ZFS rootfs over encrypted container

From Funtoo Linux
Revision as of 05:37, 5 January 2013 by Fearedbliss

This tutorial will show you how to install Funtoo on ZFS (rootfs) over an encrypted container.

This tutorial is meant to be an "overlay" over the Regular Funtoo Installation. Follow the normal installation and only use this guide for steps 2, 3, and 8.

Since ZFS was really designed for 64 bit systems, we are only recommending and supporting 64 bit platforms and installations. We will not be supporting 32 bit platforms!



Setting up your environment

In order for us to install Funtoo on ZFS, you will need an environment that provides the ZFS userspace tools. We will be downloading two things: System Rescue CD 3.1.2, and the ZFS SRM (System Rescue Module). The SRM is just a file that, combined with System Rescue CD, gives you ZFS functionality.

Download System Rescue CD 3.1.2

Download the ZFS System Rescue Module


Name: SystemRescueCd-x86-3.1.2 (350 MiB)
Release Date: 2012-12-05


md5sum 3c1ddfe5f26bb2f979a2ed9dfb504ee3
sha1sum 217cf7a81380d894b2433c59451787c16bc0af2f
sha256sum ec0a995875e64ff9816a043737e5cbbb689b7f596b48679116f0a779f3dce673


Once you place the ISO on your USB flash drive, extract the modules from the tarball, and place the .srm and .md5 at the root of your USB filesystem. Further instructions can be found here.
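The digests listed above are what you compare the download against before writing it to the USB stick; that comparison is the only thing that catches a truncated or tampered image. The following is an added example (not from the Funtoo wiki page): a POSIX sh function that picks whichever SHA-256 tool the host has (sha256sum, shasum or openssl are assumptions about the rescue host) and compares the digest, returning 0 on a match. The ISO filename in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example (not from the Funtoo page): verify a downloaded ISO against
# its published sha256sum before writing it to the USB flash drive.

sha256_of() {
    # Print the hex SHA-256 digest of "$1" using whichever tool is installed.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 -r "$1" | awk '{print $1}'
    fi
}

verify_sha256() {
    # verify_sha256 FILE EXPECTED_HEX -> 0 on match, 1 on mismatch or missing file
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK   $file"
        return 0
    fi
    echo "FAIL $file" >&2
    echo "  expected $expected" >&2
    echo "  got      $actual" >&2
    return 1
}

# Published digest for SystemRescueCd-x86-3.1.2, taken from the page above.
SYSRESCUE_SHA256=ec0a995875e64ff9816a043737e5cbbb689b7f596b48679116f0a779f3dce673

# Usage on the real download (the filename is an assumption):
#   verify_sha256 systemrescuecd-x86-3.1.2.iso "$SYSRESCUE_SHA256" || exit 1
```

The comparison is done on the lowercased hex string, so a digest copied from a page that prints it in upper case still matches; a missing file is reported as a failure rather than silently passing.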


We will now start to partition the system. Open up a terminal, and type in the following (We will assume it's a fresh drive for simplicity).


Creating partitions

We will be creating two partitions, /boot, and the remaining disk space will be for ZFS.


(All commands will be run as root.)


fdisk (MBR Style)

Create Partition 1 (boot):


Command: n ↵
Partition type: 
Partition number: 
First sector: 
Last sector: +250M ↵


Create Partition 2 (ZFS over encrypted container):

Command: n ↵
Partition type: 
Partition number: 
First sector: 
Last sector: 
Command: t ↵
Partition number: 2 ↵
Hex code (type L to list codes): bf ↵
Command: p ↵
Disk /dev/sda: 1000.2 GB, 1000204886016 bytes
255 heads, 63 sectors/track, 121601 cylinders, total 1953525168 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x3e954df7
   Device Boot      Start         End      Blocks   Id  System
/dev/sda1            2048      514047      256000   83  Linux
/dev/sda2          514048  1953525167   976505560   bf  Solaris


gdisk (GPT Style)

Create Partition 1 (boot):

Command: n ↵
Partition Number: 
First sector: 
Last sector: +250M ↵
Hex Code: 


Create Partition 2 (BIOS Boot Partition):

Command: n ↵
Partition Number: 
First sector: 
Last sector: +32M ↵
Hex Code: EF02 ↵


Only make the above BIOS Boot Partition if you are using GRUB 2 on GPT. If you are using the extlinux bootloader, this partition is not necessary. The instructions below continue as if you did not create this partition and assume you are using extlinux as the bootloader.



Create Partition 2(/3) (ZFS over encrypted container):

Command: n ↵
Partition Number: 
First sector: 
Last sector: 
Hex Code: bf01 ↵
Command: p ↵
Disk /dev/sda: 1953525168 sectors, 931.5 GiB
Logical sector size: 512 bytes
Disk identifier (GUID): C0C1E56A-B24F-492F-95DB-2E227676F228
Partition table holds up to 128 entries
First usable sector is 34, last usable sector is 1953525134
Partitions will be aligned on 2048-sector boundaries
Total free space is 2014 sectors (1007.0 KiB)
Number  Start (sector)    End (sector)  Size       Code  Name
   1            2048          514047   250.0 MiB   8300  Linux filesystem
   2          514048      1953525134   931.3 GiB   BF01  Solaris /usr & Mac ZFS


Format your boot volume

# mkfs.ext4 /dev/sda1


Create the crypto container

Be aware that this step can take a long time; 1-2 days is possible depending on your disk size. The bs argument in the following commands matters: with a large block size dd runs efficiently and simply writes until it reaches the end of the partition, so you don't need to know the exact partition size, and the whole partition ends up covered with data before the cryptocontainer is created.


# dd if=/dev/zero of=/dev/sda2 bs=100M
# dd if=/dev/urandom of=/dev/sda2 bs=100M


Next we create the cryptocontainer in the partition we just prepared, and then open it:


# cryptsetup -c aes-xts-plain64 luksFormat /dev/sda2
# cryptsetup luksOpen /dev/sda2 enc-root


This opens the cryptocontainer at /dev/mapper/enc-root, which is from now on the device for our ZFS pool.


Create the zpool

We will first create the pool. The pool will be named `rpool` and the disk will be aligned to 4096-byte sectors (using ashift=12).


# zpool create -f -o ashift=12 -o cachefile= -O compression=on -m none -R /mnt/funtoo rpool /dev/mapper/enc-root


Create the zfs datasets

We will now create some datasets. For this installation, we will create a small but future proof amount of datasets. We will have a dataset for the OS (/), and your swap. We will also show you how to create some optional datasets: /home, /var, /usr/src, and /usr/portage.


Create some empty containers for organization purposes, and make the dataset that will hold /
# zfs create -o mountpoint=none rpool/ROOT
# zfs create -o mountpoint=/ rpool/ROOT/funtoo


Optional, but recommended datasets: /home, /root 
# zfs create -o mountpoint=/home rpool/HOME
# zfs create -o mountpoint=/root rpool/HOME/root


Optional datasets: /usr/src, /var
# zfs create -o mountpoint=none rpool/FUNTOO
# zfs create -o mountpoint=/usr/src rpool/FUNTOO/src
# zfs create -o mountpoint=/var rpool/FUNTOO/var


Creating a separate portage dataset (optional)

Creating a separate portage dataset could be useful if you would like to keep your portage tree, distfiles (source code files), and packages (your compiled binaries if you have FEATURES="buildpkg" enabled) in a safe place (or if you want to back up this directory easily).


This requires a few extra steps because we can't just do a regular emerge --sync when we initially chroot. We will need to download a portage snapshot tarball and extract it into the directory.


The required steps for getting and extracting the snapshot will be shown later on in the guide once you chroot into the environment. For now just create the datasets:


# zfs create -o mountpoint=/usr/portage -o compression=off rpool/FUNTOO/portage
# zfs create -o mountpoint=/usr/portage/distfiles -o compression=off rpool/FUNTOO/distfiles


Create your swap dataset

Make your swap 1G greater than your RAM. An 8G machine would have 9G of swap (this is kinda big though).


# zfs create -o sync=always -o primarycache=metadata -o secondarycache=none -V 9G rpool/swap


Format your swap dataset

# mkswap -f /dev/zvol/rpool/swap
# swapon /dev/zvol/rpool/swap


Alright that finishes the creation of the zpool and zfs datasets. Check to make sure everything appears fine:


# zpool status
# zfs list


Copy the zpool.cache file to your new environment.


# mkdir -p /mnt/funtoo/etc/zfs
# cp /etc/zfs/zpool.cache /mnt/funtoo/etc/zfs


Make an empty mtab file


# touch /mnt/funtoo/etc/mtab


Now we will continue to install funtoo.


Installing Funtoo

Download and install the Funtoo stage3 and continue installation as normal.


Then chroot into your new funtoo environment:


# cd /mnt/funtoo


Mount your boot drive
# mount /dev/sda1 /mnt/funtoo/boot


Bind the kernel related directories
# for i in proc dev sys; do mount --bind /$i ./$i; done


Copy network settings
# cp /etc/resolv.conf etc/


chroot into your new funtoo environment
# env -i HOME=/root TERM=$TERM chroot . bash -l


Syncing your portage tree

If you didn't create a separate portage dataset, then just sync your portage tree as normal.

# emerge --sync


If you did create a separate portage dataset, let's now get the portage snapshot set up.

Change into your /usr directory
# cd /usr


Download and extract the portage snapshot
# wget http://ftp.osuosl.org/pub/funtoo/funtoo-current/snapshots/portage-latest.tar.xz
# tar xf portage-latest.tar.xz


Change into your portage directory and checkout the funtoo branch
# cd portage
# git checkout funtoo.org


Now sync your portage tree
# emerge --sync


Kernel Configuration

Tested with kernel 2.6.32, 3.2.34, 3.6.9, 3.7.1.


When you get to the kernel, make sure that you disable the CFQ scheduler and turn on No-op (it is the default one once you disable all the other schedulers). The reason for this is that ZFS has its own scheduler, and the CFQ one conflicts with it.


Go to your kernel config, and make sure you have the following: (there should be a /usr/src/linux symlink as well)

ZLIB_INFLATE/DEFLATE must be compiled into the kernel (not as a module):
    ZLIB_INFLATE [=y], ZLIB_DEFLATE [=y]

General setup --->
    [*] Initial RAM filesystem and RAM disk (initramfs/initrd) support
    ()  Initramfs source file(s)
[*] Enable loadable module support --->
    [*] Module unloading
Enable the block layer --->
    IO Schedulers --->
        < > Deadline I/O scheduler
        < > CFQ I/O scheduler
            Default I/O scheduler (No-op)
Device Drivers --->
    Generic Driver Options --->
        [*] Maintain a devtmpfs filesystem to mount at /dev
        [*] Automount devtmpfs at /dev, after the kernel mounted the rootfs

Cryptographic API --->
    <*> XTS support
    -*- AES cipher algorithms


* All other drivers required to see your PATA/SATA drives must be compiled in.
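A missing built-in option usually only shows up as a boot failure after the final reboot, when the initramfs cannot unlock the container or import the pool. As an added example (not from the Funtoo page), the POSIX sh checker below reads a kernel .config and reports which of the options listed above are not built in and whether CFQ is still enabled. The Kconfig symbol names are the standard 3.x names behind the menuconfig entries above (CONFIG_IOSCHED_CFQ and CONFIG_DEFAULT_NOOP no longer exist in much newer kernels); the sample .config excerpt is constructed for trying the checker.

```shell
#!/bin/sh
# Added example, not from the Funtoo page: check a kernel .config for the
# options this guide needs before running "make bzImage".

# Must be built in (=y): the initramfs cannot load these from modules it
# does not have yet, and zlib is needed by the initramfs and by ZFS.
REQUIRED_Y="CONFIG_ZLIB_INFLATE CONFIG_ZLIB_DEFLATE
CONFIG_BLK_DEV_INITRD CONFIG_MODULES CONFIG_MODULE_UNLOAD CONFIG_BLOCK
CONFIG_DEFAULT_NOOP CONFIG_DEVTMPFS CONFIG_DEVTMPFS_MOUNT
CONFIG_CRYPTO_XTS CONFIG_CRYPTO_AES"

# Must stay off: CFQ conflicts with the scheduler ZFS brings along.
FORBIDDEN="CONFIG_IOSCHED_CFQ CONFIG_DEFAULT_CFQ"

config_value() {
    # config_value FILE SYMBOL -> prints y, m or a quoted string; prints n
    # when the symbol is absent or appears as "# SYMBOL is not set"
    v=$(sed -n "s/^$2=//p" "$1" | tail -n 1)
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf 'n\n'; fi
}

check_kernel_config() {
    # check_kernel_config FILE -> 0 if every requirement holds, else 1
    cfg=$1 rc=0
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 1; }
    for sym in $REQUIRED_Y; do
        v=$(config_value "$cfg" "$sym")
        if [ "$v" != y ]; then
            echo "MISSING: $sym=y (found $v)"; rc=1
        fi
    done
    for sym in $FORBIDDEN; do
        v=$(config_value "$cfg" "$sym")
        if [ "$v" != n ]; then
            echo "UNWANTED: $sym=$v (must not be set)"; rc=1
        fi
    done
    [ "$rc" -eq 0 ] && echo "kernel config OK"
    return "$rc"
}

write_sample_config() {
    # write_sample_config FILE: constructed excerpt of a .config that satisfies
    # the checks (a fixture for trying the checker, not a real kernel config).
    cat > "$1" <<'EOF'
CONFIG_ZLIB_INFLATE=y
CONFIG_ZLIB_DEFLATE=y
CONFIG_BLK_DEV_INITRD=y
CONFIG_INITRAMFS_SOURCE=""
CONFIG_MODULES=y
CONFIG_MODULE_UNLOAD=y
CONFIG_BLOCK=y
# CONFIG_IOSCHED_DEADLINE is not set
# CONFIG_IOSCHED_CFQ is not set
CONFIG_DEFAULT_NOOP=y
CONFIG_DEFAULT_IOSCHED="noop"
CONFIG_DEVTMPFS=y
CONFIG_DEVTMPFS_MOUNT=y
CONFIG_CRYPTO_XTS=y
CONFIG_CRYPTO_AES=y
EOF
}

# On the build host: check_kernel_config /usr/src/linux/.config || exit 1
```

Run it against /usr/src/linux/.config after leaving menuconfig and before building; an option set to m is reported as missing on purpose, because the initramfs boots before any module directory is available.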


Continue and compile/install your kernel:


# make bzImage
# make modules_install
# cp arch/x86_64/boot/bzImage /boot/bzImage-<Kernel-version>


Installing the ZFS userspace tools

# emerge -av zfs

Check that the zfs tools are working; the pool recorded in the zpool.cache file you copied earlier should be displayed.

# zpool status
# zfs list

If everything worked, continue.

Bliss Initramfs Creator

Make sure you compile sys-apps/busybox and sys-fs/cryptsetup with the static flag.

# echo "sys-apps/busybox static" >> /etc/portage/package.use/busybox
# echo "sys-fs/cryptsetup static" >> /etc/portage/package.use/cryptsetup
# echo "sys-libs/e2fsprogs-libs static-libs" >> /etc/portage/package.use/e2fsprogs-libs
# echo "dev-libs/popt static-libs" >> /etc/portage/package.use/popt
# echo "sys-apps/util-linux static-libs" >> /etc/portage/package.use/util-linux
# emerge -avt sys-apps/busybox sys-fs/cryptsetup

Clone my creator which is located at: git://github.com/fearedbliss/Bliss-Initramfs-Creator.git

# git clone git://github.com/fearedbliss/Bliss-Initramfs-Creator.git
# cd Bliss-Initramfs-Creator

Then run the script as root, and place the initrd into /boot

# ./createInit
Choose Option 2 ZFS+LUKS
# mv initrd-<kernel_name>.img /boot

<kernel_name> is the name you selected in the initramfs creator, and the name of the output file.

Once you do this just go to your bootloader config, and add it in there.

Example:

kernel name is: bzImage-3.7.1-ALL
initramfs name is: initrd-3.7.1-ALL.img
pool root is: rpool/ROOT/funtoo
encrypted root is: /dev/sda2

Installing Extlinux

To install extlinux, first merge syslinux:

# emerge -avt syslinux

Next, prepare your /boot folder:

# install -d /boot/extlinux
# extlinux --install /boot/extlinux
# cd /boot
# ln -s . boot

Finally, install Extlinux into your boot record:

MBR

# dd bs=440 conv=notrunc count=1 if=/usr/share/syslinux/mbr.bin of=/dev/sda
# cp /usr/share/syslinux/menu.c32 /boot/extlinux/
# touch /boot/extlinux/extlinux.conf

GPT

# sgdisk /dev/sda --attributes=1:set:2
# sgdisk /dev/sda --attributes=1:show
1:2:1 (legacy BIOS bootable)
# dd bs=440 conv=notrunc count=1 if=/usr/share/syslinux/gptmbr.bin of=/dev/sda
# cp /usr/share/syslinux/menu.c32 /boot/extlinux/
# touch /boot/extlinux/extlinux.conf

Config Extlinux

Open /boot/extlinux/extlinux.conf with your favorite editor and add the following to it:

TIMEOUT 30
UI menu.c32

MENU TITLE Funtoo Boot Menu
MENU COLOR title        1;37;40
MENU COLOR border       30;40
MENU COLOR unsel        37;40

LABEL funtoo bzImage-<Kernel-Version>
  MENU LABEL Funtoo Linux bzImage-<Kernel-Version>
  KERNEL /bzImage-<Kernel-Version>
  INITRD /initrd-<Kernel-Version>.img
  APPEND enc_root=/dev/sda2 pool_root=rpool/ROOT/funtoo
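A typo in the KERNEL or INITRD name, or a forgotten enc_root= or pool_root= parameter, leaves the machine unbootable, which on an encrypted root means a trip back to the rescue USB. The following is an added example (not part of the page or of extlinux): a POSIX sh check that every KERNEL and INITRD path in extlinux.conf exists under /boot, that the UI module sits next to the config, and that the APPEND line carries both parameters the Bliss initramfs reads. The sample /boot tree it builds is a constructed fixture that mirrors the page's example names.

```shell
#!/bin/sh
# Added example (not from the Funtoo page): sanity-check extlinux.conf
# against the contents of /boot before rebooting.

check_extlinux_conf() {
    # check_extlinux_conf BOOTDIR CONF -> 0 when consistent, 1 otherwise
    bootdir=$1 conf=$2 rc=0
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 1; }

    # KERNEL/INITRD paths are relative to the root of the boot filesystem.
    for key in KERNEL INITRD; do
        for path in $(awk -v k="$key" 'toupper($1)==k {print $2}' "$conf"); do
            if [ ! -f "$bootdir/${path#/}" ]; then
                echo "MISSING: $key $path not found under $bootdir"; rc=1
            fi
        done
    done

    # The UI module (menu.c32) is looked up relative to the config file.
    ui=$(awk 'toupper($1)=="UI" {print $2; exit}' "$conf")
    if [ -n "$ui" ] && [ ! -f "$(dirname "$conf")/$ui" ]; then
        echo "MISSING: UI module $ui next to $conf"; rc=1
    fi

    # The initramfs needs both parameters on the APPEND line.
    for param in enc_root pool_root; do
        if ! awk -v p="$param=" '
                toupper($1)=="APPEND" { for (i = 2; i <= NF; i++) if (index($i, p) == 1) found = 1 }
                END { exit found ? 0 : 1 }' "$conf"; then
            echo "MISSING: APPEND line has no $param= parameter"; rc=1
        fi
    done

    [ "$rc" -eq 0 ] && echo "extlinux.conf OK"
    return "$rc"
}

write_sample_boot() {
    # write_sample_boot DIR VERSION: constructed /boot fixture laid out like
    # the page's example; empty files stand in for the kernel and initrd.
    d=$1 ver=$2
    mkdir -p "$d/extlinux"
    : > "$d/bzImage-$ver"
    : > "$d/initrd-$ver.img"
    : > "$d/extlinux/menu.c32"
    cat > "$d/extlinux/extlinux.conf" <<EOF
TIMEOUT 30
UI menu.c32

MENU TITLE Funtoo Boot Menu

LABEL funtoo bzImage-$ver
  MENU LABEL Funtoo Linux bzImage-$ver
  KERNEL /bzImage-$ver
  INITRD /initrd-$ver.img
  APPEND enc_root=/dev/sda2 pool_root=rpool/ROOT/funtoo
EOF
}

# On the installed system: check_extlinux_conf /boot /boot/extlinux/extlinux.conf
```

Because the guide symlinks /boot/boot to /boot, a path written as /boot/bzImage-... would also resolve at boot time, but the check deliberately looks only under the boot directory itself so that the config matches what extlinux actually reads.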

Final configuration

Add the zfs tools to openrc

# rc-update add zfs boot
# rc-update add zfs-shutdown shutdown

Add filesystems to /etc/fstab

# nano /etc/fstab
# <fs>                  <mountpoint>    <type>          <opts>          <dump/pass>
/dev/sda1               /boot           ext4            defaults        1 2
/dev/zvol/rpool/swap    none            swap            sw              0 0

Clean up and reboot

We are almost done, we are just going to clean up and unmount whatever we mounted and get out.

Delete the stage3/portage tarballs you downloaded earlier so they don't take up space.
# cd /
# rm stage3-latest.tar.xz
# rm /usr/portage-latest.tar.xz

Set your root password
# passwd
Enter your password; you won't see what you are typing (for security reasons), but it is there!

Get out of the chroot environment
# exit

Unmount all the kernel filesystem stuff and boot
# cd /mnt/funtoo
# umount proc dev sys boot

Turn off the swap
# swapoff /dev/zvol/rpool/swap

Export the zpool
# cd /
# zpool export -f rpool

Reboot
# reboot

and that should be enough to get your system to boot on ZFS.

Extra: After reboot

After you restart your machine and you're inside your desktop, continue to set up anything you need in terms of /etc configurations. Once you have everything the way you like it, take a snapshot of your system. You will be using this snapshot to revert back to this state if anything ever happens to your system down the road. Snapshots are cheap and almost instant. To take the snapshot of your rootfs, type the following:

# zfs snapshot rpool/ROOT/funtoo@install

To see if your snapshot was taken, type:

# zfs list -t snapshot

If your machine ever fails and you need to get back to this state, just type:

# zfs rollback rpool/ROOT/funtoo@install

Enjoy your new install on ZFS :)

Getting back into your ZFS pool in case of emergency

If you ever need to get back into your ZFS pool in case of an emergency (modules not rebuilt, unable to boot, etc.), reboot your box with the System Rescue USB you created earlier, then issue the following commands:

# depmod
# cryptsetup luksOpen /dev/sda2 enc-root
# zpool import -f -o cachefile= -R /mnt/funtoo rpool


Now you should be able to mount the system as we did earlier in this guide (see the chroot instructions), fix your problem and enjoy.
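The chroot steps from the "Installing Funtoo" section and the emergency re-entry steps above are the same sequence, and the order matters: the LUKS container must be open before the pool can be imported, the pool must be imported before /boot and the pseudo-filesystems can be mounted, and on the way out everything is undone in reverse so that "zpool export" does not fail on busy datasets. The following is an added example (not the page's or the Bliss project's code) that puts both directions in one POSIX sh script. Device names, the mount point and the dataset names are the ones the page uses and can be overridden through environment variables; closing the container with luksClose at the end is an addition to what the page does; DRY_RUN=1 only records the commands so the sequence can be inspected without touching any disk.

```shell
#!/bin/sh
# Added example (not from the Funtoo page): enter and leave the installed
# system from the rescue USB in the order the page's steps require.

ENC_DEV=${ENC_DEV:-/dev/sda2}       # LUKS partition (page: /dev/sda2)
BOOT_DEV=${BOOT_DEV:-/dev/sda1}     # ext4 /boot partition (page: /dev/sda1)
POOL=${POOL:-rpool}                 # pool name (page: rpool)
TARGET=${TARGET:-/mnt/funtoo}       # altroot / chroot directory
DRY_RUN=${DRY_RUN:-0}               # 1 = record commands only
NL='
'
PLAN=""                             # commands recorded in dry-run mode

run() {
    # run CMD ARGS...: execute, or only append to PLAN when DRY_RUN=1
    if [ "$DRY_RUN" = 1 ]; then
        PLAN="$PLAN$*$NL"
    else
        "$@"
    fi
}

enter_rescue_chroot() {
    run depmod                                   # let the rescue kernel see the ZFS SRM modules
    run cryptsetup luksOpen "$ENC_DEV" enc-root  # 1. unlock the container
    run zpool import -f -o cachefile= -R "$TARGET" "$POOL"   # 2. import the pool under TARGET
    run mount "$BOOT_DEV" "$TARGET/boot"         # 3. /boot lives outside the pool
    for fs in proc dev sys; do                   # 4. kernel pseudo-filesystems
        run mount --bind "/$fs" "$TARGET/$fs"
    done
    run cp /etc/resolv.conf "$TARGET/etc/"       # 5. network settings for emerge
    run env -i HOME=/root TERM="$TERM" chroot "$TARGET" bash -l
}

leave_rescue_chroot() {
    # Reverse order: unmount, drop swap, export the pool, then close LUKS.
    for fs in sys dev proc boot; do
        run umount "$TARGET/$fs"
    done
    run swapoff "/dev/zvol/$POOL/swap" || true   # swap may not be active
    run zpool export -f "$POOL"
    run cryptsetup luksClose enc-root            # addition: not in the page's cleanup
}

plan_line() {
    # plan_line N -> the Nth recorded command (dry-run inspection helper)
    printf '%s' "$PLAN" | sed -n "${1}p"
}

# Usage from the rescue system (as root):
#   . ./rescue.sh; enter_rescue_chroot      # work inside the chroot, then "exit"
#   leave_rescue_chroot                      # before rebooting
# Inspect without touching disks:
#   DRY_RUN=1; . ./rescue.sh; enter_rescue_chroot; printf '%s' "$PLAN"
```

Keeping both directions in one file makes it hard to forget the export: a pool left imported by the rescue system is the usual reason the next boot reports that the pool was last accessed by another system and refuses to import it without -f.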
