
Thread: Error setting up encrypted RAID swap

  1. #1
    Join Date
    Apr 2010
    Location
    USA
    Beans
    79
    Distro
    Ubuntu 10.04 Lucid Lynx

    Error setting up encrypted RAID swap

    This is my first time attempting to do this with Linux, and I wasn't following a particular guide, just figuring it out as I go... perhaps I should have... but here's the situation. I have an old computer I use as a VMware ESXi 3.5 server. It's known working and I've been running other VMs in it for a while. I've decided I want to add an Ubuntu server to the mix, mostly as a learning experience and for possible use in a production environment later.

    I have two physical hard drives in the ESX server. Since I have no redundancy at the hardware level in this old rig, I want to set up software RAID. For learning purposes, I also would like to encrypt everything to the extent possible (I understand /boot cannot be encrypted). I've given the VM two hard drives, one stored on each physical hard drive. The first one looks like this:


    • 100MB used as RAID
    • 20.4GB used as RAID
    • 1GB used as RAID

    The second virtual drive has an identical size and layout. RAID volumes are configured as follows:


    • 100MB used as RAID1 EXT4 mounted as /boot
    • 20.4GB used as RAID1 for encryption
    • 1GB used as RAID0 for encryption

    After setting up encryption on the latter two RAID volumes, the 20.4GB is used as EXT4 and mounted as /. The last one is used as SWAP.

    As I'm leaving the partitioner during setup, I get this error:

    The attempt to mount a file system with type swap in Encrypted volume (md2_crypt) at none failed.

    You may resume partitioning from the partitioning menu.

    Do you want to resume partitioning?
    <Go Back> <Yes> <No>
    What was my mistake here?
    Last edited by Karl1982; May 3rd, 2010 at 02:53 AM. Reason: typo

  2. #2
    Join Date
    Apr 2010
    Location
    USA
    Beans
    79
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: Error setting up encrypted RAID swap

    Well, I thought I'd try simply bypassing it and hopefully it would pick up the swap area when it boots, but no such luck -- the installer won't let me continue while this error is present. My installation is on hold until I can resolve this. Any help is much appreciated.

  3. #3
    Join Date
    Apr 2010
    Location
    USA
    Beans
    79
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: Error setting up encrypted RAID swap

    I deleted the virtual disks from the ESX server and gave it new ones, started over as clean as it could possibly be, made sure the drives were set up exactly the same in every way. I'm still getting the same error.

  4. #4
    Join Date
    Apr 2010
    Location
    USA
    Beans
    79
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: Error setting up encrypted RAID swap

    Well, I finally caved. I was able to bypass the problem by setting up the third partition of each disk as an individual encrypted swap area, rather than a combined RAID0 encrypted swap area. Whether this is better or worse depends on how smart it is about I/O between disks. If it was going to split reads between the mirrors, which I was hoping it would, then it would make sense to have a striped swap area. I'm just afraid it's going to read everything from one disk of the mirror and try to do half of its swapping on the opposite disk.

    I would still like to know what I was doing wrong originally, though. Can anyone help me with this?

  5. #5
    Join Date
    Apr 2010
    Location
    USA
    Beans
    79
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: Error setting up encrypted RAID swap

    Now this is strange. After proceeding with the installation, I was prompted for settings for postfix, which I was never asked whether I wanted or not. I was never given the menu to choose components to install. After configuring postfix for local only, the installation failed.

    The failing step is: Install the base system
    Maybe I'll just forget about storage redundancy and encryption for now if no one has anything to say about this...

  6. #6
    Join Date
    Apr 2010
    Location
    USA
    Beans
    79
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: Error setting up encrypted RAID swap

    I decided to give it one more shot and have Ubuntu show me how it does guided LVM with encryption, then I copied that scheme manually, but with software RAID at the bottom. It looks like this:


    • Two hard drives, each 21.5GB. They have identical partition tables. One 256MB primary, and the remaining 21.2GB as one logical.
    • I applied software RAID-1 to both, resulting in MD0 and MD1, respectively.
    • MD0 is formatted ext2 and mounted as /boot. No further changes to MD0.
    • MD1 is configured for encryption.
    • MD1_crypt is configured for LVM, creating two volumes, 20.2GB and 1GB.
    • The 20.2GB LVM volume is formatted ext4 and mounted as /.
    • The 1GB LVM volume is used as swap.

    This is exactly how guided LVM with encryption decided to use my drive, except without the underlying software RAID. The error I got this time is:

    The attempt to mount a file system with type ext2 in RAID1 device #0 at /boot failed.

    You may resume partitioning from the partitioning menu.

    Do you want to resume partitioning? <go back|yes|no>
    It wasn't a swap space this time. I get the feeling the software RAID is what's killing it. What I intend to do now is remove one drive and let it install via guided LVM+crypto, with no redundancy... I'll report back with what happens.

  7. #7
    Join Date
    Jan 2010
    Location
    not here
    Beans
    31
    Distro
    Ubuntu Studio 10.04 Lucid Lynx

    Re: Error setting up encrypted RAID swap

    I have set up a RAID5 on 3 640GB disks for /home and /usr, plus a non-RAID 40GB SSD for /boot, /, swap, /opt, /srv, and /tmp, with LVM for each except /boot and encryption for each except /boot and /. I was like you, just started in at it without reading much, finally got it to work. Having done about 5 or 6 installs since January, I have gotten kind of good at it. Don't give up!

    (Note that the partitioner will restart in between each of these steps.)

    The order I have found to work best in the partitioner is to:
    1. Set up RAID;
    2. Set up LVM volume groups and logical volumes (it helps to name them with whatever partition you intend to use them as; e.g., name / as 'root' in the partition set up screen, name /home 'home' (without quotes of course), etc.);
    3. Select 'set up encryption volumes' (or something like that) from the partitioner menu, and encrypt the logical volumes (the encryption doesn't actually happen until after partitioning is finished - you will be prompted for passwords);
    4. Select the encrypted logical volumes and assign a file system, mount point, name, etc.

    If you designate a swap area before encrypting, you will get an error, since an unencrypted swap area might potentially allow your encrypted data to pass into the clear, which of course defeats the purpose of encryption. This is why you will not designate the swap area until step 4.

    Once you exit the partitioner and the install is complete, you will get prompts for passwords for each encrypted volume on boot up. Swap is always first, then the others will come up in no particular order, which is why Lucid's new scheme (see below) prevents using multiple passwords - unless I missed something in the documentation that would allow me to see which encrypted volume I am unlocking.

    Sure, it's kind of a pain to enter a 20+ character password eight times on start up (if you are as partition-mad as I am), but it's worth it. I mean, you're paranoid, aren't you? You don't trust other people not to try to see what's on your hard drives and then try to steal it or screw it up or whatever, right? So go for it, and think up funny answers to people who ask you why you would want to configure your system that way.

    Actually, in practice, if you have eight encrypted partitions, you will have to enter your 20+ character password more like nine or ten or eleven or even fourteen times, since for some reason volumes don't always mount the first time you enter the password. Just keep entering it until you run out of prompts. Occasionally in Karmic it would jump ahead after entering only one or two characters of the password - that volume always got another prompt.

    If you get a password wrong, the screen will freeze with a bunch of text crap (yeah, I know, "error messages") ending in 'terminated with error 1.' Translated, this means 'do a hard reboot and start over.'

    Once the volumes are unlocked and mounted, you will get your regular password prompt as usual.

    PLEASE NOTE: If you are using 10.04 Lucid Lynx, you will want to use the same password (preferably 20 characters or more) for each and every volume, since for some reason the developers changed the boot screen prompts in Lucid so that they do not tell you which volume you are unlocking. (Developers: please change this!!) (Yes, I'll find the proper thread and post my request there, but not tonight.)

    9.10 Karmic does list the UUID for each volume on the boot screen at the password prompt, which, if you name each volume the same as the partition (without the forward slash), allows you to use different passwords for each encrypted partition, providing further security but also requiring more memory from your gray matter, and perhaps less security if all that makes you think about writing down the passwords and thus opening yourself to a physical security risk that does not exist if you can remember just one password for all volumes / partitions.

    I haven't found much discussion of encrypting RAID LVM disks on the ubuntu forums - apparently, it's too much work for most people, or they just don't care, or whatever. So, cheer up - there is at least one other who is crazy like that here. And if you figure out how to do it during the Gentoo install, please let me know - I tried, and made a hash of my drives. At least ubuntu is relatively easy.
    Last edited by JayRobert; May 5th, 2010 at 08:35 AM.
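
Added example, not part of any post in this thread: post #7's point that swap has to sit on an encrypted volume can be checked on the installed system, whichever layering order (RAID -> LVM -> encryption or RAID -> encryption -> LVM) ended up working. The function names and the sample device layout below are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list swap areas that have no dm-crypt
# layer underneath. Feed it the output of:
#   lsblk -P -o KNAME,PKNAME,TYPE,FSTYPE
unencrypted_swaps() {
  awk '
    # Return the value of KEY="value" on the current line.
    function field(key,   m) {
      if (!match($0, "(^| )" key "=\"[^\"]*\"")) return ""
      m = substr($0, RSTART, RLENGTH)
      sub(/^[^"]*"/, "", m); sub(/"$/, "", m)
      return m
    }
    # A device is covered if it is a crypt mapping, or if every device it
    # is built from is covered (RAID members show up as several parents).
    function covered(k,   n, a, i) {
      if (type[k] == "crypt") return 1
      n = split(parents[k], a, " ")
      if (n == 0) return 0
      for (i = 1; i <= n; i++) if (!covered(a[i])) return 0
      return 1
    }
    {
      k = field("KNAME"); p = field("PKNAME")
      type[k] = field("TYPE"); fs[k] = field("FSTYPE")
      if (p != "") parents[k] = parents[k] " " p
    }
    END { for (k in fs) if (fs[k] == "swap" && !covered(k)) print k }
  ' | sort
}

# Constructed sample: RAID1 -> LVM -> crypt -> swap, plus one plain swap
# partition (sdc1) that should be reported.
sample_layout() {
  cat <<'EOF'
KNAME="sda1" PKNAME="sda" TYPE="part" FSTYPE="linux_raid_member"
KNAME="sdb1" PKNAME="sdb" TYPE="part" FSTYPE="linux_raid_member"
KNAME="md0" PKNAME="sda1" TYPE="raid1" FSTYPE="LVM2_member"
KNAME="md0" PKNAME="sdb1" TYPE="raid1" FSTYPE="LVM2_member"
KNAME="dm-0" PKNAME="md0" TYPE="lvm" FSTYPE="crypto_LUKS"
KNAME="dm-1" PKNAME="dm-0" TYPE="crypt" FSTYPE="swap"
KNAME="sdc1" PKNAME="sdc" TYPE="part" FSTYPE="swap"
EOF
}

sample_layout | unencrypted_swaps
```

On a live system, empty output from `lsblk -P -o KNAME,PKNAME,TYPE,FSTYPE | unencrypted_swaps` means every swap area detected has an encryption layer somewhere beneath it.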

  8. #8
    Join Date
    Apr 2010
    Location
    USA
    Beans
    79
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: Error setting up encrypted RAID swap

    Many thanks for the info. I am indeed using 10.04 LTS, I guess I forgot to mention that up front. I shall persevere. I've gotten a Windows 2003 server to boot reliably out of dynamic disks that I'd chopped up into several different flavors of software RAID, so I'm sure I can work this out eventually. I'm assuming of course this is going to be more stable than Windows.

    I didn't realize I would have to enter the password at boot. I suppose I've grown accustomed to using EFS in Windows environments. It's remarkably hassle-free. Not that I mind entering passwords... You and I have a symbiotic relationship with passwords... it's just that it may mean something different to me than it does to you. Are you familiar with VMware ESXi? (if not, you should check it out -- it's free). Since the server is virtual, the only way to access its console session is to use the VMware vSphere client to connect to the ESXi server over the network. I'm assuming of course there's no way to unlock these volumes remotely, via SSH or some other fashion. I don't actually know.

    None of that matters if uptime is good, though.

    So if I'm understanding this correctly, what you did differently was RAID -> LVM -> encryption, versus my RAID -> encryption -> LVM. I was following the partitioner's guided example, which was two partitions, one ext2 for /boot, and one crypto, which was then used for LVM and subdivided into / and swap. I'm thinking maybe the reason they did that was so entering the password once would unlock both encrypted volumes. But that doesn't seem to be working for me, so I'll try your way.

    I find it highly unlikely that incompatibility with VMware ESX is the cause of my problems, but I suppose I can't rule it out. And maybe it's a moot point -- in a production environment, I would likely have hardware RAID-5 on the ESX server anyway. This is the ESX server that sits in my computer room at home with a couple of good old 80GB PATAs.

    I do have a 10.04 LTS virtual server running at work, running Nagios on an otherwise purely Windows domain. But it doesn't contain any sensitive data, so I didn't encrypt it, and the PowerEdge T300 that's running ESX and Ubuntu has hardware RAID-5 underneath it all, so I didn't use software RAID either. I had absolutely no trouble with that installation.

    You know what, maybe I'll also try this at work on a physical box. We've got a Proliant ML350 sitting around that we virtualized a while back. It used to run our IP security cameras, but now it's not doing anything. I'll unRAID the drives and try this with software RAID on it when I have time.

  9. #9
    Join Date
    Jan 2010
    Location
    not here
    Beans
    31
    Distro
    Ubuntu Studio 10.04 Lucid Lynx

    Re: Error setting up encrypted RAID swap

    Yes, I found RAID -> LVM -> encryption -> assign mount points to work better. I didn't use the guided example; I went straight to manual. I haven't tried the guided partitioning, so I'm not sure what they suggest. I have noticed that there seems to be precious little support in the community for help with software RAID and encryption, though there is a little more support for LVM. Probably the people that know about it are super-busy with other stuff, since they have skills.

    I would have preferred to do it your way, since that would mean one or two passwords for one or two big encrypted volumes that the logical volumes sit on (I'm really not that into memorizing eleventeen passwords!), but I couldn't make it work either. I don't remember how I figured out to try it the other way; I just remember being tired and frustrated and trying one more thing, which thankfully worked.

    I am not sure whether it is possible to unlock the volumes remotely, since I haven't had a need to try it. (This is a home system, so all this exercise is really just for fun. I know, weird. Hey, I'm a geek, what'd you expect?) I did set up a virtual server on my home box (just for fun) but uninstalled it when I decided to completely abandon Windows (at home) a little while back. I will look into the VMware ESXi when I get a chance - right now I'm still fighting little annoyances with the 10.04 install, and I don't have much time or energy for tackling another virtual install at the moment.

    Let me know how it goes!

  10. #10
    Join Date
    Apr 2010
    Location
    USA
    Beans
    79
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: Error setting up encrypted RAID swap

    I failed with this setup (same error, couldn't mount the one used for /boot):


    • RAID1


    • LVM
      • 256MB ext2 /boot
      • 20.2GB crypto
        • ext4 /root

      • 1GB crypto
        • swap


    Maybe I'm going about this the wrong way. I decided to try something exceedingly simple, using only one of those three subsystems, just to see if it'd mount and install. Of the two drives, I made one large RAID1 for /, and one small RAID0 for swap. That installation appears to be proceeding just fine. Next I'll try one big RAID1 with LVM layered on top into /, /boot, and swap. We'll see if that works.

    EDIT: Also, what's up with it automatically installing postfix? Does 10.04 no longer ask you what components to install?
    Last edited by Karl1982; May 6th, 2010 at 01:47 AM.
