[clug] How to make my server robust for booting
Tony Lewis
tony at lewistribe.com
Fri Sep 13 07:49:47 UTC 2019
On 13/9/19 4:06 pm, steve jenkin wrote:
>
>
>> On 12 Sep 2019, at 10:42, Tony Lewis via linux <linux at lists.samba.org
>> <mailto:linux at lists.samba.org>> wrote:
>>
>> Thanks for the link. From that, it recommends making sure root is
>> not hardcoded as /dev/hd0, which it isn't; it uses /dev/mapper/md1_crypt.
>>
>> So it looks like it should work in the real world. I'll try it when
>> I get that far.
>
> Tony,
>
> Did I miss that on the 1st pass - that your boot partition (md1) is
> encrypted?
Yes
>
> I’ve never played with crypto filesystems, but they all share a common
> boot problem - feeding in the password(s) to unlock the keys when-ever
> they (cold) boot.
>
> Does grub (are you using v2 or v1?) support encrypted boot drives
> without intervention?
I'm not sure, but that would undermine one of the purposes of
encryption. If you store the key with or near your system, then someone
with enough nous could use that to decrypt and gain access.
I'm happy to put in the root fs password on boot, and any other
encrypted volume has its key on the root filesystem so can be brought up
once root is up.
>
> I’ve seen boot problems on other POSIX solutions withe RAID 1 /
> mirroring after a disk failure:
>
> - the bootloader comes up, finds the remaining disk, loads the RAID
> software and then ‘fails to proceed'
> - mirroring driver refuses to boot, because it doesn’t have a
> ‘quorum’, defined as (N/2) + 1
RAID1 should have a quorum of 1; any one drive should be sufficient.
However I found that it doesn't like to start degraded, which I'm not
sure is good behaviour. That would seem to undermine the resilience
RAID should give me. I could manually start the array from initramfs,
and continue to boot, which is good enough for my use case.
To clarify, my original 'robust for booting' for me means that I can
enter passwords and start arrays and get up and running. For me, I
would still call starting the RAID array from the initramfs prompt
resilient enough. What I didn't like was not being able to get GRUB to
just boot from a second disk.
> In answer to the person that said, “Use a RAID Card”, I’d strongly
> advise against that.
(snip)
Yeah I'd agree for a home or small business scenario. Without a deep
enough sparing strategy and the skills and support, I'm not surprised
your client got bitten
Tony
More information about the linux
mailing list