Skip to content

Commit

Permalink
implement nilfs+lvm partitioning
Browse files Browse the repository at this point in the history 
- mark void-live-x86_64-musl-20181111.iso as failing
  - root NILFS2 filesystem is mounted read-only for unknown reasons
    - behavior appeared twice in a row on fresh installs
    - may have something to do with `libmount`
    - see: nilfs-dev/nilfs-utils#12
- implement customizable pool names
  - LVM volume group name = "pool name"
  - add `PoolName` type
    - validated against `man 8 lvm` naming rules
      - most of them, anyway
        - we do not validate dynamically against existing entries in `/dev/`
  - add pool name var to examples
  - add crude warning about naming rules for pool
    - as opposed to ensuring `$vault-name` and `$pool-name` are unique
      - which wouldn't ensure `$pool-name` is unique in `/dev/` anyway
        - we forego an incomplete solution for a crude non-solution and
          trust the user
          - simplifies it quite a bit
- use `/dev/$pool-name/$lv`, not `/dev/mapper/$pool-name-$lv`
  - as recommended by `man 8 lvm` line 162:
    - Links or nodes in /dev/mapper are intended only for internal use
      and the precise format and escaping might change between releases
      and distributions
    - Other software and scripts should use the
      /dev/VolumeGroupName/LogicalVolumeName format to reduce the chance
      of needing amendment when the software is updated
- configure nilfs_cleanerd to reduce overhead
  - credit: [xte on HN](https://news.ycombinator.com/item?id=18754205)
    - xte's posts were the impetus for experimenting with nilfs
- fix scripts/* for nilfs+lvm
- translate btrfs-administration.md to NILFS+LVM
  - rm doc/guides/btrfs-administration.md
- set GRUB_PRELOAD_MODULES=lvm in /etc/default/grub
  - doesn't appear to make any difference, but done out of thoroughness
  • Loading branch information
Andy Weidenbaum committed Feb 28, 2019
1 parent e4d6216 commit c429ff6
Show file tree
Hide file tree
Showing 17 changed files with 684 additions and 521 deletions.
67 changes: 30 additions & 37 deletions README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3,9 +3,9 @@ Voidvault

Last tested | ISO | Result
----------- | --------------------------------------------------------------- | ------
2018-12-01 | [void-live-x86_64-20181111.iso][void-live-iso-x86_64-glibc] | PASS
2018-12-01 | [void-live-x86_64-musl-20181111.iso][void-live-iso-x86_64-musl] | PASS
2018-12-01 | [void-live-i686-20181111.iso][void-live-iso-i686-glibc] | PASS
2019-01-12 | [void-live-x86_64-20181111.iso][void-live-iso-x86_64-glibc] | PASS
2019-01-12 | [void-live-x86_64-musl-20181111.iso][void-live-iso-x86_64-musl] | FAIL
2019-01-12 | [void-live-i686-20181111.iso][void-live-iso-i686-glibc] | PASS


Bootstrap Void with FDE
Expand All @@ -16,7 +16,7 @@ Description

### Overview

Voidvault bootstraps Void with whole system Btrfs on LUKS.
Voidvault bootstraps Void with whole system NILFS+LVM on LUKS.

Voidvault works on Void with Intel or AMD x86 CPU. It assumes you are
comfortable working on the cmdline, and that you have no need for booting
Expand All @@ -27,7 +27,7 @@ could cause catastrophic data loss and system instability.

### Features

- whole system Btrfs on LUKS, including encrypted `/boot`
- whole system [NILFS][NILFS]+LVM on LUKS, including encrypted `/boot`
- [runit][runit] PID 1
- [GPT][GPT] partitioning
- no swap partition, uses [zram][zram] via [zramen][zramen]
Expand Down Expand Up @@ -68,6 +68,7 @@ could cause catastrophic data loss and system instability.
- uses mq-deadline I/O scheduler for SSDs, BFQ for HDDs (see:
[resources/etc/udev/rules.d/60-io-schedulers.rules](resources/etc/udev/rules.d/60-io-schedulers.rules))
- enables runit service for dnscrypt-proxy, nftables and socklog
- configures [nilfs_cleanerd][nilfs_cleanerd] to reduce overhead
- configures [Xorg][Xorg], but does not install any Xorg packages (see:
[resources/etc/X11](resources/etc/X11))
- optionally disables IPv6, and makes IPv4-only adjustments to dhcpcd,
Expand All @@ -77,27 +78,23 @@ could cause catastrophic data loss and system instability.

- `/dev/sdX1` is the BIOS boot sector (size: 2MB)
- `/dev/sdX2` is the EFI system partition (size: 100MB)
- `/dev/sdX3` is the root Btrfs filesystem on LUKS (size: remainder)

Voidvault creates the following Btrfs subvolumes with a [flat layout][flat
layout]:

Subvolume name | Mounting point
--- | ---
`@` | `/`
`@boot` | `/boot`
`@home` | `/home`
`@opt` | `/opt`
`@srv` | `/srv`
`@var` | `/var`
`@var-cache-xbps` | `/var/cache/xbps`
`@var-log` | `/var/log`
`@var-opt` | `/var/opt`
`@var-spool` | `/var/spool`
`@var-tmp` | `/var/tmp`

Voidvault [disables Btrfs CoW][disables Btrfs CoW] on `/home`, `/srv`,
`/var/log`, `/var/spool` and `/var/tmp`.
- `/dev/sdX3` is the root NILFS+LVM filesystem on LUKS (size: remainder)

Voidvault creates the following LVM logical volumes:

Logical Volume name | Mounting point | LVM Extents
--- | --- | ---
`root` | `/` | `12%VG`
`boot` | `/boot` | `2%VG`
`opt` | `/opt` | `1%VG`
`srv` | `/srv` | `5%VG`
`var` | `/var` | `5%VG`
`var-cache-xbps` | `/var/cache/xbps` | `5%VG`
`var-log` | `/var/log` | `1%VG`
`var-opt` | `/var/opt` | `1%VG`
`var-spool` | `/var/spool` | `1%VG`
`var-tmp` | `/var/tmp` | `2%VG`
`home` | `/home` | `100%FREE`

Voidvault mounts directories `/srv`, `/tmp`, `/var/log`, `/var/spool`
and `/var/tmp` with options `nodev,noexec,nosuid`.
Expand Down Expand Up @@ -143,6 +140,7 @@ VOIDVAULT_ROOT_PASS="your root password"
VOIDVAULT_ROOT_PASS_HASH='$6$rounds=700000$xDn3UJKNvfOxJ1Ds$YEaaBAvQQgVdtV7jFfVnwmh57Do1awMh8vTBtI1higrZMAXUisX2XKuYbdTcxgQMleWZvK3zkSJQ4F3Jyd5Ln1'
VOIDVAULT_VAULT_NAME="vault"
VOIDVAULT_VAULT_PASS="your LUKS encrypted volume's password"
VOIDVAULT_POOL_NAME="vg0"
VOIDVAULT_HOSTNAME="vault"
VOIDVAULT_PARTITION="/dev/sdb"
VOIDVAULT_PROCESSOR="other"
Expand Down Expand Up @@ -171,6 +169,7 @@ voidvault --admin-name="live" \
--root-pass="your root password" \
--vault-name="vault" \
--vault-pass="your LUKS encrypted volume's password" \
--pool-name="vg0" \
--hostname="vault" \
--partition="/dev/sdb" \
--processor="other" \
Expand Down Expand Up @@ -240,14 +239,6 @@ voidvault ls partitions
voidvault ls timezones
```

### `voidvault disable-cow`

Disable the Copy-on-Write attribute for Btrfs directories.

```sh
voidvault -r disable-cow dest/
```


Installation
------------
Expand All @@ -260,7 +251,6 @@ Dependencies

Name | Provides | Included in Void ISO¹²?
--- | --- | ---
btrfs-progs | Btrfs support | Y
coreutils | `chmod`, `chown`, `cp`, `rm` | Y
cryptsetup | FDE with LUKS | Y
dosfstools | create VFAT filesystem for UEFI with `mkfs.vfat` | Y
Expand All @@ -273,7 +263,9 @@ grub | FDE on `/boot`, `grub-mkpasswd-pbkdf2` | Y
kbd | keymap data in `/usr/share/kbd/keymaps`, `setfont` | Y
kmod | `modprobe` | Y
libressl | user password salts | Y
lvm2 | LVM disk partitioning | N
musl³ | libcrypt | Y
nilfs-utils | NILFS support | N
procps-ng | `pkill` | Y
rakudo | `voidvault` Perl 6 runtime | N
tzdata | timezone data in `/usr/share/zoneinfo/zone.tab` | Y
Expand Down Expand Up @@ -310,6 +302,7 @@ variable values for all configuration options aside from:
- `--guest-pass`
- `--hostname`
- `--ignore-conf-repos`
- `--pool-name`
- `--repository`
- `--root-pass-hash`
- `--root-pass`
Expand Down Expand Up @@ -345,13 +338,13 @@ information, see http://unlicense.org/ or the accompanying UNLICENSE file.


[denies console login as root]: https://wiki.archlinux.org/index.php/Security#Denying_console_login_as_root
[disables Btrfs CoW]: https://wiki.archlinux.org/index.php/Btrfs#Disabling_CoW
[dnscrypt-proxy]: https://wiki.archlinux.org/index.php/DNSCrypt
[flat layout]: https://btrfs.wiki.kernel.org/index.php/SysadminGuide#Layout
[GPT]: https://wiki.archlinux.org/index.php/Partitioning#GUID_Partition_Table
[GRUB]: https://wiki.archlinux.org/index.php/GRUB
[hides process information]: https://wiki.archlinux.org/index.php/Security#hidepid
[nftables]: https://wiki.archlinux.org/index.php/nftables
[NILFS]: https://nilfs.sourceforge.io/
[nilfs_cleanerd]: https://news.ycombinator.com/item?id=18753858
[OpenSSH]: https://wiki.archlinux.org/index.php/Secure_Shell
[runit]: https://wiki.voidlinux.org/runit
[Sysctl]: https://wiki.archlinux.org/index.php/Sysctl
Expand Down
66 changes: 4 additions & 62 deletions bin/voidvault
View file
Original file line number Diff line number Diff line change
Expand Up @@ -10,33 +10,6 @@ use Voidvault::Utils;



# -----------------------------------------------------------------------------
# disable-cow
# -----------------------------------------------------------------------------

multi sub MAIN(
'disable-cow',
Bool :c(:$clean),
Str :g(:$group),
Str :p(:$permissions),
Bool :r(:$recursive),
Str :u(:$user),
*@directory
--> Nil
)
{
my %opts;
%opts<clean> = $clean if $clean;
%opts<group> = $group if $group;
%opts<permissions> = $permissions if $permissions;
%opts<recursive> = $recursive if $recursive;
%opts<user> = $user if $user;
Voidvault::Utils.disable-cow(@directory, |%opts);
}




# -----------------------------------------------------------------------------
# gen-pass-hash
# -----------------------------------------------------------------------------
Expand All @@ -58,11 +31,6 @@ multi sub MAIN('gen-pass-hash', Bool :g(:$grub) --> Nil)
# help
# -----------------------------------------------------------------------------

multi sub MAIN('help', 'disable-cow' --> Nil)
{
USAGE('disable-cow');
}

multi sub MAIN('help', 'gen-pass-hash' --> Nil)
{
USAGE('gen-pass-hash');
Expand Down Expand Up @@ -111,6 +79,7 @@ multi sub MAIN(
Str :keymap($),
Str :locale($),
Str :partition($),
Str :pool-name($),
Str :processor($),
Str :repository($),
Str :root-pass($),
Expand Down Expand Up @@ -182,7 +151,6 @@ multi sub USAGE(--> Nil)
voidvault <command>
Commands:
disable-cow Disable copy-on-write on directories
gen-pass-hash Generate password hash
help Show help for subcommands
ls List keymaps, locales, partitions, timezones
Expand All @@ -197,35 +165,6 @@ multi sub USAGE(--> Nil)
say($HELP);
}

multi sub USAGE('disable-cow' --> Nil)
{
constant $HELP = qq:to/EOF/.trim;
Usage:
voidvault [--clean]
[--permissions=<octal>]
[--user=<username>]
[--group=<groupname>]
disable-cow <directory> [<directory> <directory>..]
voidvault [-r] disable-cow <directory> [<directory> <directory>..]
Options:
-c, --clean
Remake directories with CoW disabled
-r, --recursive
Recursively disable CoW on directories
-p, --permissions=<octal>
Octal file mode bits (defaults to "755")
-u, --user=<username>
Named user to own file (defaults to "$*USER")
-g, --group=<groupname>
Named group to own file (defaults to "$*GROUP")
Positionals:
<directory> Path to directory
EOF
say($HELP);
}

multi sub USAGE('gen-pass-hash' --> Nil)
{
constant $HELP = q:to/EOF/.trim;
Expand Down Expand Up @@ -266,6 +205,7 @@ multi sub USAGE('new' --> Nil)
[--grub-name=<username>] [--grub-pass=<password>]
[--root-pass=<password>]
[--vault-name=<vaultname>] [--vault-pass=<password>]
[--pool-name=<poolname>]
[--hostname=<hostname>] [--partition=<device>]
[--processor=<processor>] [--graphics=<graphics>]
[--disk-type=<disktype>] [--locale=<locale>]
Expand Down Expand Up @@ -312,6 +252,8 @@ multi sub USAGE('new' --> Nil)
Locale
--partition=<device>
Partition target for install
--pool-name=<poolname>
Name for LVM volume group
--processor=<processor>
Processor type
--repository=<repository>
Expand Down
Loading

0 comments on commit c429ff6

Please sign in to comment.