Change "zpool create" to more feature rich set with improved encryption algorithm
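#!/usr/bin/env bash
# Install Ubuntu onto a natively encrypted ZFS root from the LiveCD: run the
# ubiquity installer against a temporary ZVOL, rsync the result into the real
# root dataset, then fix up fstab/grub from inside a chroot.
#
# Every step below partitions, formats and repopulates the target disk, so run
# it only from the LiveCD, as root (sudo -i), against the intended device.
#
# Environment:
#   DISK    target block device (default /dev/vda); partitions 1-3 are created on it
#   TARGET  path where rpool/ROOT/ubuntu-1 is mounted while it is populated
#           (this is the default mountpoint ZFS gives that dataset)
set -euo pipefail

readonly DISK=${DISK:-/dev/vda}
readonly TARGET=/rpool/ROOT/ubuntu-1
# Partition names follow the sd*/vd* convention ("${DISK}2"); nvme devices use a
# "p" separator ("${DISK}p2") — adjust these two lines for such a disk.
readonly BOOT_PART=${DISK}2
readonly POOL_PART=${DISK}3

# Fail before touching anything rather than half-way through the disk layout.
(( EUID == 0 )) || { printf 'run as root (sudo -i)\n' >&2; exit 1; }
[[ -b "$DISK" ]] || { printf 'not a block device: %s\n' "$DISK" >&2; exit 1; }

# Prepare LiveCD environment: newer ZFS from the PPA, then reload the module so
# the freshly built one is the one in use.
add-apt-repository -y ppa:jonathonf/zfs
apt install -y zfs-dkms
systemctl stop zfs-zed.service
modprobe -r zfs || true   # module may not be loaded yet on the LiveCD
modprobe zfs

# Manually partition disk: p2 = /boot (ext4), p3 = remainder for the pool.
# p1 (bios_grub) is created later from inside the chroot.
sgdisk -n2:1M:+2G -t2:8300 "$DISK"
# The fstab entry added below declares ext4; a bare "mkfs" would create ext2.
mkfs.ext4 "$BOOT_PART"
sgdisk -n3:0:0 -t3:BF07 "$DISK"

# Create pool with native encryption; the passphrase is prompted for now and at
# every import/boot (keylocation=prompt).
zpool create -o ashift=12 \
  -O compression=lz4 -O relatime=on -O dnodesize=auto -O recordsize=1M \
  -O xattr=sa -O normalization=formD -O acltype=posixacl \
  -O encryption=aes-256-gcm -O keylocation=prompt -O keyformat=passphrase \
  rpool "$POOL_PART"

# Create temp ZVOL and run the ubiquity installer against it
# (in the installer, pick /dev/zd0 as the target; no bootloader).
zfs create -V 10G rpool/ubuntu-temp
ubiquity --no-bootloader

# Create root dataset and boot mountpoint, mount /boot and rsync the install.
# -A and -H preserve POSIX ACLs and hard links, which -a alone does not.
zfs create rpool/ROOT
zfs create rpool/ROOT/ubuntu-1
mkdir "$TARGET/boot"
mount "$BOOT_PART" "$TARGET/boot"
rsync -avPXAH --exclude '/swapfile' /target/. "$TARGET/."

# Turn off swap and destroy temp ZVOL, then set up the chroot.
swapoff -a
umount /target
zfs destroy rpool/ubuntu-temp
for d in proc sys dev; do
  mount --bind "/$d" "$TARGET/$d"
done
cp /etc/resolv.conf "$TARGET/etc/resolv.conf"

# Inside chroot, install zfs (zfs-initramfs is what unlocks the pool at boot).
chroot "$TARGET" add-apt-repository -y ppa:jonathonf/zfs
chroot "$TARGET" apt install -y zfs-dkms zfs-initramfs

# Fix fstab and grub defaults.
sed -i -e '/\s\/\s/ s/^#*/#/' "$TARGET/etc/fstab"     # comment out the / line
sed -i -e '/\sswap\s/ s/^#*/#/' "$TARGET/etc/fstab"   # comment out the swap line
# Reference /boot by UUID; refuse to write an "UUID=" entry if blkid found none.
boot_uuid=$(blkid -s UUID -o value "$BOOT_PART")
[[ -n "$boot_uuid" ]] || { printf 'no UUID for %s\n' "$BOOT_PART" >&2; exit 1; }
printf 'UUID=%s /boot ext4 noatime 0 2\n' "$boot_uuid" >> "$TARGET/etc/fstab"
# Silences an error from grub-probe during update-grub.
printf 'GRUB_DISABLE_OS_PROBER=true\n' >> "$TARGET/etc/default/grub"

# The vt_handoff kernel option sometimes blocks the TTY prompt (where the
# passphrase is asked for); force vt_handoff="0" in 10_linux.
sed -i '/vt_handoff/ s/="[^"][^"]*"/="0"/' "$TARGET/etc/grub.d/10_linux"
# grub-probe cannot produce the pool name with encryption enabled; replace the
# fs_label lookup in 10_linux with "zdb -l" on the grub device.  The sed
# expression is single-quoted on purpose: ${GRUB_DEVICE} must land literally
# in 10_linux, not be expanded here.
sed -i 's/.*fs_label*/\trpool=\`zdb -l ${GRUB_DEVICE} \| grep \" name\"\| grep -o \"\x27.*\x27\"\| sed \"s\/\x27\/\/g\"/' "$TARGET/etc/grub.d/10_linux"

# Make grub.cfg, rebuild the initramfs, add the bios_grub partition, install grub.
chroot "$TARGET" update-grub
chroot "$TARGET" update-initramfs -u
chroot "$TARGET" sgdisk -a1 -n1:512:2047 -t1:EF02 "$DISK"
chroot "$TARGET" grub-install "$DISK"

# Unmount everything, set the final mountpoint, export the pool.
umount -R "$TARGET"
zfs set mountpoint=/ rpool/ROOT/ubuntu-1
zpool export rpool
# Restart computer
# shutdown -r 0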
I do still want to try @ghfields installer mod, but I was able to get an encrypted setup going using the roundabout method of: install, "zfs send" the rpool/ROOT and rpool/USERDATA, re-create the rpool with encryption, then "zfs recv", and use part of the above workflow. Annoying, but seems to work. I do get an os-prober error during update-grub, but the result seems to work.
Notes for future-me or someone else:
- Do normal install using zfs.
- Boot live CD.
- Recursive snapshot of ROOT and USERDATA: zfs snapshot -r rpool/ROOT@copy; zfs snapshot -r rpool/USERDATA@copy
- Send dumps to another system: zfs send -R rpool/ROOT | gzip | nc REMOTEIP:PORT ; and same for rpool/USERDATA
- "zpool export rpool" and reformat using encryption from line 18 above.
- "zfs load-key rpool"
- Load ROOT and USERDATA from dumps: "nc -l PORT | gunzip | zfs recv -x encryption rpool/ROOT" and same for USERDATA.
- "zfs set mountpoint=/mnt" for the root filesystem and "/mnt/boot" for the /boot.
- zfs mount -a
- Steps 36-37, 45-57 above, but using /mnt instead. I just "chroot /mnt" and modify files as absolute path. I also commented out the swap entry from /etc/fstab.
- Then umount -R /mnt; change the mountpoints back to absolute; zpool export bpool; zpool export rpool; reboot
@ghfields: Ok, that Ubiquity hack worked totally brilliantly! Thanks!
@ghfields: That's an interesting idea, I'll try giving that a shot in a bit. I'm currently doing a "zfs recv" on an encrypted pool after dumping from a normal install, then I was going to try some of your changes above (vt_handoff, prober) to see if that would work. But I'll take a look at your gist a bit later.