From 35013dbf153a59bfe845d087942a366e9fd9a801 Mon Sep 17 00:00:00 2001 From: Andy Weidenbaum Date: Tue, 25 Dec 2018 17:21:46 +1300 Subject: [PATCH] implement nilfs+lvm partitioning - mark void-live-x86_64-musl-20181111.iso as failing - root NILFS2 filesystem is mounted read-only for unknown reasons - behavior appeared twice in a row on fresh installs - may have something to do with `libmount` - see: https://github.com/nilfs-dev/nilfs-utils/issues/12 - implement customizable pool names - LVM volume group name = "pool name" - add `PoolName` type - validated against `man 8 lvm` naming rules - most of them, anyway - we do not validate dynamically against existing entries in `/dev/` - add pool name var to examples - add crude warning about naming rules for pool - as opposed to ensuring `$vault-name` and `$pool-name` are unique - which wouldn't ensure `$pool-name` is unique in `/dev/` anyway - we forego an incomplete solution for a crude non-solution and trust the user - simplifies it quite a bit - use `/dev/$pool-name/$lv`, not `/dev/mapper/$pool-name-$lv` - as recommended by `man 8 lvm` line 162: - Links or nodes in /dev/mapper are intended only for internal use and the precise format and escaping might change between releases and distributions - Other software and scripts should use the /dev/VolumeGroupName/LogicalVolumeName format to reduce the chance of needing amendment when the software is updated - configure nilfs_cleanerd to reduce overhead - credit: [xte on HN](https://news.ycombinator.com/item?id=18754205) - xte's posts were the impetus for experimenting with nilfs - fix scripts/* for nilfs+lvm - translate btrfs-administration.md to NILFS+LVM - rm doc/guides/btrfs-administration.md - set GRUB_PRELOAD_MODULES=lvm in /etc/default/grub - doesn't appear to make any difference, but done out of thoroughness - lvcreate with mainly absolute --size values - set minimum size of lv to 200M - nilfs has minimum size of 134217728 bytes --- README.md | 73 ++-- bin/voidvault | 66 +-- doc/guides/btrfs-administration.md | 180 -------- doc/guides/nilfs-lvm-administration.md | 135 ++++++ examples/new-from-cli-passhash.sh | 1 + examples/new-from-cli.sh | 1 + examples/new-from-env-vars-passhash.sh | 1 + examples/new-from-env-vars.sh | 1 + lib/Voidvault.pm6 | 1 + lib/Voidvault/Bootstrap.pm6 | 577 ++++++++++++++++++------- lib/Voidvault/Config.pm6 | 40 ++ lib/Voidvault/Grammar.pm6 | 15 + lib/Voidvault/Types.pm6 | 6 + lib/Voidvault/Utils.pm6 | 85 ---- scripts/mount-system.sh | 55 ++- scripts/umount-system.sh | 14 +- 16 files changed, 714 insertions(+), 537 deletions(-) delete mode 100644 doc/guides/btrfs-administration.md create mode 100644 doc/guides/nilfs-lvm-administration.md diff --git a/README.md b/README.md index a128328b..16a43407 100644 --- a/README.md +++ b/README.md @@ -3,9 +3,9 @@ Voidvault Last tested | ISO | Result ----------- | --------------------------------------------------------------- | ------ -2021-11-08 | [void-live-x86_64-20210930.iso][void-live-iso-x86_64-glibc] | PASS -2021-11-08 | [void-live-x86_64-musl-20210930.iso][void-live-iso-x86_64-musl] | PASS -2021-11-08 | [void-live-i686-20210930.iso][void-live-iso-i686-glibc] | PASS +2020-09-07 | [void-live-x86_64-20191109.iso][void-live-iso-x86_64-glibc] | PASS +2020-09-07 | [void-live-x86_64-musl-20191109.iso][void-live-iso-x86_64-musl] | FAIL +2020-09-07 | [void-live-i686-20191109.iso][void-live-iso-i686-glibc] | PASS Bootstrap Void with FDE @@ -16,7 +16,7 @@ Description ### Overview -Voidvault bootstraps Void with whole system Btrfs on LUKS. +Voidvault bootstraps Void with whole system NILFS+LVM on LUKS. Voidvault works on Void with Intel or AMD x86 CPU. It assumes you are comfortable working on the cmdline, and that you have no need for booting @@ -27,7 +27,7 @@ could cause catastrophic data loss and system instability. ### Features -- whole system Btrfs on LUKS, including encrypted `/boot` +- whole system [NILFS][NILFS]+LVM on LUKS, including encrypted `/boot` - [runit][runit] PID 1 - [GPT][GPT] partitioning - no swap partition, uses [zram][zram] via [zramen][zramen] @@ -70,6 +70,7 @@ could cause catastrophic data loss and system instability. - uses mq-deadline I/O scheduler for SSDs, BFQ for HDDs (see: [resources/etc/udev/rules.d/60-io-schedulers.rules](resources/etc/udev/rules.d/60-io-schedulers.rules)) - enables runit service for dnscrypt-proxy, nftables and socklog +- configures [nilfs_cleanerd][nilfs_cleanerd] to reduce overhead - configures [Xorg][Xorg], but does not install any Xorg packages (see: [resources/etc/X11](resources/etc/X11)) - optionally disables IPv6, and makes IPv4-only adjustments to dhcpcd, @@ -79,27 +80,23 @@ could cause catastrophic data loss and system instability. - `/dev/sdX1` is the BIOS boot sector (size: 2MB) - `/dev/sdX2` is the EFI system partition (size: [550MB][550MB]) -- `/dev/sdX3` is the root Btrfs filesystem on LUKS (size: remainder) - -Voidvault creates the following Btrfs subvolumes with a [flat layout][flat -layout]: - -Subvolume name | Mounting point ---- | --- -`@` | `/` -`@home` | `/home` -`@opt` | `/opt` -`@srv` | `/srv` -`@var` | `/var` -`@var-cache-xbps` | `/var/cache/xbps` -`@var-lib-ex` | `/var/lib/ex` -`@var-log` | `/var/log` -`@var-opt` | `/var/opt` -`@var-spool` | `/var/spool` -`@var-tmp` | `/var/tmp` - -Voidvault [disables Btrfs CoW][disables Btrfs CoW] on `/srv`, -`/var/lib/ex`, `/var/log`, `/var/spool` and `/var/tmp`. +- `/dev/sdX3` is the root NILFS+LVM filesystem on LUKS (size: remainder) + +Voidvault creates the following LVM logical volumes: + +Logical Volume name | Mounting point | Sizing +--- | --- | --- +`root` | `/` | `8G` +`opt` | `/opt` | `200M` +`srv` | `/srv` | `200M` +`var` | `/var` | `1G` +`var-cache-xbps` | `/var/cache/xbps` | `2G` +`var-lib-ex` | `/var/lib/ex` | `200M` +`var-log` | `/var/log` | `200M` +`var-opt` | `/var/opt` | `200M` +`var-spool` | `/var/spool` | `200M` +`var-tmp` | `/var/tmp` | `800M` +`home` | `/home` | `100%FREE` Voidvault mounts directories `/srv`, `/tmp`, `/var/lib/ex`, `/var/log`, `/var/spool` and `/var/tmp` with options `nodev,noexec,nosuid`. @@ -145,6 +142,7 @@ VOIDVAULT_ROOT_PASS="your root password" VOIDVAULT_ROOT_PASS_HASH='$6$rounds=700000$xDn3UJKNvfOxJ1Ds$YEaaBAvQQgVdtV7jFfVnwmh57Do1awMh8vTBtI1higrZMAXUisX2XKuYbdTcxgQMleWZvK3zkSJQ4F3Jyd5Ln1' VOIDVAULT_VAULT_NAME="vault" VOIDVAULT_VAULT_PASS="your LUKS encrypted volume's password" +VOIDVAULT_POOL_NAME="vg0" VOIDVAULT_HOSTNAME="vault" VOIDVAULT_PARTITION="/dev/sdb" VOIDVAULT_PROCESSOR="other" @@ -173,6 +171,7 @@ voidvault --admin-name="live" \ --root-pass="your root password" \ --vault-name="vault" \ --vault-pass="your LUKS encrypted volume's password" \ + --pool-name="vg0" \ --hostname="vault" \ --partition="/dev/sdb" \ --processor="other" \ @@ -242,14 +241,6 @@ voidvault ls partitions voidvault ls timezones ``` -### `voidvault disable-cow` - -Disable the Copy-on-Write attribute for Btrfs directories. - -```sh -voidvault -r disable-cow dest/ -``` - Installation ------------ @@ -262,7 +253,6 @@ Dependencies Name | Provides | Included in Void ISO¹? --- | --- | --- -btrfs-progs | Btrfs support | Y coreutils | `chmod`, `chown`, `chroot`, `cp`, `rm` | Y cryptsetup | FDE with LUKS | Y dosfstools | create VFAT filesystem for UEFI with `mkfs.vfat` | Y @@ -274,7 +264,9 @@ gptfdisk | GPT disk partitioning with `sgdisk` grub | FDE on `/boot`, `grub-mkpasswd-pbkdf2` | Y kbd | keymap data in `/usr/share/kbd/keymaps`, `setfont` | Y kmod | `modprobe` | Y +lvm2 | LVM disk partitioning | N musl² | libcrypt | Y +nilfs-utils | NILFS support | N openssl | user password salts | Y procps-ng | `pkill` | Y rakudo | `voidvault` Raku runtime | N @@ -310,6 +302,7 @@ variable values for all configuration options aside from: - `--guest-pass` - `--hostname` - `--ignore-conf-repos` +- `--pool-name` - `--repository` - `--root-pass-hash` - `--root-pass` @@ -345,20 +338,20 @@ information, see http://unlicense.org/ or the accompanying UNLICENSE file. [550MB]: https://wiki.archlinux.org/index.php/EFI_system_partition#Create_the_partition [denies console login as root]: https://wiki.archlinux.org/index.php/Security#Denying_console_login_as_root -[disables Btrfs CoW]: https://wiki.archlinux.org/index.php/Btrfs#Disabling_CoW [dnscrypt-proxy]: https://wiki.archlinux.org/index.php/DNSCrypt [double password entry avoidance]: https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system#Avoiding_having_to_enter_the_passphrase_twice -[flat layout]: https://btrfs.wiki.kernel.org/index.php/SysadminGuide#Layout [GPT]: https://wiki.archlinux.org/index.php/Partitioning#GUID_Partition_Table [GRUB]: https://wiki.archlinux.org/index.php/GRUB [hides process information]: https://wiki.archlinux.org/index.php/Security#hidepid [nftables]: https://wiki.archlinux.org/index.php/nftables +[NILFS]: https://nilfs.sourceforge.io/ +[nilfs_cleanerd]: https://news.ycombinator.com/item?id=18753858 [OpenSSH]: https://wiki.archlinux.org/index.php/Secure_Shell [runit]: http://smarden.org/runit [Sysctl]: https://wiki.archlinux.org/index.php/Sysctl -[void-live-iso-i686-glibc]: https://alpha.de.repo.voidlinux.org/live/current/void-live-i686-20210930.iso -[void-live-iso-x86_64-glibc]: https://alpha.de.repo.voidlinux.org/live/current/void-live-x86_64-20210930.iso -[void-live-iso-x86_64-musl]: https://alpha.de.repo.voidlinux.org/live/current/void-live-x86_64-musl-20210930.iso +[void-live-iso-i686-glibc]: https://alpha.de.repo.voidlinux.org/live/current/void-live-i686-20191109.iso +[void-live-iso-x86_64-glibc]: https://alpha.de.repo.voidlinux.org/live/current/void-live-x86_64-20191109.iso +[void-live-iso-x86_64-musl]: https://alpha.de.repo.voidlinux.org/live/current/void-live-x86_64-musl-20191109.iso [Xorg]: https://wiki.archlinux.org/index.php/Xorg [zram]: https://www.kernel.org/doc/Documentation/blockdev/zram.txt [zramen]: https://github.com/atweiden/zramen diff --git a/bin/voidvault b/bin/voidvault index 448bddd9..b7d6140f 100755 --- a/bin/voidvault +++ b/bin/voidvault @@ -10,33 +10,6 @@ use Voidvault::Utils; -# ----------------------------------------------------------------------------- -# disable-cow -# ----------------------------------------------------------------------------- - -multi sub MAIN( - 'disable-cow', - Bool :c(:$clean), - Str :g(:$group), - Str :p(:$permissions), - Bool :r(:$recursive), - Str :u(:$user), - *@directory - --> Nil -) -{ - my %opts; - %opts = $clean if $clean; - %opts = $group if $group; - %opts = $permissions if $permissions; - %opts = $recursive if $recursive; - %opts = $user if $user; - Voidvault::Utils.disable-cow(@directory, |%opts); -} - - - - # ----------------------------------------------------------------------------- # gen-pass-hash # ----------------------------------------------------------------------------- @@ -58,11 +31,6 @@ multi sub MAIN('gen-pass-hash', Bool :g(:$grub) --> Nil) # help # ----------------------------------------------------------------------------- -multi sub MAIN('help', 'disable-cow' --> Nil) -{ - USAGE('disable-cow'); -} - multi sub MAIN('help', 'gen-pass-hash' --> Nil) { USAGE('gen-pass-hash'); @@ -111,6 +79,7 @@ multi sub MAIN( Str :keymap($), Str :locale($), Str :partition($), + Str :pool-name($), Str :processor($), Str :repository($), Str :root-pass($), @@ -182,7 +151,6 @@ multi sub USAGE(--> Nil) voidvault Commands: - disable-cow Disable copy-on-write on directories gen-pass-hash Generate password hash help Show help for subcommands ls List keymaps, locales, partitions, timezones @@ -197,35 +165,6 @@ multi sub USAGE(--> Nil) say($HELP); } -multi sub USAGE('disable-cow' --> Nil) -{ - constant $HELP = qq:to/EOF/.trim; - Usage: - voidvault [--clean] - [--permissions=] - [--user=] - [--group=] - disable-cow [ ..] - voidvault [-r] disable-cow [ ..] - - Options: - -c, --clean - Remake directories with CoW disabled - -r, --recursive - Recursively disable CoW on directories - -p, --permissions= - Octal file mode bits (defaults to "755") - -u, --user= - Named user to own file (defaults to "$*USER") - -g, --group= - Named group to own file (defaults to "$*GROUP") - - Positionals: - Path to directory - EOF - say($HELP); -} - multi sub USAGE('gen-pass-hash' --> Nil) { constant $HELP = q:to/EOF/.trim; @@ -266,6 +205,7 @@ multi sub USAGE('new' --> Nil) [--grub-name=] [--grub-pass=] [--root-pass=] [--vault-name=] [--vault-pass=] + [--pool-name=] [--hostname=] [--partition=] [--processor=] [--graphics=] [--disk-type=] [--locale=] @@ -312,6 +252,8 @@ multi sub USAGE('new' --> Nil) Locale --partition= Partition target for install + --pool-name= + Name for LVM volume group --processor= Processor type --repository= diff --git a/doc/guides/btrfs-administration.md b/doc/guides/btrfs-administration.md deleted file mode 100644 index 0187a465..00000000 --- a/doc/guides/btrfs-administration.md +++ /dev/null @@ -1,180 +0,0 @@ -# Btrfs Administration - -## Setup - -```sh -# create base directories -mkdir -p /opt/{snapshots,subvolumes} -chmod 700 /opt/{snapshots,subvolumes} - -# create example-alpha subvolume -btrfs subvolume create /opt/subvolumes/example-alpha - -# mount example-alpha subvolume -_mount_opts+="compress=zstd," -_mount_opts+="noatime," -_mount_opts+="rw," -_mount_opts+="space_cache=v2," -_mount_opts+="ssd," -_mount_opts+="subvol=@opt/subvolumes/example-alpha" -mount -t btrfs -o "$_mount_opts" /dev/mapper/vault /home/admin/.example-alpha -chown -R admin:admin /home/admin/.example-alpha - -# add example-alpha subvolume mount to fstab -genfstab -U -p / | vipe -``` - -## Backup subvolumes - -```sh -# create read-only snapshot of example-alpha at time A -_snaptime_a="$(date '+%FT%H:%M')" -mkdir -p "/opt/snapshots/$_snaptime_a" -btrfs subvolume snapshot -r /opt/subvolumes/example-alpha "/opt/snapshots/$_snaptime_a" -sync - -# create read-only snapshot of example-alpha at time B -_snaptime_b="$(date '+%FT%H:%M')" -mkdir -p "/opt/snapshots/$_snaptime_b" -btrfs subvolume snapshot -r /opt/subvolumes/example-alpha "/opt/snapshots/$_snaptime_b" -sync - -# backup read-only incremental snapshot of example-alpha -btrfs send -p "/opt/snapshots/$_snaptime_a/example-alpha" "/opt/snapshots/$_snaptime_b/example-alpha" -``` - -```sh -MASTER_INTERFACE="enp4s0f2" -SLAVE_IPV6="fe80::6497:17de:fee3:1942" -SLAVE_USER_NAME="admin" - -# [master] snapshot example-alpha -_seconds_since_epoch="$(date --utc '+%s')" -_snapshot="example-alpha.snapshot.$_seconds_since_epoch" -btrfs subvolume snapshot -r /opt/subvolumes/example-alpha "/opt/snapshots/$_snapshot" -sync - -# [master] send/receive full example-alpha snapshot -btrfs send -v "/opt/snapshots/$_snapshot" \ - | ssh -T -i "/path/to/id_ed25519" \ - ${SLAVE_USER_NAME}@${SLAVE_IPV6}%${MASTER_INTERFACE} \ - "btrfs receive /opt/snapshots" - -# [master] save full example-alpha snapshot to file for sending -_snapshot_type="full" -_snapshot_file="$_snapshot.$_snapshot_type" -btrfs send -f "$_snapshot_file" "/opt/snapshots/$_snapshot" -sync -chown $USER:$USER "$_snapshot_file" - -# [master] rsync the full example-alpha snapshot file to slave -rsync \ - --dry-run \ - --recursive \ - --perms \ - --times \ - --partial \ - --inplace \ - --verbose \ - --human-readable \ - --progress \ - --itemize-changes \ - --itemize-changes \ - --rsh 'ssh -T -i /path/to/id_ed25519' \ - "$_snapshot_file" \ - ${SLAVE_USER_NAME}@[${SLAVE_IPV6}]:/home/staged/snapshots/$_snapshot_file - -# [slave] receive snapshot from file -btrfs receive -f "/home/staged/snapshots/$_snapshot_file" /opt/snapshots -rm "/home/staged/snapshots/$_snapshot_file" -sync - -# [slave] take rw snapshot of ro snapshot -btrfs subvolume snapshot "/opt/snapshots/$_snapshot" /opt/subvolumes/example-alpha -sync -``` - -```sh -#!/bin/bash - -MASTER_INTERFACE="enp4s0f2" -SLAVE_IPV6="fe80::6497:17de:fee3:1942" -SLAVE_USER_NAME="admin" - -# send / receive -ssh -T -i "$HOME/.ssh/box/id_ed25519" \ - ${SLAVE_USER_NAME}@${SLAVE_IPV6}%${MASTER_INTERFACE} \ - "btrfs send /opt/snapshots/$_snapshot" \ - | btrfs receive -v /opt/snapshots - -# incremental send / receive -ssh -T -i "$HOME/.ssh/box/id_ed25519" \ - ${SLAVE_USER_NAME}@${SLAVE_IPV6}%${MASTER_INTERFACE} \ - "btrfs send -p /opt/snapshots/$_snapshot_parent /opt/snapshots/$_snapshot" \ - | btrfs receive -v /opt/snapshots - -# syncing file -rsync \ - --dry-run \ - --recursive \ - --perms \ - --times \ - --partial \ - --inplace \ - --verbose \ - --human-readable \ - --progress \ - --itemize-changes \ - --itemize-changes \ - --rsh "ssh -T -i \"$HOME/.ssh/box/id_ed25519\"" \ - ${SLAVE_USER_NAME}@[${SLAVE_IPV6}%${MASTER_INTERFACE}]:/home/${SLAVE_USER_NAME}/${_snapshot_file} \ - "$HOME" -``` - -## Refresh snapshots - -```sh -#!/bin/bash - -# delete existing snapshots -# btrfs subvolume list / -# btrfs subvolume delete /opt/snapshots/... - -_seconds_since_epoch="$(date --utc '+%s')" -# refresh snapshots -for _name in example-alpha \ - example-bravo; do - _snapshot="$_name.snapshot.$_seconds_since_epoch" - sudo btrfs subvolume snapshot -r "/opt/subvolumes/$_name" "/opt/snapshots/$_snapshot" -done -sudo sync -``` - -## Restore from snapshot - -For when you have accidentally deleted `~/.example-alpha/important-file`. - -```sh -# unmount ~/.example-alpha -umount ~/.example-alpha - -# delete example-alpha subvolume -btrfs subvolume delete /opt/subvolumes/example-alpha - -# take rw snapshot of most recent example-alpha snapshot -btrfs subvolume snapshot "/opt/snapshots/example-alpha.snapshot.1476147345" /opt/subvolumes/example-alpha - -# retrieve subvolume ID of newly created example-alpha subvolume -btrfs subvolume list / -_NEW_ID=701 - -# the `mount` command, run as root, needs the absolute path to your `~` -_HOME="$HOME" - -# mount this new snapshot as example-alpha at ~/.example-alpha -# /dev/mapper/vault is root -mount -t btrfs -o rw,nodatacow,noatime,compress=zstd,ssd,space_cache=v2,subvolid=$_NEW_ID,subvol=/@opt/subvolumes/example-alpha /dev/mapper/vault "$_HOME/.example-alpha" - -# update fstab (with `subvolid=$_NEW_ID`) -genfstab -U / -``` diff --git a/doc/guides/nilfs-lvm-administration.md b/doc/guides/nilfs-lvm-administration.md new file mode 100644 index 00000000..9146c3ea --- /dev/null +++ b/doc/guides/nilfs-lvm-administration.md @@ -0,0 +1,135 @@ +# NILFS+LVM Administration + +## Create and mount new LVM logical volume + +```sh +# create lvm logical volume +lvcreate --name sandbox --extents 100%FREE vg0 + +# activate lvm logical volume +vgchange --activate y + +# format lvm logical volume +mkfs.nilfs2 -L sandbox /dev/vg0/sandbox + +# mount lvm logical volume +mkdir /path/to/sandbox +_mount_opts='rw,noatime' +mount \ + --types nilfs2 \ + --options "$_mount_opts" \ + /dev/vg0/sandbox \ + /path/to/sandbox + +# add lvm logical volume mount to fstab (may require reboot to obtain UUID) +_uuid="$(blkid --match-tag UUID --output value /dev/vg0/sandbox)" +cat >> /etc/fstab <<"EOF" +# /dev/vg0/sandbox LABEL=sandbox +UUID=$_uuid /path/to/sandbox nilfs2 $_mount_opts 0 0 +EOF +``` + +## Resize LVM logical volume + +Shrink: + +```sh +# shrink NILFS to under target size +nilfs-resize /dev/vg0/srv 430M +# resize logical volume to target size +lvresize --size 500M vg0/srv +# grow NILFS without dimension to occupy all logical volume free space +nilfs-resize /dev/vg0/srv +``` + +Grow: + +```sh +# resize logical volume to target size +lvresize --size +2G vg0/srv +# grow NILFS without dimension to occupy all logical volume free space +nilfs-resize /dev/vg0/srv +``` + +Shrink and grow operations must be carried out on live, mounted NILFS +filesystems. They won't work otherwise. + +## Restore LVM logical volume from NILFS snapshot + +Take NILFS snapshot: + +```sh +mkcp --snapshot /dev/vg0/sandbox +``` + +Create and mount logical volume for holding data restored from NILFS +snapshot: + +```sh +lvcreate --name restore --extents 100%FREE vg0 +vgchange --activate y +mkfs.nilfs2 -L restore /dev/vg0/restore +mkdir /path/to/restore +mount \ + --types nilfs2 \ + --options 'rw,noatime' \ + /dev/vg0/restore \ + /path/to/restore +``` + +Mount NILFS snapshot: + +```sh +mkdir /path/to/staging +# must mount snapshot read-only +mount \ + --types nilfs2 \ + --options 'cp=7,ro,noatime' \ + /dev/vg0/sandbox \ + /path/to/staging +``` + +Conserve disk space by `rm -rf`ing the original contents after staging +contains read-only mount of snapshot. Do not destroy the original +filesystem (yet). + +Copy snapshotted contents: + +```sh +rsync \ + --recursive \ + --perms \ + --times \ + --partial \ + --inplace \ + --verbose \ + --human-readable \ + --progress \ + --itemize-changes \ + --itemize-changes \ + /path/to/staging/ \ + /path/to/restore +``` + +Unmount staging: + +``` +umount /path/to/staging +``` + +Securely delete original LVM logical volume: + +```sh +umount /path/to/sandbox +shred -fvz -n 7 /dev/vg0/sandbox +lvremove vg0/sandbox +``` + +## Work around NILFS2 lack of file capabilities support + +Add suid bit to affected binaries: + +```sh +chmod u+s /usr/bin/nanoklogd +chmod u+s /usr/bin/iputils-ping +``` diff --git a/examples/new-from-cli-passhash.sh b/examples/new-from-cli-passhash.sh index d7ff173e..afe1061d 100755 --- a/examples/new-from-cli-passhash.sh +++ b/examples/new-from-cli-passhash.sh @@ -15,6 +15,7 @@ voidvault --admin-name='live' --root-pass-hash='$6$rounds=700000$xDn3UJKNvfOxJ1Ds$YEaaBAvQQgVdtV7jFfVnwmh57Do1awMh8vTBtI1higrZMAXUisX2XKuYbdTcxgQMleWZvK3zkSJQ4F3Jyd5Ln1' \ --vault-name='vault' \ --vault-pass='xyzzy' \ + --pool-name='vg0' \ --hostname='vault' \ --partition='/dev/sda' \ --processor='intel' \ diff --git a/examples/new-from-cli.sh b/examples/new-from-cli.sh index 9fd983fc..2de9e450 100755 --- a/examples/new-from-cli.sh +++ b/examples/new-from-cli.sh @@ -14,6 +14,7 @@ voidvault --admin-name="live" \ --root-pass="your root password" \ --vault-name="vault" \ --vault-pass="your LUKS encrypted volume's password" \ + --pool-name="vg0" \ --hostname="vault" \ --partition="/dev/sdb" \ --processor="other" \ diff --git a/examples/new-from-env-vars-passhash.sh b/examples/new-from-env-vars-passhash.sh index 0a2aaad9..113c903c 100755 --- a/examples/new-from-env-vars-passhash.sh +++ b/examples/new-from-env-vars-passhash.sh @@ -15,6 +15,7 @@ export VOIDVAULT_GRUB_PASS_HASH='grub.pbkdf2.sha512.25000.4A7BC4FE022FA7E7D32B0B export VOIDVAULT_ROOT_PASS_HASH='$6$rounds=700000$xDn3UJKNvfOxJ1Ds$YEaaBAvQQgVdtV7jFfVnwmh57Do1awMh8vTBtI1higrZMAXUisX2XKuYbdTcxgQMleWZvK3zkSJQ4F3Jyd5Ln1' export VOIDVAULT_VAULT_NAME='vault' export VOIDVAULT_VAULT_PASS='xyzzy' +export VOIDVAULT_POOL_NAME='vg0' export VOIDVAULT_HOSTNAME='vault' export VOIDVAULT_PARTITION='/dev/sda' export VOIDVAULT_PROCESSOR='intel' diff --git a/examples/new-from-env-vars.sh b/examples/new-from-env-vars.sh index ddc07601..24e9e2be 100755 --- a/examples/new-from-env-vars.sh +++ b/examples/new-from-env-vars.sh @@ -14,6 +14,7 @@ export VOIDVAULT_GRUB_PASS="your grub user's password" export VOIDVAULT_ROOT_PASS="your root password" export VOIDVAULT_VAULT_NAME="vault" export VOIDVAULT_VAULT_PASS="your LUKS encrypted volume's password" +export VOIDVAULT_POOL_NAME="vg0" export VOIDVAULT_HOSTNAME="vault" export VOIDVAULT_PARTITION="/dev/sdb" export VOIDVAULT_PROCESSOR="other" diff --git a/lib/Voidvault.pm6 b/lib/Voidvault.pm6 index 538ded46..d56f5efc 100644 --- a/lib/Voidvault.pm6 +++ b/lib/Voidvault.pm6 @@ -25,6 +25,7 @@ method new( Str :keymap($), Str :locale($), Str :partition($), + Str :pool-name($), Str :processor($), Str :repository($), Str :root-pass($), diff --git a/lib/Voidvault/Bootstrap.pm6 b/lib/Voidvault/Bootstrap.pm6 index 68323084..8dab4ff5 100644 --- a/lib/Voidvault/Bootstrap.pm6 +++ b/lib/Voidvault/Bootstrap.pm6 @@ -46,6 +46,7 @@ method bootstrap(::?CLASS:D: --> Nil) self!install-bootloader; self!configure-sysctl; self!configure-nftables; + self!configure-nilfs; self!configure-openssh; self!configure-udev; self!configure-hidepid; @@ -71,7 +72,6 @@ method !setup(--> Nil) # fetch dependencies needed prior to voidstrap my Str:D @dep = qw< - btrfs-progs coreutils cryptsetup dialog @@ -83,6 +83,9 @@ method !setup(--> Nil) grub kbd kmod + libnilfs + lvm2 + nilfs-utils openssl procps-ng tzdata @@ -164,8 +167,8 @@ multi sub build-xbps-install-dep-cmdline( # secure disk configuration method !mkdisk(--> Nil) { - my DiskType:D $disk-type = $.config.disk-type; my Str:D $partition = $.config.partition; + my PoolName:D $pool-name = $.config.pool-name; my VaultName:D $vault-name = $.config.vault-name; my VaultPass $vault-pass = $.config.vault-pass; @@ -182,14 +185,11 @@ method !mkdisk(--> Nil) Voidvault::Utils.gen-partition('vault', $partition); mkvault($partition-vault, $vault-name, :$vault-pass); - # create and mount btrfs volumes - mkbtrfs($disk-type, $vault-name); + # create and mount nilfs+lvm + mknilfslvm($pool-name, $vault-name); # mount efi boot mount-efi($partition-efi); - - # disable Btrfs CoW - disable-cow(); } # partition disk with gdisk @@ -445,37 +445,18 @@ multi sub build-cryptsetup-luks-open-cmdline( EOF } -# create and mount btrfs volumes on open vault -sub mkbtrfs(DiskType:D $disk-type, VaultName:D $vault-name --> Nil) +# create and mount nilfs+lvm structure on open vault +sub mknilfslvm(PoolName:D $pool-name, VaultName:D $vault-name --> Nil) { - # create btrfs filesystem on opened vault - run(qw); - run(qqw); + # create lvm physical volume (pv) on open vault + run(qqw); - # set mount options - my Str:D @mount-options = qw< - rw - noatime - compress=zstd - space_cache=v2 - >; - push(@mount-options, 'ssd') if $disk-type eq 'SSD'; - my Str:D $mount-options = @mount-options.join(','); + # create lvm volume group (vg) hosting physical volume + run(qqw); - # mount main btrfs filesystem on open vault - mkdir('/mnt2'); - run(qqw< - mount - --types btrfs - --options $mount-options - /dev/mapper/$vault-name - /mnt2 - >); - - # btrfs subvolumes, starting with root / ('') - my Str:D @btrfs-dir = - '', - 'home', + # logical volume (lv), deliberately custom ordered + my Str:D @lv = + 'root', 'opt', 'srv', 'var', @@ -484,167 +465,357 @@ sub mkbtrfs(DiskType:D $disk-type, VaultName:D $vault-name --> Nil) 'var-log', 'var-opt', 'var-spool', - 'var-tmp'; + 'var-tmp', + 'home'; + + # create lvm lvs + lvcreate(@lv, $pool-name); - # create btrfs subvolumes - chdir('/mnt2'); - @btrfs-dir.map(-> Str:D $btrfs-dir { - run(qqw); + # activate lvm lvs + run(qw); + + # make nilfs on each lvm lv + mknilfs(@lv, $pool-name); + + # mount nilfs lvm structure + mount-nilfslvm(@lv, $pool-name); +} + +multi sub lvcreate( + Str:D @lv, + PoolName:D $pool-name + --> Nil +) +{ + @lv.map(-> Str:D $lv { + lvcreate($lv, $pool-name); }); - chdir('/'); +} + +multi sub lvcreate( + Str:D $lv where 'root', + PoolName:D $pool-name + --> Nil +) +{ + # root (C) sized at 8G + my Str:D $size = '8G'; + lvcreate($lv, :$size, $pool-name); +} + +multi sub lvcreate( + Str:D $lv where 'opt', + PoolName:D $pool-name + --> Nil +) +{ + # opt (C) sized at 200M + my Str:D $size = '200M'; + lvcreate($lv, :$size, $pool-name); +} + +multi sub lvcreate( + Str:D $lv where 'srv', + PoolName:D $pool-name + --> Nil +) +{ + # srv (C) sized at 200M + my Str:D $size = '200M'; + lvcreate($lv, :$size, $pool-name); +} + +multi sub lvcreate( + Str:D $lv where 'var', + PoolName:D $pool-name + --> Nil +) +{ + # var (C) sized at 1G + my Str:D $size = '1G'; + lvcreate($lv, :$size, $pool-name); +} + +multi sub lvcreate( + Str:D $lv where 'var-cache-xbps', + PoolName:D $pool-name + --> Nil +) +{ + # var-cache-xbps (C) sized at 2G + my Str:D $size = '2G'; + lvcreate($lv, :$size, $pool-name); +} + +multi sub lvcreate( + Str:D $lv where 'var-lib-ex', + PoolName:D $pool-name + --> Nil +) +{ + # var-lib-ex (C) sized at 200M + my Str:D $size = '200M'; + lvcreate($lv, :$size, $pool-name); +} + +multi sub lvcreate( + Str:D $lv where 'var-log', + PoolName:D $pool-name + --> Nil +) +{ + # var-log (C) sized at 200M + my Str:D $size = '200M'; + lvcreate($lv, :$size, $pool-name); +} + +multi sub lvcreate( + Str:D $lv where 'var-opt', + PoolName:D $pool-name + --> Nil +) +{ + # var-opt (C) sized at 200M + my Str:D $size = '200M'; + lvcreate($lv, :$size, $pool-name); +} + +multi sub lvcreate( + Str:D $lv where 'var-spool', + PoolName:D $pool-name + --> Nil +) +{ + # var-spool (C) sized at 200M + my Str:D $size = '200M'; + lvcreate($lv, :$size, $pool-name); +} + +multi sub lvcreate( + Str:D $lv where 'var-tmp', + PoolName:D $pool-name + --> Nil +) +{ + # var-tmp (C) sized at 800M + my Str:D $size = '800M'; + lvcreate($lv, :$size, $pool-name); +} + +multi sub lvcreate( + Str:D $lv where 'home', + PoolName:D $pool-name + --> Nil +) +{ + # home (C) sized at 100% of remaining free space in vg + my Str:D $extents = '100%FREE'; + lvcreate($lv, :$extents, $pool-name); +} + +multi sub lvcreate( + Str:D $name, + PoolName:D $pool-name, + Str:D :$extents! where .so + --> Nil +) +{ + run(qqw); +} - # mount btrfs subvolumes - @btrfs-dir.map(-> Str:D $btrfs-dir { - mount-btrfs-subvolume($btrfs-dir, $mount-options, $vault-name); +multi sub lvcreate( + Str:D $name, + PoolName:D $pool-name, + Str:D :$size! where .so + --> Nil +) +{ + run(qqw); +} + +multi sub mknilfs(Str:D @lv, PoolName:D $pool-name --> Nil) +{ + run(qw); + @lv.map(-> Str:D $lv { + mknilfs($lv, $pool-name); }); +} - # unmount /mnt2 and remove - run(qw); - rmdir('/mnt2'); +multi sub mknilfs(Str:D $lv, PoolName:D $pool-name --> Nil) +{ + run(qqw); } -multi sub mount-btrfs-subvolume( - 'srv', - Str:D $mount-options, - VaultName:D $vault-name +multi sub mount-nilfslvm( + Str:D @lv, + PoolName:D $pool-name --> Nil ) { - my Str:D $btrfs-dir = 'srv'; - mkdir("/mnt/$btrfs-dir"); + @lv.map(-> Str:D $lv { + mount-nilfslvm($lv, $pool-name); + }); +} + +multi sub mount-nilfslvm( + Str:D $lv where 'root', + PoolName:D $pool-name + --> Nil +) +{ + # set mount options + my Str:D $mount-options = 'rw,noatime'; + + # mount nilfs+lvm root on open vault run(qqw< mount - --types btrfs - --options $mount-options,nodev,noexec,nosuid,subvol=@$btrfs-dir - /dev/mapper/$vault-name - /mnt/$btrfs-dir + --types nilfs2 + --options $mount-options + /dev/$pool-name/$lv + /mnt >); } -multi sub mount-btrfs-subvolume( - 'var-cache-xbps', - Str:D $mount-options, - VaultName:D $vault-name +multi sub mount-nilfslvm( + Str:D $lv where 'srv', + PoolName:D $pool-name --> Nil ) { - my Str:D $btrfs-dir = 'var/cache/xbps'; - mkdir("/mnt/$btrfs-dir"); + mkdir("/mnt/$lv"); + my Str:D $mount-options = 'rw,noatime,nodev,noexec,nosuid'; run(qqw< mount - --types btrfs - --options $mount-options,subvol=@var-cache-xbps - /dev/mapper/$vault-name - /mnt/$btrfs-dir + --types nilfs2 + --options $mount-options + /dev/$pool-name/$lv + /mnt/$lv >); } -multi sub mount-btrfs-subvolume( - 'var-lib-ex', - Str:D $mount-options, - VaultName:D $vault-name +multi sub mount-nilfslvm( + Str:D $lv where 'var-cache-xbps', + PoolName:D $pool-name --> Nil ) { - my Str:D $btrfs-dir = 'var/lib/ex'; - mkdir("/mnt/$btrfs-dir"); + my Str:D $dir = $lv.subst('-', '/', :g); + mkdir("/mnt/$dir"); + my Str:D $mount-options = 'rw,noatime'; run(qqw< mount - --types btrfs - --options $mount-options,nodev,noexec,nosuid,subvol=@var-lib-ex - /dev/mapper/$vault-name - /mnt/$btrfs-dir + --types nilfs2 + --options $mount-options + /dev/$pool-name/$lv + /mnt/$dir >); - run(qqw); } -multi sub mount-btrfs-subvolume( - 'var-log', - Str:D $mount-options, - VaultName:D $vault-name +multi sub mount-nilfslvm( + Str:D $lv where 'var-lib-ex', + PoolName:D $pool-name --> Nil ) { - my Str:D $btrfs-dir = 'var/log'; - mkdir("/mnt/$btrfs-dir"); + my Str:D $dir = $lv.subst('-', '/', :g); + mkdir("/mnt/$dir"); + my Str:D $mount-options = 'rw,noatime,nodev,noexec,nosuid'; run(qqw< mount - --types btrfs - --options $mount-options,nodev,noexec,nosuid,subvol=@var-log - /dev/mapper/$vault-name - /mnt/$btrfs-dir + --types nilfs2 + --options $mount-options + /dev/$pool-name/$lv + /mnt/$dir >); } -multi sub mount-btrfs-subvolume( - 'var-opt', - Str:D $mount-options, - VaultName:D $vault-name +multi sub mount-nilfslvm( + Str:D $lv where 'var-log', + PoolName:D $pool-name --> Nil ) { - my Str:D $btrfs-dir = 'var/opt'; - mkdir("/mnt/$btrfs-dir"); + my Str:D $dir = $lv.subst('-', '/', :g); + mkdir("/mnt/$dir"); + my Str:D $mount-options = 'rw,noatime,nodev,noexec,nosuid'; run(qqw< mount - --types btrfs - --options $mount-options,subvol=@var-opt - /dev/mapper/$vault-name - /mnt/$btrfs-dir + --types nilfs2 + --options $mount-options + /dev/$pool-name/$lv + /mnt/$dir >); } -multi sub mount-btrfs-subvolume( - 'var-spool', - Str:D $mount-options, - VaultName:D $vault-name +multi sub mount-nilfslvm( + Str:D $lv where 'var-opt', + PoolName:D $pool-name --> Nil ) { - my Str:D $btrfs-dir = 'var/spool'; - mkdir("/mnt/$btrfs-dir"); + my Str:D $dir = $lv.subst('-', '/', :g); + mkdir("/mnt/$dir"); + my Str:D $mount-options = 'rw,noatime'; run(qqw< mount - --types btrfs - --options $mount-options,nodev,noexec,nosuid,subvol=@var-spool - /dev/mapper/$vault-name - /mnt/$btrfs-dir + --types nilfs2 + --options $mount-options + /dev/$pool-name/$lv + /mnt/$dir >); } -multi sub mount-btrfs-subvolume( - 'var-tmp', - Str:D $mount-options, - VaultName:D $vault-name +multi sub mount-nilfslvm( + Str:D $lv where 'var-spool', + PoolName:D $pool-name --> Nil ) { - my Str:D $btrfs-dir = 'var/tmp'; - mkdir("/mnt/$btrfs-dir"); + my Str:D $dir = $lv.subst('-', '/', :g); + mkdir("/mnt/$dir"); + my Str:D $mount-options = 'rw,noatime,nodev,noexec,nosuid'; run(qqw< mount - --types btrfs - --options $mount-options,nodev,noexec,nosuid,subvol=@var-tmp - /dev/mapper/$vault-name - /mnt/$btrfs-dir + --types nilfs2 + --options $mount-options + /dev/$pool-name/$lv + /mnt/$dir >); - run(qqw); } -multi sub mount-btrfs-subvolume( - Str:D $btrfs-dir, - Str:D $mount-options, - VaultName:D $vault-name +multi sub mount-nilfslvm( + Str:D $lv where 'var-tmp', + PoolName:D $pool-name --> Nil ) { - mkdir("/mnt/$btrfs-dir"); + my Str:D $dir = $lv.subst('-', '/', :g); + mkdir("/mnt/$dir"); + my Str:D $mount-options = 'rw,noatime,nodev,noexec,nosuid'; run(qqw< mount - --types btrfs - --options $mount-options,subvol=@$btrfs-dir - /dev/mapper/$vault-name - /mnt/$btrfs-dir + --types nilfs2 + --options $mount-options + /dev/$pool-name/$lv + /mnt/$dir + >); + run(qqw); +} + +multi sub mount-nilfslvm( + Str:D $lv, + PoolName:D $pool-name + --> Nil +) +{ + my Str:D $mount-options = 'rw,noatime'; + mkdir("/mnt/$lv"); + run(qqw< + mount + --types nilfs2 + --options $mount-options + /dev/$pool-name/$lv + /mnt/$lv >); } @@ -655,18 +826,6 @@ sub mount-efi(Str:D $partition-efi --> Nil) run(qqw); } -sub disable-cow(--> Nil) -{ - my Str:D @directory = qw< - srv - var/lib/ex - var/log - var/spool - var/tmp - >.map(-> Str:D $directory { sprintf(Q{/mnt/%s}, $directory) }); - Voidvault::Utils.disable-cow(|@directory, :recursive); -} - # bootstrap initial chroot with voidstrap method !voidstrap-base(--> Nil) { @@ -694,7 +853,6 @@ method !voidstrap-base(--> Nil) bash bash-completion binutils - btrfs-progs bzip2 ca-certificates cdrtools @@ -739,6 +897,7 @@ method !voidstrap-base(--> Nil) linux-firmware linux-firmware-network logrotate + lvm2 lynx lz4 man-db @@ -748,6 +907,7 @@ method !voidstrap-base(--> Nil) ncurses-term net-tools nftables + nilfs-utils openresolv openssh openssl @@ -1343,10 +1503,18 @@ method !install-bootloader(--> Nil) my Str:D $partition = $.config.partition; my Str:D $partition-vault = Voidvault::Utils.gen-partition('vault', $partition); + my PoolName:D $pool-name = $.config.pool-name; my UserName:D $user-name-grub = $.config.user-name-grub; my Str:D $user-pass-hash-grub = $.config.user-pass-hash-grub; my VaultName:D $vault-name = $.config.vault-name; - replace('grub', $disable-ipv6, $graphics, $partition-vault, $vault-name); + replace( + 'grub', + $disable-ipv6, + $graphics, + $partition-vault, + $pool-name, + $vault-name + ); replace('10_linux'); configure-bootloader('superusers', $user-name-grub, $user-pass-hash-grub); install-bootloader($partition); @@ -1479,6 +1647,11 @@ method !configure-nftables(--> Nil) }); } +method !configure-nilfs(--> Nil) +{ + replace('nilfs_cleanerd.conf'); +} + method !configure-openssh(--> Nil) { my Bool:D $disable-ipv6 = $.config.disable-ipv6; @@ -1639,6 +1812,7 @@ method !unmount(--> Nil) # resume after error with C, obsolete but harmless CATCH { default { .resume } }; run(qw); + run(qw); run(qqw); } @@ -2206,10 +2380,10 @@ multi sub replace( my Str:D $file = sprintf(Q{/mnt/etc/dracut.conf.d/%s.conf}, $subject); # modules are found in C my Str:D @module = qw< - btrfs crypt dm kernel-modules + lvm >; my Str:D $replace = sprintf(Q{%s=" %s "}, $subject, @module.join(' ')); spurt($file, $replace ~ "\n"); @@ -2227,10 +2401,10 @@ multi sub replace( # drivers are C<*.ko*> files in C my Str:D @driver = qw< ahci - btrfs libcrc32c lz4 lz4hc + nilfs2 >; push(@driver, 'crc32c-intel') if $processor eq 'INTEL'; push(@driver, 'i915') if $graphics eq 'INTEL'; @@ -2312,6 +2486,7 @@ multi sub replace( Bool:D $disable-ipv6, Graphics:D $graphics, Str:D $partition-vault, + PoolName:D $pool-name, VaultName:D $vault-name ) --> Nil @@ -2325,7 +2500,8 @@ multi sub replace( ==> replace('grub', 'GRUB_DISABLE_RECOVERY') ==> replace('grub', 'GRUB_ENABLE_CRYPTODISK') ==> replace('grub', 'GRUB_TERMINAL_INPUT') - ==> replace('grub', 'GRUB_TERMINAL_OUTPUT'); + ==> replace('grub', 'GRUB_TERMINAL_OUTPUT') + ==> replace('grub', 'GRUB_PRELOAD_MODULES'); my Str:D $replace = @replace.join("\n"); spurt($file, $replace ~ "\n"); } @@ -2336,6 +2512,7 @@ multi sub replace( Bool:D $disable-ipv6, Graphics:D $graphics, Str:D $partition-vault, + PoolName:D $pool-name, VaultName:D $vault-name, Str:D @line --> Array[Str:D] @@ -2345,10 +2522,11 @@ multi sub replace( my Str:D $vault-uuid = qqx.trim; my Str:D @grub-cmdline-linux = qqw< - rootflags=subvol=@ rd.luks=1 rd.luks.name=$vault-uuid=$vault-name rd.luks.uuid=$vault-uuid + rd.lvm.vg=$pool-name + root=/dev/$pool-name/root loglevel=6 >; # enable slub/slab allocator free poisoning (needs CONFIG_SLUB_DEBUG=y) @@ -2443,6 +2621,21 @@ multi sub replace( @line; } +multi sub replace( + 'grub', + Str:D $subject where 'GRUB_PRELOAD_MODULES', + Str:D @line + --> Array[Str:D] +) +{ + # if C not found, append to bottom of file + my UInt:D $index = @line.first(/^'#'?$subject/, :k) // @line.elems; + # preload lvm module + my Str:D $replace = sprintf(Q{%s="lvm"}, $subject); + @line[$index] = $replace; + @line; +} + # --- end grub }}} # --- 10_linux {{{ @@ -2679,6 +2872,98 @@ multi sub replace( } # --- end 99-sysctl.conf }}} +# --- nilfs_cleanerd.conf {{{ + +multi sub replace( + 'nilfs_cleanerd.conf' + --> Nil +) +{ + my Str:D $file = '/mnt/etc/nilfs_cleanerd.conf'; + my Str:D @replace = + $file.IO.lines + # do continuous cleaning + ==> replace('nilfs_cleanerd.conf', 'min_clean_segments') + # increase maximum number of clean segments + ==> replace('nilfs_cleanerd.conf', 'max_clean_segments') + # decrease clean segment check interval + ==> replace('nilfs_cleanerd.conf', 'clean_check_interval') + # decrease cleaning interval + ==> replace('nilfs_cleanerd.conf', 'cleaning_interval') + # increase minimum number of reclaimable blocks in a segment + # before it can be cleaned + ==> replace('nilfs_cleanerd.conf', 'min_reclaimable_blocks'); + my Str:D $replace = @replace.join("\n"); + spurt($file, $replace ~ "\n"); +} + +multi sub replace( + 'nilfs_cleanerd.conf', + Str:D $subject where 'min_clean_segments', + Str:D @line + --> Array[Str:D] +) +{ + my UInt:D $index = @line.first(/^$subject/, :k); + my Str:D $replace = sprintf(Q{%s 0}, $subject); + @line[$index] = $replace; + @line; +} + +multi sub replace( + 'nilfs_cleanerd.conf', + Str:D $subject where 'max_clean_segments', + Str:D @line + --> Array[Str:D] +) +{ + my UInt:D $index = @line.first(/^$subject/, :k); + # double C<%> symbol is quirk of sprintf syntax for C<90%> + my Str:D $replace = sprintf(Q{%s 90%%}, $subject); + @line[$index] = $replace; + @line; +} + +multi sub replace( + 'nilfs_cleanerd.conf', + Str:D $subject where 'clean_check_interval', + Str:D @line + --> Array[Str:D] +) +{ + my UInt:D $index = @line.first(/^$subject/, :k); + my Str:D $replace = sprintf(Q{%s 2}, $subject); + @line[$index] = $replace; + @line; +} + +multi sub replace( + 'nilfs_cleanerd.conf', + Str:D $subject where 'cleaning_interval', + Str:D @line + --> Array[Str:D] +) +{ + my UInt:D $index = @line.first(/^$subject/, :k); + my Str:D $replace = sprintf(Q{%s 2}, $subject); + @line[$index] = $replace; + @line; +} + +multi sub replace( + 'nilfs_cleanerd.conf', + Str:D $subject where 'min_reclaimable_blocks', + Str:D @line + --> Array[Str:D] +) +{ + my UInt:D $index = @line.first(/^$subject/, :k); + my Str:D $replace = sprintf(Q{%s 60%%}, $subject); + @line[$index] = $replace; + @line; +} + +# --- end nilfs_cleanerd.conf }}} # --- sshd_config {{{ multi sub replace( diff --git a/lib/Voidvault/Config.pm6 b/lib/Voidvault/Config.pm6 index f5f91d8c..063ed752 100644 --- a/lib/Voidvault/Config.pm6 +++ b/lib/Voidvault/Config.pm6 @@ -103,6 +103,12 @@ has VaultPass $.vault-pass = ?? Voidvault::Config.gen-vault-pass(%*ENV) !! Nil; +# name for LVM volume group (default: vg0) +has PoolName:D $.pool-name = + %*ENV + ?? Voidvault::Config.gen-pool-name(%*ENV) + !! prompt-name(:pool); + # name for host (default: vault) has HostName:D $.host-name = %*ENV @@ -213,6 +219,7 @@ submethod BUILD( Str :$keymap, Str :$locale, Str :$partition, + Str :$pool-name, Str :$processor, Str :$repository, Str :$root-pass, @@ -244,6 +251,8 @@ submethod BUILD( if $locale; $!partition = $partition if $partition; + $!pool-name = Voidvault::Config.gen-pool-name($pool-name) + if $pool-name; $!processor = Voidvault::Config.gen-processor($processor) if $processor; $!repository = $repository @@ -304,6 +313,7 @@ method new( Str :keymap($), Str :locale($), Str :partition($), + Str :pool-name($), Str :processor($), Str :repository($), Str :root-pass($), @@ -356,6 +366,12 @@ method gen-locale(Str:D $l --> Locale:D) my Locale:D $locale = $l or die("Sorry, invalid locale 「$l」"); } +# confirm pool name $p is valid PoolName and return PoolName +method gen-pool-name(Str:D $p --> PoolName:D) +{ + my PoolName:D $pool-name = $p or die("Sorry, invalid pool name 「$p」"); +} + # confirm processor $p is valid Processor and return Processor method gen-processor(Str:D $p --> Processor:D) { @@ -660,6 +676,30 @@ multi sub prompt-name( } } +multi sub prompt-name( + Bool:D :pool($)! where .so + --> PoolName:D +) +{ + my PoolName:D $pool-name = do { + my PoolName:D $response-default = 'vg0'; + my Str:D $prompt-text = "Enter pool name [$response-default]: "; + my Str:D $help-text = q:to/EOF/.trim; + Determining name of LVM volume group... + + Cannot be named the same as vault. Name should be unique in /dev/. + + Leave blank if you don't know what this is + EOF + tprompt( + PoolName, + $response-default, + :$prompt-text, + :$help-text + ); + } +} + multi sub prompt-name( Bool:D :user($)! where .so, Bool:D :admin($)! where .so diff --git a/lib/Voidvault/Grammar.pm6 b/lib/Voidvault/Grammar.pm6 index 7f52833b..b322edf6 100644 --- a/lib/Voidvault/Grammar.pm6 +++ b/lib/Voidvault/Grammar.pm6 @@ -38,6 +38,21 @@ regex host-name $ } +# LVM volume group name validation +token pool-name +{ + # from `man 8 lvm` line 136: + # - VG name can only contain valid chars: A-Z a-z 0-9 + _ . - + # - VG name cannot begin with a hyphen + # - VG name cannot be anything that exists in /dev/ at the time of creation + # - VG name cannot be `.` or `..` + ( + <+alnum +[+] +[_] +[\.]> + <+alnum +[+] +[_] +[\.] +[-]>* + ) + { $0 !~~ /^^ '.' ** 1..2 $$/ or fail } +} + # linux username validation regex user-name { diff --git a/lib/Voidvault/Types.pm6 b/lib/Voidvault/Types.pm6 index d1e6d8d6..b95e8916 100644 --- a/lib/Voidvault/Types.pm6 +++ b/lib/Voidvault/Types.pm6 @@ -1116,6 +1116,12 @@ subset LibcFlavor of Str is export where { @libc.grep($_) }; # locale subset Locale of Str is export where { %locales.keys.grep($_) }; +# LVM volume group name +subset PoolName of Str is export where +{ + Voidvault::Grammar.parse($_, :rule); +} + # processor subset Processor of Str is export where { %processors.keys.grep($_) }; diff --git a/lib/Voidvault/Utils.pm6 b/lib/Voidvault/Utils.pm6 index 8d5e9f5a..d774a509 100644 --- a/lib/Voidvault/Utils.pm6 +++ b/lib/Voidvault/Utils.pm6 @@ -25,91 +25,6 @@ constant $PBKDF2-LENGTH-HASH = 100; constant $PBKDF2-LENGTH-SALT = 100; -# ----------------------------------------------------------------------------- -# copy-on-write -# ----------------------------------------------------------------------------- - -method disable-cow( - *%opt ( - Bool :clean($), - Bool :recursive($), - Str :permissions($), - Str :user($), - Str :group($) - ), - *@directory - --> Nil -) -{ - # https://wiki.archlinux.org/index.php/Btrfs#Disabling_CoW - @directory.map(-> Str:D $directory { disable-cow($directory, |%opt) }); -} - -multi sub disable-cow( - Str:D $directory, - Bool:D :clean($)! where .so, - # ignored, recursive is implied with :clean - Bool :recursive($), - Str:D :$permissions = '755', - Str:D :$user = $*USER, - Str:D :$group = $*GROUP - --> Nil -) -{ - my Str:D $orig-dir = ~$directory.IO.resolve; - $orig-dir.IO.e && $orig-dir.IO.r && $orig-dir.IO.d - or die('directory failed exists readable directory test'); - my Str:D $backup-dir = sprintf(Q{%s-old}, $orig-dir); - rename($orig-dir, $backup-dir); - mkdir($orig-dir); - run(qqw); - run(qqw); - run(qqw); - dir($backup-dir).map(-> IO::Path:D $file { - run(qqw< - cp - --no-dereference - --preserve=links,mode,ownership,timestamps - $file - $orig-dir - >); - }); - run(qqw); -} - -multi sub disable-cow( - Str:D $directory, - Bool :clean($), - Bool:D :recursive($)! where .so, - Str :permissions($), - Str :user($), - Str :group($) - --> Nil -) -{ - my Str:D $orig-dir = ~$directory.IO.resolve; - $orig-dir.IO.e && $orig-dir.IO.r && $orig-dir.IO.d - or die('directory failed exists readable directory test'); - run(qqw); -} - -multi sub disable-cow( - Str:D $directory, - Bool :clean($), - Bool :recursive($), - Str :permissions($), - Str :user($), - Str :group($) - --> Nil -) -{ - my Str:D $orig-dir = ~$directory.IO.resolve; - $orig-dir.IO.e && $orig-dir.IO.r && $orig-dir.IO.d - or die('directory failed exists readable directory test'); - run(qqw); -} - - # ----------------------------------------------------------------------------- # password hashes # ----------------------------------------------------------------------------- diff --git a/scripts/mount-system.sh b/scripts/mount-system.sh index 577a12a3..b13f0747 100755 --- a/scripts/mount-system.sh +++ b/scripts/mount-system.sh @@ -1,38 +1,49 @@ #!/bin/bash # ---------------------------------------------------------------------------- -# mount-system: mount voidvault btrfs subvolumes and efi partition +# mount-system: mount voidvault nilfs+lvm on luks and efi partition # ---------------------------------------------------------------------------- # instructions # - modify target partition (`_partition=/dev/sda`) as needed # - run `cryptsetup luksOpen /dev/sda3 vault` before running this script # setup -_btrfs_subvolumes=('' - 'home' - 'opt' - 'srv' - 'var' - 'var-cache-xbps' - 'var-lib-ex' - 'var-log' - 'var-opt' - 'var-spool' - 'var-tmp') -_compression='zstd' -_mount_options="rw,noatime,compress=$_compression,space_cache=v2" +_lvs=('opt' + 'srv' + 'var' + 'var-cache-xbps' + 'var-lib-ex' + 'var-log' + 'var-opt' + 'var-spool' + 'var-tmp' + 'home') +_mount_options='rw,noatime' _partition='/dev/sda' +_pool_name='vg0' _vault_name='vault' -# mount btrfs subvolumes starting with root ('') -for _btrfs_subvolume in "${_btrfs_subvolumes[@]}"; do - _btrfs_dir="${_btrfs_subvolume//-//}" - mkdir --parents "/mnt/$_btrfs_dir" +# activate lvm lvs +vgchange --activate y + +# mount root lv +mkdir --parents /mnt +mount \ + --types nilfs2 \ + --options "$_mount_options" \ + "/dev/$_pool_name/root" \ + /mnt + +# mount remaining lvs +for _lv in "${_lvs[@]}"; do + # replace hyphen in volume name with forward slash + _dir="${_lv//-//}" + mkdir --parents "/mnt/$_dir" mount \ - --types btrfs \ - --options "$_mount_options,subvol=@$_btrfs_subvolume" \ - "/dev/mapper/$_vault_name" \ - "/mnt/$_btrfs_dir" + --types nilfs2 \ + --options "$_mount_options" \ + "/dev/$_pool_name/$_lv" \ + "/mnt/$_dir" done # mount uefi boot partition diff --git a/scripts/umount-system.sh b/scripts/umount-system.sh index 2b0b6a82..018e9fa9 100755 --- a/scripts/umount-system.sh +++ b/scripts/umount-system.sh @@ -1,9 +1,19 @@ #!/bin/bash # ---------------------------------------------------------------------------- -# umount-system: unmount voidvault btrfs subvolumes and efi partition +# umount-system: unmount voidvault nilfs+lvm on luks and efi partition # ---------------------------------------------------------------------------- # instructions -# - run `cryptsetup luksClose vault` after running this script +# - modify vault name (`_vault_name='vault'`) as needed +# setup +_vault_name='vault' + +# unmount filesystems umount --recursive /mnt + +# deactivate lvm lvs +vgchange --activate n + +# close vault +cryptsetup luksClose "$_vault_name"