ZFS rootfs over encrypted container
Revision by Fearedbliss (minor edit to "Installing Extlinux")
Revision as of 23:54, 11 January 2013
This tutorial will show you how to install Funtoo on ZFS (rootfs) over an encrypted container.
This tutorial is meant to be an "overlay" over the Regular Funtoo Installation. Follow the normal installation and only use this guide for steps 2, 3, and 8.
Since ZFS was really designed for 64 bit systems, we are only recommending and supporting 64 bit platforms and installations. We will not be supporting 32 bit platforms!
Setting up your environment
In order for us to install Funtoo on ZFS, you will need an environment that provides the ZFS userspace tools. We will be downloading two things, System Rescue CD 3.1.2, and the ZFS SRM (System Rescue Module). This is just a file that when combined with System Rescue CD, gives you ZFS functionality.
Download System Rescue CD 3.1.2
Download the ZFS System Rescue Module
Name: SystemRescueCd-x86-3.1.2 (350 MiB)
Release Date: 2012-12-05
md5sum: 3c1ddfe5f26bb2f979a2ed9dfb504ee3
sha1sum: 217cf7a81380d894b2433c59451787c16bc0af2f
sha256sum: ec0a995875e64ff9816a043737e5cbbb689b7f596b48679116f0a779f3dce673
Once you place the ISO on your USB flash drive, extract the modules from the tarball, and place the .srm and .md5 at the root of your USB filesystem. Further instructions can be found here.
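Before booting the rescue media, compare the downloaded image against the digests listed above. This is an added helper (not part of the original guide) that checks all three digests in one go; the ISO filename is an assumption, and it skips the real check if that file is not present.

```shell
#!/bin/sh
# Added example, not from the original guide: verify a downloaded image
# against the md5/sha1/sha256 values published for it before booting it.
# Any digest passed as an empty string is skipped; returns 0 only if every
# supplied digest matches, 1 on mismatch, 2 if the file is missing.
verify_digests() {
    file=$1; want_md5=$2; want_sha1=$3; want_sha256=$4
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    rc=0
    for algo in md5 sha1 sha256; do
        eval want=\$want_$algo
        [ -n "$want" ] || continue
        got=$("${algo}sum" "$file" | cut -d' ' -f1)
        if [ "$got" = "$want" ]; then
            echo "$algo OK"
        else
            echo "$algo MISMATCH: expected $want, got $got" >&2
            rc=1
        fi
    done
    return $rc
}

# Digests from the guide for SystemRescueCd-x86-3.1.2. The filename is an
# assumption; the check only runs when the ISO is actually in the current directory.
ISO=systemrescuecd-x86-3.1.2.iso
if [ -f "$ISO" ]; then
    verify_digests "$ISO" 3c1ddfe5f26bb2f979a2ed9dfb504ee3 \
        217cf7a81380d894b2433c59451787c16bc0af2f \
        ec0a995875e64ff9816a043737e5cbbb689b7f596b48679116f0a779f3dce673
fi
```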
We will now start to partition the system. Open up a terminal, and type in the following (We will assume it's a fresh drive for simplicity).
Creating partitions
We will be creating two partitions, /boot, and the remaining disk space will be for ZFS.
(All commands will be run as root.)
fdisk (MBR Style)
Create Partition 1 (boot):
Command: n ↵
Partition type: ↵
Partition number: ↵
First sector: ↵
Last sector: +250M ↵
Create Partition 2 (ZFS over encrypted container):
Command: n ↵
Partition type: ↵
Partition number: ↵
First sector: ↵
Last sector: ↵
Command: t ↵
Partition number: 2 ↵
Hex code (type L to list codes): bf ↵
Command: p ↵

Disk /dev/sda: 1000.2 GB, 1000204886016 bytes
255 heads, 63 sectors/track, 121601 cylinders, total 1953525168 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x3e954df7

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1            2048      514047      256000   83  Linux
/dev/sda2          514048  1953525167   976505560   bf  Solaris
gdisk (GPT Style)
Create Partition 1 (boot):
Command: n ↵
Partition Number: ↵
First sector: ↵
Last sector: +250M ↵
Hex Code: ↵
Create Partition 2 (BIOS Boot Partition):
Command: n ↵
Partition Number: ↵
First sector: ↵
Last sector: +32M ↵
Hex Code: EF02 ↵
Only make the above BIOS Boot Partition if you are using GRUB 2 on GPT. If you are using the extlinux bootloader, this partition is not necessary. The instructions below continue as if you did not create this partition and assume you are using extlinux as the bootloader.
Create Partition 2 (or 3, if you created the BIOS Boot Partition) (ZFS over encrypted container):
Command: n ↵
Partition Number: ↵
First sector: ↵
Last sector: ↵
Hex Code: bf01 ↵
Command: p ↵

Disk /dev/sda: 1953525168 sectors, 931.5 GiB
Logical sector size: 512 bytes
Disk identifier (GUID): C0C1E56A-B24F-492F-95DB-2E227676F228
Partition table holds up to 128 entries
First usable sector is 34, last usable sector is 1953525134
Partitions will be aligned on 2048-sector boundaries
Total free space is 2014 sectors (1007.0 KiB)

Number  Start (sector)    End (sector)  Size       Code  Name
   1            2048          514047   250.0 MiB   8300  Linux filesystem
   2          514048      1953525134   931.3 GiB   BF01  Solaris /usr & Mac ZFS
Format your boot volume
# mkfs.ext4 /dev/sda1
Create the crypto container
Be aware that this step can take a lot of time; 1-2 days is possible depending on your disk size. The bs option in the next commands matters: with a large block size you do not need to know the exact disk size, and dd simply fills the disk to its end with data for the crypto container.
# dd if=/dev/zero of=/dev/sda2 bs=100M
# dd if=/dev/urandom of=/dev/sda2 bs=100M
Next we create the crypto container in the partition prepared above, then open it:
# cryptsetup -c aes-xts-plain64 luksFormat /dev/sda2
# cryptsetup luksOpen /dev/sda2 enc-root
This opens the crypto container at /dev/mapper/enc-root, which will from now on be the device for our ZFS pool.
Create the zpool
We will first create the pool. The pool will be named `rpool` and the disk will be aligned to 4096-byte sectors (using ashift=12).
# zpool create -f -o ashift=12 -o cachefile= -O compression=on -m none -R /mnt/funtoo rpool /dev/mapper/enc-root
Create the zfs datasets
We will now create some datasets. For this installation, we will create a small but future proof amount of datasets. We will have a dataset for the OS (/), and your swap. We will also show you how to create some optional datasets: /home, /var, /usr/src, and /usr/portage.
Create some empty containers for organization purposes, and make the dataset that will hold /
# zfs create -o mountpoint=none rpool/ROOT
# zfs create -o mountpoint=/ rpool/ROOT/funtoo

Optional, but recommended datasets: /home, /root
# zfs create -o mountpoint=/home rpool/HOME
# zfs create -o mountpoint=/root rpool/HOME/root

Optional datasets: /usr/src, /var
# zfs create -o mountpoint=none rpool/FUNTOO
# zfs create -o mountpoint=/usr/src rpool/FUNTOO/src
# zfs create -o mountpoint=/var rpool/FUNTOO/var
Creating a separate portage dataset (optional)
Creating a separate portage dataset could be useful if you would like to keep your portage tree, distfiles (source code files), and packages (your compiled binaries, if you have FEATURES="buildpkg" enabled) in a safe place, or if you want to back this directory up easily.
This requires a few extra steps because we can't just do a regular emerge --sync when we initially chroot. We will need to download a portage snapshot tarball and extract it into the directory.
The required steps for getting and extracting the snapshot will be shown later on in the guide once you chroot into the environment. For now just create the datasets:
# zfs create -o mountpoint=/usr/portage -o compression=off rpool/FUNTOO/portage
# zfs create -o mountpoint=/usr/portage/distfiles -o compression=off rpool/FUNTOO/distfiles
Create your swap dataset
Make your swap 1G larger than your RAM. An 8G machine would have 9G of swap (this is kinda big, though).
# zfs create -o sync=always -o primarycache=metadata -o secondarycache=none -V 9G rpool/swap
Format your swap dataset
# mkswap -f /dev/zvol/rpool/swap
# swapon /dev/zvol/rpool/swap
Alright that finishes the creation of the zpool and zfs datasets. Check to make sure everything appears fine:
# zpool status
# zfs list
Copy the zpool.cache file to your new environment.
# mkdir -p /mnt/funtoo/etc/zfs
# cp /etc/zfs/zpool.cache /mnt/funtoo/etc/zfs
Make an empty mtab file
# touch /mnt/funtoo/etc/mtab
Now we will continue to install funtoo.
Installing Funtoo
Download and install the Funtoo stage3 and continue installation as normal.
Then chroot into your new funtoo environment:
# cd /mnt/funtoo

Mount your boot drive
# mount /dev/sda1 /mnt/funtoo/boot

Bind the kernel related directories
# for i in proc dev sys; do mount --bind /$i ./$i; done

Copy network settings
# cp /etc/resolv.conf etc/

chroot into your new funtoo environment
# env -i HOME=/root TERM=$TERM chroot . bash -l
Syncing your portage tree
If you didn't create a separate portage dataset, then just sync your portage tree as normal.
# emerge --sync
If you did create a separate portage dataset, let's now get the portage snapshot set up.
Change into your /usr directory
# cd /usr

Download and extract the portage snapshot
# wget http://ftp.osuosl.org/pub/funtoo/funtoo-current/snapshots/portage-latest.tar.xz
# tar xf portage-latest.tar.xz

Change into your portage directory and check out the funtoo branch
# cd portage
# git checkout funtoo.org

Now sync your portage tree
# emerge --sync
Kernel Configuration
Tested with kernel 2.6.32, 3.2.34, 3.6.9, 3.7.1.
When you get to the kernel, make sure that you disable the CFQ scheduler and turn on No-op (it becomes the default once you disable all the other schedulers). The reason for this is that ZFS has its own scheduler and the CFQ one conflicts with it.
Go to your kernel config, and make sure you have the following: (there should be a /usr/src/linux symlink as well)
ZLIB_INFLATE/DEFLATE must be compiled into the kernel (not as a module).
> ZLIB_INFLATE [=y], ZLIB_DEFLATE [=y]

General setup --->
> [*] Initial RAM filesystem and RAM disk (initramfs/initrd) support
> ()  Initramfs source file(s)

[*] Enable loadable module support --->
> [*] Module unloading

Enable the block layer --->
> IO Schedulers --->
>> < > Deadline I/O scheduler
>> < > CFQ I/O scheduler
>> Default I/O scheduler (No-op)

Device Drivers --->
> Generic Driver Options --->
>> [*] Maintain a devtmpfs filesystem to mount at /dev
>> [*] Automount devtmpfs at /dev, after the kernel mounted the rootfs

Cryptographic API --->
> <*> XTS support
> -*- AES cipher algorithms

* All other drivers required to see your PATA/SATA drives must be compiled in.
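The list above is easy to get subtly wrong (an option built as a module looks enabled but is not available before the initramfs has opened the root). This added helper, not from the original guide, checks a kernel .config against the list; the Kconfig symbol names are my mapping of the menu entries above, and it runs here against a constructed sample config with two deliberate mistakes.

```shell
#!/bin/sh
# Added example, not from the original guide: check a kernel .config for the
# options this guide requires. Prints one line per problem and returns 0 only
# when every option is as required.
check_zfs_kernel_config() {
    cfg=$1
    rc=0
    # Options the guide wants built in (=y). A module (=m) is reported separately,
    # because it looks enabled but is not available when the initramfs needs it.
    for sym in CONFIG_ZLIB_INFLATE CONFIG_ZLIB_DEFLATE CONFIG_BLK_DEV_INITRD \
               CONFIG_MODULES CONFIG_MODULE_UNLOAD CONFIG_DEVTMPFS \
               CONFIG_DEVTMPFS_MOUNT CONFIG_CRYPTO_XTS CONFIG_CRYPTO_AES \
               CONFIG_DEFAULT_NOOP; do
        if grep -q "^$sym=y$" "$cfg"; then
            :
        elif grep -q "^$sym=m$" "$cfg"; then
            echo "$sym is a module (=m) but must be built in (=y)"; rc=1
        else
            echo "$sym is not set"; rc=1
        fi
    done
    # Schedulers the guide disables so that No-op is the default.
    for sym in CONFIG_IOSCHED_CFQ CONFIG_IOSCHED_DEADLINE; do
        if grep -q "^$sym=[ym]$" "$cfg"; then
            echo "$sym is enabled but the guide disables it"; rc=1
        fi
    done
    return $rc
}

# Constructed sample config (not taken from a real kernel tree): XTS was built
# as a module and CFQ was left on, so both should be reported.
SAMPLE_CONFIG=$(mktemp)
cat > "$SAMPLE_CONFIG" <<'EOF'
CONFIG_ZLIB_INFLATE=y
CONFIG_ZLIB_DEFLATE=y
CONFIG_BLK_DEV_INITRD=y
CONFIG_MODULES=y
CONFIG_MODULE_UNLOAD=y
CONFIG_DEVTMPFS=y
CONFIG_DEVTMPFS_MOUNT=y
CONFIG_CRYPTO_XTS=m
CONFIG_CRYPTO_AES=y
CONFIG_DEFAULT_NOOP=y
CONFIG_IOSCHED_CFQ=y
# CONFIG_IOSCHED_DEADLINE is not set
EOF
# On a real tree run it against /usr/src/linux/.config instead of the sample.
check_zfs_kernel_config "$SAMPLE_CONFIG" || true
```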
Continue and compile/install your kernel:
# make bzImage
# make modules_install
# cp arch/x86_64/boot/bzImage /boot/bzImage-<Kernel-version>
Installing the ZFS userspace tools
# emerge -av zfs
Check that the zfs tools are working; the pool recorded in the zpool.cache file you copied earlier should be displayed.
# zpool status
# zfs list
If everything worked, continue.
Bliss Initramfs Creator
Make sure you compile sys-apps/busybox and sys-fs/cryptsetup with the static flag.
# echo "sys-apps/busybox static" >> /etc/portage/package.use/busybox
# echo "sys-fs/cryptsetup static" >> /etc/portage/package.use/cryptsetup
# echo "sys-libs/e2fsprogs-libs static-libs" >> /etc/portage/package.use/e2fsprogs-libs
# echo "dev-libs/popt static-libs" >> /etc/portage/package.use/popt
# echo "sys-apps/util-linux static-libs" >> /etc/portage/package.use/util-linux
# emerge -avt sys-apps/busybox sys-fs/cryptsetup
Clone my creator which is located at: git://github.com/fearedbliss/Bliss-Initramfs-Creator.git
# git clone git://github.com/fearedbliss/Bliss-Initramfs-Creator.git
# cd Bliss-Initramfs-Creator
Then run the script as root, and place the initrd into /boot:
# ./createInit
Choose option 2 (ZFS+LUKS)
# mv initrd-<kernel_name>.img /boot
<kernel_name> is the name you selected in the initramfs creator, and the name of the output file.
Once you do this just go to your bootloader config, and add it in there.
Example:
kernel name is: bzImage-3.7.1-ALL
initramfs name is: initrd-3.7.1-ALL.img
pool root is: rpool/ROOT/funtoo
encrypted root is: /dev/sda2
Installing Extlinux
To install extlinux, first merge syslinux:
# emerge -avt syslinux
Next, prepare your /boot folder:
# install -d /boot/extlinux
# extlinux --install /boot/extlinux
# cd /boot
# ln -s . boot
Finally, install extlinux into your boot record:
MBR
# dd bs=440 conv=notrunc count=1 if=/usr/share/syslinux/mbr.bin of=/dev/sda
# cp /usr/share/syslinux/menu.c32 /boot/extlinux/
# touch /boot/extlinux/extlinux.conf
GPT
# sgdisk /dev/sda --attributes=1:set:2
# sgdisk /dev/sda --attributes=1:show
1:2:1 (legacy BIOS bootable)
# dd bs=440 conv=notrunc count=1 if=/usr/share/syslinux/gptmbr.bin of=/dev/sda
# cp /usr/share/syslinux/menu.c32 /boot/extlinux/
# touch /boot/extlinux/extlinux.conf
Config Extlinux
Open /boot/extlinux/extlinux.conf with your favorite editor and add the following to it:
TIMEOUT 30
UI menu.c32
MENU TITLE Funtoo Boot Menu
MENU COLOR title 1;37;40
MENU COLOR border 30;40
MENU COLOR unsel 37;40

LABEL funtoo bzImage-<Kernel-Version>
    MENU LABEL Funtoo Linux bzImage-<Kernel-Version>
    KERNEL /bzImage-<Kernel-Version>
    INITRD /initrd-<Kernel-Version>.img
    APPEND enc_root=/dev/sda2 pool_root=rpool/ROOT/funtoo
Final configuration
Add the zfs tools to openrc
# rc-update add zfs boot
# rc-update add zfs-shutdown shutdown
Add filesystems to /etc/fstab
# nano /etc/fstab
# <fs> <mountpoint> <type> <opts> <dump/pass>
/dev/sda1 /boot ext4 defaults 1 2
/dev/zvol/rpool/swap none swap sw 0 0
Clean up and reboot
We are almost done, we are just going to clean up and unmount whatever we mounted and get out.
Delete the stage3/portage tarballs you downloaded earlier so they don't take up space.
# cd /
# rm stage3-latest.tar.xz
# rm /usr/portage-latest.tar.xz

Set your root password
# passwd
>> Enter your password, you won't see what you are writing (for security reasons), but it is there!

Get out of the chroot environment
# exit

Unmount all the kernel filesystem stuff and boot
# cd /mnt/funtoo
# umount proc dev sys boot

Turn off the swap
# swapoff /dev/zvol/rpool/swap

Export the zpool
# cd /
# zpool export -f rpool

Reboot
# reboot
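A forgotten bind mount under /mnt/funtoo is the usual reason the export step above needs -f or fails outright. This added check, not part of the original guide, lists the non-ZFS mounts still under the install root in the order they should be unmounted (zpool export unmounts the pool's own datasets itself, so those are left out); it reads a mounts table in /proc/mounts format, and the sample table below is constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example, not from the original guide: find non-ZFS mounts still under
# the install root so they can be unmounted, deepest first, before zpool export.
# Takes a file in /proc/mounts format; on a live system pass /proc/mounts.
mounts_under() {
    root=$1; table=${2:-/proc/mounts}
    # Field 2 is the mount point, field 3 the fs type. Match the root itself or
    # anything below it (the "/" keeps /mnt/funtoo-other from matching), skip
    # zfs datasets, then sort by path length so children come before parents.
    awk -v r="$root" '$3 != "zfs" && ($2 == r || index($2, r "/") == 1) {
        print length($2) " " $2 }' "$table" | sort -rn | cut -d' ' -f2-
}

# Returns 0 when nothing non-ZFS is left under the root (safe to export), 1 otherwise.
ready_to_export() {
    root=$1; table=${2:-/proc/mounts}
    left=$(mounts_under "$root" "$table")
    if [ -n "$left" ]; then
        echo "still mounted under $root (unmount in this order):" >&2
        echo "$left" >&2
        return 1
    fi
    return 0
}

# Constructed sample: the chroot's proc/dev bind mounts and /boot were never
# unmounted; the zfs lines are expected and must not be reported.
SAMPLE_MOUNTS=$(mktemp)
cat > "$SAMPLE_MOUNTS" <<'EOF'
rpool/ROOT/funtoo /mnt/funtoo zfs rw,xattr 0 0
rpool/HOME /mnt/funtoo/home zfs rw,xattr 0 0
/dev/sda1 /mnt/funtoo/boot ext4 rw,relatime 0 0
proc /mnt/funtoo/proc proc rw 0 0
devtmpfs /mnt/funtoo/dev devtmpfs rw 0 0
devpts /mnt/funtoo/dev/pts devpts rw 0 0
tmpfs /mnt/funtoo-other tmpfs rw 0 0
EOF
ready_to_export /mnt/funtoo "$SAMPLE_MOUNTS" || true
```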
and that should be enough to get your system to boot on ZFS.
Extra: After reboot
After you restart your machine and you're inside your desktop, continue to set up anything you need in terms of /etc configuration. Once you have everything the way you like it, take a snapshot of your system. You will use this snapshot to revert to this state if anything ever happens to your system down the road. Snapshots are cheap and almost instant. To take a snapshot of your rootfs, type the following:
# zfs snapshot rpool/ROOT/funtoo@install
To see if your snapshot was taken, type:
# zfs list -t snapshot
If your machine ever fails and you need to get back to this state, just type:
# zfs rollback rpool/ROOT/funtoo@install
Enjoy your new install on ZFS :)
Getting back into your ZFS pool in case of emergency
If you ever need to get back into your ZFS pool in case of an emergency (missing rebuild of modules, unable to boot, etc) reboot your box with the System Rescue USB you created earlier, then issue the following commands:
# depmod
# cryptsetup luksOpen /dev/sda2 enc-root
# zpool import -f -o cachefile= -R /mnt/funtoo rpool
Now you should be able to mount the system like we did earlier in this Guide (chroot instructions), fix your problem and enjoy.