# Run as root
# sudo -i
# Prepare LiveCD Environment
add-apt-repository -y ppa:jonathonf/zfs
apt install -y zfs-dkms
systemctl stop zfs-zed.service
modprobe -r zfs
modprobe zfs
# Manually Partition Disk
sgdisk -n2:1M:+2G -t2:8300 /dev/vda
mkfs.ext4 /dev/vda2 # /boot; ext4 to match the fstab entry added below
sgdisk -n3:0:0 -t3:BF07 /dev/vda
# Create pool
zpool create -o ashift=12 -O compression=lz4 -O relatime=on -O dnodesize=auto -O recordsize=1M -O xattr=sa -O normalization=formD -O acltype=posixacl -O encryption=aes-256-gcm -O keylocation=prompt -O keyformat=passphrase rpool /dev/vda3
# Create temp ZVOL, and run ubiquity installer
zfs create -V 10G rpool/ubuntu-temp
ubiquity --no-bootloader # (install to /dev/zd0)
# Create root dataset and boot mountpoint, mount /boot and rsync
zfs create rpool/ROOT
zfs create rpool/ROOT/ubuntu-1
mkdir /rpool/ROOT/ubuntu-1/boot
mount /dev/vda2 /rpool/ROOT/ubuntu-1/boot
rsync -avPX --exclude '/swapfile' /target/. /rpool/ROOT/ubuntu-1/.
# Turn off swap and destroy temp ZVOL, set up chroot and enter chroot
swapoff -a
umount /target
zfs destroy rpool/ubuntu-temp
for d in proc sys dev; do mount --bind /$d /rpool/ROOT/ubuntu-1/$d; done
cp /etc/resolv.conf /rpool/ROOT/ubuntu-1/etc/resolv.conf
# Inside chroot, install zfs
chroot /rpool/ROOT/ubuntu-1 add-apt-repository -y ppa:jonathonf/zfs
chroot /rpool/ROOT/ubuntu-1 apt install -y zfs-dkms zfs-initramfs
# Fix fstab and grub defaults
sed -e '/\s\/\s/ s/^#*/#/' -i /rpool/ROOT/ubuntu-1/etc/fstab # Comment out the / line
sed -e '/\sswap\s/ s/^#*/#/' -i /rpool/ROOT/ubuntu-1/etc/fstab # Comment out the swap line
echo UUID=$(blkid -s UUID -o value /dev/vda2) /boot ext4 noatime 0 2 >> /rpool/ROOT/ubuntu-1/etc/fstab # Add /boot line
echo 'GRUB_DISABLE_OS_PROBER=true' >> /rpool/ROOT/ubuntu-1/etc/default/grub # Silence an error during grub-probe
# In my case, vt_handoff kernel option sometimes blocks TTY prompt
# Change vt_handoff="1" to "0" in /etc/grub.d/10_linux
sed -i '/vt_handoff/ s/="[^"][^"]*"/="0"/' /rpool/ROOT/ubuntu-1/etc/grub.d/10_linux
# grub-probe doesn't work to produce poolname with encryption enabled. Replaced with "zdb -l" command
sed -i 's/.*fs_label*/\trpool=\`zdb -l ${GRUB_DEVICE} \| grep \" name\"\| grep -o \"\x27.*\x27\"\| sed \"s\/\x27\/\/g\"/' /rpool/ROOT/ubuntu-1/etc/grub.d/10_linux
# Make grub.cfg and fix grub.cfg, make init, make bios_grub partition, install grub
chroot /rpool/ROOT/ubuntu-1 update-grub
chroot /rpool/ROOT/ubuntu-1 update-initramfs -u
chroot /rpool/ROOT/ubuntu-1 sgdisk -a1 -n1:512:2047 -t1:EF02 /dev/vda
chroot /rpool/ROOT/ubuntu-1 grub-install /dev/vda
# Unmount everything, set mountpoint, export pool and reboot
umount -R /rpool/ROOT/ubuntu-1
zfs set mountpoint=/ rpool/ROOT/ubuntu-1
zpool export rpool
# Restart computer
# shutdown -r 0
@ghfelds: That's an interesting idea, I'll try giving that a shot in a bit. I'm currently doing a "zfs recv" on an encrypted pool after dumping from a normal install, then I was going to try some of your changes above (vt_handoff, prober), to see if that would work. But I'll take a look at your gist a bit later.
I do still want to try @ghfields installer mod, but I was able to get an encrypted setup going using the roundabout method of: install, "zfs send" the rpool/ROOT and rpool/USERDATA, re-create the rpool with encryption, then "zfs recv", and use part of the above workflow. Annoying, but seems to work. I do get an os-prober error during update-grub, but the result seems to work.
Notes for future-me or someone else:
- Do normal install using zfs.
- Boot live CD.
- Recursive snapshot of ROOT and USERDATA: zfs snapshot -r rpool/ROOT@copy; zfs snapshot -r rpool/USERDATA
- Send dumps to another system: zfs send -R rpool/ROOT | gzip | nc REMOTEIP:PORT ; and same for rpool/USERDATA
- "zfs export rpool" and reformat using encryption from line 18 above.
- "zfs load-key rpool"
- Load ROOT and USERDATA from dumps: "nc -l PORT | gunzip | zfs recv -x encryption rpool/ROOT" and same for USERDATA.
- "zfs set mountpoint=/mnt" for the root filesystem and "/mnt/boot" for the /boot.
- zfs mount -a
- Steps 36-37, 45-57 above, but using /mnt instead. I just "chroot /mnt" and modify files as absolute path. I also commented out the swap entry from /etc/fstab.
- Then unmount -R /mnt; change the mountpoints back to absolute; zpool export bpool; zpool export rpool; reboot
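Added here as a post-migration check; it is not part of the gist or of the comment above. Both the gist's `zpool create ... -O encryption=aes-256-gcm` step and the `zfs recv -x encryption` step in the notes above rely on every dataset ending up encrypted under rpool's single passphrase, and a dataset received without `-x encryption` from an unencrypted source silently lands in plaintext. The script parses the output of `zfs get -H -o name,property,value -r encryption,encryptionroot,keylocation rpool` and flags any dataset with `encryption=off` or with an encryption root other than the pool (which `zfs load-key rpool` at boot would not unlock). The embedded sample output is constructed, with rpool/USERDATA deliberately shown unencrypted to exercise the failure case; the property names are real ZFS properties and the pool and dataset names are the ones used on this page.

```python
"""Post-migration audit for an encrypted ZFS root pool (added example, not
part of the gist). Parses `zfs get -H` output and reports any dataset that
is not encrypted under the pool's single key."""
import shutil
import subprocess
from collections import defaultdict

POOL = "rpool"
PROPS = ("encryption", "encryptionroot", "keylocation")

# Constructed `zfs get -H -o name,property,value -r ... rpool` output.
# rpool/ROOT/ubuntu-1 was received with `-x encryption` and inherits the
# pool key; rpool/USERDATA was received without it from an unencrypted
# source and therefore sits on the "encrypted" pool in plaintext.
SAMPLE = (
    "rpool\tencryption\taes-256-gcm\n"
    "rpool\tencryptionroot\trpool\n"
    "rpool\tkeylocation\tprompt\n"
    "rpool/ROOT\tencryption\taes-256-gcm\n"
    "rpool/ROOT\tencryptionroot\trpool\n"
    "rpool/ROOT\tkeylocation\tnone\n"
    "rpool/ROOT/ubuntu-1\tencryption\taes-256-gcm\n"
    "rpool/ROOT/ubuntu-1\tencryptionroot\trpool\n"
    "rpool/ROOT/ubuntu-1\tkeylocation\tnone\n"
    "rpool/USERDATA\tencryption\toff\n"
    "rpool/USERDATA\tencryptionroot\t-\n"
    "rpool/USERDATA\tkeylocation\tnone\n"
)


def parse_zfs_get(text):
    """Turn tab-separated (name, property, value) lines into {name: {prop: value}}."""
    datasets = defaultdict(dict)
    for line in text.splitlines():
        if not line.strip():
            continue
        name, prop, value = line.split("\t", 2)
        datasets[name][prop] = value
    return dict(datasets)


def audit(datasets, pool=POOL):
    """Return [(dataset, problem)] sorted by dataset name; empty means clean.

    Two things are flagged: a dataset with encryption=off (data at rest in
    plaintext on a pool the operator believes is encrypted) and a dataset
    whose encryptionroot is not the pool itself (it has its own key, so the
    boot-time `zfs load-key rpool` will not unlock it)."""
    problems = []
    for name in sorted(datasets):
        props = datasets[name]
        if props.get("encryption", "off") == "off":
            problems.append((name, "encryption=off"))
        elif props.get("encryptionroot") != pool:
            root = props.get("encryptionroot", "?")
            problems.append((name, "separate encryption root: " + root))
    return problems


def collect(pool=POOL):
    """Run the real `zfs get` when the tools are present, else use SAMPLE."""
    if shutil.which("zfs") is None:
        return SAMPLE
    cmd = ["zfs", "get", "-H", "-o", "name,property,value",
           "-r", ",".join(PROPS), pool]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    findings = audit(parse_zfs_get(collect()))
    if not findings:
        print(f"all datasets under {POOL} are encrypted with the pool key")
    for name, problem in findings:
        print(f"{name}: {problem}")
```

Run it from the live CD after the `zfs recv` steps and before exporting the pool; on the constructed sample it reports `rpool/USERDATA: encryption=off`, which is exactly the case a re-send with `-x encryption` (or a `zfs create` of the dataset under rpool before receiving) fixes.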
@ghfields: Ok, that Ubiquity hack worked totally brilliantly! Thanks!
@linsomniac You could try to modify the Ubiquity zsys installer to make it create an encrypted pool. I did this to 19.10, but here is my gist:
https://gist.github.com/ghfields/b9d070e4e4a3f9e29f03634ac05b5b36
You modify the /usr/share/ubiquity/zsys-setup on the livecd before running the installer. Use it for inspiration since it is for 19.10.