Linux Archive > Gentoo > Gentoo User

08-07-2010, 09:48 AM
Florian Philipp

LVM on LUKS

Hi list!

I'm building a new Gentoo system (notebook) and want to rearrange a few
things. I thought it would be good to have the following layout:

- boot on a normal partition
- root on a normal partition
- one big encrypted partition (dmcrypt / LUKS)
- on that partition an LVM volume group
- on that volume group all stuff not necessary for booting: home, var,
tmp, etc.

AFAIK, the Gentoo boot process is organized so that LVM gets started
before dmcrypt is started. I would need it vice versa.

Is that possible with baselayout-1? Do I need to switch to baselayout-2?

Thanks in advance!
Florian Philipp
 
08-07-2010, 11:11 AM
Alex Schuster

LVM on LUKS

Florian Philipp writes:

> I'm building a new Gentoo system (notebook) and want to rearrange a few
> things. I thought it would be good to have the following layout:
>
> - boot on a normal partition
> - root on a normal partition
> - one big encrypted partition (dmcrypt / LUKS)
> - on that partition an LVM volume group
> - on that volume group all stuff not necessary for booting: home, var,
> tmp, etc.
>
> AFAIK, the Gentoo boot process is organized so that LVM gets started
> before dmcrypt is started. I would need it vice versa.
>
> Is that possible with baselayout-1? Do I need to switch to
> baselayout-2?

I don't know yet if this is possible with baselayout-2. I am using both
methods, but the way you like it had to be hacked a little. Look for the
thread "Self created initramfs cannot work" from June 2009, Dirk Heinrichs
talks about his initfs approach. It's similar to an initramfs, but all the
stuff is simply on the boot partition. It did not work out of the box (for
me), and I never got around to really debug this, but it's sort of
working, and has support for opening LUKS partitions. I think it's a cool
idea, simpler than an initramfs and no need for cpio and its options I
always have to look up. Having the root partition encrypted is also no
problem with this setup.

The advantage is that only one LUKS partition has to be opened. My desktop
system does it the Gentoo way, but it has 23 encrypted LVMs (including
root), which takes quite a while to open. I made it a lot faster by
opening them all in parallel (adding a & at the right location in
/lib/rcscripts/addons/dm-crypt-start.sh), still it's much longer than with
a single LUKS partition. I don't care much about it as the PC is running
all the time, or uses tuxonice, so I seldom reboot.

But apart from the longer boot time, I find this approach simpler. Why do
you like it the other way around?

Wonko
 
08-07-2010, 11:29 AM
Kacper Kopczyński

LVM on LUKS

On 2010-08-07, at 11:48:34,
Florian Philipp <lists@f_philipp.fastmail.net> wrote:

> Hi list!
>
> I'm building a new Gentoo system (notebook) and want to rearrange a
> few things. I thought it would be good to have the following layout:
>
> - boot on a normal partition
> - root on a normal partition
> - one big encrypted partition (dmcrypt / LUKS)
> - on that partition an LVM volume group
> - on that volume group all stuff not necessary for booting: home,
> var, tmp, etc.
>
> AFAIK, the Gentoo boot process is organized so that LVM gets started
> before dmcrypt is started. I would need it vice versa.
>
> Is that possible with baselayout-1? Do I need to switch to
> baselayout-2?
>
> Thanks in advance!
> Florian Philipp
>

I've made my own initramfs to boot.

/boot is a separate partition with ext2, grub, bzImage and
initramfs
/ is ext4 on logical volume on encrypted container
[ext4:lvm:luks:sda2]
swap is on another logical volume, next to /

I used two links as hints to build it:
http://jootamam.net/howto-initramfs-image.htm
http://jootamam.net/howto-basic-cryptsetup.htm

It's important to have all libraries copied to initramfs or to make all
binaries static (ldd). Some time ago I had dropbear in initramfs to
help boot a headless server. Watch out for the pivot_root restriction of
PID == 1.

--
Kacper Kopczyński
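As an added example (not code from the thread or from the linked howtos): a POSIX shell helper that uses ldd, as suggested above, to copy a binary together with every shared object it needs into an initramfs staging root, so an early userspace cryptsetup or lvm does not fail on a missing library. It handles both ldd line shapes and statically linked binaries (ldd reports no libraries); the staging root is an assumption, passed as the second argument.

```shell
#!/bin/sh
# Added example: stage a dynamically linked binary and its libraries into an
# initramfs root. The root directory is whatever the caller passes as $2.
set -eu

# Parse ldd(1) output. Two line shapes occur:
#   libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x...)
#   /lib64/ld-linux-x86-64.so.2 (0x...)
# Prints one absolute path per line; prints nothing for static binaries
# ("not a dynamic executable") and skips "not found" and vdso entries.
list_needed_libs() {
    ldd "$1" 2>/dev/null | awk '
        /=>/       { if ($3 ~ /^\//) print $3; next }
        $1 ~ /^\// { print $1 }'
}

# Copy "$1" plus its libraries under root "$2", preserving absolute paths.
# A static binary is copied alone. Returns 1 if "$1" is not executable.
stage_binary() {
    bin=$1; root=$2
    [ -x "$bin" ] || { echo "not executable: $bin" >&2; return 1; }
    mkdir -p "$root$(dirname "$bin")"
    cp "$bin" "$root$bin"
    list_needed_libs "$bin" | while IFS= read -r lib; do
        # Resolve symlinks so the initramfs carries the real file at the
        # path the loader asks for...
        real=$(readlink -f "$lib")
        mkdir -p "$root$(dirname "$lib")"
        cp "$real" "$root$lib"
        # ...and also at its resolved path (a loader may open either).
        if [ "$real" != "$lib" ]; then
            mkdir -p "$root$(dirname "$real")"
            cp "$real" "$root$real"
        fi
    done
}

# Count the shared objects staged under root "$1" (a sanity check before
# packing the image with cpio).
count_staged_libs() {
    find "$1" -name '*.so*' -type f | wc -l | tr -d ' '
}
```

Run stage_binary for each tool the initramfs needs (the cryptsetup and lvm binaries, a shell), then check count_staged_libs is non-zero before building the cpio archive.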
 
08-07-2010, 11:30 AM
Neil Bothwick

LVM on LUKS

On Sat, 07 Aug 2010 11:48:34 +0200, Florian Philipp wrote:

> - boot on a normal partition
> - root on a normal partition
> - one big encrypted partition (dmcrypt / LUKS)
> - on that partition an LVM volume group
> - on that volume group all stuff not necessary for booting: home, var,
> tmp, etc.

Just use a small (300MB-ish) root partition with no separate boot and
everything else on the LVM.


--
Neil Bothwick

If you think that there is good in everybody, you haven't met everybody.
 
08-11-2010, 05:46 PM
Florian Philipp

LVM on LUKS

On 07.08.2010 11:48, Florian Philipp wrote:
> Hi list!
>
> I'm building a new Gentoo system (notebook) and want to rearrange a few
> things. I thought it would be good to have the following layout:
>
> - boot on a normal partition
> - root on a normal partition
> - one big encrypted partition (dmcrypt / LUKS)
> - on that partition an LVM volume group
> - on that volume group all stuff not necessary for booting: home, var,
> tmp, etc.
>
> AFAIK, the Gentoo boot process is organized so that LVM gets started
> before dmcrypt is started. I would need it vice versa.
>
> Is that possible with baselayout-1? Do I need to switch to baselayout-2?
>
> Thanks in advance!
> Florian Philipp
>

Thanks everyone for your suggestions! However, I decided against using
them for basically two reasons:

1. I want to keep it simple and safe and there are few things more
troublesome than a system which cannot even mount its root.

Therefore I keep root on a normal partition while everything with
possibly valuable information (tmp, var, home, srv) gets encrypted. opt
and usr/local will follow, if necessary.

It is also my reason for not using an initrd.

2. I want as few single points of failure as possible on my system. A
key file would be such a point. Granted, a single volume with a
passphrase is also a SPOF - but one which is less likely to fall prey to
an rm -rf *. (Okay, I have a backup, but I would like to avoid using it.)

Long story short: In the end, I tried baselayout-2 and it works like a
charm. I just configured /etc/conf.d/dmcrypt, added dmcrypt to runlevel
sysinit and then (just for good measure; I don't think it's necessary)
added 'rc_dmcrypt_before="lvm"' to /etc/rc.conf.
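As an added example (not from the thread or from Gentoo's own scripts): a shell check for the layout described above, run against constructed copies of /etc/conf.d/dmcrypt, /etc/rc.conf and /etc/fstab. It verifies that dmcrypt is ordered before lvm, that a LUKS target with a source device is defined, and that the mount points said to hold valuable data sit on the volume group rather than on plain partitions. The target=/source= keys are assumed to be those of Gentoo's dmcrypt init script; the VG name vg0 and the device names are constructed.

```shell
# Added example: sanity-check an "LVM on LUKS" configuration. The conf.d
# key names are an assumption about Gentoo's dmcrypt script; devices, VG
# name and the staging directory are constructed for this example.
set -eu

# Write the constructed sample configuration under staging root "$1".
stage_sample_config() {
    d=$1
    mkdir -p "$d/etc/conf.d"
    cat > "$d/etc/conf.d/dmcrypt" <<'EOF'
target=crypt-lvm
source='/dev/sda3'
EOF
    cat > "$d/etc/rc.conf" <<'EOF'
rc_dmcrypt_before="lvm"
EOF
    cat > "$d/etc/fstab" <<'EOF'
/dev/sda1       /boot   ext2    noauto,noatime  1 2
/dev/sda2       /       ext4    noatime         0 1
/dev/vg0/home   /home   ext4    noatime         0 2
/dev/vg0/var    /var    ext4    noatime         0 2
/dev/vg0/tmp    /tmp    ext4    noatime         0 2
/dev/vg0/srv    /srv    ext4    noatime         0 2
EOF
}

# 0 when rc.conf orders dmcrypt before lvm (lvm may be one of several).
dmcrypt_before_lvm() {
    grep -Eq '^rc_dmcrypt_before="([^"]* )?lvm( [^"]*)?"' "$1/etc/rc.conf"
}

# 0 when conf.d/dmcrypt defines at least one target with a source device.
dmcrypt_has_target() {
    grep -q '^target=' "$1/etc/conf.d/dmcrypt" &&
    grep -q '^source=' "$1/etc/conf.d/dmcrypt"
}

# 0 when every mount point given after root "$1" and VG "$2" is backed by
# a /dev/<vg>/<lv> device in fstab, i.e. lives on the encrypted side.
mounts_on_vg() {
    root=$1; vg=$2; shift 2
    for mp in "$@"; do
        awk -v mp="$mp" -v vg="$vg" \
            '$2 == mp && $1 ~ ("^/dev/" vg "/") { found = 1 }
             END { exit !found }' "$root/etc/fstab" || return 1
    done
}
```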
 
