
#1 2014-10-07 12:01:38

thorondir
Member
Registered: 2014-10-07
Posts: 5

[SOLVED] LVM on Luks on Raid1, remotely unlockable

Hi guys, I'm trying to encrypt a server that I don't have physical access to, and whose booting process I can't observe.

To achieve remote unlocking I'm using dropbear_initrd_encrypt, but the server never comes back online after rebooting.
I can always reboot into a minimal rescue system and chroot in, though.

So, from the top:
LVM

# lvscan
  ACTIVE            '/dev/vg0/rootvol'
  ACTIVE            '/dev/vg0/datavol'
# vgscan
  Found volume group "vg0" using metadata type lvm2
# pvscan
  PV /dev/mapper/lvmcontainer   VG vg0   lvm2 [2.73 TiB / 0    free]
  Total: 1 [2.73 TiB] / in use: 1 [2.73 TiB] / in no VG: 0 [0   ]

LUKS

# cryptsetup luksDump /dev/md1
LUKS header information for /dev/md1

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha1
Payload offset: 4096
MK bits:        512
MK digest:    <digest>
MK salt:        <salt>
MK iterations:  345000
UUID:           d363466c-bb85-44cc-b46c-c465924eb8a1

Key Slot 0: ENABLED
...
Key Slot 1: DISABLED

crypttab

# cat /etc/crypttab
lvmcontainer    /dev/md1    none    luks

RAID

# cat /etc/mdadm.conf
DEVICES /dev/[hs]d*
ARRAY /dev/md/0  metadata=1.2 UUID=86f20d2a:1fbf3b81:80b9f660:9706032d name=rescue:0
ARRAY /dev/md/1  metadata=1.2 UUID=87724cda:ec8aa873:8e1b8d7c:f0f197cf name=rescue:1

mkinitcpio.conf

# cat /etc/mkinitcpio.conf
MODULES="dm_mod dm_crypt aes_x86_64 raid1"
BINARIES=""
FILES=""
HOOKS="base udev mdadm_udev net autodetect modconf block dropbear encryptssh lvm2 filesystems keyboard fsck"

here's the relevant part from my grub.cfg:

menuentry 'Arch Linux' --class arch --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-simple-73134750-8293-45d4-95b5-cad017422d88' {
        load_video
        set gfxpayload=keep
        insmod gzio
        insmod part_gpt gpt
        insmod diskfilter mdraid1x
        insmod ext2
        set root='mduuid/86f20d2a1fbf3b8180b9f6609706032d'
        if [ x$feature_platform_search_hint = xy ]; then
          search --no-floppy --fs-uuid --set=root --hint='mduuid/86f20d2a1fbf3b8180b9f6609706032d'  c917d127-8096-44e9-8dfa-02edf0cd3681 #/dev/md0, aka /boot
        else
          search --no-floppy --fs-uuid --set=root c917d127-8096-44e9-8dfa-02edf0cd3681
        fi
        echo    'Loading Linux linux ...'
        linux   /vmlinuz-linux root=/dev/mapper/vg0-rootvol rw nomodeset ip=<server ip>::<server gw>:<netmask>:<hostname>:eth0:off:<dns1>:<dns2> cryptdevice=/dev/md1:vg0
        echo    'Loading initial ramdisk ...'
        initrd  /initramfs-linux.img
}

# ls -l /dev/disk/by-uuid/
lrwxrwxrwx 1 root root 11 Oct  7 11:00 40c4ea95-0ecc-4c51-9f3e-e49d8f62f160 -> ../../loop0
lrwxrwxrwx 1 root root 10 Oct  7 11:07 4c4cd97d-e15c-4b00-9afc-d6a9966f2119 -> ../../dm-2
lrwxrwxrwx 1 root root 10 Oct  7 11:07 73134750-8293-45d4-95b5-cad017422d88 -> ../../dm-1
lrwxrwxrwx 1 root root  9 Oct  7 11:00 c917d127-8096-44e9-8dfa-02edf0cd3681 -> ../../md0
lrwxrwxrwx 1 root root  9 Oct  7 11:07 d363466c-bb85-44cc-b46c-c465924eb8a1 -> ../../md1
# cat /etc/default/grub
GRUB_DEFAULT=0
GRUB_TIMEOUT=0
GRUB_DISTRIBUTOR="Arch"
GRUB_CMDLINE_LINUX_DEFAULT="nomodeset ip=<server ip>::<server gw>:<netmask>:<hostname>:eth0:off:<dns1>:<dns2> cryptdevice=/dev/md1:vg0"
GRUB_CMDLINE_LINUX=""

# Preload both GPT and MBR modules so that they are not missed
GRUB_PRELOAD_MODULES="part_gpt part_msdos"

GRUB_TERMINAL_INPUT=console
GRUB_TERMINAL_OUTPUT=console
GRUB_GFXMODE=auto
GRUB_GFXPAYLOAD_LINUX=keep
GRUB_DISABLE_RECOVERY=true

In the end I installed grub on both HDDs:

# grub-install /dev/sda
# grub-install /dev/sdb

as this guide suggested.

So what am I missing?
Thanks in advance.


PS: if it's of any interest, I took some inspiration from here, here, and here.

Last edited by thorondir (2014-10-08 14:26:54)


#2 2014-10-07 14:11:10

acothi
Member
Registered: 2014-10-06
Posts: 5

Re: [SOLVED] LVM on Luks on Raid1, remotely unlockable

Have you tried putting the dropbear and encryptssh hooks between modconf and block? That may help. That's what it says in the guide.

Also, having the crypt device https://wiki.archlinux.org/index.php/Dm … oot_loader declared in the boot loader, as well as a static IP address in the boot loader, could help.


https://wiki.archlinux.org/index.php/Mk … #Using_net (mkinitcpio using the net hook)


https://www.kernel.org/doc/Documentatio … fsroot.txt (some other possibly useful material)

Last edited by acothi (2014-10-07 14:33:33)


#3 2014-10-07 16:59:36

thorondir
Member
Registered: 2014-10-07
Posts: 5

Re: [SOLVED] LVM on Luks on Raid1, remotely unlockable

Hi acothi, thanks for your reply.

acothi wrote:

Have you tried putting dropbear encryptssh hooks between modconf and block

Yes, I tried that, and a bunch of other combinations that seemed to make sense, but it didn't work either. This is simply the last iteration of the config, which doesn't work. I've been trying for the past few days and just can't seem to get it right.

both a static IP and the cryptdevice are present in grub.cfg:

linux   /vmlinuz-linux root=/dev/mapper/vg0-rootvol rw nomodeset ip=<server ip>::<server gw>:<netmask>:<hostname>:eth0:off:<dns1>:<dns2> cryptdevice=/dev/md1:vg0

I read the wiki entry about the net hook in mkinitcpio, but according to that, grub.cfg is fine.

The only thing that might still mess it up is that the kernel doesn't have nfsroot enabled, which seems highly unlikely due to the fact that it's a mainline kernel. I didn't compile it myself.
Nevertheless, extract_ikconfig.sh to the rescue:

CONFIG_NETWORK_FILESYSTEMS=y
CONFIG_NFS_FS=m
CONFIG_NFS_V2=m
CONFIG_NFS_V3=m
CONFIG_NFS_V3_ACL=y
CONFIG_NFS_V4=m
CONFIG_NFS_SWAP=y
CONFIG_NFS_V4_1=y
CONFIG_NFS_V4_2=y
CONFIG_PNFS_FILE_LAYOUT=m
CONFIG_PNFS_BLOCK=m
CONFIG_PNFS_OBJLAYOUT=m
CONFIG_NFS_V4_1_IMPLEMENTATION_ID_DOMAIN="kernel.org"
CONFIG_NFS_V4_1_MIGRATION=y
CONFIG_NFS_V4_SECURITY_LABEL=y
CONFIG_NFS_FSCACHE=y
# CONFIG_NFS_USE_LEGACY_DNS is not set
CONFIG_NFS_USE_KERNEL_DNS=y
CONFIG_NFS_DEBUG=y
CONFIG_NFSD=m
CONFIG_NFSD_V2_ACL=y
CONFIG_NFSD_V3=y
CONFIG_NFSD_V3_ACL=y
CONFIG_NFSD_V4=y
CONFIG_NFSD_V4_SECURITY_LABEL=y
# CONFIG_NFSD_FAULT_INJECTION is not set
CONFIG_LOCKD=m
CONFIG_LOCKD_V4=y
CONFIG_NFS_ACL_SUPPORT=m
CONFIG_NFS_COMMON=y

So I should be all set on that end.

According to all the documentation i was able to find, this should work...


#4 2014-10-08 14:26:27

thorondir
Member
Registered: 2014-10-07
Posts: 5

Re: [SOLVED] LVM on Luks on Raid1, remotely unlockable

I'm not satisfied with how, but I got it to work:
Instead of specifying a static IP address I simply specified

ip=dhcp

It doesn't tell me why the other config didn't, but it does work now.


#5 2014-10-08 21:38:31

Strike0
Member
From: Germany
Registered: 2011-09-05
Posts: 1,489

Re: [SOLVED] LVM on Luks on Raid1, remotely unlockable

thorondir wrote:
linux   /vmlinuz-linux root=/dev/mapper/vg0-rootvol rw nomodeset ip=<server ip>::<server gw>:<netmask>:<hostname>:eth0:off:<dns1>:<dns2> cryptdevice=/dev/md1:vg0

You have a double colon "::" after the server IP; maybe that messed something up.


#6 2014-10-08 22:42:23

thorondir
Member
Registered: 2014-10-07
Posts: 5

Re: [SOLVED] LVM on Luks on Raid1, remotely unlockable

Strike0 wrote:

You have a double colon "::" after the server IP; maybe that messed something up.

That's supposed to be there. It's there to delimit the IP of the NFS server that holds your root partition [if that's your setup, anyway].

Last edited by thorondir (2014-10-08 22:42:58)


#7 2014-10-09 07:14:48

Strike0
Member
From: Germany
Registered: 2011-09-05
Posts: 1,489

Re: [SOLVED] LVM on Luks on Raid1, remotely unlockable

thorondir wrote:
Strike0 wrote:

You have a double colon "::" after the server IP; maybe that messed something up.

That's supposed to be there. It's there to delimit the IP of the NFS server that holds your root partition [if that's your setup, anyway].

Ok, well, I have never done such, but why do you omit <client IP> at the beginning?

Doing so makes your <server-ip> the client, and the second parameter (<server-ip>) is empty:

https://www.kernel.org/doc/Documentation/filesystems/nfs/nfsroot.txt wrote:

<server-ip>    ...     Only required for NFS root. That is autoconfiguration
        will not be triggered if it is missing and NFS root is not
        in operation.

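As an added check that is not part of the thread, the parser below splits an ip= value by the field order quoted from nfsroot.txt in the posts above, so you can see which field an empty "::" slot leaves blank before rebooting a box whose console you cannot watch; the addresses and hostname in it are constructed placeholders.

```python
"""Sanity-check a kernel ``ip=`` boot parameter before rebooting a headless box.

Added example, not code from the forum thread. It applies the field order
from Documentation/filesystems/nfs/nfsroot.txt:
  <client-ip>:<server-ip>:<gw-ip>:<netmask>:<hostname>:<device>:<autoconf>:<dns0-ip>:<dns1-ip>
Note that <server-ip> is the NFS server, not the machine being booted, so an
empty second field ("::") is legitimate for a LUKS-on-local-disk root.
"""
import ipaddress

FIELDS = ("client-ip", "server-ip", "gw-ip", "netmask", "hostname",
          "device", "autoconf", "dns0-ip", "dns1-ip")
AUTOCONF = {"off", "none", "on", "any", "dhcp", "bootp", "rarp", "both"}
IP_FIELDS = {"client-ip", "server-ip", "gw-ip", "netmask", "dns0-ip", "dns1-ip"}


def parse_ip_param(value):
    """Return {field: value} for the text after ``ip=``; raise ValueError if malformed.

    A bare autoconf keyword such as ``ip=dhcp`` yields {"autoconf": "dhcp"}.
    Unfilled placeholders like "<server ip>" fail the address check on purpose.
    """
    if ":" not in value:
        if value not in AUTOCONF:
            raise ValueError("unknown autoconf keyword: %r" % value)
        return {"autoconf": value}
    parts = value.split(":")
    if len(parts) > len(FIELDS):
        raise ValueError("too many fields: %d (max %d)" % (len(parts), len(FIELDS)))
    parsed = dict(zip(FIELDS, parts))
    for name, val in parsed.items():
        if not val:
            continue  # empty fields are allowed; the kernel uses defaults
        if name in IP_FIELDS:
            ipaddress.ip_address(val)  # raises ValueError on non-addresses
        elif name == "autoconf" and val not in AUTOCONF:
            raise ValueError("bad autoconf value: %r" % val)
    return parsed


def check_static_config(parsed):
    """Return problems for a static setup: autoconf off/none needs a client-ip."""
    problems = []
    if parsed.get("autoconf") in ("off", "none") and not parsed.get("client-ip"):
        problems.append("static config but client-ip is empty")
    return problems


if __name__ == "__main__":
    # Constructed sample mirroring the thread's layout, with the NFS field empty.
    sample = "192.0.2.10::192.0.2.1:255.255.255.0:myhost:eth0:off:192.0.2.53:192.0.2.54"
    for field, val in parse_ip_param(sample).items():
        print("%-10s %s" % (field, val or "(empty)"))
```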
