On Thu, 2010-05-27 at 17:37 -0400, rh.30.miller_2555@xxxxxxxxxxxxxxx wrote:
> Hi -
>     I've scoured the web to find an answer for this, but haven't found
> an answer: Is anaconda able to install into LVM logical volumes over a
> LUKS-encrypted partition?

Is it a requirement that the LVM setup be configured prior to install, as
opposed to using anaconda/kickstart to create it? If not,
anaconda/kickstart can create such a setup for you -- all you need to do
is add --encrypted to the pv line in your kickstart (provided you did not
also pass --noformat).

If you require that the LVM configuration exist prior to running
kickstart, read on.

>
> The Detail:
>     - One drive (sda) divided into two partitions /boot (sda1) and
> the remainder (sda2) using gparted (formatted in ext4)
>     - Ran: `cryptsetup luksFormat /dev/sda2` with customized hash/
> cipher (also tried using "aes-xts-plain" cipher w/ key-size of 512 and
> sha1 hash)

The cipher/hash used by preexisting encrypted devices shouldn't matter,
as long as the kernel modules are present in the installer's runtime
environment (which they should be).

>     - Created a LVM2 physical volume and volume group (named
> vg_primary) encompassing all of sda2
>     - Created four logical volumes (lv_root, lv_home, lv_log, and
> lv_swap), formatted with ext4, except lv_swap -- formatted in mkswap)
>
> The current kickstart script (abridged) contains the following:
>     # Identify /boot
>     part /boot --onpart=sda1 --asprimary

The --asprimary option won't do anything here -- that's for partitions
you're creating from kickstart.

>     # Identify the LVM physical volume (on the encrypted device)
>     part pv.0 --onpart=mapper/dm-root --noformat

The above line should be omitted.

>     # Identify the LVM volume group
>     volgroup vg_primary pv.0 --noformat

The above line should also be omitted. As long as you don't have any
clearpart commands anaconda will find your encrypted PV and, if you
provide a passphrase to unlock it, find the VG and the LVs it contains.
All that's left for you to do is specify the filesystems and/or
mountpoints for the LVs, as below.

>     # Identify the LVM logical volumes
>     logvol / --vgname=vg_primary --name=lv_root --noformat

Are you sure you don't want to reformat the root filesystem? You're
begging for trouble here.

>     logvol /var/log --vgname=vg_primary --name=lv_log --noformat
>     logvol /home --vgname=vg_primary --name=lv_home --noformat
>
>     # Pre-script
>     %pre
>     #!/bin/bash
>     # Cycle LUKS/ LVM to ensure mountings
>     # - - - - Unmount
>     umount /media/*
>     umount /mnt/*
>     vgchange --available n --ignorelockingfailure
>     cryptsetup luksClose dm-root
>     # - - - - Mount
>     echo -ne "fakepw" | cryptsetup --key-file=-
> luksOpen /dev/sda2 dm-root
>     dmsetup mknodes
>     vgscan --ignorelockingfailure
>     vgchange --available y --ignorelockingfailure
>     %end

The above script won't work. There's no way to use preexisting encrypted
devices without interactively entering the passphrase.

>
> However, the anaconda script fails with:
>     "No preexisting partition with the name "mapper/dm-root" was
> found
>
> Is the kickstart script incorrect, or is installation in this manner
> feasible? Also - Is there an option to script the unattended unlock
> of storage media in anaconda (as opposed to typing it in during the
> install)

There is currently no way to specify the key/passphrase other than
through the installer's graphical or text user interface.

Dave

>
> Thanks!
> _______________________________________________
> Anaconda-devel-list mailing list
> Anaconda-devel-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/anaconda-devel-list
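
The two setups discussed in the reply above, written out as a kickstart storage fragment. This is an added example, not part of the original thread: the sizes, the --fstype values and the use of --useexisting to reformat the root LV are assumptions, while the device and volume names are the ones from the thread.

```kickstart
# --- Option A: reuse the preexisting LUKS + LVM layout --------------------
# No clearpart, no "part pv.*" line and no "volgroup" line. Anaconda finds
# the encrypted PV on sda2 itself and asks for the passphrase in its
# graphical or text interface; the thread states there is no way to supply
# it from the kickstart file or from %pre.
part /boot --onpart=sda1

# Root is reformatted in place (--useexisting keeps the LV but makes a new
# filesystem), following the warning about --noformat on /.
logvol /        --vgname=vg_primary --name=lv_root --useexisting --fstype=ext4

# Data volumes keep their existing contents.
logvol /var/log --vgname=vg_primary --name=lv_log  --noformat
logvol /home    --vgname=vg_primary --name=lv_home --noformat

# --- Option B: let anaconda create the encrypted PV and the LVM setup -----
# Use INSTEAD of option A, never together with it. This wipes sda.
# --encrypted goes on the pv line and must not be combined with --noformat.
# All sizes below are constructed placeholder values in MB.
#
# clearpart --drives=sda --all
# part /boot --fstype=ext4 --size=500
# part pv.0  --size=1 --grow --encrypted
# volgroup vg_primary pv.0
# logvol /        --vgname=vg_primary --name=lv_root --fstype=ext4 --size=10240
# logvol /var/log --vgname=vg_primary --name=lv_log  --fstype=ext4 --size=2048
# logvol /home    --vgname=vg_primary --name=lv_home --fstype=ext4 --size=1 --grow
# logvol swap     --vgname=vg_primary --name=lv_swap --size=2048
```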