Ubuntu install RAID Encryption and LVM

Posted on December 29th, 2008

I’ve just spent 2 weeks installing Ubuntu 8.10 on my laptop, using software RAID 1 (mirroring), DM-Crypt / LUKS encrypted volumes and LVM partitions.

I only used the Alternate install CD – and I did it on a notebook without a network or other internet connection. We also only had a single 40GB HD – it was only for practice, and ideally we would do this in a server with 2 or more drives!!

— PROBLEM —

The problem was trying to layer the installation partitions in the following order:
RAID:ENCRYPTION:LVM
After all, the installer offers a guided Encrypted Volume with LVM installation – why shouldn't I try it this way round? Of course, we set an unencrypted 500MB ext3 partition for /boot.

We had a 40GB drive, so we split the remaining space into two 19GB primary partitions, and set the type as PV for RAID. We paired them into the mirror set /dev/md0. The install was happy to use the resulting /dev/md0 as PV for encryption, and accepted a password. We then set the type of the encrypted volume as PV for LVM. We assigned the 19GB PV to the Volume Group vg0, and created two logical volumes, 1GB for swap as lvswap, and used the remaining 18GB for /, as lvroot.

Installation progressed, installing packages for around 30 minutes, until it needed to reboot (note that the machine had booted from a LiveCD or LiveUSB stick image, and had dynamically mounted the RAIDed, encrypted, LVM volumes with no prior knowledge of them in any config files before the install).

At this point, I rebooted the machine, and after a while it gave up trying to mount the partitions, dropping to the BusyBox initramfs prompt.

It had mounted the RAID volume, and I could even do a cryptsetup luksOpen /dev/md0 /dev/mapper/vg0-crypt

Why wouldn't it work????

— WORKAROUND —

Well, we tried all sorts of things, generally waiting until the end of the install and pressing ALT+F2 to enter an alternative console. We figured the necessary /etc/fstab and /etc/crypttab files needed at boot time (currently located at /target/etc during the installation phase) were either missing or incorrectly set up, perhaps something to do with UUIDs for the block devices (NB not just /dev/sda, but /dev/md0 and the encrypted/LVM volume devices).

We got close. We gave up.

— SOLUTION —

In the end, we fixed it to use all three options. We even managed to mirror the /boot partition, to guard against the boot drive failing (no encryption or LVM for /boot)

Again, we kept RAID at the lowest level possible. We then divided the 19GB mirror set into two LVM physical volumes, and then applied the encryption to each of the resulting volumes.

PV0 was 1GB in size, and assigned to Volume group VG0, which contained only one logical volume, lvswap, and was encrypted with a random key, to effectively scramble the data on each reboot.

PV1 used the remaining 18GB, and was used for a single LV, to contain the ‘/’ partition. This was encrypted with a passphrase. (Don't use a random key for a partition with data you need to keep!)

Note that this is the point where you could use additional RAID / mirror sets, assigning more PVs to VGs, and creating even more LVs to contain filesystems mounted on /usr, /home and so on – but each additional mount point would need a passphrase entering to unlock the encrypted volume within, so I kept it to a simple, single ‘/’ volume.

My 40gb drive was laid out as follows:

physical block devs
/dev/sda1 – 500mb PV for RAID } as /dev/md0 {ext3}
/dev/sda2 – 500mb PV for RAID } “
/dev/sda3 – 19gb PV for RAID } as /dev/md1 {as PV for LVM}
/dev/sda4 – 19gb PV for RAID } “
(some unusable space remained)

logical block devs
-> /dev/md0 mounted on /boot – ext3
-> /dev/md1 { 1gb as LVM – PV0} assigned to {VG0} containing {LVSWAP}
-> /dev/md1 { 18gb as LVM – PV1} assigned to {VG1} containing {LVROOT}

->/dev/mapper/lvswap as PV for ENCRYPTION {*random key*} mounted as swap
->/dev/mapper/lvroot as PV for ENCRYPTION {*passphrase*} mounted on / – ext3
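
The rule above (random key for swap only, passphrase for anything you need to keep) can be checked against /etc/crypttab. This is an added example, not from the original post; the target and mapper names (cryptswap, cryptroot, vg0-lvswap, vg1-lvroot) are assumptions and the sample file is constructed.

```shell
#!/bin/sh
# crypttab fields: <target> <source device> <key file> <options>

# classify_crypttab FILE: print "<target> <class>" per entry, where class is
#   ephemeral  - random key + swap option (re-keyed and re-formatted each boot)
#   persistent - passphrase or key file (data survives a reboot)
#   DATA-LOSS  - random key without the swap option
#   MALFORMED  - fewer than three fields
classify_crypttab() {
    awk '
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        NF < 3 { print $1, "MALFORMED"; next }
        {
            random = ($3 == "/dev/urandom" || $3 == "/dev/random")
            swap   = (("," $4 ",") ~ /,swap,/)
            if (random && swap)  cls = "ephemeral"
            else if (random)     cls = "DATA-LOSS"
            else                 cls = "persistent"
            print $1, cls
        }
    ' "$1"
}

# lint_crypttab FILE: succeeds only if no entry is DATA-LOSS or MALFORMED.
lint_crypttab() {
    ! classify_crypttab "$1" | grep -Eq ' (DATA-LOSS|MALFORMED)$'
}

# Constructed sample matching the final layout (names are assumptions).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# <target>  <source device>          <key file>    <options>
cryptswap   /dev/mapper/vg0-lvswap   /dev/urandom  swap
cryptroot   /dev/mapper/vg1-lvroot   none          luks
EOF

classify_crypttab "$sample"
lint_crypttab "$sample" && echo "crypttab OK"
```

On an installed system, pass /etc/crypttab (or /target/etc/crypttab from the installer's second console) instead of the sample file.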

Reset a forgotten MySQL root password

Posted on December 29th, 2008

How to Reset a MySQL Password in 5 Easy Steps

1. Stop the mysqld daemon process.
2. Start the mysqld daemon process with the --skip-grant-tables option.
3. Start the mysql client with the -u root option.
4. Execute the UPDATE mysql.user SET Password=PASSWORD('password') WHERE User='root';
5. Execute the FLUSH PRIVILEGES; command.

I posted this because someone just asked me for help – and because I’ve done it a few times myself. 😉

Note the following:
‘&’ is used for launching as a bg process so you don’t lose the terminal while mysqld runs!
Be careful with the spelling of *PRIVILEGES* – there is no ‘D’ in it.
Use these instructions at your own risk!

On Ubuntu I might type the following commands:

$ sudo -i (enter your password)
# /etc/init.d/mysql stop
# mysqld_safe --skip-grant-tables &
# mysql -u root
mysql> UPDATE mysql.user SET Password=PASSWORD('password') WHERE User='root';
mysql> FLUSH PRIVILEGES;
mysql> quit
# /etc/init.d/mysql stop
… now try …
# /etc/init.d/mysql start &
(if it doesn't work, rebooting may get mysql back up)
$ mysql -u root -p
Enter password: (password)
mysql>

yay!!
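
While mysqld runs with --skip-grant-tables (step 2), it accepts any client without a password; starting it with --skip-networking as well limits that to local socket connections. The following added example (not part of the original post) audits a process list for that state; the sample lines, PIDs and paths are constructed.

```shell
#!/bin/sh
# audit_mysqld_cmdlines: read "PID COMMAND..." lines on stdin and report every
# mysqld / mysqld_safe process that was started with --skip-grant-tables.
#   EXPOSED - no --skip-networking: TCP clients also get in without a password
#   LOCAL   - --skip-networking present: only local socket clients can connect
audit_mysqld_cmdlines() {
    while read -r pid cmd; do
        # MySQL treats '_' and '-' in option names alike, so normalise first.
        norm=$(printf '%s' " $cmd " | tr '_' '-')
        case "$norm" in
            *mysqld*) ;;
            *) continue ;;
        esac
        case "$norm" in
            *" --skip-grant-tables "*) ;;
            *) continue ;;
        esac
        case "$norm" in
            *" --skip-networking "*) echo "$pid LOCAL" ;;
            *)                       echo "$pid EXPOSED" ;;
        esac
    done
}

# On a live host: ps -eo pid=,args= | audit_mysqld_cmdlines
# Constructed sample process list (PIDs and paths are made up):
sample_ps='2101 /bin/sh /usr/bin/mysqld_safe --skip-grant-tables
2188 /usr/sbin/mysqld --basedir=/usr --skip-grant-tables --skip-networking
2300 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql
2412 /usr/sbin/sshd -D'

printf '%s\n' "$sample_ps" | audit_mysqld_cmdlines
```

Any line reported after the reset is finished means the server was never restarted normally and is still running without its grant tables.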