[buildd-tools-devel] Bug#639105: Bug#639105: please consider adding support for lvm-snapshot on crypted LV

Roger Leigh rleigh at codelibre.net
Sun May 13 00:12:34 UTC 2012


On Sun, May 13, 2012 at 01:30:06AM +0200, Marc Haber wrote:
> Hi Roger,
> 
> sorry for not getting back to you any sooner.

Please don't worry--after finishing my PhD and starting a new job,
this weekend is the first time I've had to really get into schroot
development, so the timing is perfect!

> On Wed, Aug 24, 2011 at 10:32:24AM +0100, Roger Leigh wrote:
> > I'll be happy to add this to schroot.  Currently the 05lvm setup
> > script is simply doing an lvcreate when creating and lvremove
> > when removing a session, respectively.  Could you please provide
> > an example of the commands you would need to run to do this for
> > an encrypted PV/LV (I guess we should support both; is the PV
> > method more transparent)?
> 
> Encrypted PV will work with current schroot setup, you can just take a
> snapshot from the LV and directly use it.
> 
> Encrypted LV is a little bit harder.
> 
> I would suggest configuration like:
> 
> [sid_build64]
> type=crypted-lvm-snapshot
> device=/dev/salida/c_sid_build64
> mapping-name=sid_build64
> script-config=zg2-build/config
> description=sid amd64 for building packages
> users=mh
> source-users=mh
> personality=linux
> lvm-snapshot-options=-L 4G
> 
> You could also auto-generate the mapping-name for the unlocked volume.
> That way, things would just work without a new configuration key.
> Optionally, you could implement this inside the normal lvm-snapshot
> type by trying cryptsetup isLuks <device> which will indicate whether
> the device is encrypted or not.
> 
> To enable this chroot, you would need:
> 
> lvcreate --snapshot <lvm-snapshot-options> --name <mapping-name> <device>
> cryptdisks_start <mapping-name>
> mount /dev/mapper/<mapping-name> <mountpoint>
> 
> This would need the crypttab line for <device> to be repeated for
> <mapping-name>, and the cryptdisks_start call will probably go
> interactive, querying the user for the passphrase.
> 
> This is horribly untested.

Thanks for the hints to get started with this.  With 1.5.2, you
should potentially be able to experiment with this using user
options--you can just add the mapping-name and anything else
you need.  You'll get MAPPING_NAME set in the setup scripts, so
the script can then use that to set up.

This one might need deferring for 1.5.3 in a week or so, due
to being a bit harder than the first two, and me lacking a
system with any crypted LVs to test on.  If you would be
willing to give 1.5.2 a try with some custom setup scripts, that
would greatly speed up getting this working.


Regards,
Roger

-- 
  .''`.  Roger Leigh
 : :' :  Debian GNU/Linux    http://people.debian.org/~rleigh/
 `. `'   schroot and sbuild  http://alioth.debian.org/projects/buildd-tools
   `-    GPG Public Key      F33D 281D 470A B443 6756 147C 07B3 C8BC 4083 E800
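
The command sequence from the quoted message, combined with the `cryptsetup isLuks` probe it suggests, as an added dry-run sketch. This is not part of the original mail and not schroot's own setup script. The function names, the mapping-name check and the teardown order using `cryptdisks_stop` and `lvremove` are assumptions of this example; it only prints the commands it would run.

```shell
#!/bin/sh
# Added sketch: dry-run planner for the snapshot steps quoted above.
# It only prints commands; nothing here is schroot's own 05lvm script.

# True if the device carries a LUKS header (the probe suggested in the mail).
is_luks() {
    cryptsetup isLuks "$1" 2>/dev/null
}

# Setup scripts run as root, so refuse names that could escape /dev/mapper
# or be parsed as an option: only [A-Za-z0-9_.-], not starting with . or -
valid_name() {
    case "$1" in
        ''|.*|-*|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    return 0
}

# plan_setup DEVICE MAPPING_NAME MOUNTPOINT SNAPSHOT_OPTIONS
# Prints one command per line for session start.
plan_setup() {
    device=$1 name=$2 mnt=$3 opts=$4
    valid_name "$name" || { echo "invalid mapping name: $name" >&2; return 2; }
    echo "lvcreate --snapshot $opts --name $name $device"
    if is_luks "$device"; then
        # Encrypted LV: the snapshot is itself a LUKS container. Unlocking it
        # needs a crypttab entry for $name and may prompt for the passphrase.
        echo "cryptdisks_start $name"
        echo "mount /dev/mapper/$name $mnt"
    else
        # Plain LV (or an LV on an encrypted PV): mount the snapshot directly.
        echo "mount $(dirname "$device")/$name $mnt"
    fi
}

# plan_teardown DEVICE MAPPING_NAME MOUNTPOINT: reverse order for session end.
plan_teardown() {
    device=$1 name=$2 mnt=$3
    valid_name "$name" || return 2
    echo "umount $mnt"
    if is_luks "$device"; then
        echo "cryptdisks_stop $name"
    fi
    echo "lvremove -f $(dirname "$device")/$name"
}
```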




