Difference between pages "OpenSSH Key Management, Part 3" and "ZFS Install Guide"

(Difference between pages)
(Created page with "{{Article |Subtitle=Agent Forwarding |Summary=In this third article in a series, Daniel Robbins shows you how to take advantage of OpenSSH agent connection forwarding to enhan...")
 
(Extlinux (Optional if you are using another bootloader))
 
Line 1: Line 1:
{{Article
+
== Introduction ==
|Subtitle=Agent Forwarding
+
|Summary=In this third article in a series, Daniel Robbins shows you how to take advantage of OpenSSH agent connection forwarding to enhance security. He also shares recent improvements to the keychain shell script.
+
|Author=Drobbins
+
|Previous in Series=OpenSSH Key Management, Part 2
+
}}
+
Many of us use the excellent OpenSSH as a secure, encrypted replacement for the venerable telnet and rsh commands. One of OpenSSH's more intriguing features is its ability to authenticate users using the RSA and DSA authentication protocols, which are based on a pair of complementary numerical "keys." One of the main appeals of RSA and DSA authentication is the promise of being able to establish connections to remote systems without supplying a password. For more background, see the previous installments of this series on OpenSSH key management, which cover RSA/DSA authentication (Part 1) and ssh-agent and keychain (Part 2), respectively.
+
  
Since Part 2 was published on developerWorks in September 2001, and later referenced on Slashdot and Freshmeat (see Resources later in this article for links to these sites), a lot of people have started using keychain, and it's undergone a lot of changes. I've received approximately 20 or so high-quality patches from developers around the world. I've incorporated many of these patches into the keychain source, which is now at version 1.8 (see Resources). I send my sincere thanks to all those who submitted patches, bug reports, feature requests, and notes of appreciation.
+
This tutorial will show you how to install Funtoo on ZFS (rootfs). This tutorial is meant to be an "overlay" over the [[Funtoo_Linux_Installation|Regular Funtoo Installation]]. Follow the normal installation and only use this guide for steps 2, 3, and 8.
  
=== Tightening ssh security ===
+
=== Introduction to ZFS ===
  
In my last article, I've spent some time discussing the security benefits and tradeoffs of running ssh-agent. A few days after the second article appeared on developerWorks, I received an e-mail from Charles Karney of Sarnoff Corporation, who politely informed me of OpenSSH's new authentication agent forwarding abilities, which we'll take a look at in a bit. In addition, Charles emphasized that running ssh-agent on untrusted machines is quite dangerous: if someone manages to get root access on the system, then your decrypted keys can be extracted from ssh-agent. Even though extracting the keys would be somewhat difficult, it is within the skill of professional crackers. And the mere fact that private key theft is possible means that we should take steps to guard against it happening in the first place.
+
Since ZFS is a new technology for Linux, it can be helpful to understand some of its benefits, particularly in comparison to BTRFS, another popular next-generation Linux filesystem:
  
To formulate a strategy to protect our private keys, we must first put the machines we access into one of two categories. If a particular host is well-secured or isolated -- making successful root exploit against it quite unlikely -- then that machine should be considered a trusted host. If, however, a machine is used by many other people or you have some doubts about the security of the system, then the machine should be considered an untrusted host. To guard your private keys against extraction, ssh-agent (and thus keychain) should never be run on an untrusted host. That way, even if the system's security is compromised, there will be no ssh-agent around for the intruder to extract keys from in the first place.
+
* On Linux, the ZFS code can be updated independently of the kernel to obtain the latest fixes. btrfs is exclusive to Linux and you need to build the latest kernel sources to get the latest fixes.
  
However, this creates a problem. If you can't run ssh-agent on untrusted hosts, then how do you establish secure, passwordless ssh connections from these systems? The answer is to only use ssh-agent and keychain on trusted hosts, and to use OpenSSH's new authentication forwarding abilities to extend passwordless authentication to any untrusted hosts. In a nutshell, authentication forwarding works by allowing remote ssh sessions to contact an ssh-agent running on a trusted system.
+
* ZFS is supported on multiple platforms. The platforms with the best support are Solaris, FreeBSD and Linux. Other platforms with varying degrees of support are NetBSD, Mac OS X and Windows. btrfs is exclusive to Linux.
  
=== Authentication agent forwarding ===
+
* ZFS has the Adaptive Replacement Cache replacement algorithm while btrfs uses the Linux kernel's Last Recently Used replacement algorithm. The former often has an overwhelmingly superior hit rate, which means fewer disk accesses.
  
To get an idea of how authentication forwarding works, let's first take a look at a hypothetical situation where user drobbins has a trusted laptop called lappy, a trusted server called trustbox, and two other untrusted systems that he must access, called notrust1 and notrust2, respectively. Currently, he uses ssh-agent along with keychain on all four machines, as follows:
+
* ZFS has the ZFS Intent Log and SLOG devices, which accelerates small synchronous write performance.
  
[[FIle:l-ssh-3.jpg|center|frame|ssh-agent running on trusted and untrusted machines]]
+
* ZFS handles internal fragmentation gracefully, such that you can fill it until 100%. Internal fragmentation in btrfs can make btrfs think it is full at 10%. Btrfs has no automatic rebalancing code, so it requires a manual rebalance to correct it.
  
The problem with this approach is that if someone gains root access on notrust1 or notrust2, then it is of course possible for this person to extract keys from the now vulnerable ssh-agent process. To fix this, drobbins stops running ssh-agent and keychain on untrusted hosts notrust1 and notrust2. In fact, to be even more careful, drobbins decides to only use ssh-agent and keychain on lappy. This limits exposure of his decrypted private keys, protecting him against private key theft:
+
* ZFS has raidz, which is like RAID 5/6 (or a hypothetical RAID 7 that supports 3 parity disks), except it does not suffer from the RAID write hole issue thanks to its use of CoW and a variable stripe size. btrfs gained integrated RAID 5/6 functionality in Linux 3.9. However, its implementation uses a stripe cache that can only partially mitigate the effect of the RAID write hole.
  
[[File:l-ssh-4.jpg|center|frame|ssh-agent running only on lappy; a more secure configuration]]
+
* ZFS send/receive implementation supports incremental update when doing backups. btrfs' send/receive implementation requires sending the entire snapshot.
  
Of course, the problem with this approach is that drobbins can now only establish passwordless connections from lappy. Let's see how to enable authentication forwarding and get around this problem.
+
* ZFS supports data deduplication, which is a memory hog and only works well for specialized workloads. btrfs has no equivalent.
  
Assuming that all machines are running recent versions of OpenSSH, we can get around this problem by using authentication forwarding. Authentication forwarding allows remote ssh processes to contact the ssh-agent that is running on your local trusted machine -- rather than requiring a version of ssh-agent to be running on the same machine that you are sshing out from. This usually allows you to run ssh-agent (and keychain) on a single machine, and means that all ssh connections that originate (either directly or indirectly) from this machine will use your local ssh-agent.
+
* ZFS datasets have a hierarchical namespace while btrfs subvolumes have a flat namespace.
  
To enable authentication forwarding, we add the following line to lappy and trustbox's /etc/ssh/ssh_config. Note that this is the config file for ssh (ssh_config), not the ssh daemon sshd (sshd_config):
+
* ZFS has the ability to create virtual block devices called zvols in its namespace. btrfs has no equivalent and must rely on the loop device for this functionality, which is cumbersome.
  
{{file|name=ssh_config|body=
+
The only area where btrfs is ahead of ZFS is in the area of small file
ForwardAgent Yes
+
efficiency. btrfs supports a feature called block suballocation, which
}}
+
enables it to store small files far more efficiently than ZFS. It is
 +
possible to use another filesystem (e.g. reiserfs) on top of a ZFS zvol
 +
to obtain similar benefits (with arguably better data integrity) when
 +
dealing with many small files (e.g. the portage tree).
  
Now, to take advantage of authentication forwarding, drobbins can connect from lappy to trustbox, and then from trustbox to notrust1 without supplying passphrases for any of the connections. Both ssh processes "tap in" to the ssh-agent running on lappy:
+
For a quick tour of ZFS and have a big picture of its common operations you can consult the page [[ZFS Fun]].
 +
 
 +
=== Disclaimers ===
 +
 
 +
{{fancywarning|This guide is a work in progress. Expect some quirks.}}
 +
{{fancyimportant|'''Since ZFS was really designed for 64 bit systems, we are only recommending and supporting 64 bit platforms and installations. We will not be supporting 32 bit platforms'''!}}
 +
== Downloading the ISO (With ZFS) ==
 +
In order for us to install Funtoo on ZFS, you will need an environment that already provides the ZFS tools. Therefore we will download a customized version of System Rescue CD with ZFS included.
 +
 
 +
<pre>
 +
Name: sysresccd-4.2.0_zfs_0.6.2.iso  (545 MB)
 +
Release Date: 2014-02-25
 +
md5sum 01f4e6929247d54db77ab7be4d156d85
 +
</pre>
 +
 
 +
 
 +
'''[http://ftp.osuosl.org/pub/funtoo/distfiles/sysresccd/ Download System Rescue CD with ZFS]'''<br />
 +
 
 +
== Creating a bootable USB from ISO (From a Linux Environment) ==
 +
After you download the iso, you can do the following steps to create a bootable USB:
  
 
<console>
 
<console>
$ ##i##ssh drobbins@trustbox
+
Make a temporary directory
Last login: Wed Sep 26 13:42:08 2001 from lappy
+
# ##i##mkdir /tmp/loop
  
Welcome to trustbox!
+
Mount the iso
$ ##i##ssh drobbins@notrust1
+
# ##i##mount -o ro,loop /root/sysresccd-4.2.0_zfs_0.6.2.iso /tmp/loop
Last login: Tue Sep 25 12:03:40 2001 from trustbox
+
  
Welcome to notrust1!
+
Run the usb installer
$
+
# ##i##/tmp/loop/usb_inst.sh
 
</console>
 
</console>
  
If you try a similar configuration and find that agent forwarding isn't working, try using ssh -A instead of plain old ssh to explicitly enable authentication forwarding. Here's a diagram of what went on behind the scenes when we logged in to trustbox and notrust1 using authentication forwarding, above:
+
That should be all you need to do to get your flash drive working.
  
[[File:l-ssh-5.jpg|frame|center|Agent forwarding in action]]
+
== Booting the ISO ==
  
As you can see, when ssh connected to trustbox, it maintained a connection to the ssh-agent running on lappy. When an ssh connection was made from trustbox to notrust1, this new ssh process maintained the authentication connection to the previous ssh, effectively extending the chain. Whether this authentication chain can be extended beyond notrust1 to other hosts depends on how notrust1's /etc/ssh/ssh_config is configured. As long as agent forwarding is enabled, all parts of the chain will be able to authenticate using the ssh-agent running on the trusted lappy.
+
{{fancywarning|'''When booting into the ISO, Make sure that you select the "Alternate 64 bit kernel (altker64)". The ZFS modules have been built specifically for this kernel rather than the standard kernel. If you select a different kernel, you will get a fail to load module stack error message.'''}}
  
=== Advantages of agent connection forwarding ===
+
== Creating partitions ==
 +
There are two ways to partition your disk: You can use your entire drive and let ZFS automatically partition it for you, or you can do it manually.
  
Authentication forwarding offers a number of security advantages not touched on here. To convince me of the importance of agent connection forwarding, Charles Karney shared with me these three security advantages:
+
We will be showing you how to partition it '''manually''' because if you partition it manually you get to create your own layout, you get to have your own separate /boot partition (Which is nice since not every bootloader supports booting from ZFS pools), and you get to boot into RAID10, RAID5 (RAIDZ) pools and any other layouts due to you having a separate /boot partition.
  
The private key is stored only on the trusted machine. This prevents malicious users from grabbing your encrypted key from disk and attempting to crack the encryption.
+
==== gdisk (GPT Style) ====
ssh-agent runs only on the trusted machine. This prevents an intruder from doing a memory dump of a remote ssh-agent process and then extracting your decrypted private keys from the dump.
+
  
Since you only need to type in the passphrase on your trusted machine, you prevent any keystroke loggers from stealthily grabbing your passphrase as it is entered.
+
'''A Fresh Start''':
The one drawback to relying on authentication agent connection forwarding is that it doesn't solve the problem of allowing cron jobs to take advantage of RSA/DSA authentication. One solution to this problem is to set up all cron jobs that need RSA/DSA authentication so that they execute from a trusted machine on your LAN. If necessary, these cron jobs can use ssh to connect to remote systems to automate backups, synchronize files, and so on.
+
  
Now that we've looked at authentication agent connection forwarding, let's turn to recent improvements made to the keychain script itself.
+
First lets make sure that the disk is completely wiped from any previous disk labels and partitions.
 +
We will also assume that <tt>/dev/sda</tt> is the target drive.<br />
  
=== Keychain functionality improvements ===
+
<console>
 +
# ##i##sgdisk -Z /dev/sda
 +
</console>
  
Since the time this article was originally written in 2001, Keychain has become a successful Open Source project, and now supports nearly every version of UNIX (including Linux, BSD, Solaris, IRIX, and AIX as well as other UNIX platforms,) and has lots of advanced features. These features include support for gpg-agent, as well as a number of new command-line options, which you can learn about by typing {{c|keychain --help}} or reading the keychain man page ({{c|man keychain}}).
+
{{fancywarning|This is a destructive operation and the program will not ask you for confirmation! Make sure you really don't want anything on this disk.}}
 +
 
 +
Now that we have a clean drive, we will create the new layout.
 +
 
 +
First open up the application:
 +
 
 +
<console>
 +
# ##i##gdisk /dev/sda
 +
</console>
 +
 
 +
'''Create Partition 1''' (boot):
 +
<console>
 +
Command: ##i##n ↵
 +
Partition Number: ##i##↵
 +
First sector: ##i##↵
 +
Last sector: ##i##+250M ↵
 +
Hex Code: ##i##↵
 +
</console>
 +
 
 +
'''Create Partition 2''' (BIOS Boot Partition):
 +
<console>Command: ##i##n ↵
 +
Partition Number: ##i##↵
 +
First sector: ##i##↵
 +
Last sector: ##i##+32M ↵
 +
Hex Code: ##i##EF02 ↵
 +
</console>
 +
 
 +
'''Create Partition 3''' (ZFS):
 +
<console>Command: ##i##n ↵
 +
Partition Number: ##i##↵
 +
First sector: ##i##↵
 +
Last sector: ##i##↵
 +
Hex Code: ##i##bf00 ↵
 +
 
 +
Command: ##i##p ↵
 +
 
 +
Number  Start (sector)    End (sector)  Size      Code  Name
 +
  1            2048          514047  250.0 MiB  8300  Linux filesystem
 +
  2          514048          579583  32.0 MiB    EF02  BIOS boot partition
 +
  3          579584      1953525134  931.2 GiB  BF00  Solaris root
 +
 
 +
Command: ##i##w ↵
 +
</console>
 +
 
 +
 
 +
=== Format your /boot partition ===
 +
 
 +
<console>
 +
# ##i##mkfs.ext2 -m 1 /dev/sda1
 +
</console>
 +
 
 +
=== Create the zpool ===
 +
We will first create the pool. The pool will be named `tank` and the disk will be aligned to 4096 (using ashift=12)
 +
<console># ##i##zpool create -f -o ashift=12 -o cachefile= -O compression=on -m none -R /mnt/funtoo tank /dev/sda3</console>
 +
 
 +
=== Create the zfs datasets ===
 +
We will now create some datasets. For this installation, we will create a small but future proof amount of datasets. We will have a dataset for the OS (/), and your swap. We will also show you how to create some optional datasets: <tt>/home</tt>, <tt>/var</tt>, <tt>/usr/src</tt>, and <tt>/usr/portage</tt>.
 +
 
 +
<console>
 +
Create some empty containers for organization purposes, and make the dataset that will hold /
 +
# ##i##zfs create -p tank/funtoo
 +
# ##i##zfs create -o mountpoint=/ tank/funtoo/root
 +
 
 +
Optional, but recommended datasets: /home
 +
# ##i##zfs create -o mountpoint=/home tank/funtoo/home
 +
 
 +
Optional datasets: /usr/src, /usr/portage/{distfiles,packages}
 +
# ##i##zfs create -o mountpoint=/usr/src tank/funtoo/src
 +
# ##i##zfs create -o mountpoint=/usr/portage -o compression=off tank/funtoo/portage
 +
# ##i##zfs create -o mountpoint=/usr/portage/distfiles tank/funtoo/portage/distfiles
 +
# ##i##zfs create -o mountpoint=/usr/portage/packages tank/funtoo/portage/packages
 +
</console>
 +
 
 +
=== Create your swap zvol ===
 +
For modern machines that have greater than 4 GB of RAM, A swap size of 2G should be enough. However if your machine doesn't have a lot of RAM, the rule of thumb is either 2x the RAM or RAM + 1 GB.
 +
 
 +
For this tutorial we will assume that it is a newer machine and make a 2 GB swap.
 +
 
 +
<console>
 +
# ##i##zfs create -o sync=always -o primarycache=metadata -o secondarycache=none -o volblocksize=4K -V 2G tank/swap
 +
</console>
 +
{{fancywarning|ZFS swap is not stable and should be used with precautions.}}
 +
 
 +
=== Format your swap zvol ===
 +
<console>
 +
# ##i##mkswap -f /dev/zvol/tank/swap
 +
# ##i##swapon /dev/zvol/tank/swap
 +
</console>
 +
 
 +
Now we will continue to install funtoo.
 +
 
 +
== Installing Funtoo ==
 +
 
 +
=== Pre-Chroot ===
 +
 
 +
<console>
 +
Go into the directory that you will chroot into
 +
# ##i##cd /mnt/funtoo
 +
 
 +
Make a boot folder and mount your boot drive
 +
# ##i##mkdir boot
 +
# ##i##mount /dev/sda1 boot
 +
</console>
 +
 
 +
[[Funtoo_Linux_Installation|Now download and extract the Funtoo stage3 ...]]
 +
 
 +
Once you've extracted the stage3, do a few more preparations and chroot into your new funtoo environment:
 +
 
 +
<console>
 +
Bind the kernel related directories
 +
# ##i##mount -t proc none proc
 +
# ##i##mount --rbind /dev dev
 +
# ##i##mount --rbind /sys sys
 +
 
 +
Copy network settings
 +
# ##i##cp -f /etc/resolv.conf etc
 +
 
 +
Make the zfs folder in 'etc' and copy your zpool.cache
 +
# ##i##mkdir etc/zfs
 +
# ##i##cp /etc/zfs/zpool.cache etc/zfs
 +
 
 +
Chroot into Funtoo
 +
# ##i##env -i HOME=/root TERM=$TERM chroot . bash -l
 +
</console>
 +
 
 +
=== In Chroot ===
 +
 
 +
<console>
 +
Create a symbolic link to your mountpoints
 +
# ##i##ln -sf /proc/mounts /etc/mtab
 +
 
 +
Sync your tree
 +
# ##i##emerge --sync
 +
</console>
 +
 
 +
=== Add filesystems to /etc/fstab ===
 +
 
 +
Before we continue to compile and or install our kernel in the next step, we will edit the <tt>/etc/fstab</tt> file because if we decide to install our kernel through portage, portage will need to know where our <tt>/boot</tt> is, so that it can place the files in there.
 +
 
 +
Edit <tt>/etc/fstab</tt>:
 +
 
 +
<pre>
 +
# <fs>                  <mountpoint>    <type>          <opts>          <dump/pass>
 +
 
 +
/dev/sda1              /boot          ext2            defaults        0 2
 +
/dev/zvol/tank/swap    none            swap            sw              0 0
 +
</pre>
 +
 
 +
== Kernel Configuration ==
 +
...wip
 +
 
 +
== Installing the ZFS userspace tools and kernel modules ==
 +
Emerge {{Package|sys-fs/zfs}}. This package will bring in {{Package|sys-kernel/spl}}, and {{Package|sys-fs/zfs-kmod}} as its dependencies:
 +
 
 +
<console>
 +
# ##i##emerge zfs
 +
</console>
 +
 
 +
Check to make sure that the zfs tools are working. The <code>zpool.cache</code> file that you copied before should be displayed.
 +
 
 +
<console>
 +
# ##i##zpool status
 +
# ##i##zfs list
 +
</console>
 +
 
 +
If everything worked, continue.
 +
 
 +
== Create the initramfs ==
 +
There are two ways to do this, you can use "genkernel" or "bliss-initramfs". Both will be shown.
 +
 
 +
=== genkernel ===
 +
Install genkernel and run it:
 +
<console>
 +
# ##i##emerge genkernel
 +
 
 +
You only need to add --luks if you used encryption
 +
# ##i##genkernel --zfs --luks initramfs
 +
</console>
 +
 
 +
== Installing & Configuring the Bootloader ==
 +
 
 +
=== GRUB 2 (Optional if you are using another bootloader) ===
 +
<console>
 +
# ##i##emerge grub
 +
</console>
 +
 
 +
You can check that grub is version 2.00 by typing the following command:
 +
 
 +
<console>
 +
# ##i##grub-install --version
 +
grub-install (GRUB) 2.00
 +
</console>
 +
 
 +
Now install grub to the drive itself (not a partition):
 +
<console>
 +
# ##i##grub-install /dev/sda
 +
</console>
 +
 
 +
You should receive the following message:
 +
 
 +
<console>
 +
Installation finished. No error reported.
 +
</console>
 +
 
 +
You should now see some a grub directory with some files inside your /boot folder:
 +
 
 +
<console>
 +
# ##i##ls -l /boot/grub
 +
total 2520
 +
-rw-r--r-- 1 root root    1024 Jan  4 16:09 grubenv
 +
drwxr-xr-x 2 root root    8192 Jan 12 14:29 i386-pc
 +
drwxr-xr-x 2 root root    4096 Jan 12 14:28 locale
 +
-rw-r--r-- 1 root root 2555597 Feb  4 11:50 unifont.pf2
 +
</console>
 +
 
 +
=== LILO (Optional if you are using another bootloader) ===
 +
To install lilo you can type the following:
 +
 
 +
<console>
 +
# ##i##emerge lilo
 +
</console>
 +
 
 +
=== boot-update ===
 +
boot-update comes as a dependency of grub2, so if you already installed grub, it's already on your system!
 +
 
 +
==== Genkernel ====
 +
If your using genkernel you must add 'real_root=ZFS=<root>' and 'dozfs' to your params.
 +
Example entry for <tt>/etc/boot.conf</tt>:
 +
 
 +
<pre>
 +
"Funtoo ZFS" {
 +
        kernel vmlinuz[-v]
 +
        initrd initramfs-genkernel-x86_64[-v]
 +
        params real_root=ZFS=tank/funtoo/root
 +
        params += dozfs=force
 +
        # Also add 'params += crypt_root=/dev/sda3' if you used encryption
 +
        # Adjust the above setting to your system if needed
 +
 
 +
        # You should also add 'root=none' to your params (not 'params +=') if you plan to use it along with boot-update
 +
        # If root variable will not be set, boot-update will fail to generate boot.conf
 +
        # This is right for <=sys-boot/boot-update-1.6.11 on 16.08.2014 date
 +
}
 +
</pre>
 +
 
 +
==== Bliss Initramfs Creator ====
 +
If you used Bliss Initramfs Creator then all you need to do is add 'root=<root>' to your params.
 +
Example entry for <tt>/etc/boot.conf</tt>:
 +
 
 +
<pre>
 +
"Funtoo ZFS" {
 +
        kernel vmlinuz[-v]
 +
        initrd initrd[-v]
 +
        params root=tank/funtoo/root quiet
 +
        # If you have an encrypted device with a regular passphrase,
 +
        # you can add the following line
 +
        params += enc_root=/dev/sda3 enc_type=pass
 +
}
 +
</pre>
 +
 
 +
After editing /etc/boot.conf, you just need to run boot-update to update grub.cfg
 +
 
 +
<console>
 +
###i## boot-update
 +
</console>
 +
 
 +
=== bliss-boot ===
 +
This is a new program that is designed to generate a simple, human-readable/editable, configuration file for a variety of bootloaders. It currently supports grub2, extlinux, and lilo.
 +
 
 +
You can install it via the following command:
 +
<console>
 +
# ##i##emerge bliss-boot
 +
</console>
 +
 
 +
==== Bootloader Configuration ====
 +
In order to generate our bootloader configuration file, we will first configure bliss-boot so that it knows what we want. The 'bliss-boot' configuration file is located in '''/etc/bliss-boot/conf.py'''. Open that file and make sure that the following variables are set appropriately:
 +
 
 +
<pre>
 +
# This should be set to the bootloader you installed earlier: (grub2, extlinux, and lilo are the available options)
 +
bootloader = "grub2"
 +
 
 +
# This should be set to the kernel you installed earlier
 +
default = "3.12.13-KS.02"
 +
</pre>
 +
 
 +
Scroll all the way down until you find 'kernels'. You will need to add the kernels and the options
 +
you want for these kernels here. Below are a few configuration options depending if you are using
 +
'''bliss-initramfs''' or '''genkernel'''.
 +
 
 +
===== Genkernel =====
 +
 
 +
<pre>
 +
kernel = {
 +
    '3.12.13-KS.02' : 'real_root=ZFS=tank/funtoo/root dozfs=force quiet',
 +
}
 +
</pre>
 +
 
 +
'''If you are using encryption you can add the crypt_root option:'''
 +
 
 +
<pre>
 +
kernel = {
 +
    '3.12.13-KS.02' : 'real_root=ZFS=tank/funtoo/root dozfs=force crypt_root=/dev/sda3 quiet',
 +
}
 +
</pre>
 +
 
 +
===== Bliss Initramfs Creator =====
 +
<pre>
 +
kernel = {
 +
    '3.12.13-KS.02' : 'root=tank/funtoo/root quiet',
 +
}
 +
</pre>
 +
 
 +
'''If you are using encryption then you would let the initramfs know:'''
 +
 
 +
#"What type of encryption authentication you want to use? ('''enc_type=''')
 +
::* pass = will ask for passphrase directly
 +
::* key = a plain unencrypted key file
 +
::* key_gpg = an encrypted key file
 +
#"Where is the encrypted drive?" ('''enc_root=''')
 +
#"Where is the root pool after it has been decrypted?" ('''root=''')
 +
 
 +
<pre>
 +
kernel = {
 +
    '3.12.13-KS.02' : 'root=tank/funtoo/root enc_root=/dev/sda3 enc_type=pass quiet',
 +
}
 +
</pre>
 +
 
 +
==== Generate the configuration ====
 +
Now that we have configure our '''/etc/bliss-boot/conf.py''' file, we can generate our config. Simply run the following command:
 +
 
 +
<console>
 +
# ##i##bliss-boot
 +
</console>
 +
 
 +
This will generate a configuration file for the bootloader you specified previously in your current directory. You can check your config file before hand to make sure it doesn't have any errors. Simply open either: grub.cfg, extlinux.conf, or lilo.conf.
 +
 
 +
Once you have checked it for errors, place this file in the correct directory:
 +
 
 +
* grub2 = /boot/grub/
 +
* extlinux = /boot/extlinux/
 +
* lilo = /etc/lilo.conf
 +
 
 +
=== LILO (Optional if you are using another bootloader) ===
 +
Now that bliss-boot generated the lilo.conf file, move that config file to its appropriate location
 +
and install lilo to the MBR:
 +
 
 +
<console>
 +
# ##i##mv lilo.conf /etc
 +
# ##i##lilo
 +
 
 +
You should see the following:
 +
 
 +
Warning: LBA32 addressing assumed
 +
Added Funtoo + *
 +
One warning was issued
 +
</console>
 +
 
 +
== Final configuration ==
 +
=== Add the zfs tools to openrc ===
 +
<console># ##i##rc-update add zfs boot</console>
 +
 
 +
=== Clean up and reboot ===
 +
We are almost done, we are just going to clean up, '''set our root password''', and unmount whatever we mounted and get out.
 +
 
 +
<console>
 +
Delete the stage3 tarball that you downloaded earlier so it doesn't take up space.
 +
# ##i##cd /
 +
# ##i##rm stage3-latest.tar.xz
 +
 
 +
Set your root password
 +
# ##i##passwd
 +
>> Enter your password, you won't see what you are writing (for security reasons), but it is there!
 +
 
 +
Get out of the chroot environment
 +
# ##i##exit
 +
 
 +
Unmount all the kernel filesystem stuff and boot (if you have a separate /boot)
 +
# ##i##umount -l proc dev sys boot
 +
 
 +
Turn off the swap
 +
# ##i##swapoff /dev/zvol/tank/swap
 +
 
 +
Export the zpool
 +
# ##i##cd /
 +
# ##i##zpool export tank
 +
 
 +
Reboot
 +
# ##i##reboot
 +
</console>
 +
 
 +
{{fancyimportant|'''Don't forget to set your root password as stated above before exiting chroot and rebooting. If you don't set the root password, you won't be able to log into your new system.'''}}
 +
 
 +
and that should be enough to get your system to boot on ZFS.
 +
 
 +
== After reboot ==
 +
 
 +
=== Forgot to reset password? ===
 +
==== System Rescue CD ====
 +
If you aren't using bliss-initramfs, then you can reboot back into your sysresccd and reset through there by mounting your drive, chrooting, and then typing passwd.
 +
 
 +
Example:
 +
<console>
 +
# ##i##zpool import -f -R /mnt/funtoo tank
 +
# ##i##chroot /mnt/funtoo bash -l
 +
# ##i##passwd
 +
# ##i##exit
 +
# ##i##zpool export -f tank
 +
# ##i##reboot
 +
</console>
 +
 
 +
==== Using bliss-initramfs ====
 +
If you forgot to reset your password and are using '''bliss-initramfs''', you can add the '''su''' option to your bootloader parameters and the initramfs will throw you into the rootfs of your drive. In there you can run 'passwd' and then type 'exit'. Once you type 'exit', the initramfs will continue to boot your system as normal.
 +
 
 +
=== Create initial ZFS Snapshot ===
 +
Continue to set up anything you need in terms of /etc configurations. Once you have everything the way you like it, take a snapshot of your system. You will be using this snapshot to revert back to this state if anything ever happens to your system down the road. The snapshots are cheap, and almost instant.
 +
 
 +
To take the snapshot of your system, type the following:
 +
<console># ##i##zfs snapshot -r tank@install</console>
 +
 
 +
To see if your snapshot was taken, type:
 +
<console># ##i##zfs list -t snapshot</console>
 +
 
 +
If your machine ever fails and you need to get back to this state, just type (This will only revert your / dataset while keeping the rest of your data intact):
 +
<console># ##i##zfs rollback tank/funtoo/root@install</console>
 +
 
 +
{{fancyimportant|'''For a detailed overview, presentation of ZFS' capabilities, as well as usage examples, please refer to the [[ZFS_Fun|ZFS Fun]] page.'''}}
 +
 
 +
== Troubleshooting ==
 +
 
 +
=== Starting from scratch ===
 +
If your installation has gotten screwed up for whatever reason and you need a fresh restart, you can do the following from sysresccd to start fresh:
 +
 
 +
<console>
 +
Destroy the pool and any snapshots and datasets it has
 +
# ##i##zpool destroy -R -f tank
 +
 
 +
This deletes the files from /dev/sda1 so that even after we zap, recreating the drive in the exact sector
 +
position and size will not give us access to the old files in this partition.
 +
# ##i##mkfs.ext2 /dev/sda1
 +
# ##i##sgdisk -Z /dev/sda
 +
</console>
  
The official home for Keychain is on the [[Keychain]] page on the Funtoo wiki. Check there for updates and more information on this useful tool.
+
Now start the guide again :).
  
=== Conclusion ===
+
[[Category:HOWTO]]
 +
[[Category:Filesystems]]
 +
[[Category:Featured]]
 +
[[Category:Install]]
  
This column concludes my coverage of OpenSSH. Hopefully, you've learned enough about it to start using OpenSSH in an effective way to secure your systems.
+
__NOTITLE__
{{ArticleFooter}}
+

Revision as of 14:57, January 5, 2015

Introduction

This tutorial will show you how to install Funtoo on ZFS (rootfs). This tutorial is meant to be an "overlay" over the Regular Funtoo Installation. Follow the normal installation and only use this guide for steps 2, 3, and 8.

Introduction to ZFS

Since ZFS is a new technology for Linux, it can be helpful to understand some of its benefits, particularly in comparison to BTRFS, another popular next-generation Linux filesystem:

  • On Linux, the ZFS code can be updated independently of the kernel to obtain the latest fixes. btrfs is exclusive to Linux and you need to build the latest kernel sources to get the latest fixes.
  • ZFS is supported on multiple platforms. The platforms with the best support are Solaris, FreeBSD and Linux. Other platforms with varying degrees of support are NetBSD, Mac OS X and Windows. btrfs is exclusive to Linux.
  • ZFS has the Adaptive Replacement Cache replacement algorithm while btrfs uses the Linux kernel's Last Recently Used replacement algorithm. The former often has an overwhelmingly superior hit rate, which means fewer disk accesses.
  • ZFS has the ZFS Intent Log and SLOG devices, which accelerates small synchronous write performance.
  • ZFS handles internal fragmentation gracefully, such that you can fill it until 100%. Internal fragmentation in btrfs can make btrfs think it is full at 10%. Btrfs has no automatic rebalancing code, so it requires a manual rebalance to correct it.
  • ZFS has raidz, which is like RAID 5/6 (or a hypothetical RAID 7 that supports 3 parity disks), except it does not suffer from the RAID write hole issue thanks to its use of CoW and a variable stripe size. btrfs gained integrated RAID 5/6 functionality in Linux 3.9. However, its implementation uses a stripe cache that can only partially mitigate the effect of the RAID write hole.
  • ZFS send/receive implementation supports incremental update when doing backups. btrfs' send/receive implementation requires sending the entire snapshot.
  • ZFS supports data deduplication, which is a memory hog and only works well for specialized workloads. btrfs has no equivalent.
  • ZFS datasets have a hierarchical namespace while btrfs subvolumes have a flat namespace.
  • ZFS has the ability to create virtual block devices called zvols in its namespace. btrfs has no equivalent and must rely on the loop device for this functionality, which is cumbersome.

The only area where btrfs is ahead of ZFS is in the area of small file efficiency. btrfs supports a feature called block suballocation, which enables it to store small files far more efficiently than ZFS. It is possible to use another filesystem (e.g. reiserfs) on top of a ZFS zvol to obtain similar benefits (with arguably better data integrity) when dealing with many small files (e.g. the portage tree).

For a quick tour of ZFS and have a big picture of its common operations you can consult the page ZFS Fun.

Disclaimers

Warning

This guide is a work in progress. Expect some quirks.

Important

Since ZFS was really designed for 64 bit systems, we are only recommending and supporting 64 bit platforms and installations. We will not be supporting 32 bit platforms!

Downloading the ISO (With ZFS)

In order for us to install Funtoo on ZFS, you will need an environment that already provides the ZFS tools. Therefore we will download a customized version of System Rescue CD with ZFS included.

Name: sysresccd-4.2.0_zfs_0.6.2.iso  (545 MB)
Release Date: 2014-02-25
md5sum 01f4e6929247d54db77ab7be4d156d85


Download System Rescue CD with ZFS

Creating a bootable USB from ISO (From a Linux Environment)

After you download the iso, you can do the following steps to create a bootable USB:

Make a temporary directory
# mkdir /tmp/loop

Mount the iso
# mount -o ro,loop /root/sysresccd-4.2.0_zfs_0.6.2.iso /tmp/loop

Run the usb installer
# /tmp/loop/usb_inst.sh

That should be all you need to do to get your flash drive working.

Booting the ISO

Warning

When booting into the ISO, Make sure that you select the "Alternate 64 bit kernel (altker64)". The ZFS modules have been built specifically for this kernel rather than the standard kernel. If you select a different kernel, you will get a fail to load module stack error message.

Creating partitions

There are two ways to partition your disk: You can use your entire drive and let ZFS automatically partition it for you, or you can do it manually.

We will be showing you how to partition it manually because if you partition it manually you get to create your own layout, you get to have your own separate /boot partition (Which is nice since not every bootloader supports booting from ZFS pools), and you get to boot into RAID10, RAID5 (RAIDZ) pools and any other layouts due to you having a separate /boot partition.

gdisk (GPT Style)

A Fresh Start:

First lets make sure that the disk is completely wiped from any previous disk labels and partitions. We will also assume that /dev/sda is the target drive.

# sgdisk -Z /dev/sda
Warning

This is a destructive operation and the program will not ask you for confirmation! Make sure you really don't want anything on this disk.

Now that we have a clean drive, we will create the new layout.

First open up the application:

# gdisk /dev/sda

Create Partition 1 (boot):

Command: n ↵
Partition Number: 
First sector: 
Last sector: +250M ↵
Hex Code: 

Create Partition 2 (BIOS Boot Partition):

Command: n ↵
Partition Number: 
First sector: 
Last sector: +32M ↵
Hex Code: EF02 ↵

Create Partition 3 (ZFS):

Command: n ↵
Partition Number: 
First sector: 
Last sector: 
Hex Code: bf00 ↵

Command: p ↵

Number  Start (sector)    End (sector)  Size       Code  Name
   1            2048          514047   250.0 MiB   8300  Linux filesystem
   2          514048          579583   32.0 MiB    EF02  BIOS boot partition
   3          579584      1953525134   931.2 GiB   BF00  Solaris root

Command: w ↵


Format your /boot partition

# mkfs.ext2 -m 1 /dev/sda1

Create the zpool

We will first create the pool. The pool will be named `tank` and the disk will be aligned to 4096 (using ashift=12)

# zpool create -f -o ashift=12 -o cachefile= -O compression=on -m none -R /mnt/funtoo tank /dev/sda3

Create the zfs datasets

We will now create some datasets. For this installation, we will create a small but future proof amount of datasets. We will have a dataset for the OS (/), and your swap. We will also show you how to create some optional datasets: /home, /var, /usr/src, and /usr/portage.

Create some empty containers for organization purposes, and make the dataset that will hold /
# zfs create -p tank/funtoo
# zfs create -o mountpoint=/ tank/funtoo/root

Optional, but recommended datasets: /home
# zfs create -o mountpoint=/home tank/funtoo/home

Optional datasets: /usr/src, /usr/portage/{distfiles,packages}
# zfs create -o mountpoint=/usr/src tank/funtoo/src
# zfs create -o mountpoint=/usr/portage -o compression=off tank/funtoo/portage
# zfs create -o mountpoint=/usr/portage/distfiles tank/funtoo/portage/distfiles
# zfs create -o mountpoint=/usr/portage/packages tank/funtoo/portage/packages

Create your swap zvol

For modern machines that have greater than 4 GB of RAM, A swap size of 2G should be enough. However if your machine doesn't have a lot of RAM, the rule of thumb is either 2x the RAM or RAM + 1 GB.

For this tutorial we will assume that it is a newer machine and make a 2 GB swap.

# zfs create -o sync=always -o primarycache=metadata -o secondarycache=none -o volblocksize=4K -V 2G tank/swap
Warning

ZFS swap is not stable and should be used with precautions.

Format your swap zvol

# mkswap -f /dev/zvol/tank/swap
# swapon /dev/zvol/tank/swap

Now we will continue to install funtoo.

Installing Funtoo

Pre-Chroot

Go into the directory that you will chroot into
# cd /mnt/funtoo

Make a boot folder and mount your boot drive
# mkdir boot
# mount /dev/sda1 boot

Now download and extract the Funtoo stage3 ...

Once you've extracted the stage3, do a few more preparations and chroot into your new funtoo environment:

Bind the kernel related directories
# mount -t proc none proc
# mount --rbind /dev dev
# mount --rbind /sys sys

Copy network settings
# cp -f /etc/resolv.conf etc

Make the zfs folder in 'etc' and copy your zpool.cache
# mkdir etc/zfs
# cp /etc/zfs/zpool.cache etc/zfs

Chroot into Funtoo
# env -i HOME=/root TERM=$TERM chroot . bash -l

In Chroot

Create a symbolic link to your mountpoints
# ln -sf /proc/mounts /etc/mtab

Sync your tree
# emerge --sync

Add filesystems to /etc/fstab

Before we continue to compile and or install our kernel in the next step, we will edit the /etc/fstab file because if we decide to install our kernel through portage, portage will need to know where our /boot is, so that it can place the files in there.

Edit /etc/fstab:

# <fs>                  <mountpoint>    <type>          <opts>          <dump/pass>

/dev/sda1               /boot           ext2            defaults        0 2
/dev/zvol/tank/swap     none            swap            sw              0 0

Kernel Configuration

...wip

Installing the ZFS userspace tools and kernel modules

Emerge sys-fs/zfs (package not on wiki - please add). This package will bring in sys-kernel/spl (package not on wiki - please add), and sys-fs/zfs-kmod (package not on wiki - please add) as its dependencies:

# emerge zfs

Check to make sure that the zfs tools are working. The zpool.cache file that you copied before should be displayed.

# zpool status
# zfs list

If everything worked, continue.

Create the initramfs

There are two ways to do this, you can use "genkernel" or "bliss-initramfs". Both will be shown.

genkernel

Install genkernel and run it:

# emerge genkernel

You only need to add --luks if you used encryption
# genkernel --zfs --luks initramfs

Installing & Configuring the Bootloader

GRUB 2 (Optional if you are using another bootloader)

# emerge grub

You can check that grub is version 2.00 by typing the following command:

# grub-install --version
grub-install (GRUB) 2.00

Now install grub to the drive itself (not a partition):

# grub-install /dev/sda

You should receive the following message:

Installation finished. No error reported.

You should now see some a grub directory with some files inside your /boot folder:

# ls -l /boot/grub
total 2520
-rw-r--r-- 1 root root    1024 Jan  4 16:09 grubenv
drwxr-xr-x 2 root root    8192 Jan 12 14:29 i386-pc
drwxr-xr-x 2 root root    4096 Jan 12 14:28 locale
-rw-r--r-- 1 root root 2555597 Feb  4 11:50 unifont.pf2

LILO (Optional if you are using another bootloader)

To install lilo you can type the following:

# emerge lilo

boot-update

boot-update comes as a dependency of grub2, so if you already installed grub, it's already on your system!

Genkernel

If your using genkernel you must add 'real_root=ZFS=<root>' and 'dozfs' to your params. Example entry for /etc/boot.conf:

"Funtoo ZFS" {
        kernel vmlinuz[-v]
        initrd initramfs-genkernel-x86_64[-v]
        params real_root=ZFS=tank/funtoo/root
        params += dozfs=force
        # Also add 'params += crypt_root=/dev/sda3' if you used encryption
        # Adjust the above setting to your system if needed

        # You should also add 'root=none' to your params (not 'params +=') if you plan to use it along with boot-update
        # If root variable will not be set, boot-update will fail to generate boot.conf
        # This is right for <=sys-boot/boot-update-1.6.11 on 16.08.2014 date
}

Bliss Initramfs Creator

If you used Bliss Initramfs Creator then all you need to do is add 'root=<root>' to your params. Example entry for /etc/boot.conf:

"Funtoo ZFS" {
        kernel vmlinuz[-v]
        initrd initrd[-v]
        params root=tank/funtoo/root quiet
        # If you have an encrypted device with a regular passphrase,
        # you can add the following line
        params += enc_root=/dev/sda3 enc_type=pass
}

After editing /etc/boot.conf, you just need to run boot-update to update grub.cfg

# boot-update

bliss-boot

This is a new program that is designed to generate a simple, human-readable/editable, configuration file for a variety of bootloaders. It currently supports grub2, extlinux, and lilo.

You can install it via the following command:

# emerge bliss-boot

Bootloader Configuration

In order to generate our bootloader configuration file, we will first configure bliss-boot so that it knows what we want. The 'bliss-boot' configuration file is located in /etc/bliss-boot/conf.py. Open that file and make sure that the following variables are set appropriately:

# This should be set to the bootloader you installed earlier: (grub2, extlinux, and lilo are the available options)
bootloader = "grub2"

# This should be set to the kernel you installed earlier
default = "3.12.13-KS.02" 

Scroll all the way down until you find 'kernels'. You will need to add the kernels and the options you want for these kernels here. Below are a few configuration options depending if you are using bliss-initramfs or genkernel.

Genkernel
kernel = {
    '3.12.13-KS.02' : 'real_root=ZFS=tank/funtoo/root dozfs=force quiet',
}

If you are using encryption you can add the crypt_root option:

kernel = {
    '3.12.13-KS.02' : 'real_root=ZFS=tank/funtoo/root dozfs=force crypt_root=/dev/sda3 quiet',
}
Bliss Initramfs Creator
kernel = {
    '3.12.13-KS.02' : 'root=tank/funtoo/root quiet',
}

If you are using encryption then you would let the initramfs know:

  1. "What type of encryption authentication you want to use? (enc_type=)
  • pass = will ask for passphrase directly
  • key = a plain unencrypted key file
  • key_gpg = an encrypted key file
  1. "Where is the encrypted drive?" (enc_root=)
  2. "Where is the root pool after it has been decrypted?" (root=)
kernel = {
    '3.12.13-KS.02' : 'root=tank/funtoo/root enc_root=/dev/sda3 enc_type=pass quiet',
}

Generate the configuration

Now that we have configure our /etc/bliss-boot/conf.py file, we can generate our config. Simply run the following command:

# bliss-boot

This will generate a configuration file for the bootloader you specified previously in your current directory. You can check your config file before hand to make sure it doesn't have any errors. Simply open either: grub.cfg, extlinux.conf, or lilo.conf.

Once you have checked it for errors, place this file in the correct directory:

  • grub2 = /boot/grub/
  • extlinux = /boot/extlinux/
  • lilo = /etc/lilo.conf

LILO (Optional if you are using another bootloader)

Now that bliss-boot generated the lilo.conf file, move that config file to its appropriate location and install lilo to the MBR:

# mv lilo.conf /etc
# lilo

You should see the following:

Warning: LBA32 addressing assumed
Added Funtoo + *
One warning was issued

Final configuration

Add the zfs tools to openrc

# rc-update add zfs boot

Clean up and reboot

We are almost done, we are just going to clean up, set our root password, and unmount whatever we mounted and get out.

Delete the stage3 tarball that you downloaded earlier so it doesn't take up space.
# cd /
# rm stage3-latest.tar.xz

Set your root password
# passwd
>> Enter your password, you won't see what you are writing (for security reasons), but it is there!

Get out of the chroot environment
# exit

Unmount all the kernel filesystem stuff and boot (if you have a separate /boot)
# umount -l proc dev sys boot

Turn off the swap
# swapoff /dev/zvol/tank/swap

Export the zpool
# cd /
# zpool export tank

Reboot
# reboot
Important

Don't forget to set your root password as stated above before exiting chroot and rebooting. If you don't set the root password, you won't be able to log into your new system.

and that should be enough to get your system to boot on ZFS.

After reboot

Forgot to reset password?

System Rescue CD

If you aren't using bliss-initramfs, then you can reboot back into your sysresccd and reset through there by mounting your drive, chrooting, and then typing passwd.

Example:

# zpool import -f -R /mnt/funtoo tank
# chroot /mnt/funtoo bash -l
# passwd
# exit
# zpool export -f tank
# reboot

Using bliss-initramfs

If you forgot to reset your password and are using bliss-initramfs, you can add the su option to your bootloader parameters and the initramfs will throw you into the rootfs of your drive. In there you can run 'passwd' and then type 'exit'. Once you type 'exit', the initramfs will continue to boot your system as normal.

Create initial ZFS Snapshot

Continue to set up anything you need in terms of /etc configurations. Once you have everything the way you like it, take a snapshot of your system. You will be using this snapshot to revert back to this state if anything ever happens to your system down the road. The snapshots are cheap, and almost instant.

To take the snapshot of your system, type the following:

# zfs snapshot -r tank@install

To see if your snapshot was taken, type:

# zfs list -t snapshot

If your machine ever fails and you need to get back to this state, just type (This will only revert your / dataset while keeping the rest of your data intact):

# zfs rollback tank/funtoo/root@install
Important

For a detailed overview, presentation of ZFS' capabilities, as well as usage examples, please refer to the ZFS Fun page.

Troubleshooting

Starting from scratch

If your installation has gotten screwed up for whatever reason and you need a fresh restart, you can do the following from sysresccd to start fresh:

Destroy the pool and any snapshots and datasets it has
# zpool destroy -R -f tank

This deletes the files from /dev/sda1 so that even after we zap, recreating the drive in the exact sector
position and size will not give us access to the old files in this partition.
# mkfs.ext2 /dev/sda1
# sgdisk -Z /dev/sda

Now start the guide again :).