From: B. Alexander on
I use LUKS drive encryption on several machines on my network. The problem I
have is that every time I attempt to set up LVM which spans multiple drives,
it decrypts the first one, then panics because it can't see the rest of the
PVs, because they are still encrypted. For instance, my backup machine
has a 250GB and 500GB partition. If I could combine the two drives in one
LVM, I would have nearly 700GB available for backups. Unfortunately, I have
to put the second drive on a separate volume group, which limits me to
500GB.

The fix is probably simple, but I haven't found the right combination of
secret sauce to get all drives decrypted before the system issues vgchange
-a y, which results in a panic or other Bad Things.

Does anyone know the right way to get the drives decrypted first?

--b
From: thib on
B. Alexander wrote:
> [snip]
>
> The fix is probably simple, but I haven't found the right combination of
> secret sauce to get all drives decrypted before the system issues vgchange
> -a y, which results in a panic or other Bad Things.

I'd say the design of your setup is the problem. Obviously, this doesn't
answer your question, but consider encrypting the logical volume instead of
the physical volumes. It makes much more sense to me.

> Does anyone know the right way to get the drives decrypted first?

The fun might take place in your init scripts or in your initramfs,
depending on your configuration. Unfortunately, things are currently moving
in this domain, and I'm not sure about Debian's position here -- thus I
cannot recommend you a hack over any other. Maybe someone can.

I (very) quickly overviewed the initscripts, it looks like the same code in
/lib/cryptsetup/cryptdisks.functions is called twice by cryptdisks-early
(before lvm2), and then by cryptdisks (after lvm2). Supposedly, the -early
script can't decrypt some devices, I just don't know why. By the looks of
it all, I wouldn't be surprised if there were some dependency problems for
unusual setups; is the problematic device a raid volume or something?

If you mount your filesystems in your initramfs (which should really be done
only for the root fs), you might be able to put some hooks in
/etc/initramfs-tools. I'm not really comfortable with it, so you should
read the initramfs-tools(8) manual page or wait for more help.

-thib


--
To UNSUBSCRIBE, email to debian-user-REQUEST(a)lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster(a)lists.debian.org
Archive: http://lists.debian.org/4BF02141.50302(a)stammed.net
From: B. Alexander on
On Sun, May 16, 2010 at 12:45 PM, thib <thib(a)stammed.net> wrote:

> ...
> but consider encrypting the logical volume instead of the physical
> volumes. It makes much more sense to me.
>

It seems to me that


>> Does anyone know the right way to get the drives decrypted first?
>
> The fun might take place in your init scripts or in your initramfs,
> depending on your configuration. Unfortunately, things are currently moving
> in this domain, and I'm not sure about Debian's position here -- thus I
> cannot recommend you a hack over any other. Maybe someone can.
>
> I (very) quickly overviewed the initscripts, it looks like the same code in
> /lib/cryptsetup/cryptdisks.functions is called twice by cryptdisks-early
> (before lvm2), and then by cryptdisks (after lvm2). Supposedly, the -early
> script can't decrypt some devices, I just don't know why. By the looks of
> it all, I wouldn't be surprised if there were some dependency problems for
> unusual setups; is the problematic device a raid volume or something?
>

I started looking in this direction myself last night. I am, for the life
of me, unable to figure why or how drives are designated as early versus
non-early, with the exception of adding "noearly" to the options in
/etc/crypttab. However, I am unable to find a single partition on a single
encrypted machine that uses this option. So theoretically, all of the drives
should be designated as early. I also haven't done this in a couple of
years, so maybe the encryption system has matured in the meantime.


> If you mount your filesystems in your initramfs (which should really be
> done only for the root fs), you might be able to put some hooks in
> /etc/initramfs-tools. I'm not really comfortable with it, so you should
> read the initramfs-tools(8) manual page or wait for more help.
>

I'm really not comfortable with modifying something like that, not because I
can't, but rather because I don't want to tweak something and have it break
on the next upgrade. So I will take the latter suggestion. I want to build a
test box to see if I can further troubleshoot the problem or if it still
even exists.

Thanks for the suggestions, thib...

--b
From: deloptes on
B. Alexander wrote:

> I'm really not comfortable with modifying something like that, not because
> I can't, but rather because I don't want to tweak something and have it
> break on the next upgrade. So I will take the latter suggestion. I want to
> build a test box to see if I can further troubleshoot the problem or if it
> still even exists.

by convenience you create first an encrypted partition and setup lvm upon it

you then do (as root)
vgscan
or
lvm vgscan
and
vgchange -a y
to get the partitions activated. The initrd scripts of debian are designed
to do this automatically.

If you want to do something smart then follow the smart ones and you'll get
a pay off as I did ;-)

concerning your original problem I would use something like raid device and
put all on top of it.

regards
Archive: http://lists.debian.org/hspsqt$vb7$1(a)dough.gmane.org
From: Alexander Samad on
On Sun, May 16, 2010 at 3:57 AM, B. Alexander <storm16(a)gmail.com> wrote:
> I use LUKS drive encryption on several machines on my network. The problem I
> have is that every time I attempt to set up LVM which spans multiple drives,
> it decrypts the first one, then panics because it can't see the rest of the

what is happening is when the device is unencrypted udev adds it in and
lvm does a scan of the device sees the lvm signature and wants to
build the LVM.

look in /etc/lvm/lvm.conf and tell it to ignore your unencrypted
devices and then manually run the lvmscan on the devices

Alex

[snip]
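As an added example (not from any poster in this thread), here is how the two suggestions above fit together in a POSIX shell script: read the LUKS entries from a crypttab, derive an lvm.conf `filter` that only admits the decrypted /dev/mapper devices (so a scan of the raw, still-encrypted partitions can never trigger a half-built VG), and open every container before calling vgscan / vgchange -a y. The crypttab content and the device names are constructed placeholders; it assumes Debian's crypttab(5) field order and the classic `cryptsetup luksOpen` syntax.

```shell
#!/bin/sh
# Added example, not code from the thread. Decrypt every LUKS container listed
# in a crypttab BEFORE LVM activation, and emit an lvm.conf filter that keeps
# LVM from scanning anything but the resulting /dev/mapper devices.

# Constructed sample crypttab (target, source, keyfile, options).
# Device paths are placeholders, not a real system's layout.
SAMPLE_CRYPTTAB='# target    source        keyfile       options
backup1     /dev/sdb1     none          luks
backup2     /dev/sdc1     none          luks
swap_crypt  /dev/sda3     /dev/urandom  swap,cipher=aes-cbc-essiv:sha256
'

# Print the mapper names of entries whose options contain "luks";
# comments, blank lines and non-LUKS (e.g. random-key swap) entries are skipped.
luks_targets() {
    printf '%s' "$1" | awk '$1 !~ /^#/ && NF >= 4 && $4 ~ /(^|,)luks(,|$)/ { print $1 }'
}

# Build a devices { filter = [...] } line for /etc/lvm/lvm.conf: accept only the
# decrypted mapper devices, reject everything else ("r|.*|" must stay last).
lvm_filter_for() {
    filter=""
    for t in $(luks_targets "$1"); do
        filter="${filter}\"a|^/dev/mapper/${t}\$|\", "
    done
    printf 'filter = [ %s"r|.*|" ]\n' "$filter"
}

# Open each container in crypttab order; only once all are up does LVM get
# to scan and activate, so it never sees a PV set with members missing.
# Not called at load time: this needs root and real block devices.
open_all_then_activate() {
    for t in $(luks_targets "$1"); do
        src=$(printf '%s' "$1" | awk -v n="$t" '$1 == n { print $2 }')
        cryptsetup luksOpen "$src" "$t" || return 1
    done
    vgscan && vgchange -a y
}
```

Run `lvm_filter_for "$(cat /etc/crypttab)"` to see the filter line for a real machine, then place it in the `devices` section of lvm.conf before using `open_all_then_activate`.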
Archive: http://lists.debian.org/AANLkTikLmGB9xNnNsfBPGtF6FfLvFNv4TKIgZN3WTiwD(a)mail.gmail.com