July 25, 2006
Old Hard Drive: R.I.P.
Well, it finally happened. Over this past weekend, while working to finish migrating data from a failing drive to a new one, I found the end of the rope. I have been unable to recover enough data from the old drive to be able to do anything useful with it and since it was still part of the LVM Volume Group (or VG), the problems it was causing were just too much to deal with.
So, I wiped all of the hard drives for the data VG. I am rebuilding everything from my backups. Ha, I'm sure I got some of you. You thought that perhaps I was going through all those gyrations trying to save my data because I didn't have any backups. Well, I think I'm a little smarter than that :) .
Seriously, though, I had backed up all the stuff that would be difficult to replace/reconstruct as well as all the irreplaceable data. I had things like several Linux distributions' files and .iso images, to make it easy to burn discs and to do network installs (either whole installs or just to have the packages handy). There were mirrors of updates and other software. All of that is easy to replace, though, so I didn't bother backing it up.
The next thing I would like to do for my file server is to pick up another 320GB drive so that I can pair it with the one I have now and migrate everything into an LVM on RAID1 set. Later, I'll add more 320GB drives and convert the RAID1 to RAID5 or RAID6. In the meantime, the 45GB drive is now sitting in the target pile, waiting for the next target shooting outing and the 120GB drive is going to be an online backup store in the file server. That leaves me with only 299GB of storage on my file server.
How will I ever get by? :)
Posted by lamontp at 10:44 AM
July 17, 2006
The LVM Advantage: Migrating Data
The Linux Logical Volume Management system (LVM) is a wonderful piece of technology. In a nutshell, you take disparate storage devices and place them under the control of LVM in a container called a Volume Group (or VG for short). You can then create Logical Volumes (or LV for short) in the VG, which can be formatted, mounted and used, just like any block device. The LVM code will manage everything.
Sometimes, when I'm first introducing students to LVM, they ask me something like, "Why would I ever want to do this? Add an extra layer of complexity and overhead, just to get some fancy looking partitions? No thanks; I'll stick to plain partitions."
First of all, LVM is very efficient, introducing almost zero overhead for most normal operations. Yes, there is a little, but it can be difficult to measure, let alone notice. Second, there are many irritating storage management tasks that are downright child's play to accomplish with LVM in place but quite difficult with just plain partitions.
For example, you can add additional storage and move existing data into it, clearing out old devices without having to shut anything down. Let your programs and users continue to access and manipulate the data. In most cases, they won't even be able to tell you're moving stuff to a new hard drive. Of course, if your system doesn't support hot-plugging of new hard drives, you will have to power down to add the drive physically to the system and again to remove the old one(s).
This is the case with my home file server, so I shut it down to add the new drive (read my recent posts to learn about that adventure). But while I'm moving the data, the entire system is running and available as normal. I can read and write data all over my LVM LVs without worry.
Here's the sequence of events:
- Insert the new drive into the system; if you couldn't hot-swap, boot it back up
- Get to a root shell and create an LVM partition on the new drive (that's partition type 0x8E)
- Run pvcreate /dev/sdb1 (change /dev/sdb1 to the correct device, of course)
- Add the new storage to the VG of your choice (a PV can belong to only one VG) by running vgextend vg0 /dev/sdb1 (change vg0 to an appropriate value)
- Enjoy your expanded storage!
OK. In my case, I want to move everything from all old drives to the one new one, so I'll use a special form of the pvmove command. If I wasn't going to be removing all of the existing devices and was keeping more than just the one drive, I would not specify the second parameter to pvmove. Here is the output from my running of them:
# time pvmove /dev/hde2 /dev/sda1
/dev/hde2: Moved: 0.3%
/dev/hde2: Moved: 0.7%
/dev/hde2: Moved: 1.0%
/dev/hde2: Moved: 1.4%
/dev/hde2: Moved: 1.7%
/dev/hde2: Moved: 2.1%
. . . snip . . .
real 72m23.484s
user 0m4.812s
sys 0m4.116s
# time pvmove /dev/hdg1 /dev/sda1
. . . snip . . .
/dev/hdg1: Moved: 44.2%
/dev/hdg1: Moved: 44.6%
/dev/hdg1: Moved: 45.0%
/dev/hdg1: read failed after 0 of 1024 at 4096: Input/output error
/dev/hdg1: read failed after 0 of 2048 at 0: Input/output error
Failed to read existing physical volume '/dev/hdg1'
Physical volume /dev/hdg1 not found
ABORTING: Can't reread PV /dev/hdg1
ABORTING: Can't reread VG for /dev/hdg1
real 31m23.484s
user 0m2.072s
sys 0m1.772s
I'll talk about the errors in a minute.
As you can see, it can take a while to move that much data, so running them in a screen session is recommended.
With the two-parameter form of pvmove, I'm telling LVM to move the extents off the old drive and onto that one new drive only. Again, except in these kinds of very narrow circumstances, it's better to name only the device to move off of and let LVM decide where the extents go; it will spread them across the free space on the remaining PVs.
OK, so there were some errors running pvmove and it bailed out. (An interrupted pvmove leaves its state in the VG metadata: running pvmove with no arguments resumes it, and pvmove --abort backs it out.) Let's see what we're dealing with:
# pvdisplay /dev/hdc1
/dev/hdc1: read failed after 0 of 2048 at 0: Input/output error
No physical volume label read from /dev/hdc1
Failed to read physical volume "/dev/hdc1"
Uh, oh. Looks like I'm going to have a little difficulty getting this one fixed. I ran a few other commands looking at data LVs that are already mounted and it seems that the corrupted portion of the disk is not affecting any existing data. I did have a /dev/data/up2date LV which I deleted during the installation of SUSE Linux 10.1 (I won't need that Red Hat specific item). Prior to the installation, it was not mountable and fsck couldn't recover it because of drive problems. This was one of the reasons that I decided to get the new drive in the first place.
Hopefully, I'll find a way to verify whether or not there is any other data on that drive that I need to worry about. But as it's getting late, I think I'm about to head off to bed.
Just to finish things off, drop the emptied PV from the VG with vgreduce (vgreduce data /dev/hde2 in my case: the data VG and the 120GB drive's PV). At this point, I can remove the 120GB drive and once I fix up and finish migrating from the 45GB drive, I'll be done. In my case, that means another powering down (so I'll wait till I can pull them both), but it is a home file server, so I don't mind.
It's very nice to have access to all of my data while I'm upgrading my storage system. The impact on other I/O is modest: pvmove works by turning each batch of extents into a temporary device-mapper mirror and syncing it in the background, so ordinary reads and writes keep going against the same LVs, though they do share the disks with the copy while it runs.
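As an added example (my own script, not the post's commands), here is a small shell wrapper for the pvcreate, vgextend, pvmove and vgreduce sequence above, with the check that the two-argument form of pvmove needs: the destination PV must have at least as many free extents as the source has allocated, or the move fails part-way through. The pvs column names are real; the extent counts in the sample are constructed; DRY_RUN=1 prints the plan instead of running it.

```shell
#!/bin/sh
# Added example, not the post's own commands: wraps the pvcreate / vgextend /
# pvmove / vgreduce sequence with a capacity check. Device and VG names follow
# the post (data VG, /dev/hde2, /dev/hdg1, /dev/sda1); the PE counts in
# SAMPLE_PVS are constructed, not measured.

# Echo instead of executing when DRY_RUN=1, so the plan can be reviewed first.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# pe_fits PVS_TEXT SRC DST
# PVS_TEXT is the output of:
#   pvs --noheadings -o pv_name,vg_name,pv_pe_count,pv_pe_alloc_count
# Prints "ok" if every allocated extent on SRC fits in DST's free extents,
# "short N" (returns 1) if N extents are missing, "unknown" (returns 2) if
# either PV is not listed. pvmove SRC DST fails part-way through otherwise.
pe_fits() {
    pvs_text=$1 src=$2 dst=$3
    echo "$pvs_text" | awk -v src="$src" -v dst="$dst" '
        $1 == src { used = $4 }
        $1 == dst { free = $3 - $4 }
        END {
            if (used == "" || free == "") { print "unknown"; exit 2 }
            if (used <= free)             { print "ok";      exit 0 }
            print "short " used - free;    exit 1
        }'
}

# add_pv VG NEWDEV: label the new partition as a PV and join it to the VG.
add_pv() {
    run pvcreate "$2" && run vgextend "$1" "$2"
}

# retire_pv VG OLDDEV [NEWDEV]: empty OLDDEV, drop it from the VG and wipe the
# PV label. Pass NEWDEV only when every other PV is being retired too (the
# two-argument pvmove form); otherwise LVM spreads the extents over the
# remaining PVs.
retire_pv() {
    vg=$1 src=$2 dst=${3:-}
    run pvmove "$src" ${dst:+"$dst"} \
        && run vgreduce "$vg" "$src" \
        && run pvremove "$src"
}

# Constructed sample (4MB extents): the two old drives are full, the new one
# is empty. Real input comes from the pvs command quoted above pe_fits.
SAMPLE_PVS='  /dev/hde2 data 28400 28400
  /dev/hdg1 data 10500 10500
  /dev/sda1 data 76500     0'

echo "hde2 -> sda1: $(pe_fits "$SAMPLE_PVS" /dev/hde2 /dev/sda1)"
DRY_RUN=1 add_pv data /dev/sda1
DRY_RUN=1 retire_pv data /dev/hde2 /dev/sda1
```

Run pe_fits against live pvs output before each pvmove; if it reports "short", extend the VG further or drop the second argument so LVM can use the other PVs.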
Posted by lamontp at 11:15 PM
New Hard Drive? Test It First
As you may have read in my most recent entries, I am updating my home file server, replacing the two existing ATA data drives with a new larger, faster SATA drive.
The old drives are 45GB & 120GB in size, which works out to approximately 41GB and 111GB formatted capacity, for just over 152GB storage. The new drive is a 320GB model, which works out to just over 299GB formatted capacity.
Since the old drives are nearly full, I'm going to be moving a lot of data. As I'm using LVM, I can migrate the data to the new drive with ease, while I have everything online and in use, but I'll cover that later. Before I move the data over, though, I would like to know if the new drive is good. This technique won't tell you for sure (as in life, sometimes there is no certainty), but it's a good indication that things are OK and it gives the new drive a little bit of a workout.
I simply used the badblocks command to test the entire drive (by default it only reads; the -w option does a destructive write-then-read test that gives a new, empty drive a much better workout, but wipes whatever is on it), like so:
# time badblocks -b 4096 /dev/sda > sda.badblocks
real 95m41.158s
user 0m1.764s
sys 3m0.631s
I ran that after connecting remotely to the server from work via SSH. I used screen so that I could disconnect from the session, come home and reconnect later. When I did, I saw that the entire drive was checked in under 96 minutes. Not bad.
Of course, it's always a good sign when there are no error messages on STDERR, but I'll have to check the sda.badblocks file created by my command:
# ls -l sda.badblocks
-rw-r--r-- 1 root root 0 Jul 17 16:38 sda.badblocks
As you can see, the file is empty. So, it looks like my new drive is just fine. That means I'm ready to copy all of my data over to it, but you'll have to read my next post to learn how I'm doing that without interfering with normal operations.
Posted by lamontp at 8:08 PM
July 16, 2006
PCI SATA Controller is Working
In my recent post about creating bootable CD images, I talked about the reasons why I was trying to build a bootable CD: I needed to install an updated BIOS to try and get my new ($19, BTW) PCI SATA controller to show up.
The new card is built using a chipset that, when I first tried the card in my dual Opteron box, lspci did show and identify as a PCI SATA controller.
I decided to try it again in the file server box, so I put the whole thing back together and fired it up, entering a rescue mode using a RHEL 4 ES DVD that was lying close by. Nothing from lspci, so I decided to button up the box (I had it sitting on the back of my desk while working on it) and replace it in the server stack so that I could at least use the storage I had.
Boy, was I in for a pleasant surprise.
"Oh well," I was thinking. "I tried. It just doesn't look like it's going to work on that motherboard. I guess I'll have to start planning on building the next file server. Let's see, I want to have PCIe in it and I want it to be an AMD Opteron, probably supporting multi-core processors... 2 or 4... or the new 8-way from Tyan? Yeah, that would be cool! Of course, RAM isn't an issue as any of the boards that I could use to build that system will support more than I need for a home file server." Wow, all that in the time it took me to get the panels back on and put in most of the screws. Then it hit me, "I forgot to put that Adaptec AHA-3940UW card back in." So I pulled off one panel, remounted the "omitted" card, replaced the panel and finished putting in the screws.
A few moments later, I had the server snugly back on its shelf (I'm not rack mounting, yet :( ) with the KVM cables plugged back in. I powered on the monitor and switched the KVM to the file server while pressing its power button. I needed to select the second kernel to boot (I still haven't fixed the "newest" one), so I sat and watched. That's when it happened.
All of a sudden, there it was, on the screen... the PCI SATA controller card's BIOS, showing it had found the one drive plugged in and that there were no RAID arrays configured (it has some kind of "on-board" RAID0/RAID1 capability, which I'm sure is actually FRAID). "It's... working!?" Wow, cool. I hit <CTRL>+<ALT>+<DELETE> on the keyboard. "Let's see if it does that again." It did.
It's always nice when hardware starts working, but sometimes, it can be a little frustrating not knowing for certain why it suddenly started working. Oh, well, it's running! I'm not complaining one little bit.
The only thing I could think of was that after having initialized the card for its first time in the dual Opteron box and replacing it in the file server system, it was still in the same slot, so the BIOS didn't try to fully rescan the PCI bus as it saw the same device list and, therefore, skipped the card when I had tried the rescue environment and the lspci command didn't show it listed. But when I added the SCSI controller back in (there are no drives on it, but I sometimes hook up external devices), the BIOS did rescan everything and decided it knew what to do with the SATA controller. Well, that's the only theory I have at this point.
So, I rebooted with a SUSE Linux 10.1 CD. When I reached the partitioning, it saw all 4 drives. Yippee! So, I configured the partitioning, reformatting all the partitions that had RHEL 3 on the system LVM VG and creating the mount points for all the data VG's LVs. In fact, I started writing this post before it started installing files and it's already finished, rebooted and been sitting there for at least 5 or 10 minutes until now, when I checked on it. I finished up the installation (there's going to be some more housecleaning and services configuration to do, of course) and then returned to finishing this post.
Posted by lamontp at 11:23 PM
Creating a Bootable CD Image with mkisofs
I've been working on my home file server this weekend. It has had a little over 150GB of storage for about 2.5 years, running RHEL3. About 2 months ago, I picked up a 320GB SATA drive and a PCI SATA controller to upgrade the system.
Unfortunately, there have been a few bumps and bruises on the way to getting the new drive working in my server. To help you understand some of the issues, here are the specs on that box:
- 700MHz AMD Duron processor
- Syntax SV266AD motherboard
- 1GB RAM, 1 DIMM from Crucial
- 4GB Quantum Fireball hard drive (used for OS with separate LVM VG)
- 45GB hard drive (Western Digital WD450AA)
- 120GB hard drive (Western Digital WD1200BB)
In case you were wondering, it was only about $2 more to get a 1GB DIMM than a 256MB DIMM when I bought it and the 45GB & 120GB drives provide the shared storage under LVM.
Not a bad system, but not terribly modern either. For example, my problems begin with the fact that SATA is a newer technology than the Duron boards or, for that matter, RHEL 3 (because it sports the 2.4 version of the kernel).
I've had that Duron processor for over 6 years, but the original motherboard died in April of 2004. That's why I built my dual Opteron workstation (in May, 2004). I let the Duron chip sit for about a year before I bought the new motherboard, which required me to get new RAM as the old one was too specific to the memory controller on the old, now dead, board. I decided the newly resurrected Duron system should be my file server and the old file server hardware now serves as a firewall/router. I was able to just move the 3 hard drives (and a couple of NICs) to the new system and everything came up just fine; no OS reinstall. Man, I love Linux.
Anyway, when I went to install the new SATA hard drive that I had picked up, I decided that I should rearrange the other drives so that when I pull the 120GB & 45GB drives from the box, that there will still be really good airflow around the new drive. As I shuffled the 4 hard drives around in the 6 drive hanging cage (this case has room for another 5 5-1/4 inch and 1 3.5 inch drives), I realized that I was just going to have to do it again, so I arranged things such that I should be able to get the most air over the 4 drives. I'll just move the new one when I pull the old drives out.
But when I hooked everything back up, the system (by which I mean the BIOS) could not see the new SATA controller. To make matters worse, it could no longer see the 4GB system drive either. At that point, however, I had to leave for a few business trips and didn't get around to working on the box again until this past weekend. It turns out that I merely had to reverse the IDE ribbon cable going to the 4GB drive and all is well, with it.
Then, when I booted the system up with the 4GB drive back in view, I got a kernel panic. Looks like the latest kernel which I have installed for RHEL 3 (2.4.22-37.0.1) can't find the root partition at all. That was quickly fixed by editing /boot/grub/menu.lst in a rescue environment; it turned out that there was no value for the root= parameter on the kernel line. After rebooting I get a slightly different kernel panic. It seems there is a misconfiguration in this kernel's initrd so that it can't do the pivot_root(8) properly (it seems like the old_dir it's trying to use doesn't exist). So, I boot into the next previous (2.4.22-37) kernel, which also fails since it can't find anything in the /etc/fstab file.
OK, another trip into the rescue environment and, sure enough, there are zero bytes of content in the /etc/fstab file (/me shakes head). So, I reconstruct the basic lines needed to get the OS up and running, reboot again, and voilà; I finally have a running system. I still had to add a few more lines to /etc/fstab before everything was ready for normal operation, but that only took about 3 minutes.
Still, the BIOS doesn't see the new SATA controller. Perhaps a BIOS update will get things going. I'm thinking that perhaps the BIOS just doesn't have the first clue what kind of card it is, so it doesn't initialize it into the PCI bus. To test this theory, I booted from a handy SUSE Linux 10.1 CD and checked some things out in the installer's partitioning tools and with the command line. No dice, there just is no /dev/sda device appearing at all.
All right, then, let's update the BIOS. Of course, it's a DOS program, so I decided to burn a CD as I don't even have a floppy drive installed on this box and didn't really want to dig one out. My first attempt at creating a bootable CD from a DOS floppy I have used for about a decade failed to boot. I did a little digging to find out what I needed to do to properly create a bootable CD with mkisofs. I came up with this command line:
mkisofs -r -b workdos95.img -c boot.cat -o SV266AD.iso SV266AD-BIOS/
The trick is that the workdos95.img file (created by running dd if=/dev/fd0 of=workdos95.img bs=512 with the working boot floppy in the drive) has to be placed inside the SV266AD-BIOS directory (that's what I named the directory on my hard drive while I was building the CD), because the -b argument is a path relative to the root of the image being built, not to the current directory; the boot catalog named by -c is written by mkisofs into the image itself. That isn't exactly clear from the mkisofs(8) man page.
Burning the resulting ISO9660 image to a blank CD-R produced a working, bootable DOS CD. The oakcdrom.sys DOS driver even works with my Pioneer slot loading DVD drive. I was able to change to the G:\ drive (the CD) and run the BIOS update utility. Sadly, rebooting showed that the newest BIOS still didn't bring up the PCI SATA controller. Nuts.
To satisfy those scratching their heads over the workdos95.img file, WorkDOS is a name I have used for utility boot disks that I have built. They are simply a DOS boot floppy with almost all of the main C:\DOS\ files, a couple of other tools and some CD-ROM & NIC drivers included on a 1.44MB floppy. They have been quite useful over the years, though I haven't used one in a long time.
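As an added example (my script, not the post's), here is the same build wrapped with the two checks that would have saved the guesswork: that the boot image really is inside the tree being imaged, since -b is a path relative to the root of the ISO, and that it is a 1200, 1440 or 2880 KB image, which is what El Torito floppy emulation requires. The directory and file names follow the post; the demo image is constructed, and MKISOFS=echo stands in for the real mkisofs.

```shell
#!/bin/sh
# Added example, not the post's own command line: builds the same kind of
# El Torito floppy-emulation CD, but first checks the two things that make
# such builds fail or come out unbootable. Names (SV266AD-BIOS, workdos95.img,
# SV266AD.iso) follow the post; the image used in the demo is constructed.

# check_boot_image IMG DIR
# IMG must sit inside DIR, because mkisofs -b takes a path relative to the
# root of the ISO being built, not to the current directory. Floppy
# emulation also needs IMG to be exactly a 1200, 1440 or 2880 KB image.
# Prints the path to hand to -b on success.
check_boot_image() {
    img=$1 dir=${2%/}
    case "$img" in
        "$dir"/*) ;;
        *) echo "$img is not inside $dir; put the floppy image in the tree" >&2; return 1 ;;
    esac
    size=$(wc -c < "$img" | tr -d ' ')
    case "$size" in
        1228800|1474560|2949120) ;;
        *) echo "$img is $size bytes, not a 1200/1440/2880 KB floppy image" >&2; return 1 ;;
    esac
    echo "${img#"$dir"/}"
}

# build_boot_iso IMG DIR OUT: run mkisofs as in the post, with the boot image
# path made relative. MKISOFS=echo shows the command instead of running it.
build_boot_iso() {
    img=$1 dir=${2%/} out=$3
    rel=$(check_boot_image "$img" "$dir") || return 1
    ${MKISOFS:-mkisofs} -r -b "$rel" -c boot.cat -o "$out" "$dir"
}

# Demo with a constructed (all-zero) 1.44MB image and mkisofs replaced by
# echo. A real build would dd the working boot floppy into the tree first:
#   dd if=/dev/fd0 of=SV266AD-BIOS/workdos95.img bs=512
demo=$(mktemp -d)
mkdir "$demo/SV266AD-BIOS"
dd if=/dev/zero of="$demo/SV266AD-BIOS/workdos95.img" bs=512 count=2880 2>/dev/null
MKISOFS=echo build_boot_iso "$demo/SV266AD-BIOS/workdos95.img" "$demo/SV266AD-BIOS/" SV266AD.iso
rm -r "$demo"
```

Drop the MKISOFS=echo prefix to produce the real image; the check refuses a truncated or mis-sized floppy dump before mkisofs gets to it.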
The next test is to pull out the card and drive, plug them into my dual Opteron box (which has 4 SATA ports on board) and make sure the drive is good and see if the card is visible. I'm working on that now.
Perhaps I have a bad card. Maybe this BIOS will never be able to see it. Either way, the next iteration of my home file server will make use of a way cool SATA controller; the 3ware 9590SE-16ML. Oh, yeah :) !
Posted by lamontp at 7:55 PM
July 11, 2006
Macromedia Flash on FC5
Last year, I wrote a post providing instructions on how to manually install the Macromedia Flash plugin for Linux so that it would work with all of your browsers.
As my good friend Doran Barton pointed out in a comment on my previous post, there are RPMs available to provide the Flash plugin. At the time I wrote that post, I had tried using that RPM for the current release of Fedora Core which I had recently installed, but it didn't work for me. Additionally, other instructions & HOWTOs that I had found on the Internet didn't work for all of my browsers. As I do some web stuff, I like to keep several working browsers around for testing.
When Fedora Core 4 came out (in May of 2005), I continued to use the instructions I had written to make Flash available in all of my browsers. A couple of months later, I found that the mplug yum repo (which Doran had suggested using) now worked for me and that it installs the Flash plugin such that it works with all the browsers I have installed.
When I upgraded to FC5, I found that the same RPM works there, too. You can download the .repo file, which should be placed into your /etc/yum.repos.d/ directory, then run yum install flash-plugin as root.
I did run into a website recently that required Flash 8, which is not available for Linux. It's doubtful that the complications in porting Flash Player 8 to Linux will be overcome, however, it looks like Flash Player 8.5 will be made available for Linux.
So, I would highly recommend using the mplug Macromedia yum repository. But if it doesn't work for you, refer back to my instructions for manually setting up Flash for all of your browsers.
If you experience any troubles with the Flash plugin in your browsers, check out the FAQ at mplug, which has some good tips for dealing with common issues. For those of you using FC5, there is a note in the FAQ about font issues that could apply to your situation. There are also notes regarding installing the flash plugin with other distributions.
Posted by lamontp at 9:25 AM
July 10, 2006
Swap Happy NICs on FC5
When Red Hat's system-config-network or netconfig tools (on either RHEL or Fedora) create /etc/sysconfig/network-scripts/ifcfg-ethX files, they always add a HWADDR=xx:xx:xx:xx:xx:xx line carrying the MAC address of the interface being configured. There have been a couple of times that I have run into trouble because of that line.
When ifup finds the HWADDR variable in an ifcfg-foo file, it uses the value to verify that it is configuring the correct interface. If it doesn't match, it bails out. Because of this, I have often told students that if they expect to be swapping NICs or if they run into a problem where ifup refuses to configure the interface, to try removing (or commenting out) the HWADDR line entirely. I have even gotten into the habit of just removing it on my own personal servers, workstations & notebooks.
However, not having HWADDR in my /etc/sysconfig/network-scripts/ifcfg-ethX files on my notebook actually caused me a little bit of trouble, today.
Running Fedora Core 5 (FC5), I saw my NICs swap places during bootup. This happened first a few weeks ago, and only happened once, so I figured it was probably a fluke. Then, Clint's new notebook did it several times to him. When it happened to me again this morning, I decided to dig a little deeper.
Looking at the changelog for the latest updated version of the initscripts package (which /etc/rc.sysinit is part of), shows:
* Fri Jul 07 2006 Bill Nottingham <HIDDEN EMAIL> 8.31.5-1
- backport cups startup fix (#189168)
* Fri Jun 30 2006 Bill Nottingham <HIDDEN EMAIL> 8.31.4-1
- backport bridge fixes (#187100)
- ignore alias devices in rename_device (#186355)
* Fri Mar 17 2006 Bill Nottingham <HIDDEN EMAIL> 8.31.2-1
- add udev helper to rename network devices on device creation
So, I checked out https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=186355. Although the issues that bug's reporter (and others) were having was related to the use of Virtual Interfaces, it touched on things that could help explain the error I was seeing. A little more digging around on Bugzilla didn't produce any useful results right away, however, and as I'm teaching Guru Labs' GL510 Network Security course (which is rather in-depth), I didn't have time to do any more digging right then. So, I sent a quick little email to Bill Nottingham at Red Hat, asking if he's been seeing this problem. This was his response:
Lamont R. Peterson said:
> A couple of weeks ago, my notebook's two interfaces (eth0 3C920, eth1 IPW2915)
> came up swapped (wireless eth0 wired eth1). It only happened the once, until
> today, to me. One of my co-workers saw it several times last week. A couple
> of other people I know have seen this happen once in the last month or so,
> like I did.
>
> Looking at the changelog for initscripts, I see that /etc/rc.sysinit has seen
> some changes regarding udev and device renaming for NICs.
Yep. Stock answer is to make sure you have HWADDR= correct in all your
ifcfg-XXXX files, and upgrade to the current FC5 update (8.31.5) initscripts.
Basically, udev can load/initialize interfaces in random order, so we
need code to try and get them back in the order they're configured.
Bill
So, I've added the HWADDR lines back in on my notebook. Unfortunately, it'll be hard to test if that fixes such an intermittent issue, but, I think that this is the "right" fix for my notebook.
I'm also amending my advice to students in the future. Thanks to udev and the way things now work, it doesn't matter very much what alias lines you have in your /etc/modprobe.conf file; udev will bring the interfaces up in whatever order it sees fit, and the HWADDR line is what lets initscripts put each configuration back on the NIC it was written for. That matters more on a firewall or router than on a notebook: if eth0 and eth1 trade places, the addresses and rules meant for the trusted side land on the untrusted one.
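As an added example (my own script, not part of the post or of initscripts), here is a small audit that does the same comparison ifup does: it checks each ifcfg-eth* file's HWADDR against the address the kernel reports in /sys/class/net, and can pin a config to its NIC by writing the HWADDR line. The demo runs on a constructed config and constructed MAC addresses in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the post: audits /etc/sysconfig/network-scripts/
# ifcfg-eth* against the MAC addresses the kernel reports in /sys/class/net,
# and pins a config to its NIC by writing HWADDR. The demo below uses a
# constructed config and constructed MAC addresses in a temporary directory.

# hwaddr_check CFG ADDR_FILE
# Compares HWADDR in an ifcfg file with the address in ADDR_FILE (normally
# /sys/class/net/ethX/address). ifup makes the same comparison and refuses to
# configure the interface on a mismatch, which is what keeps eth0's settings
# off eth1 when udev brings the cards up in a different order.
# Prints "match", "missing ACTUAL" (returns 1) or "mismatch CFG ACTUAL" (2).
hwaddr_check() {
    cfg=$1
    actual=$(tr 'A-Z' 'a-z' < "$2")
    want=$(sed -n 's/^HWADDR=//p' "$cfg" | tr -d '"' | tr 'A-Z' 'a-z')
    if [ -z "$want" ]; then
        echo "missing $actual"; return 1
    elif [ "$want" = "$actual" ]; then
        echo "match"; return 0
    else
        echo "mismatch $want $actual"; return 2
    fi
}

# hwaddr_pin CFG ADDR_FILE: add or replace the HWADDR line in CFG with the
# address from ADDR_FILE.
hwaddr_pin() {
    cfg=$1
    actual=$(tr 'A-Z' 'a-z' < "$2")
    { grep -v '^HWADDR=' "$cfg" || true; } > "$cfg.tmp"
    echo "HWADDR=$actual" >> "$cfg.tmp"
    mv "$cfg.tmp" "$cfg"
}

# hwaddr_audit [SCRIPTS_DIR] [SYSFS_NET_DIR]
# Checks every ifcfg-eth* file; returns 1 if any is unpinned or pinned to a
# MAC that no longer matches (for instance after a NIC swap).
hwaddr_audit() {
    scripts=${1:-/etc/sysconfig/network-scripts} sysfs=${2:-/sys/class/net} rc=0
    for cfg in "$scripts"/ifcfg-eth*; do
        [ -f "$cfg" ] || continue
        dev=$(sed -n 's/^DEVICE=//p' "$cfg" | tr -d '"')
        [ -n "$dev" ] || dev=${cfg##*/ifcfg-}
        if [ -r "$sysfs/$dev/address" ]; then
            result=$(hwaddr_check "$cfg" "$sysfs/$dev/address") || rc=1
        else
            result="no such interface"; rc=1
        fi
        echo "$dev: $result"
    done
    return $rc
}

# Demo: a wired NIC pinned correctly, a wireless one left unpinned.
demo=$(mktemp -d)
mkdir -p "$demo/scripts" "$demo/sys/eth0" "$demo/sys/eth1"
echo 00:0a:5e:4c:2e:12 > "$demo/sys/eth0/address"   # constructed MACs
echo 00:0e:35:7f:10:a3 > "$demo/sys/eth1/address"
printf 'DEVICE=eth0\nBOOTPROTO=dhcp\nONBOOT=yes\n' > "$demo/scripts/ifcfg-eth0"
printf 'DEVICE=eth1\nBOOTPROTO=dhcp\nONBOOT=yes\n' > "$demo/scripts/ifcfg-eth1"
hwaddr_pin "$demo/scripts/ifcfg-eth0" "$demo/sys/eth0/address"
hwaddr_audit "$demo/scripts" "$demo/sys" || echo "audit found problems (expected: eth1 is unpinned)"
rm -r "$demo"
```

Run hwaddr_audit with no arguments on a live system; a "missing" result is a config that udev's ordering can hand to the wrong card, and hwaddr_pin fixes it with the MAC of the card it is currently on.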
Posted by lamontp at 3:37 PM
July 7, 2006
Encrypting Partitions on a Fedora Core Notebook
(Ed. I originally wrote this in August of 2005, but never published it, planning on reworking it to use dm-crypt instead. Unfortunately, with all the traveling and other things keeping me busy here at Guru Labs, I've still not gotten around to it, so, I decided to publish this version as is. I should have the dm-crypt version written as a new Guru Guide, soon.)
Working for Guru Labs, I travel many tens of thousands of miles per year. I go through airports and fly all over North America. In all this traveling, I have never had to deal with the loss or theft of a notebook computer. Hopefully, my luck will hold for many years (decades?) to come.
Of course, I'm not going to just say, "Well, I'll never have to worry about that!," and call it "security". I have data on my notebook that I would not want to lose. If my notebook was lost or stolen, I have all that data on other systems and could reconstruct it (well, almost all that data).
However, some of it should never be allowed to fall into the "wrong" hands, either. Encryption is a good answer to this problem.
There are several different ways that one could use encryption to protect files on a system. Individual files could be encrypted and decrypted, as needed. This approach, while relatively simple to implement, is rather tedious for the user and error-prone; important files must be re-encrypted after each use in order to ensure they remain protected.
A better approach is to have the filesystem encrypt individual files, transparently. A user would "mark" those files that should be encrypted and the filesystem would provide transparent access. This approach would be ideal for many reasons, including the fact that only the important data is being encrypted, therefore minimizing the load on the system required to deal with encryption. Unfortunately, this approach also requires filesystem support, which is not very common. Also, other tools like standard file open/save dialog boxes would have to be altered to support this capability so users could (un)mark files for encryption.
The approach I have taken is to create a special, encrypted partition and place a filesystem on top of that. The Linux kernel has supported encrypted filesystems through a mechanism called cryptoloop for many years now. However, cryptoloop is deprecated and will be removed at some future point (of course, we've known this for quite some time and cryptoloop is still around, so it may or may not be a while before it is removed). The replacement is called dm-crypt, which is a device-mapper module.
Before I get into how to add support for boot-time cryptoloop mounting to Fedora Core, it is important to note that there are some weaknesses in cryptoloop. These weaknesses are not in the encryption algorithms used; they are in how cryptoloop uses them. The sector number is used directly as the CBC initialization vector, which permits watermarking attacks (someone who can get a specially crafted file onto the volume can later recognize its presence on the raw encrypted disk), and stock losetup does no salting or stretching of the passphrase, so guessing attacks are as cheap as the passphrase is weak. As far as I am aware, they have not led to any exploits which could compromise the encrypted data. However, one should not trust classified data to cryptoloop. These are the problems that dm-crypt with ESSIV and the LUKS header format (salted, iterated passphrase hashing) were designed to fix.
First, you will need to create a cryptoloop encrypted filesystem. This is done using the losetup command (see losetup(8) for full details). Before losetup can be used to create an encrypted filesystem, you will need to load a couple of kernel modules:
# modprobe cryptoloop
# modprobe aes
After these modules are loaded, use losetup to create an encrypted partition (note, in this example, I am using an LVM logical volume; you can use any block device you like):
# losetup -e aes /dev/loop0 /dev/vg0/secure
Password: Enter a passphrase here
Of course, I do not want you to tell me what passphrase you use. More importantly, it is recommended that your passphrase be at least 20 characters long: cryptoloop's losetup does not salt or stretch the passphrase, so what you type is, in effect, the key, and its length and randomness are the whole defense. Cryptographically strong passwords are always a good idea.
Now you have a loopback device (/dev/loop0, in this example) that is encrypted on disk. The cryptoloop driver presents a standard block device on the loopX device node. This device can be formatted and mounted just like any other block device:
# mkreiserfs /dev/loop0
mkreiserfs 3.6.13 (2003 www.namesys.com)
. . . snip . . .
ATTENTION: YOU SHOULD REBOOT AFTER FDISK!
ALL DATA WILL BE LOST ON '/dev/loop0'!
Continue (y/n):y
Initializing journal - 0%....20%....40%....60%....80%....100%
Syncing..ok
ReiserFS is successfully created on /dev/loop0.
The encrypted filesystem is ready to use. Simply mount and use the new filesystem (create the mountpoint with the mkdir command first, as needed):
# mkdir /secure
# mount /dev/loop0 /secure/
After you have copied/moved some data over to your new encrypted filesystem, unmount it and remove the cryptoloop device, thus "locking" the partition:
# umount /secure/
# losetup -d /dev/loop0
Until you run losetup -d, the loop device stays set up and the filesystem can be mounted again without entering the passphrase, so unmounting alone does not lock anything.
To mount existing encrypted partitions, simply run losetup to setup the loop device and mount it:
# losetup -e aes /dev/loop0 /dev/vg0/secure
Password: Enter the correct passphrase here
# mount /dev/loop0 /secure/
(NOTE: If the mount command fails, it is usually due to a mistyped passphrase; run losetup -d /dev/loop0 to delete the device and try again, in that case.)
It is not necessary to run these commands when shutting down the system, as the normal system shutdown process will take care of umount'ing the partition and the reboot (or system halt) itself will close the cryptoloop device.
"OK. So now I have this encrypted partition and I know these commands to run to manually mount it, but I want this thing to be taken care of when I boot my notebook." Well, I'm glad you mentioned that; here is how I solved that problem:
First, I edited /etc/rc.sysinit and made this addition (lines 488 through 491 are the addition, the rest is for context, and the line numbers are for the version of this file on FC4 for x86):
483 # Mount all other filesystems (except for NFS and /proc, which is already
484 # mounted). Contrary to standard usage,
485 # filesystems are NOT unmounted in single user mode.
486 action $"Mounting local filesystems: " mount -a -t nonfs,nfs4,smbfs,ncpfs,cifs,gfs -O no_netdev
487
488 # Mount cryptoloop filesystems
489 if [ -r /etc/cryptotab ]; then
490 action $"Mounting encrypted filesystems: " /sbin/cryptomount
491 fi
492
493 if [ -x /sbin/quotaon ]; then
494 action $"Enabling local filesystem quotas: " /sbin/quotaon -aug
495 fi
496
497 # Check to see if a full relabel is needed
Next, I created the /sbin/cryptomount script, which can be downloaded from the Guru Labs Downloads page. I wrote that script, basing it on the one shipped by SUSE with their distributions (which have supported encrypted filesystems out of the box for years).
The last thing to do is to create the /etc/cryptotab file. In this file, each line describes one encrypted filesystem that should be mounted when the cryptomount command is run. The format of this file is (which is identical to that used by SUSE's built in encrypted filesystem support):
# Loop device  Physical device  Mountpoint  fs-type  Algorithm  fs-options
/dev/loop0 /dev/vg0/secure /secure reiserfs aes defaults
That's it. With these changes, the system will prompt for the passphrase for each encrypted filesystem described in your /etc/cryptotab file during bootup.
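As an added example covering both the manual losetup/mount steps above and the boot-time hook, here is a cryptomount script of my own for the /etc/cryptotab format just described. It is not the Guru Labs download the post refers to, and it makes one addition the manual steps only hint at: when mount fails, which is how a mistyped passphrase shows up, it tears the loop device down and prompts again, up to three times, and returns non-zero so the action wrapper in rc.sysinit reports the failure. The demo uses a constructed cryptotab in a temporary file and DRY_RUN=1 to print the commands instead of running them.

```shell
#!/bin/sh
# Added example: a cryptomount script of my own for the /etc/cryptotab
# format shown above. It is not the Guru Labs download the post refers to.
# The demo uses a constructed cryptotab in a temporary file and prints the
# commands (DRY_RUN=1) instead of running them.

# Echo instead of executing when DRY_RUN=1.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# mount_one LOOP DEV MNT FS ALG OPTS
# Sets up the cryptoloop device and mounts it. losetup reads the passphrase
# from the terminal; a wrong passphrase yields an unreadable device, so the
# first sign of a typo is mount failing. In that case the loop device is torn
# down (otherwise the next losetup finds it busy) and the user gets two more
# attempts.
mount_one() {
    loop=$1 dev=$2 mnt=$3 fs=$4 alg=$5 opts=${6:-defaults} tries=0
    while [ "$tries" -lt 3 ]; do
        tries=$((tries + 1))
        if run losetup -e "$alg" "$loop" "$dev" \
           && run mount -t "$fs" -o "$opts" "$loop" "$mnt"; then
            return 0
        fi
        run losetup -d "$loop" 2>/dev/null || true
        echo "mount of $mnt failed (attempt $tries of 3); check the passphrase" >&2
    done
    return 1
}

# cryptomount [CRYPTOTAB]
# Each non-comment line: loopdev blockdev mountpoint fstype cipher options
# Returns non-zero if any entry could not be mounted, so the rc.sysinit
# action line shows FAILED instead of silently continuing.
cryptomount() {
    tab=${1:-/etc/cryptotab} rc=0
    run modprobe cryptoloop
    while read -r loop dev mnt fs alg opts; do
        case "$loop" in ''|\#*) continue ;; esac
        run modprobe "$alg"        # cipher module, e.g. aes
        mount_one "$loop" "$dev" "$mnt" "$fs" "$alg" "$opts" || rc=1
    done < "$tab"
    return $rc
}

# Demo on a constructed cryptotab matching the post's single entry.
tab=$(mktemp)
printf '%s\n' \
  '# Loop device  Physical device  Mountpoint  fs-type  Algorithm  fs-options' \
  '' \
  '/dev/loop0 /dev/vg0/secure /secure reiserfs aes defaults' > "$tab"
DRY_RUN=1 cryptomount "$tab"
rm -f "$tab"
```

Installed as /sbin/cryptomount and called from the rc.sysinit hook above with no arguments, it reads /etc/cryptotab; the loop reads from the file, so losetup's passphrase prompt (which uses the terminal directly) is not disturbed.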
Note: It looks like at least SUSE Linux 10.1 (and probably OpenSUSE 10.0) have switched to using dm-crypt in a way that is now slightly incompatible with the technique described here. (Ed. They are actually using cryptoloop still, but don't load the aes kernel module which is why the SUSE 10.1 tools can't just setup access to the cryptoloop encrypted filesystem on my notebook, which was created for Fedora using the technique found here.)
Posted by lamontp at 11:45 AM