Difference between pages "Rootfs over encrypted lvm" and "Package:Nginx"

Rootfs over encrypted lvm

This howto describes how to set up LVM and a root filesystem on a LUKS-encrypted (dm-crypt) drive.

__TOC__

= Prepare the hard drive and partitions =

This is an example partition scheme; you may want to choose differently. <code>/dev/sda1</code> is used as <code>/boot</code>, and <code>/dev/sda3</code> will be the encrypted partition that holds LVM.

* <code>/dev/sda1</code> -- <code>/boot</code> partition. It stays unencrypted: the bootloader has to read the kernel and initramfs before anyone can type a passphrase.
* <code>/dev/sda2</code> -- BIOS boot partition. Only needed with a GPT partition table (not with MBR); GRUB2 requires it there. See [http://www.funtoo.org/Funtoo_Linux_Installation#Prepare_Hard_Disk] for more information on GPT and MBR.
* <code>/dev/sda3</code> -- <code>/</code> partition, which will carry LUKS and LVM.

<console>
# ##i##dd if=/dev/zero of=/dev/sda3 bs=100M
# ##i##dd if=/dev/urandom of=/dev/sda3 bs=100M
</console>

The <code>dd</code> step is optional and only matters for security (i.e. if the drive previously held confidential data): it overwrites whatever is still lingering on the device. Of the two passes, the <code>/dev/urandom</code> one is the one that counts, because it both destroys the old plaintext and makes the encrypted region indistinguishable from unused space; the zero pass alone does not give the second property and can be skipped. It takes around 6 hours to complete for a 200GB drive.

{{Note}} You will get a message about reaching the end of the device when the <code>dd</code> command has finished. This behavior is intended.
= Encrypting the drive =

<console>
# ##i##cryptsetup --cipher aes-xts-plain64 --key-size 512 luksFormat /dev/sda3
# ##i##cryptsetup luksOpen /dev/sda3 dmcrypt_root
</console>

<code>luksFormat</code> first asks you to confirm (in upper case) that the partition will be overwritten, then prompts for the passphrase of the encrypted drive. Choose a long one: it is the only thing standing between someone holding the disk and your data. <code>xts-plain64</code> is the mode to use rather than the older <code>xts-plain</code>, whose 32-bit sector counter wraps on devices larger than 2 TiB. XTS splits the key into two halves, so <code>--key-size 512</code> gives AES-256; without it cryptsetup defaults to 256 bits, which under XTS is AES-128. <code>luksOpen</code> prompts for the passphrase again and maps the decrypted device to <code>/dev/mapper/dmcrypt_root</code>. You can inspect the header you just wrote with <code>cryptsetup luksDump /dev/sda3</code>.
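As an added example (not part of the original howto), the following shell functions check a LUKS header for the properties the <code>luksFormat</code> command above is meant to produce: AES in <code>xts-plain64</code> mode, a 512-bit master key and at least one enabled key slot. They parse the text that <code>cryptsetup luksDump /dev/sda3</code> prints for a LUKS1 container (LUKS2 uses a different layout and is not handled). The dump embedded below is a constructed sample; its UUID and iteration count are made up.

```shell
# Added example, not part of the original howto: check a LUKS1 header for the
# properties the luksFormat command above is meant to produce. The text is what
# `cryptsetup luksDump /dev/sda3` prints for a LUKS1 container (LUKS2 prints a
# different layout and is not handled here). The dump below is a constructed
# sample; the UUID and iteration count are made up.
SAMPLE_DUMP='LUKS header information for /dev/sda3

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha1
Payload offset: 4096
MK bits:        512
UUID:           0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0

Key Slot 0: ENABLED
        Iterations:             239364
Key Slot 1: DISABLED
Key Slot 2: DISABLED'

# luks_field DUMP NAME -> the value printed after "NAME:" (empty if absent)
luks_field() {
    printf '%s\n' "$1" | sed -n "s/^$2:[[:space:]]*//p" | head -n 1
}

# check_luks_dump DUMP -> 0 when the header is AES, xts-plain64, a 512-bit
# master key (AES-256, since XTS uses two keys) and at least one usable key
# slot; 1 otherwise, with the first problem reported on stderr.
check_luks_dump() {
    dump=$1
    cipher=$(luks_field "$dump" 'Cipher name')
    mode=$(luks_field "$dump" 'Cipher mode')
    bits=$(luks_field "$dump" 'MK bits')
    slots=$(printf '%s\n' "$dump" | grep -c ': ENABLED$' || true)

    [ "$cipher" = aes ] \
        || { echo "unexpected cipher: ${cipher:-none}" >&2; return 1; }
    # xts-plain (without 64) wraps its 32-bit sector counter beyond 2 TiB,
    # which is why the howto formats with xts-plain64.
    [ "$mode" = xts-plain64 ] \
        || { echo "unexpected mode: ${mode:-none}" >&2; return 1; }
    [ "${bits:-0}" -ge 512 ] \
        || { echo "master key only ${bits:-0} bits (AES-128 under XTS)" >&2; return 1; }
    [ "$slots" -ge 1 ] \
        || { echo "no enabled key slot: nothing can unlock this device" >&2; return 1; }
    return 0
}

# On a real system: check_luks_dump "$(cryptsetup luksDump /dev/sda3)"
```

The check is deliberately strict about the mode string: a header reporting <code>xts-plain</code> or a 256-bit master key is rejected, which is exactly what you get if the <code>--cipher</code> or <code>--key-size</code> option is forgotten.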
  
= Create logical volumes =

<console>
# ##i##pvcreate /dev/mapper/dmcrypt_root
# ##i##vgcreate vg /dev/mapper/dmcrypt_root
# ##i##lvcreate -L10G --name root vg
# ##i##lvcreate -L2G --name swap vg
# ##i##lvcreate -L5G --name portage vg
# ##i##lvcreate -l 100%FREE --name home vg
</console>

The physical volume is created on the opened mapping, not on <code>/dev/sda3</code>, so the LVM metadata and every logical volume live inside the encrypted container. That includes swap, which matters: memory written out on suspend-to-disk is then encrypted too. Feel free to specify your desired sizes by altering the numbers after the <code>-L</code> flag. For example, to make your portage volume 20GB, use <code>-L20G</code> instead of <code>-L5G</code>.
  
= Create a filesystem on volumes =

<console>
# ##i##mkfs.ext2 /dev/sda1
# ##i##mkswap /dev/mapper/vg-swap
# ##i##mkfs.ext4 /dev/mapper/vg-root
# ##i##mkfs.ext4 /dev/mapper/vg-portage
# ##i##mkfs.ext4 /dev/mapper/vg-home
</console>
  
= Basic system setup =

<console>
# ##i##swapon /dev/mapper/vg-swap
# ##i##mkdir /mnt/funtoo
# ##i##mount /dev/mapper/vg-root /mnt/funtoo
# ##i##mkdir -p /mnt/funtoo/{boot,usr/portage,home}
# ##i##mount /dev/sda1 /mnt/funtoo/boot
# ##i##mount /dev/mapper/vg-portage /mnt/funtoo/usr/portage
# ##i##mount /dev/mapper/vg-home /mnt/funtoo/home
</console>

Now perform all the steps required for a basic system install; please follow [http://docs.funtoo.org/wiki/Funtoo_Linux_Installation]. Don't forget to emerge the following before your install is finished:

* '''cryptsetup'''
* '''lvm2'''
* '''a bootloader (grub recommended)'''
* '''kernel sources (gentoo-sources recommended)'''
  
= Editing the fstab =

Fire up your favorite text editor to edit <code>/etc/fstab</code>. You want to put the following in the file:

<console>
# <fs>                  <mountpoint>  <type>    <opts>                          <dump/pass>
/dev/sda1               /boot         ext2      noauto,noatime                  1 2
/dev/mapper/vg-swap     none          swap      sw                              0 0
/dev/mapper/vg-root     /             ext4      noatime,nodiratime,defaults     0 1
/dev/sr0                /mnt/cdrom    auto      noauto,ro                       0 0
/dev/mapper/vg-portage  /usr/portage  ext4      noatime,nodiratime              0 0
/dev/mapper/vg-home     /home         ext4      noatime,nodiratime              0 0
</console>

The logical volumes are referenced by their <code>/dev/mapper</code> names. They only exist once the initramfs has opened <code>dmcrypt_root</code> and activated the volume group, which is what the next sections set up.
  
= Kernel options =

{{Note}}This part is particularly important: pay close attention. The initramfs needs device-mapper, the dm-crypt target and the AES and XTS algorithms in the kernel; if any of them is missing, the root device cannot be opened and the boot stops at the initramfs.

{{kernelop
|'''General setup --->'''
|'''[*] Initial RAM filesystem and RAM disk (initramfs/initrd) support'''
}}

{{kernelop
|'''Device Drivers --->''' <br> '''Generic Driver Options --->'''
|'''[*] Maintain a devtmpfs filesystem to mount at /dev''' <br>
}}

{{kernelop
|'''Device Drivers --->''' <br> '''[*] Multiple devices driver support --->'''
|'''<*> Device Mapper Support''' <br> '''<*> Crypt target support'''
}}

{{kernelop
|'''Cryptographic API --->'''
|'''-*- AES cipher algorithms''' <br> '''<*> XTS support'''
}}
  
= Initramfs setup and configuration =

== Better-initramfs ==

'''Build your initramfs with the [https://bitbucket.org/piotrkarbowski/better-initramfs better-initramfs] project.'''

{{note}}better-initramfs supports neither dynamic modules nor udev, so you should compile your kernel with built-in support for your block devices (and for the device-mapper and crypto options listed above).

<console>
# ##i##cd /opt
# ##i##git clone git://github.com/slashbeast/better-initramfs.git
# ##i##cd better-initramfs
# ##i##less README.rst
# ##i##bootstrap/bootstrap-all
# ##i##make prepare
# ##i##make image
</console>

Copy the resulting <code>initramfs.cpio.gz</code> to <code>/boot</code>:

<console># ##i##cp output/initramfs.cpio.gz /boot</console>

Alternatively, a pre-compiled binary initramfs is available at https://bitbucket.org/piotrkarbowski/better-initramfs/downloads

<console>
# ##i##wget https://bitbucket.org/piotrkarbowski/better-initramfs/downloads/release-x86_64-v0.7.2.tar.bz2
# ##i##tar xf release-x86_64-v0.7.2.tar.bz2
# ##i##cd release*
# ##i##gzip initramfs.cpio
# ##i##cp initramfs.cpio.gz /boot
</console>

Keep in mind that the initramfs runs as root before the encrypted system is opened and is the code that reads your passphrase. Unless you have a way to verify a downloaded archive, prefer building it yourself from the cloned source.

Remember, the better-initramfs project is a work in progress, so you need to update it from time to time. This is easily done with <code>git</code>. Go to the better-initramfs source dir and run:

<console>
# ##i##cd /opt/better-initramfs
# ##i##git pull
# ##i##less ChangeLog
</console>

{{Note}}Please read the ChangeLog carefully and perform the necessary updates to <code>/etc/boot.conf</code>. Also, please back up the working <code>/boot/initramfs.cpio.gz</code> and <code>/etc/boot.conf</code> before updating better-initramfs.
  
== Genkernel ==

Funtoo's genkernel is capable of creating an initramfs for an encrypted drive. Compile and install the kernel and initramfs from your favorite kernel sources:

<console>
# ##i##genkernel --kernel-config=/path/to/your/custom-kernel-config --no-mrproper --makeopts=-j5 --install --lvm --luks all
</console>

Configure the bootloader as described below, with the correct kernel and initramfs image names. An example for genkernel and grub2:

{{code|/etc/boot.conf|<pre>
boot {
  generate grub
  default "Funtoo Linux"
  timeout 3
}
"Funtoo Linux" {
  kernel kernel-genkernel-x86_64-2.6.39
  initrd initramfs-genkernel-x86_64-2.6.39
  params += crypt_root=/dev/sda3 dolvm real_root=/dev/mapper/vg-root rootfstype=ext4 resume=swap:/dev/mapper/vg-swap quiet
}</pre>}}

<code>crypt_root</code> names the LUKS partition the genkernel initramfs has to open and <code>real_root</code> the logical volume to mount afterwards; <code>dolvm</code> makes it activate the volume group in between. Adjust <code>crypt_root</code> if your encrypted partition is not <code>/dev/sda3</code>.
  
= Grub2 configuration =

An example of <code>/etc/boot.conf</code> for better-initramfs:

{{code|/etc/boot.conf|<pre>
boot {
  generate grub
  default "Funtoo Linux"
  timeout 3
}
"Funtoo Linux" {
  kernel bzImage[-v]
  initrd /initramfs.cpio.gz
  params += enc_root=/dev/sda3 lvm luks root=/dev/mapper/vg-root rootfstype=ext4 resume=swap:/dev/mapper/vg-swap quiet
}</pre>}}

better-initramfs uses its own parameter names: <code>luks</code> and <code>enc_root</code> tell it which partition to open, <code>lvm</code> to activate the volume group, and <code>root</code> which logical volume to mount. Run <code>boot-update</code> after editing the file so that <code>grub.cfg</code> is regenerated.
  
= Lilo configuration =

For oldschool geeks, an example for the lilo bootloader. Emerge lilo with device-mapper support:

<console>
# ##i##echo 'sys-boot/lilo device-mapper' >> /etc/portage/package.use/lilo
# ##i##emerge lilo
</console>

{{code|/etc/lilo.conf|<pre>append="init=/linuxrc dolvm crypt_root=/dev/sda3 real_root=/dev/mapper/vg-root"
boot=/dev/sda
compact
default=funtoo
lba32
prompt
read-only
timeout=50
image=/boot/kernel-genkernel-x86_64-2.6.39
initrd=/boot/initramfs-genkernel-x86_64-2.6.39
label=funtoo
</pre>}}

The <code>append</code> line uses the genkernel parameter names. Run <code>lilo</code> after every kernel or initramfs change, since lilo records block locations rather than file names.
  
= Syslinux bootloader setup =

Syslinux is another advanced bootloader, which you can find on all live CDs.

<pre>
# emerge syslinux
# mkdir /boot/extlinux
# extlinux --install /boot/extlinux
# dd bs=440 conv=notrunc count=1 if=/usr/share/syslinux/mbr.bin of=/dev/sda
</pre>

or, for a GPT partition table:

<pre>
# sgdisk /dev/sda --attributes=1:set:2
# dd bs=440 conv=notrunc count=1 if=/usr/share/syslinux/gptmbr.bin of=/dev/sda
</pre>

{{code|/boot/extlinux/extlinux.conf|<pre>LABEL kernel1_bzImage-3.2.1
MENU LABEL Funtoo Linux bzImage-3.2.1
LINUX /bzImage-3.2.1
INITRD /initramfs.cpio.gz
APPEND rootfstype=ext4 luks enc_root=/dev/sda3 lvm root=/dev/mapper/vg-root
</pre>}}
  
= Final steps =

Unmount everything, close the encrypted drive and reboot:

<pre>umount /mnt/funtoo/proc (/dev, /home, /usr/portage, /boot)
vgchange -a n
cryptsetup luksClose dmcrypt_root</pre>

<code>luksClose</code> takes the mapping name, not the partition. It refuses to close a mapping that is still in use, which is why the volume group is deactivated with <code>vgchange -a n</code> first.

After reboot you will get the following:

<pre>>>> better-initramfs started. Kernel version 2.6.35-gentoo-r10
>>> Create all the symlinks to /bin/busybox.
>>> Initiating /dev/dir
>>> Getting LVM volumes up (if any)
  Reading all physical volumes. This may take a while...
  No volume group found
  No volume group found
>>> Opening encrypted partition and mapping to /dev/mapper/dmcrypt_root
Enter passphrase for /dev/sda2:</pre>

Type your passphrase. The "No volume group found" lines are expected: at this point the LUKS container is still closed, so LVM cannot see the physical volume yet. The prompt names the partition you passed as <code>enc_root</code> (<code>/dev/sda2</code> on the machine this log was taken from).

<pre>>>> Again, getting LVM volumes up (if any, after map dmcrypt).
  Reading all physical volumes.  This may take a while...
  Found volume group "vg" using metadata type lvm2
  4 logical volume(s) in volume group "vg" now active
>>> Mounting rootfs to /newroot
>>> Umounting /sys and /proc.
>>> Switching root to /newroot and executing /sbin/init.
INIT: version 2.88 booting
Loading /libexec/rc/console/keymap
  OpenRC 0.6.1 is starting up Funtoo Linux (x86_64)
...boot messages omitted for clarity

orion login: oleg
Password:
Last login: Thu Oct 14 20:49:21 EEST 2010 on tty1
oleg@orion ~ %</pre>
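Added example, not part of the original howto: nothing in this setup verifies the kernel and initramfs on the unencrypted <code>/boot</code> partition before they run, and the initramfs is the code that reads your passphrase. A cheap detection measure is to keep a SHA-256 manifest of <code>/boot</code> on the encrypted root and compare it after each boot. The functions below do that with GNU coreutils' <code>sha256sum</code>; the paths <code>/boot</code> and <code>/root/boot.sha256</code> mentioned in the comments are assumptions. The demo builds a throwaway boot tree with constructed file contents and shows that a swapped initramfs and an added file are both reported.

```shell
# Added example, not part of the original howto. The kernel and initramfs on the
# unencrypted /boot partition run before the passphrase is typed and are never
# verified by this setup. These functions keep a SHA-256 manifest of /boot on
# the encrypted root (paths are the caller's choice; /root/boot.sha256 is the
# assumption used in the comments) and report changed, missing or added files.
# Requires GNU coreutils (sha256sum, mktemp) and POSIX find/grep/sed.

# make_manifest DIR FILE -> write "hash  ./path" lines for every regular file in DIR
make_manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2 ) > "$2"
}

# verify_manifest DIR FILE -> 0 if every listed file is unchanged and nothing
# was added to DIR; 1 otherwise, with the offending paths on stderr
verify_manifest() {
    dir=$1
    # sha256sum -c runs inside DIR, so the manifest path must be absolute
    manifest=$(cd "$(dirname "$2")" && pwd)/$(basename "$2")
    status=0

    # changed or deleted files: -c recomputes every listed file
    if ! ( cd "$dir" && sha256sum --status -c "$manifest" ); then
        ( cd "$dir" && sha256sum -c "$manifest" 2>/dev/null | grep -v ': OK$' || true ) >&2
        status=1
    fi

    # added files: an extra kernel dropped next to the real one is just as dangerous
    listed=$(mktemp)
    sed 's/^[0-9a-f]*  //' "$manifest" > "$listed"
    extra=$(cd "$dir" && find . -type f | LC_ALL=C sort | grep -vxF -f "$listed" || true)
    rm -f "$listed"
    if [ -n "$extra" ]; then
        printf 'not in manifest: %s\n' $extra >&2
        status=1
    fi
    return $status
}

# demo_boot_check -> build a throwaway boot tree with constructed contents,
# record it, swap the initramfs and add a file, and return 0 only if the
# clean tree verifies and the tampered one is rejected
demo_boot_check() {
    work=$(mktemp -d)
    mkdir -p "$work/boot/grub"
    printf 'constructed kernel image\n'  > "$work/boot/bzImage"
    printf 'constructed initramfs\n'     > "$work/boot/initramfs.cpio.gz"
    printf 'set timeout=3\n'             > "$work/boot/grub/grub.cfg"

    make_manifest "$work/boot" "$work/boot.sha256"          # at install time
    verify_manifest "$work/boot" "$work/boot.sha256" \
        || { rm -rf "$work"; return 1; }                    # clean tree must pass

    printf 'replaced initramfs\n' > "$work/boot/initramfs.cpio.gz"   # simulated swap
    printf 'stray kernel\n'       > "$work/boot/bzImage.old"         # simulated addition
    if verify_manifest "$work/boot" "$work/boot.sha256" 2>/dev/null; then
        rm -rf "$work"; return 1                            # tampering went unnoticed
    fi
    rm -rf "$work"
    return 0
}

# On the real system: make_manifest /boot /root/boot.sha256 after each kernel
# or initramfs update, and verify_manifest /boot /root/boot.sha256 from a login script.
```

This only detects tampering after the fact, from inside the system that has already booted; an attacker who also patches the check would go unnoticed. It is still worth having, because the swap it catches (a modified initramfs that logs the passphrase) is the obvious attack on this layout, and the manifest lives on the encrypted volume where an offline attacker cannot adjust it.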
  
= Additional links =

* [[gentoo-wiki:Root filesystem over LVM2, DM-Crypt and RAID|Root filesystem over LVM2, DM-Crypt, and RAID]]
* [http://wiki.archlinux.org/index.php/System_Encryption_with_LUKS_for_dm-crypt System Encryption with LUKS for dm-crypt]

[[Category:HOWTO]]
[[Category:Featured]]

Package:Nginx

Revision as of 21:45, December 10, 2011

What is nginx

nginx (pronounced "engine-x") is a web and reverse proxy server for the HTTP, SMTP, POP3 and IMAP protocols. It focuses on high concurrency, performance and low memory usage. nginx delivers static content quickly with efficient use of system resources; dynamic content is handed over the network to FastCGI or SCGI handlers for scripts, to uWSGI application servers, or to the Phusion Passenger module (currently broken in Funtoo). It can furthermore act as a very capable software load balancer. It uses an asynchronous, event-driven approach to handling requests, which gives more predictable performance under load, in contrast to the Apache HTTP server model that uses a threaded or process-oriented approach. nginx is licensed under a BSD-like license and runs on Unix, Linux, BSD variants, Mac OS X, Solaris, AIX and Microsoft Windows.

Installation

USE flags

Before you install nginx, look over the USE flags available for it. They can be set in /etc/portage/package.use or /etc/portage/package.use/nginx, depending on how you have organised package.use.

  • aio - Enables file AIO support
  • debug - Enables extra debug code paths, like asserts and extra output.
  • http - Enables HTTP serving
  • http-cache - Enables caching for HTTP content
  • ipv6 - Enables IPv6 support
  • libatomic - Use libatomic instead of the built-in atomic operations
  • pcre - Enables support for Perl Compatible Regular Expressions
  • ssl - Adds support for SSL/TLS connections
  • vim-syntax - Pulls in the related vim syntax scripts

Furthermore, you can select the nginx HTTP modules you want to build in /etc/make.conf through the NGINX_MODULES_HTTP variable, as NGINX_MODULES_HTTP="module1 module2 ...". Only the modules listed there are compiled in, so leaving out what you do not need keeps the binary and its attack surface small. The available modules are:

  • access
  • addition
  • auth_basic
  • autoindex
  • browser
  • cache_purge
  • charset
  • dav
  • degradation
  • empty_gif
  • ey_balancer
  • fastcgi
  • flv
  • geo
  • geoip
  • gzip
  • gzip_static
  • headers_more
  • image_filter
  • limit_req
  • limit_zone
  • map
  • memcached
  • perl
  • proxy
  • push
  • random_index
  • realip
  • referer
  • rewrite
  • scgi
  • secure_link
  • slowfs_cache
  • split_clients
  • ssi
  • stub_status
  • sub
  • upload
  • upstream_ip_hash
  • userid
  • uwsgi
  • xslt

and the following mail modules as NGINX_MODULES_MAIL in '/etc/make.conf':

  • imap
  • pop3
  • smtp

USE Expanded flags

To summarise: nginx USE flags go into /etc/portage/package.use or /etc/portage/package.use/nginx, while the HTTP and mail modules are selected with NGINX_MODULES_HTTP and NGINX_MODULES_MAIL in /etc/make.conf. Since you will rarely serve only static HTML files, but most commonly PHP files and scripts as well, you should also install PHP with the fpm USE flag enabled, and xcache for caching compiled scripts, which makes your nginx setup considerably faster. For xcache you need to set PHP_TARGETS="php5-3" in /etc/make.conf.

Example, enabling a selection of the flags listed above:

echo "www-servers/nginx aio http http-cache ipv6 pcre ssl" >> /etc/portage/package.use/nginx

Emerging nginx

Now you are ready to install nginx with php and xcache support:

emerge -avt nginx php xcache

so now just check your useflags and press enter to start emerge.

Configuring

All configuration is done in /etc/nginx, with nginx.conf as the main configuration file and the virtual hosts in /etc/nginx/sites-available. To activate a virtual host, symlink /etc/nginx/sites-available/{VHOST} to /etc/nginx/sites-enabled/{VHOST}. An example configuration for such a {VHOST} looks like this:

server {
    listen          80;
    server_name     www.example.com;

    access_log      /var/log/nginx/www.example.com.access_log main;
    error_log       /var/log/nginx/www.example.com.error_log info;

    root /var/www/www.example.com/htdocs;
}

The nginx.conf and sites-available/localhost files are well commented. Customize them to your needs. Make sure you set the listen option correctly: by default it is set to listen on the loopback interface, and if you leave this unchanged other computers on the network will not be able to connect to the server. Also make sure that root points at a directory holding only files meant to be served; everything below it, dotfiles and editor backups included, is reachable by URL.

Configuring PHP FPM

As we already installed PHP with FPM support above, we only need to adjust the following settings in /etc/php/fpm-php5.3/php-fpm.conf:

user = nginx
group = nginx
pm.start_servers = 20

user and group are the account your PHP scripts execute as. Reusing nginx is the simplest choice, but a dedicated account for PHP-FPM limits what a compromised PHP application can read or overwrite (nginx's own configuration and log files, for example). pm.start_servers only has an effect with pm = dynamic. The other options are all well documented, so adjust them to fit your needs.

Configuring xcache

To set up xcache, edit /etc/php/fpm-php5.3/ext-active/xcache. It might look like this:

zend_extension=/usr/lib64/php5.3/lib/extensions/no-debug-zts-20090626/xcache.so
xcache.admin.enable_auth="On"
xcache.admin.user="admin"
xcache.admin.pass=""
xcache.cacher="On"
xcache.size="64M"
xcache.count="9"
xcache.slots="8k"
xcache.ttl="0"
xcache.gc_interval="0"
xcache.var_size="8M"
xcache.var_count="1"
xcache.var_slots="8K"
xcache.var_ttl="0"
xcache.var_maxttl="0"
xcache.var_gc_interval="600"
xcache.readonly_protection="Off"
xcache.mmap_path="/dev/zero"
xcache.coverager="On"
xcache.coveragedump_directory="/tmp/coverager"
xcache.optimizer="On"

Feel free to change the settings. Two of them deserve attention before anything is exposed: xcache.admin.pass is empty here, and xcache.coverager is a development feature that writes coverage dumps into xcache.coveragedump_directory, so it should be Off on a production server. If you want to be able to log in to the admin interface, set xcache.admin.pass to the MD5 hash of your password. That is the form xcache expects; it is a hash, not encryption, and the real protection for the admin pages is the access control you put in front of them. You can obtain the hash with:

php -a
php > echo md5('yourpassword');

and copy the admin interface into your vhost:

cp -a /usr/share/php/xcache/admin /var/www/{VHOST}/htdocs/xcache-admin

Anything under htdocs is served to everyone who can reach the server, so restrict the xcache-admin location in the vhost configuration (for example with allow/deny rules from the access module, or with auth_basic) rather than relying on the xcache login alone, and remove the directory again when you no longer need it.
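Added example, not code from the Funtoo page, from nginx or from xcache: a few shell functions that audit the xcache admin settings before the admin UI goes into a web root, produce the MD5 value xcache.admin.pass expects without starting the PHP shell, and rewrite the ini with the password set and the coverager off. The ini text is a constructed sample modelled on the listing above; the extension path in it is copied from that listing and is not checked for existence.

```shell
# Added example, not code from the Funtoo page, from nginx or from xcache:
# audit the xcache admin settings before the admin UI is copied into a web
# root, compute the MD5 value xcache.admin.pass expects (xcache's format, not
# a choice made here), and emit a corrected ini. The ini text is a constructed
# sample modelled on the listing above; the extension path is taken from that
# listing and is not checked for existence. Needs md5sum from GNU coreutils.
SAMPLE_XCACHE_INI='zend_extension=/usr/lib64/php5.3/lib/extensions/no-debug-zts-20090626/xcache.so
xcache.admin.enable_auth="On"
xcache.admin.user="admin"
xcache.admin.pass=""
xcache.cacher="On"
xcache.size="64M"
xcache.coverager="On"
xcache.coveragedump_directory="/tmp/coverager"'

# ini_value INI KEY_REGEX -> value of the first matching key, quotes stripped
# (KEY_REGEX is a sed basic regex, so dots must be escaped by the caller)
ini_value() {
    printf '%s\n' "$1" \
        | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" \
        | head -n 1 | sed 's/^"//; s/"$//'
}

# xcache_admin_hash PASSWORD -> hex MD5, identical to PHP's md5()
xcache_admin_hash() {
    printf '%s' "$1" | md5sum | cut -d' ' -f1
}

# audit_xcache_ini INI -> 0 if the admin interface may be exposed, 1 otherwise;
# every finding goes to stderr
audit_xcache_ini() {
    ini=$1; rc=0
    auth=$(ini_value "$ini" 'xcache\.admin\.enable_auth')
    pass=$(ini_value "$ini" 'xcache\.admin\.pass')
    cov=$(ini_value "$ini" 'xcache\.coverager')
    case "$auth" in
        [Oo]n|1|[Tt]rue) ;;
        *) echo "xcache.admin.enable_auth is off: admin UI has no login at all" >&2; rc=1 ;;
    esac
    # an empty pass, or the MD5 of the empty string, means anyone can log in
    if [ -z "$pass" ] || [ "$pass" = "$(xcache_admin_hash '')" ]; then
        echo "xcache.admin.pass is empty" >&2; rc=1
    fi
    # the coverager is a development feature that writes dumps into
    # xcache.coveragedump_directory; it has no place in a production ini
    case "$cov" in
        [Oo]n|1|[Tt]rue) echo "xcache.coverager is on" >&2; rc=1 ;;
    esac
    return $rc
}

# fix_xcache_ini INI PASSWORD -> INI with the admin password set and the coverager off
fix_xcache_ini() {
    hash=$(xcache_admin_hash "$2")
    printf '%s\n' "$1" | sed \
        -e "s|^xcache\.admin\.pass=.*|xcache.admin.pass=\"$hash\"|" \
        -e 's|^xcache\.coverager=.*|xcache.coverager="Off"|'
}

# Usage on a real system:
#   audit_xcache_ini "$(cat /etc/php/fpm-php5.3/ext-active/xcache)"
#   fix_xcache_ini "$(cat /etc/php/fpm-php5.3/ext-active/xcache)" 'yourpassword' > /tmp/xcache.new
```

The audit treats the MD5 of the empty string the same as an empty value, because xcache compares the hash of whatever is typed against xcache.admin.pass: either setting lets an empty password through. A passing audit still assumes the nginx-side access restriction described above; the password only protects against someone who can reach the admin pages in the first place.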

Starting the service

Now start the services:

/etc/init.d/php-fpm start
/etc/init.d/nginx start

and make them default:

rc-update add php-fpm default
rc-update add nginx default
