Ezjail host
Revision as of 13:28, 24 May 2012
== Basic install with mfsbsd ==
After receiving the server from Hetzner I boot it using the rescue system, which puts me at an mfsbsd prompt. I then edit the zfsinstall script <code>/root/bin/zfsinstall</code> and add "usr" to FS_LIST near the top of the script. I do this because I like to have /usr as a separate ZFS dataset.
I then run the zfsinstall script as shown below. I am going to export the majority of the available disk space as a ZVOL, which will be used for a GELI device with another ZFS pool on top. This pool will house the actual jails and data.

Note that the disks are new-ish (Power_On_Hours is 73 on both drives according to smartctl, which the mfsbsd author has been clever enough to include in mfsbsd), but I still found an MBR partition table that needed to be deleted first. This can be done with the destroygeom command as shown below:
<pre>
[root@rescue ~]# zfsinstall -d ad4 -d ad6 -r mirror -s 5G -t /nfs/mfsbsd/9.0-amd64-zfs.tar.xz
Error: /dev/ad4 already contains a partition table.
=>        63  5860533105  ad4  MBR  (2.7T)
          63  5860533105       - free -  (2.7T)

You may erase the partition table manually with the destroygeom command
[root@rescue ~]# destroygeom
Usage: /root/bin/destroygeom [-h] -d geom [-d geom ...] [-p zpool ...]
[root@rescue ~]# destroygeom -d ad4 -d ad6
Destroying geom ad4:
Destroying geom ad6:
[root@rescue ~]# zfsinstall -d ad4 -d ad6 -r mirror -s 5G -t /nfs/mfsbsd/9.0-amd64-zfs.tar.xz
Creating GUID partitions on ad4 ... done
Configuring ZFS bootcode on ad4 ... done
=>        34  5860533101  ad4  GPT  (2.7T)
          34        2014       - free -  (1.0M)
        2048         128    1  freebsd-boot  (64K)
        2176    10485760    2  freebsd-swap  (5.0G)
    10487936  5850045199    3  freebsd-zfs  (2.7T)

Creating GUID partitions on ad6 ... done
Configuring ZFS bootcode on ad6 ... done
=>        34  5860533101  ad6  GPT  (2.7T)
          34        2014       - free -  (1.0M)
        2048         128    1  freebsd-boot  (64K)
        2176    10485760    2  freebsd-swap  (5.0G)
    10487936  5850045199    3  freebsd-zfs  (2.7T)

Creating ZFS pool tank on ad4p3 ad6p3 ... done
Creating tank root partition: ... done
Creating tank partitions: var tmp usr ... done
Setting bootfs for tank to tank/root ... done
NAME            USED  AVAIL  REFER  MOUNTPOINT
tank            210K  2.68T    21K  none
tank/root        88K  2.68T    25K  /mnt
tank/root/tmp    21K  2.68T    21K  /mnt/tmp
tank/root/usr    21K  2.68T    21K  /mnt/usr
tank/root/var    21K  2.68T    21K  /mnt/var
Extracting FreeBSD distribution ... done
Writing /boot/loader.conf... done
Writing /etc/fstab...Writing /etc/rc.conf... done
Copying /boot/zfs/zpool.cache ... done

Installation complete.
The system will boot from ZFS with clean install on next reboot

You may type "chroot /mnt" and make any adjustments you need.
For example, change the root password or edit/create /etc/rc.conf for
for system services.

WARNING - Don't export ZFS pool "tank"!
[root@rescue] ~
</pre>
== Post install configuration (before reboot) ==
Before rebooting into the installed FreeBSD I need to make certain I can reach the server through SSH after the reboot. This means adding network settings to <code>/etc/rc.conf</code> along with sshd_enable="YES". I also change PermitRootLogin to Yes in <code>/etc/ssh/sshd_config</code>. Finally I set the root password. All of these steps are essential if I am going to have any chance of logging in after the reboot. Most of these changes can be done from the mfsbsd shell, but the password change requires a chroot into the newly installed environment.

I use the chroot command but start a different shell, as bash is not installed in /mnt:
<pre>
[root@rescue ~]# chroot /mnt/ csh
rescue# ee /etc/rc.conf
rescue# ee /etc/ssh/sshd_config
rescue# passwd
New Password:
Retype New Password:
rescue#
</pre>
So, the network settings are sorted, root password is set, and root is permitted to ssh in. Time to reboot (this is the exciting part).
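The rc.conf edits above are done by hand in ee. The script below is an added example and is not part of the wiki page: it applies the same pre-reboot settings to the installed system under /mnt with a small idempotent helper, so running it twice never leaves duplicate (and later-winning) entries in rc.conf. The hostname, interface name (re0) and addresses are placeholders, and the script assumes only POSIX sh, grep, cut and tail. The root password is still set with passwd inside the chroot, as shown above.

```sh
#!/bin/sh
# Added example (not the wiki page's own code): idempotent rc.conf setup
# for the freshly installed FreeBSD under /mnt, before the first reboot.
# Assumes POSIX sh; hostname, NIC name and addresses below are placeholders.

set -u

# set_rc_var FILE NAME VALUE: write NAME="VALUE" into FILE, replacing any
# existing NAME= line and appending otherwise. rc.conf is "last line wins",
# so a naive append on a second run would silently shadow earlier values.
set_rc_var() {
    file="$1" name="$2" value="$3"
    [ -f "$file" ] || : > "$file"
    tmp="$file.tmp.$$"
    grep -v "^${name}=" "$file" > "$tmp" || :   # grep exits 1 if nothing is left
    printf '%s="%s"\n' "$name" "$value" >> "$tmp"
    mv "$tmp" "$file"
}

# get_rc_var FILE NAME: print the effective (last) value of NAME, unquoted.
get_rc_var() {
    grep "^$2=" "$1" | tail -n 1 | cut -d= -f2- | tr -d '"'
}

# configure_for_reboot ROOT: the settings the page adds so the host is
# reachable over SSH after the reboot. ROOT is the install target (/mnt).
configure_for_reboot() {
    rc="$1/etc/rc.conf"
    set_rc_var "$rc" hostname      "jailhost.example.net"                   # placeholder
    set_rc_var "$rc" ifconfig_re0  "inet 192.0.2.10 netmask 255.255.255.0"  # placeholder NIC/address
    set_rc_var "$rc" defaultrouter "192.0.2.1"                              # placeholder gateway
    set_rc_var "$rc" sshd_enable   "YES"
}

# Usage from the mfsbsd shell, after zfsinstall has populated /mnt:
#   configure_for_reboot /mnt
```

Because set_rc_var rewrites rather than appends, the same function can be reused after the reboot for every later rc.conf change on the host (jail settings included) without accumulating stale lines.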
== Encrypted zvol ==
<pre>
[root@ ~]# zfs list
NAME            USED  AVAIL  REFER  MOUNTPOINT
tank            359M  2.68T    21K  none
tank/root       359M  2.68T  84.8M  /
tank/root/tmp    28K  2.68T    28K  /tmp
tank/root/usr   274M  2.68T   274M  /usr
tank/root/var   412K  2.68T   412K  /var
[root@ ~]# zfs create -V 2640G tank/gelizvol
[root@ ~]# zfs list
NAME            USED  AVAIL  REFER  MOUNTPOINT
tank           2.66T  17.0G    21K  none
tank/gelizvol  2.66T  2.68T    16K  -
tank/root       359M  17.0G  84.8M  /
tank/root/tmp    28K  17.0G    28K  /tmp
tank/root/usr   274M  17.0G   274M  /usr
tank/root/var   412K  17.0G   412K  /var
[root@ ~]#
[root@ ~]# ls -l /dev/zvol/tank/gelizvol
crw-r-----  1 root  operator    0, 124 May 24 13:10 /dev/zvol/tank/gelizvol
[root@ ~]#
</pre>
Now create a key from <code>/dev/random</code> and initialize the geli provider:
<pre>
[root@ ~]# dd if=/dev/random of=/root/encrypted.key bs=64 count=1
1+0 records in
1+0 records out
64 bytes transferred in 0.000031 secs (2064888 bytes/sec)
[root@ ~]# ls -l /root/encrypted.key
-rw-r--r--  1 root  wheel  64 May 24 13:14 /root/encrypted.key
[root@ ~]# geli init -s 512 -K /root/encrypted.key /dev/zvol/tank/gelizvol
Enter new passphrase:
Reenter new passphrase:

Metadata backup can be found in /var/backups/zvol_tank_gelizvol.eli and
can be restored with the following command:

        # geli restore /var/backups/zvol_tank_gelizvol.eli /dev/zvol/tank/gelizvol

[root@ ~]#
</pre>
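The listing above shows the key file created by dd ending up with mode 0644, readable by every local user. The script below is an added example, not code from the wiki page: it generates the 64-byte key under a restrictive umask and checks the file's size and permission bits before the key is handed to geli init -K, so a short or world-readable key is caught rather than silently used. The key path is a placeholder; the script assumes only POSIX sh, dd, ls, wc and cut.

```sh
#!/bin/sh
# Added example (not the wiki page's own code): create the geli key file
# with root-only permissions and verify it before `geli init -K`.
# Assumes POSIX sh; the key path passed in is a placeholder.

set -u

# check_geli_key FILE: succeed only if FILE is exactly 64 bytes and has no
# group/other permission bits. Anything else is reported on stderr.
check_geli_key() {
    key="$1"
    [ -f "$key" ] || { echo "$key: missing" >&2; return 1; }
    size=$(wc -c < "$key" | tr -d ' ')
    [ "$size" -eq 64 ] || { echo "$key: size $size, want 64" >&2; return 1; }
    mode=$(ls -l "$key" | cut -c5-10)     # group+other bits, e.g. "r--r--"
    [ "$mode" = "------" ] || { echo "$key: mode too permissive ($mode)" >&2; return 1; }
    return 0
}

# make_geli_key FILE: write 64 random bytes to FILE, created with mode 0600.
# The umask is set in a subshell so the caller's umask is untouched, and the
# file is never world-readable at any point, unlike a plain dd under 022.
# bs=1 count=64 guarantees exactly 64 bytes even if a read comes up short.
make_geli_key() {
    key="$1"
    ( umask 077 && dd if=/dev/random of="$key" bs=1 count=64 2>/dev/null ) || return 1
    check_geli_key "$key"
}

# Usage on the host, then pass the key to geli as the page does:
#   make_geli_key /root/encrypted.key && \
#       geli init -s 512 -K /root/encrypted.key /dev/zvol/tank/gelizvol
```

The same check_geli_key function is worth running before every geli attach as well: the key file is half of the credential (the passphrase is the other half), and a later chmod or a copy made during a backup can loosen its mode without anyone noticing.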
Next, attach the newly created geli provider:
<pre>
[root@ ~]# geli attach -k /root/encrypted.key /dev/zvol/tank/gelizvol
Enter passphrase:
[root@ ~]# ls -l /dev/zvol/tank/
total 0
crw-r-----  1 root  operator    0, 124 May 24 13:20 gelizvol
crw-r-----  1 root  operator    0, 127 May 24 13:22 gelizvol.eli
[root@ ~]#
</pre>
Now to create the zpool on top of the unlocked geli provider:
<pre>
[root@ ~]# zpool create cryptopool /dev/zvol/tank/gelizvol.eli
[root@ ~]# zpool list
NAME         SIZE  ALLOC   FREE    CAP  DEDUP  HEALTH  ALTROOT
cryptopool  2.56T   108K  2.56T     0%  1.00x  ONLINE  -
tank        2.72T   363M  2.72T     0%  1.00x  ONLINE  -
[root@ ~]# zpool status cryptopool
  pool: cryptopool
 state: ONLINE
 scan: none requested
config:

        NAME                      STATE     READ WRITE CKSUM
        cryptopool                ONLINE       0     0     0
          zvol/tank/gelizvol.eli  ONLINE       0     0     0

errors: No known data errors
[root@ ~]#
</pre>
The last remaining step is to create a filesystem in the new ZFS pool:
<pre>
[root@ ~]# zfs list
NAME            USED  AVAIL  REFER  MOUNTPOINT
cryptopool       91K  2.52T    31K  /cryptopool
tank           2.66T  17.0G    21K  none
tank/gelizvol  2.66T  2.68T  1.16M  -
tank/root       359M  17.0G  84.8M  /
tank/root/tmp    28K  17.0G    28K  /tmp
tank/root/usr   274M  17.0G   274M  /usr
tank/root/var   419K  17.0G   419K  /var
[root@ ~]# zfs set mountpoint=none cryptopool
[root@ ~]# zfs create -o compression=gzip -o mountpoint=/usr/jails cryptopool/jails
[root@ ~]# zfs list
NAME               USED  AVAIL  REFER  MOUNTPOINT
cryptopool         149K  2.52T    31K  none
cryptopool/jails    31K  2.52T    31K  /usr/jails
tank              2.66T  17.0G    21K  none
tank/gelizvol     2.66T  2.68T  1.33M  -
tank/root          359M  17.0G  84.8M  /
tank/root/tmp       28K  17.0G    28K  /tmp
tank/root/usr      274M  17.0G   274M  /usr
[root@ ~]#
</pre>