Ezjail host: Difference between revisions

No edit summary
Line 79: Line 79:
== Encrypted zvol ==
== Encrypted zvol ==
<pre>
<pre>
[tykling@latency ~]$ zfs list
[root@ ~]# zfs list
NAME               USED  AVAIL  REFER  MOUNTPOINT
NAME            USED  AVAIL  REFER  MOUNTPOINT
zfstank           1.41G 72.9G   21K  none
tank            359M  2.68T    21K  none
zfstank/root     1.41G 72.9G 1.32G /
tank/root      359M  2.68T  84.8M  /
zfstank/root/tmp    35K 72.9G   35K /tmp
tank/root/tmp    28K  2.68T    28K  /tmp
zfstank/root/var 94.4M 72.9G 94.4M /var
tank/root/usr  274M  2.68T  274M  /usr
tank/root/var  412K  2.68T  412K  /var
[root@ ~]# zfs create -V 2640G tank/gelizvol
[root@ ~]# zfs list
NAME           USED  AVAIL  REFER  MOUNTPOINT
tank           2.66T 17.0G   21K  none
tank/gelizvol  2.66T  2.68T    16K  -
tank/root       359M 17.0G 84.8M /
tank/root/tmp    28K 17.0G   28K /tmp
tank/root/usr  274M 17.0G  274M /usr
tank/root/var  412K 17.0G  412K /var
[root@ ~]#


[tykling@latency ~]$ sudo zfs create -V 65G zfstank/encrypted
[root@ ~]# ls -l /dev/zvol/tank/gelizvol   
crw-r-----  1 root  operator    0, 124 May 24 13:10 /dev/zvol/tank/gelizvol
[root@ ~]#
</pre>


[tykling@latency ~]$ zfs list
Now create a key from <code>/dev/random</code> and initialize the geli provider:
NAME                USED  AVAIL  REFER  MOUNTPOINT
<pre>
zfstank            66.4G  7.89G    21K  none
[root@ ~]# dd if=/dev/random of=/root/encrypted.key bs=64 count=1
zfstank/encrypted   65G  72.9G    16K -
1+0 records in
zfstank/root       1.43G 7.89G 1.34G  /
1+0 records out
zfstank/root/tmp    35K  7.89G    35K  /tmp
64 bytes transferred in 0.000031 secs (2064888 bytes/sec)
zfstank/root/var  95.2M  7.89G  95.2M  /var
[root@ ~]# ls -l /root/encrypted.key
-rw-r--r-- 1 root  wheel 64 May 24 13:14 /root/encrypted.key
[root@ ~]# geli init -s 512 -K /root/encrypted.key /dev/zvol/tank/gelizvol
Enter new passphrase:
Reenter new passphrase:


[tykling@latency ~]$ ls -l /dev/zvol/zfstank/encrypted
Metadata backup can be found in /var/backups/zvol_tank_gelizvol.eli and
crw-r-----  1 root  operator    0,  81 Dec  8 19:42 /dev/zvol/zfstank/encrypted
can be restored with the following command:


[tykling@latency ~]$ sudo geli init -s 4096 -K /root/encrypted.key /dev/zvol/zfstank/encrypted
        # geli restore /var/backups/zvol_tank_gelizvol.eli /dev/zvol/tank/gelizvol
Enter new passphrase:
Reenter new passphrase:


[tykling@latency ~]$ sudo geli attach -k /root/encrypted.key /dev/zvol/zfstank/encrypted
[root@ ~]#
Enter passphrase:
</pre>


[tykling@latency ~]$ sudo zpool create cryptopool /dev/zvol/zfstank/encrypted.eli
Next is to attach the newly created geli provider:
<pre>


[tykling@latency ~]$ sudo zpool list
[root@ ~]# geli attach -k /root/encrypted.key /dev/zvol/tank/gelizvol   
NAME        SIZE  USED  AVAIL    CAP  HEALTH  ALTROOT
Enter passphrase:
cryptopool 64.5G  572K 64.5G    0%  ONLINE  -
[root@ ~]# ls -l /dev/zvol/tank/           
zfstank    75.5G 1.73G 73.8G    2%  ONLINE  -
total 0
crw-r----- 1 root operator    0, 124 May 24 13:20 gelizvol
crw-r-----  1 root operator    0, 127 May 24 13:22 gelizvol.eli
[root@ ~]#
</pre>


[tykling@latency ~]$ zpool status cryptopool
Now to create the zpool on top of the unlocked geli provider:
<pre>
[root@ ~]# zpool create cryptopool /dev/zvol/tank/gelizvol.eli
[root@ ~]# zpool list
NAME        SIZE  ALLOC  FREE    CAP  DEDUP  HEALTH  ALTROOT
cryptopool  2.56T  108K  2.56T    0%  1.00x  ONLINE  -
tank        2.72T  363M  2.72T    0%  1.00x  ONLINE  -
[root@ ~]# zpool status cryptopool
   pool: cryptopool
   pool: cryptopool
  state: ONLINE
  state: ONLINE
  scrub: none requested
  scan: none requested
config:
config:


         NAME                         STATE    READ WRITE CKSUM
         NAME                     STATE    READ WRITE CKSUM
         cryptopool                   ONLINE      0    0    0
         cryptopool               ONLINE      0    0    0
           zvol/zfstank/encrypted.eli  ONLINE      0    0    0
           zvol/tank/gelizvol.eli  ONLINE      0    0    0


errors: No known data errors
errors: No known data errors
[tykling@latency ~]$
[root@ ~]#
</pre>


[tykling@latency ~]$ zfs list
The last remaining thing is to create a filesystem in the new zfs pool:
NAME               USED  AVAIL  REFER  MOUNTPOINT
<pre>
cryptopool         352K 63.5G  112K /cryptopool
[root@ ~]# zfs list
zfstank            66.9G 7.45G   21K  none
NAME           USED  AVAIL  REFER  MOUNTPOINT
zfstank/encrypted    65G 72.5G    32K -
cryptopool       91K 2.52T    31K /cryptopool
zfstank/root      1.87G 7.45G 1.78G /
tank          2.66T 17.0G   21K  none
zfstank/root/tmp     35K 7.45G   35K /tmp
tank/gelizvol  2.66T  2.68T 1.16M -
zfstank/root/var   95.3M 7.45G 95.3M /var
tank/root      359M 17.0G 84.8M /
 
tank/root/tmp   28K 17.0G   28K /tmp
[tykling@latency ~]$ sudo zfs set mountpoint=none cryptopool
tank/root/usr   274M  17.0G  274M /usr
 
tank/root/var  419K 17.0G  419K /var
[tykling@latency ~]$ sudo zfs create -o compression=gzip -o mountpoint=/usr/jails cryptopool/jails
[root@ ~]# zfs set mountpoint=none cryptopool
 
[root@ ~]# zfs create -o compression=gzip -o mountpoint=/usr/jails cryptopool/jails
[tykling@latency ~]$ zfs list
[root@ ~]# zfs list
NAME               USED  AVAIL  REFER  MOUNTPOINT
NAME               USED  AVAIL  REFER  MOUNTPOINT
cryptopool         536K 63.5G  112K none
cryptopool         149K 2.52T    31K none
cryptopool/jails    112K 63.5G  112K /usr/jails
cryptopool/jails    31K 2.52T    31K /usr/jails
zfstank            66.9G 7.44G   21K  none
tank              2.66T 17.0G   21K  none
zfstank/encrypted    65G 72.4G 2.17M -
tank/gelizvol    2.66T 2.68T 1.33M -
zfstank/root       1.88G 7.44G 1.79G /
tank/root         359M 17.0G 84.8M /
zfstank/root/tmp     35K 7.44G   35K /tmp
tank/root/tmp       28K 17.0G   28K /tmp
zfstank/root/var  95.3M 7.44G  95.3M /var
tank/root/usr      274M 17.0G  274M /usr
[tykling@latency ~]$
[root@ ~]#
</pre>
</pre>

Revision as of 13:28, 24 May 2012

Basic install with mfsbsd

After receiving the server from Hetzner I boot it using the rescue system, which puts me at an mfsbsd prompt. I then edit the zfsinstall script /root/bin/zfsinstall and add "usr" to FS_LIST near the top of the script. I do this because I like to have /usr as a separate ZFS dataset.

I then run the zfsinstall script like below. I am going to export the majority of the available diskspace as a ZVOL which will be used for a GELI device with another zfs pool on top. This pool will house the actual jails and data.

Note that the disks are new-ish (Power_On_Hours is 73 on both drives according to smartctl, which the mfsbsd author has been clever enough to include in mfsbsd), but I still found an existing MBR partition table that needed to be deleted first. This can be done with the destroygeom command, as shown below:

[root@rescue ~]# zfsinstall -d ad4 -d ad6 -r mirror -s 5G -t /nfs/mfsbsd/9.0-amd64-zfs.tar.xz
Error: /dev/ad4 already contains a partition table.

=>        63  5860533105  ad4  MBR  (2.7T)
          63  5860533105       - free -  (2.7T)

You may erase the partition table manually with the destroygeom command
[root@rescue ~]# destroygeom
Usage: /root/bin/destroygeom [-h] -d geom [-d geom ...] [-p zpool ...]
[root@rescue ~]# destroygeom -d ad4 -d ad6
Destroying geom ad4:
Destroying geom ad6:
[root@rescue ~]# zfsinstall -d ad4 -d ad6 -r mirror -s 5G -t /nfs/mfsbsd/9.0-amd64-zfs.tar.xz
Creating GUID partitions on ad4 ... done
Configuring ZFS bootcode on ad4 ... done
=>        34  5860533101  ad4  GPT  (2.7T)
          34        2014       - free -  (1.0M)
        2048         128    1  freebsd-boot  (64K)
        2176    10485760    2  freebsd-swap  (5.0G)
    10487936  5850045199    3  freebsd-zfs  (2.7T)

Creating GUID partitions on ad6 ... done
Configuring ZFS bootcode on ad6 ... done
=>        34  5860533101  ad6  GPT  (2.7T)
          34        2014       - free -  (1.0M)
        2048         128    1  freebsd-boot  (64K)
        2176    10485760    2  freebsd-swap  (5.0G)
    10487936  5850045199    3  freebsd-zfs  (2.7T)

Creating ZFS pool tank on ad4p3 ad6p3 ... done
Creating tank root partition: ... done
Creating tank partitions: var tmp usr ... done
Setting bootfs for tank to tank/root ... done
NAME            USED  AVAIL  REFER  MOUNTPOINT
tank            210K  2.68T    21K  none
tank/root        88K  2.68T    25K  /mnt
tank/root/tmp    21K  2.68T    21K  /mnt/tmp
tank/root/usr    21K  2.68T    21K  /mnt/usr
tank/root/var    21K  2.68T    21K  /mnt/var
Extracting FreeBSD distribution ... done
Writing /boot/loader.conf... done
Writing /etc/fstab...Writing /etc/rc.conf... done
Copying /boot/zfs/zpool.cache ... done

Installation complete.
The system will boot from ZFS with clean install on next reboot

You may type "chroot /mnt" and make any adjustments you need.
For example, change the root password or edit/create /etc/rc.conf for
for system services. 

WARNING - Don't export ZFS pool "tank"!
[root@rescue] ~

Post install configuration (before reboot)

Before rebooting into the installed FreeBSD I need to make certain I can reach the server through SSH after the reboot. This means adding network settings to /etc/rc.conf along with sshd_enable="YES". I also change PermitRootLogin to yes in /etc/ssh/sshd_config (this is only because no other account exists yet; it can be reverted once a regular user account is in place). Finally I set the root password. All of these steps are essential if I am going to have any chance of logging in after the reboot. Most of these changes can be done from the mfsbsd shell, but the password change requires a chroot into the newly installed environment.

I use the chroot command but start a different shell (csh), since bash is not installed in /mnt:

[root@rescue ~]# chroot /mnt/ csh
rescue# ee /etc/rc.conf
rescue# ee /etc/ssh/sshd_config
rescue# passwd
New Password:
Retype New Password:
rescue#

So, the network settings are sorted, root password is set, and root is permitted to ssh in. Time to reboot (this is the exciting part).

Encrypted zvol

[root@ ~]# zfs list
NAME            USED  AVAIL  REFER  MOUNTPOINT
tank            359M  2.68T    21K  none
tank/root       359M  2.68T  84.8M  /
tank/root/tmp    28K  2.68T    28K  /tmp
tank/root/usr   274M  2.68T   274M  /usr
tank/root/var   412K  2.68T   412K  /var
[root@ ~]# zfs create -V 2640G tank/gelizvol 
[root@ ~]# zfs list
NAME            USED  AVAIL  REFER  MOUNTPOINT
tank           2.66T  17.0G    21K  none
tank/gelizvol  2.66T  2.68T    16K  -
tank/root       359M  17.0G  84.8M  /
tank/root/tmp    28K  17.0G    28K  /tmp
tank/root/usr   274M  17.0G   274M  /usr
tank/root/var   412K  17.0G   412K  /var
[root@ ~]# 

[root@ ~]# ls -l /dev/zvol/tank/gelizvol    
crw-r-----  1 root  operator    0, 124 May 24 13:10 /dev/zvol/tank/gelizvol
[root@ ~]# 

Now create a key from /dev/random and initialize the geli provider (note that the listing below shows the key file created with mode -rw-r--r--, i.e. readable by every local user; it should be restricted with chmod 600 before relying on it):

[root@ ~]# dd if=/dev/random of=/root/encrypted.key bs=64 count=1 
1+0 records in
1+0 records out
64 bytes transferred in 0.000031 secs (2064888 bytes/sec)
[root@ ~]# ls -l /root/encrypted.key 
-rw-r--r--  1 root  wheel  64 May 24 13:14 /root/encrypted.key
[root@ ~]# geli init -s 512 -K /root/encrypted.key /dev/zvol/tank/gelizvol 
Enter new passphrase:
Reenter new passphrase: 

Metadata backup can be found in /var/backups/zvol_tank_gelizvol.eli and
can be restored with the following command:

        # geli restore /var/backups/zvol_tank_gelizvol.eli /dev/zvol/tank/gelizvol

[root@ ~]# 

Next, attach the newly created geli provider:


[root@ ~]# geli attach -k /root/encrypted.key /dev/zvol/tank/gelizvol    
Enter passphrase:
[root@ ~]# ls -l /dev/zvol/tank/             
total 0
crw-r-----  1 root  operator    0, 124 May 24 13:20 gelizvol
crw-r-----  1 root  operator    0, 127 May 24 13:22 gelizvol.eli
[root@ ~]# 

Now create the zpool on top of the unlocked geli provider:

[root@ ~]# zpool create cryptopool /dev/zvol/tank/gelizvol.eli 
[root@ ~]# zpool list
NAME         SIZE  ALLOC   FREE    CAP  DEDUP  HEALTH  ALTROOT
cryptopool  2.56T   108K  2.56T     0%  1.00x  ONLINE  -
tank        2.72T   363M  2.72T     0%  1.00x  ONLINE  -
[root@ ~]# zpool status cryptopool
  pool: cryptopool
 state: ONLINE
 scan: none requested
config:

        NAME                      STATE     READ WRITE CKSUM
        cryptopool                ONLINE       0     0     0
          zvol/tank/gelizvol.eli  ONLINE       0     0     0

errors: No known data errors
[root@ ~]# 

The last remaining step is to create a filesystem in the new ZFS pool:

[root@ ~]# zfs list
NAME            USED  AVAIL  REFER  MOUNTPOINT
cryptopool       91K  2.52T    31K  /cryptopool
tank           2.66T  17.0G    21K  none
tank/gelizvol  2.66T  2.68T  1.16M  -
tank/root       359M  17.0G  84.8M  /
tank/root/tmp    28K  17.0G    28K  /tmp
tank/root/usr   274M  17.0G   274M  /usr
tank/root/var   419K  17.0G   419K  /var
[root@ ~]# zfs set mountpoint=none cryptopool
[root@ ~]# zfs create -o compression=gzip -o mountpoint=/usr/jails cryptopool/jails
[root@ ~]# zfs list
NAME               USED  AVAIL  REFER  MOUNTPOINT
cryptopool         149K  2.52T    31K  none
cryptopool/jails    31K  2.52T    31K  /usr/jails
tank              2.66T  17.0G    21K  none
tank/gelizvol     2.66T  2.68T  1.33M  -
tank/root          359M  17.0G  84.8M  /
tank/root/tmp       28K  17.0G    28K  /tmp
tank/root/usr      274M  17.0G   274M  /usr
[root@ ~]#