Has anyone managed to create an encrypted disk partition with CentOS 8 kickstart?
```
1 reqpart --add-boot
2 part /boot --fstype ext3 --size=1024 --ondrive=sda
3 part pv.1 --size=1 --grow --ondrive=sda --encrypted --pashphrase="bla"
4 volgroup vol0 pv.100000
5 logvol / --vgname=vg_00 --name=lv_root --size=102400 --fstype=ext4
...
```
No matter what I specify in line 3, the installer bombs out. The only way to a successful kickstart is to not encrypt the LVM PV. The contents of the passphrase are not to blame; the installer still dies after accepting a passphrase from the console.
```
15:57:45,280 DBG kickstart: Looking for platform-specific boot requirements.
15:57:45,281 DBG kickstart: Applying requirements:
PartSpec instance (0x7fbd40f44320) --
  mountpoint = /boot/efi lv = False thin = False btrfs = False
  ...
PartSpec instance (0x7fbd4048b4e0) --
  mountpoint = /boot lv = False thin = False btrfs = False
  ...
15:57:45,283 DBG bootloader: stage1 device cannot be of type disk
15:57:45,334 DBG exception: running handleException
15:57:45,334 CRT exception: Traceback (most recent call last):
```
Hi,
(Sorry, Thunderbird crashed while writing the previous message and seems to have sent it while closing...)
I successfully installed servers with kickstart using the following:
```
clearpart --all --initlabel
ignoredisk --only-use=sda

part /boot --asprimary --ondisk=sda --label=BOOT --fstype="ext4" --size=256
part /boot/efi --asprimary --ondisk=sda --label=EFI --fstype="efi" --size=256 --fsoptions=umask=0077,shortname=winnt
part pv.01 --ondisk=sda --fstype="lvmpv" --grow --encrypted --luks-version=luks2 --cipher=aes-xts-plain64 --passphrase=mysecret

volgroup system --pesize=4096 pv.01
logvol swap --vgname=system --name=swap --label="SWAP" --fstype="swap" --recommended --fsoptions=swap
logvol / --vgname=system --name=root --label="ROOT" --fstype="xfs" --percent=50
logvol /backup --vgname=system --name=backup --label="BACKUP" --fstype="xfs" --percent=50
```
I didn't know about the `reqpart` option (which seems to cause trouble here as the installation fails while creating `/boot/efi`).
Nevertheless, I was also wondering whether this scheme could be "optimized":
* only create a `/boot` partition (no `/boot/efi`) that will contain both boot and EFI files (hence formatted with `fstype="efi"`)
* do not use LVM to hold the encrypted partitions, but create a simple encrypted partition, mount it to `/dev/mapper` and create partitions (for `/`, swap, etc.) inside it.
The latter doesn't seem to be possible with pure-kickstart commands but using `%pre` commands[1].
Has anyone successfully experienced one or both of the options?
Thanks in advance.
[1] https://dark.ca/2009/08/03/complex-partitioning-in-kickstart/
On 2020-08-27 18:19, isdtor wrote:
> Has anyone managed to create an encrypted disk partition with CentOS 8 kickstart?
>
> 1 reqpart --add-boot
> 2 part /boot --fstype ext3 --size=1024 --ondrive=sda
> 3 part pv.1 --size=1 --grow --ondrive=sda --encrypted --pashphrase="bla"
> 4 volgroup vol0 pv.100000
> 5 logvol / --vgname=vg_00 --name=lv_root --size=102400 --fstype=ext4
> ...
>
> No matter what I specify in line 3, the installer bombs out. The only way to a successful kickstart is to not encrypt the LVM PV. The contents of the passphrase are not to blame; the installer still dies after accepting a passphrase from the console.
>
> 15:57:45,280 DBG kickstart: Looking for platform-specific boot requirements.
> 15:57:45,281 DBG kickstart: Applying requirements:
> PartSpec instance (0x7fbd40f44320) --
>   mountpoint = /boot/efi lv = False thin = False btrfs = False
>   ...
> PartSpec instance (0x7fbd4048b4e0) --
>   mountpoint = /boot lv = False thin = False btrfs = False
>   ...
> 15:57:45,283 DBG bootloader: stage1 device cannot be of type disk
> 15:57:45,334 DBG exception: running handleException
> 15:57:45,334 CRT exception: Traceback (most recent call last):
CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
isdtor writes:
> Has anyone managed to create an encrypted disk partition with CentOS 8 kickstart?
>
> 1 reqpart --add-boot
> 2 part /boot --fstype ext3 --size=1024 --ondrive=sda
> 3 part pv.1 --size=1 --grow --ondrive=sda --encrypted --pashphrase="bla"
> 4 volgroup vol0 pv.100000
> 5 logvol / --vgname=vg_00 --name=lv_root --size=102400 --fstype=ext4
> ...
So, yeah, apologies for the typos. The actual ks file is correct and consistent.
The problem was line 3 - apparently, "--size=1 --grow" doesn't cut it anymore. Increasing size to a reasonable number, e.g. on the order of "sum of all lvols", got me over the hump.
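
An added example, not part of any message in this thread: a small Python check for a kickstart partitioning section that flags the mismatches visible in the first post's fragment (misspelled option, undefined PV and volume group names), the `--size=1 --grow` case reported in the last message, and a cleartext `--passphrase`. `lint` and `opt_value` are hypothetical helper names, the option set is a partial subset of the real `part` options, and the input is expected to contain partitioning commands only (no `%pre`/`%post` script bodies).

```python
import shlex

# Constructed input: the fragment from the first post, typos included.
SAMPLE = """\
reqpart --add-boot
part /boot --fstype ext3 --size=1024 --ondrive=sda
part pv.1 --size=1 --grow --ondrive=sda --encrypted --pashphrase="bla"
volgroup vol0 pv.100000
logvol / --vgname=vg_00 --name=lv_root --size=102400 --fstype=ext4
"""

# Subset of the real `part` options, enough for this thread (not the full list).
PART_OPTS = {"--fstype", "--size", "--maxsize", "--grow", "--ondrive", "--ondisk",
             "--asprimary", "--label", "--fsoptions", "--encrypted",
             "--passphrase", "--luks-version", "--cipher"}

def opt_value(tokens, name):
    """Return the value of --name=value or --name value, else None."""
    for i, tok in enumerate(tokens):
        if tok.startswith(name + "="):
            return tok.split("=", 1)[1]
        if tok == name and i + 1 < len(tokens):
            return tokens[i + 1]
    return None

def lint(ks_text):
    """Check a kickstart partitioning section; return a list of findings."""
    cmds = [shlex.split(line, comments=True) for line in ks_text.splitlines()]
    cmds = [c for c in cmds if len(c) > 1]
    pvs = {c[1] for c in cmds if c[0] == "part" and c[1].startswith("pv.")}
    vgs = {c[1] for c in cmds if c[0] == "volgroup"}
    out = []
    for c in cmds:
        names = {t.split("=", 1)[0] for t in c[2:] if t.startswith("--")}
        if c[0] == "part":
            out += [f"{c[1]}: unknown part option {n}" for n in sorted(names - PART_OPTS)]
            if {"--encrypted", "--grow"} <= names and opt_value(c, "--size") == "1":
                out.append(f"{c[1]}: encrypted with --size=1 --grow, which failed on CentOS 8 in this thread")
            if "--passphrase" in names:
                out.append(f"{c[1]}: LUKS passphrase is stored in cleartext in the kickstart file")
        elif c[0] == "volgroup":
            out += [f"volgroup {c[1]}: {t} is not defined by any part command"
                    for t in c[2:] if t.startswith("pv.") and t not in pvs]
        elif c[0] == "logvol" and opt_value(c, "--vgname") not in vgs:
            out.append(f"logvol {c[1]}: volume group {opt_value(c, '--vgname')} is not defined")
    return out

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```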