
Re: Using anaconda over an existing LUKS-encrypted partition



On Thu, 2010-05-27 at 17:37 -0400, rh 30 miller_2555 spamgourmet com
wrote:
> Hi - 
>     I've scoured the web to find an answer for this, but haven't found
> an answer: Is anaconda able to install into LVM logical volumes over a
> LUKS-encrypted partition?

Is it a requirement that the LVM setup be configured prior to install,
as opposed to using anaconda/kickstart to create it? If not,
anaconda/kickstart can create such a setup for you -- all you need to do
is add --encrypted to the pv line in your kickstart (provided you did
not also pass --noformat). If you require that the LVM configuration
exist prior to running kickstart, read on.

> 
> The Detail:
>      - One drive (sda) divided into two partitions /boot (sda1) and
> the remainder (sda2) using gparted (formatted in ext4)
>      - Ran: `cryptsetup luksFormat /dev/sda2` with customized hash/
> cipher (also tried using "aes-xts-plain" cipher w/ key-size of 512 and
> sha1 hash)

The cipher/hash used by preexisting encrypted devices shouldn't matter,
as long as the kernel modules are present in the installer's runtime
environment (which they should be).

>      - Created a LVM2 physical volume and volume group (named
> vg_primary) encompassing all of sda2
>      - Created four logical volumes (lv_root, lv_home, lv_log, and
> lv_swap), formatted with ext4, except lv_swap -- formatted in mkswap)
> 
> The current kickstart script (abridged) contains the following:
>      # Identify /boot
>      part /boot --onpart=sda1 --asprimary

The --asprimary option won't do anything here -- that's for partitions
you're creating from kickstart.

>      # Identify the LVM physical volume (on the encrypted device)
>      part pv.0 --onpart=mapper/dm-root --noformat

The above line should be omitted.

>      # Identify the LVM volume group
>      volgroup vg_primary pv.0 --noformat

The above line should also be omitted. As long as you don't have any
clearpart commands anaconda will find your encrypted PV and, if you
provide a passphrase to unlock it, find the VG and the LVs it contains.
All that's left for you to do is specify the filesystems and/or
mountpoints for the LVs, as below.

>      # Identify the LVM logical volumes
>      logvol / --vgname=vg_primary --name=lv_root --noformat

Are you sure you don't want to reformat the root filesystem? You're
begging for trouble here.

>      logvol /var/log --vgname=vg_primary --name=lv_log --noformat
>      logvol /home --vgname=vg_primary --name=lv_home --noformat
> 
>      # Pre-script
>      %pre
>           #!/bin/bash
>           #  Cycle LUKS/ LVM to ensure mountings
>           # - - - - Unmount
>           umount /media/*
>           umount /mnt/*
>           vgchange --available n --ignorelockingfailure
>           cryptsetup luksClose dm-root
>           # - - - - Mount
>           echo -ne "fakepw" | cryptsetup --key-file=-
> luksOpen /dev/sda2 dm-root
>           dmsetup mknodes
>           vgscan --ignorelockingfailure
>           vgchange --available y --ignorelockingfailure
>      %end

The above script won't work. There's no way to use preexisting encrypted
devices without interactively entering the passphrase.

> 
> However, the anaconda script fails with:
>      "No preexisting partition with the name "mapper/dm-root" was
> found
> 
> Is the kickstart script incorrect, or is installation in this manner
> feasible? Also - Is there an option to script the unattended unlock
> of storage media in anaconda (as opposed to typing it in during the
> install)

There is currently no way to specify the key/passphrase other than
through the installer's graphical or text user interface.

Dave

> 
> Thanks! 
> _______________________________________________
> Anaconda-devel-list mailing list
> Anaconda-devel-list redhat com
> https://www.redhat.com/mailman/listinfo/anaconda-devel-list
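To make Dave's two alternatives concrete, here is an added kickstart example that is not part of the thread and was not posted by either participant. Variant A lets anaconda create the LUKS container, PV, VG and LVs itself by adding --encrypted to the pv line (Dave's first suggestion); Variant B keeps the preexisting LUKS/LVM layout from the original post and drops the pv.0 and volgroup lines so that anaconda discovers them after the passphrase is entered interactively. The disk name sda, the VG and LV names are taken from the thread; the sizes, the ext4 filesystem type on the logvol lines and the handling of lv_swap are assumptions made for the example.

```kickstart
# ---- Variant A: anaconda creates LUKS + LVM from scratch -----------------
# clearpart is fine here because nothing on the disk is to be preserved.
clearpart --all --initlabel --drives=sda
part /boot --fstype=ext4 --size=500 --ondisk=sda
# --encrypted makes anaconda wrap this PV in a LUKS container; without a
# passphrase option the installer prompts for the passphrase in its UI.
# Do NOT combine --encrypted with --noformat.
part pv.0 --size=1 --grow --ondisk=sda --encrypted
volgroup vg_primary pv.0
logvol /        --vgname=vg_primary --name=lv_root --fstype=ext4 --size=8192
logvol /var/log --vgname=vg_primary --name=lv_log  --fstype=ext4 --size=2048
logvol /home    --vgname=vg_primary --name=lv_home --fstype=ext4 --size=1 --grow
logvol swap     --vgname=vg_primary --name=lv_swap --size=2048   # assumed size

# ---- Variant B: LUKS + LVM already exist (layout from the original post) --
# No clearpart at all, otherwise the preexisting PV would be wiped.
# No "part pv.0 ..." and no "volgroup ..." line: anaconda finds the encrypted
# PV on sda2 and, once the passphrase is typed in during install, the VG and
# its LVs. Only the mountpoints (and filesystems) of the LVs are declared.
part /boot --onpart=sda1 --noformat
# Root is reformatted (no --noformat), as Dave recommends.
logvol /        --vgname=vg_primary --name=lv_root --fstype=ext4
logvol /var/log --vgname=vg_primary --name=lv_log  --noformat
logvol /home    --vgname=vg_primary --name=lv_home --noformat
logvol swap     --vgname=vg_primary --name=lv_swap --noformat   # assumed LV
```

Only one of the two variants goes into a real kickstart file. In both cases the LUKS passphrase is supplied through the installer's interface, matching Dave's answer that there is no unattended unlock for a preexisting encrypted device; the %pre script from the original post is therefore left out entirely.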


