ZFS rootfs over encrypted container

From Funtoo Linux

Revision as of 08:08, 3 January 2013

This tutorial will show you how to install Funtoo on ZFS (rootfs) over an encrypted container. It is meant to be an "overlay" over the Regular Funtoo Installation: follow the normal installation and use this guide only for steps 2, 3, and 8.

Since ZFS was really designed for 64 bit systems, we are only recommending and supporting 64 bit platforms and installations. We will not be supporting 32 bit platforms!

== Setting up your environment ==

In order for us to install Funtoo on ZFS, you will need an environment that provides the ZFS userspace tools. We will be downloading two things: System Rescue CD 3.1.2, and the ZFS SRM (System Rescue Module). The SRM is just a file that, when combined with System Rescue CD, gives you ZFS functionality.

Download System Rescue CD 3.1.2
Download the ZFS System Rescue Module

Name: SystemRescueCd-x86-3.1.2 (350 MiB)
Release Date: 2012-12-05
md5sum: 3c1ddfe5f26bb2f979a2ed9dfb504ee3
sha1sum: 217cf7a81380d894b2433c59451787c16bc0af2f
sha256sum: ec0a995875e64ff9816a043737e5cbbb689b7f596b48679116f0a779f3dce673
Once you place the ISO on your USB flash drive, extract the modules from the tarball, and place the .srm and .md5 at the root of your USB filesystem. Further instructions can be found here. We will now start to partition the system. Open up a terminal, and type in the following (we will assume it's a fresh drive for simplicity).

== Creating partitions ==

We will be creating two partitions: /boot, and the remaining disk space for ZFS. (All commands will be run as root.)

=== fdisk (MBR Style) ===

Create Partition 1 (boot):

Command: n ↵
Partition type: ↵
Partition number: ↵
First sector: ↵
Last sector: +250M ↵
Create Partition 2 (ZFS over encrypted container):
Command: n ↵
Partition type: ↵
Partition number: ↵
First sector: ↵
Last sector: ↵
Command: t ↵
Partition number: 2 ↵
Hex code (type L to list codes): bf ↵
Command: p ↵

Disk /dev/sda: 1000.2 GB, 1000204886016 bytes
255 heads, 63 sectors/track, 121601 cylinders, total 1953525168 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x3e954df7

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1            2048      514047      256000   83  Linux
/dev/sda2          514048  1953525167   976505560   bf  Solaris

=== gdisk (GPT Style) ===

Create Partition 1 (boot):

Command: n ↵
Partition Number: ↵
First sector: ↵
Last sector: +250M ↵
Hex Code: ↵
Create Partition 2 (BIOS Boot Partition):
Command: n ↵
Partition Number: ↵
First sector: ↵
Last sector: +32M ↵
Hex Code: EF02 ↵

Only make the above BIOS Boot Partition if you are using GRUB 2 on GPT. If you are using the extlinux bootloader, this partition is not necessary. The instructions below continue as if you did not create this partition and assume you are using extlinux as the bootloader.

Create Partition 2 (ZFS over encrypted container):
Command: n ↵
Partition Number: ↵
First sector: ↵
Last sector: ↵
Hex Code: bf01 ↵
Command: p ↵

Disk /dev/sda: 1953525168 sectors, 931.5 GiB
Logical sector size: 512 bytes
Disk identifier (GUID): C0C1E56A-B24F-492F-95DB-2E227676F228
Partition table holds up to 128 entries
First usable sector is 34, last usable sector is 1953525134
Partitions will be aligned on 2048-sector boundaries
Total free space is 2014 sectors (1007.0 KiB)

Number  Start (sector)    End (sector)  Size       Code  Name
   1            2048          514047   250.0 MiB   8300  Linux filesystem
   2          514048      1953525134   931.3 GiB   BF01  Solaris /usr & Mac ZFS
=== Format your boot volume ===
# mkfs.ext4 /dev/sda1
=== Create the crypto container ===

Be aware that this step will take a lot of time: 1-2 days is possible depending on your disk size. The bs argument in the next commands is important: with a large block size and no count, you do not need to know the exact partition size, and dd simply fills the partition to the end with data for the cryptocontainer. Filling it with random data first means that the blocks which later hold encrypted data cannot be told apart from unused space.

# dd if=/dev/zero of=/dev/sda2 bs=100M
# dd if=/dev/urandom of=/dev/sda2 bs=100M

Next we will create the cryptocontainer in the partition we just prepared, and open the container after that:

# cryptsetup -c aes-xts-plain64 luksFormat /dev/sda2
# cryptsetup luksOpen /dev/sda2 enc-root
Password:

This opens the cryptocontainer as /dev/mapper/enc-root, which will from now on be the device for our ZFS pool.

=== Create the zpool ===

We will first create the pool. The pool will be named `rpool` and the disk will be aligned to 4096-byte sectors (using ashift=12):
# zpool create -f -o ashift=12 -o cachefile= -O compression=on -m none -R /mnt/funtoo rpool /dev/mapper/enc-root
=== Create the zfs datasets ===

We will now create some datasets. For this installation, we will create a small but future-proof set of datasets. We will have a dataset for the OS (/), and your swap. We will also show you how to create some optional datasets: /home, /var, /usr/src, and /usr/portage.

Create some empty containers for organization purposes, and make the dataset that will hold /:

# zfs create -o mountpoint=none rpool/ROOT
# zfs create -o mountpoint=/ rpool/ROOT/funtoo

Optional, but recommended datasets: /home, /root

# zfs create -o mountpoint=/home rpool/HOME
# zfs create -o mountpoint=/root rpool/HOME/root

Optional datasets: /usr/src, /var

# zfs create -o mountpoint=none rpool/FUNTOO
# zfs create -o mountpoint=/usr/src rpool/FUNTOO/src
# zfs create -o mountpoint=/var rpool/FUNTOO/var

==== Creating a separate portage dataset (optional) ====

Creating a separate portage dataset could be useful if you would like to keep your portage tree, distfiles (source code files), and packages (your compiled binaries if you have FEATURES="buildpkg" enabled) in a safe place, or if you want to back this directory up easily. This requires a few extra steps because we can't just do a regular emerge --sync when we initially chroot. We will need to download a portage snapshot tarball and extract it into the directory. The required steps for getting and extracting the snapshot will be shown later on in the guide once you chroot into the environment. For now just create the datasets:

# zfs create -o mountpoint=/usr/portage -o compression=off rpool/FUNTOO/portage
# zfs create -o mountpoint=/usr/portage/distfiles -o compression=off rpool/FUNTOO/distfiles

=== Create your swap dataset ===

Make your swap 1G greater than your RAM. An 8G machine would have 9G of swap (this is kinda big though).
# zfs create -o sync=always -o primarycache=metadata -o secondarycache=none -V 9G rpool/swap
=== Format your swap dataset ===
# mkswap -f /dev/zvol/rpool/swap
# swapon /dev/zvol/rpool/swap
Alright that finishes the creation of the zpool and zfs datasets. Check to make sure everything appears fine:
# zpool status
# zfs list
Copy the zpool.cache file to your new environment.
# mkdir -p /mnt/funtoo/etc/zfs
# cp /etc/zfs/zpool.cache /mnt/funtoo/etc/zfs
Make an empty mtab file
# touch /mnt/funtoo/etc/mtab
Now we will continue to install funtoo.

== Installing Funtoo ==

Download and install the Funtoo stage3 and continue installation as normal. Then chroot into your new funtoo environment:

# cd /mnt/funtoo

Mount your boot drive:
# mount /dev/sda1 /mnt/funtoo/boot

Bind the kernel related directories:
# mount --bind /proc ./proc
# mount --bind /dev ./dev
# mount --bind /sys ./sys

Copy network settings:
# cp /etc/resolv.conf etc/

Chroot into your new funtoo environment:
# env -i HOME=/root TERM=$TERM chroot . bash -l

=== Syncing your portage tree ===

==== If you didn't create a separate portage dataset, then just sync your portage tree as normal. ====
# emerge --sync
==== If you did create a separate portage dataset, let's now get the portage snapshot set up. ====
Change into your /usr directory:
# cd /usr

Download and extract the portage snapshot:
# wget http://ftp.osuosl.org/pub/funtoo/funtoo-current/snapshots/portage-latest.tar.xz
# tar xf portage-latest.tar.xz

Change into your portage directory and check out the funtoo branch:
# cd portage
# git checkout funtoo.org

Now sync your portage tree:
# emerge --sync

== Kernel Configuration ==

Tested with kernel 2.6.32, 3.2.34, 3.6.9, 3.7.1.

When you get up to the kernel, make sure that you disable the CFQ scheduler and turn on No-op (it's the default one once you disable all other schedulers). The reason for this is that ZFS has its own scheduler and the CFQ one conflicts with it.

Go to your kernel config, and make sure you have the following (there should be a /usr/src/linux symlink as well):

ZLIB_INFLATE/DEFLATE must be compiled into the kernel (not as a module).
> ZLIB_INFLATE [=y], ZLIB_DEFLATE [=y]

General setup --->
> [*] Initial RAM filesystem and RAM disk (initramfs/initrd) support
> () Initramfs source file(s)

[*] Enable loadable module support --->
> [*] Module unloading

Enable the block layer --->
> IO Schedulers --->
>> < > Deadline I/O scheduler
>> < > CFQ I/O scheduler
>> Default I/O scheduler (No-op)

Device Drivers --->
> Generic Driver Options --->
>> [*] Maintain a devtmpfs filesystem to mount at /dev
>> [*] Automount devtmpfs at /dev, after the kernel mounted the rootfs

Cryptographic API --->
> <*> XTS support
> -*- AES cipher algorithms

* All other drivers required to see your PATA/SATA drives must be compiled in.
Continue and compile/install your kernel:
# make bzImage
# make modules_install
# cp arch/x86_64/boot/bzImage /boot/bzImage-<Kernel-version>
== Installing the ZFS userspace tools ==
# emerge -av spl zfs zfs-kmod
Check to make sure that the zfs tools are working; the zpool.cache file that you copied before should be displayed.

# zpool status
# zfs list

If everything worked, continue.

== Bliss Initramfs Creator ==

Make sure you compile sys-apps/busybox with the static flag.

# echo "sys-apps/busybox static" >> /etc/portage/package.use/busybox
# echo "sys-fs/cryptsetup static" >> /etc/portage/package.use/cryptsetup
# echo "sys-libs/e2fsprogs-libs static-libs" >> /etc/portage/package.use/e2fsprogs-libs
# echo "dev-libs/popt static-libs" >> /etc/portage/package.use/popt
# echo "sys-apps/util-linux static-libs" >> /etc/portage/package.use/util-linux
# emerge -avt sys-apps/busybox sys-fs/cryptsetup

Clone my creator, which is located at git://github.com/fearedbliss/Bliss-Initramfs-Creator.github, and for now check out the next branch (the local branch is created from origin/next so that it tracks the remote branch):

# git clone git://github.com/fearedbliss/Bliss-Initramfs-Creator.git
# cd Bliss-Initramfs-Creator
# git checkout -b next origin/next
Then run the script as root, and place the initrd into /boot
# cd Bliss-Initramfs-Creator
# ./createInit

Choose Option 2 (ZFS+LUKS).

# mv initrd-<kernel_name>.img /boot

<kernel_name> is the name of what you selected in the initramfs creator, and the name of the outputted file. Once you do this just go to your bootloader config, and add it in there.

Example:
kernel name is: vmlinuz-3.7.1-ALL
initramfs name is: initrd-3.7.1-ALL.img
pool name is: rpool
encrypted root is: /dev/sda2

== Installing Extlinux ==

To install extlinux first merge syslinux:
# emerge -avt syslinux
Next, prepare your /boot folder:

# install -d /boot/extlinux
# extlinux --install /boot/extlinux
# cd /boot
# ln -s . boot

Finally, install Extlinux into your Boot Record.

=== MBR ===

# dd bs=440 conv=notrunc count=1 if=/usr/share/syslinux/mbr.bin of=/dev/sda
# cp /usr/share/syslinux/menu.c32 /boot/extlinux/
# touch /boot/extlinux/extlinux.conf

=== GPT ===

# sgdisk /dev/sda --attributes=1:set:2
# sgdisk /dev/sda --attributes=1:show
1:2:1 (legacy BIOS bootable)
# dd bs=440 conv=notrunc count=1 if=/usr/share/syslinux/gptmbr.bin of=/dev/sda
# cp /usr/share/syslinux/menu.c32 /boot/extlinux/
# touch /boot/extlinux/extlinux.conf

=== Config Extlinux ===

Open /boot/extlinux/extlinux.conf with your favorite editor and add the following to it:

TIMEOUT 30
UI menu.c32
MENU TITLE Funtoo Boot Menu
MENU COLOR title        1;37;40
MENU COLOR border       30;40
MENU COLOR unsel        37;40

LABEL funtoo bzImage-<Kernel-Version>
  MENU LABEL Funtoo Linux bzImage-<Kernel-Version>
  KERNEL /bzImage-<Kernel-Version>
  INITRD /initrd-<Kernel-Version>.img
  APPEND enc_root=/dev/sda2 pool_name=rpool
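Before the final reboot it is worth checking that the pieces configured above actually line up. The script below is an added example, not part of the Funtoo guide or of the Bliss initramfs project: it verifies that the kernel options this page requires are built in (=y, not =m) and that the extlinux entry points at a kernel and initrd that exist in /boot and carries the enc_root and pool_name parameters. The Kconfig symbol names are my mapping of the menu entries listed in the kernel section; the default file paths and the script name check-zfs-boot.sh are assumptions.

```shell
#!/bin/sh
# Pre-reboot sanity check for the ZFS-over-LUKS setup (added example, not
# from the guide). Assumed defaults: /usr/src/linux/.config for the kernel
# config, /boot/extlinux/extlinux.conf for the boot entry, /boot for files.

# Kconfig symbols for the menu entries the guide requires built in (=y, not
# =m): zlib for ZFS, initramfs support, devtmpfs for /dev, XTS+AES for LUKS.
REQUIRED_CONFIG="CONFIG_ZLIB_INFLATE CONFIG_ZLIB_DEFLATE CONFIG_BLK_DEV_INITRD
CONFIG_DEVTMPFS CONFIG_DEVTMPFS_MOUNT CONFIG_CRYPTO_XTS CONFIG_CRYPTO_AES"

# check_kernel_config FILE: 0 if every required option is =y, else list
# the missing or modular ones and return 1.
check_kernel_config() {
    rc=0
    for opt in $REQUIRED_CONFIG; do
        if ! grep -q "^${opt}=y\$" "$1"; then
            echo "missing or modular: $opt"
            rc=1
        fi
    done
    return $rc
}

# extlinux_value CONF KEY: print the value of the first KEY line (KERNEL,
# INITRD, APPEND, ...) in an extlinux.conf, leading indentation stripped.
extlinux_value() {
    awk -v key="$2" '$1 == key { sub("^[ \t]*" key "[ \t]+", ""); print; exit }' "$1"
}

# check_boot_entry CONF BOOTDIR: the kernel and initrd named in the entry
# must exist under BOOTDIR, and APPEND must carry the two parameters the
# initramfs reads: enc_root=<LUKS partition> and pool_name=<pool>.
check_boot_entry() {
    conf=$1; bootdir=$2; rc=0
    for key in KERNEL INITRD; do
        f=$(extlinux_value "$conf" "$key"); f=${f#/}
        [ -n "$f" ] && [ -f "$bootdir/$f" ] || { echo "$key missing: $bootdir/$f"; rc=1; }
    done
    append=$(extlinux_value "$conf" APPEND)
    case " $append " in *" enc_root="*) ;; *) echo "APPEND lacks enc_root="; rc=1 ;; esac
    case " $append " in *" pool_name="*) ;; *) echo "APPEND lacks pool_name="; rc=1 ;; esac
    return $rc
}

# Run both checks when executed as check-zfs-boot.sh (not when sourced).
if [ "${0##*/}" = "check-zfs-boot.sh" ]; then
    check_kernel_config "${1:-/usr/src/linux/.config}" &&
    check_boot_entry "${2:-/boot/extlinux/extlinux.conf}" "${3:-/boot}" &&
    echo "OK: kernel config and boot entry look consistent"
fi
```

Run it inside the chroot as `sh check-zfs-boot.sh` (or pass your own .config, extlinux.conf and boot directory as the three arguments); a non-zero exit lists what still needs fixing.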
== Final configuration ==

=== Add the zfs tools to openrc ===

# rc-update add zfs boot
# rc-update add zfs-shutdown shutdown
=== Add filesystems to /etc/fstab ===
# nano /etc/fstab

# <fs>                  <mountpoint>    <type>          <opts>          <dump/pass>
/dev/sda1               /boot           ext4            defaults        1 2
/dev/zvol/rpool/swap    none            swap            sw              0 0

=== Clean up and reboot ===

We are almost done; we are just going to clean up, unmount whatever we mounted, and get out.

Delete the stage3/portage tarballs you downloaded earlier so they don't take up space:
# cd /
# rm stage3-latest.tar.xz
# rm /usr/portage-latest.tar.xz

Get out of the chroot environment:
# exit

Unmount all the kernel filesystem stuff and boot:
# cd /mnt/funtoo
# umount proc dev sys boot

Turn off the swap:
# swapoff /dev/zvol/rpool/swap

Export the zpool:
# cd /
# zpool export -f rpool

Reboot:
# reboot

That should be enough to get your system to boot on ZFS.

== Extra: After reboot ==

After you restart your machine and you're inside your desktop, continue to set up anything you need in terms of /etc configurations. Once you have everything the way you like it, take a snapshot of your system. You will be using this snapshot to revert back to this state if anything ever happens to your system down the road. The snapshots are cheap, and almost instant. To take the snapshot of your rootfs, type the following:
# zfs snapshot rpool/ROOT/funtoo@install
To see if your snapshot was taken, type:
# zfs list -t snapshot
If your machine ever fails and you need to get back to this state, just type:
# zfs rollback rpool/ROOT/funtoo@install
Enjoy your new install on ZFS :)

== Getting back into your ZFS pool in case of emergency ==

If you ever need to get back into your ZFS pool in case of an emergency (missing rebuild of modules, unable to boot, etc.) reboot your box with the System Rescue USB you created earlier, then issue the following commands:

# depmod
# cryptsetup luksOpen /dev/sda2 enc-root
# zpool import -f -o cachefile= -R /mnt/funtoo rpool
Now you should be able to mount the system like we did earlier in this Guide (chroot instructions), fix your problem and enjoy.