[clug] How to make my server robust for booting

Tony Lewis tony at lewistribe.com
Fri Sep 13 07:49:47 UTC 2019 

On 13/9/19 4:06 pm, steve jenkin wrote:
>
>
>> On 12 Sep 2019, at 10:42, Tony Lewis via linux <linux at lists.samba.org 
>> <mailto:linux at lists.samba.org>> wrote:
>>
>> Thanks for the link.  From that, it recommends making sure root is 
>> not hardcoded as /dev/hd0, which it isn't; it uses /dev/mapper/md1_crypt.
>>
>> So it looks like it should work in the real world.  I'll try it when 
>> I get that far.
>
> Tony,
>
> Did I miss that on the 1st pass - that your boot partition (md1) is 
> encrypted?
Yes
>
> I’ve never played with crypto filesystems, but they all share a common 
> boot problem - feeding in the password(s) to unlock the keys when-ever 
> they (cold) boot.
>
> Does grub (are you using v2 or v1?) support encrypted boot drives 
> without intervention?

I'm not sure, but that would undermine one of the purposes of 
encryption.  If you store the key with or near your system, then someone 
with enough nous could use that to decrypt and gain access.

I'm happy to put in the root fs password on boot, and any other 
encrypted volume has its key on the root filesystem so can be brought up 
once root is up.


>
> I’ve seen boot problems on other POSIX solutions withe RAID 1 / 
> mirroring after a disk failure:
>
>  - the bootloader comes up, finds the remaining disk, loads the RAID 
> software and then ‘fails to proceed'
>  - mirroring driver refuses to boot, because it doesn’t have a 
> ‘quorum’, defined as (N/2) + 1

RAID1 should have a quorum of 1; any one drive should be sufficient.  
However I found that it doesn't like to start degraded, which I'm not 
sure is good behaviour.  That would seem to undermine the resilience 
RAID should give me.  I could manually start the array from initramfs, 
and continue to boot, which is good enough for my use case.

To clarify, my original 'robust for booting' for me means that I can 
enter passwords and start arrays and get up and running.  For me, I 
would still call starting the RAID array from the initramfs prompt 
resilient enough.  What I didn't like was not being able to get GRUB to 
just boot from a second disk.


> In answer to the person that said, “Use a RAID Card”, I’d strongly 
> advise against that.

(snip)

Yeah I'd agree for a home or small business scenario.  Without a deep 
enough sparing strategy and the skills and support, I'm not surprised 
your client got bitten

Tony

More information about the linux mailing list