ZFS Filesystem for FUSE/Linux progressing

About
ZFS is an advanced modern filesystem from Sun Microsystems, originally designed for Solaris/OpenSolaris.
This project is a port of ZFS to the FUSE framework for the Linux operating system.
It is being sponsored by Google, as part of the Google Summer of Code 2006 program.
Features
ZFS has many features which can benefit all kinds of users - from the simple end-user to the biggest enterprise systems. ZFS list of features:
Provable integrity - it checksums all data (and meta-data), which makes it possible to detect hardware errors (hard disk corruption, flaky IDE cables..). Read how ZFS helped to detect a faulty power supply after only two hours of usage, which was previously silently corrupting data for almost a year!
Atomic updates - means that the on-disk state is consistent at all times, there's no need to perform a lengthy filesystem check after forced reboots/power failures.
Instantaneous snapshots and clones - it makes it possible to have hourly, daily and weekly backups efficiently, as well as experiment with new system configurations without any risks.
Built-in (optional) compression
Highly scalable
Pooled storage model - creating filesystems is as easy as creating a new directory. You can efficiently have thousands of filesystems, each with it's own quotas and reservations, and different properties (compression algorithm, checksum algorithm, etc..).
Built-in stripes (RAID-0), mirrors (RAID-1) and RAID-Z (it's like software RAID-5, but more efficient due to ZFS's copy-on-write transactional model).
Among others (variable sector sizes, adaptive endianness, ...)
http://www.wizy.org/wiki/ZFS_on_FUSE
http://developer.berlios.de/project/sho … up_id=6836

One workaround for this test was to drop down to NFSv3. That's fine for testing, but when I get ready to roll this thing into production, I hope there are no problems doing v4 from my NetApp hardware.

Similar Messages

Lessfs - deduplicating filesystem for Linux

Hi all!
I've created PKGBUILD for the lessfs FUSE filesystem, it's already in AUR.
The software is nearly perfect for backup purposes and it's one of the few open source deduplicating file systems (other being btrfs and ZFS, both unstable on Linux).
Cheers!
Tomato

gagejd wrote:How bad is this instability with hfs+? Am I going to lose some files or corrupt a few documents when I randomly reboot the computer, or shutdown improperly?
I rarely reboot or shutdown improperly, so I have no insights to offer into the impacts of these behaviours on HFS+ in Linux.
IIRC, I once had a catastrophic and irreparable error when I used the command line in Linux to change a directory name on an HFS+ filesystem from being all lowercase to start with an uppercase letter. I had to restore the filesystem contents from backup.
Other than that, I have lots of minor, easily fixable, but somewhat troublingly frequent errors with incorrect numbers of inodes and such like.
If you are bringing Windows into the equation, I seem to recall a Slashdot article from within the last couple of years which had a question re: sharing files in a triple-boot environment (Windows, OS X, and Linux). If you can track down the article, the comments may be useful.

DskPercent not returned for ZFS filesystems?

Hello.
I'm trying to monitor the space usage of some ZFS filesystems on a Solaris 10 10/08 (137137-09) Sparc system with SNMP. I'm using the Systems Management Agent (SMA) agent.
To monitor the stuff, I added the following to /etc/sma/snmp/snmpd.conf and restarted svc:/application/management/sma:default:
# Bug in SMA?
# Reporting - NET-SNMP, Solaris 10 - has a bug parsing config file for disk space.
# -> http://forums.sun.com/thread.jspa?threadID=5366466
disk /proc 42% # Dummy Wert; wird fälschlicherweise ignoriert werden...
disk / 5%
disk /tmp 10%
disk /apps 4%
disk /data 3%Now I'm checking what I get via SNMP:
--($ ~)-- snmpwalk -v2c -c public 10.0.1.26 dsk
UCD-SNMP-MIB::dskIndex.1 = INTEGER: 1
UCD-SNMP-MIB::dskIndex.2 = INTEGER: 2
UCD-SNMP-MIB::dskIndex.3 = INTEGER: 3
UCD-SNMP-MIB::dskIndex.4 = INTEGER: 4
UCD-SNMP-MIB::dskPath.1 = STRING: /
UCD-SNMP-MIB::dskPath.2 = STRING: /tmp
UCD-SNMP-MIB::dskPath.3 = STRING: /apps
UCD-SNMP-MIB::dskPath.4 = STRING: /data
UCD-SNMP-MIB::dskDevice.1 = STRING: /dev/md/dsk/d200
UCD-SNMP-MIB::dskDevice.2 = STRING: swap
UCD-SNMP-MIB::dskDevice.3 = STRING: apps
UCD-SNMP-MIB::dskDevice.4 = STRING: data
UCD-SNMP-MIB::dskMinimum.1 = INTEGER: -1
UCD-SNMP-MIB::dskMinimum.2 = INTEGER: -1
UCD-SNMP-MIB::dskMinimum.3 = INTEGER: -1
UCD-SNMP-MIB::dskMinimum.4 = INTEGER: -1
UCD-SNMP-MIB::dskMinPercent.1 = INTEGER: 5
UCD-SNMP-MIB::dskMinPercent.2 = INTEGER: 10
UCD-SNMP-MIB::dskMinPercent.3 = INTEGER: 4
UCD-SNMP-MIB::dskMinPercent.4 = INTEGER: 3
UCD-SNMP-MIB::dskTotal.1 = INTEGER: 25821143
UCD-SNMP-MIB::dskTotal.2 = INTEGER: 7150560
UCD-SNMP-MIB::dskTotal.3 = INTEGER: 0
UCD-SNMP-MIB::dskTotal.4 = INTEGER: 0
UCD-SNMP-MIB::dskAvail.1 = INTEGER: 13584648
UCD-SNMP-MIB::dskAvail.2 = INTEGER: 6471520
UCD-SNMP-MIB::dskAvail.3 = INTEGER: 0
UCD-SNMP-MIB::dskAvail.4 = INTEGER: 0
UCD-SNMP-MIB::dskUsed.1 = INTEGER: 11978284
UCD-SNMP-MIB::dskUsed.2 = INTEGER: 679040
UCD-SNMP-MIB::dskUsed.3 = INTEGER: 0
UCD-SNMP-MIB::dskUsed.4 = INTEGER: 0
UCD-SNMP-MIB::dskPercent.1 = INTEGER: 47
UCD-SNMP-MIB::dskPercent.2 = INTEGER: 9
UCD-SNMP-MIB::dskPercent.3 = INTEGER: 0
UCD-SNMP-MIB::dskPercent.4 = INTEGER: 0
UCD-SNMP-MIB::dskPercentNode.1 = INTEGER: 9
UCD-SNMP-MIB::dskPercentNode.2 = INTEGER: 0
UCD-SNMP-MIB::dskPercentNode.3 = INTEGER: 0
UCD-SNMP-MIB::dskPercentNode.4 = INTEGER: 0
UCD-SNMP-MIB::dskErrorFlag.1 = INTEGER: noError(0)
UCD-SNMP-MIB::dskErrorFlag.2 = INTEGER: noError(0)
UCD-SNMP-MIB::dskErrorFlag.3 = INTEGER: noError(0)
UCD-SNMP-MIB::dskErrorFlag.4 = INTEGER: noError(0)
UCD-SNMP-MIB::dskErrorMsg.1 = STRING:
UCD-SNMP-MIB::dskErrorMsg.2 = STRING:
UCD-SNMP-MIB::dskErrorMsg.3 = STRING:
UCD-SNMP-MIB::dskErrorMsg.4 = STRING: As expected, dskPercent.1 and dskPercent.2 (ie. */* and */tmp*) returned good values. But why did Solaris/SNMP/??? return 0 for dskPercent.3 (*/apps*) and dskPercent.4 (*/data*)? Those directories are on two ZFS which are on seperate zpools:
--($ ~)-- zpool list
NAME   SIZE   USED AVAIL    CAP HEALTH ALTROOT
apps 39.2G 20.4G 18.9G    51% ONLINE -
data   136G   121G 15.2G    88% ONLINE -
--($ ~)-- zfs list apps data
NAME   USED AVAIL REFER MOUNTPOINT
apps 20.4G 18.3G    20K /apps
data   121G 13.1G   101K /dataOr is it supposed to be that way? I'm pretty much confused, because I found some blog posting by a guy called asyd at http://sysadmin.asyd.net/home/en/blog/asyd/zfs+snmp. Copying from there:
snmpwalk -v2c -c xxxx katsuragi.global.asyd.net UCD-SNMP-MIB::dskTable
UCD-SNMP-MIB::dskPath.1 = STRING: /
UCD-SNMP-MIB::dskPath.2 = STRING: /home
UCD-SNMP-MIB::dskPath.3 = STRING: /data/pkgsrc
UCD-SNMP-MIB::dskDevice.1 = STRING: /dev/dsk/c1d0s0
UCD-SNMP-MIB::dskDevice.2 = STRING: data/home
UCD-SNMP-MIB::dskDevice.3 = STRING: data/pkgsrc
UCD-SNMP-MIB::dskTotal.1 = INTEGER: 1017935
UCD-SNMP-MIB::dskTotal.2 = INTEGER: 0
UCD-SNMP-MIB::dskTotal.3 = INTEGER: 0
UCD-SNMP-MIB::dskAvail.1 = INTEGER: 755538
UCD-SNMP-MIB::dskAvail.2 = INTEGER: 0
UCD-SNMP-MIB::dskAvail.3 = INTEGER: 0
UCD-SNMP-MIB::dskPercent.1 = INTEGER: 21
UCD-SNMP-MIB::dskPercent.2 = INTEGER: 18
UCD-SNMP-MIB::dskPercent.3 = INTEGER: 5What I find confusing, are his dskPercent.2 and dskPercent.3 outputs - for him, he got back dskPercent for what seems to be directories on ZFS filesystems.
Because of that I'm wondering about how it is supposed to be - should Solaris return dskPercent values for ZFS?+
Thanks a lot,
Alexander

I don't have the ability to test out my theory, but I suspect that you are using the default mount created for the zpools you've created (apps & data) as opposed to specific ZFS files systems, which is what the asyd blog shows.
Remember, the elements reported on in the asyd blog ARE zfs file systems; they are not just directories. They are indeed mountpoints, and it is reporting the utilization of those zfs file systems in the pool ("data") on which they are constructed. In the case of /home, the administrator has specifically set the mountpoint of the ZFS file system to be /home instead of the default /data/home.
To test my theory, instead of using your zpool default mount point, try creating a zfs file system under each of your pools and using that as the entry point for your application to write data into the zpools. I suspect you will be rewarded with the desired result: reporting of "disk" (really, pool) percent usage.

Mount options for ZFS filesystem on Solaris 10

Do you know some recomendation
about mount options for SAP on Oracle
with data on ZFS filesystem?
Also recomended block size required.
We assume that file system with datafiles has 8kb block size
and offline redologs has default (128kB).
But what about ONLINE REDOLOGS?
Best regards
Andy

SUN Czech installed new production HW for one Czech customer with ZFS filesystem on data-, redo- and archivelog files.
Now we have performance problem and currently there is no SAP recomendation
for ZFS file system.
The HW which are by benchmark about tvice power has worst responses than
old hardware.
a) There is bug in Solaris 10 - ZFS buffers once allocated are not released
(generally we do not want to use buffering due to prevence of double
buffering)
b) ZFS buffers takes about 20GB (32GB total) of memory on DB server
and we are not able to define huge shared pool and db cache. (it may be possible
to set special parameter in /etc/system to reduce maximum size of ZFS buffers to e.g. 4GB )
c) We are looking for proven mount option for ZFS to enable asynchronious/concurent io for database filesystems
d) There is no proven clear answer for support of ZFS/SOLARIS/Oracle/SAP.
SAP says It is Oracle problem, Oracle does not certify filesystems from Jan2007
any more and says ask your OS provider and SUN looks happy, but performance
goes down and it is not so funny for system with 1TG DB with over 30GB grow
per month.
Andy

What is the best way to backup ZFS filesystem on solaris 10?

Normally on Linux environment, I'd use mondorescue to create image (full & incremental) so it can be easily restored (full or file/folders) to a new similar server environment for restore purposes in case of disaster.
I'd like to know the best way to backup a ZFS filesystem to a SAN storage and to restore it from there with minimal downtime. Preferrably with tools already available on Solaris 10.
Thanks.

the plan is to backup whole OS, and configuration files
2 servers to be backed up
server A zpool:
- rootpool
- usr
- usrtmp
server B zpool:
- rootpool
- usr
- usrtmp
if we were to cut hardware cost, it is possible to back up to samba share?
any suggestions?

Failover-proof filesystem for iSCSI on a 7410?

Hello,
I've started playing with iSCSI on our clustered 7410 system, and created an ext3 filesystem on a LUN, which is mounted on a RHEL server. This works fine, however when the 7410 fails over to passive head, the client remounts the filesystem as readonly:
EXT3-fs error (device dm-4): ext3_journal_start_sb: Detected aborted journal
Remounting filesystem read-onlyThe filesystem can be umounted and mounted rw again quite happily, but is not exactly a seamless process.
Any suggestions for a linux filesystem which can robustly handle these failovers?
Thanks,
James

Sorry guys for the late reply,
I tried to switch the owners of RG to both the nodes simultaniously,which is taking reasonable time.But the failover for a dry run is taking 30mts
The same setup with SVM is working fine, but i want to have ZFS in my zone cluster
Thanks in advance
Sid

Does SAP support Solaris 10 ZFS filesystem when using DB2 V9.5 FP4?

Hi,
I'm installing NW7 (BI usage). SAPINST has failed in the step "ABAP LOAD due to the DB2 error message
"Unsupported file system type zfs for Direct I/O". It appears my Unix Admin must have decided to set these filesystems as ZFS on this new server.
I have several questions requiring your expertise.
1) Does SAP support ZFS filesystems on Solaris 10 (SPARC hardware)? I can not find any reference in SDN or Service Market Place? Any reference will be much appreciated.
2) How can I confirm my sapdata fielsystems are ZFS?
3) What actions do you recommend for me to resolve the SAPINST errors? Do I follow the note "Note 995050 - DB6: NO FILE SYSTEM CACHING for Tablespaces" to disable "Direct I/O" for all DB2 tablespaces? I have seen Markus Doehr's forum Link:[ thread|Re: DB2 on Solaris x64 - ZFS as filesystem possible?; but it does not state exactly how he overcame the error.
regards
Benny

Hi Frank,
Thanks for your input.
I have also found the command "zfs list" that would display any ZFS filesystems.
We have also gone back to UFS as the ZFS deployment schedule does not meet this particular SAP BW implementation timeline.
Has any one come across any SAP statement that states NW7 can be deployed with ZFS for DB2 database on Solaris SPARC platform. If not, I'll open an OSS message.
regards
Benny

How to count number of files on zfs filesystem

Hi all,
Is there a way to count the number of files on a zfs filesystem similar to how "df -o i /ufs_filesystm" works? I am looking for a way to do this without using find as I suspect there are millions of files on a zfs filesystem that is causing slow performance sometimes on a particular zfs file system
Thanks.

So I have finished 90% of my testing and I have accepted _df -t /filesystem | awk ' { if ( NR==1) F=$(NF-1) ; if ( NR==2) print $(NF-1) - F }'_ as acceptable in the absence of a known built in zfs method. My main conern was with the reduction of available files from the df -t output as more files were added. I used a one liner for loop to just create empty files to conserve on space used up so I would have a better chance of seeing what happens if the available files reached 0.
root@fj-sol11:/zfstest/dir4# df -t /zfstest | awk ' { if ( NR==1) F=$(NF-1) ; if ( NR==2) print $(NF-1) - F }'
_5133680_
root@fj-sol11:/zfstest/dir4# df -t /zfstest
/zfstest (pool1 ): 7237508 blocks *7237508* files
total: 10257408 blocks 12372310 files
root@fj-sol11:/zfstest/dir4#
root@fj-sol11:/zfstest/dir7# df -t /zfstest | awk ' { if ( NR==1) F=$(NF-1) ; if ( NR==2) print $(NF-1) - F }'
_6742772_
root@fj-sol11:/zfstest/dir7# df -t /zfstest
/zfstest (pool1 ): 6619533 blocks *6619533* files
total: 10257408 blocks 13362305 files
root@fj-sol11:/zfstest/dir7# df -t /zfstest | awk ' { if ( NR==1) F=$(NF-1) ; if ( NR==2) print $(NF-1) - F }'
_7271716_
root@fj-sol11:/zfstest/dir7# df -t /zfstest
/zfstest (pool1 ): 6445809 blocks *6445809* files
total: 10257408 blocks 13717010 files
root@fj-sol11:/zfstest# df -t /zfstest | awk ' { if ( NR==1) F=$(NF-1) ; if ( NR==2) print $(NF-1) - F }'
_12359601_
root@fj-sol11:/zfstest# df -t /zfstest
/zfstest (pool1 ): 4494264 blocks *4494264* files
total: 10257408 blocks 16853865 files
I noticed the total files kept increasing and the creation of 4 millions files (4494264) after the above example was taking up more time than I had after already creating 12 million plus ( _12359601_ ) which took 2 days on a slow machine on and off (mostly on). If anyone has any idea of creating them quicker than "touch filename$loop" in a for loop let me know :)
In the end I decided to use a really small file system 100mb on a virtual machine to test what happens as the free files approached 0. Turns out if never does ... it somehow increased
bash-3.00# df -t /smalltest/
/smalltest (smalltest ): 31451 blocks *31451* files
total: 112640 blocks 278542 files
bash-3.00# pwd
/smalltest
bash-3.00# mkdir dir4
bash-3.00# cd dir4
bash-3.00# for arg in {1..47084}; do touch file$arg; done <--- I created 47084 files here, more that the free listed above ( *31451* )
bash-3.00# zfs list smalltest
NAME USED AVAIL REFER MOUNTPOINT
smalltest 47.3M 7.67M 46.9M /smalltest
bash-3.00# df -t /smalltest/
/smalltest (smalltest ): 15710 blocks *15710* files
total: 112640 blocks 309887 files
bash-3.00#
The other 10% of my testing will be to see what happens when I try to a find on 12 million plus files and try to pipe it to wc -l :)

System encryption using LUKS and GPG encrypted keys for arch linux

Update: As of 2012-03-28, arch changed from gnupg 1.4 to 2.x which uses pinentry for the password dialog. The "etwo" hook described here doesn't work with gnupg 2. Either use the openssl hook below or use a statically compiled version of gnupg 1.4.
Update: As of 2012-12-19, the mkinitcpio is not called during boot, unless the "install" file for the hook contains "add_runscript". This resulted in an unbootable system for me. Also, the method name was changed from install () to build ().
Update: 2013-01-13: Updated the hook files using the corrections by Deth.
Note: This guide is a bit dated now, in particular the arch installation might be different now. But essentially, the approach stays the same. Please also take a look at the posts further down, specifically the alternative hooks that use openssl.
I always wanted to set up a fully encrypted arch linux server that uses gpg encrypted keyfiles on an external usb stick and luks for root filesystem encryption. I already did it once in gentoo using this guide. For arch, I had to play alot with initcpio hooks and after one day of experimentation, I finally got it working. I wrote a little guide for myself which I'm going to share here for anyone that might be interested. There might be better or easier ways, like I said this is just how I did it. I hope it might help someone else. Constructive feedback is always welcome
Intro
Using arch linux mkinitcpio's encrypt hook, one can easily use encrypted root partitions with LUKS. It's also possible to use key files stored on an external drive, like an usb stick. However, if someone steals your usb stick, he can just copy the key and potentially access the system. I wanted to have a little extra security by additionally encrypting the key file with gpg using a symmetric cipher and a passphrase.
Since the encrypt hook doesn't support this scenario, I created a modifed hook called “etwo” (silly name I know, it was the first thing that came to my mind). It will simply look if the key file has the extension .gpg and, if yes, use gpg to decrypt it, then pipe the result into cryptsetup.
Conventions
In this short guide, I use the following disk/partition names:
/dev/sda: is the hard disk that will contain an encrypted swap (/dev/sda1), /var (/dev/sda2) and root (/dev/sda3) partition.
/dev/sdb is the usb stick that will contain the gpg encrypted luks keys, the kernel and grub. It will have one partition /dev/sdb1 formatted with ext2.
/dev/mapper/root, /dev/mapper/swap and /dev/mapper/var will be the encrypted devices.
Credits
Thanks to the authors of SECURITY_System_Encryption_DM-Crypt_with_LUKS (gentoo wiki), System Encryption with LUKS (arch wiki), mkinitcpio (arch wiki) and Early Userspace in Arch Linux (/dev/brain0 blog)!
Guide
1. Boot the arch live cd
I had to use a newer testing version, because the 2010.05 cd came with a broken gpg. You can download one here: http://releng.archlinux.org/isos/. I chose the “core“ version. Go ahead and boot the live cd, but don't start the setup yet.
2. Set keymap
Use km to set your keymap. This is important for non-qwerty keyboards to avoid suprises with passphrases...
3. Wipe your discs
ATTENTION: this will DELETE everything on /dev/sda and /dev/sdb forever! Do not blame me for any lost data!
Before encrypting the hard disc, it has to be completely wiped and overwritten with random data. I used shred for this. Others use badblocks or dd with /dev/urandom. Either way, this will take a long time, depending on the size of your disc. I also wiped my usb stick just to be sure.
shred -v /dev/sda
shred -v /dev/sdb
4. Partitioning
Fire up fdisk and create the following partitions:
/dev/sda1, type linux swap.
/dev/sda2: type linux
/dev/sda3: type linux
/dev/sdb1, type linux
Of course you can choose a different layout, this is just how I did it. Keep in mind that only the root filesystem will be decrypted by the initcpio. The rest will be decypted during normal init boot using /etc/crypttab, the keys being somewhere on the root filesystem.
5. Format and mount the usb stick
Create an ext2 filesystem on /dev/sdb1:
mkfs.ext2 /dev/sdb1
mkdir /root/usb
mount /dev/sdb1 /root/usb
cd /root/usb # this will be our working directory for now.
Do not mount anything to /mnt, because the arch installer will use that directory later to mount the encrypted root filesystem.
6. Configure the network (if not already done automatically)
ifconfig eth0 192.168.0.2 netmask 255.255.255.0
route add default gw 192.168.0.1
echo "nameserver 192.168.0.1" >> /etc/resolv.conf
(this is just an example, your mileage may vary)
7. Install gnupg
pacman -Sy
pacman -S gnupg
Verify that gnupg works by launching gpg.
8. Create the keys
Just to be sure, make sure swap is off:
cat /proc/swaps
should return no entries.
Create gpg encrypted keys (remember, we're still in our working dir /root/usb):
dd if=/dev/urandom bs=512 count=4 | gpg -v --cipher-algo aes256 --digest-algo sha512 -c -a > root.gpg
dd if=/dev/urandom bs=512 count=4 | gpg -v --cipher-algo aes256 --digest-algo sha512 -c -a > var.gpg
Choose a strong password!!
Don't do this in two steps, e.g don't do dd to a file and then gpg on that file. The key should never be stored in plain text on an unencrypted device, except if that device is wiped on system restart (ramfs)!
Note that the default cipher for gpg is cast5, I just chose to use a different one.
9. Create the encrypted devices with cryptsetup
Create encrypted swap:
cryptsetup -c aes-cbc-essiv:sha256 -s 256 -h whirlpool -d /dev/urandom create swap /dev/sda1
You should see /dev/mapper/swap now. Don't format nor turn it on for now. This will be done by the arch installer.
Important: From the Cryptsetup 1.1.2 Release notes:
Cryptsetup can accept passphrase on stdin (standard input). Handling of new line (\n) character is defined by input specification:
if keyfile is specified as "-" (using --key-file=- or by positional argument in luksFormat and luksAddKey, like cat file | cryptsetup --key-file=- <action> ), input is processed
as normal binary file and no new line is interpreted.
if there is no key file specification (with default input from stdin pipe like echo passphrase | cryptsetup <action> ) input is processed as input from terminal, reading will
stop after new line is detected.
If I understand this correctly, since the randomly generated key can contain a newline early on, piping the key into cryptsetup without specifying --key-file=- could result in a big part of the key to be ignored by cryptsetup. Example: if the random key was "foo\nandsomemorebaratheendofthekey", piping it directly into cryptsetup without --key-file=- would result in cryptsetup using only "foo" as key which would have big security implications. We should therefor ALWAYS pipe the key into cryptsetup using --key-file=- which ignores newlines.
gpg -q -d root.gpg 2>/dev/null | cryptsetup -v -–key-file=- -c aes-cbc-essiv:sha256 -s 256 -h whirlpool luksFormat /dev/sda3
gpg -q -d var.gpg 2>/dev/null | cryptsetup -v –-key-file=- -c aes-cbc-essiv:sha256 -s 256 -h whirlpool -v luksFormat /dev/sda2
Check for any errors.
10. Open the luks devices
gpg -d root.gpg 2>/dev/null | cryptsetup -v –-key-file=- luksOpen /dev/sda3 root
gpg -d var.gpg 2>/dev/null | cryptsetup -v –-key-file=- luksOpen /dev/sda2 var
If you see /dev/mapper/root and /dev/mapper/var now, everything is ok.
11. Start the installer /arch/setup
Follow steps 1 to 3.
At step 4 (Prepare hard drive(s), select “3 – Manually Configure block devices, filesystems and mountpoints. Choose /dev/sdb1 (the usb stick) as /boot, /dev/mapper/swap for swap, /dev/mapper/root for / and /dev/mapper/var for /var.
Format all drives (choose “yes” when asked “do you want to have this filesystem (re)created”) EXCEPT for /dev/sdb1, choose “no”. Choose the correct filesystem for /dev/sdb1, ext2 in my case. Use swap for /dev/mapper/swap. For the rest, I chose ext4.
Select DONE to start formatting.
At step 5 (Select packages), select grub as boot loader. Select the base group. Add mkinitcpio.
Start step 6 (Install packages).
Go to step 7 (Configure System).
By sure to set the correct KEYMAP, LOCALE and TIMEZONE in /etc/rc.conf.
Edit /etc/fstab:
/dev/mapper/root / ext4 defaults 0 1
/dev/mapper/swap swap swap defaults 0 0
/dev/mapper/var /var ext4 defaults 0 1
# /dev/sdb1 /boot ext2 defaults 0 1
Configure the rest normally. When you're done, setup will launch mkinitcpio. We'll manually launch this again later.
Go to step 8 (install boot loader).
Be sure to change the kernel line in menu.lst:
kernel /vmlinuz26 root=/dev/mapper/root cryptdevice=/dev/sda3:root cryptkey=/dev/sdb1:ext2:/root.gpg
Don't forget the :root suffix in cryptdevice!
Also, my root line was set to (hd1,0). Had to change that to
root (hd0,0)
Install grub to /dev/sdb (the usb stick).
Now, we can exit the installer.
12. Install mkinitcpio with the etwo hook.
Create /mnt/lib/initcpio/hooks/etwo:
#!/usr/bin/ash
run_hook() {
/sbin/modprobe -a -q dm-crypt >/dev/null 2>&1
if [ -e "/sys/class/misc/device-mapper" ]; then
if [ ! -e "/dev/mapper/control" ]; then
/bin/mknod "/dev/mapper/control" c $(cat /sys/class/misc/device-mapper/dev | sed 's|:| |')
fi
[ "${quiet}" = "y" ] && CSQUIET=">/dev/null"
# Get keyfile if specified
ckeyfile="/crypto_keyfile"
usegpg="n"
if [ "x${cryptkey}" != "x" ]; then
ckdev="$(echo "${cryptkey}" | cut -d: -f1)"
ckarg1="$(echo "${cryptkey}" | cut -d: -f2)"
ckarg2="$(echo "${cryptkey}" | cut -d: -f3)"
if poll_device "${ckdev}" ${rootdelay}; then
case ${ckarg1} in
*[!0-9]*)
# Use a file on the device
# ckarg1 is not numeric: ckarg1=filesystem, ckarg2=path
if [ "${ckarg2#*.}" = "gpg" ]; then
ckeyfile="${ckeyfile}.gpg"
usegpg="y"
fi
mkdir /ckey
mount -r -t ${ckarg1} ${ckdev} /ckey
dd if=/ckey/${ckarg2} of=${ckeyfile} >/dev/null 2>&1
umount /ckey
# Read raw data from the block device
# ckarg1 is numeric: ckarg1=offset, ckarg2=length
dd if=${ckdev} of=${ckeyfile} bs=1 skip=${ckarg1} count=${ckarg2} >/dev/null 2>&1
esac
fi
[ ! -f ${ckeyfile} ] && echo "Keyfile could not be opened. Reverting to passphrase."
fi
if [ -n "${cryptdevice}" ]; then
DEPRECATED_CRYPT=0
cryptdev="$(echo "${cryptdevice}" | cut -d: -f1)"
cryptname="$(echo "${cryptdevice}" | cut -d: -f2)"
else
DEPRECATED_CRYPT=1
cryptdev="${root}"
cryptname="root"
fi
warn_deprecated() {
echo "The syntax 'root=${root}' where '${root}' is an encrypted volume is deprecated"
echo "Use 'cryptdevice=${root}:root root=/dev/mapper/root' instead."
if poll_device "${cryptdev}" ${rootdelay}; then
if /sbin/cryptsetup isLuks ${cryptdev} >/dev/null 2>&1; then
[ ${DEPRECATED_CRYPT} -eq 1 ] && warn_deprecated
dopassphrase=1
# If keyfile exists, try to use that
if [ -f ${ckeyfile} ]; then
if [ "${usegpg}" = "y" ]; then
# gpg tty fixup
if [ -e /dev/tty ]; then mv /dev/tty /dev/tty.backup; fi
cp -a /dev/console /dev/tty
while [ ! -e /dev/mapper/${cryptname} ];
do
sleep 2
/usr/bin/gpg -d "${ckeyfile}" 2>/dev/null | cryptsetup --key-file=- luksOpen ${cryptdev} ${cryptname} ${CSQUIET}
dopassphrase=0
done
rm /dev/tty
if [ -e /dev/tty.backup ]; then mv /dev/tty.backup /dev/tty; fi
else
if eval /sbin/cryptsetup --key-file ${ckeyfile} luksOpen ${cryptdev} ${cryptname} ${CSQUIET}; then
dopassphrase=0
else
echo "Invalid keyfile. Reverting to passphrase."
fi
fi
fi
# Ask for a passphrase
if [ ${dopassphrase} -gt 0 ]; then
echo ""
echo "A password is required to access the ${cryptname} volume:"
#loop until we get a real password
while ! eval /sbin/cryptsetup luksOpen ${cryptdev} ${cryptname} ${CSQUIET}; do
sleep 2;
done
fi
if [ -e "/dev/mapper/${cryptname}" ]; then
if [ ${DEPRECATED_CRYPT} -eq 1 ]; then
export root="/dev/mapper/root"
fi
else
err "Password succeeded, but ${cryptname} creation failed, aborting..."
exit 1
fi
elif [ -n "${crypto}" ]; then
[ ${DEPRECATED_CRYPT} -eq 1 ] && warn_deprecated
msg "Non-LUKS encrypted device found..."
if [ $# -ne 5 ]; then
err "Verify parameter format: crypto=hash:cipher:keysize:offset:skip"
err "Non-LUKS decryption not attempted..."
return 1
fi
exe="/sbin/cryptsetup create ${cryptname} ${cryptdev}"
tmp=$(echo "${crypto}" | cut -d: -f1)
[ -n "${tmp}" ] && exe="${exe} --hash \"${tmp}\""
tmp=$(echo "${crypto}" | cut -d: -f2)
[ -n "${tmp}" ] && exe="${exe} --cipher \"${tmp}\""
tmp=$(echo "${crypto}" | cut -d: -f3)
[ -n "${tmp}" ] && exe="${exe} --key-size \"${tmp}\""
tmp=$(echo "${crypto}" | cut -d: -f4)
[ -n "${tmp}" ] && exe="${exe} --offset \"${tmp}\""
tmp=$(echo "${crypto}" | cut -d: -f5)
[ -n "${tmp}" ] && exe="${exe} --skip \"${tmp}\""
if [ -f ${ckeyfile} ]; then
exe="${exe} --key-file ${ckeyfile}"
else
exe="${exe} --verify-passphrase"
echo ""
echo "A password is required to access the ${cryptname} volume:"
fi
eval "${exe} ${CSQUIET}"
if [ $? -ne 0 ]; then
err "Non-LUKS device decryption failed. verify format: "
err " crypto=hash:cipher:keysize:offset:skip"
exit 1
fi
if [ -e "/dev/mapper/${cryptname}" ]; then
if [ ${DEPRECATED_CRYPT} -eq 1 ]; then
export root="/dev/mapper/root"
fi
else
err "Password succeeded, but ${cryptname} creation failed, aborting..."
exit 1
fi
else
err "Failed to open encryption mapping: The device ${cryptdev} is not a LUKS volume and the crypto= paramater was not specified."
fi
fi
rm -f ${ckeyfile}
fi
Create /mnt/lib/initcpio/install/etwo:
#!/bin/bash
build() {
local mod
add_module dm-crypt
if [[ $CRYPTO_MODULES ]]; then
for mod in $CRYPTO_MODULES; do
add_module "$mod"
done
else
add_all_modules '/crypto/'
fi
add_dir "/dev/mapper"
add_binary "cryptsetup"
add_binary "dmsetup"
add_binary "/usr/bin/gpg"
add_file "/usr/lib/udev/rules.d/10-dm.rules"
add_file "/usr/lib/udev/rules.d/13-dm-disk.rules"
add_file "/usr/lib/udev/rules.d/95-dm-notify.rules"
add_file "/usr/lib/initcpio/udev/11-dm-initramfs.rules" "/usr/lib/udev/rules.d/11-dm-initramfs.rules"
add_runscript
help ()
cat<<HELPEOF
This hook allows for an encrypted root device with support for gpg encrypted key files.
To use gpg, the key file must have the extension .gpg and you have to install gpg and add /usr/bin/gpg
to your BINARIES var in /etc/mkinitcpio.conf.
HELPEOF
Edit /mnt/etc/mkinitcpio.conf (only relevant sections displayed):
MODULES=”ext2 ext4” # not sure if this is really nessecary.
BINARIES=”/usr/bin/gpg” # this could probably be done in install/etwo...
HOOKS=”base udev usbinput keymap autodetect pata scsi sata usb etwo filesystems” # (usbinput is only needed if you have an usb keyboard)
Copy the initcpio stuff over to the live cd:
cp /mnt/lib/initcpio/hooks/etwo /lib/initcpio/hooks/
cp /mnt/lib/initcpio/install/etwo /lib/initcpio/install/
cp /mnt/etc/mkinitcpio.conf /etc/
Verify your LOCALE, KEYMAP and TIMEZONE in /etc/rc.conf!
Now reinstall the initcpio:
mkinitcpio -g /mnt/boot/kernel26.img
Make sure there were no errors and that all hooks were included.
13. Decrypt the "var" key to the encrypted root
mkdir /mnt/keys
chmod 500 /mnt/keys
gpg –output /mnt/keys/var -d /mnt/boot/var.gpg
chmod 400 /mnt/keys/var
14. Setup crypttab
Edit /mnt/etc/crypttab:
swap /dev/sda1 SWAP -c aes-cbc-essiv:sha256 -s 256 -h whirlpool
var /dev/sda2 /keys/var
15. Reboot
We're done, you may reboot. Make sure you select the usb stick as the boot device in your bios and hope for the best. . If it didn't work, play with grub's settings or boot from the live cd, mount your encrypted devices and check all settings. You might also have less trouble by using uuid's instead of device names. I chose device names to keep things as simple as possible, even though it's not the optimal way to do it.
Make backups of your data and your usb stick and do not forget your password(s)! Or you can say goodbye to your data forever...
Last edited by fabriceb (2013-01-15 22:36:23)

I'm trying to run my install script that is based on https://bbs.archlinux.org/viewtopic.php?id=129885
Decrypting the gpg key after grub works, but then "Devce root already exists." appears every second.
any idea ?
#!/bin/bash
# This script is designed to be run in conjunction with a UEFI boot using Archboot intall media.
# prereqs:
# EFI "BIOS" set to boot *only* from EFI
# successful EFI boot of Archboot USB
# mount /dev/sdb1 /src
set -o nounset
#set -o errexit
# Host specific configuration
# this whole script needs to be customized, particularly disk partitions
# and configuration, but this section contains global variables that
# are used during the system configuration phase for convenience
HOSTNAME=daniel
USERNAME=user
# Globals
# We don't need to set these here but they are used repeatedly throughout
# so it makes sense to reuse them and allow an easy, one-time change if we
# need to alter values such as the install target mount point.
INSTALL_TARGET="/install"
HR="--------------------------------------------------------------------------------"
PACMAN="pacman --noconfirm --config /tmp/pacman.conf"
TARGET_PACMAN="pacman --noconfirm --config /tmp/pacman.conf -r ${INSTALL_TARGET}"
CHROOT_PACMAN="pacman --noconfirm --cachedir /var/cache/pacman/pkg --config /tmp/pacman.conf -r ${INSTALL_TARGET}"
FILE_URL="file:///packages/core-$(uname -m)/pkg"
FTP_URL='ftp://mirrors.kernel.org/archlinux/$repo/os/$arch'
HTTP_URL='http://mirrors.kernel.org/archlinux/$repo/os/$arch'
# Functions
# I've avoided using functions in this script as they aren't required and
# I think it's more of a learning tool if you see the step-by-step
# procedures even with minor duplciations along the way, but I feel that
# these functions clarify the particular steps of setting values in config
# files.
SetValue () {
# EXAMPLE: SetValue VARIABLENAME '\"Quoted Value\"' /file/path
VALUENAME="$1" NEWVALUE="$2" FILEPATH="$3"
sed -i "s+^#\?$${VALUENAME}$=.*$+\1=${NEWVALUE}+" "${FILEPATH}"
CommentOutValue () {
VALUENAME="$1" FILEPATH="$2"
sed -i "s/^$${VALUENAME}.*$$/#\1/" "${FILEPATH}"
UncommentValue () {
VALUENAME="$1" FILEPATH="$2"
sed -i "s/^#$${VALUENAME}.*$$/\1/" "${FILEPATH}"
# Initialize
# Warn the user about impending doom, set up the network on eth0, mount
# the squashfs images (Archboot does this normally, we're just filling in
# the gaps resulting from the fact that we're doing a simple scripted
# install). We also create a temporary pacman.conf that looks for packages
# locally first before sourcing them from the network. It would be better
# to do either *all* local or *all* network but we can't for two reasons.
# 1. The Archboot installation image might have an out of date kernel
# (currently the case) which results in problems when chrooting
# into the install mount point to modprobe efivars. So we use the
# package snapshot on the Archboot media to ensure our kernel is
# the same as the one we booted with.
# 2. Ideally we'd source all local then, but some critical items,
# notably grub2-efi variants, aren't yet on the Archboot media.
# Warn
timer=9
echo -e "\n\nMAC WARNING: This script is not designed for APPLE MAC installs and will potentially misconfigure boot to your existing OS X installation. STOP NOW IF YOU ARE ON A MAC.\n\n"
echo -n "GENERAL WARNING: This procedure will completely format /dev/sda. Please cancel with ctrl-c to cancel within $timer seconds..."
while [[ $timer -gt 0 ]]
do
sleep 1
let timer-=1
echo -en "$timer seconds..."
done
echo "STARTING"
# Get Network
echo -n "Waiting for network address.."
#dhclient eth0
dhcpcd -p eth0
echo -n "Network address acquired."
# Mount packages squashfs images
umount "/packages/core-$(uname -m)"
umount "/packages/core-any"
rm -rf "/packages/core-$(uname -m)"
rm -rf "/packages/core-any"
mkdir -p "/packages/core-$(uname -m)"
mkdir -p "/packages/core-any"
modprobe -q loop
modprobe -q squashfs
mount -o ro,loop -t squashfs "/src/packages/archboot_packages_$(uname -m).squashfs" "/packages/core-$(uname -m)"
mount -o ro,loop -t squashfs "/src/packages/archboot_packages_any.squashfs" "/packages/core-any"
# Create temporary pacman.conf file
cat << PACMANEOF > /tmp/pacman.conf
[options]
Architecture = auto
CacheDir = ${INSTALL_TARGET}/var/cache/pacman/pkg
CacheDir = /packages/core-$(uname -m)/pkg
CacheDir = /packages/core-any/pkg
[core]
Server = ${FILE_URL}
Server = ${FTP_URL}
Server = ${HTTP_URL}
[extra]
Server = ${FILE_URL}
Server = ${FTP_URL}
Server = ${HTTP_URL}
#Uncomment to enable pacman -Sy yaourt
[archlinuxfr]
Server = http://repo.archlinux.fr/\$arch
PACMANEOF
# Prepare pacman
[[ ! -d "${INSTALL_TARGET}/var/cache/pacman/pkg" ]] && mkdir -m 755 -p "${INSTALL_TARGET}/var/cache/pacman/pkg"
[[ ! -d "${INSTALL_TARGET}/var/lib/pacman" ]] && mkdir -m 755 -p "${INSTALL_TARGET}/var/lib/pacman"
${PACMAN} -Sy
${TARGET_PACMAN} -Sy
# Install prereqs from network (not on archboot media)
echo -e "\nInstalling prereqs...\n$HR"
#sed -i "s/^#S/S/" /etc/pacman.d/mirrorlist # Uncomment all Server lines
UncommentValue S /etc/pacman.d/mirrorlist # Uncomment all Server lines
${PACMAN} --noconfirm -Sy gptfdisk btrfs-progs-unstable libusb-compat gnupg
# Configure Host
# Here we create three partitions:
# 1. efi and /boot (one partition does double duty)
# 2. swap
# 3. our encrypted root
# Note that all of these are on a GUID partition table scheme. This proves
# to be quite clean and simple since we're not doing anything with MBR
# boot partitions and the like.
echo -e "format\n"
# shred -v /dev/sda
# disk prep
sgdisk -Z /dev/sda # zap all on disk
#sgdisk -Z /dev/mmcb1k0 # zap all on sdcard
sgdisk -a 2048 -o /dev/sda # new gpt disk 2048 alignment
#sgdisk -a 2048 -o /dev/mmcb1k0
# create partitions
sgdisk -n 1:0:+200M /dev/sda # partition 1 (UEFI BOOT), default start block, 200MB
sgdisk -n 2:0:+4G /dev/sda # partition 2 (SWAP), default start block, 200MB
sgdisk -n 3:0:0 /dev/sda # partition 3, (LUKS), default start, remaining space
#sgdisk -n 1:0:1800M /dev/mmcb1k0 # root.gpg
# set partition types
sgdisk -t 1:ef00 /dev/sda
sgdisk -t 2:8200 /dev/sda
sgdisk -t 3:8300 /dev/sda
#sgdisk -t 1:0700 /dev/mmcb1k0
# label partitions
sgdisk -c 1:"UEFI Boot" /dev/sda
sgdisk -c 2:"Swap" /dev/sda
sgdisk -c 3:"LUKS" /dev/sda
#sgdisk -c 1:"Key" /dev/mmcb1k0
echo -e "create gpg file\n"
# create gpg file
dd if=/dev/urandom bs=512 count=4 | gpg -v --cipher-algo aes256 --digest-algo sha512 -c -a > /root/root.gpg
echo -e "format LUKS on root\n"
# format LUKS on root
gpg -q -d /root/root.gpg 2>/dev/null | cryptsetup -v --key-file=- -c aes-xts-plain -s 512 --hash sha512 luksFormat /dev/sda3
echo -e "open LUKS on root\n"
gpg -d /root/root.gpg 2>/dev/null | cryptsetup -v --key-file=- luksOpen /dev/sda3 root
# NOTE: make sure to add dm_crypt and aes_i586 to MODULES in rc.conf
# NOTE2: actually this isn't required since we're mounting an encrypted root and grub2/initramfs handles this before we even get to rc.conf
# make filesystems
# following swap related commands not used now that we're encrypting our swap partition
#mkswap /dev/sda2
#swapon /dev/sda2
#mkfs.ext4 /dev/sda3 # this is where we'd create an unencrypted root partition, but we're using luks instead
echo -e "\nCreating Filesystems...\n$HR"
# make filesystems
mkfs.ext4 /dev/mapper/root
mkfs.vfat -F32 /dev/sda1
#mkfs.vfat -F32 /dev/mmcb1k0p1
echo -e "mount targets\n"
# mount target
#mount /dev/sda3 ${INSTALL_TARGET} # this is where we'd mount the unencrypted root partition
mount /dev/mapper/root ${INSTALL_TARGET}
# mount target
mkdir ${INSTALL_TARGET}
# mkdir ${INSTALL_TARGET}/key
# mount -t vfat /dev/mmcb1k0p1 ${INSTALL_TARGET}/key
mkdir ${INSTALL_TARGET}/boot
mount -t vfat /dev/sda1 ${INSTALL_TARGET}/boot
# Install base, necessary utilities
mkdir -p ${INSTALL_TARGET}/var/lib/pacman
${TARGET_PACMAN} -Sy
${TARGET_PACMAN} -Su base
# curl could be installed later but we want it ready for rankmirrors
${TARGET_PACMAN} -S curl
${TARGET_PACMAN} -S libusb-compat gnupg
${TARGET_PACMAN} -R grub
rm -rf ${INSTALL_TARGET}/boot/grub
${TARGET_PACMAN} -S grub2-efi-x86_64
# Configure new system
SetValue HOSTNAME ${HOSTNAME} ${INSTALL_TARGET}/etc/rc.conf
sed -i "s/^$127\.0\.0\.1.*$$/\1 ${HOSTNAME}/" ${INSTALL_TARGET}/etc/hosts
SetValue CONSOLEFONT Lat2-Terminus16 ${INSTALL_TARGET}/etc/rc.conf
#following replaced due to netcfg
#SetValue interface eth0 ${INSTALL_TARGET}/etc/rc.conf
# write fstab
# You can use UUID's or whatever you want here, of course. This is just
# the simplest approach and as long as your drives aren't changing values
# randomly it should work fine.
cat > ${INSTALL_TARGET}/etc/fstab <<FSTAB_EOF
# /etc/fstab: static file system information
# <file system> <dir> <type> <options> <dump> <pass>
tmpfs /tmp tmpfs nodev,nosuid 0 0
/dev/sda1 /boot vfat defaults 0 0
/dev/mapper/cryptswap none swap defaults 0 0
/dev/mapper/root / ext4 defaults,noatime 0 1
FSTAB_EOF
# write etwo
mkdir -p /lib/initcpio/hooks/
mkdir -p /lib/initcpio/install/
cp /src/etwo_hooks /lib/initcpio/hooks/etwo
cp /src/etwo_install /lib/initcpio/install/etwo
mkdir -p ${INSTALL_TARGET}/lib/initcpio/hooks/
mkdir -p ${INSTALL_TARGET}/lib/initcpio/install/
cp /src/etwo_hooks ${INSTALL_TARGET}/lib/initcpio/hooks/etwo
cp /src/etwo_install ${INSTALL_TARGET}/lib/initcpio/install/etwo
# write crypttab
# encrypted swap (random passphrase on boot)
echo cryptswap /dev/sda2 SWAP "-c aes-xts-plain -h whirlpool -s 512" >> ${INSTALL_TARGET}/etc/crypttab
# copy configs we want to carry over to target from install environment
mv ${INSTALL_TARGET}/etc/resolv.conf ${INSTALL_TARGET}/etc/resolv.conf.orig
cp /etc/resolv.conf ${INSTALL_TARGET}/etc/resolv.conf
mkdir -p ${INSTALL_TARGET}/tmp
cp /tmp/pacman.conf ${INSTALL_TARGET}/tmp/pacman.conf
# mount proc, sys, dev in install root
mount -t proc proc ${INSTALL_TARGET}/proc
mount -t sysfs sys ${INSTALL_TARGET}/sys
mount -o bind /dev ${INSTALL_TARGET}/dev
echo -e "umount boot\n"
# we have to remount /boot from inside the chroot
umount ${INSTALL_TARGET}/boot
# Create install_efi script (to be run *after* chroot /install)
touch ${INSTALL_TARGET}/install_efi
chmod a+x ${INSTALL_TARGET}/install_efi
cat > ${INSTALL_TARGET}/install_efi <<EFI_EOF
# functions (these could be a library, but why overcomplicate things
SetValue () { VALUENAME="\$1" NEWVALUE="\$2" FILEPATH="\$3"; sed -i "s+^#\?$\${VALUENAME}$=.*\$+\1=\${NEWVALUE}+" "\${FILEPATH}"; }
CommentOutValue () { VALUENAME="\$1" FILEPATH="\$2"; sed -i "s/^$\${VALUENAME}.*$\$/#\1/" "\${FILEPATH}"; }
UncommentValue () { VALUENAME="\$1" FILEPATH="\$2"; sed -i "s/^#$\${VALUENAME}.*$\$/\1/" "\${FILEPATH}"; }
echo -e "mount boot\n"
# remount here or grub et al gets confused
mount -t vfat /dev/sda1 /boot
# mkinitcpio
# NOTE: intel_agp drm and i915 for intel graphics
SetValue MODULES '\\"dm_mod dm_crypt aes_x86_64 ext2 ext4 vfat intel_agp drm i915\\"' /etc/mkinitcpio.conf
SetValue HOOKS '\\"base udev pata scsi sata usb usbinput keymap consolefont etwo encrypt filesystems\\"' /etc/mkinitcpio.conf
SetValue BINARIES '\\"/usr/bin/gpg\\"' /etc/mkinitcpio.conf
mkinitcpio -p linux
# kernel modules for EFI install
modprobe efivars
modprobe dm-mod
# locale-gen
UncommentValue de_AT /etc/locale.gen
locale-gen
# install and configure grub2
# did this above
#${CHROOT_PACMAN} -Sy
#${CHROOT_PACMAN} -R grub
#rm -rf /boot/grub
#${CHROOT_PACMAN} -S grub2-efi-x86_64
# you can be surprisingly sloppy with the root value you give grub2 as a kernel option and
# even omit the cryptdevice altogether, though it will wag a finger at you for using
# a deprecated syntax, so we're using the correct form here
# NOTE: take out i915.modeset=1 unless you are on intel graphics
SetValue GRUB_CMDLINE_LINUX '\\"cryptdevice=/dev/sda3:root cryptkey=/dev/sda1:vfat:/root.gpg add_efi_memmap i915.i915_enable_rc6=1 i915.i915_enable_fbc=1 i915.lvds_downclock=1 pcie_aspm=force quiet\\"' /etc/default/grub
# set output to graphical
SetValue GRUB_TERMINAL_OUTPUT gfxterm /etc/default/grub
SetValue GRUB_GFXMODE 960x600x32,auto /etc/default/grub
SetValue GRUB_GFXPAYLOAD_LINUX keep /etc/default/grub # comment out this value if text only mode
# install the actual grub2. Note that despite our --boot-directory option we will still need to move
# the grub directory to /boot/grub during grub-mkconfig operations until grub2 gets patched (see below)
grub_efi_x86_64-install --bootloader-id=grub --no-floppy --recheck
# create our EFI boot entry
# bug in the HP bios firmware (F.08)
efibootmgr --create --gpt --disk /dev/sda --part 1 --write-signature --label "ARCH LINUX" --loader "\\\\grub\\\\grub.efi"
# copy font for grub2
cp /usr/share/grub/unicode.pf2 /boot/grub
# generate config file
grub-mkconfig -o /boot/grub/grub.cfg
exit
EFI_EOF
# Install EFI using script inside chroot
chroot ${INSTALL_TARGET} /install_efi
rm ${INSTALL_TARGET}/install_efi
# Post install steps
# anything you want to do post install. run the script automatically or
# manually
touch ${INSTALL_TARGET}/post_install
chmod a+x ${INSTALL_TARGET}/post_install
cat > ${INSTALL_TARGET}/post_install <<POST_EOF
set -o errexit
set -o nounset
# functions (these could be a library, but why overcomplicate things
SetValue () { VALUENAME="\$1" NEWVALUE="\$2" FILEPATH="\$3"; sed -i "s+^#\?$\${VALUENAME}$=.*\$+\1=\${NEWVALUE}+" "\${FILEPATH}"; }
CommentOutValue () { VALUENAME="\$1" FILEPATH="\$2"; sed -i "s/^$\${VALUENAME}.*$\$/#\1/" "\${FILEPATH}"; }
UncommentValue () { VALUENAME="\$1" FILEPATH="\$2"; sed -i "s/^#$\${VALUENAME}.*$\$/\1/" "\${FILEPATH}"; }
# root password
echo -e "${HR}\\nNew root user password\\n${HR}"
passwd
# add user
echo -e "${HR}\\nNew non-root user password (username:${USERNAME})\\n${HR}"
groupadd sudo
useradd -m -g users -G audio,lp,optical,storage,video,games,power,scanner,network,sudo,wheel -s /bin/bash ${USERNAME}
passwd ${USERNAME}
# mirror ranking
echo -e "${HR}\\nRanking Mirrors (this will take a while)\\n${HR}"
cp /etc/pacman.d/mirrorlist /etc/pacman.d/mirrorlist.orig
mv /etc/pacman.d/mirrorlist /etc/pacman.d/mirrorlist.all
sed -i "s/#S/S/" /etc/pacman.d/mirrorlist.all
rankmirrors -n 5 /etc/pacman.d/mirrorlist.all > /etc/pacman.d/mirrorlist
# temporary fix for locale.sh update conflict
mv /etc/profile.d/locale.sh /etc/profile.d/locale.sh.preupdate || true
# yaourt repo (add to target pacman, not tmp pacman.conf, for ongoing use)
echo -e "\\n[archlinuxfr]\\nServer = http://repo.archlinux.fr/\\\$arch" >> /etc/pacman.conf
echo -e "\\n[haskell]\\nServer = http://www.kiwilight.com/\\\$repo/\\\$arch" >> /etc/pacman.conf
# additional groups and utilities
pacman --noconfirm -Syu
pacman --noconfirm -S base-devel
pacman --noconfirm -S yaourt
# sudo
pacman --noconfirm -S sudo
cp /etc/sudoers /tmp/sudoers.edit
sed -i "s/#\s*$%wheel\s*ALL=(ALL)\s*ALL.*$$/\1/" /tmp/sudoers.edit
sed -i "s/#\s*$%sudo\s*ALL=(ALL)\s*ALL.*$$/\1/" /tmp/sudoers.edit
visudo -qcsf /tmp/sudoers.edit && cat /tmp/sudoers.edit > /etc/sudoers
# power
pacman --noconfirm -S acpi acpid acpitool cpufrequtils
yaourt --noconfirm -S powertop2
sed -i "/^DAEMONS/ s/)/ @acpid)/" /etc/rc.conf
sed -i "/^MODULES/ s/)/ acpi-cpufreq cpufreq_ondemand cpufreq_powersave coretemp)/" /etc/rc.conf
# following requires my acpi handler script
echo "/etc/acpi/handler.sh boot" > /etc/rc.local
# time
pacman --noconfirm -S ntp
sed -i "/^DAEMONS/ s/hwclock /!hwclock @ntpd /" /etc/rc.conf
# wireless (wpa supplicant should already be installed)
pacman --noconfirm -S iw wpa_supplicant rfkill
pacman --noconfirm -S netcfg wpa_actiond ifplugd
mv /etc/wpa_supplicant.conf /etc/wpa_supplicant.conf.orig
echo -e "ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=network\nupdate_config=1" > /etc/wpa_supplicant.conf
# make sure to copy /etc/network.d/examples/wireless-wpa-config to /etc/network.d/home and edit
sed -i "/^DAEMONS/ s/)/ @net-auto-wireless @net-auto-wired)/" /etc/rc.conf
sed -i "/^DAEMONS/ s/ network / /" /etc/rc.conf
echo -e "\nWIRELESS_INTERFACE=wlan0" >> /etc/rc.conf
echo -e "WIRED_INTERFACE=eth0" >> /etc/rc.conf
echo "options iwlagn led_mode=2" > /etc/modprobe.d/iwlagn.conf
# sound
pacman --noconfirm -S alsa-utils alsa-plugins
sed -i "/^DAEMONS/ s/)/ @alsa)/" /etc/rc.conf
mv /etc/asound.conf /etc/asound.conf.orig || true
#if alsamixer isn't working, try alsamixer -Dhw and speaker-test -Dhw -c 2
# video
pacman --noconfirm -S base-devel mesa mesa-demos
# x
#pacman --noconfirm -S xorg xorg-xinit xorg-utils xorg-server-utils xdotool xorg-xlsfonts
#yaourt --noconfirm -S xf86-input-wacom-git # NOT NEEDED? input-wacom-git
#TODO: cut down the install size
#pacman --noconfirm -S xorg-server xorg-xinit xorg-utils xorg-server-utils
# TODO: wacom
# environment/wm/etc.
#pacman --noconfirm -S xfce4 compiz ccsm
#pacman --noconfirm -S xcompmgr
#yaourt --noconfirm -S physlock unclutter
#pacman --noconfirm -S rxvt-unicode urxvt-url-select hsetroot
#pacman --noconfirm -S gtk2 #gtk3 # for taffybar?
#pacman --noconfirm -S ghc
# note: try installing alex and happy from cabal instead
#pacman --noconfirm -S haskell-platform haskell-hscolour
#yaourt --noconfirm -S xmonad-darcs xmonad-contrib-darcs xcompmgr
#yaourt --noconfirm -S xmobar-git
# TODO: edit xfce to use compiz
# TODO: xmonad, but deal with video tearing
# TODO: xmonad-darcs fails to install from AUR. haskell dependency hell.
# switching to cabal
# fonts
pacman --noconfirm -S terminus-font
yaourt --noconfirm -S webcore-fonts
yaourt --noconfirm -S fontforge libspiro
yaourt --noconfirm -S freetype2-git-infinality
# TODO: sed infinality and change to OSX or OSX2 mode
# and create the sym link from /etc/fonts/conf.avail to conf.d
# misc apps
#pacman --noconfirm -S htop openssh keychain bash-completion git vim
#pacman --noconfirm -S chromium flashplugin
#pacman --noconfirm -S scrot mypaint bc
#yaourt --noconfirm -S task-git stellarium googlecl
# TODO: argyll
POST_EOF
# Post install in chroot
#echo "chroot and run /post_install"
chroot /install /post_install
rm /install/post_install
# copy grub.efi file to the default HP EFI boot manager path
mkdir -p ${INSTALL_TARGET}/boot/EFI/Microsoft/BOOT/
mkdir -p ${INSTALL_TARGET}/boot/EFI/BOOT/
cp ${INSTALL_TARGET}/boot/grub/grub.efi ${INSTALL_TARGET}/boot/EFI/Microsoft/BOOT/bootmgfw.efi
cp ${INSTALL_TARGET}/boot/grub/grub.efi ${INSTALL_TARGET}/boot/EFI/BOOT/BOOTX64.EFI
cp /root/root.gpg ${INSTALL_TARGET}/boot/
# NOTES/TODO

Mounting ZFS filesystems: (1/10)cannot mount directory is not empt(10/10

Hi
in zone:
bash-3.00# reboot
[NOTICE: Zone rebooting]
SunOS Release 5.10 Version Generic_144488-17 64-bit
Copyright (c) 1983, 2011, Oracle and/or its affiliates. All rights reserved.
Hostname: dbspfox1
Reading ZFS config: done.
Mounting ZFS filesystems: (1/10)cannot mount '/zonedev/dbspfox1/biblio/P622/dev': directory is not empt(10/10 )
svc:/system/filesystem/local:default: WARNING: /usr/sbin/zfs mount -a failed: exit status 1
Nov 4 10:07:33 svc.startd[12427]: svc:/system/filesystem/local:default: Method "/lib/svc/method/fs-local" fa iled with exit status 95.
Nov 4 10:07:33 svc.startd[12427]: system/filesystem/local:default failed fatally: transitioned to maintenanc e (see 'svcs -xv' for details)
For sure the directory in not empty, but the others too are not empty.
bash-3.00# zfs list
NAME USED AVAIL REFER MOUNTPOINT
zonedev 236G 57.6G 23K /zonedev
zonedev/dbspfox1 236G 57.6G 1.06G /zonedev/dbspfox1
zonedev/dbspfox1/biblio 235G 57.6G 23K /zonedev/dbspfox1/biblio
zonedev/dbspfox1/biblio/P622 235G 57.6G 10.4G /zonedev/dbspfox1/biblio/P622
zonedev/dbspfox1/biblio/P622/31mars 81.3G 57.6G 47.3G /zonedev/dbspfox1/biblio/P622/31mars
zonedev/dbspfox1/biblio/P622/31mars/data 34.0G 57.6G 34.0G /zonedev/dbspfox1/biblio/P622/31mars/data
zonedev/dbspfox1/biblio/P622/dev 89.7G 57.6G 50.1G /zonedev/dbspfox1/biblio/P622/dev
zonedev/dbspfox1/biblio/P622/dev/data 39.6G 57.6G 39.6G /zonedev/dbspfox1/biblio/P622/dev/data
zonedev/dbspfox1/biblio/P622/preprod 53.3G 57.6G 12.9G /zonedev/dbspfox1/biblio/P622/preprod
zonedev/dbspfox1/biblio/P622/preprod/data 40.4G 57.6G 40.4G /zonedev/dbspfox1/biblio/P622/preprod/data
bash-3.00# svcs -xv
svc:/system/filesystem/local:default (local file system mounts)
State: maintenance since Fri Nov 04 10:07:33 2011
Reason: Start method exited with $SMF_EXIT_ERR_FATAL.
See: http://sun.com/msg/SMF-8000-KS
See: /var/svc/log/system-filesystem-local:default.log
Impact: 33 dependent services are not running:
svc:/system/webconsole:console
svc:/system/filesystem/autofs:default
svc:/system/system-log:default
svc:/milestone/multi-user:default
svc:/milestone/multi-user-server:default
svc:/application/autoreg:default
svc:/application/stosreg:default
svc:/application/graphical-login/cde-login:default
svc:/application/cde-printinfo:default
svc:/network/smtp:sendmail
svc:/application/management/seaport:default
svc:/application/management/snmpdx:default
svc:/application/management/dmi:default
svc:/application/management/sma:default
svc:/network/sendmail-client:default
svc:/network/ssh:default
svc:/system/sysidtool:net
svc:/network/rpc/bind:default
svc:/network/nfs/nlockmgr:default
svc:/network/nfs/client:default
svc:/network/nfs/status:default
svc:/network/nfs/cbd:default
svc:/network/nfs/mapid:default
svc:/network/inetd:default
svc:/system/sysidtool:system
svc:/system/postrun:default
svc:/system/filesystem/volfs:default
svc:/system/cron:default
svc:/application/font/fc-cache:default
svc:/system/boot-archive-update:default
svc:/network/shares/group:default
svc:/network/shares/group:zfs
svc:/system/sac:default
svc:/network/rpc/gss:default (Generic Security Service)
State: uninitialized since Fri Nov 04 10:07:31 2011
Reason: Restarter svc:/network/inetd:default is not running.
See: http://sun.com/msg/SMF-8000-5H
See: man -M /usr/share/man -s 1M gssd
Impact: 17 dependent services are not running:
svc:/network/nfs/client:default
svc:/system/filesystem/autofs:default
svc:/system/webconsole:console
svc:/system/system-log:default
svc:/milestone/multi-user:default
svc:/milestone/multi-user-server:default
svc:/application/autoreg:default
svc:/application/stosreg:default
svc:/application/graphical-login/cde-login:default
svc:/application/cde-printinfo:default
svc:/network/smtp:sendmail
svc:/application/management/seaport:default
svc:/application/management/snmpdx:default
svc:/application/management/dmi:default
svc:/application/management/sma:default
svc:/network/sendmail-client:default
svc:/network/ssh:default
svc:/application/print/server:default (LP print server)
State: disabled since Fri Nov 04 10:07:31 2011
Reason: Disabled by an administrator.
See: http://sun.com/msg/SMF-8000-05
See: man -M /usr/share/man -s 1M lpsched
Impact: 1 dependent service is not running:
svc:/application/print/ipp-listener:default
svc:/network/rpc/smserver:default (removable media management)
State: uninitialized since Fri Nov 04 10:07:32 2011
Reason: Restarter svc:/network/inetd:default is not running.
See: http://sun.com/msg/SMF-8000-5H
See: man -M /usr/share/man -s 1M rpc.smserverd
Impact: 1 dependent service is not running:
svc:/system/filesystem/volfs:default
svc:/network/rpc/rstat:default (kernel statistics server)
State: uninitialized since Fri Nov 04 10:07:31 2011
Reason: Restarter svc:/network/inetd:default is not running.
See: http://sun.com/msg/SMF-8000-5H
See: man -M /usr/share/man -s 1M rpc.rstatd
See: man -M /usr/share/man -s 1M rstatd
Impact: 1 dependent service is not running:
svc:/application/management/sma:default
bash-3.00# df -h
Filesystem size used avail capacity Mounted on
/ 59G 1.1G 58G 2% /
/dev 59G 1.1G 58G 2% /dev
/lib 261G 7.5G 253G 3% /lib
/platform 261G 7.5G 253G 3% /platform
/sbin 261G 7.5G 253G 3% /sbin
/usr 261G 7.5G 253G 3% /usr
proc 0K 0K 0K 0% /proc
ctfs 0K 0K 0K 0% /system/contract
mnttab 0K 0K 0K 0% /etc/mnttab
objfs 0K 0K 0K 0% /system/object
swap 2.1G 248K 2.1G 1% /etc/svc/volatile
fd 0K 0K 0K 0% /dev/fd
swap 2.1G 0K 2.1G 0% /tmp
swap 2.1G 16K 2.1G 1% /var/run
zonedev/dbspfox1/biblio
293G 23K 58G 1% /zonedev/dbspfox1/biblio
zonedev/dbspfox1/biblio/P622
293G 10G 58G 16% /zonedev/dbspfox1/biblio/P622
zonedev/dbspfox1/biblio/P622/31mars
293G 47G 58G 46% /zonedev/dbspfox1/biblio/P622/31mars
zonedev/dbspfox1/biblio/P622/31mars/data
293G 34G 58G 38% /zonedev/dbspfox1/biblio/P622/31mars/data
zonedev/dbspfox1/biblio/P622/dev/data
293G 40G 58G 41% /zonedev/dbspfox1/biblio/P622/dev/data
zonedev/dbspfox1/biblio/P622/preprod
293G 13G 58G 19% /zonedev/dbspfox1/biblio/P622/preprod
zonedev/dbspfox1/biblio/P622/preprod/data
293G 40G 58G 42% /zonedev/dbspfox1/biblio/P622/preprod/data
What i missed? what happen with zfs dev directory?
thank you
Walter

Hi
I finally found the problem.
ZFS naming restrictions:
names must begin with a letter
Walter

Confused about ZFS filesystems created with Solaris 11 Zone

Hello.
Installing a blank Zone in Solaris *10* with "zonepath=/export/zones/TESTvm01" just creates one zfs filesystem:
+"zfs list+
+...+
+rzpool/export/zones/TESTvm01 4.62G 31.3G 4.62G /export/zones/TESTvm01"+
Doing the same steps with Solaris *11* will ?create? more filesystems:
+"zfs list+
+...+
+rpool/export/zones/TESTvm05 335M 156G 32K /export/zones/TESTvm05+
+rpool/export/zones/TESTvm05/rpool 335M 156G 31K /rpool+
+rpool/export/zones/TESTvm05/rpool/ROOT 335M 156G 31K legacy+
+rpool/export/zones/TESTvm05/rpool/ROOT/solaris 335M 156G 310M /export/zones/TESTvm05/root+
+rpool/export/zones/TESTvm05/rpool/ROOT/solaris/var 24.4M 156G 23.5M /export/zones/TESTvm05/root/var+
+rpool/export/zones/TESTvm05/rpool/export 62K 156G 31K /export+
+rpool/export/zones/TESTvm05/rpool/export/home 31K 156G 31K /export/home"+
I dont understand why Solaris 11 is doing that. Just one FS (like in Solaris 10) would be better for my setup. I want to configure all created volumes by myself.
Is it possible to deactivate this automatic "feature"?

There are several reasons that it works like this, all guided by the simple idea "everything in a zone should work exactly like it does in the global zone, unless that is impractical." By having this layout we get:
* The same zfs administrative practices within a zone that are found in the global zone. This allows, for example, compression, encryption, etc. of parts of the zone.
* beadm(1M) and pkg(1) are able to create boot environments within the zone, thus making it easy to keep the global zone software in sync with non-global zone software as the system is updated (equivalent of patching in Solaris 10). Note that when Solaris 11 updates the kernel, core libraries, and perhaps other things, a new boot environment is automatically created (for the global zone and each zone) and the updates are done to the new boot environment(s). Thus, you get the benefits that Live Upgrade offered without the severe headaches that sometimes come with Live Upgrade.
* The ability to have a separate /var file system. This is required by policies at some large customers, such as the US Department of Defense via the DISA STIG.
* The ability to perform a p2v of a global zone into a zone (see solaris(5) for examples) without losing the dataset hierarchy or properties (e.g. compression, etc.) set on datasets in that hierarchy.
When this dataset hierarchy is combined with the fact that the ZFS namespace is virtualized in a zone (a feature called "dataset aliasing"), you see the same hierarchy in the zone that you would see in the global zone. Thus, you don't have confusing output from df saying that / is mounted on / and such.
Because there is integration between pkg, beadm, zones, and zfs, there is no way to disable this behavior. You can remove and optionally replace /export with something else if you wish.
If your goal is to prevent zone administrators from altering the dataset hierarchy, you may be able to accomplish this with immutable zones (see zones admin guide or file-mac-profile in zonecfg(1M)). This will have other effects as well, such as making all or most of the zone unwritable. If needed, you can add fs or dataset resources which will not be subject to file-mac-profile and as such will be writable.

Slow down in zfs filesystem creation

Solaris 10 10/09 running as VM on Vmware ESX server with 7 GB RAM 1 CPU 64 bit
I wondered if anyone had seen the following issue, or indeed could see if they could replicate it -
Try creating a script that creates thousands of ZFS filesystems in one pool.
For example -
#!/usr/bin/bash
for i in {1..3000}
do
zfs create tank/users/test$i
echo "$i created"
done
I have found that after about 1000 filesystems the creation time slows down massively and it can take up to 4 seconds for,each new filesystem to create within the pool.
If I do the same for ordinary directories (mkdir) then I have no delays at all.
I was under the impression that ZFS filesystem were as easy to create as directories (folders), but this does not seem to be the case.
This sounds like it could be a bug. I have been able to replicate it several times on my system, but need others to verify this.

Might be worth raising on the open solaris forums where theres a least a chance it will be read by a ZFS developer.

If zfs manages /etc in a separate ZFS filesystem it fails to boot

In my most recent installation I wanted to keep /ect in a separed ZFS filesystem to keep it with a higher compression.
But Arch fails to boot, it seems dbus needs the /etc directory mounted before the zfs daemon actually mounts it.
Do anyone had this problem? It is possible to mount the partitions before?
Thanks
Last edited by ezzetabi (2013-02-17 15:29:23)

It happened to me ...
And he does not serve doing a RESET to her BIOS, you must take out the battery for some ten minutes, in my case, I tried with half hour and it worked.
Try with that and you tell us.

Zfs filesystem screwed up?

Hi,
I am running S10U3 (all patches applied).
Today by mistake I extracted a big (4.5G) tar archive into my home directory (on ZFS) which ran out of space and the tar command terminated with the error "Disk quota exceeded" (it should have been something like "No space left on device" ?)
I think the zfs filesystem got screwed. Now I am unable to delete any file with rm as unlink(2) fails with error 49 (EDQUOT).
I can't login because there is no space on left on /home.
I even tried to delete files as root but I still get EDQUOT.
Files can be read though.
I tried zpool scrub (not sure what that does) and it shows no errors.
zpool status shows no errors either.
I am confident that my drive is not faulty.
Restarting the system didn't help either.
I had put all my important stuff on that zfs FS thinking that it would be safe but I never expected that such a problem would ever occur.
What should I do? Any suggestions?
Is zfs completely reliable or are there any known problems?

Robert,
ZFS uses atomic operations to update filesytem metadata.This is implemented as follows. When a directory is updated a shadow copy of it and all its parents is created all the way to the root "superblock".
Then the existing superblock is swapped for the shadow superblock as an atomic operation.
A file deletion is an metadata operation like any other and requires making shadow copies
So what I think has happened is that the filesystem is so full that it can't find space to make the shadow copies to allow a delete.
Thanks for the explanation, probably that's what happened but I would consider it a very weak design if a user can cripple the FS just by filling it up.
So one way out is if you can add an extra device even a small one to the pool.That will give you enough space to delete.
Of course since you can never remove a device from a pool you'll be stuck with it.
I would have certainly liked to do this but this is just my desktop computer and I have only 1 hard disc with no extra space.
You could try asking on the opensolaris zfs forum's.They might have a special technique for dealing with it
The guys at the opensolaris forums don't like to answer Solaris problems but anyway I will give it a try.
Thankfully, I lost no data because I had backups and because the damaged ZFS was readable, so the only damage done was a loss of confidence in ZFS.

Win32 loader for Arch Linux?

Hi all,
Do you know any project like the win32 loader of Debian/Ubuntu for Arch Linux is on-going?
I am really interesting to install Arch Linux this way on my Windows laptop, than to use VMware or VirtualBox.

Pajaro wrote:what is win32 loader?
It is a program (.exe file) on Windows to let you install Debian(or Ubuntu) Linux inside Windows without modifying your disk partitions. Actually, the installed Linux image is a file on Windows filesystem, and you can boot into it via the boot menu of GRUB.
FYI:
For Ubuntu: https://wiki.ubuntu.com/install.exe/Prototype
For Debian: http://goodbye-microsoft.com/more.html

ZFS Filesystem for FUSE/Linux progressing

Similar Messages

Maybe you are looking for