# # fai's setup-storage won't do btrfs on luks,
# # so we do it ourself :)
-partition=false
-
-
-letters=(a)
+#### begin configuration
if ifclass VM; then
- d=/dev/vd
+ d=vd
else
- d=/dev/sd
+ d=sd
fi
+
if ifclass TWO_DISK; then
- skiptask partition
- devs=(${d}{a,b})
- [[ -e /dev/md127 ]] || partition=true
+ letters=(a b)
elif ifclass ONE_DISK; then
- skiptask partition
- devs=(${d}a)
+ letters=(a)
else
exit
fi
+##### end configuration
+skiptask partition
+devs=(${letters[@]/#//dev/${d}})
+crypt_devs=(${letters[@]/#//dev/mapper/crypt_dev_${d}})
+
+# we can set this manually to force partitioning
+#partition=false
-# somewhat crude detection of wehter to partition
+# somewhat crude detection of whether to partition
for dev in ${devs[@]}; do
+ x=($dev[0-9])
+ [[ ${#x[@]} == 4 ]] || partition=true
for part in ${dev}{1,2,3,4}; do
[[ -e $part ]] || partition=true
done
+ # type tells us it's not totally blank
+ for part in ${dev}{1,3}; do
+ blkid | grep "^$part:.*TYPE=" &>/dev/null || partition=true
+ done
done
+partition=true # override temporarily
+
# keyfiles generated like:
# head -c 2048 /dev/urandom | od | s dd of=/q/root/luks/host-demohost
luks_dir=/var/lib/fai/config/distro-install-common/luks
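Review bot: The added `partition=true # override temporarily` after the detection loop forces the destructive branch on every run, so the wipefs, mklabel and luksFormat calls guarded by `if $partition` will reformat disks that already hold a valid install. The commit also drops the `partition=false` initialisation, and with the variable unset `if $partition; then` expands to an empty command, which bash treats as success, so the reuse branch would not run even without the override. I would restore `partition=false` above the loop and remove the override, or gate it behind an explicit class, so that a reinstall which wipes the LUKS header is always a deliberate choice.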
else
lukspw=$(cat $luks_dir/ian)
fi
+if ifclass demohost; then
+ lukspw=x
+fi
boot_end=504
-! ifclass tp || letters=(a b)
-
-md() { ((${#letters[@]} > 1)); }
-
-if md; then
- # if partition with md0, then reboot into the installer,
- # it becomes md127. So might as well start with 127 for simplicity.
- crypt=md127
-else
- crypt=${d##/dev/}a3
-fi
+crypt=/dev/mapper/crypt_dev_${d##/dev/}a3
# 1.5 x based on https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Installation_Guide/sect-disk-partitioning-setup-x86.html#sect-custom-partitioning-x86
-swap_end=$(( $(grep ^MemTotal: /proc/meminfo| awk '{print $2}') * 3/(${#letters[@]} * 2 ) / 1000 + boot_end ))MiB
+swap_end=$(( $(grep ^MemTotal: /proc/meminfo| awk '{print $2}') * 3/(${#devs[@]} * 2 ) / 1000 + boot_end ))
create_subvols() {
cd /mnt
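Review bot: The new demohost branch sets `lukspw=x`, and the partitioning code later adds `$lukspw` as a LUKS keyslot with luksAddKey, so on that host the volume can be unlocked with a one-character passphrase no matter how strong the generated keyfile is. If demohost is a throwaway test machine, the branch should say so, for example `# test-only host, no real data: passphrase is intentionally trivial`. Otherwise it should read the passphrase from a file under `$luks_dir`, as the `lukspw=$(cat $luks_dir/ian)` branch does. The if/else that the new block follows starts above this hunk, so I cannot see which classes reach the other branches.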
if $partition; then
mkdir -p /tmp/fai
for dev in ${devs[@]}; do
- for x in /dev/md*; do [[ -d $x ]] || mdadm --stop $x; done
for x in $dev[0-9]; do wipefs -a $x; done
parted -s $dev mklabel gpt
# gpt ubuntu cloud image uses ~4. fai uses 1 MiB. ehh, i'll do 4.
# also, using MB instead of MiB causes complains about alignment.
parted -s $dev mkpart primary "ext3" 4MB ${boot_end}MiB
parted -s $dev set 1 boot on
- parted -s $dev mkpart primary "linux-swap" ${boot_end}MiB $swap_end
- parted -s -- $dev mkpart primary "" $swap_end -0
- parted -s $dev set 3 raid on
+ parted -s $dev mkpart primary "linux-swap" ${boot_end}MiB ${swap_end}MiB
+ parted -s -- $dev mkpart primary "" ${swap_end}MiB -0
parted -s $dev mkpart primary "" 1MiB 4MiB
parted -s $dev set 4 bios_grub on
# the mkfs failed randomly on a vm, so I threw a sleep in here.
sleep .1
mkfs.ext4 -F ${dev}1
+ # 3 is device which simply holds a key for the 4's,
+ # so we can unlock multi-device btrfs fs with 1 manually entered passphrase.
+ #
+ # Background: It's of course possible modify the initramfs to
+ # put the input from a passphrase prompt into a variable and use
+ # it to unlock multiple devices, but that would require figuring
+ # more things out.
+ #
+ for luks_dev in ${dev}3; do
+ yes YES | cryptsetup luksFormat $luks_dev $luks_dir/host-$HOSTNAME \
+ -c aes-cbc-essiv:sha256 -s 256 || [[ $? == 141 ]]
+ yes "$lukspw" | \
+ cryptsetup luksAddKey --key-file $luks_dir/host-$HOSTNAME \
+ $luks_dev || [[ $? == 141 ]]
+ # background: Keyfile and password are treated just
+ # like 2 ways to input a passphrase, so we don't actually need to have
+ # different contents of keyfile and passphrase, but it makes some
+ # security sense to a really big randomly generated passphrase
+ # as much as possible, so we have both.
+ #
+ # This would remove the keyfile.
+ # yes 'test' | cryptsetup luksRemoveKey /dev/... \
+ # /key/file || [[ $? == 141 ]]
+
+ cryptsetup luksOpen $luks_dev crypt_dev_${luks_dev##/dev/} \
+ --key-file $luks_dir/host-$HOSTNAME
+ done
done
- if md; then
- yes | mdadm --create /dev/$crypt --level=raid0 --force --run \
- --raid-devices=${#devs[@]} ${devs[@]/%/3} || [[ $? == 141 ]]
- fi
-
- yes YES | cryptsetup luksFormat /dev/$crypt $luks_dir/host-$HOSTNAME \
- -c aes-cbc-essiv:sha256 -s 256 || [[ $? == 141 ]]
- yes "$lukspw" cryptsetup luksAddKey --key-file \
- $luks_dir/host-$HOSTNAME /dev/$crypt || [[ $? == 141 ]]
- # this would remove the keyfile. we will do that manually later.
- # yes 'test' | cryptsetup luksRemoveKey /dev/... \
- # /key/file || [[ $? == 141 ]]
- cryptsetup luksOpen /dev/$crypt crypt_dev_$crypt --key-file \
- $luks_dir/host-$HOSTNAME
+ mkfs.btrfs -f ${crypt_devs[@]/%/3}
parted ${devs[0]} set 1 boot on
- mkfs.btrfs -f /dev/mapper/crypt_dev_$crypt
- mount /dev/mapper/crypt_dev_$crypt /mnt
+ mount $crypt /mnt
create_subvols
else
for dev in ${devs[@]}; do
mkfs.ext4 -F ${dev}1
+ cryptsetup luksOpen ${dev}3 crypt_dev_${dev##/dev/}3 \
+ --key-file $luks_dir/host-$HOSTNAME || [[ $? == 141 ]]
done
- yes "$lukspw" | \
- cryptsetup luksOpen /dev/$crypt crypt_dev_$crypt || [[ $? == 141 ]]
sleep 1
- mount -o subvolid=0 /dev/mapper/crypt_dev_$crypt /mnt
+ mount -o subvolid=0 $crypt /mnt
# systemd creates subvolumes we want to delete.
s=($(btrfs subvolume list --sort=-path /mnt |
sed -rn 's#^.*path\s*(root/\S+)\s*$#\1#p'))
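Review bot: The luksFormat call in the new per-device loop keeps `-c aes-cbc-essiv:sha256 -s 256`, a legacy CBC mode that cryptsetup has long since replaced with aes-xts-plain64 as its default, and which the swap entries written to crypttab later in this script already use. I would change it to `-c aes-xts-plain64 -s 512`; XTS splits the key in two, so 512 bits is what gives AES-256. Separately, `yes "$lukspw" |` puts the passphrase in the argument list of `yes`, where it is readable from the process table while the command runs. Feeding it from a builtin, `printf '%s\n' "$lukspw" |`, avoids that, assuming cryptsetup reads the new passphrase only once when stdin is not a terminal, which is worth confirming. The surrounding if/else continues past the end of this hunk.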
create_subvols
fi
-cat > /tmp/fai/crypttab <<EOF
-crypt_dev_$crypt /dev/$crypt none keyscript=/root/keyscript,discard,luks
+
+for dev in ${devs[@]}; do
+ cat >>/tmp/fai/crypttab <<EOF
+crypt_dev_${dev##/dev/}3 ${dev}3 none keyscript=/root/keyscript,discard,luks
EOF
+done
for dev in ${devs[@]}; do
- cat >> /tmp/fai/crypttab <<EOF
+ cat >>/tmp/fai/crypttab <<EOF
swap ${dev}2 /dev/urandom swap,cipher=aes-xts-plain64,size=256,hash=ripemd160
EOF
done
# this is duplicated in arch-init
cat > /tmp/fai/fstab <<EOF
-/dev/mapper/crypt_dev_$crypt / btrfs noatime,subvol=/root 0 0
-/dev/mapper/crypt_dev_$crypt /a btrfs noatime,subvol=/a 0 0
-/dev/mapper/crypt_dev_$crypt /home btrfs noatime,subvol=/home 0 0
+$crypt / btrfs noatime,subvol=/root 0 0
+$crypt /a btrfs noatime,subvol=/a 0 0
+$crypt /home btrfs noatime,subvol=/home 0 0
${devs[0]}1 /boot ext4 noatime 0 2
EOF
cat >/tmp/fai/disk_var.sh <<EOF
-ROOT_PARTITION=\${ROOT_PARTITION:-/dev/mapper/crypt_dev_$crypt}
+ROOT_PARTITION=\${ROOT_PARTITION:-$crypt}
BOOT_PARTITION=\${BOOT_PARTITION:-${devs[0]}1}
BOOT_DEVICE=\${BOOT_DEVICE:-"${devs[0]}"}
SWAPLIST=\${SWAPLIST:-"${devs[@]/%/2}"}
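Review bot: The first write to /tmp/fai/crypttab changed from `>` to `>>` inside the new loop, so nothing truncates the file any more. If a crypttab is left in /tmp/fai from an earlier run, the crypt_dev and swap lines are appended again and any stale mappings survive into the installed system. Adding `: >/tmp/fai/crypttab` before the first loop restores the old truncate-then-append behaviour. The disk_var.sh heredoc continues past the end of this hunk.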