Tractor Girl Apprentice
Joined: 16 May 2013 Posts: 159
|
Posted: Wed Jul 31, 2013 3:40 pm Post subject: [SOLVED] Gentoo in encrypted LVM |
|
|
I'm trying to install Gentoo in encrypted LVM. The main problem is to generate a proper initrd. I know that there are a few ways to do that: genkernel, dracut, better-initramfs.
If it's possible I would like to stick to genkernel at least for now. From what I read, Genkernel would be able to generate a working initrd only when cryptsetup and lvm2 are compiled with "static" USE flag. Can anyone confirm this?
But when I tried to emerge Cryptsetup with this flag, portage wants to install a whole bunch of other stuff like python, mesa, and other X components. Is it obligatory? How to avoid this?
What about Dracut, does it also need cryptsetup with static flag?
Last edited by Tractor Girl on Fri Aug 02, 2013 7:29 pm; edited 1 time in total |
|
The Doctor Moderator
Joined: 27 Jul 2010 Posts: 2678
|
Posted: Wed Jul 31, 2013 4:34 pm Post subject: |
|
|
Quote: | I know that there are a few ways to do that |
You skipped one: roll your own. If you want to try it, I can post a simple init and script to assemble the required components if you like. It will require the same static components, unfortunately.
Quote: | If it's possible I would like to stick to genkernel at least for now. |
The documentation on genkernel is very good. Everything you need should be there.
Quote: | From what I read, Genkernel would be able to generate a working initrd only when cryptsetup and lvm2 are compiled with "static" USE flag. Can anyone confirm this? |
Yes. This will be true of any initramfs if you want to avoid 3000 dynamic links that have to be included. (OK maybe not quite that many.)
Quote: | What about Dracut, does it also need cryptsetup with static flag? |
It would have to because in order to make an initramfs you have to copy the binaries. This is not pleasant for dynamic ones.
_________________ First things first, but not necessarily in that order.
Apologies if I take a while to respond. I'm currently working on the dematerialization circuit for my blue box. |
|
Tractor Girl Apprentice
Joined: 16 May 2013 Posts: 159
|
Posted: Wed Jul 31, 2013 5:19 pm Post subject: |
|
|
Thank you good Doctor
Quote: | If you want to try it, I can post a simple init and script to assemble the required components if you like. |
That would be nice. Are there any drawbacks of this approach compared to automatic Genkernel/Dracut?
Ok so I'll emerge cryptsetup and lvm2 with static flag. But why does portage want to install all the other X stuff?
Without "static" flag it's only:
Code: |
Total: 5 packages (5 new), Size of downloads: 49,425 kB
|
And with "static" it's like:
Code: | Total: 66 packages (2 upgrades, 58 new, 6 reinstalls), Size of downloads: 125,820 kB |
Including mesa, libdrm etc...
Does it really need all these X things? |
|
The Doctor Moderator
Joined: 27 Jul 2010 Posts: 2678
|
Posted: Wed Jul 31, 2013 5:44 pm Post subject: |
|
|
Quote: | That would be nice. Are there any drawbacks of this approach compared to automatic Genkernel/Dracut? |
One disadvantage is that it is barren. General approaches include general solutions. I never included an fscheck which could be an option if you need your /usr pre-mounted. On the other hand, it is much faster because it doesn't need to do as much. It also doesn't load any modules, so if you need to, you would have to do that manually.
Quote: | Does it really need all these X things? |
Unfortunately, yes. You probably also want to build a static busybox, but that doesn't require much at all, static or otherwise.
EDIT: Oh, one rather important thing: don't set USE="static" in make.conf. This has several unpleasant consequences, like more compiling and some packages not working. Use /etc/portage/package.use instead on a per-package basis.
To make your own, first you need a workspace. I made a directory called /usr/src/initramfs for that purpose. The first thing you need is a file called init. Since it's a busybox script, you will need a static busybox build.
This script is written for an LVM called "filesystem" on /dev/sda6
Code: | #!/bin/busybox sh
#Mount the /proc and /sys filesystems.
mount -t proc none /proc
mount -t sysfs none /sys
mount -t devtmpfs none /dev
#echo /sbin/mdev > /proc/sys/kernel/hotplug
#mdev -s
# disable kernel messages from popping onto the screen
echo 0 > /proc/sys/kernel/printk
# Rescue shell
rescue_shell() {
echo " An error has occurred"
busybox --install -s
exec /bin/sh
}
# export the PATH
export PATH=/bin:/sbin
cryptsetup luksOpen /dev/sda6 root
# cryptsetup luksOpen /dev/sda6 root
echo " Decrypting the hard drive"
echo " Assembling the filesystem"
lvm vgscan --mknodes
lvm lvchange -aly filesystem/root
#separate usr?
#
#lvm lvchange -aly filesystem/usr
echo " Filesystem ready. Switching to kernel"
#echo
# Mount the root filesystem.
mount -o ro /dev/mapper/filesystem-root /mnt/root || rescue_shell
#mount -o ro /dev/mapper/filesystem-usr /mnt/root/usr || rescue_shell
# Clean up.
umount /proc
umount /sys
umount /dev
# Boot the real thing.
exec switch_root /mnt/root /sbin/init |
Next, this script will copy everything you need and actually make the initramfs and copy it to your /boot. There are a few directories you need to create first. The command in the second comment should make them all.
Code: | #!/bin/bash
# script to regenerate the initramfs
# requires mkdir /usr/src/initramfs/{bin,dev,etc,lib,mnt,proc,root,sbin,sys}
# initial setup: move to the right directory and get ready
# stop if the workspace is missing, so cpio never packs the wrong directory
cd /usr/src/initramfs || exit 1
cp -a /dev/{null,console,tty,sda1} /usr/src/initramfs/dev/
# copy the firmware over
# not strictly required since its built into the kernel.
# cp -a /lib/firmware/radeon/R700_rlc.bin /usr/src/initramfs/lib/firmware/radeon/R700_rlc.bin
cp -a /bin/busybox /usr/src/initramfs/bin/busybox
# crypt binaries
cp -a /sbin/cryptsetup /usr/src/initramfs/sbin/
cp -a /dev/{random,urandom} /usr/src/initramfs/dev/
# lvm binary
#cp -a /sbin/lvm /usr/src/initramfs/sbin/lvm
cp -a /sbin/lvm.static /usr/src/initramfs/sbin/lvm
# relative targets, so the links still resolve once the tree is unpacked as /
ln -sf lvm /usr/src/initramfs/sbin/lvchange
ln -sf lvm /usr/src/initramfs/sbin/vgscan
find . -print0 | cpio --null -ov --format=newc | gzip -9 > /boot/initramfs.cpio.gz |
|
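An added example, not part of the post above: a pre-flight check to run on the staging tree before it is packed with cpio. It assumes the layout used in this thread (init, bin/busybox, sbin/cryptsetup, sbin/lvm); the function names are made up for the example. It reports required files that are missing or not executable, and symlinks whose target will not exist once the tree is mounted as /.

```sh
#!/bin/sh
# Added example: sanity-check a hand-built initramfs staging tree before cpio.
# The required-file list is an assumption matching the init script in this thread.

# Print one line per problem found in the tree at $1 (nothing if it looks sane).
initramfs_problems() {
    root=$(cd "$1" 2>/dev/null && pwd -P) || { echo "NOTREE $1"; return 0; }

    # Files the init script cannot work without.
    for f in init bin/busybox sbin/cryptsetup sbin/lvm; do
        if [ ! -e "$root/$f" ]; then
            echo "MISSING $f"
        elif [ ! -x "$root/$f" ]; then
            echo "NOEXEC $f"
        fi
    done

    # Each symlink must resolve inside the tree once the tree is mounted as /.
    find "$root" -type l | while IFS= read -r link; do
        target=$(readlink "$link")
        case "$target" in
            /*) resolved="$root$target" ;;        # absolute: looked up from the new /
            *)  resolved="${link%/*}/$target" ;;  # relative: looked up from the link's dir
        esac
        [ -e "$resolved" ] || echo "DANGLING ${link#"$root"/} -> $target"
    done
}

# Return 0 if the tree is clean, 1 (with the problems on stderr) otherwise.
check_initramfs_tree() {
    problems=$(initramfs_problems "$1")
    [ -z "$problems" ] && return 0
    printf '%s\n' "$problems" >&2
    return 1
}

# Stand-alone use: ./check-tree.sh /usr/src/initramfs
if [ "$#" -gt 0 ]; then
    check_initramfs_tree "$1"
fi
```

The symlink test follows one level only, so a chain of links that leaves the tree further along can still slip through.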
rh1 Guru
Joined: 10 Apr 2010 Posts: 501
|
Posted: Wed Jul 31, 2013 6:25 pm Post subject: |
|
|
better-initramfs downloads and builds its own stuff for it to use so you wouldn't need to change anything on your system at all. Works really well. Only thing it won't do is load modules. |
|
Tractor Girl Apprentice
Joined: 16 May 2013 Posts: 159
|
Posted: Wed Jul 31, 2013 7:57 pm Post subject: |
|
|
@The Doctor
Thank you
I will definitely try that.
So you do not have to use static flag with better-initramfs?
This tutorial http://www.funtoo.org/Rootfs_over_encrypted_lvm (I believe it was written by Slashbeast - better-initramfs author) doesn't mention "static" flag. But it also doesn't mention the need of "static" flag, when using Genkernel. Does Funtoo have its own Genkernel different from that one in Gentoo? |
|
rh1 Guru
Joined: 10 Apr 2010 Posts: 501
|
Posted: Wed Jul 31, 2013 9:27 pm Post subject: |
|
|
Yes, Funtoo has its own fork of genkernel. |
|
Tractor Girl Apprentice
Joined: 16 May 2013 Posts: 159
|
Posted: Wed Jul 31, 2013 10:43 pm Post subject: |
|
|
What are they talking about here? http://www.gossamer-threads.com/lists/gentoo/dev/275353
Does this mean that "static" builds of cryptsetup and lvm2 are/will be no longer possible?
Also one guy there is saying that static builds of cryptsetup/lvm2 are only needed for:
Quote: | Any initramfs creation tool that isn't smart enough to realize
what cryptsetup/lvm2 are linked to and copy those into the initramfs
(shouldn't be an issue in anything modern). |
Are Genkernel and Dracut those "not smart enough" programs?
Anyway I've got an error when compiling lvm2:
Code: | * ERROR: sys-fs/lvm2-2.02.97-r1 failed (compile phase):
* emake failed
*
* If you need support, post the output of `emerge --info '=sys-fs/lvm2-2.02.97-r1'`,
* the complete build log and the output of `emerge -pqv '=sys-fs/lvm2-2.02.97-r1'`.
* The complete build log is located at '/var/tmp/portage/sys-fs/lvm2-2.02.97-r1/temp/build.log'.
* The ebuild environment file is located at '/var/tmp/portage/sys-fs/lvm2-2.02.97-r1/temp/environment'.
* Working directory: '/var/tmp/portage/sys-fs/lvm2-2.02.97-r1/work/LVM2.2.02.97'
* S: '/var/tmp/portage/sys-fs/lvm2-2.02.97-r1/work/LVM2.2.02.97'
>>> Failed to emerge sys-fs/lvm2-2.02.97-r1, Log file:
>>> '/var/tmp/portage/sys-fs/lvm2-2.02.97-r1/temp/build.log'
* Messages for package sys-fs/lvm2-2.02.97-r1:
* Warning, we no longer overwrite /sbin/lvm and /sbin/dmsetup with
* their static versions. If you need the static binaries,
* you must append .static to the filename!
* ERROR: sys-fs/lvm2-2.02.97-r1 failed (compile phase):
* emake failed
*
* If you need support, post the output of `emerge --info '=sys-fs/lvm2-2.02.97-r1'`,
* the complete build log and the output of `emerge -pqv '=sys-fs/lvm2-2.02.97-r1'`.
* The complete build log is located at '/var/tmp/portage/sys-fs/lvm2-2.02.97-r1/temp/build.log'.
* The ebuild environment file is located at '/var/tmp/portage/sys-fs/lvm2-2.02.97-r1/temp/environment'.
* Working directory: '/var/tmp/portage/sys-fs/lvm2-2.02.97-r1/work/LVM2.2.02.97'
* S: '/var/tmp/portage/sys-fs/lvm2-2.02.97-r1/work/LVM2.2.02.97'
|
|
|
frostschutz Advocate
Joined: 22 Feb 2005 Posts: 2977 Location: Germany
|
Posted: Wed Jul 31, 2013 11:13 pm Post subject: |
|
|
You only copied the useless part of the error message.
I'd be sorry to see static binaries go. It's part of Gentoo's customizability, and it makes building custom Initramfs easier... |
|
Tractor Girl Apprentice
Joined: 16 May 2013 Posts: 159
|
Posted: Thu Aug 01, 2013 12:02 am Post subject: |
|
|
/var/tmp/portage/sys-fs/lvm2-2.02.97-r1/temp/build.log
http://pastebin.com/E21UX08U
emerge --info '=sys-fs/lvm2-2.02.97-r1':
http://pastebin.com/SMujDmUj
What is the difference between "static" and "static-libs" flags?
This error occurs only with "static". With sole "static-libs" everything goes flawlessly. |
|
The Doctor Moderator
Joined: 27 Jul 2010 Posts: 2678
|
Posted: Thu Aug 01, 2013 12:15 am Post subject: |
|
|
The error is because the compiler can't find udev. You can work around it by using -udev |
|
Tractor Girl Apprentice
Joined: 16 May 2013 Posts: 159
|
|
The Doctor Moderator
Joined: 27 Jul 2010 Posts: 2678
|
Posted: Thu Aug 01, 2013 12:59 am Post subject: |
|
|
It very well may be that they are going to the hassle of finding all the libraries. When you build something with "static" you get everything you need to run it in one binary. The default, dynamic, is just that: dynamic. A binary only includes its code and any calls it makes to the library are handled to a copy in memory.
This is a big advantage if you have a large library and 42 applications open trying to use it. If you are building an initramfs, it's more of an indifference because you have to include every library that the binary may need to use. It sounds like the tools go through the process of packaging up everything. It keeps it dynamic, but gets you a working initramfs. I didn't realize they did this. |
|
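An added illustration of the library collection described in the post above, not code from genkernel or dracut: copy a dynamically linked binary into a staging tree together with every shared library ldd reports for it. The function names are hypothetical, and the binary path must be absolute.

```sh
#!/bin/sh
# Added example: stage a dynamically linked binary with the libraries it needs.
# Run ldd only on binaries you trust: glibc's ldd may execute code from the file.

# Read `ldd` output on stdin, print one absolute library path per line.
# Exits non-zero if any library is reported as "not found".
ldd_paths() {
    awk '
        /=> not found/           { print "MISSING " $1 > "/dev/stderr"; bad = 1; next }
        $2 == "=>" && $3 ~ /^\// { print $3; next }  # libc.so.6 => /lib64/libc.so.6 (0x..)
        $1 ~ /^\//               { print $1 }        # /lib64/ld-linux-x86-64.so.2 (0x..)
        END                      { exit bad }
    '
}

# Copy absolute path $1 and its libraries into tree $2, keeping the same paths.
copy_with_libs() {
    bin=$1; tree=$2
    libs=$(ldd "$bin" | ldd_paths) || return 1   # unresolved library: refuse to stage
    # A static binary yields no paths, so only the binary itself is copied.
    for src in "$bin" $libs; do                  # unquoted: assumes no spaces in paths
        mkdir -p "$tree${src%/*}" || return 1
        cp -L "$src" "$tree$src" || return 1     # -L: copy the real file, not a symlink
    done
}

# Stand-alone use: ./stage.sh /sbin/cryptsetup /usr/src/initramfs
if [ "$#" -eq 2 ]; then
    copy_with_libs "$1" "$2"
fi
```

Libraries loaded at run time with dlopen() do not appear in ldd output, so a tree built this way still needs a boot test.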
Tractor Girl Apprentice
Joined: 16 May 2013 Posts: 159
|
Posted: Fri Aug 02, 2013 7:28 pm Post subject: |
|
|
Uff, finally it's working.
I can confirm that Genkernel doesn't need cryptsetup and lvm2 with "static" flag.
Thank you all for help |
|
kernelOfTruth Watchman
Joined: 20 Dec 2005 Posts: 6111 Location: Vienna, Austria; Germany; hello world :)
|
|