scrap mdadm, various fixes

[automated-distro-installer] / fai / config / hooks / partition.DEFAULT

diff --git a/fai/config/hooks/partition.DEFAULT b/fai/config/hooks/partition.DEFAULT
index e3cd178e173f0970e73d50de27b656d80e07e29c..e2a32caea9814ab497ed8ebb67be80052cdd5fe8 100755 (executable)
--- a/fai/config/hooks/partition.DEFAULT
+++ b/fai/config/hooks/partition.DEFAULT
@@ -6,35 +6,45 @@ trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?"' ERR
 # # fai's setup-storage won't do btrfs on luks,
 # # so we do it ourself :)
 
-partition=false
-
-
-letters=(a)
 
+#### begin configuration
 if ifclass VM; then
-    d=/dev/vd
+    d=vd
 else
-    d=/dev/sd
+    d=sd
 fi
 
+
 if ifclass TWO_DISK; then
-    skiptask partition
-    devs=(${d}{a,b})
-    [[ -e /dev/md127 ]] || partition=true
+    letters=(a b)
 elif ifclass ONE_DISK; then
-    skiptask partition
-    devs=(${d}a)
+    letters=(a)
 else
     exit
 fi
+##### end configuration
+skiptask partition
+devs=(${letters[@]/#//dev/${d}})
+crypt_devs=(${letters[@]/#//dev/mapper/crypt_dev_${d}})
+
+# we can set this manually to force partitioning
+#partition=false
 
-# somewhat crude detection of wehter to partition
+# somewhat crude detection of whether to partition
 for dev in ${devs[@]}; do
+    x=($dev[0-9])
+    [[ ${#x[@]}  == 4 ]] || partition=true
     for part in ${dev}{1,2,3,4}; do
         [[ -e $part ]] || partition=true
     done
+    # type tells us it's not totally blank
+    for part in ${dev}{1,3}; do
+        blkid | grep "^$part:.*TYPE=" &>/dev/null || partition=true
+    done
 done
 
+partition=true # override temporarily
+
 # keyfiles generated like:
 # head -c 2048 /dev/urandom | od | s dd of=/q/root/luks/host-demohost
 luks_dir=/var/lib/fai/config/distro-install-common/luks
@@ -43,25 +53,18 @@ if ifclass tp; then
 else
     lukspw=$(cat $luks_dir/ian)
 fi
+if ifclass demohost; then
+    lukspw=x
+fi
 
 boot_end=504
 
-! ifclass tp || letters=(a b)
-
-md() { ((${#letters[@]} > 1)); }
-
-if md; then
-    # if partition with md0, then reboot into the installer,
-    # it becomes md127. So might as well start with 127 for simplicity.
-    crypt=md127
-else
-    crypt=${d##/dev/}a3
-fi
+crypt=/dev/mapper/crypt_dev_${d##/dev/}a3
 
 
 
 # 1.5 x based on https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Installation_Guide/sect-disk-partitioning-setup-x86.html#sect-custom-partitioning-x86
-swap_end=$(( $(grep ^MemTotal: /proc/meminfo| awk '{print $2}') * 3/(${#letters[@]} * 2 ) / 1000 + boot_end ))MiB
+swap_end=$(( $(grep ^MemTotal: /proc/meminfo| awk '{print $2}') * 3/(${#devs[@]} * 2 ) / 1000 + boot_end ))
 
 create_subvols() {
     cd /mnt
@@ -78,48 +81,59 @@ shopt -s nullglob
 if $partition; then
     mkdir -p /tmp/fai
     for dev in ${devs[@]}; do
-        for x in /dev/md*; do [[ -d $x ]] || mdadm --stop $x; done
         for x in $dev[0-9]; do wipefs -a $x; done
         parted -s $dev mklabel gpt
         # gpt ubuntu cloud image uses ~4. fai uses 1 MiB. ehh, i'll do 4.
         # also, using MB instead of MiB causes complains about alignment.
         parted -s $dev mkpart primary "ext3" 4MB ${boot_end}MiB
         parted -s $dev set 1 boot on
-        parted -s $dev mkpart primary "linux-swap" ${boot_end}MiB $swap_end
-        parted -s -- $dev mkpart primary "" $swap_end -0
-        parted -s $dev set 3 raid on
+        parted -s $dev mkpart primary "linux-swap" ${boot_end}MiB ${swap_end}MiB
+        parted -s -- $dev mkpart primary "" ${swap_end}MiB -0
         parted -s $dev mkpart primary "" 1MiB 4MiB
         parted -s $dev set 4 bios_grub on
         # the mkfs failed randomly on a vm, so I threw a sleep in here.
         sleep .1
         mkfs.ext4 -F ${dev}1
+        # 3 is device which simply holds a key for the 4's,
+        # so we can unlock multi-device btrfs fs with 1 manually entered passphrase.
+        #
+        # Background: It's of course possible modify the initramfs to
+        # put the input from a passphrase prompt into a variable and use
+        # it to unlock multiple devices, but that would require figuring
+        # more things out.
+        #
+        for luks_dev in ${dev}3; do
+            yes YES | cryptsetup luksFormat $luks_dev $luks_dir/host-$HOSTNAME \
+                                 -c aes-cbc-essiv:sha256 -s 256 || [[ $? == 141 ]]
+            yes "$lukspw" | \
+                cryptsetup luksAddKey --key-file $luks_dir/host-$HOSTNAME \
+                           $luks_dev || [[ $? == 141 ]]
+            # background: Keyfile and password are treated just
+            # like 2 ways to input a passphrase, so we don't actually need to have
+            # different contents of keyfile and passphrase, but it makes some
+            # security sense to a really big randomly generated passphrase
+            # as much as possible, so we have both.
+            #
+            # This would remove the keyfile.
+            #    yes 'test' | cryptsetup luksRemoveKey /dev/... \
+                #                            /key/file || [[ $? == 141 ]]
+
+            cryptsetup luksOpen $luks_dev crypt_dev_${luks_dev##/dev/} \
+                       --key-file $luks_dir/host-$HOSTNAME
+        done
     done
-    if md; then
-        yes | mdadm --create /dev/$crypt --level=raid0 --force --run \
-                    --raid-devices=${#devs[@]} ${devs[@]/%/3} || [[ $? == 141 ]]
-    fi
-
-    yes YES | cryptsetup luksFormat /dev/$crypt $luks_dir/host-$HOSTNAME \
-                         -c aes-cbc-essiv:sha256 -s 256 || [[ $? == 141 ]]
-    yes "$lukspw" cryptsetup luksAddKey --key-file \
-                   $luks_dir/host-$HOSTNAME /dev/$crypt || [[ $? == 141 ]]
-    # this would remove the keyfile. we will do that manually later.
-    #    yes 'test' | cryptsetup luksRemoveKey /dev/... \
-        #                            /key/file || [[ $? == 141 ]]
-    cryptsetup luksOpen /dev/$crypt crypt_dev_$crypt --key-file \
-               $luks_dir/host-$HOSTNAME
+    mkfs.btrfs -f ${crypt_devs[@]/%/3}
     parted ${devs[0]} set 1 boot on
-    mkfs.btrfs -f /dev/mapper/crypt_dev_$crypt
-    mount /dev/mapper/crypt_dev_$crypt /mnt
+    mount $crypt /mnt
     create_subvols
 else
     for dev in ${devs[@]}; do
         mkfs.ext4 -F ${dev}1
+        cryptsetup luksOpen ${dev}3 crypt_dev_${dev##/dev/}3 \
+                   --key-file $luks_dir/host-$HOSTNAME || [[ $? == 141 ]]
     done
-    yes "$lukspw" | \
-        cryptsetup luksOpen /dev/$crypt crypt_dev_$crypt || [[ $? == 141 ]]
     sleep 1
-    mount -o subvolid=0 /dev/mapper/crypt_dev_$crypt /mnt
+    mount -o subvolid=0 $crypt /mnt
     # systemd creates subvolumes we want to delete.
     s=($(btrfs subvolume list --sort=-path /mnt |
                 sed -rn 's#^.*path\s*(root/\S+)\s*$#\1#p'))
@@ -129,27 +143,30 @@ else
     create_subvols
 fi
 
-cat > /tmp/fai/crypttab <<EOF
-crypt_dev_$crypt  /dev/$crypt  none  keyscript=/root/keyscript,discard,luks
+
+for dev in ${devs[@]}; do
+    cat >>/tmp/fai/crypttab <<EOF
+crypt_dev_${dev##/dev/}3  ${dev}3  none  keyscript=/root/keyscript,discard,luks
 EOF
+done
 
 for dev in ${devs[@]}; do
-    cat >> /tmp/fai/crypttab <<EOF
+    cat >>/tmp/fai/crypttab <<EOF
 swap ${dev}2  /dev/urandom  swap,cipher=aes-xts-plain64,size=256,hash=ripemd160
 EOF
 done
 
 # this is duplicated in arch-init
 cat > /tmp/fai/fstab <<EOF
-/dev/mapper/crypt_dev_$crypt  /  btrfs  noatime,subvol=/root  0 0
-/dev/mapper/crypt_dev_$crypt  /a  btrfs  noatime,subvol=/a  0 0
-/dev/mapper/crypt_dev_$crypt  /home  btrfs  noatime,subvol=/home  0 0
+$crypt  /  btrfs  noatime,subvol=/root  0 0
+$crypt  /a  btrfs  noatime,subvol=/a  0 0
+$crypt  /home  btrfs  noatime,subvol=/home  0 0
 ${devs[0]}1  /boot  ext4  noatime  0 2
 EOF
 
 
 cat >/tmp/fai/disk_var.sh <<EOF
-ROOT_PARTITION=\${ROOT_PARTITION:-/dev/mapper/crypt_dev_$crypt}
+ROOT_PARTITION=\${ROOT_PARTITION:-$crypt}
 BOOT_PARTITION=\${BOOT_PARTITION:-${devs[0]}1}
 BOOT_DEVICE=\${BOOT_DEVICE:-"${devs[0]}"}
 SWAPLIST=\${SWAPLIST:-"${devs[@]/%/2}"}