Installing devuan to lvm partitions within dm-crypt container

cjm · 2017-06-04 16:53:23

Hello all

I am trying to replace my Slackware 14.1 installation with Devuan Jessie on my existing setup which includes lvm partitions within a dm-crypt container. I have installed lvm2 from my live CD and activated all of my required partitions. My setup is as follows:

/dev/sda
--/dev/sda1 - ext4 (/boot)
--/dev/sda2 - dm-crypt (/dev/crypt)
----/dev/crypt/root - ext4 (/)
----/dev/crypt/home - ext4 (/home)
----/dev/crypt/swap - swap

I achieved this using the following commands:

cryptsetup luksOpen /dev/sda2 crypt
vgscan --mknodes
vgchange -a y crypt

My problem arises when i attempt to run the installer; only /dev/sda1 and /dev/sda2 show up for selection. Here are the options i selected on the installer:

Is there a way I can get the Devuan installer to recognise the lvm volumes or do I need to create them from scratch? (I haven't actually seen the option to create lvm volumes in the installer as of yet. Does it have the functionality?)

Thanks in advance!

Edit: After a second look at the forum I found https://dev1galaxy.org/viewtopic.php?id=559, which mentions using the standard installer - https://mirror.leaseweb.com/devuan/devu … aller-iso/. I will try this now.

Last edited by cjm (2017-06-04 17:07:24)

fsmithred · 2017-06-04 17:20:32

Which live-CD and installer are you using? Your screenshot is not a link.

The devuan desktop-live isos don't contain the standard installer. You might be able to do it with the cli version of refractainstaller, but you would have to edit the script so that it did not format your partitions.

The thread you linked is for a full-disk encryption that includes encrypted /boot. That's different from what you have. Here's an account of someone doing it with a debian-live iso: http://forums.debian.net/viewtopic.php? … 3e#p571829
You might be able to do this with one of the regular devuan installer isos (e.g. netinstall). Choose expert install from the advanced options, before you get to partitioning, go to another virtual terminal and mount your partitions, then go back to installer and choose manual partitioning. You should be able to select partitions and use them without formatting them.

I have never tried either of these things. Be careful you do not lose your data. There are probably some config files you want to save from the old setup (fstab, crypttab, maybe others.)

The debian-installer/devuan-installer will allow you to create encrypted lvm from scratch, if you can figure it out. It's not intuitive at all.

UPDATE 28 Aug 2018: I finally tried it. It's possible to set up lvm, encryption, raid, or any combination of those and then install with refractainstaller. Here are some examples -
https://dev1galaxy.org/viewtopic.php?id=2323

Last edited by fsmithred (2018-08-28 16:56:21)

cjm · 2017-06-04 18:57:04

fsmithred wrote:

Which live-CD and installer are you using? Your screenshot is not a link.

I was using devuan_jessie_1.0.0_amd64_desktop-live.iso but now i've switched to devuan_jessie_1.0.0_amd64_CD.iso

fsmithred wrote:

The devuan desktop-live isos don't contain the standard installer. You might be able to do it with the cli version of refractainstaller, but you would have to edit the script so that it did not format your partitions.

I will take a look at this.

fsmithred wrote:

The thread you linked is for a full-disk encryption that includes encrypted /boot. That's different from what you have. Here's an account of someone doing it with a debian-live iso: http://forums.debian.net/viewtopic.php? … 3e#p571829
You might be able to do this with one of the regular devuan installer isos (e.g. netinstall). Choose expert install from the advanced options, before you get to partitioning, go to another virtual terminal and mount your partitions, then go back to installer and choose manual partitioning. You should be able to select partitions and use them without formatting them.

I have just tried this with the regular non-live Devuan installer CD but it uses ash shell and I can't seem to use or install dm-crypt or lvm2 from it

fsmithred wrote:

The debian-installer/devuan-installer will allow you to create encrypted lvm from scratch, if you can figure it out. It's not intuitive at all.

Failing all else I will try this. I have already backed up my /home to an external drive but would like to avoid having to transfer it back if possible as it contains over 700GB of files and i will have to transfer it via USB 2

Thank you for your help!

Simplicio · 2017-06-06 07:42:25

I confirm what fsmithred is saying. It is possible to achieve what you want with the Devuan installer: in my case, I know it can be done with the net installer, but I also confirm it is non-intuitive.

Once you get to the partition manager part of the install (partman), there is a list of options which, in order from the top down, places dealing with encryption after setting up lvm. The key to understanding this is that you don't have to follow the order of the menu.

What you do is create the partitions (/dev/sda1 and /dev/sda2) /dev/sda1 is your non-encrypted boot. Set up /dev/sda2 as encrypted, then once you have done that, you can set up lvm inside/on top of the encrypted partition, and having done that, create the filesystems (or swap) on the lvm volumes you have created. You might, at one point, need to ignore a dialogue that says you can't make further changes to the partitioning setup and use the <Go Back> function of the setup process.

I don't have the time to give step-by-step instructions, but I'm sure you can get there by experimenting with a minimal install. I've been aiming at a setup with encrypted boot, and using NILFS as the filesystem (not ext4), and while I've go the set-up of the encrypted root nailed, I need to work out and practice how to get everything onto NILFS. ext4 is supported by partman, but NILFS, unfortunately, isn't.

I hope that helps. Even knowing what you want to do is possible is useful, sometimes.

giorgiob · 2018-01-21 08:58:10

I have performed an install with an encrypted disk yesterday using the text-based installer of the devuan jessie image (devuan_jessie_1.0.0_amd64_NETINST.iso) and I can confirm what Simplicio sketched.

In the partition manager I chose manual partitioning and then first set up the unencrypted partitions (/dev/sda1 for /boot, /dev/sda2 for all the rest). Then I used dm-crypt to encrypt /dev/sda2, which created a new device /dev/mapper/sda2_crypt.
Then I had to define an LVM group inside /dev/mapper/sda2_crypt and add logical volumes (partitions) to it. They got mapped to /dev/mapper/vg-rootfs and /dev/mapper/vg-swap. Finally I used the last two mapped devices to install Devuan.

giorgiob · 2018-02-21 13:18:01

My encrypted partitions are working but I have a problem when shutting down the system: The console blocks and displays the message

Stopping remaining crypt disks...sda2_crypt(busy)

several times. After about one minute it displays an error message

stopping early crypto disks failed.

and the system is shut down.

It seems this is not a really issue and it has been known for ages (https://bugs.debian.org/cgi-bin/bugrepo … bug=575652) but
it is a bit annoying to see this happening each time I switch my computer off.
Also, I use this setup for most friends who want to install Linux on their laptops, so I see it pretty often.

Do you know if there is any plan to address this issue?

Last edited by giorgiob (2018-02-21 13:22:36)

rolfie · 2018-02-25 08:46:43

Same issue, no solution for ASCII, see here:
https://dev1galaxy.org/viewtopic.php?id=1753

Regards, rolfie

emanym · 2018-04-09 15:08:49

You can (kindof) ''f1x0r'' this by replacing lines 764-784 in /lib/cryptsetup/cryptdisk.functions with the old version from devuan jessie:

# Removes all mappings in crypttab
do_stop () {
	local dst src key opts opencount major minor

	dmsetup mknodes
	log_action_begin_msg "Stopping $INITSTATE crypto disks"

	egrep -v "^[[:space:]]*(#|$)" "$TABFILE" | while read dst src key opts; do
		for i in 1 2 4 8 16 32; do
			handle_crypttab_line_stop "$dst" "$src" "$key" "$opts" <&3 && break || ret=$?
			if [ $ret -eq 1 ] || [ $ret -eq 2 -a $i -gt 16 ]; then
				log_action_end_msg $ret
				break
			fi
			log_action_cont_msg "$dst busy..."
			sleep $i
		done 3<&1
	done

	log_action_end_msg 0
}

to:

# Removes all mappings in crypttab
do_stop () {
	local dst src key opts opencount major minor

	dmsetup mknodes
	log_action_begin_msg "Stopping $INITSTATE crypto disks"

	egrep -v "^[[:space:]]*(#|$)" "$TABFILE" | while read dst src key opts; do
		handle_crypttab_line_stop "$dst" "$src" "$key" "$opts" <&3 || log_action_end_msg $?
	done 3<&1

	log_action_end_msg 0
}

I'm not sure this is safe (or sane). It will still fail, but quickly...

Changing the timeouts (for i in 1 2 4 8 16 32) may be cleaner.

fsmithred · 2018-04-10 12:15:27

I tried changing the timeouts to smaller numbers, but it didn't make a difference. Last group of numbers I tried was 1 2 3 4 5 6 and it still stalled for slightly more than 30 seconds.

emanym · 2018-04-10 12:43:05

That would add up to a 21 second sleep, i guess (6+5+ etc).

However,

		for i in 1; do

should be valid shell syntax as well...

I do find having a pointless for loop rather offensive, though...

.. edit ..

Actually, just looked at the man page, and the gnu coreutils version of sleep handles floating point numbers:

me@sybilla:~$ time for i in 0.001 0.002 0.003; do sleep $i; done 

real	0m0.014s
user	0m0.000s
sys	0m0.000s

So using something like

		for i in 0.001; do

should be reasonably fast anyway...

Last edited by emanym (2018-04-10 13:15:21)

fsmithred · 2018-04-10 13:25:17

for i in 1; do

Hey, that worked! Only took five seconds. Thanks!

Vizitor · 2018-06-20 22:00:51

for i in 1; do

This really do the trick;

But, the question is: Does encrypted filesystem/partition/container in the end get proper unmount?
Because all those unmounting messages are ending with "failed".
My guess is "yes", because on reboot there are no messages about recovering journal or similar.
However, this is only a guessing.
I am concerned that over time, some files may become corrupted without noticing.

More light into this issue will be appreciated.

emanym · 2018-06-20 23:17:29

Vizitor wrote:

But, the question is: Does encrypted filesystem/partition/container in the end get proper unmount?
Because all those unmounting messages are ending with "failed".

I don't really know, however:

The "unmounting local filesystems" step (suppposedly) happens before the "stopping remaining crypt disks" step,

The "crypt disk" is a dm mapping to the lvm container, not the logical volumes inside the container,

The standard ascii version always fails as well, the modified versions just fail quickly,

The jessie version also fails, but only tries one time...

It might be possible to verify that filesystems inside the lvm container have been unmounted before the ...(failed) loop starts, but timing that would be tricky, and I'm not even sure about what exactly causes the delay...

Vizitor wrote:

I am concerned that over time, some files may become corrupted without noticing.

That's precisely the problem with this problem ;-)

Last edited by emanym (2018-06-20 23:52:29)

baneth · 2018-08-01 16:55:49

emanym wrote:

Actually, just looked at the man page, and the gnu coreutils version of sleep handles floating point numbers:
me@sybilla:~$ time for i in 0.001 0.002 0.003; do sleep $i; done 

real	0m0.014s
user	0m0.000s
sys	0m0.000s
So using something like
		for i in 0.001; do
should be reasonably fast anyway...

Thank you! That fixed the delay quite well. Thou I'm still hoping for some real solution - involving what was posted by @Geoff 42 in https://dev1galaxy.org/viewtopic.php?id=1156

fsmithred · 2018-08-27 13:03:05

A patch was submitted for the slow shutdowns. (Thanks, Jan!)
https://bugs.devuan.org//cgi/bugreport.cgi?bug=237
I just tested it and can shut down with no delay and no "failed" message.

It's not one of our packages, and upstream already has marked it "Wontfix".
https://bugs.debian.org/cgi-bin/bugrepo … bug=720340

------------------------patch------------------------------------------------------
--- /lib/cryptsetup/cryptdisks.functions.orig   2018-08-14 17:12:31.543227705 +0200
+++ /lib/cryptsetup/cryptdisks.functions        2018-08-23 16:36:23.849064962 +0200
@@ -763,9 +763,17 @@
 
 # Removes all mappings in crypttab
 do_stop () {
-       local dst src key opts opencount major minor
+       local dst src key opts opencount major minor vgs vg
 
        dmsetup mknodes
+       if [ -x /sbin/lvm ]; then
+        vgs="$(/sbin/lvm vgscan | sed -n '/"/s/^.*"\([^'\'']*\)".*$/\1/p')"
+         if [ -n "${vgs}" ]; then
+          for vg in ${vgs}; do
+           /sbin/lvm vgchange -a n ${vg} >/dev/null 2>&1 
+          done 
+         fi
+        fi
        log_action_begin_msg "Stopping $INITSTATE crypto disks"
 
        egrep -v "^[[:space:]]*(#|$)" "$TABFILE" | while read dst src key opts; do
------------------------patch/-----------------------------------------------------

Ogis1975 · 2018-08-28 15:38:55

fsmithred wrote:

A patch was submitted for the slow shutdowns. (Thanks, Jan!)

Hello. This patch for 1.0.0 Jessie only or will be for both versions (1.0.0 Jessie and 2.0.0 ASCII)?

fsmithred · 2018-08-28 16:49:43

I guess it will work in jessie or ascii. The devuan bug report is on ascii, and I tested it on ascii (with cryptsetup 1.7). The debian bug report is from 2013 and is for cryptsetup 1.6. You might need to apply it manually on jessie if the files aren't exactly the same in jessie and ascii.

Ogis1975 · 2018-08-28 17:49:29

fsmithred wrote:

I guess it will work in jessie or ascii. The devuan bug report is on ascii, and I tested it on ascii (with cryptsetup 1.7). The debian bug report is from 2013 and is for cryptsetup 1.6. You might need to apply it manually on jessie if the files aren't exactly the same in jessie and ascii.

I understood. Thanks for the reply.

Andre4freedom · 2018-08-29 06:06:40

I can confirm this: the patch works perfectly well in ASCII. Although I had to vi the file in question (/lib/cryptsetup/cryptdisks.functions), since I couldn't figure out how to apply the patch using the patch command.
Thanks for the fix!! Happy Devuan.

pota · 2019-04-22 12:57:21

giorgiob wrote:

My encrypted partitions are working but I have a problem when shutting down the system: The console blocks and displays the message
Stopping remaining crypt disks...sda2_crypt(busy)
several times. After about one minute it displays an error message
stopping early crypto disks failed.
and the system is shut down.

I have the same problem with ascii. Has it been solved in the meantime? What to do? thanks

rolfie · 2019-04-22 13:06:36

Look at the patch in #15, works fine.

Rolf

pota · 2019-04-22 16:18:37

rolfie wrote:

Look at the patch in #15, works fine.
Rolf

I have no idea how to apply it.

rolfie · 2019-04-22 16:48:48

Open a terminal as root, go to /lib/cryptsetup. Use an editor you are familiar with and open cryptdisks.functions (I have used geany). Before you change something make a backup copy of the original file.

Scroll down to line 763. There you should find this code:

 # Removes all mappings in crypttab
 do_stop () {
      local dst src key opts opencount major minor

Add vgs vg to this line.
Between

dmsetup mknodes
log_action_begin_msg "Stopping $INITSTATE crypto disks"

add

dmsetup mknodes
       if [ -x /sbin/lvm ]; then
        vgs="$(/sbin/lvm vgscan | sed -n '/"/s/^.*"\([^'\'']*\)".*$/\1/p')"
         if [ -n "${vgs}" ]; then
          for vg in ${vgs}; do
           /sbin/lvm vgchange -a n ${vg} >/dev/null 2>&1 
          done 
         fi
        fi
log_action_begin_msg "Stopping $INITSTATE crypto disks"

You can copy the text from #15, but remove the +- signs in front of the script text.

Rolf

Last edited by rolfie (2019-04-22 16:53:00)

Head_on_a_Stick · 2019-04-22 16:49:53

^ Copy the patch to a file at /tmp/cryptdisks.patch, remove the .orig bit in the first line and then run this command as root:

cd /lib/cryptsetup && patch -p1 < /tmp/cryptdisks.patch

Probably wise to backup the file first though:

# cp /lib/cryptsetup/cryptdisks.functions{,.bak}

EDIT: ninja'd by rolfie...

Last edited by Head_on_a_Stick (2019-04-22 16:50:12)

pota · 2019-04-22 17:32:14

thank you so much for both of us

The officially official Devuan Forum!

#1 2017-06-04 16:53:23

Installing devuan to lvm partitions within dm-crypt container

#2 2017-06-04 17:20:32

Re: Installing devuan to lvm partitions within dm-crypt container

#3 2017-06-04 18:57:04

Re: Installing devuan to lvm partitions within dm-crypt container

#4 2017-06-06 07:42:25

Re: Installing devuan to lvm partitions within dm-crypt container

#5 2018-01-21 08:58:10

Re: Installing devuan to lvm partitions within dm-crypt container

#6 2018-02-21 13:18:01

Re: Installing devuan to lvm partitions within dm-crypt container

#7 2018-02-25 08:46:43

Re: Installing devuan to lvm partitions within dm-crypt container

#8 2018-04-09 15:08:49

Re: Installing devuan to lvm partitions within dm-crypt container

#9 2018-04-10 12:15:27

Re: Installing devuan to lvm partitions within dm-crypt container

#10 2018-04-10 12:43:05

Re: Installing devuan to lvm partitions within dm-crypt container

#11 2018-04-10 13:25:17

Re: Installing devuan to lvm partitions within dm-crypt container

#12 2018-06-20 22:00:51

Re: Installing devuan to lvm partitions within dm-crypt container

#13 2018-06-20 23:17:29

Re: Installing devuan to lvm partitions within dm-crypt container

#14 2018-08-01 16:55:49

Re: Installing devuan to lvm partitions within dm-crypt container

#15 2018-08-27 13:03:05

Re: Installing devuan to lvm partitions within dm-crypt container

#16 2018-08-28 15:38:55

Re: Installing devuan to lvm partitions within dm-crypt container

#17 2018-08-28 16:49:43

Re: Installing devuan to lvm partitions within dm-crypt container

#18 2018-08-28 17:49:29

Re: Installing devuan to lvm partitions within dm-crypt container

#19 2018-08-29 06:06:40

Re: Installing devuan to lvm partitions within dm-crypt container

#20 2019-04-22 12:57:21

Re: Installing devuan to lvm partitions within dm-crypt container

#21 2019-04-22 13:06:36

Re: Installing devuan to lvm partitions within dm-crypt container

#22 2019-04-22 16:18:37

Re: Installing devuan to lvm partitions within dm-crypt container

#23 2019-04-22 16:48:48

Re: Installing devuan to lvm partitions within dm-crypt container

#24 2019-04-22 16:49:53

Re: Installing devuan to lvm partitions within dm-crypt container

#25 2019-04-22 17:32:14

Re: Installing devuan to lvm partitions within dm-crypt container

Board footer