Howto:Gentoo LVM LUKS
Installation
What do we want ?
Inside a VM
This article was written using a virtual machine for testing purposes.
kvm-img create /home/******/virtuel/disk/gentoo.img -f qcow2 20G
virt-install --ram=1024 --name=Gentoo_LVM2 \
  --file=/home/******/virtuel/disk/gentoo.img \
  --network=bridge:virbr0 --vnc --noautoconsole -k fr \
  --accelerate --cdrom=/home/******/virtuel/iso/install-amd64-minimal-20090903.iso
Used Media
install-amd64-minimal-XXXXX.iso
Partitions
Disk structure
- sda:
- /boot => sda1 (512MB)
- LVM => sda2
fdisk /dev/sda
Command (m for help): n                                          'new'
Command action
   e   extended
   p   primary partition (1-4)
p                                                                'primary'
Partition number (1-4): 1                                        'first part'
First cylinder (1-2610, default 1):                              'enter'
Using default value 1
Last cylinder, +cylinders or +size{K,M,G} (1-2610, default 2610): +512M
Command (m for help): n                                          'new'
Command action
   e   extended
   p   primary partition (1-4)
p                                                                'primary'
Partition number (1-4): 2                                        'second part'
First cylinder (67-2610, default 67):                            'enter'
Using default value 67
Last cylinder, +cylinders or +size{K,M,G} (67-2610, default 2610):
Using default value 2610
Command (m for help): w                                          'write changes'
The partition table has been altered!
Calling ioctl() to re-read partition table.
Syncing disks.
Disk erasing
dd if=/dev/urandom of=/dev/sda2
Disk ciphering
cryptsetup -y --cipher aes-cbc-essiv:sha256 --key-size 256 luksFormat /dev/sda2
Binding the device in a LVM group
cryptsetup luksOpen /dev/sda2 vault
pvcreate /dev/mapper/vault
vgcreate vg /dev/mapper/vault
Creating partitions
lvcreate -L8G -nroot vg
lvcreate -L11G -nhome vg
lvcreate -L256M -nswap vg
Creating file systems
mke2fs /dev/sda1
mke2fs -j /dev/mapper/vg-root
mke2fs -j /dev/mapper/vg-home
mkswap /dev/mapper/vg-swap
Creating the swap
swapon /dev/mapper/vg-swap
Gentoo installation
Mounting partitions
mount /dev/mapper/vg-root /mnt/gentoo/
mkdir -p /mnt/gentoo/boot
mount /dev/sda1 /mnt/gentoo/boot/
Stage3 & Portage
- Stage3: the minimal Gentoo base system
- Portage: the Gentoo source package system.
Downloads
cd /mnt/gentoo
wget http://dev.funtoo.org/linux/gentoo/amd64/stage3-amd64-current.tar.bz2
wget http://dev.funtoo.org/linux/gentoo/snapshots/portage-current.tar.bz2
Extractions
tar xjpf stage3-amd64-current.tar.bz2
tar xjf portage-current.tar.bz2 -C /mnt/gentoo/usr/
rm *.tar.bz2
make.conf
- Edit /mnt/gentoo/etc/make.conf to suit your needs (be careful with the CPU type and the ARCH-related GCC flags); this sample is for a Core2Duo on amd64.
File: /etc/make.conf
CHOST="x86_64-pc-linux-gnu"
CFLAGS="-march=core2 -O2 -pipe"
CXXFLAGS="${CFLAGS}"
MAKEOPTS="-j3"
USE="sasl ctype pcre session unicode bash-completion apache2 \
bzip2 curl curlwrappers exif ftp gd gmp imap mysql \
simplexml sockets tokenizer truetype xml xmlreader \
xmlwriter berkdb innodb xmlrpc xpm xsl zip jpeg png \
gif -X mmx sse sse2 -gtk -sdl -nptl ipv6 -ldap vim-syntax"
LINGUAS="fr"
FEATURES="-sandbox"
APACHE2_MPMS="worker"
APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default \
authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex \
cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers \
include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling \
status unique_id userdir usertrack vhost_alias"
GENTOO_MIRRORS="http://mirror.ovh.net/gentoo-distfiles/"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
chroot
cp -L /etc/resolv.conf /mnt/gentoo/etc/
mount -t proc none /mnt/gentoo/proc
mount -o bind /dev /mnt/gentoo/dev
chroot /mnt/gentoo /bin/bash
env-update
source /etc/profile
export PS1="(chroot) $PS1"
Locale
This sample is for a French setup.
File: /etc/locale.gen
fr_FR UTF-8
fr_FR ISO-8859-1
fr_FR@euro ISO-8859-15
locale-gen
Updating the portage tree
emerge --ask --verbose dev-util/git
emerge --sync
Profile selection
eselect profile list
Available profile symlink targets:
  [1]   default/linux/amd64/10.0
  [2]   default/linux/amd64/10.0/desktop
  [3]   default/linux/amd64/10.0/developer
  [4]   default/linux/amd64/10.0/no-multilib
  *[5]  default/linux/amd64/10.0/server
  [6]   hardened/linux/amd64/10.0
  [7]   hardened/linux/amd64/10.0/no-multilib
  [8]   selinux/2007.0/amd64
  [9]   selinux/2007.0/amd64/hardened
  [10]  selinux/v2refpolicy/amd64
  [11]  selinux/v2refpolicy/amd64/desktop
  [12]  selinux/v2refpolicy/amd64/developer
  [13]  selinux/v2refpolicy/amd64/hardened
  [14]  selinux/v2refpolicy/amd64/server
eselect profile set 5
Timezone
cp /usr/share/zoneinfo/Europe/Paris /etc/localtime
Kernel
Kernel sources
USE="symlink" emerge -av gentoo-sources
Config
- You might prefer to build your own configuration with "make menuconfig".
- This example is for an amd64 Core2Duo inside a qemu-kvm virtual machine.
cd /usr/src/linux
wget http://polymorf.fr/files/linux/gentoo-config.txt -O .config
Build
make && make modules_install
Install
cp arch/x86/boot/bzImage /boot/gentoo
Configuration
fstab
File: /etc/fstab
/dev/sda1 /boot ext2 noauto,noatime 1 2
/dev/mapper/vg-root / ext3 noatime 0 1
/dev/mapper/vg-home /home ext3 noatime 0 2
/dev/mapper/vg-swap none swap sw 0 0
/dev/cdrom /mnt/cdrom auto noauto,ro 0 0
#/dev/fd0 /mnt/floppy auto noauto 0 0
Hostname
nano -w /etc/conf.d/hostname
Network
nano -w /etc/conf.d/net
Adjust to your needs.
File: /etc/conf.d/net
# This blank configuration will automatically use DHCP for any net.*
# scripts in /etc/init.d. To create a more complete configuration,
# please review /etc/conf.d/net.example and save your configuration
# in /etc/conf.d/net (this file :]!).
config_eth0=( "192.168.122.10 netmask 255.255.255.0 brd 192.168.122.255" )
routes_eth0=( "default via 192.168.122.1" )
rc-update add net.eth0 default
Root password
passwd
Keyboard mapping
nano -w /etc/conf.d/keymaps
Clock
nano -w /etc/conf.d/clock
System tools
- This isn't mandatory; do as you please.
emerge -v syslog-ng
rc-update add syslog-ng default
emerge -v vixie-cron
rc-update add vixie-cron default
emerge -v slocate
emerge -v grub
rc-update add sshd default
- Set the "static" USE flag for these three specific packages:
echo "sys-fs/lvm2 static" >>/etc/portage/package.use
echo "sys-fs/mdadm static" >>/etc/portage/package.use
echo "sys-apps/busybox static" >>/etc/portage/package.use
emerge -v mdadm lvm2 busybox cryptsetup
INITRAMFS
mkdir -p /root/initram
cd /root/initram
mkdir bin dev dev/mapper dev/vc etc newroot proc sys
cp /bin/busybox /sbin/cryptsetup /sbin/lvm.static /sbin/mdadm bin
mv bin/lvm.static bin/lvm
ln -s busybox bin/cat
ln -s busybox bin/mount
ln -s busybox bin/sh
ln -s busybox bin/switch_root
ln -s busybox bin/umount
ln -s busybox bin/sleep
ln -s lvm bin/vgscan
ln -s lvm bin/vgchange
cp -a /dev/console /dev/sda2 /dev/null /dev/urandom dev
cp -a /dev/mapper/vg-root dev/mapper
ln -s ../console dev/vc/0
mkdir /dev/vc
ln -s ../console /dev/vc/0
busybox dumpkmap > etc/kmap-fr
ln -s busybox bin/loadkmap
init file
nano -w init
File: init
#!/bin/sh
# Minimal initramfs init: unlock the LUKS container, activate LVM, switch root.
mount -t proc proc /proc
CMDLINE=`cat /proc/cmdline`
mount -t sysfs sysfs /sys
sleep 3
# for a French AZERTY keyboard
loadkmap < /etc/kmap-fr
# Prompts for the LUKS passphrase and maps the container as /dev/mapper/vault
/bin/cryptsetup luksOpen /dev/sda2 vault
# Activate every logical volume of the "vg" group (root, home, swap)
/bin/vgchange -ay vg
mount -r /dev/mapper/vg-root /newroot
umount /sys
umount /proc
exec /bin/busybox switch_root /newroot /sbin/init ${CMDLINE}
chmod u+x init
find . | cpio --quiet -o -H newc | gzip -9 > /boot/initramfs
Grub
nano -w /boot/grub/grub.conf
File: /boot/grub/grub.conf
default 0
timeout 3
title=Gentoo Linux
root (hd0,0)
kernel /boot/gentoo
initrd /boot/initramfs
Master Boot Record (MBR)
grep -v rootfs /proc/mounts > /etc/mtab
grub-install --no-floppy /dev/sda
Reboot
reboot
Security discussion
TODO
- Your /boot is not encrypted, so anyone who has physical access to the disk drive can edit your initrd to store your password in /boot.
- The kernel on /boot can be altered too.
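The two points above are the weak spot of this layout: the kernel and initramfs live on plain ext2 and the init script runs before any passphrase is entered. One detection measure that fits this setup is to keep SHA-256 digests of those two files on the encrypted root and compare them at every boot. The script below is an added example and is not part of the original howto; it assumes the file names /boot/gentoo and /boot/initramfs from the Grub section and a digest store at /etc/boot-hashes (a path chosen here, any file on the encrypted root will do).

```shell
#!/bin/sh
# Added example (not from the howto): record and verify digests of the
# unencrypted /boot files from inside the encrypted root.
# Assumed paths: /boot/gentoo and /boot/initramfs (howto), /etc/boot-hashes (chosen here).

# Space-separated list, deliberately unquoted below so it word-splits.
BOOT_FILES="${BOOT_FILES:-/boot/gentoo /boot/initramfs}"
HASH_DB="${HASH_DB:-/etc/boot-hashes}"

# record_boot_hashes: write "digest  path" lines for every file in BOOT_FILES.
# Run once after each intentional kernel or initramfs rebuild.
record_boot_hashes() {
    sha256sum $BOOT_FILES > "$HASH_DB" && chmod 0600 "$HASH_DB"
}

# verify_boot_hashes: exit status 0 when every recorded file still matches,
# 1 when a digest differs or a file is missing, 2 when no baseline exists.
verify_boot_hashes() {
    [ -r "$HASH_DB" ] || return 2
    # --status keeps sha256sum silent; only the exit code carries the verdict.
    sha256sum --status -c "$HASH_DB" 2>/dev/null && return 0
    return 1
}

# Command-line front end, e.g. from a boot-time script under /etc/local.d:
#   boot-hashes.sh record   (after building a new kernel/initramfs)
#   boot-hashes.sh verify   (at every boot)
case "${1:-}" in
    record) record_boot_hashes ;;
    verify)
        if verify_boot_hashes; then
            echo "boot files match recorded digests"
        else
            echo "WARNING: /boot kernel or initramfs changed since last record" >&2
            logger -p auth.crit "boot integrity check failed" 2>/dev/null
            exit 1
        fi ;;
esac
```

Because the check runs from the already-unlocked system, it detects a modified /boot after the fact rather than preventing it; a report on the next boot should be treated as a reason to change the LUKS passphrase and rebuild the initramfs.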

