for LUKSDEV in ${LUKSLIST_DEFERRED}
+       do
+         if /sbin/cryptsetup isLuks ${LUKSDEV} 1>/dev/null 2>/dev/null ; then
+            CRYPTDEV=luks$(basename $LUKSDEV)
+            echo "Unlocking LUKS encrypted device '${LUKSDEV}'" \
+                 "as luks mapped device '$CRYPTDEV':"
+            /sbin/cryptsetup luksOpen ${LUKSDEV} $CRYPTDEV \
+               </dev/systty >/dev/systty 2>&1
+            if [ "$ROOTDEV" = "$LUKSDEV" ] ; then 
+               ROOTDEV="/dev/mapper/$CRYPTDEV"
+            fi
+         else
+           echo "LUKS device $LUKSDEV unavailable for unlocking" 
+         fi
+       done
+  fi
+  
+  # Find root device if a label was given:
+  if echo $ROOTDEV | grep -q "LABEL=" ; then
+    ROOTDEV=`findfs $ROOTDEV`
   fi
 
   # Resume state from swap
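Review bot: The test `[ -x /sbin/cryptsetup -a -n "${LUKSLIST_DEFERRED}"]` that opens the deferred block has no space before the closing `]`, so the shell sees no terminating `]` argument, the test errors out, and the whole deferred loop is skipped; LUKS devices on logical volumes would never be unlocked. Suggest `[ -x /sbin/cryptsetup ] && [ -n "${LUKSLIST_DEFERRED}" ]`. As in the first pass, the result of `luksOpen` is not checked before `ROOTDEV` is rewritten.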
It's a complete reorganisation of the bits surrounding luks and lvm in the initrd-tree/init. IMO it's actually simpler than the existing code and has the advantage of adding the new feature.

The way it works is that it'll allow you to use a list, similar to how you specify modules with the -m option e.g. "-C /dev/sda1:/dev/sda2:/dev/sda3" on your mkinitrd or on the luksdev= kernel option for all the disks you want to be unlocked during the initrd.

Each luks device will automatically be given the name /dev/mapper/luksnnnn where nnnn is the underlying basename of the device so the above would result in lukssda1, lukssda2, lukssda3 which results in a consistent naming and a clear correlation of what device it actually relates to.

As before, the -r option is used to specify the rootfs, but it has also been reworked a little. It works in a more consistent manner than the way it works currently. You no longer use the short luks name for a luks setup and the full device path for a lvm logical volume; instead you simply use whatever your root fs is on, whether it's an encrypted partition or logical volume.

e.g.

If your rootfs was on an encrypted /dev/sda1, in the current version you'd have to use "-C /dev/sda1 -r cryptroot"

With mine you'd use "-C /dev/sda1 -r /dev/sda1" (the init will work out that it needs to use /dev/mapper/lukssda1 itself, though you could explicitly specify "-r /dev/mapper/lukssda1" yourself if you prefer).


If you have an encrypted root on sda1 and an encrypted home on sda2 you can use "-C /dev/sda1:/dev/sda2 -r /dev/sda1" though in this case you'd probably be best off just using crypttab. Still, it'll work.


For a LVM setup where your physical volumes are encrypted, such as described in the CRYPT and LVM READMEs on the install disk, you'd use
"-C /dev/sda1 -r /dev/vgname/lvname"

What's new is that you can now have more than one pv and do something like "-C /dev/sda1:/dev/sda2:/dev/sda3 -r /dev/vgname/lvname"


For root fs on an encrypted LVM logical volume on a non-encrypted lvm physical volume you use "-C /dev/vgname/lvname -r /dev/vgname/lvname"



I couldn't get the mkinitrd.SlackBuild from Slackware64-current to work, it bombs out building busybox, so to install the patch to a running system you have to go through a little bit of a hack. (remember that if you update the slackware mkinitrd package you'll lose this).

Code:
root@nix:/root# cd /tmp
root@nix:/tmp# mkdir initrd-tree
root@nix:/tmp# cd initrd-tree
root@nix:/tmp/initrd-tree# tar -zxf /usr/share/mkinitrd/initrd-tree.tar.gz
root@nix:/tmp/initrd-tree# patch -p1 <mkinitrd.diff 
patching file init
root@nix:/tmp/initrd-tree# mv /usr/share/mkinitrd/initrd-tree.tar.gz /usr/share/mkinitrd/initrd-tree.tar.gz.orig
root@nix:/tmp/initrd-tree# tar -zcf /usr/share/mkinitrd/initrd-tree.tar.gz .
To implement this properly then the /sbin/mkinitrd really should be made to match, but it does work as it is (at least on my config).

I'd be interested in any feedback, especially from Eric on this, especially so if I've missed a 'nasty' in here anywhere.
If anyone thinks they'd like to test it then I'll be happy to answer questions, but be aware that it's only been tested on my box, so it's not had exposure to many different configs yet.
Use at your own risk!!!.
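
A dry-run model of the unlock order described in post #9, added here as an illustration; it is not GazL's code and not part of the Slackware init. It calls no real cryptsetup: `is_luks`, `luks_open`, `plan` and the variables `LUKS_BEFORE`, `LUKS_AFTER` and `OPEN_FAILS` are hypothetical names with constructed inputs, and unlike the patch it records a failed unlock instead of continuing.

```shell
#!/bin/sh
# Added example: dry-run of the two-pass LUKS unlock order (no real cryptsetup calls).
# Constructed inputs (hypothetical names, set by the caller):
#   LUKS_BEFORE  devices that are LUKS and visible before LVM is initialised
#   LUKS_AFTER   LUKS logical volumes that appear only after vgscan/vgchange -ay
#   OPEN_FAILS   devices whose unlock fails (e.g. wrong passphrase)

is_luks()   { case " $VISIBLE " in *" $1 "*) return 0 ;; esac; return 1; }
luks_open() { case " $OPEN_FAILS " in *" $1 "*) return 1 ;; esac; return 0; }

# unlock_pass "dev dev ...": updates MAPPED, FAILED, DEFERRED and ROOTDEV.
unlock_pass() {
  DEFERRED=""
  for dev in $1; do
    if is_luks "$dev"; then
      name="luks$(basename "$dev")"          # naming scheme from the post
      if luks_open "$dev" "$name"; then
        MAPPED="$MAPPED $name"
        if [ "$ROOTDEV" = "$dev" ]; then ROOTDEV="/dev/mapper/$name"; fi
      else
        FAILED="$FAILED $dev"                # unlike the patch: record the failure
      fi
    else
      DEFERRED="$DEFERRED $dev"              # not visible yet, retry after LVM
    fi
  done
  return 0
}

# plan LIST ROOTDEV: LIST is the colon-separated -C / luksdev= value.
# Prints a one-line summary; returns non-zero if any device failed or is missing.
plan() {
  ROOTDEV=$2; MAPPED=""; FAILED=""
  VISIBLE=$LUKS_BEFORE
  unlock_pass "$(echo "$1" | tr ':' ' ')"    # pass 1: partitions, md arrays
  VISIBLE="$LUKS_BEFORE $LUKS_AFTER"         # LVM initialised at this point
  unlock_pass "$DEFERRED"                    # pass 2: LUKS on logical volumes
  echo "root=$ROOTDEV mapped=$(echo $MAPPED) failed=$(echo $FAILED) missing=$(echo $DEFERRED)"
  [ -z "$FAILED$DEFERRED" ]
}

# Constructed sample: the two-PV layout from post #1.
LUKS_BEFORE="/dev/sda5 /dev/sdb5"; LUKS_AFTER=""; OPEN_FAILS=""
plan "/dev/sda5:/dev/sdb5" "/dev/vg00/root"
```

A non-empty `failed=` or `missing=` field is the condition under which the volume group cannot be assembled completely, which is the "Couldn't find all physical volumes" state shown in post #1.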
 
Old 02-03-2010, 03:55 PM   #10
Alien Bob
Slackware Contributor
 
Registered: Sep 2005
Location: Eindhoven, The Netherlands
Distribution: Slackware
Posts: 5,313

Rep: Reputation: Disabled
Very nice.
When I have some time and hardware, I am going to try it out for sure.

Eric
 
Old 02-03-2010, 05:05 PM   #11
GazL
Senior Member
 
Registered: May 2008
Posts: 3,440

Rep: Reputation: 959
Glad you like it.

I'll have another go at building busybox tomorrow. Looks like the error I hit is a kernel header issue with if_tunnel.h. Hopefully a later version of busybox will build ok.
 
  

