stafwag Blog

staf wagemakers blog

Model-m Tux Update...


I own a Unicomp model-m keyboard. The keyboard has a nice key feel, but it has Windows super key(s).


I don’t use the super key(s) and would prefer a keyboard without them. But if it has to have super keys, I’d rather have them without the Windows logo on them, so it was time to replace them with the Tux version.

Pictures

(Images: modelm_tux_package.jpg, modelm_all_keys.jpg, modelm_tux_only.jpg, modelm_with_tux_keys.jpg)

Jenkins Build With 20 Cores

I finally got the time to try out my jenkins build on my new 20 Core Dual Processor Jenkins Build Workstation.

I’m able to run all tests on multiple operating systems now. I still need to review this setup and perhaps move some tests to docker instead of the virtual machines to save some memory, but this jenkins setup was configured before docker was a thing.

Have fun

20 Core Dual Processor Jenkins Build Workstation



My jenkins builds are taking too long, mainly due to the lack of memory. I mainly use jenkins to verify that my software works on different operating systems (GNU/Linux distributions / *BSD / Solaris).

Looking for a solution that is still affordable, I ended up building a dual Xeon workstation. The CPUs and memory come from www.ebay.be.


 

Part list:

  • CPU: 2 * Intel Xeon E5-2660v2. This CPU has 10 cores and 20 threads, so I get 40 threads.
  • Motherboard: Asrock EP2C602-4L/D16. I chose this motherboard because it has a lot of DIMM slots, so I can upgrade the memory in the future. The downside is that its SSI EEB layout limits the choice of case.
  • Memory: 4 * SAMSUNG M393B2G70BH0-CK0 16GB, which gives me 64 GB of ECC memory.
  • CPU Cooler: 2 * Thermaltake Water 3.0 Performer C. For the first time I used water cooling, mainly because I wanted to make sure that the cooling would not block access to the DIMM slots.
  • PSU: Seasonic FOCUS Plus 750 Gold. I needed a power supply with 2 * 8-pin CPU connectors.
  • Case: Phanteks Enthoo Pro. This case supports SSI EEB and is not too expensive.

Pictures

(Images: Xeon CPU side)

Still need to verify if jenkins works on this system :-)

Bacula on FreeBSD (Part 2 Bacula Catalog Over SSL )


In my previous post, I set up a PostgreSQL FreeBSD jail. In this post we continue with the bacula server.

In this post we will continue with the database connection (the Catalog); we’ll go the extra mile (1,609344 km) and encrypt the catalog connection with SSL. Why? We encrypt... because we can!

Bacula Components

  • Bacula Director
    The Bacula Director is a daemon that runs in the background and controls all backup operations.

  • Bacula Console
    The Bacula console is an administrator program that allows a system administrator to control the Bacula director.

  • Bacula File
    The Bacula File daemon is the backup client software, installed on the host that is being backed up.

  • Bacula Storage
    The Bacula Storage daemon handles the backup media.

  • Catalog
    The Catalog is the index of the backups. Bacula supports three types of catalog database: MySQL (MariaDB), PostgreSQL and SQLite.

  • Bacula monitor
    A Bacula monitor service is a program that allows the system administrator to verify the status of the Bacula Directors, Bacula File Daemons and Bacula Storage Daemons.

Bacula Server

Jail

Create the Bacula Server Jail

root@rataplan:~ # ezjail-admin create stafbacula "em0|192.168.1.52"
Warning: Some services already seem to be listening on all IP, (including 192.168.1.52)
  This may cause some confusion, here they are:
root     ntpd       754   20 udp6   *:123                 *:*
root     ntpd       754   21 udp4   *:123                 *:*
root     rpc.statd  717   4  udp6   *:846                 *:*
root     rpc.statd  717   5  tcp6   *:846                 *:*
root     rpc.statd  717   6  udp4   *:846                 *:*
root     rpc.statd  717   7  tcp4   *:846                 *:*
root     nfsd       713   5  tcp4   *:2049                *:*
root     nfsd       713   6  tcp6   *:2049                *:*
root     mountd     707   5  udp6   *:823                 *:*
root     mountd     707   6  tcp6   *:823                 *:*
root     mountd     707   7  udp4   *:823                 *:*
root     mountd     707   8  tcp4   *:823                 *:*
root     rpcbind    676   6  udp6   *:111                 *:*
root     rpcbind    676   7  udp6   *:779                 *:*
root     rpcbind    676   8  tcp6   *:111                 *:*
root     rpcbind    676   9  udp4   *:111                 *:*
root     rpcbind    676   10 udp4   *:768                 *:*
root     rpcbind    676   11 tcp4   *:111                 *:*
root     syslogd    656   6  udp6   *:514                 *:*
root     syslogd    656   7  udp4   *:514                 *:*
root@rataplan:~ # 

Start the jail

root@rataplan:~ # ezjail-admin start stafbacula
Starting jails: stafbacula.
/etc/rc.d/jail: WARNING: Per-jail configuration via jail_* variables  is obsolete.  Please consider migrating to /etc/jail.conf.
root@rataplan:~ # 

Open the console

root@rataplan:~ # ezjail-admin console stafbacula
FreeBSD 11.1-RELEASE-p1 (GENERIC) #0: Wed Sep  9 11:55:48 UTC 2017

Welcome to FreeBSD!

Release Notes, Errata: https://www.FreeBSD.org/releases/
Security Advisories:   https://www.FreeBSD.org/security/
FreeBSD Handbook:      https://www.FreeBSD.org/handbook/
FreeBSD FAQ:           https://www.FreeBSD.org/faq/
Questions List: https://lists.FreeBSD.org/mailman/listinfo/freebsd-questions/
FreeBSD Forums:        https://forums.FreeBSD.org/

Documents installed with the system are in the /usr/local/share/doc/freebsd/
directory, or can be installed later with:  pkg install en-freebsd-doc
For other languages, replace "en" with a language code like de or fr.

Show the version of FreeBSD installed:  freebsd-version ; uname -a
Please include that output and any error messages when posting questions.
Introduction to manual pages:  man man
FreeBSD directory layout:      man hier

Edit /etc/motd to change this login announcement.
root@stafbacula:~ # 

Bacula installation

Install pkg

Set up dns

root@stafbacula:~ # vi /etc/resolv.conf
nameserver 192.168.1.1

Bootstrap pkg

root@stafbacula:~ # pkg
The package management tool is not yet installed on your system.
Do you want to fetch and install it now? [y/N]: y
Bootstrapping pkg from pkg+http://pkg.FreeBSD.org/FreeBSD:11:amd64/quarterly, please wait...
Verifying signature with trusted certificate pkg.freebsd.org.2013102301... done
[stafbacula] Installing pkg-1.10.1...
[stafbacula] Extracting pkg-1.10.1: 100%
pkg: not enough arguments
Usage: pkg [-v] [-d] [-l] [-N] [-j <jail name or id>|-c <chroot path>|-r <rootdir>] [-C <configuration file>] [-R <repo config dir>] [-o var=value] [-4|-6] <command> [<args>]

For more information on available commands and options see 'pkg help'.
root@stafbacula:~ # 

Install the bacula server package

root@stafbacula:~ # pkg install bacula-server
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
Updating database digests format: 100%
The following 8 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
        bacula-server: 7.4.7_1
        bacula-client: 7.4.7_1
        readline: 7.0.3
        indexinfo: 0.2.6
        gettext-runtime: 0.19.8.1_1
        lzo2: 2.10_1
        postgresql95-client: 9.5.7_1
        perl5: 5.24.1_1

Number of packages to be installed: 8

The process will require 69 MiB more space.
17 MiB to be downloaded.

Proceed with this action? [y/N]: y
[stafbacula] [1/8] Fetching bacula-server-7.4.7_1.txz: 100%  678 KiB 694.6kB/s    00:01    
[stafbacula] [2/8] Fetching bacula-client-7.4.7_1.txz: 100%  286 KiB 292.8kB/s    00:01    
[stafbacula] [3/8] Fetching readline-7.0.3.txz: 100%  334 KiB 342.4kB/s    00:01    
[stafbacula] [4/8] Fetching indexinfo-0.2.6.txz: 100%    5 KiB   5.3kB/s    00:01    
[stafbacula] [5/8] Fetching gettext-runtime-0.19.8.1_1.txz: 100%  148 KiB 151.1kB/s    00:01    
[stafbacula] [6/8] Fetching lzo2-2.10_1.txz: 100%  113 KiB 115.4kB/s    00:01    
[stafbacula] [7/8] Fetching postgresql95-client-9.5.7_1.txz: 100%    2 MiB 772.9kB/s    00:03    
[stafbacula] [8/8] Fetching perl5-5.24.1_1.txz: 100%   13 MiB 874.0kB/s    00:16    
Checking integrity... done (0 conflicting)
[stafbacula] [1/8] Installing indexinfo-0.2.6...
[stafbacula] [1/8] Extracting indexinfo-0.2.6: 100%
[stafbacula] [2/8] Installing readline-7.0.3...
[stafbacula] [2/8] Extracting readline-7.0.3: 100%
[stafbacula] [3/8] Installing gettext-runtime-0.19.8.1_1...
[stafbacula] [3/8] Extracting gettext-runtime-0.19.8.1_1: 100%
[stafbacula] [4/8] Installing lzo2-2.10_1...
[stafbacula] [4/8] Extracting lzo2-2.10_1: 100%
[stafbacula] [5/8] Installing perl5-5.24.1_1...
[stafbacula] [5/8] Extracting perl5-5.24.1_1: 100%
[stafbacula] [6/8] Installing bacula-client-7.4.7_1...
===> Creating groups.
Creating group 'bacula' with gid '910'.
===> Creating users
Creating user 'bacula' with uid '910'.
[stafbacula] [6/8] Extracting bacula-client-7.4.7_1: 100%
[stafbacula] [7/8] Installing postgresql95-client-9.5.7_1...
[stafbacula] [7/8] Extracting postgresql95-client-9.5.7_1: 100%
[stafbacula] [8/8] Installing bacula-server-7.4.7_1...
===> Creating groups.
Using existing group 'bacula'.
===> Creating users
Using existing user 'bacula'.
[stafbacula] Extracting bacula-server-7.4.7_1: 100%
Message from perl5-5.24.1_1:
The /usr/bin/perl symlink has been removed starting with Perl 5.20.
For shebangs, you should either use:

#!/usr/local/bin/perl

or

#!/usr/bin/env perl

The first one will only work if you have a /usr/local/bin/perl,
the second will work as long as perl is in PATH.
Message from bacula-client-7.4.7_1:
################################################################################

NOTE:
Sample files are installed in /usr/local/etc/bacula:

  bconsole.conf.sample, bacula-fd.conf.sample

################################################################################
Message from postgresql95-client-9.5.7_1:
The PostgreSQL port has a collection of "side orders":

postgresql-docs
  For all of the html documentation

p5-Pg
  A perl5 API for client access to PostgreSQL databases.

postgresql-tcltk
  If you want tcl/tk client support.

postgresql-jdbc
  For Java JDBC support.

postgresql-odbc
  For client access from unix applications using ODBC as access
  method. Not needed to access unix PostgreSQL servers from Win32
  using ODBC. See below.

ruby-postgres, py-PyGreSQL
  For client access to PostgreSQL databases using the ruby & python
  languages.

postgresql-plperl, postgresql-pltcl & postgresql-plruby
  For using perl5, tcl & ruby as procedural languages.

postgresql-contrib
  Lots of contributed utilities, postgresql functions and
  datatypes. There you find pg_standby, pgcrypto and many other cool
  things.

etc...
Message from bacula-server-7.4.7_1:
###############################################################################

bacula server was installed

An auto-changer manipulation script based on FreeBSDs
chio command is included and installed at

  /usr/local/sbin/chio-bacula

Please have a look at it if you want to use an
autochanger. You have to configure the usage in

  /usr/local/etc/bacula/bacula-dir.conf

Take care of correct permissions for changer and
tape device (e.g. /dev/ch0 and /dev/n[r]sa0) i.e.
they must be accessible by user bacula.

Due to lack of some features in the FreeBSD tape driver
implementation you MUST add some OS dependent options to
the bacula-sd.conf file:

  Hardware End of Medium = no;
  Backward Space Record  = no;
  Backward Space File    = no;

With 2 filemarks at EOT (see man mt):
  Fast Forward Space File = no;
  BSF at EOM = yes;
  TWO EOF    = yes;

With 1 filemarks at EOT (see man mt):
  Fast Forward Space File = yes;
  BSF at EOM = no;
  TWO EOF   = no;

NOTE: YOU CAN SWITCH EOT model ONLY when starting
      from scratch with EMPTY tapes.

It is also important that all the scripts accessed
by RunBeforeJob and RunAfterJob will be executed by
the user bacula.  Check your permissions.

For USB support read the bacula manual. It could be necessary
to configure/compile a new kernel.

Look at /usr/local/share/bacula/update_bacula_tables for
database update procedure. Details can be found in the
ReleaseNotes

If you are using sqlite you need to run the make_sqlite_tables script as
the bacula user. Do this using 'sudo su -m bacula'.

################################################################################
root@stafbacula:~ # 

Initialize the bacula catalog

We’ll have a PostgreSQL server running in a FreeBSD jail as our catalog (see http://stafwag.github.io/blog/blog/2017/08/06/bacula-on-freebsd:w_part1/ for how to install PostgreSQL into a FreeBSD jail).

PostgreSQL setup

The setup below describes how to configure the PostgreSQL catalog with certificate and username/password authentication. This might be overkill, since the bacula server runs on the same physical host, so no data goes out on the network. But I wanted to set up the database connection as securely as possible and will reuse this setup for my other database connections. We’ll set up a “self signed” root CA for now, but I’ll replace it with my own CA in the future.

PostgreSQL authentication methods

PostgreSQL supports a lot of authentication methods; you’ll find a short description of the supported methods below (without too much detail):

  • Trust Authentication
    With trust authentication PostgreSQL trusts the connection from the remote host; this is the default for localhost and “socket” connections.
     
  • Password Authentication
    Authentication with login/password.
     
  • GSSAPI Authentication
    Authentication with the Generic Security Services Application Program Interface
     
  • SSPI Authentication
    Authentication with the Security Support Provider Interface. SSPI is a proprietary variant of GSSAPI with extensions and very Windows-specific data types.
     
  • Kerberos Authentication
    Authentication using the Kerberos protocol
     
  • Ident Authentication
    Authentication using the ident protocol
     
  • Peer Authentication
    Authentication using the getpeereid() kernel function; only supported for local connections on BSD, macOS and GNU/Linux.
     
  • LDAP Authentication
    LDAP authentication.
     
  • RADIUS Authentication
    Radius authentication.
     
  • Certificate Authentication
    Authentication with a PKI certificate.
     
  • PAM Authentication
    PAM based authentication.
     

     
I wanted to use password authentication over SSL with a client certificate. The bacula documentation isn’t very clear on how to configure it. After a quick look at the bacula source code it should be supported, so let’s give it a try…

Configure the PostgreSQL jail

Allow network connections

Log on to the postgreSQL server jail, move to the postgreSQL data directory and edit postgresql.conf to allow TCP/IP connections.

root@stafdb:/var/db/postgres/data96 # pwd
/var/db/postgres/data96
root@stafdb:/var/db/postgres/data96 # vim postgresql.conf
# - Connection Settings -

listen_addresses = '192.168.1.51'               # what IP address(es) to listen on;
# listen_addresses = 'localhost'                # what IP address(es) to listen on;
                                        # comma-separated list of addresses;
                                        # defaults to 'localhost'; use '*' for all
                                        # (change requires restart)
#port = 5432                            # (change requires restart)

SSL encryption

It’s always a good idea to encrypt your connections.

SSL Server setup
Umask

Set the umask so that nobody else can read your private key.

root@stafdb:/var/db/postgres/data96 # su - postgres
$ umask 077 
$ 
Create a private key

Create a private key without encrypting it.

openssl genrsa -out server.key 4096
Generating RSA private key, 4096 bit long modulus
........................................................................................................................................................................................................................++
......++
e is 65537 (0x10001)
$ 
Create a self-signed certificate
$ openssl req -new -key server.key -days 3650 -out server.crt -x509 -subj '/C=BE/ST=Flanders/L=Antwerp/O=stafnet/CN=stafdb'
$ ls -ltr
total 23
-rw-------   1 postgres  postgres  3247 Sep  9 11:47 server.key
-rw-------   1 postgres  postgres  1964 Sep  9 11:52 server.crt
$ 
Root ca

We created a self-signed certificate, so the server certificate is our trusted CA root.

$ ln -s server.crt root.crt
$ ls -ltr
total 24
-rw-------   1 postgres  postgres  3247 Sep  9 11:47 server.key
-rw-------   1 postgres  postgres  1964 Sep  9 11:52 server.crt
lrwx------   1 postgres  postgres    10 Sep  9 11:53 root.crt -> server.crt
$ 
Enable ssl

Edit postgresql.conf and update the ssl settings.

$ vi postgresql.conf

By default ssl_ca_file is not set, but this directive is required, so don’t forget to set it. We disable the 3DES ciphers; they’re obsolete… We don’t specify a CRL for now.

#authentication_timeout = 1min          # 1s-600s
ssl = on                                # (change requires restart)
ssl_ciphers = 'HIGH:MEDIUM:!3DES:!aNULL' # allowed SSL ciphers
                                        # (change requires restart)
ssl_prefer_server_ciphers = on          # (change requires restart)
#ssl_ecdh_curve = 'prime256v1'          # (change requires restart)
ssl_cert_file = 'server.crt'            # (change requires restart)
ssl_key_file = 'server.key'             # (change requires restart)
ssl_ca_file = 'root.crt'                        # (change requires restart)
#ssl_crl_file = ''                      # (change requires restart)
#password_encryption = on
SSL Client setup
Become bacula

Log on to the bacula jail and become the bacula user. We use “su -m …” to log on to the locked daemon account; this will take over the root environment.

root@rataplan:~ # ezjail-admin console stafbacula
Last login: Wed Sep  9 09:33:16 on pts/0
FreeBSD 11.1-RELEASE-p1 (GENERIC) #0: Wed Sep  9 11:55:48 UTC 2017

Welcome to FreeBSD!

Release Notes, Errata: https://www.FreeBSD.org/releases/
Security Advisories:   https://www.FreeBSD.org/security/
FreeBSD Handbook:      https://www.FreeBSD.org/handbook/
FreeBSD FAQ:           https://www.FreeBSD.org/faq/
Questions List: https://lists.FreeBSD.org/mailman/listinfo/freebsd-questions/
FreeBSD Forums:        https://forums.FreeBSD.org/

Documents installed with the system are in the /usr/local/share/doc/freebsd/
directory, or can be installed later with:  pkg install en-freebsd-doc
For other languages, replace "en" with a language code like de or fr.

Show the version of FreeBSD installed:  freebsd-version ; uname -a
Please include that output and any error messages when posting questions.
Introduction to manual pages:  man man
FreeBSD directory layout:      man hier

Edit /etc/motd to change this login announcement.
You have new mail.
root@stafbacula:~ # su -m bacula -c "/bin/sh"
$ id
uid=910(bacula) gid=910(bacula) groups=910(bacula)
$ 
umask

Set the umask so that nobody else can read your private key.

$ umask 077
$ 
Move to the bacula home directory
$ cat /etc/passwd | grep bacula
bacula:*:910:910:Bacula Daemon:/var/db/bacula:/usr/sbin/nologin
$ cd /var/db/bacula
Create the .postgres directory
$ mkdir .postgres
$ ls -la
total 12
drwxrwx---   3 bacula  bacula   3 Sep  9 09:41 .
drwxr-xr-x  14 root    wheel   18 Sep  9 14:41 ..
drwx------   2 bacula  bacula   2 Sep  9 09:41 .postgres
$ cd .postgres/
$ 
Create a private key

We took over the root environment, therefore we need to point the RANDFILE variable to a randfile in the bacula home directory.

$ pwd
/var/db/bacula/.postgres
$ export RANDFILE=/var/db/bacula/.rnd
$ 

Create the private key.

$ openssl genrsa -out `hostname`.key 4096
Generating RSA private key, 4096 bit long modulus
..........++
.......................................................++
e is 65537 (0x10001)
$ 
Create the client csr
$ openssl req -new -key stafbacula.key -out stafbacula.csr -subj '/C=BE/ST=Flanders/L=Antwerp/O=stafnet/CN=stafbacula'
$ 
Create the client certificate

Log on to the postgreSQL jail as postgres and sign the client CSR.

[postgres@stafdb ~/data96]$ openssl x509 -req -in stafbacula.csr -CAcreateserial -CA root.crt -CAkey server.key -out stafbacula.crt 
Signature ok
subject=/C=BE/ST=Flanders/L=Antwerp/O=stafnet/CN=stafbacula
Getting CA Private Key
[postgres@stafdb ~/data96]$ 
Copy the client certificate and the trusted root certificate to the bacula jail
$ uname -a
FreeBSD stafbacula 11.1-RELEASE-p1 FreeBSD 11.1-RELEASE-p1 #0: Wed Sep  9 11:55:48 UTC 2017     root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  amd64
$ pwd
/var/db/bacula/.postgres
$ ls -ltr
total 24
-rw-------  1 bacula  bacula  3243 Sep  9 09:47 stafbacula.key
-rw-------  1 bacula  bacula  1679 Sep  9 09:54 stafbacula.csr
-rw-------  1 bacula  bacula  1964 Sep  9 10:04 root.crt
-rw-------  1 bacula  bacula  1850 Sep  9 10:06 stafbacula.crt
$ 

Host file on the bacula jail

The hostname of the postgresql jail has to match the CN of the server certificate, so we’ll add the hostname to /etc/hosts.

root@stafbacula:~ # vi /etc/hosts
192.168.1.51    stafdb

Setup the bacula database

Create the bacula database user

[postgres@stafdb ~/data96]$ id
uid=770(postgres) gid=770(postgres) groups=770(postgres)
[postgres@stafdb ~/data96]$ psql postgres
psql (9.6.3)
Type "help" for help.

postgres=# create user bacula WITH PASSWORD 'xxxxxx';
CREATE ROLE
postgres=# 

To update the user password:

postgres=# alter user bacula PASSWORD 'yyyyyyy';
ALTER ROLE
postgres=# 

You can view the new permissions in the pg_user table or by executing \du (the describe-user shortcut); by default the user has minimal permissions.

postgres=# select * from pg_user where usename = 'bacula';
 usename | usesysid | usecreatedb | usesuper | userepl | usebypassrls |  passwd  | valuntil | useconfig 
---------+----------+-------------+----------+---------+--------------+----------+----------+-----------
 bacula  |    16386 | f           | f        | f       | f            | ******** |          | 
(1 row)

postgres=# 
postgres=# \du
                                   List of roles
 Role name |                         Attributes                         | Member of 
-----------+------------------------------------------------------------+-----------
 bacula    |                                                            | {}
 postgres  | Superuser, Create role, Create DB, Replication, Bypass RLS | {}

postgres=# 

Allow the bacula user to create databases

The bacula database script will try to create the bacula catalog database, so we’ll allow the bacula user to create databases.

postgres=# alter user bacula CREATEDB;
ALTER ROLE
postgres=# select * from pg_user where usename = 'bacula';
 usename | usesysid | usecreatedb | usesuper | userepl | usebypassrls |  passwd  | valuntil | useconfig 
---------+----------+-------------+----------+---------+--------------+----------+----------+-----------
 bacula  |    16386 | t           | f        | f       | f            | ******** |          | 
(1 row)

postgres=# \du
                                   List of roles
 Role name |                         Attributes                         | Member of 
-----------+------------------------------------------------------------+-----------
 bacula    | Create DB                                                  | {}
 postgres  | Superuser, Create role, Create DB, Replication, Bypass RLS | {}

postgres=# 

Create the bacula database

We’ll create a bacula database so we can verify the database connection from the bacula user to the bacula database.

Create a new bacula database

postgres=# create database bacula;
CREATE DATABASE
postgres=# 

Grant all permissions to the bacula user

postgres=# grant ALL on DATABASE bacula to bacula;
GRANT
postgres=# 

Update pg_hba

The pg_hba.conf configuration controls the host-based access to your postgreSQL database(s).

[postgres@stafdb ~/data96]$ pwd
/var/db/postgres/data96
[postgres@stafdb ~/data96]$ id
uid=770(postgres) gid=770(postgres) groups=770(postgres)
[postgres@stafdb ~/data96]$ vi pg_hba.conf 

And add the following lines:

# TYPE  DATABASE        USER            ADDRESS                 METHOD
hostssl bacula          bacula          192.168.1.52/32         md5 clientcert=1
hostssl template0       bacula          192.168.1.52/32         md5 clientcert=1
hostssl template1       bacula          192.168.1.52/32         md5 clientcert=1
hostssl postgres        bacula          192.168.1.52/32         md5 clientcert=1

Our bacula jail 192.168.1.52 only needs access to the bacula database with the bacula user over SSL: hostssl only accepts SSL connections, with md5 the password is sent as an MD5 hash, and clientcert=1 requires a client certificate.

We could also have used the cert method and mapped the client certificate to a postgresql user, so we could authenticate with the client certificate only…

We allow access to the template* and the postgres databases because the bacula database create script requires it. We can remove them (only allow access to the bacula database) after the catalog database is created.
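As an added example (not from the original post), the script below parses pg_hba.conf rules like the ones above and the ssl directives from the “Enable ssl” section, and reports entries that would let the catalog user in without TLS, without a client certificate, without any authentication, or from an address other than the bacula jail. The sample configs are constructed inline; the bacula user and the 192.168.1.52/32 address come from the post, the two weak pg_hba rules are constructed for the audit to catch.

```python
import ipaddress
import re

# Constructed sample: the two post rules plus two weak ones the audit should flag.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE        USER            ADDRESS                 METHOD
hostssl bacula          bacula          192.168.1.52/32         md5 clientcert=1
hostssl template0       bacula          192.168.1.52/32         md5 clientcert=1
host    bacula          bacula          192.168.1.0/24          md5
hostssl bacula          bacula          192.168.1.52/32         trust
"""

# Constructed sample of the ssl directives from the "Enable ssl" section.
SAMPLE_PG_CONF = """\
ssl = on                                # (change requires restart)
ssl_ciphers = 'HIGH:MEDIUM:!3DES:!aNULL' # allowed SSL ciphers
ssl_cert_file = 'server.crt'            # (change requires restart)
ssl_key_file = 'server.key'             # (change requires restart)
ssl_ca_file = 'root.crt'                # (change requires restart)
#ssl_crl_file = ''                      # (change requires restart)
"""


def parse_pg_hba(text):
    """Return one dict per rule in pg_hba.conf (comments and blank lines skipped).
    The separate-netmask form of ADDRESS ("ip mask") is not handled here."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] == "local":
            # local (Unix socket) rules have no ADDRESS column
            ctype, db, user, method = fields[:4]
            addr, opts = None, fields[4:]
        else:
            ctype, db, user, addr, method = fields[:5]
            opts = fields[5:]
        options = dict(o.split("=", 1) for o in opts if "=" in o)
        rules.append({"type": ctype, "db": db, "user": user, "addr": addr,
                      "method": method, "options": options})
    return rules


def audit_pg_hba(text, user, allowed_cidr):
    """List rules that let `user` in without TLS, without a client cert,
    without authentication, or from addresses outside `allowed_cidr`."""
    allowed = ipaddress.ip_network(allowed_cidr)
    findings = []
    for i, r in enumerate(parse_pg_hba(text), 1):
        if r["user"] not in (user, "all"):
            continue
        where = "rule %d (%s %s %s)" % (i, r["type"], r["db"], r["user"])
        if r["type"] != "hostssl":
            findings.append(where + ": not restricted to TLS (type %s)" % r["type"])
        if r["method"] == "trust":
            findings.append(where + ": method trust requires no authentication")
        if r["options"].get("clientcert") != "1":
            findings.append(where + ": no client certificate required")
        if r["addr"] is not None:
            try:
                net = ipaddress.ip_network(r["addr"], strict=False)
            except ValueError:
                # hostnames, samehost, samenet: not CIDR, leave for manual review
                findings.append(where + ": non-CIDR address %s, check manually" % r["addr"])
                continue
            if not net.subnet_of(allowed):
                findings.append(where + ": address %s is wider than %s" % (r["addr"], allowed_cidr))
    return findings


def parse_pg_conf(text):
    """Return name -> value for the plain `name = value` lines of postgresql.conf."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"^(\w+)\s*=\s*'?([^']*)'?$", line)
        if m:
            settings[m.group(1)] = m.group(2).strip()
    return settings


def audit_ssl_settings(text):
    """Check the three points the post makes: ssl on, ssl_ca_file set, no 3DES."""
    s = parse_pg_conf(text)
    findings = []
    if s.get("ssl", "off").lower() != "on":
        findings.append("ssl is not enabled")
    if not s.get("ssl_ca_file"):
        findings.append("ssl_ca_file is unset, so clientcert=1 has no CA to verify against")
    if "!3DES" not in s.get("ssl_ciphers", ""):
        findings.append("ssl_ciphers does not exclude 3DES")
    return findings


if __name__ == "__main__":
    for f in audit_ssl_settings(SAMPLE_PG_CONF):
        print(f)
    for f in audit_pg_hba(SAMPLE_PG_HBA, "bacula", "192.168.1.52/32"):
        print(f)
```

Run it against the real files with `open(path).read()` in place of the samples; the two post rules produce no findings while the two constructed weak rules produce five.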

Restart postgresql

root@stafdb:/var/db/postgres/data96 # service postgresql restart
DEBUG:  postgres: PostmasterMain: initial environment dump:
DEBUG:  -----------------------------------------
DEBUG:          LC_TIME=C
DEBUG:          LC_NUMERIC=C
DEBUG:          LC_MONETARY=C
DEBUG:          LC_MESSAGES=C
DEBUG:          LC_CTYPE=C
DEBUG:          LC_COLLATE=C
DEBUG:          MAIL=/var/mail/postgres
DEBUG:          PGLOCALEDIR=/usr/local/share/locale
DEBUG:          PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/var/db/postgres/bin
DEBUG:          PGDATA=/var/db/postgres/data96
DEBUG:          PWD=/var/db/postgres
DEBUG:          PGSYSCONFDIR=/usr/local/etc/postgresql
DEBUG:          HOME=/var/db/postgres
DEBUG:          USER=postgres
DEBUG:          SHELL=/bin/sh
DEBUG:          PG_GRANDPARENT_PID=79045
DEBUG:          BLOCKSIZE=K
DEBUG:  -----------------------------------------
LOG:  could not create IPv6 socket: Protocol not supported
LOG:  could not bind IPv4 socket: Address already in use
HINT:  Is another postmaster already running on port 5432? If not, wait a few seconds and retry.
WARNING:  could not create listen socket for "192.168.1.51"
DEBUG:  invoking IpcMemoryCreate(size=148480000)
DEBUG:  SlruScanDirectory invoking callback on pg_notify/0000
DEBUG:  removing file "pg_notify/0000"
DEBUG:  dynamic shared memory system will support 288 segments
DEBUG:  created dynamic shared memory control segment 773439544 (2316 bytes)
DEBUG:  max_safe_fds = 984, usable_fds = 1000, already_open = 6
LOG:  ending log output to stderr
HINT:  Future log output will go to log destination "syslog".
DEBUG:  CommitTransaction
DEBUG:  name: unnamed; blockState:       STARTED; state: INPROGR, xid/subid/cid: 0/1/0, nestlvl: 1, children: 
root@stafdb:/var/db/postgres/data96 #

Test the database connection

Verify

Verify the database connection from the bacula jail. See https://www.postgresql.org/docs/9.6/static/libpq-connect.html

[bacula@stafbacula /var/db/bacula/.postgres]$ psql "sslmode=verify-full host=stafdb dbname=bacula sslcert=`pwd`/postgresql.crt sslkey=`pwd`/postgresql.key sslrootcert=`pwd`/root.crt"
Password:
DEBUG:  CommitTransaction
DEBUG:  name: unnamed; blockState:       STARTED; state: INPROGR, xid/subid/cid: 0/1/0, nestlvl: 1, children:
psql (9.5.7, server 9.6.3)
WARNING: psql major version 9.5, server major version 9.6.
         Some psql features might not work.
SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384, bits: 256, compression: off)
Type "help" for help.
bacula=>

Create environment script

Bacula comes with a few scripts to populate the catalog; we will create an “environment” script to set up the required environment variables to connect to the database. https://www.postgresql.org/docs/9.6/static/libpq-envars.html gives an overview of the PostgreSQL environment variables.

[bacula@stafbacula /var/db/bacula]$ vi psql_env.sh
PGHOST=stafdb
PGUSER=bacula
PGSSLMODE=verify-full
PGSSLCERT=/var/db/bacula/.postgres/postgresql.crt
PGSSLKEY=/var/db/bacula/.postgres/postgresql.key
PGSSLROOTCERT=/var/db/bacula/.postgres/root.crt

export PGHOST
export PGUSER
export PGSSLMODE
export PGSSLCERT
export PGSSLKEY
export PGSSLROOTCERT

Test the environment script

root@stafbacula:~ # su -m bacula -c /bin/sh
$ . /var/db/bacula/psql_env.sh
$ psql bacula
Password: 
DEBUG:  CommitTransaction
DEBUG:  name: unnamed; blockState:       STARTED; state: INPROGR, xid/subid/cid: 0/1/0, nestlvl: 1, children: 
psql (9.5.8, server 9.6.4)
WARNING: psql major version 9.5, server major version 9.6.
         Some psql features might not work.
SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384, bits: 256, compression: off)
Type "help" for help.

bacula=> 

Configure the bacula catalog

Configuration directives

I found the bacula documentation not very clear on how to set up the catalog connection with certificate authentication - or I looked in the wrong place - so I downloaded the bacula source code (version 7.4.7) to verify the required directives: ./src/dird/dird_conf.c

[staf@vicky bacula-7.4.7]$ vim ./src/dird/dird_conf.c
/*
   Bacula(R) - The Network Backup Solution

   Copyright (C) 2000-2016 Kern Sibbald

   The original author of Bacula is Kern Sibbald, with contributions
   from many others, a complete list can be found in the file AUTHORS.

   You may use this file and others of this release according to the
   license defined in the LICENSE file, which includes the Affero General
   Public License, v3.0 ("AGPLv3") and some additional permissions and
   terms pursuant to its AGPLv3 Section 7.

   This notice must be preserved when any source code is
   conveyed and/or propagated.

   Bacula(R) is a registered trademark of Kern Sibbald.
*/

<snip>

/*
 *    Catalog Resource Directives
 *
 *   name          handler     value                 code flags    default_value
 */
static RES_ITEM cat_items[] = {
   {"Name",     store_name,     ITEM(res_cat.hdr.name),    0, ITEM_REQUIRED, 0},
   {"Description", store_str,   ITEM(res_cat.hdr.desc),    0, 0, 0},
   {"dbaddress", store_str,     ITEM(res_cat.db_address),  0, 0, 0},
   {"Address",  store_str,      ITEM(res_cat.db_address),  0, 0, 0},
   {"DbPort",   store_pint32,   ITEM(res_cat.db_port),      0, 0, 0},
   /* keep this password as store_str for the moment */
   {"dbpassword", store_str,    ITEM(res_cat.db_password), 0, 0, 0},
   {"Password", store_str,      ITEM(res_cat.db_password), 0, 0, 0},
   {"dbuser",   store_str,      ITEM(res_cat.db_user),     0, 0, 0},
   {"User",     store_str,      ITEM(res_cat.db_user),     0, 0, 0},
   {"DbName",   store_str,      ITEM(res_cat.db_name),     0, ITEM_REQUIRED, 0},
   {"dbdriver", store_str,      ITEM(res_cat.db_driver),   0, 0, 0},
   {"DbSocket", store_str,      ITEM(res_cat.db_socket),   0, 0, 0},
   {"dbsslkey", store_str,      ITEM(res_cat.db_ssl_key),  0, 0, 0},
   {"dbsslcert", store_str,     ITEM(res_cat.db_ssl_cert),  0, 0, 0},
   {"dbsslca", store_str,       ITEM(res_cat.db_ssl_ca),  0, 0, 0},
   {"dbsslcapath", store_str,   ITEM(res_cat.db_ssl_capath),  0, 0, 0},
   {"dbsslcipher", store_str,   ITEM(res_cat.db_ssl_cipher),  0, 0, 0},
   /* Turned off for the moment */
   {"MultipleConnections", store_bit, ITEM(res_cat.mult_db_connections), 0, 0, 0},
   {"DisableBatchInsert", store_bool, ITEM(res_cat.disable_batch_insert), 0, ITEM_DEFAULT, false},
   {NULL, NULL, {0}, 0, 0, 0}
};

The ssl directives didn't seem to work with PostgreSQL :-( If we feed the PostgreSQL environment variables with the correct ssl settings to the bacula director, it seems to work.

Initialize the database

Drop the existing bacula database

The bacula create script will try to create a new bacula database, so we'll drop our test database on the database server first.

root@stafdb:~ # su - postgres
$ psql
psql (9.6.4)
Type "help" for help.

postgres=# drop database bacula ;
DROP DATABASE
postgres=# \l
                             List of databases
   Name    |  Owner   | Encoding | Collate | Ctype |   Access privileges   
-----------+----------+----------+---------+-------+-----------------------
 postgres  | postgres | UTF8     | C       | C     | 
 template0 | postgres | UTF8     | C       | C     | =c/postgres          +
           |          |          |         |       | postgres=CTc/postgres
 template1 | postgres | UTF8     | C       | C     | =c/postgres          +
           |          |          |         |       | postgres=CTc/postgres
(3 rows)

postgres=# 

Create the database

Log on to the bacula jail and create the bacula database.

$ . /var/db/bacula/psql_env.sh
$ ./create_bacula_database
Creating postgresql database
Password: 
Password: 
CREATE DATABASE
ALTER DATABASE
Creation of bacula database succeeded.
Password: 
Password: 
Database encoding OK

Populate the bacula tables

$ ./make_bacula_tables 
Making postgresql tables
Password: 
CREATE TABLE
ALTER TABLE
CREATE INDEX
CREATE TABLE
ALTER TABLE
CREATE INDEX
CREATE TABLE
CREATE INDEX
CREATE INDEX
CREATE TABLE
CREATE INDEX
CREATE TABLE
CREATE INDEX
CREATE TABLE
CREATE INDEX
CREATE TABLE
CREATE TABLE
CREATE INDEX
CREATE TABLE
CREATE INDEX
CREATE TABLE
CREATE INDEX
CREATE INDEX
CREATE INDEX
CREATE TABLE
CREATE TABLE
CREATE TABLE
CREATE TABLE
CREATE INDEX
CREATE TABLE
CREATE INDEX
CREATE TABLE
CREATE INDEX
CREATE TABLE
CREATE TABLE
CREATE TABLE
CREATE INDEX
CREATE TABLE
CREATE TABLE
CREATE TABLE
CREATE INDEX
CREATE TABLE
CREATE INDEX
CREATE TABLE
CREATE TABLE
INSERT 0 1
INSERT 0 1
INSERT 0 1
INSERT 0 1
INSERT 0 1
INSERT 0 1
INSERT 0 1
INSERT 0 1
INSERT 0 1
INSERT 0 1
INSERT 0 1
INSERT 0 1
INSERT 0 1
INSERT 0 1
INSERT 0 1
INSERT 0 1
INSERT 0 1
INSERT 0 1
INSERT 0 1
INSERT 0 1
INSERT 0 1
INSERT 0 1
CREATE TABLE
CREATE INDEX
INSERT 0 1
Creation of Bacula PostgreSQL tables succeeded.
$ 

Verify

Log on to the bacula database and verify that the tables were created.

$ psql
Password: 
psql (9.5.8, server 9.6.4)
WARNING: psql major version 9.5, server major version 9.6.
         Some psql features might not work.
SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384, bits: 256, compression: off)
Type "help" for help.

bacula=> \d
                       List of relations
 Schema |               Name                |   Type   | Owner  
--------+-----------------------------------+----------+--------
 public | basefiles                         | table    | bacula
 public | basefiles_baseid_seq              | sequence | bacula
 public | cdimages                          | table    | bacula
 public | client                            | table    | bacula
 public | client_clientid_seq               | sequence | bacula
 public | counters                          | table    | bacula
 public | device                            | table    | bacula
 public | device_deviceid_seq               | sequence | bacula
 public | file                              | table    | bacula
 public | file_fileid_seq                   | sequence | bacula
 public | filename                          | table    | bacula
 public | filename_filenameid_seq           | sequence | bacula
 public | fileset                           | table    | bacula
 public | fileset_filesetid_seq             | sequence | bacula
 public | job                               | table    | bacula
 public | job_jobid_seq                     | sequence | bacula
 public | jobhisto                          | table    | bacula
 public | jobmedia                          | table    | bacula
 public | jobmedia_jobmediaid_seq           | sequence | bacula
 public | location                          | table    | bacula
 public | location_locationid_seq           | sequence | bacula
 public | locationlog                       | table    | bacula
 public | locationlog_loclogid_seq          | sequence | bacula
 public | log                               | table    | bacula
 public | log_logid_seq                     | sequence | bacula
 public | media                             | table    | bacula
 public | media_mediaid_seq                 | sequence | bacula
 public | mediatype                         | table    | bacula
 public | mediatype_mediatypeid_seq         | sequence | bacula
 public | path                              | table    | bacula
 public | path_pathid_seq                   | sequence | bacula
 public | pathhierarchy                     | table    | bacula
 public | pathvisibility                    | table    | bacula
 public | pool                              | table    | bacula
 public | pool_poolid_seq                   | sequence | bacula
 public | restoreobject                     | table    | bacula
 public | restoreobject_restoreobjectid_seq | sequence | bacula
 public | snapshot                          | table    | bacula
 public | snapshot_snapshotid_seq           | sequence | bacula
--More--(byte 2667)

Cleanup

Disable access to the template0, template1 and postgres databases.

root@stafdb:/var/db/postgres/data96 # vi pg_hba.conf
host    all             all             ::1/128                 trust
hostssl bacula          bacula          192.168.1.52/32         md5 clientcert=1
# hostssl       template0       bacula          192.168.1.52/32         md5 clientcert=1
# hostssl       template1       bacula          192.168.1.52/32         md5 clientcert=1
# hostssl       postgres        bacula          192.168.1.52/32         md5 clientcert=1

Reload

root@stafdb:/var/db/postgres/data96 # service postgresql reload
root@stafdb:/var/db/postgres/data96 # 

Test it. Verify that access to the postgres database is denied from the bacula host.

$ psql postgres
psql: FATAL:  no pg_hba.conf entry for host "192.168.1.52", user "bacula", database "postgres", SSL on
$ 
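The pg_hba.conf policy above can be checked before the reload instead of by trial connections. The Python below is an added example, not part of the post: it models how PostgreSQL walks pg_hba.conf (first matching rule wins, no fall-through), replays the connections tested here against the post's own rules, and flags deviations from the intended policy (catalog user reaches only its own database, only over TLS, only with a client certificate); the audit policy and the sample rules are my reading of the post, and only host/hostssl/hostnossl rules with CIDR, netmask or "all" addresses are modelled.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample: the pg_hba.conf lines shown in the post, verbatim.
SAMPLE_PG_HBA = """\
host    all             all             ::1/128                 trust
hostssl bacula          bacula          192.168.1.52/32         md5 clientcert=1
# hostssl       template0       bacula          192.168.1.52/32         md5 clientcert=1
# hostssl       template1       bacula          192.168.1.52/32         md5 clientcert=1
# hostssl       postgres        bacula          192.168.1.52/32         md5 clientcert=1
"""

# clientcert=1 is the 9.x spelling used in the post; PostgreSQL 12+ writes
# verify-ca / verify-full.  All of them make a client certificate mandatory.
CLIENTCERT_REQUIRED = {"1", "verify-ca", "verify-full"}


@dataclass
class HbaRule:
    conn_type: str      # host, hostssl or hostnossl
    databases: list     # the DATABASE field split on commas
    users: list         # the USER field split on commas
    network: object     # an ipaddress network, or the keyword "all"
    method: str         # trust, md5, cert, ...
    options: dict       # trailing name=value options such as clientcert


def parse_pg_hba(text):
    """Parse pg_hba.conf text into rules in file order (order matters:
    PostgreSQL applies the first matching rule and never falls through)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        if f[0] not in ("host", "hostssl", "hostnossl"):
            # local (socket) rules are out of scope; fail loudly rather
            # than silently treating them as harmless.
            raise ValueError("unsupported rule: " + line)
        dbs, users, addr, rest = f[1], f[2], f[3], f[4:]
        if rest and rest[0][0].isdigit():           # "ADDRESS NETMASK" form
            addr, rest = addr + "/" + rest[0], rest[1:]
        # samehost/samenet are not modelled: ip_network() raises on them.
        network = "all" if addr == "all" else ipaddress.ip_network(addr, strict=False)
        options = dict(opt.partition("=")[::2] for opt in rest[1:])
        rules.append(HbaRule(f[0], dbs.split(","), users.split(","),
                             network, rest[0], options))
    return rules


def _db_matches(rule, db, user):
    # "all" and "sameuser" are expanded; other keywords only match literally.
    return any(name == "all" or name == db or (name == "sameuser" and db == user)
               for name in rule.databases)


def first_match(rules, db, user, ip, ssl):
    """Return the rule PostgreSQL would apply to this connection, or None.
    None is the 'FATAL: no pg_hba.conf entry for host ...' seen in the post."""
    addr = ipaddress.ip_address(ip)
    for r in rules:
        if r.conn_type == "hostssl" and not ssl:
            continue
        if r.conn_type == "hostnossl" and ssl:
            continue
        if r.network != "all" and addr not in r.network:   # v4 vs v6 never matches
            continue
        if _db_matches(r, db, user) and ("all" in r.users or user in r.users):
            return r
    return None


def audit_catalog_access(rules, user, db, ip,
                         maintenance=("postgres", "template0", "template1")):
    """Policy from the post: the catalog user reaches only its own database,
    only over TLS, only with a client certificate.  Empty list means pass."""
    findings = []
    own = first_match(rules, db, user, ip, ssl=True)
    if own is None:
        findings.append(f"{db}: {user} cannot connect over TLS at all")
    else:
        if own.method == "trust":
            findings.append(f"{db}: 'trust' skips authentication for {ip}")
        if own.options.get("clientcert") not in CLIENTCERT_REQUIRED:
            findings.append(f"{db}: no client certificate required")
    if first_match(rules, db, user, ip, ssl=False) is not None:
        findings.append(f"{db}: reachable without TLS")
    for other in maintenance:
        if any(first_match(rules, other, user, ip, s) for s in (True, False)):
            findings.append(f"{other}: reachable by {user}")
    return findings


if __name__ == "__main__":
    rules = parse_pg_hba(SAMPLE_PG_HBA)
    print(audit_catalog_access(rules, "bacula", "bacula", "192.168.1.52") or "OK")
```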

Bacula catalog configuration

Update the bacula director configuration

root@stafbacula:/usr/local/etc/bacula # vi bacula-dir.conf
# Generic catalog service
Catalog { 
  Name = MyCatalog
  dbname = "bacula"; dbuser = "bacula"; dbpassword = "********" ; dbsslkey = "/var/db/bacula/.postgres
/postgresql.key"; dbsslcert = "/var/db/bacula/.postgres/postgresql.crt"; dbsslca= "/var/db/bacula/.postgres
/root.crt"

}

Test the catalog connection

bacula includes a program to verify the bacula catalog, “dbcheck”; the -c switch selects the bacula director configuration file and the -B switch prints out the configuration.

bacula@stafbacula /usr/local]$ dbcheck -c /usr/local/etc/bacula/bacula-dir.conf -B -v
catalog=MyCatalog
db_name=bacula
db_driver=
db_user=bacula
db_password=*******
db_address=stafdb
db_port=0
db_socket=
db_type=PostgreSQL
working_dir=/var/db/bacula
[bacula@stafbacula /usr/local]$ 

For some reason the ssl directives aren't included and the connection fails.

[bacula@stafbacula /usr/local/etc/rc.d]$ dbcheck -c /usr/local/etc/bacula/bacula-dir.conf -v
dbcheck: Fatal Error at dbcheck.c:303 because:
postgresql.c:271 Unable to connect to PostgreSQL server. Database=bacula User=bacula
Possible causes: SQL server not running; password incorrect; max_connections exceeded.
09-Sep 14:22 dbcheck: Fatal Error at dbcheck.c:303 because:
postgresql.c:271 Unable to connect to PostgreSQL server. Database=bacula User=bacula
Possible causes: SQL server not running; password incorrect; max_connections exceeded.
[bacula@stafbacula /usr/local/etc/rc.d]$ 

On our postgres host we get error messages showing that the bacula host tries to connect without SSL.

root@stafdb:/var/db/postgres/data96 # tail -f /var/log/messages
Sep  9 14:22:10 stafdb postgres[14183]: [10-1] FATAL:  connection requires a valid client certificate
Sep  9 14:22:10 stafdb postgres[14184]: [10-1] FATAL:  no pg_hba.conf entry for host "192.168.1.52", user "bacula", database "bacula", SSL off
Sep  9 14:22:15 stafdb postgres[14185]: [10-1] FATAL:  connection requires a valid client certificate
Sep  9 14:22:15 stafdb postgres[14186]: [10-1] FATAL:  no pg_hba.conf entry for host "192.168.1.52", user "bacula", database "bacula", SSL off
Sep  9 14:22:20 stafdb postgres[14187]: [10-1] FATAL:  connection requires a valid client certificate
Sep  9 14:22:20 stafdb postgres[14188]: [10-1] FATAL:  no pg_hba.conf entry for host "192.168.1.52", user "bacula", database "bacula", SSL off
Sep  9 14:22:25 stafdb postgres[14190]: [10-1] FATAL:  connection requires a valid client certificate
Sep  9 14:22:25 stafdb postgres[14191]: [10-1] FATAL:  no pg_hba.conf entry for host "192.168.1.52", user "bacula", database "bacula", SSL off
Sep  9 14:22:30 stafdb postgres[14193]: [10-1] FATAL:  connection requires a valid client certificate
Sep  9 14:22:30 stafdb postgres[14194]: [10-1] FATAL:  no pg_hba.conf entry for host "192.168.1.52", user "bacula", database "bacula", SSL off

When we set the PostgreSQL environment variables with the correct ssl settings the connection works fine.

[bacula@stafbacula /usr/local/etc/rc.d]$ dbcheck -c /usr/local/etc/bacula/bacula-dir.conf -v
Hello, this is the database check/correct program.
Modify database is off. Verbose is on.
Please select the function you want to perform.

     1) Toggle modify database flag
     2) Toggle verbose flag
     3) Check for bad Filename records
     4) Check for bad Path records
     5) Check for duplicate Filename records
     6) Check for duplicate Path records
     7) Check for orphaned Jobmedia records
     8) Check for orphaned File records
     9) Check for orphaned Path records
    10) Check for orphaned Filename records
    11) Check for orphaned FileSet records
    12) Check for orphaned Client records
    13) Check for orphaned Job records
    14) Check for all Admin records
    15) Check for all Restore records
    16) All (3-15)
    17) Quit
Select function number: 

Bacula director

Enable the bacula director

root@stafbacula:/usr/local/etc/rc.d # sysrc bacula_dir_enable=yes
bacula_dir_enable:  -> yes
root@stafbacula:/usr/local/etc/rc.d # 

Create the bacula.log

root@stafbacula:/var/log # touch /var/log/bacula.log
root@stafbacula:/var/log # chown bacula:bacula /var/log/bacula.log

Include the PostgreSQL ssl settings in the bacula director startup script

Update the bacula-dir startup script to include the ssl settings.

# Add the following lines to /etc/rc.conf.local or /etc/rc.conf
# to enable this service:
#
# bacula_dir_enable  (bool):   Set to NO by default.
#                Set it to YES to enable bacula_dir.
# bacula_dir_flags (params):   Set params used to start bacula_dir.
#

. /etc/rc.subr
. /var/db/bacula/psql_env.sh
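The psql_env.sh sourced by that rc script is not shown in the post. As an added example (not Bacula's own code), the Python below derives it from the Catalog resource: the dbssl* paths that the 7.4.7 director ignores for PostgreSQL are mapped to libpq's PGSSLKEY/PGSSLCERT/PGSSLROOTCERT, PGSSLMODE is pinned so libpq cannot fall back to plaintext, the password is deliberately left out of the environment, and the key file mode is checked the way libpq does. It assumes a dbaddress directive (taken from the db_address=stafdb line in the dbcheck output) and a server certificate whose name matches it; if that is not the case, verify-ca is the mode to use instead of verify-full.

```python
import re
import shlex
import stat

# Constructed sample: the Catalog resource from the post with its line
# wrapping undone.  The dbaddress line is assumed from the dbcheck output
# (db_address=stafdb); the post's own snippet does not show it.
SAMPLE_CATALOG = '''
# Generic catalog service
Catalog {
  Name = MyCatalog
  dbname = "bacula"; dbuser = "bacula"; dbpassword = "********" ;
  dbsslkey = "/var/db/bacula/.postgres/postgresql.key"; dbsslcert = "/var/db/bacula/.postgres/postgresql.crt"; dbsslca= "/var/db/bacula/.postgres/root.crt"
  dbaddress = "stafdb"
}
'''

# Catalog directive -> libpq environment variable.  libpq reads these
# itself, which is why sourcing them in the rc script fixes the director.
DIRECTIVE_TO_ENV = {
    "dbsslkey": "PGSSLKEY",
    "dbsslcert": "PGSSLCERT",
    "dbsslca": "PGSSLROOTCERT",
    "dbaddress": "PGHOST",
    "address": "PGHOST",
}


def parse_catalog_resource(text):
    """Return {directive (lowercased): value} for the first Catalog { } block.
    Directives may be separated by newlines or ';' and commented with '#'."""
    body = re.search(r"Catalog\s*\{(.*?)\}", text, re.S).group(1)
    directives = {}
    for chunk in body.replace("\n", ";").split(";"):
        chunk = chunk.split("#", 1)[0].strip()
        if "=" in chunk:
            key, _, value = chunk.partition("=")
            directives[key.strip().lower()] = value.strip().strip('"')
    return directives


def libpq_env_from_catalog(directives):
    """Build the director's libpq environment.  The password stays in
    bacula-dir.conf: a PGPASSWORD in the environment is exposed to anything
    that can read the process environment.  Returns (env, unmapped directives)."""
    # Pin the mode: libpq's default "prefer" retries in plaintext after a
    # failed TLS attempt, which is the "SSL off" rejection in the post's log.
    env = {"PGSSLMODE": "verify-full"}
    unmapped = []
    for key, value in directives.items():
        if key in DIRECTIVE_TO_ENV:
            env[DIRECTIVE_TO_ENV[key]] = value
        elif key.startswith("dbssl"):
            unmapped.append(key)        # dbsslcapath, dbsslcipher: no libpq env
    if "PGHOST" not in env:
        raise ValueError("verify-full needs a host name to check the server cert")
    return env, unmapped


def render_sh(env):
    """Emit a POSIX sh fragment in the style of the psql_env.sh sourced above."""
    lines = ["# libpq TLS settings for bacula-dir (generated)"]
    lines += [f"export {k}={shlex.quote(v)}" for k, v in sorted(env.items())]
    return "\n".join(lines) + "\n"


def check_key_mode(mode):
    """libpq refuses a client key with group or world access, so a key that
    fails this check makes the director fail to connect.  Returns findings."""
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return [f"key mode {oct(stat.S_IMODE(mode))} must be 0600 or stricter"]
    return []


if __name__ == "__main__":
    env, unmapped = libpq_env_from_catalog(parse_catalog_resource(SAMPLE_CATALOG))
    print(render_sh(env), end="")
    for key in unmapped:
        print(f"# warning: {key} has no libpq environment equivalent")
```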

bconsole access

To test that the catalog works correctly with the director we need to set up bconsole access. Open the bacula director configuration file.

[root@stafbacula /usr/local/etc/bacula]# vim bacula-dir.conf

And define a Password

Director {                            # define myself
  Name = MyBaculaDirector
  DIRport = 9101                # where we listen for UA connections
  QueryFile = "/usr/local/share/bacula/query.sql"
  WorkingDirectory = "/var/db/bacula"
  PidDirectory = "/var/run"
  Maximum Concurrent Jobs = 20
  Password = "*******"         # Console password
  Messages = Daemon
}

Open the bconsole configuration file

[root@stafbacula /usr/local/etc/bacula]# vi bconsole.conf

and set up the same password

# Bacula User Agent (or Console) Configuration File
#
# Copyright (C) 2000-2015 Kern Sibbald
# License: BSD 2-Clause; see file LICENSE-FOSS
#

Director {
  Name = MyBaculaDirector
  DIRport = 9101
  address = localhost
  Password = "*****"
}

Start the director & test

Start the bacula-dir service

[root@stafbacula /usr/local/etc/bacula]# service bacula-dir start
Starting bacula_dir.
[root@stafbacula /usr/local/etc/bacula]# ps aux | grep -i bacula 
bacula 14416  0.0  0.1 51424 6588  -  SsJ  14:40   0:00.12 /usr/local/sbin/bacula-dir -u bacula -g bacula 
root   14420  0.0  0.0 14796 1968  0  R+J  14:40   0:00.00 grep -i bacula
root   13530  0.0  0.0  8300 1596  2  I+J  13:47   0:00.00 tail -f /var/log/bacula.log
[root@stafbacula /usr/local/etc/bacula]#

And test the console access

bacula@stafbacula:/usr/local/etc/bacula % bconsole
Connecting to Director localhost:9101
1000 OK: 102 MyBaculaDirector Version: 7.4.7 (16 March 2017)
Enter a period to cancel a command.
*version
MyBaculaDirector Version: 7.4.7 (16 March 2017) amd64-portbld-freebsd11.0 freebsd 11.0-RELEASE-p12 
You have messages.
*

In a next blog post we’ll continue with the bacula configuration.

Have fun!

Links

Bacula on FreeBSD (Part 1 PostgreSQL in a Jail)

I do take backups; my current solution is a couple of shell script wrappers around dump/zfs send/btrfs send/rsync, which is a mess. So I decided to give bacula a try.

I use ezjail to manage my FreeBSD jails. PostgreSQL is my favorite database and I will use it as the backend for bacula. I want to move all my databases to 1 FreeBSD jail; this should make it easier to create reliable database backups in the future. For this reason we'll set up 2 FreeBSD jails: 1 for the database and 1 for bacula.

You'll find my journey of installing PostgreSQL in a FreeBSD jail below. In another blog post we will continue with the installation of bacula.

PostgreSQL

Jail

Create the PostgreSQL Jail

root@rataplan:~ # ezjail-admin create stafdb "em0|192.168.1.51"
Warning: Some services already seem to be listening on all IP, (including 192.168.1.51)
  This may cause some confusion, here they are:
root     ntpd       754   20 udp6   *:123                 *:*
root     ntpd       754   21 udp4   *:123                 *:*
root     rpc.statd  717   4  udp6   *:640                 *:*
root     rpc.statd  717   5  tcp6   *:640                 *:*
root     rpc.statd  717   6  udp4   *:640                 *:*
root     rpc.statd  717   7  tcp4   *:640                 *:*
root     nfsd       713   5  tcp4   *:2049                *:*
root     nfsd       713   6  tcp6   *:2049                *:*
root     mountd     707   5  udp6   *:753                 *:*
root     mountd     707   6  tcp6   *:753                 *:*
root     mountd     707   7  udp4   *:753                 *:*
root     mountd     707   8  tcp4   *:753                 *:*
root     rpcbind    676   6  udp6   *:111                 *:*
root     rpcbind    676   7  udp6   *:847                 *:*
root     rpcbind    676   8  tcp6   *:111                 *:*
root     rpcbind    676   9  udp4   *:111                 *:*
root     rpcbind    676   10 udp4   *:766                 *:*
root     rpcbind    676   11 tcp4   *:111                 *:*
root     syslogd    657   6  udp6   *:514                 *:*
root     syslogd    657   7  udp4   *:514                 *:*
root@rataplan:~ # 

PostgreSQL requires shared memory

PostgreSQL uses shared memory, so it's required to set “allow.sysvipc=1” for the jail. I don't want to enable this globally since this might be a security risk: shared memory permissions are based on the uid, so enabling sysvipc on a jail might allow the jail to read shared memory from the host system or another jail.

To enable “allow.sysvipc=1” for a jail we can update the ezjail configuration. Ezjail keeps the jail configuration in /usr/local/etc/ezjail

root@rataplan:~ # cd /usr/local/etc/ezjail
root@rataplan:/usr/local/etc/ezjail # ls
stafansible     staffs          stafproxy       staftestbuild
stafdb          stafmail        stafpuppet
root@rataplan:/usr/local/etc/ezjail # 

Open the database jail file and update the configuration.

root@rataplan:/usr/local/etc/ezjail # vi stafdb
#
# Required to run PostgreSQL in the jail
#

export jail_stafdb_parameters="allow.sysvipc=1"

Start the database jail

root@rataplan:~ # ezjail-admin start stafdb
Starting jails: stafdb.
/etc/rc.d/jail: WARNING: Per-jail configuration via jail_* variables  is obsolete.  Please consider migrating to /etc/jail.conf.
root@rataplan:~ #

Console access

root@rataplan:~ # ezjail-admin console stafdb
FreeBSD 11.0-RELEASE-p9 (GENERIC) #0: Tue Apr 11 08:48:40 UTC 2017

Welcome to FreeBSD!

Release Notes, Errata: https://www.FreeBSD.org/releases/
Security Advisories:   https://www.FreeBSD.org/security/
FreeBSD Handbook:      https://www.FreeBSD.org/handbook/
FreeBSD FAQ:           https://www.FreeBSD.org/faq/
Questions List: https://lists.FreeBSD.org/mailman/listinfo/freebsd-questions/
FreeBSD Forums:        https://forums.FreeBSD.org/

Documents installed with the system are in the /usr/local/share/doc/freebsd/
directory, or can be installed later with:  pkg install en-freebsd-doc
For other languages, replace "en" with a language code like de or fr.

Show the version of FreeBSD installed:  freebsd-version ; uname -a
Please include that output and any error messages when posting questions.
Introduction to manual pages:  man man
FreeBSD directory layout:      man hier

Edit /etc/motd to change this login announcement.
root@stafdb:~ # 
root@stafdb:~ # 

PostgreSQL installation

Install pkg

Set up DNS

root@stafdb:~ # vi /etc/resolv.conf
nameserver 192.168.1.1

Bootstrap pkg

root@stafdb:~ # pkg
The package management tool is not yet installed on your system.
Do you want to fetch and install it now? [y/N]: y
Bootstrapping pkg from pkg+http://pkg.FreeBSD.org/FreeBSD:11:amd64/quarterly, please wait...
Verifying signature with trusted certificate pkg.freebsd.org.2013102301... done
[stafdb] Installing pkg-1.10.1...
[stafdb] Extracting pkg-1.10.1: 100%
pkg: not enough arguments
Usage: pkg [-v] [-d] [-l] [-N] [-j <jail name or id>|-c <chroot path>|-r <rootdir>] [-C <configuration file>] [-R <repo config dir>] [-o var=value] [-4|-6] <command> [<args>]

For more information on available commands and options see 'pkg help'.
root@stafdb:~ # 

Install PostgreSQL

Search for the latest PostgreSQL server version.

root@stafdb:~ # pkg search postgresql | grep server
pgtcl-postgresql92-2.0.0_1     TCL extension for accessing a PostgreSQL server (PGTCL-NG)
pgtcl-postgresql93-2.0.0_1     TCL extension for accessing a PostgreSQL server (PGTCL-NG)
pgtcl-postgresql94-2.0.0_1     TCL extension for accessing a PostgreSQL server (PGTCL-NG)
pgtcl-postgresql95-2.0.0_1     TCL extension for accessing a PostgreSQL server (PGTCL-NG)
pgtcl-postgresql96-2.0.0_1     TCL extension for accessing a PostgreSQL server (PGTCL-NG)
postgresql92-server-9.2.21_1   PostgreSQL is the most advanced open-source database available anywhere
postgresql93-server-9.3.17_1   PostgreSQL is the most advanced open-source database available anywhere
postgresql94-server-9.4.12_1   PostgreSQL is the most advanced open-source database available anywhere
postgresql95-server-9.5.7_1    PostgreSQL is the most advanced open-source database available anywhere
postgresql96-server-9.6.3_1    PostgreSQL is the most advanced open-source database available anywhere
root@stafdb:~ # 

Install the PostgreSQL package.

root@stafdb:~ # pkg install postgresql96-server
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 8 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
        postgresql96-server: 9.6.3_1
        libxml2: 2.9.4
        icu: 58.2_2,1
        gettext-runtime: 0.19.8.1_1
        indexinfo: 0.2.6
        postgresql96-client: 9.6.3_2
        perl5: 5.24.1_1
        readline: 7.0.3

Number of packages to be installed: 8

The process will require 131 MiB more space.
30 MiB to be downloaded.

Proceed with this action? [y/N]: y
[stafdb] [1/8] Fetching postgresql96-server-9.6.3_1.txz: 100%    4 MiB 357.1kB/s    00:11    
[stafdb] [2/8] Fetching libxml2-2.9.4.txz: 100%  802 KiB 410.4kB/s    00:02    
[stafdb] [3/8] Fetching icu-58.2_2,1.txz: 100%    9 MiB 313.3kB/s    00:30    
[stafdb] [4/8] Fetching gettext-runtime-0.19.8.1_1.txz: 100%  147 KiB 151.0kB/s    00:01    
[stafdb] [5/8] Fetching indexinfo-0.2.6.txz: 100%    5 KiB   5.3kB/s    00:01    
[stafdb] [6/8] Fetching postgresql96-client-9.6.3_2.txz: 100%    2 MiB 300.0kB/s    00:08    
[stafdb] [7/8] Fetching perl5-5.24.1_1.txz: 100%   13 MiB 341.5kB/s    00:41    
[stafdb] [8/8] Fetching readline-7.0.3.txz: 100%  334 KiB 342.3kB/s    00:01    
Checking integrity... done (0 conflicting)
[stafdb] [1/8] Installing indexinfo-0.2.6...
[stafdb] [1/8] Extracting indexinfo-0.2.6: 100%
[stafdb] [2/8] Installing gettext-runtime-0.19.8.1_1...
[stafdb] [2/8] Extracting gettext-runtime-0.19.8.1_1: 100%
[stafdb] [3/8] Installing perl5-5.24.1_1...
[stafdb] [3/8] Extracting perl5-5.24.1_1: 100%
[stafdb] [4/8] Installing readline-7.0.3...
[stafdb] [4/8] Extracting readline-7.0.3: 100%
[stafdb] [5/8] Installing libxml2-2.9.4...
[stafdb] [5/8] Extracting libxml2-2.9.4: 100%
[stafdb] [6/8] Installing icu-58.2_2,1...
[stafdb] [6/8] Extracting icu-58.2_2,1: 100%
[stafdb] [7/8] Installing postgresql96-client-9.6.3_2...
[stafdb] [7/8] Extracting postgresql96-client-9.6.3_2: 100%
[stafdb] [8/8] Installing postgresql96-server-9.6.3_1...
===> Creating groups.
Creating group 'postgres' with gid '770'.
===> Creating users
Creating user 'postgres' with uid '770'.

  =========== BACKUP YOUR DATA! =============
  As always, backup your data before
  upgrading. If the upgrade leads to a higher
  minor revision (e.g. 8.3.x -> 8.4), a dump
  and restore of all databases is
  required. This is *NOT* done by the port!
  ===========================================
[stafdb] Extracting postgresql96-server-9.6.3_1: 100%
Message from perl5-5.24.1_1:
The /usr/bin/perl symlink has been removed starting with Perl 5.20.
For shebangs, you should either use:

#!/usr/local/bin/perl

or

#!/usr/bin/env perl

The first one will only work if you have a /usr/local/bin/perl,
the second will work as long as perl is in PATH.
Message from postgresql96-client-9.6.3_2:
The PostgreSQL port has a collection of "side orders":

postgresql-docs
  For all of the html documentation

p5-Pg
  A perl5 API for client access to PostgreSQL databases.

postgresql-tcltk 
  If you want tcl/tk client support.

postgresql-jdbc
  For Java JDBC support.

postgresql-odbc
  For client access from unix applications using ODBC as access
  method. Not needed to access unix PostgreSQL servers from Win32
  using ODBC. See below.

ruby-postgres, py-PyGreSQL
  For client access to PostgreSQL databases using the ruby & python
  languages.

postgresql-plperl, postgresql-pltcl & postgresql-plruby
  For using perl5, tcl & ruby as procedural languages.

postgresql-contrib
  Lots of contributed utilities, postgresql functions and
  datatypes. There you find pg_standby, pgcrypto and many other cool
  things.

etc...
Message from postgresql96-server-9.6.3_1:
For procedural languages and postgresql functions, please note that
you might have to update them when updating the server.

If you have many tables and many clients running, consider raising
kern.maxfiles using sysctl(8), or reconfigure your kernel
appropriately.

The port is set up to use autovacuum for new databases, but you might
also want to vacuum and perhaps backup your database regularly. There
is a periodic script, /usr/local/etc/periodic/daily/502.pgsql, that
you may find useful. You can use it to backup and perform vacuum on all
databases nightly. Per default, it performs `vacuum analyze'. See the
script for instructions. For autovacuum settings, please review
~pgsql/data/postgresql.conf.

If you plan to access your PostgreSQL server using ODBC, please
consider running the SQL script /usr/local/share/postgresql/odbc.sql
to get the functions required for ODBC compliance.

Please note that if you use the rc script,
/usr/local/etc/rc.d/postgresql, to initialize the database, unicode
(UTF-8) will be used to store character data by default.  Set
postgresql_initdb_flags or use login.conf settings described below to
alter this behaviour. See the start rc script for more info.

To set limits, environment stuff like locale and collation and other
things, you can set up a class in /etc/login.conf before initializing
the database. Add something similar to this to /etc/login.conf:
---
postgres:\
        :lang=en_US.UTF-8:\
        :setenv=LC_COLLATE=C:\
        :tc=default:
---
and run `cap_mkdb /etc/login.conf'.
Then add 'postgresql_class="postgres"' to /etc/rc.conf.

======================================================================

To initialize the database, run

  /usr/local/etc/rc.d/postgresql initdb

You can then start PostgreSQL by running:

  /usr/local/etc/rc.d/postgresql start

For postmaster settings, see ~pgsql/data/postgresql.conf

NB. FreeBSD's PostgreSQL port logs to syslog by default
    See ~pgsql/data/postgresql.conf for more info

======================================================================

To run PostgreSQL at startup, add
'postgresql_enable="YES"' to /etc/rc.conf

Enable the postgresql daemon at the jail startup

root@stafdb:~ # sysrc postgresql_enable="YES"
postgresql_enable:  -> YES
root@stafdb:~ # grep postgresql_enable /etc/rc.conf
postgresql_enable="YES"
root@stafdb:~ # 

Initialize the database

root@stafdb:~ # service postgresql initdb
The files belonging to this database system will be owned by user "postgres".
This user must also own the server process.

The database cluster will be initialized with locale "C".
The default text search configuration will be set to "english".

Data page checksums are disabled.

creating directory /var/db/postgres/data96 ... ok
creating subdirectories ... ok
selecting default max_connections ... 100
selecting default shared_buffers ... 128MB
selecting dynamic shared memory implementation ... posix
creating configuration files ... ok
running bootstrap script ... ok
performing post-bootstrap initialization ... ok
syncing data to disk ... ok

WARNING: enabling "trust" authentication for local connections
You can change this by editing pg_hba.conf or using the option -A, or
--auth-local and --auth-host, the next time you run initdb.

Success. You can now start the database server using:

    /usr/local/bin/pg_ctl -D /var/db/postgres/data96 -l logfile start

root@stafdb:~ # 

Start the database

root@stafdb:~ # service postgresql start
LOG:  could not create IPv6 socket: Protocol not supported
LOG:  ending log output to stderr
HINT:  Future log output will go to log destination "syslog".
root@stafdb:~ # 

Verify the database

root@stafdb:~ # su - postgres
$ psql -l
psql: could not connect to server: No such file or directory
        Is the server running locally and accepting
        connections on Unix domain socket "/tmp/.s.PGSQL.5432"?
$ ^Droot@stafdb:~ # service postgresql start
LOG:  could not create IPv6 socket: Protocol not supported
LOG:  ending log output to stderr
HINT:  Future log output will go to log destination "syslog".
root@stafdb:~ # su - postgres
$ psql -l
                             List of databases
   Name    |  Owner   | Encoding | Collate | Ctype |   Access privileges   
-----------+----------+----------+---------+-------+-----------------------
 postgres  | postgres | UTF8     | C       | C     | 
 template0 | postgres | UTF8     | C       | C     | =c/postgres          +
           |          |          |         |       | postgres=CTc/postgres
 template1 | postgres | UTF8     | C       | C     | =c/postgres          +
           |          |          |         |       | postgres=CTc/postgres
(3 rows)

$ 

Have fun!

Links

Install Parabola GNU/Linux on an Encrypted Btrfs Logical Volume

"413px-Gnu10-mascot-logo_100ppi.png"

I finally found time to complete the installation of my Libreboot laptop

I decided to give Parabola GNU/Linux a try as my daily driver to get a fully Free Software Laptop/tablet.

Download the Parabola GNU/Linux iso and boot it

After Parabola GNU/Linux is booted, verify that you have internet access. If the network card is supported and DHCP is enabled on your network you should get a network address.

Network access

To set up the system remotely we first need to set up networking on the system.

Verify the interface

root@parabolaiso ~ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:16:d3:b7:3a:96 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.11/24 brd 192.168.1.255 scope global enp1s0
       valid_lft forever preferred_lft forever
    inet6 fe80::e5db:c85f:4478:1f44/64 scope link 
       valid_lft forever preferred_lft forever
3: wlp2s0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 00:1b:77:4d:5a:57 brd ff:ff:ff:ff:ff:ff
root@parabolaiso ~ # 

Verify internet access

root@parabolaiso ~ # ping -c 3 www.google.be
PING www.google.be (172.217.17.67) 56(84) bytes of data.
64 bytes from ams16s30-in-f3.1e100.net (172.217.17.67): icmp_seq=1 ttl=56 time=91.3 ms
64 bytes from ams16s30-in-f3.1e100.net (172.217.17.67): icmp_seq=2 ttl=56 time=48.7 ms
64 bytes from ams16s30-in-f3.1e100.net (172.217.17.67): icmp_seq=3 ttl=56 time=47.9 ms

--- www.google.be ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 47.998/62.714/91.366/20.264 ms
root@parabolaiso ~ # 

ssh access

If you want to install Parabola GNU/Linux over ssh you need to set a root password and start the sshd service.

root password

root@parabolaiso ~ # passwd root
New password: 
Retype new password: 
passwd: password updated successfully
root@parabolaiso ~ # 

create a user account

Parabola doesn’t allow remote ssh root logins. Create a new account to access the system remotely.

root@parabolaiso ~ # useradd install
root@parabolaiso ~ # passwd install
New password: 
Retype new password: 
passwd: password updated successfully
root@parabolaiso ~ # 

start sshd

root@parabolaiso ~ # systemctl start sshd
root@parabolaiso ~ # 

Logon remotely

[staf@vicky ~]$ ssh install@petronella 
install@petronella's password: 

===============================================================================
                                                                          
         Parabola live media 2016.11.03                                
                                                                          
    To install Parabola, the system must be connected to the internet.    
    For instructions, enter this command:                                 
      lynx network.html                                           
                                                                          
    Press the number keys while holding Alt to switch virtual terminals.  
    This allows entering commands without closing lynx.                   
                                                                          
===============================================================================

Could not chdir to home directory /home/install: No such file or directory
[install@parabolaiso /]$ su -
Password: 
root@parabolaiso ~ # 

Partition your harddisk

Find your harddisk device name

root@parabolaiso ~ # lsblk -o NAME,VENDOR,MODEL,TYPE,SIZE 
NAME                  VENDOR   MODEL            TYPE   SIZE
loop1                                           loop   1.9G
`-parabola_root-image                           dm     1.9G
sdb                   ATA      OCZ-VERTEX2      disk 107.1G
`-sdb1                                          part 107.1G
loop2                                           loop   1.9G
`-parabola_root-image                           dm     1.9G
loop0                                           loop 269.7M
sda                   Kingston DataTraveler 2.0 disk   7.2G
|-sda2                                          part    31M
`-sda1                                          part   613M
root@parabolaiso ~ # 

Overwrite it with random data

Because we are creating an encrypted filesystem, it’s a good idea to overwrite the disk with random data first.

We’ll use badblocks for this. Another method is “dd if=/dev/random of=/dev/xxx”; the “dd” method is probably the better one, but it is a lot slower.

root@parabolaiso ~ # badblocks -c 10240 -s -w -t random -v /dev/sdb


Checking for bad blocks in read-write mode
From block 0 to 112337063
Testing with random pattern: done                                                 
Reading and comparing: done                                                 
Pass completed, 0 bad blocks found. (0/0/0 errors)
badblocks -c 10240 -s -w -t random -v /dev/sdb  82.82s user 20.08s system 3% cpu 48:12.29 total
root@parabolaiso ~ # 

Partition the harddisk

We’ll use LVM in this setup. While it should be possible to boot from an encrypted partition with Libreboot, I create a small unencrypted boot partition.

root@parabolaiso ~ # fdisk /dev/sdb

Welcome to fdisk (util-linux 2.28.2).
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.

Device does not contain a recognized partition table.
Created a new DOS disklabel with disk identifier 0x2640923c.

Command (m for help): p
Disk /dev/sdb: 107.1 GiB, 115033153536 bytes, 224674128 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x2640923c

Command (m for help): n
Partition type
   p   primary (0 primary, 0 extended, 4 free)
   e   extended (container for logical partitions)
Select (default p): p
Partition number (1-4, default 1): 
First sector (2048-224674127, default 2048): 
Last sector, +sectors or +size{K,M,G,T,P} (2048-224674127, default 224674127): +1G

Created a new partition 1 of type 'Linux' and of size 1 GiB.

Command (m for help): n
Partition type
   p   primary (1 primary, 0 extended, 3 free)
   e   extended (container for logical partitions)
Select (default p): p
Partition number (2-4, default 2): 
First sector (2099200-224674127, default 2099200): 
Last sector, +sectors or +size{K,M,G,T,P} (2099200-224674127, default 224674127): 

Created a new partition 2 of type 'Linux' and of size 106.1 GiB.

Command (m for help): p
Disk /dev/sdb: 107.1 GiB, 115033153536 bytes, 224674128 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x2640923c

Device     Boot   Start       End   Sectors   Size Id Type
/dev/sdb1          2048   2099199   2097152     1G 83 Linux
/dev/sdb2       2099200 224674127 222574928 106.1G 83 Linux

Command (m for help): w
The partition table has been altered.
Calling ioctl() to re-read partition table.
Syncing disks.

root@parabolaiso ~ # 

Encrypt the LVM physical volume

Benchmark

We benchmark the encryption to decide which cipher we’ll use.

root@parabolaiso ~ # cryptsetup benchmark
# Tests are approximate using memory only (no storage IO).
PBKDF2-sha1       382134 iterations per second for 256-bit key
PBKDF2-sha256     479239 iterations per second for 256-bit key
PBKDF2-sha512     347671 iterations per second for 256-bit key
PBKDF2-ripemd160  319687 iterations per second for 256-bit key
PBKDF2-whirlpool  221032 iterations per second for 256-bit key
#  Algorithm | Key |  Encryption |  Decryption
     aes-cbc   128b    79.1 MiB/s    93.9 MiB/s
 serpent-cbc   128b    30.0 MiB/s   112.0 MiB/s
 twofish-cbc   128b    77.5 MiB/s   102.5 MiB/s
     aes-cbc   256b    62.7 MiB/s    71.0 MiB/s
 serpent-cbc   256b    30.0 MiB/s   111.9 MiB/s
 twofish-cbc   256b    77.5 MiB/s   102.4 MiB/s
     aes-xts   256b    93.0 MiB/s    93.3 MiB/s
 serpent-xts   256b   100.3 MiB/s   104.5 MiB/s
 twofish-xts   256b    93.8 MiB/s    95.0 MiB/s
     aes-xts   512b    70.5 MiB/s    70.7 MiB/s
 serpent-xts   512b   100.3 MiB/s   104.4 MiB/s
 twofish-xts   512b    93.9 MiB/s    94.9 MiB/s
cryptsetup benchmark  3.91s user 24.02s system 99% cpu 28.093 total
root@parabolaiso ~ # 

Create Luks volume

Serpent in XTS mode with a 512-bit key seems to give pretty good performance, while sha256 gives the best hashing performance.

root@parabolaiso ~ # cryptsetup luksFormat --cipher serpent-xts-plain64 --key-size 512 --hash sha256 --use-random /dev/sdb2 

WARNING!
========
This will overwrite data on /dev/sdb2 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase: 
Verify passphrase: 
root@parabolaiso ~ # 

LVM setup

Create the volumes

Open the LUKS volume

root@parabolaiso ~ #  cryptsetup luksOpen /dev/sdb2 pv
Enter passphrase for /dev/sdb2: 
root@parabolaiso ~ # 

This creates /dev/mapper/pv.

Create the physical volume

root@parabolaiso ~ # pvcreate /dev/mapper/pv                 
  Physical volume "/dev/mapper/pv" successfully created.
root@parabolaiso ~ # 

Show the pv

root@parabolaiso ~ # pvs
  PV             VG Fmt  Attr PSize   PFree  
  /dev/mapper/pv    lvm2 ---  106.13g 106.13g
root@parabolaiso ~ # 

Create the volume group

root@parabolaiso ~ # vgcreate vg /dev/mapper/pv
  Volume group "vg" successfully created
root@parabolaiso ~ # 

Show the created volume group

root@parabolaiso ~ # vgs
  VG #PV #LV #SN Attr   VSize   VFree  
  vg   1   0   0 wz--n- 106.13g 106.13g
root@parabolaiso ~ # 

Create the swap logical volume

root@parabolaiso ~ # lvcreate -L 4G vg -n lv_swap 
  Logical volume "lv_swap" created.
root@parabolaiso ~ # 

Create the root logical volume

root@parabolaiso ~ # lvcreate -L 20G vg -n lv_root   
  Logical volume "lv_root" created.
root@parabolaiso ~ # 

Display the created logical volumes

root@parabolaiso ~ # lvs
  LV      VG Attr       LSize  Pool Origin Data%  Meta%  Move Log Cpy%Sync Convert
  lv_root vg -wi-a----- 20.00g                                                    
  lv_swap vg -wi-a-----  4.00g                                                    
root@parabolaiso ~ # 

Format the logical volumes

Create the swapspace

root@parabolaiso ~ # mkswap /dev/mapper/vg-lv_swap       
Setting up swapspace version 1, size = 4 GiB (4294963200 bytes)
no label, UUID=32f6e5d4-67a3-42e3-8a90-6ee3ae0fdaa3
root@parabolaiso ~ # 

And activate it:

root@parabolaiso ~ # swapon /dev/mapper/vg-lv_swap       
root@parabolaiso ~ # 

Create the root filesystem

root@parabolaiso ~ # mkfs.btrfs /dev/mapper/vg-lv_root       
btrfs-progs v4.8.2
See http://btrfs.wiki.kernel.org for more information.

Detected a SSD, turning off metadata duplication.  Mkfs with -m dup if you want to force metadata duplication.
Label:              (null)
UUID:               
Node size:          16384
Sector size:        4096
Filesystem size:    20.00GiB
Block group profiles:
  Data:             single            8.00MiB
  Metadata:         single            8.00MiB
  System:           single            4.00MiB
SSD detected:       yes
Incompat features:  extref, skinny-metadata
Number of devices:  1
Devices:
   ID        SIZE  PATH
    1    20.00GiB  /dev/mapper/vg-lv_root

root@parabolaiso ~ # 

Create the boot filesystem

root@parabolaiso ~ # mkfs.ext2 /dev/sdb1 
mke2fs 1.43.3 (04-Sep-2016)
Discarding device blocks: done                            
Creating filesystem with 262144 4k blocks and 65536 inodes
Filesystem UUID: e3fd741d-d0e0-483f-a9cd-3fbd3f9d66d1
Superblock backups stored on blocks: 
        32768, 98304, 163840, 229376

Allocating group tables: done                            
Writing inode tables: done                            
Writing superblocks and filesystem accounting information: done

root@parabolaiso ~ # 

Mount the filesystems

Mount the root filesystem:

root@parabolaiso ~ # mount -o noatime,compress=lzo,discard,ssd,defaults /dev/mapper/vg-lv_root /mnt
root@parabolaiso ~ # 

Create the /home and /boot directories

root@parabolaiso ~ # mkdir -p /mnt/{boot,home}

Mount the boot filesystem

root@parabolaiso ~ # mount /dev/sdb1 /mnt/boot
root@parabolaiso ~ # 

Show:

root@parabolaiso ~ # df -h
Filesystem                       Size  Used Avail Use% Mounted on
dev                              1.6G     0  1.6G   0% /dev
run                              1.6G   26M  1.6G   2% /run
/dev/sda1                        613M  613M     0 100% /run/parabolaiso/bootmnt
cowspace                         2.4G  8.9M  2.4G   1% /run/parabolaiso/cowspace
/dev/loop0                       270M  270M     0 100% /run/parabolaiso/sfs/root-image
/dev/mapper/parabola_root-image  1.9G  885M 1003M  47% /
tmpfs                            1.6G     0  1.6G   0% /dev/shm
tmpfs                            1.6G     0  1.6G   0% /sys/fs/cgroup
tmpfs                            1.6G     0  1.6G   0% /tmp
tmpfs                            1.6G  1.6M  1.6G   1% /etc/pacman.d/gnupg
tmpfs                            320M     0  320M   0% /run/user/0
tmpfs                            320M     0  320M   0% /run/user/1001
/dev/mapper/vg-lv_root            20G   17M   20G   1% /mnt
/dev/sdb1                       1008M  1.3M  956M   1% /mnt/boot
root@parabolaiso ~ # 

System installation

Bootstrap the system

root@parabolaiso ~ # pacstrap /mnt base base-devel btrfs-progs
==> Creating install root at /mnt
==> Installing packages to /mnt
:: Synchronizing package databases...
 libre                                              437.7 KiB   228K/s 00:02 [############################################] 100%
 core                                               111.1 KiB   280K/s 00:00 [############################################] 100%
 extra                                             1535.4 KiB   544K/s 00:03 [############################################] 100%
 community                                            3.6 MiB   615K/s 00:06 [############################################] 100%
 pcr                                                620.0 KiB   662K/s 00:01 [############################################] 100%
:: There are 52 members in group base:
:: Repository libre
   1) filesystem  2) licenses  3) linux-libre  4) pacman  5) pacman-mirrorlist  6) systemd-sysvcompat  7) your-freedom
:: Repository core
   8) bash  9) bzip2  10) coreutils  11) cryptsetup  12) device-mapper  13) dhcpcd  14) diffutils  15) e2fsprogs  16) file
   17) findutils  18) gawk  19) gcc-libs  20) gettext  21) glibc  22) grep  23) gzip  24) inetutils  25) iproute2  26) iputils
   27) jfsutils  28) less  29) logrotate  30) lvm2  31) man-db  32) man-pages  33) mdadm  34) nano  35) netctl  36) pciutils
   37) pcmciautils  38) perl  39) procps-ng  40) psmisc  41) reiserfsprogs  42) s-nail  43) sed  44) shadow  45) sysfsutils
   46) tar  47) texinfo  48) usbutils  49) util-linux  50) vi  51) which  52) xfsprogs

Enter a selection (default=all): 

< snip >

(2/7) Updating udev hardware database...
(3/7) Updating system user accounts...
(4/7) Creating temporary files...
(5/7) Arming ConditionNeedsUpdate...
(6/7) Updating the info directory file...
(7/7) Rebuilding certificate stores...
pacstrap /mnt base base-devel btrfs-progs  62.07s user 14.31s system 1% cpu 1:13:22.44 total
root@parabolaiso ~ # 

Generate /etc/fstab

root@parabolaiso ~ # genfstab -U -p /mnt  >> /mnt/etc/fstab
root@parabolaiso ~ # 

review

root@parabolaiso ~ # cat /mnt/etc/fstab
# 
# /etc/fstab: static file system information
#
# <file system> <dir>   <type>  <options>       <dump>  <pass>
# UUID=3731a69b-7240-4618-8e5e-4684d7e719e3
# /dev/mapper/vg-lv_root
UUID=3731a69b-7240-4618-8e5e-4684d7e719e3       /               btrfs           rw,relatime,ssd,space_cache,subvolid=5,subvol=/ 0 0

# /dev/sdb1
UUID=e3fd741d-d0e0-483f-a9cd-3fbd3f9d66d1       /boot           ext2            rw,relatime,block_validity,barrier,user_xattr,acl       0 2

# /dev/mapper/vg-lv_swap
UUID=32f6e5d4-67a3-42e3-8a90-6ee3ae0fdaa3       none            swap            defaults        0 0

root@parabolaiso ~ # 

chroot

root@parabolaiso ~ # arch-chroot /mnt
[root@parabolaiso /]# 

Set the timezone

Set the link for the correct timezone

[root@parabolaiso /]# ln -sf /usr/share/zoneinfo/Europe/Brussels /etc/localtime
[root@parabolaiso /]# 

Set the hardwareclock to UTC

[root@parabolaiso /]# hwclock --systohc --utc
[root@parabolaiso /]# 

Generate the required locales

[root@parabolaiso /]# vi /etc/locale.gen 
[root@parabolaiso /]# local 
local       locale      locale-gen  localectl   localedef   
[root@parabolaiso /]# locale-gen
Generating locales...
  en_IE.UTF-8... done
  en_IE.ISO-8859-1... done
  en_IE.ISO-8859-15@euro... done
  en_US.UTF-8... done
  en_US.ISO-8859-1... done
  nl_BE.UTF-8... done
  nl_BE.ISO-8859-1... done
  nl_BE.ISO-8859-15@euro... done
Generation complete.
[root@parabolaiso /]# 

Hostname

[root@parabolaiso /]# vi /etc/hostname
[root@parabolaiso /]# 

mkinitcpio

HOOKS

Add “encrypt lvm2” to HOOKS, before “filesystems”, in /etc/mkinitcpio.conf:

[root@parabolaiso /]# vi /etc/mkinitcpio.conf

HOOKS="base udev autodetect modconf block encrypt lvm2 filesystems keyboard fsck"

Create boot image

[root@parabolaiso /]#  mkinitcpio -p linux-libre
==> Building image from preset: /etc/mkinitcpio.d/linux-libre.preset: 'default'
  -> -k /boot/vmlinuz-linux-libre -c /etc/mkinitcpio.conf -g /boot/initramfs-linux-libre.img
==> Starting build: 4.10.6-gnu-1
  -> Running build hook: [base]
  -> Running build hook: [udev]
  -> Running build hook: [autodetect]
  -> Running build hook: [modconf]
  -> Running build hook: [block]
  -> Running build hook: [sd-encrypt]
/usr/lib/initcpio/install/sd-encrypt: line 21: add_systemd_unit: command not found
/usr/lib/initcpio/install/sd-encrypt: line 25: add_systemd_unit: command not found
/usr/lib/initcpio/install/sd-encrypt: line 26: add_systemd_unit: command not found
  -> Running build hook: [lvm2]
  -> Running build hook: [filesystems]
  -> Running build hook: [keyboard]
  -> Running build hook: [fsck]
==> Generating module dependencies
==> Creating gzip-compressed initcpio image: /boot/initramfs-linux-libre.img
==> Image generation successful
==> Building image from preset: /etc/mkinitcpio.d/linux-libre.preset: 'fallback'
  -> -k /boot/vmlinuz-linux-libre -c /etc/mkinitcpio.conf -g /boot/initramfs-linux-libre-fallback.img -S autodetect
==> Starting build: 4.10.6-gnu-1
  -> Running build hook: [base]
  -> Running build hook: [udev]
  -> Running build hook: [modconf]
  -> Running build hook: [block]
==> WARNING: Possibly missing firmware for module: isci
  -> Running build hook: [sd-encrypt]
/usr/lib/initcpio/install/sd-encrypt: line 21: add_systemd_unit: command not found
/usr/lib/initcpio/install/sd-encrypt: line 25: add_systemd_unit: command not found
/usr/lib/initcpio/install/sd-encrypt: line 26: add_systemd_unit: command not found
  -> Running build hook: [lvm2]
  -> Running build hook: [filesystems]
  -> Running build hook: [keyboard]
  -> Running build hook: [fsck]
==> Generating module dependencies
==> Creating gzip-compressed initcpio image: /boot/initramfs-linux-libre-fallback.img
==> Image generation successful
[root@parabolaiso /]# 

set the root password

[root@parabolaiso /]# passwd root
New password: 
Retype new password: 
passwd: password updated successfully
[root@parabolaiso /]# 

GRUB

install Grub

[root@parabolaiso /]#  pacman -Sy grub
:: Synchronizing package databases...
 libre is up to date
 core is up to date
 extra is up to date
 community is up to date
 pcr is up to date
resolving dependencies...
looking for conflicting packages...

Packages (1) grub-1:2.02.rc2-1.parabola1

Total Download Size:    6.04 MiB
Total Installed Size:  35.87 MiB

:: Proceed with installation? [Y/n] 
:: Retrieving packages...
 grub-1:2.02.rc2-1.parabola1-x86_64                   6.0 MiB   128K/s 00:48 [############################################] 100%
(1/1) checking keys in keyring                                               [############################################] 100%
(1/1) checking package integrity                                             [############################################] 100%
(1/1) loading package files                                                  [############################################] 100%
(1/1) checking for file conflicts                                            [############################################] 100%
(1/1) checking available disk space                                          [############################################] 100%
:: Processing package changes...
(1/1) installing grub                                                        [############################################] 100%
Generating grub.cfg.example config file...
This may fail on some machines running a custom kernel.
done.
Optional dependencies for grub
    freetype2: For grub-mkfont usage
    fuse: For grub-mount usage
    dosfstools: For grub-mkrescue FAT FS and EFI support
    efibootmgr: For grub-install EFI support
    libisoburn: Provides xorriso for generating grub rescue iso using grub-mkrescue
    os-prober: To detect other OSes when generating grub.cfg in BIOS systems
    mtools: For grub-mkrescue FAT FS support
:: Running post-transaction hooks...
(1/2) Arming ConditionNeedsUpdate...
(2/2) Updating the info directory file...
[root@parabolaiso /]# 

Install grub to your boot disk

[root@parabolaiso /]# grub-install --target=i386-pc /dev/sdb
Installing for i386-pc platform.
Installation finished. No error reported.
[root@parabolaiso /]# 

Create grub.cfg

We’ll use the UUID of the encrypted device.

Get the UUID for the encrypted physical volume

[root@parabolaiso /]# ls -l /dev/disk/by-uuid/
total 0
lrwxrwxrwx 1 root root 10 Apr  3 10:07 2016-11-03-15-52-21-00 -> ../../sda1
lrwxrwxrwx 1 root root 10 Apr  3 10:09 32f6e5d4-67a3-42e3-8a90-6ee3ae0fdaa3 -> ../../dm-2
lrwxrwxrwx 1 root root 10 Apr  3 10:09 3731a69b-7240-4618-8e5e-4684d7e719e3 -> ../../dm-3
lrwxrwxrwx 1 root root 10 Apr  3 10:07 BD3C-9D8E -> ../../sda2
lrwxrwxrwx 1 root root 10 Apr  3 10:07 e3fd741d-d0e0-483f-a9cd-3fbd3f9d66d1 -> ../../sdb1
lrwxrwxrwx 1 root root 10 Apr  3 10:09 eb600d4a-a2fd-4698-8847-14e6dc1b5e6c -> ../../sdb2
lrwxrwxrwx 1 root root 10 Apr  3 10:07 f6312bc5-7593-4b6d-8427-0cf92d9de40b -> ../../dm-0
[root@parabolaiso /]# 

Update /etc/default/grub

GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="Parabola"
GRUB_CMDLINE_LINUX_DEFAULT="quiet"
GRUB_CMDLINE_LINUX="cryptdevice=/dev/disk/by-uuid/eb600d4a-a2fd-4698-8847-14e6dc1b5e6c:pv"

Generate grub.cfg

[root@parabolaiso /]# grub-mkconfig -o /boot/grub/grub.cfg
Generating grub configuration file ...
  WARNING: Failed to connect to lvmetad. Falling back to device scanning.
  WARNING: Failed to connect to lvmetad. Falling back to device scanning.
  WARNING: Failed to connect to lvmetad. Falling back to device scanning.
  WARNING: Failed to connect to lvmetad. Falling back to device scanning.
  WARNING: Failed to connect to lvmetad. Falling back to device scanning.
  WARNING: Failed to connect to lvmetad. Falling back to device scanning.
  WARNING: Failed to connect to lvmetad. Falling back to device scanning.
  WARNING: Failed to connect to lvmetad. Falling back to device scanning.
  WARNING: Failed to connect to lvmetad. Falling back to device scanning.
  WARNING: Failed to connect to lvmetad. Falling back to device scanning.
Found linux image: /boot/vmlinuz-linux-libre
Found initrd image: /boot/initramfs-linux-libre.img
Found fallback initramfs image: /boot/initramfs-linux-libre-fallback.img
  WARNING: Failed to connect to lvmetad. Falling back to device scanning.
  WARNING: Failed to connect to lvmetad. Falling back to device scanning.
done
[root@parabolaiso /]# 

Reboot

[root@parabolaiso /]# exit
root@parabolaiso ~ # umount /mnt/boot
root@parabolaiso ~ # umount /mnt/    
root@parabolaiso ~ # lvchange -an /dev/vg/lv_root  
root@parabolaiso ~ # swapoff /dev/vg/lv_swap
root@parabolaiso ~ # lvchange -an /dev/vg/lv_swap
root@parabolaiso ~ # cryptsetup luksClose  /dev/mapper/pv
root@parabolaiso ~ # reboot
Connection to petronella closed by remote host.
Connection to petronella closed.
[staf@vicky octopress]$ 
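Before typing reboot it is worth checking the three things that otherwise only show up as a rescue shell on the first boot: the hook order in mkinitcpio.conf, the cryptdevice= UUID in /etc/default/grub, and the UUIDs in /etc/fstab. The script below is an added example, not code from the original post; it parses the HOOKS line, the GRUB_CMDLINE_LINUX line and the ls -l /dev/disk/by-uuid listing shown above, assumes POSIX sh, sed and awk, and the file name pre-reboot-check.sh is made up.

```shell
#!/bin/sh
# Added example, not part of the original post: pre-reboot sanity checks for the
# encrypt + lvm2 layout built above. Each check takes text as its argument, so it
# runs against the real files inside the chroot or against constructed input.
# Assumes POSIX sh, sed and awk; the script name pre-reboot-check.sh is made up.

# hooks_ok HOOKS_LINE
# Returns 0 when the mkinitcpio HOOKS line lists block, encrypt, lvm2 and
# filesystems in that order: block exposes the LUKS partition, encrypt unlocks
# it, lvm2 activates the volume group, filesystems mounts the root LV.
hooks_ok() {
    hooks=$(printf '%s\n' "$1" | sed -n 's/^HOOKS="\(.*\)"$/\1/p')
    [ -n "$hooks" ] || return 1
    last=0
    for want in block encrypt lvm2 filesystems; do
        i=0
        pos=0
        for h in $hooks; do
            i=$((i + 1))
            if [ "$h" = "$want" ]; then pos=$i; fi
        done
        # pos=0 means the hook is missing; pos<=last means it is out of order
        [ "$pos" -gt "$last" ] || return 1
        last=$pos
    done
    return 0
}

# cryptdevice_uuid_ok CMDLINE_LINE BYUUID_LISTING DEV
# Returns 0 when GRUB_CMDLINE_LINUX carries cryptdevice=/dev/disk/by-uuid/<uuid>:<name>
# and <uuid> resolves to DEV (sdb2 in the post) in the `ls -l /dev/disk/by-uuid`
# listing. Pointing cryptdevice at the wrong UUID (e.g. the /boot partition)
# leaves the initramfs without a root filesystem to unlock.
cryptdevice_uuid_ok() {
    uuid=$(printf '%s\n' "$1" | sed -n 's|.*cryptdevice=/dev/disk/by-uuid/\([^:" ]*\):.*|\1|p')
    [ -n "$uuid" ] || return 1
    # listing lines: "lrwxrwxrwx 1 root root 10 Apr  3 10:09 <uuid> -> ../../sdb2"
    target=$(printf '%s\n' "$2" | awk -v u="$uuid" \
        'NF >= 3 && $(NF-2) == u { sub(/.*\//, "", $NF); print $NF }')
    [ "$target" = "$3" ]
}

# fstab_uuids_ok FSTAB_TEXT BYUUID_LISTING
# Returns 0 when every UUID= device in fstab exists in the by-uuid listing. A
# filesystem recreated after genfstab ran gets a new UUID, and the stale entry
# drops the first boot into emergency mode.
fstab_uuids_ok() {
    for u in $(printf '%s\n' "$1" | sed -n 's/^UUID=\([^[:space:]]*\).*/\1/p'); do
        printf '%s\n' "$2" | awk -v u="$u" \
            'NF >= 3 && $(NF-2) == u { found = 1 } END { exit found ? 0 : 1 }' || return 1
    done
    return 0
}

# Stand-alone use inside the chroot, after grub-mkconfig and before reboot;
# the single argument is the LUKS partition:   sh pre-reboot-check.sh sdb2
if [ "$#" -eq 1 ]; then
    listing=$(ls -l /dev/disk/by-uuid/)
    hooks_ok "$(grep '^HOOKS=' /etc/mkinitcpio.conf)" \
        || { echo "HOOKS must list block, encrypt, lvm2, filesystems in that order" >&2; exit 1; }
    cryptdevice_uuid_ok "$(grep '^GRUB_CMDLINE_LINUX=' /etc/default/grub)" "$listing" "$1" \
        || { echo "cryptdevice= in /etc/default/grub does not resolve to $1" >&2; exit 1; }
    fstab_uuids_ok "$(cat /etc/fstab)" "$listing" \
        || { echo "/etc/fstab names a UUID that does not exist" >&2; exit 1; }
    echo "pre-reboot checks passed"
fi
```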

First boot

If everything goes well GNU/Linux boots… if not, you’ll have some fun resolving the boot issues :-)

Have fun!

Links

How to Install Libreboot on a ThinkPad X60


 
I got a ThinkPad X60 (tablet version) from ebay.be to install libreboot on it.

I tried to compile libreboot on Debian and Parabola GNU/Linux but both failed; compiling Libreboot on Trisquel 7 works fine, so I’ll use Trisquel to replace the BIOS with libreboot.

I’m not sure that I’ll use Trisquel 7 as my daily driver since it is a bit outdated… I might go with Debian Stretch without the non-free repositories to get a fully Free Software laptop/tablet. I’ll need to replace the Intel wifi adapter since it requires non-free firmware.

You’ll find a small howto on installing libreboot on a ThinkPad X60 below.


"Thinkpad x60 open"

Build Libreboot

The latest version of libreboot isn’t available as a binary distribution, so I decided to build it from source.

Download the Libreboot source

Download the latest libreboot image from https://libreboot.org/download/

Download the source tarball

staf@petronella:~/libreboot$ wget https://libreboot.org/release/stable/20160907/libreboot_r20160907_src.tar.xz
--2017-02-11 10:24:41--  https://libreboot.org/release/stable/20160907/libreboot_r20160907_src.tar.xz
Resolving libreboot.org (libreboot.org)... 149.56.232.100
Connecting to libreboot.org (libreboot.org)|149.56.232.100|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 438622508 (418M) [application/x-xz]
Saving to: libreboot_r20160907_src.tar.xz

100%[==========================================================>] 438.622.508  541KB/s   in 18m 35s


2017-02-11 10:43:17 (384 KB/s) - libreboot_r20160907_src.tar.xz saved [438622508/438622508]

staf@petronella:~/libreboot$ 

Verify

As always, verify the checksums and the gpg signature; the gpg public key is available at: https://libreboot.org/gpg/

Download the SHA512SUMS and SHA512SUMS.sig

staf@petronella:~/libreboot$ wget https://libreboot.org/release/stable/20160907/SHA512SUMS
--2017-02-11 10:52:23--  https://libreboot.org/release/stable/20160907/SHA512SUMS
Resolving libreboot.org (libreboot.org)... 149.56.232.100
Connecting to libreboot.org (libreboot.org)|149.56.232.100|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5112 (5,0K) [application/octet-stream]
Saving to: 'SHA512SUMS'

100%[=====================================================================================================================================================================================================>] 5.112       --.-K/s   in 0,006s

2017-02-11 10:52:24 (852 KB/s) - 'SHA512SUMS' saved [5112/5112]

staf@petronella:~/libreboot$ wget https://libreboot.org/release/stable/20160907/SHA512SUMS.sig
--2017-02-11 10:52:39--  https://libreboot.org/release/stable/20160907/SHA512SUMS.sig
Resolving libreboot.org (libreboot.org)... 149.56.232.100
Connecting to libreboot.org (libreboot.org)|149.56.232.100|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 543 [application/pgp-signature]
Saving to: 'SHA512SUMS.sig'

100%[=====================================================================================================================================================================================================>] 543         --.-K/s   in 0s      

2017-02-11 10:52:39 (11,4 MB/s) - 'SHA512SUMS.sig' saved [543/543]

staf@petronella:~/libreboot$ 

Import the public gpg key

staf@petronella:~/libreboot$ gpg --recv-keys 0x05E8C5B2
gpg: directory `/home/staf/.gnupg' created
gpg: new configuration file `/home/staf/.gnupg/gpg.conf' created
gpg: WARNING: options in `/home/staf/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/home/staf/.gnupg/secring.gpg' created
gpg: keyring `/home/staf/.gnupg/pubring.gpg' created
gpg: no keyserver known (use option --keyserver)
gpg: keyserver receive failed: bad URI
staf@petronella:~/libreboot$ gpg --recv-keys 0x05E8C5B2
gpg: requesting key 05E8C5B2 from hkp server keys.gnupg.net
gpg: /home/staf/.gnupg/trustdb.gpg: trustdb created
gpg: key 05E8C5B2: public key "Leah Rowe (Libreboot signing key) <info@minifree.org>" imported
gpg: key 05E8C5B2: public key "Leah Rowe (Libreboot signing key) <info@minifree.org>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 2
gpg:               imported: 2  (RSA: 2)
staf@petronella:~/libreboot$ 

Verify the checksum file

staf@petronella:~/libreboot$ gpg --verify SHA512SUMS.sig SHA512SUMS
gpg: Signature made Don 08 Sep 2016 00:15:17 CEST using RSA key ID 05E8C5B2
gpg: Good signature from "Leah Rowe (Libreboot signing key) <info@minifree.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: CDC9 CAE3 2CB4 B7FC 84FD  C804 969A 9795 05E8 C5B2
staf@petronella:~/libreboot$ 

Verify the checksum

staf@petronella:~/libreboot$ sha512sum -c SHA512SUMS | head -2
sha512sum: ./libreboot_r20160907_util.tar.xz: No such file or directory
sha512sum: ./rom/depthcharge/libreboot_r20160907_depthcharge_veyron_speedy.tar.xz: No such file or directory
sha512sum: ./rom/grub/libreboot_r20160907_grub_d510mo.tar.xz: No such file or directory
sha512sum: ./libreboot_r20160907_src.tar.xz: OK
./rom/grub/libreboot_r20160907_grub_ga-g41m-es2l.tar.xz./libreboot_r20160907_util.tar.xz: FAILED open or read
: No such file or directory
staf@petronella:~/libreboot$ 
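
The two checks above are worth tightening: gpg prints "Good signature" even for an uncertified key, and sha512sum -c buries the one real result among "No such file" errors for archives that were never downloaded. The following script is an added example, not from the original post; it pins the fingerprint printed by gpg --verify above (spaces removed) and checks only the files that are present. It assumes gpg and sha512sum are on PATH, and the status lines it embeds are constructed samples.

```shell
#!/bin/sh
# Added example, not part of the original post: pin the signer's fingerprint and
# check only the archives that were actually downloaded.
# Assumptions: gpg and sha512sum are on PATH; EXPECTED_FPR is the fingerprint
# printed by gpg --verify in the session above, with the spaces removed.
set -u

EXPECTED_FPR="CDC9CAE32CB4B7FC84FDC804969A979505E8C5B2"

# check_validsig STATUS_TEXT EXPECTED_FPR
# Parses gpg's machine-readable status lines and succeeds only when a VALIDSIG
# line names the expected primary-key fingerprint (its last field). Pure text
# processing, so it can be exercised without gpg.
check_validsig() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && $NF == want { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# verify_sums_signature SIGFILE SUMSFILE
# Runs the same gpg --verify as above but reads the status lines instead of
# the human-readable output, then pins the fingerprint.
verify_sums_signature() {
    status=$(gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null) || true
    check_validsig "$status" "$EXPECTED_FPR"
}

# check_present_files SUMSFILE
# Feeds sha512sum -c only the entries whose file exists, so a missing optional
# archive cannot be confused with, or hide, a checksum mismatch. Fails if none
# of the listed files is present.
check_present_files() {
    present=$(
        while read -r hash path; do
            if [ -f "$path" ]; then
                printf '%s  %s\n' "$hash" "$path"
            fi
        done < "$1"
    )
    if [ -z "$present" ]; then
        echo "none of the files listed in $1 is present" >&2
        return 1
    fi
    printf '%s\n' "$present" | sha512sum -c --quiet
}

# Constructed sample of gpg --status-fd output for the signature in the session
# above (timestamps and option fields are illustrative, not captured).
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 969A979505E8C5B2 Leah Rowe (Libreboot signing key) <info@minifree.org>
[GNUPG:] VALIDSIG CDC9CAE32CB4B7FC84FDC804969A979505E8C5B2 2016-09-07 1473286517 0 4 0 1 10 00 CDC9CAE32CB4B7FC84FDC804969A979505E8C5B2
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Constructed: a "Good signature" from some other key must not pass.
SAMPLE_STATUS_OTHER_KEY='[GNUPG:] GOODSIG 0123456789ABCDEF Somebody Else <constructed@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2016-09-07 1473286517 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp'

if [ "${1:-}" = "--demo" ]; then
    check_validsig "$SAMPLE_STATUS" "$EXPECTED_FPR" && echo "sample: fingerprint pinned OK"
    check_validsig "$SAMPLE_STATUS_OTHER_KEY" "$EXPECTED_FPR" || echo "sample: other key rejected"
    verify_sums_signature SHA512SUMS.sig SHA512SUMS && check_present_files SHA512SUMS
fi
```

Run it with `--demo` in the directory holding SHA512SUMS and SHA512SUMS.sig; a downloaded archive that does not match its checksum makes the last line fail.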

Build the modules

Git

It’s required to have git installed and to set the user email & name. If you don’t do this, the compilation will fail.

Install git

staf@petronella:~/libreboot$ sudo apt-get install git
[sudo] password for staf: 
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following extra packages will be installed:
  git-man liberror-perl
Suggested packages:
  git-daemon-run git-daemon-sysvinit git-doc git-el git-email git-gui gitk
  gitweb git-arch git-bzr git-cvs git-mediawiki git-svn
The following NEW packages will be installed:
  git git-man liberror-perl
0 upgraded, 3 newly installed, 0 to remove and 0 not upgraded.
Need to get 3.306 kB of archives.
After this operation, 21,9 MB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://fr.archive.trisquel.info/trisquel/ belenos/main liberror-perl all 0.17-1.1 [21,1 kB]
Get:2 http://fr.archive.trisquel.info/trisquel/ belenos-security/main git-man all 1:1.9.1-1ubuntu0.3 [699 kB]
Get:3 http://fr.archive.trisquel.info/trisquel/ belenos-security/main git amd64 1:1.9.1-1ubuntu0.3 [2.586 kB]
Fetched 3.306 kB in 4s (723 kB/s)
Selecting previously unselected package liberror-perl.
(Reading database ... 206214 files and directories currently installed.)
Preparing to unpack .../liberror-perl_0.17-1.1_all.deb ...
Unpacking liberror-perl (0.17-1.1) ...
Selecting previously unselected package git-man.
Preparing to unpack .../git-man_1%3a1.9.1-1ubuntu0.3_all.deb ...
Unpacking git-man (1:1.9.1-1ubuntu0.3) ...
Selecting previously unselected package git.
Preparing to unpack .../git_1%3a1.9.1-1ubuntu0.3_amd64.deb ...
Unpacking git (1:1.9.1-1ubuntu0.3) ...
Processing triggers for man-db (2.6.7.1-1ubuntu1) ...
Setting up liberror-perl (0.17-1.1) ...
Setting up git-man (1:1.9.1-1ubuntu0.3) ...
Setting up git (1:1.9.1-1ubuntu0.3) ...
staf@petronella:~/libreboot$ 

Set the git user name and email address.

staf@petronella:~/libreboot$ git config --global user.email "staf@wagemakers.be"
staf@petronella:~/libreboot$ git config --global user.name "staf wagemakers"
staf@petronella:~/libreboot$ 

Extract the source

staf@petronella:~/libreboot$ tar xf libreboot_r20160907_src.tar.xz 
staf@petronella:~/libreboot$ 

Install the dependencies

cd into the extracted directory

staf@petronella:~/libreboot$ ls
SHA512SUMS  SHA512SUMS.sig  libreboot_r20160907_src  libreboot_r20160907_src.tar.xz
staf@petronella:~/libreboot$ cd libreboot_r20160907_src

Run ./build dependencies trisquel7 to install the software dependencies.

staf@petronella:~/libreboot/libreboot_r20160907_src$ sudo ./build dependencies trisquel7
Reading package lists... Done
Building dependency tree       
Reading state information... Done
wget is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Reading package lists... Done
Building dependency tree       
Reading state information... Done
git is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following extra packages will be installed:
  fonts-lmodern fonts-texgyre latex-beamer latex-xcolor libintl-perl
  liblua5.1-0 libpaper-utils libptexenc1 libruby1.9.1 libtext-unidecode-perl
  libxml-libxml-perl libxml-namespacesupport-perl libxml-sax-base-perl
  libxml-sax-expat-perl libxml-sax-perl libyaml-0-2 lmodern luatex pandoc-data
  pgf prosper ps2eps ruby ruby1.9.1 tcl tcl8.6 tex-common tex-gyre
  texlive-base texlive-binaries texlive-extra-utils texlive-font-utils

< snip >

(Reading database ... 236394 files and directories currently installed.)
Preparing to unpack .../lib32z1_1%3a1.2.8.dfsg-1ubuntu1_amd64.deb ...
Unpacking lib32z1 (1:1.2.8.dfsg-1ubuntu1) ...
Selecting previously unselected package lib32z1-dev.
Preparing to unpack .../lib32z1-dev_1%3a1.2.8.dfsg-1ubuntu1_amd64.deb ...
Unpacking lib32z1-dev (1:1.2.8.dfsg-1ubuntu1) ...
Setting up lib32z1 (1:1.2.8.dfsg-1ubuntu1) ...
Setting up lib32z1-dev (1:1.2.8.dfsg-1ubuntu1) ...
Processing triggers for libc-bin (2.19-0ubuntu6.9) ...
staf@petronella:~/libreboot/libreboot_r20160907_src$ 

Build module all

Build the modules by executing ./build module all.

staf@petronella:~/libreboot/libreboot/libreboot_r20160907_src$ ./build module all
Building bucts
rm -f bucts bucts.o
gcc  -DVERSION='"withoutgit"' -c bucts.c
gcc -o bucts bucts.o  -lpci


Building the utilities in coreboot
make: Entering directory `/home/staf/libreboot/libreboot_r20160907_src/coreboot/15fca66bf08db45937ce88b950491963654805b9/15fca66bf08db45937ce88b950491963654805b9/util/cbfstool'
    HOSTCC     cbfstool/cbfstool.o
    HOSTCC     cbfstool/common.o
    HOSTCC     cbfstool/compress.o
    HOSTCC     cbfstool/cbfs_hash.o
    HOSTCC     cbfstool/cbfs_image.o
    HOSTCC     cbfstool/cbfs-mkstage.o
    HOSTCC     cbfstool/cbfs-mkpayload.o
    HOSTCC     cbfstool/elfheaders.o
    HOSTCC     cbfstool/rmodule.o
    HOSTCC     cbfstool/xdr.o
    HOSTCC     cbfstool/fit.o
    HOSTCC     cbfstool/partitioned_file.o

< snip >

  Compile checking out/vgasrc/stdvgamodes.o
  Compile checking out/vgasrc/stdvgaio.o
  Compile checking out/vgasrc/clext.o
  Compile checking out/vgasrc/bochsvga.o
  Compile checking out/vgasrc/geodevga.o
  Compile checking out/vgasrc/cbvga.o
  Compiling whole program out/vgaccode16.raw.s
  Fixup VGA rom assembler
  Compiling (16bit) out/vgaentry.o
  Precompiling out/vgasrc/vgalayout.lds
  Linking out/vgarom.o
Version: ?-20170211_123929-petronella
  Extracting binary out/vgabios.bin.raw
  Finalizing rom out/vgabios.bin
staf@petronella:~/libreboot/libreboot_r20160907_src$ 

Build the ROMS

staf@petronella:~/libreboot/libreboot_r20160907_src$ ./build roms withgrub
Building ROM images with the GRUB payload
Creating GRUB ELF executable for configuration 'txtmode'


Creating GRUB ELF executable for configuration 'vesafb'


GRUB Helper script: build ROM images for 'd510mo'
M       3rdparty/vboot
Switched to branch 'grub_d510mo'
Switched to branch 'grub_d510mo'
No submodule mapping found in .gitmodules for path '3rdparty/vboot'
No submodule mapping found in .gitmodules for path '3rdparty/vboot'

< snip >

12288 bytes (12 kB) copied, 0,026113 s, 471 kB/s
12288+0 records in
12288+0 records out
12288 bytes (12 kB) copied, 0,0259776 s, 473 kB/s
12288+0 records in
12288+0 records out
12288 bytes (12 kB) copied, 0,0261767 s, 469 kB/s
12288+0 records in
12288+0 records out
12288 bytes (12 kB) copied, 0,0261144 s, 471 kB/s
12288+0 records in
12288+0 records out
12288 bytes (12 kB) copied, 0,0282761 s, 435 kB/s
12288+0 records in
12288+0 records out
12288 bytes (12 kB) copied, 0,0271539 s, 453 kB/s
12288+0 records in
12288+0 records out
12288 bytes (12 kB) copied, 0,0295147 s, 416 kB/s


staf@petronella:~/libreboot/libreboot_r20160907_src$ 

The ROM build command creates a bin directory; verify that the required ROMs are available.

staf@petronella:~/libreboot/libreboot_r20160907_src$ cd bin/
staf@petronella:~/libreboot/libreboot_r20160907_src/bin$ ls -l
total 4
drwxrwxr-x 23 staf staf 4096 Feb  11 15:58 grub
staf@petronella:~/libreboot/libreboot_r20160907_src/bin$ cd grub/
staf@petronella:~/libreboot/libreboot_r20160907_src/bin/grub$ ls -l
total 84
drwxrwxr-x 2 staf staf 4096 Feb  11 15:28 d510mo
drwxrwxr-x 2 staf staf 4096 Feb  11 15:29 ga-g41m-es2l
drwxrwxr-x 2 staf staf 4096 Feb  11 15:30 kcma-d8
drwxrwxr-x 2 staf staf 4096 Feb  11 15:31 kgpe-d16
drwxrwxr-x 2 staf staf 4096 Feb  11 15:32 macbook21
drwxrwxr-x 2 staf staf 4096 Feb  11 15:33 qemu_i440fx_piix4
drwxrwxr-x 2 staf staf 4096 Feb  11 15:34 qemu_q35_ich9
drwxrwxr-x 2 staf staf 4096 Feb  11 15:59 r400_16mb
drwxrwxr-x 2 staf staf 4096 Feb  11 15:59 r400_4mb
drwxrwxr-x 2 staf staf 4096 Feb  11 15:59 r400_8mb
drwxrwxr-x 2 staf staf 4096 Feb  11 15:59 t400_16mb
drwxrwxr-x 2 staf staf 4096 Feb  11 15:59 t400_4mb
drwxrwxr-x 2 staf staf 4096 Feb  11 15:59 t400_8mb
drwxrwxr-x 2 staf staf 4096 Feb  11 15:59 t500_16mb
drwxrwxr-x 2 staf staf 4096 Feb  11 15:59 t500_4mb
drwxrwxr-x 2 staf staf 4096 Feb  11 15:59 t500_8mb
drwxrwxr-x 2 staf staf 4096 Feb  11 15:58 t60
drwxrwxr-x 2 staf staf 4096 Feb  11 15:59 x200_16mb
drwxrwxr-x 2 staf staf 4096 Feb  11 15:58 x200_4mb
drwxrwxr-x 2 staf staf 4096 Feb  11 15:58 x200_8mb
drwxrwxr-x 2 staf staf 4096 Feb  11 15:58 x60
staf@petronella:~/libreboot/libreboot_r20160907_src/bin/grub$ 
staf@petronella:~/libreboot/libreboot_r20160907_src/bin/grub$ cd x60
staf@petronella:~/libreboot/libreboot_r20160907_src/bin/grub/x60$ ls -l
total 40960
-rw-rw-r-- 1 staf staf 2097152 Feb  11 15:58 x60_deqwertz_txtmode.rom
-rw-rw-r-- 1 staf staf 2097152 Feb  11 15:58 x60_deqwertz_vesafb.rom
-rw-rw-r-- 1 staf staf 2097152 Feb  11 15:58 x60_esqwerty_txtmode.rom
-rw-rw-r-- 1 staf staf 2097152 Feb  11 15:58 x60_esqwerty_vesafb.rom
-rw-rw-r-- 1 staf staf 2097152 Feb  11 15:58 x60_frazerty_txtmode.rom
-rw-rw-r-- 1 staf staf 2097152 Feb  11 15:58 x60_frazerty_vesafb.rom
-rw-rw-r-- 1 staf staf 2097152 Feb  11 15:58 x60_frdvbepo_txtmode.rom
-rw-rw-r-- 1 staf staf 2097152 Feb  11 15:58 x60_frdvbepo_vesafb.rom
-rw-rw-r-- 1 staf staf 2097152 Feb  11 15:58 x60_itqwerty_txtmode.rom
-rw-rw-r-- 1 staf staf 2097152 Feb  11 15:58 x60_itqwerty_vesafb.rom
-rw-rw-r-- 1 staf staf 2097152 Feb  11 15:58 x60_svenska_txtmode.rom
-rw-rw-r-- 1 staf staf 2097152 Feb  11 15:58 x60_svenska_vesafb.rom
-rw-rw-r-- 1 staf staf 2097152 Feb  11 15:58 x60_ukdvorak_txtmode.rom
-rw-rw-r-- 1 staf staf 2097152 Feb  11 15:58 x60_ukdvorak_vesafb.rom
-rw-rw-r-- 1 staf staf 2097152 Feb  11 15:58 x60_ukqwerty_txtmode.rom
-rw-rw-r-- 1 staf staf 2097152 Feb  11 15:58 x60_ukqwerty_vesafb.rom
-rw-rw-r-- 1 staf staf 2097152 Feb  11 15:58 x60_usdvorak_txtmode.rom
-rw-rw-r-- 1 staf staf 2097152 Feb  11 15:58 x60_usdvorak_vesafb.rom
-rw-rw-r-- 1 staf staf 2097152 Feb  11 15:58 x60_usqwerty_txtmode.rom
-rw-rw-r-- 1 staf staf 2097152 Feb  11 15:58 x60_usqwerty_vesafb.rom

Libreboot Installation

Backup

Backups are important. We’ll first back up the original proprietary BIOS before we free the laptop and install Free Software firmware.

The documentation that I found (see Links below) describes that the backup has 2 steps: flashrom_lenovobios_sst and flashrom_lenovobios_macronix.

The flashrom_lenovobios_macronix command fails on my Laptop/Tablet, but I decided to continue with the installation since I didn’t pay a lot for the laptop on ebay.be.

staf@petronella:~/libreboot/libreboot_r20160907_src$ sudo flashrom/flashrom_lenovobios_sst -p internal -r factory.bin
[sudo] password for staf: 
flashrom v0.9.9-unknown on Linux 3.13.0-108-lowlatency (x86_64)
flashrom is free software, get the source code at https://flashrom.org

Calibrating delay loop... OK.
Found chipset "Intel ICH7M".
Enabling flash write... WARNING: SPI Configuration Lockdown activated.
OK.
Found SST flash chip "SST25VF016B" (2048 kB, SPI) mapped at physical address 0x00000000ffe00000.
Reading flash... done.
staf@petronella:~/libreboot/libreboot_r20160907_src$ 
staf@petronella:~/libreboot/libreboot_r20160907_src/flashrom$ sudo ./flashrom_lenovobios_macronix -p internal -r factory.bin
flashrom v0.9.9-unknown on Linux 3.13.0-108-lowlatency (x86_64)
flashrom is free software, get the source code at https://flashrom.org

Calibrating delay loop... OK.
Found chipset "Intel ICH7M".
Enabling flash write... WARNING: SPI Configuration Lockdown activated.
OK.
No EEPROM/flash device found.
Note: flashrom can never write if the flash chip isn't found automatically.
staf@petronella:~/libreboot/libreboot_r20160907_src/flashrom$ 

Install the rom

staf@petronella:~/libreboot/libreboot_r20160907_src$ sudo ./flash i945lenovo_firstflash bin/grub/x
x200_16mb/ x200_4mb/  x200_8mb/  x60/       
staf@petronella:~/libreboot/libreboot_r20160907_src$ sudo ./flash i945lenovo_firstflash bin/grub/x60/x60_
x60_deqwertz_txtmode.rom  x60_frazerty_txtmode.rom  x60_itqwerty_txtmode.rom  x60_ukdvorak_txtmode.rom  x60_usdvorak_txtmode.rom
x60_deqwertz_vesafb.rom   x60_frazerty_vesafb.rom   x60_itqwerty_vesafb.rom   x60_ukdvorak_vesafb.rom   x60_usdvorak_vesafb.rom
x60_esqwerty_txtmode.rom  x60_frdvbepo_txtmode.rom  x60_svenska_txtmode.rom   x60_ukqwerty_txtmode.rom  x60_usqwerty_txtmode.rom
x60_esqwerty_vesafb.rom   x60_frdvbepo_vesafb.rom   x60_svenska_vesafb.rom    x60_ukqwerty_vesafb.rom   x60_usqwerty_vesafb.rom
staf@petronella:~/libreboot/libreboot_r20160907_src$ sudo ./flash i945lenovo_firstflash bin/grub/x60/x60_us
x60_usdvorak_txtmode.rom  x60_usdvorak_vesafb.rom   x60_usqwerty_txtmode.rom  x60_usqwerty_vesafb.rom   
staf@petronella:~/libreboot/libreboot_r20160907_src$ sudo ./flash i945lenovo_firstflash bin/grub/x60/x60_usqwerty_vesafb.rom 
[sudo] password for staf: 
Mode selected: i945lenovo_firstflash
bucts utility version 'withoutgit'
Using LPC bridge 8086:27b9 at 0000:1f.00
Current BUC.TS=0 - 128kb address range 0xFFFE0000-0xFFFFFFFF is untranslated
Updated BUC.TS=1 - 64kb address ranges at 0xFFFE0000 and 0xFFFF0000 are swapped
flashrom v0.9.9-unknown on Linux 3.13.0-108-lowlatency (x86_64)
flashrom is free software, get the source code at https://flashrom.org

Calibrating delay loop... OK.
Found chipset "Intel ICH7M".
Enabling flash write... WARNING: SPI Configuration Lockdown activated.
OK.
Found SST flash chip "SST25VF016B" (2048 kB, SPI) mapped at physical address 0x00000000ffe00000.
Reading old flash chip contents... done.
Erasing and writing flash chip... spi_block_erase_20 failed during command execution at address 0x0
Reading current flash chip contents... done. Looking for another erase function.
spi_block_erase_52 failed during command execution at address 0x0
Reading current flash chip contents... done. Looking for another erase function.
Transaction error!
spi_block_erase_d8 failed during command execution at address 0x1f0000
Reading current flash chip contents... done. Looking for another erase function.
spi_chip_erase_60 failed during command execution
Reading current flash chip contents... done. Looking for another erase function.
spi_chip_erase_c7 failed during command execution
Looking for another erase function.
No usable erase functions left.
FAILED!
Uh oh. Erase/write failed. Checking if anything has changed.
Reading current flash chip contents... done.
Apparently at least some data has changed.
Your flash chip is in an unknown state.
Get help on IRC at chat.freenode.net (channel #flashrom) or
mail flashrom@flashrom.org with the subject "FAILED: <your board name>"!
-------------------------------------------------------------------------------
DO NOT REBOOT OR POWEROFF!
flashrom v0.9.9-unknown on Linux 3.13.0-108-lowlatency (x86_64)
flashrom is free software, get the source code at https://flashrom.org

Calibrating delay loop... OK.
Found chipset "Intel ICH7M".
Enabling flash write... WARNING: SPI Configuration Lockdown activated.
OK.
No EEPROM/flash device found.
Note: flashrom can never write if the flash chip isn't found automatically.
staf@petronella:~/libreboot/libreboot_r20160907_src$ 

Power down your system

staf@petronella:~/libreboot/libreboot_r20160907_src$ sudo poweroff

Broadcast message from staf@petronella
        (/dev/pts/7) at 16:11 ...

The system is going down for power off NOW!
staf@petronella:~/libreboot/libreboot_r20160907_src$ Connection to petronella closed by remote host.
Connection to petronella closed.
[staf@vicky ~]$ 

Wait 2 minutes and boot the system again. If you’re lucky, the system will boot with the free Libreboot firmware. Log on to the system again and continue with the secondflash phase.

[staf@vicky ~]$ ssh petronella 
C_GetAttributeValue failed: 18
no such identity: /home/staf/.ssh/id_rsa: No such file or directory
no such identity: /home/staf/.ssh/id_dsa: No such file or directory
no such identity: /home/staf/.ssh/id_ecdsa: No such file or directory
no such identity: /home/staf/.ssh/id_ed25519: No such file or directory
staf@petronella's password: 
Welcome to Trisquel GNU/Linux 7.0, Belenos (GNU/Linux 3.13.0-108-lowlatency x86_64)
   ___        ___               ___        ___       ___        ___        ___
  /\  \      /\  \      ___    /\  \      /\  \     /\__\      /\  \      /\__\
  \ \  \    /  \  \    /\  \  /  \  \    /  \  \   / /  /     /  \  \    / /  /
   \ \  \  / /\ \  \   \ \  \/ /\ \  \  / /\ \  \ / /  /     / /\ \  \  / /  /
   /  \  \/  \ \ \  \  /  \__\ \ \ \  \/ /  \ \  \ /  /  ___/  \ \ \  \/ /  /
  / /\ \__\/\ \ \ \__\/ /\/__/\ \ \ \__\/__/ \ \__\__/  /\__\/\ \ \ \__\/__/
 / /  \/__/_|  \/ /  / /  /\ \ \ \ \/__/\  \ / /  /  \ / /  /\ \ \ \/__/\  \
/ /  /      | |  /  / /__/  \ \ \ \__\ \ \/\/ /  / \  / /  /\ \ \ \__\ \ \  \
\/__/       | |\/__/\ \__\   \ \/ /  /  \    /  / \ \/ /  /  \ \ \/__/  \ \  \
            | |  |   \/__/    \  /  /    \  /  /   \  /  /    \ \__\     \ \__\
             \|__|             \/__/      \/__/     \/__/      \/__/      \/__/

Welcome to Trisquel GNU/Linux
Documentation: http://trisquel.info/wiki/

Last login: Sat Feb 11 15:43:11 2017 from 192.168.1.10
staf@petronella:~$ cd libreboot/libreboot
libreboot/               libreboot_r20160907_src/ 
staf@petronella:~$ cd libreboot/libreboot_r20160907_src/
staf@petronella:~/libreboot/libreboot_r20160907_src$  ./flash i945lenovo_secondflash bin/grub/x60/x60_usqwerty_vesafb.rom 
This script must be run as root
staf@petronella:~/libreboot/libreboot_r20160907_src$ ^C libreboot/libreboot_r20160907_src/
staf@petronella:~/libreboot/libreboot_r20160907_src$ sudo ./flash i945lenovo_secondflash bin/grub/x60/x60_usqwerty_vesafb.rom
[sudo] password for staf: 
Mode selected: i945lenovo_secondflash
flashrom v0.9.9-unknown on Linux 3.13.0-108-lowlatency (x86_64)
flashrom is free software, get the source code at https://flashrom.org

Calibrating delay loop... OK.
coreboot table found at 0xcbe9f000.
Found chipset "Intel ICH7M".
Enabling flash write... OK.
Found SST flash chip "SST25VF016B" (2048 kB, SPI) mapped at physical address 0x00000000ffe00000.
Reading old flash chip contents... done.
Erasing and writing flash chip... Erase/write done.
Verifying flash... VERIFIED.
bucts utility version 'withoutgit'
Using LPC bridge 8086:27b9 at 0000:1f.00
Current BUC.TS=1 - 64kb address ranges at 0xFFFE0000 and 0xFFFF0000 are swapped
Updated BUC.TS=0 - 128kb address range 0xFFFE0000-0xFFFFFFFF is untranslated
staf@petronella:~/libreboot/libreboot_r20160907_src$ 

The installation is completed! Reboot your system and enjoy your Free As In Freedom laptop.

"Thinkpad x60 open"

Have fun

Links

Best Wishes 2017!

"best_wishes_2017_scaled.jpg"

Install Arch on an Encrypted Btrfs Partition

"Arch Linux Logo"

I’m preparing to move my workstation to Arch Linux. Before I install it on my physical workstation I did the installation on a virtual machine. I’ll use btrfs as the filesystem during the installation. btrfs is a nice filesystem, but it had some serious data loss issues with RAID5/RAID6 recently.

btrfs might not be stable enough for a production environment, but it has some nice features like snapshots, send/receive, compression etc. I use zfs for my important data anyway.

To encrypt or not to encrypt…

It’s possible to encrypt your boot partition: GRUB has support for LUKS volumes. This causes GRUB to ask for a passphrase during system startup, and you’ll need to type your passphrase a second time during startup when your Linux initrd image is booted. It’s possible to avoid the second prompt by adding a keyfile to your crypttab, which might be considered a security risk.

In this howto we’ll set up a single root partition with full disk encryption. I’m not sure I’ll go with an encrypted boot partition during my final installation. I might just create an empty partition of 1G so I can switch between an encrypted and a non-encrypted boot filesystem.

"00_boot.png"

Download the arch linux iso and boot it

After Arch Linux is booted, verify that you have internet access. If the network card is supported and DHCP is enabled on your network, you should get a network address.

Network access

To set up the system remotely we first need to set up the network on our system.

Verify the interface

root@archiso ~ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 52:54:00:69:d4:94 brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.23/24 brd 192.168.122.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::a7b:481f:2f70:e688/64 scope link 
       valid_lft forever preferred_lft forever
root@archiso ~ # 

Verify internet access

root@archiso ~ # ping -c 3 8.8.8.8                                                                                      :(
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=49 time=49.2 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=49 time=45.8 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=49 time=46.8 ms

--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 45.896/47.329/49.201/1.406 ms
root@archiso ~ # nslookup www.google.be
Server:         192.168.122.1
Address:        192.168.122.1#53

Non-authoritative answer:
Name:   www.google.be
Address: 64.233.167.94

root@archiso ~ # ping www.google.be
PING www.google.be (64.233.167.94) 56(84) bytes of data.
64 bytes from wl-in-f94.1e100.net (64.233.167.94): icmp_seq=1 ttl=46 time=58.7 ms
64 bytes from wl-in-f94.1e100.net (64.233.167.94): icmp_seq=2 ttl=46 time=58.7 ms
64 bytes from wl-in-f94.1e100.net (64.233.167.94): icmp_seq=3 ttl=46 time=58.4 ms
^C
--- www.google.be ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2000ms
rtt min/avg/max/mdev = 58.479/58.645/58.742/0.230 ms
root@archiso ~ #                   

ssh access

If you want to install Arch Linux over ssh you need to assign a root password and start the sshd service.

root password

root@archiso ~ # passwd root       
Enter new UNIX password: 
Retype new UNIX password: 
passwd: password updated successfully
root@archiso ~ # 

start sshd

root@archiso ~ # systemctl list-unit-files -t service | grep ssh
sshd.service                               disabled
sshd@.service                              static  
sshdgenkeys.service                        static  
root@archiso ~ # systemctl start sshd                           
root@archiso ~ #

Logon remotely

[staf@vicky ~]$ ssh -l root 192.168.122.23
root@192.168.122.23's password: 
Last login: Tue Jun 30 09:06:00 2015 from 192.168.122.1
root@archiso ~ # 

Partition

Find your harddisk device name

root@archiso ~ # cat /proc/partitions
major minor  #blocks  name

   8        0  268435456 sda
  11        0     759808 sr0
   7        0     328616 loop0
root@archiso ~ # 

Overwrite it with random data

Because we are creating an encrypted filesystem it’s a good idea to overwrite the disk with random data first, so that encrypted data cannot be told apart from unused space.

We’ll use badblocks for this. Another method is to use “dd if=/dev/random of=/dev/xxx”; the “dd” method is probably the best method, but it is a lot slower.

root@archiso ~ # badblocks -c 10240 -s -w -t random -v /dev/sda
Checking for bad blocks in read-write mode
From block 0 to 268435455
Testing with random pattern: done                                                 
Reading and comparing: done                                                 
Pass completed, 0 bad blocks found. (0/0/0 errors)
badblocks -c 10240 -s -w -t random -v /dev/sda  49.22s user 21.72s system 3% cpu 33:48.40 total
root@archiso ~ # 

Partition the harddisk

Create 3 partitions:

  • 1G /boot (we’ll not use this during the installation, see above)
  • 32G swap
  • root btrfs partition
root@archiso ~ # fdisk /dev/sda                                

Welcome to fdisk (util-linux 2.28).                                                    
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.

Device does not contain a recognized partition table.
Created a new DOS disklabel with disk identifier 0x7ff944e5.

Command (m for help): p
Disk /dev/sda: 256 GiB, 274877906944 bytes, 536870912 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x7ff944e5

Command (m for help): n
Partition type
   p   primary (0 primary, 0 extended, 4 free)
   e   extended (container for logical partitions)
Select (default p): p
Partition number (1-4, default 1): 1
First sector (2048-536870911, default 2048): +1G
Value out of range.
First sector (2048-536870911, default 2048): 
Last sector, +sectors or +size{K,M,G,T,P} (2048-536870911, default 536870911): 
Do you really want to quit? y
1 root@archiso ~ # fdisk /dev/sda                                                   :(

Welcome to fdisk (util-linux 2.28).                                                    
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.

Device does not contain a recognized partition table.
Created a new DOS disklabel with disk identifier 0xa806e281.

Command (m for help): p
Disk /dev/sda: 256 GiB, 274877906944 bytes, 536870912 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0xa806e281

Command (m for help): n
Partition type
   p   primary (0 primary, 0 extended, 4 free)
   e   extended (container for logical partitions)
Select (default p): p
Partition number (1-4, default 1): 1
First sector (2048-536870911, default 2048): 
Last sector, +sectors or +size{K,M,G,T,P} (2048-536870911, default 536870911): +1G

Created a new partition 1 of type 'Linux' and of size 1 GiB.

Command (m for help): n
Partition type
   p   primary (1 primary, 0 extended, 3 free)
   e   extended (container for logical partitions)
Select (default p): p
Partition number (2-4, default 2): 
First sector (2099200-536870911, default 2099200): 
Last sector, +sectors or +size{K,M,G,T,P} (2099200-536870911, default 536870911): +32G

Created a new partition 2 of type 'Linux' and of size 32 GiB.

Command (m for help): n
Partition type
   p   primary (2 primary, 0 extended, 2 free)
   e   extended (container for logical partitions)
Select (default p): p
Partition number (3,4, default 3): 
First sector (69208064-536870911, default 69208064): 
Last sector, +sectors or +size{K,M,G,T,P} (69208064-536870911, default 536870911): 

Created a new partition 3 of type 'Linux' and of size 223 GiB.

Command (m for help): w
The partition table has been altered.
Calling ioctl() to re-read partition table.
Syncing disks.

root@archiso ~ # 

Format the root partition

We’ll continue with the root filesystem; we’ll initialize the swap space after the installation.

Create the root luks volume:

root@archiso ~ # cryptsetup luksFormat --cipher aes-xts-plain64 --key-size 256 --hash sha256 --use-random /dev/sda3

WARNING!
========
This will overwrite data on /dev/sda3 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase: 
Verify passphrase: 
5.01s user 0.04s system 21% cpu 23.750 total
root@archiso ~ # 

Open the root luks volume

root@archiso ~ # cryptsetup luksOpen /dev/sda3 cryptroot
Enter passphrase for /dev/sda3: 
root@archiso ~ # 

Format the root volume with btrfs

root@archiso ~ # mkfs.btrfs /dev/mapper/cryptroot
btrfs-progs v4.6.1
See http://btrfs.wiki.kernel.org for more information.

Label:              (null)
UUID:               cbfcc8d6-0cf9-4656-bcda-2525faeadfe6
Node size:          16384
Sector size:        4096
Filesystem size:    217.00GiB
Block group profiles:
  Data:             single            8.00MiB
  Metadata:         DUP               1.01GiB
  System:           DUP              12.00MiB
SSD detected:       no
Incompat features:  extref, skinny-metadata
Number of devices:  1
Devices:
   ID        SIZE  PATH
    1   217.00GiB  /dev/mapper/cryptroot

root@archiso ~ # 

Mount the root filesystem

root@archiso ~ # mount -o noatime,compress=lzo,discard,ssd,defaults /dev/mapper/cryptroot /mnt
root@archiso ~ # 

Create the subvolumes

root@archiso ~ # cd /mnt
root@archiso /mnt # btrfs subvolume create __active
Create subvolume './__active'
root@archiso /mnt # btrfs subvolume create __active/rootvol
Create subvolume '__active/rootvol'
root@archiso /mnt # btrfs subvolume create __active/home
Create subvolume '__active/home'
root@archiso /mnt # btrfs subvolume create __active/var
Create subvolume '__active/var'
root@archiso /mnt # btrfs subvolume create __snapshots
Create subvolume './__snapshots'
root@archiso /mnt #

Mount the subvolumes

root@archiso /mnt # cd 
root@archiso ~ # umount /mnt
root@archiso ~ # mount -o noatime,compress=lzo,discard,ssd,defaults,subvol=__active/rootvol /dev/mapper/cryptroot /mnt
root@archiso ~ # mkdir /mnt/{home,var}
root@archiso ~ # mount -o noatime,compress=lzo,discard,ssd,defaults,subvol=__active/home /dev/mapper/cryptroot /mnt/home
root@archiso ~ # mount -o noatime,compress=lzo,discard,ssd,defaults,subvol=__active/var /dev/mapper/cryptroot /mnt/var
root@archiso ~ # sync
root@archiso ~ # 
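
The root-partition steps from luksFormat through the subvolume mounts are one procedure; the script below is an added example, not from the original post, that repeats it with the post's own device, mapper, option and subvolume names, refuses to touch a mounted partition, and records the commands instead of running them unless `--apply` is given. One caveat it adds: with aes-xts-plain64, `--key-size 256` selects AES-128 because XTS splits the key in two; the post's value is kept, use 512 for AES-256. DEVICE defaulting to /dev/sda3 is an assumption taken from the session above.

```shell
#!/bin/sh
# Added example, not from the original post: the root-partition steps above
# (luksFormat, luksOpen, mkfs.btrfs, subvolumes, mounts) as one repeatable
# script with a dry-run mode. Assumption: DEVICE is the future root partition
# (/dev/sda3 in the post); names and options are the post's own.
set -eu

DEVICE="${DEVICE:-/dev/sda3}"
MAPPER="cryptroot"
TARGET="/mnt"
BTRFS_OPTS="noatime,compress=lzo,discard,ssd,defaults"
DRY_RUN="${DRY_RUN:-1}"   # 1: only record commands; 0: really run them as root
PLAN=""                   # recorded commands, one per line
NL='
'

# run CMD ARGS...: execute, or append the command to PLAN when dry-running.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        PLAN="${PLAN}$*${NL}"
    else
        "$@"
    fi
}

plan_length() { printf '%s' "$PLAN" | grep -c ''; }

# Refuse to format a partition that is mounted on the live system.
ensure_unmounted() {
    if grep -q "^$1 " /proc/mounts 2>/dev/null; then
        echo "refusing: $1 is mounted" >&2
        return 1
    fi
}

# Same cryptsetup parameters as the post. Caveat: XTS splits the key in two,
# so --key-size 256 gives AES-128; use 512 for AES-256.
format_luks() {
    run cryptsetup luksFormat --cipher aes-xts-plain64 --key-size 256 \
        --hash sha256 --use-random "$DEVICE"
    run cryptsetup luksOpen "$DEVICE" "$MAPPER"
}

# Create the filesystem and the __active/{rootvol,home,var} + __snapshots layout.
# Parents come first because __active/rootvol is nested inside __active.
create_layout() {
    run mkfs.btrfs "/dev/mapper/$MAPPER"
    run mount -o "$BTRFS_OPTS" "/dev/mapper/$MAPPER" "$TARGET"
    for sv in __active __active/rootvol __active/home __active/var __snapshots; do
        run btrfs subvolume create "$TARGET/$sv"
    done
    run umount "$TARGET"
}

# Mount each subvolume at its final place under TARGET, rootvol first.
mount_layout() {
    run mount -o "$BTRFS_OPTS,subvol=__active/rootvol" "/dev/mapper/$MAPPER" "$TARGET"
    run mkdir -p "$TARGET/home" "$TARGET/var"
    run mount -o "$BTRFS_OPTS,subvol=__active/home" "/dev/mapper/$MAPPER" "$TARGET/home"
    run mount -o "$BTRFS_OPTS,subvol=__active/var" "/dev/mapper/$MAPPER" "$TARGET/var"
}

prepare_root() {
    ensure_unmounted "$DEVICE"
    format_luks
    create_layout
    mount_layout
}

if [ "${1:-}" = "--apply" ]; then
    DRY_RUN=0
    prepare_root
elif [ "${1:-}" = "--plan" ]; then
    prepare_root
    printf '%s' "$PLAN"
fi
```

`./script --plan` prints the 14 commands it would run; `cryptsetup luksFormat` still asks for the passphrase interactively when run with `--apply`.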

System installation

bootstrap the system

root@archiso ~ # pacstrap /mnt base base-devel btrfs-progs
==> Creating install root at /mnt
==> Installing packages to /mnt
:: Synchronizing package databases...
 core                     119.9 KiB   652K/s 00:00 [######################] 100%
 extra                   1760.1 KiB   688K/s 00:03 [######################] 100%
 community                  3.6 MiB   906K/s 00:04 [######################] 100%
:: There are 50 members in group base:
:: Repository core
   1) bash  2) bzip2  3) coreutils  4) cryptsetup  5) device-mapper  6) dhcpcd
   7) diffutils  8) e2fsprogs  9) file  10) filesystem  11) findutils  12) gawk
   13) gcc-libs  14) gettext  15) glibc  16) grep  17) gzip  18) inetutils
   19) iproute2  20) iputils  21) jfsutils  22) less  23) licenses  24) linux
   25) logrotate  26) lvm2  27) man-db  28) man-pages  29) mdadm  30) nano
   31) netctl  32) pacman  33) pciutils  34) pcmciautils  35) perl
   36) procps-ng  37) psmisc  38) reiserfsprogs  39) s-nail  40) sed
   41) shadow  42) sysfsutils  43) systemd-sysvcompat  44) tar  45) texinfo
   46) usbutils  47) util-linux  48) vi  49) which  50) xfsprogs

Enter a selection (default=all): 
:: There are 25 members in group base-devel:
:: Repository core
   1) autoconf  2) automake  3) binutils  4) bison  5) fakeroot  6) file
   7) findutils  8) flex  9) gawk  10) gcc  11) gettext  12) grep  13) groff
   14) gzip  15) libtool  16) m4  17) make  18) pacman  19) patch
   20) pkg-config  21) sed  22) sudo  23) texinfo  24) util-linux  25) which

Enter a selection (default=all): 
warning: skipping target: file
warning: skipping target: findutils
warning: skipping target: gawk
warning: skipping target: gettext
warning: skipping target: grep
warning: skipping target: gzip
warning: skipping target: pacman
warning: skipping target: sed
warning: skipping target: texinfo
warning: skipping target: util-linux
warning: skipping target: which
resolving dependencies...
looking for conflicting packages...

Packages (144) acl-2.2.52-2  archlinux-keyring-20160812-1  attr-2.4.47-1
               ca-certificates-20160507-1  ca-certificates-cacert-20140824-3
               ca-certificates-mozilla-3.26-1  ca-certificates-utils-20160507-1
               cracklib-2.9.6-1  curl-7.50.1-1  db-5.3.28-3  dbus-1.10.8-1
               expat-2.2.0-2  gc-7.4.2-4  gdbm-1.12-2  glib2-2.48.1-1
<snip>
               procps-ng-3.3.12-1  psmisc-22.21-3  reiserfsprogs-3.6.25-1
               s-nail-14.8.10-1  sed-4.2.2-4  shadow-4.2.1-3  sudo-1.8.17.p1-1
               sysfsutils-2.1.0-9  systemd-sysvcompat-231-1  tar-1.29-1
               texinfo-6.1-4  usbutils-008-1  util-linux-2.28.1-1
               vi-1:070224-2  which-2.21-2  xfsprogs-4.7.0-1

Total Download Size:   231.85 MiB
Total Installed Size:  801.27 MiB

:: Proceed with installation? [Y/n] 
:: Retrieving packages...
 linux-api-headers-4...   810.7 KiB   891K/s 00:01 [######################] 100%
 tzdata-2016f-1-any       215.4 KiB   909K/s 00:00 [######################] 100%
 iana-etc-20160513-1-any  352.2 KiB   723K/s 00:00 [######################] 100%
 filesystem-2015.09-...     8.8 KiB   875K/s 00:00 [######################] 100%
 glibc-2.24-2-x86_64        8.1 MiB   918K/s 00:09 [######################] 100%
 gcc-libs-6.1.1-5-x86_64   14.9 MiB   899K/s 00:17 [######################] 100%
<snip>
(144/144) installing btrfs-progs                   [######################] 100%
:: Running post-transaction hooks...
(1/4) Updating manpage index...
mandb: can't set the locale; make sure $LC_* and $LANG are correct
(2/4) Updating the info directory file...
(3/4) Updating udev Hardware Database...
(4/4) Rebuilding certificate stores...
pacstrap /mnt base base-devel btrfs-progs  27.81s user 10.20s system 10% cpu 5:50.56 total
root@archiso ~ # 

Generate /etc/fstab

root@archiso ~ # genfstab -p /mnt >> /mnt/etc/fstab
root@archiso ~ # vi /mnt/etc/fstab
# 
# /etc/fstab: static file system information
#
# <file system> <dir>   <type>  <options>       <dump>  <pass>
# UUID=c8ca38de-4e58-4c7c-8f5b-c9c3f92f6a24
/dev/mapper/cryptroot   /               btrfs           rw,noatime,compress=lzo,ssd,discard,space_cache,subvolid=258,subvol=/__active/rootvol,subvol=__active/rootvol  0 0

# UUID=c8ca38de-4e58-4c7c-8f5b-c9c3f92f6a24
/dev/mapper/cryptroot   /home           btrfs           rw,noatime,compress=lzo,ssd,discard,space_cache,subvolid=259,subvol=/__active/home,subvol=__active/home        0 0

# UUID=c8ca38de-4e58-4c7c-8f5b-c9c3f92f6a24
/dev/mapper/cryptroot   /var            btrfs           rw,noatime,compress=lzo,ssd,discard,space_cache,subvolid=260,subvol=/__active/var,subvol=__active/var  0 0

chroot

root@archiso ~ # arch-chroot /mnt
[root@archiso /]# 

Set the timezone

Link for timezone to /etc/localtime

[root@archiso /]# ln -s /usr/share/zoneinfo/Europe/Brussels /etc/localtime
[root@archiso /]# 

Set the hardwareclock to UTC

hwclock --systohc --utc

Generate the required locales

[root@archiso /]# vi /etc/locale.gen 
[root@archiso /]# locale-gen
Generating locales...
  en_IE.UTF-8... done
  en_IE.ISO-8859-1... done
  en_IE.ISO-8859-15@euro... done
  en_US.UTF-8... done
  en_US.ISO-8859-1... done
  nl_BE.UTF-8... done
  nl_BE.ISO-8859-1... done
  nl_BE.ISO-8859-15@euro... done
Generation complete.
[root@archiso /]# 

Hostname

[root@archiso /]# vi /etc/hostname
[root@archiso /]# 
[root@archiso /]# vi /etc/hosts

mkinitcpio

HOOKS

Add encrypt to HOOKS before filesystems in /etc/mkinitcpio.conf

[root@archiso /]# vi /etc/mkinitcpio.conf 
HOOKS="base udev autodetect modconf block encrypt filesystems keyboard fsck"

Create boot image

[root@archiso /]# mkinitcpio -p linux
==> Building image from preset: /etc/mkinitcpio.d/linux.preset: 'default'
  -> -k /boot/vmlinuz-linux -c /etc/mkinitcpio.conf -g /boot/initramfs-linux.img
==> Starting build: 4.7.1-1-ARCH
  -> Running build hook: [base]
  -> Running build hook: [udev]
  -> Running build hook: [autodetect]
  -> Running build hook: [modconf]
  -> Running build hook: [block]
  -> Running build hook: [encrypt]
  -> Running build hook: [filesystems]
  -> Running build hook: [keyboard]
  -> Running build hook: [fsck]
==> Generating module dependencies
==> Creating gzip-compressed initcpio image: /boot/initramfs-linux.img
==> Image generation successful
==> Building image from preset: /etc/mkinitcpio.d/linux.preset: 'fallback'
  -> -k /boot/vmlinuz-linux -c /etc/mkinitcpio.conf -g /boot/initramfs-linux-fallback.img -S autodetect
==> Starting build: 4.7.1-1-ARCH
  -> Running build hook: [base]
  -> Running build hook: [udev]
  -> Running build hook: [modconf]
  -> Running build hook: [block]
==> WARNING: Possibly missing firmware for module: wd719x
==> WARNING: Possibly missing firmware for module: aic94xx
  -> Running build hook: [encrypt]
  -> Running build hook: [filesystems]
  -> Running build hook: [keyboard]
  -> Running build hook: [fsck]
==> Generating module dependencies
==> Creating gzip-compressed initcpio image: /boot/initramfs-linux-fallback.img
==> Image generation successful
[root@archiso /]#

set the root password

[root@archiso /]# passwd root
New password: 
Retype new password: 
passwd: password updated successfully
[root@archiso /]# 

GRUB

install Grub

[root@archiso /]# pacman -Sy grub
:: Synchronizing package databases...
 core is up to date
 extra                   1760.1 KiB   917K/s 00:02 [######################] 100%
 community                  3.6 MiB   896K/s 00:04 [######################] 100%
resolving dependencies...
looking for conflicting packages...

Packages (1) grub-1:2.02.beta3-3

Total Download Size:    5.83 MiB
Total Installed Size:  28.70 MiB

:: Proceed with installation? [Y/n] y
:: Retrieving packages...
 grub-1:2.02.beta3-3...     5.8 MiB   917K/s 00:07 [######################] 100%
(1/1) checking keys in keyring                     [######################] 100%
(1/1) checking package integrity                   [######################] 100%
(1/1) loading package files                        [######################] 100%
(1/1) checking for file conflicts                  [######################] 100%
(1/1) checking available disk space                [######################] 100%
:: Processing package changes...
(1/1) installing grub                              [######################] 100%
Generating grub.cfg.example config file...
This may fail on some machines running a custom kernel.
done.
Optional dependencies for grub
    freetype2: For grub-mkfont usage
    fuse: For grub-mount usage
    dosfstools: For grub-mkrescue FAT FS and EFI support
    efibootmgr: For grub-install EFI support
    libisoburn: Provides xorriso for generating grub rescue iso using
    grub-mkrescue
    os-prober: To detect other OSes when generating grub.cfg in BIOS systems
    mtools: For grub-mkrescue FAT FS support
:: Running post-transaction hooks...
(1/2) Updating manpage index...
(2/2) Updating the info directory file...
[root@archiso /]# 

Install grub to your boot disk

[root@archiso /]# grub-install --target=i386-pc /dev/sda
Installing for i386-pc platform.
grub-install: error: attempt to install to encrypted disk without cryptodisk enabled. Set `GRUB_ENABLE_CRYPTODISK=y' in file `/etc/default/grub'.
[root@archiso /]# 

Enable cryptodisk

Because the boot partition lives on the encrypted disk, GRUB needs cryptodisk support enabled to read it.

Add GRUB_ENABLE_CRYPTODISK=y to /etc/default/grub

[root@archiso /]# vi /etc/default/grub
[root@archiso /]# 
GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="Arch"
GRUB_CMDLINE_LINUX_DEFAULT="quiet"
GRUB_CMDLINE_LINUX=""
GRUB_ENABLE_CRYPTODISK=y

And run grub-install again

[root@archiso /]# grub-install --target=i386-pc /dev/sda
Installing for i386-pc platform.
Installation finished. No error reported.
[root@archiso /]# 

Create grub.cfg

Add your encrypted root partition to GRUB_CMDLINE_LINUX= in /etc/default/grub

GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="Arch"
GRUB_CMDLINE_LINUX_DEFAULT="quiet"
GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda3:cryptroot"
GRUB_ENABLE_CRYPTODISK=y

And generate grub.cfg

[root@archiso /]# grub-mkconfig -o /boot/grub/grub.cfg
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-linux
Found initrd image(s) in /boot: initramfs-linux.img
Found fallback initrd image(s) in /boot: initramfs-linux-fallback.img
done
[root@archiso /]# 
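Before leaving the chroot it is worth checking the three things this stage edits by hand: the HOOKS order in mkinitcpio.conf, GRUB_ENABLE_CRYPTODISK, and the quoting of the cryptdevice= argument. The script below is an added example, not part of the original post; it takes the two file paths as arguments (assumed usage) and reports each problem without touching the files.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check the files edited by
# hand in the chroot stage before rebooting an encrypted-root install.
# File paths are given as arguments so the checks can run on copies.

# 0 if 'encrypt' precedes 'filesystems' in the HOOKS line, else 1. Accepts
# both HOOKS="..." (as used on this page) and the newer HOOKS=(...) form.
check_hooks() {            # $1 = path to mkinitcpio.conf
    hooks=$(sed -n 's/^HOOKS=[("]\(.*\)[")]/\1/p' "$1")
    enc=0; fs=0; i=0
    for h in $hooks; do
        i=$((i + 1))
        [ "$h" = encrypt ] && enc=$i
        [ "$h" = filesystems ] && fs=$i
    done
    if [ "$enc" -gt 0 ] && [ "$fs" -gt 0 ] && [ "$enc" -lt "$fs" ]; then
        return 0
    fi
    return 1
}

# 0 if GRUB_ENABLE_CRYPTODISK=y is set and GRUB_CMDLINE_LINUX is a single
# double-quoted string containing cryptdevice=<device>:<name>, else 1.
# A value written as ""cryptdevice=...:..."" is rejected: the stray quotes
# leave the generated grub.cfg without a usable cryptdevice= argument.
check_grub_default() {     # $1 = path to /etc/default/grub
    grep -q '^GRUB_ENABLE_CRYPTODISK=y' "$1" || return 1
    cmdline=$(sed -n 's/^GRUB_CMDLINE_LINUX=//p' "$1")
    case "$cmdline" in
        '"'*cryptdevice=*:*'"') ;;
        *) return 1 ;;
    esac
    inner=${cmdline#\"}; inner=${inner%\"}
    case "$inner" in *\"*) return 1 ;; esac   # embedded quotes: broken line
    return 0
}

# Usage (assumed): sh check_crypt_boot.sh /etc/mkinitcpio.conf /etc/default/grub
if [ "$#" -eq 2 ]; then
    rc=0
    check_hooks "$1" || { echo "HOOKS: encrypt must come before filesystems"; rc=1; }
    check_grub_default "$2" || { echo "grub: cryptodisk/cryptdevice missing or misquoted"; rc=1; }
    [ "$rc" -eq 0 ] && echo "boot configuration looks consistent"
fi
```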

Reboot

[root@archiso /]# vi /boot/grub/grub.cfg
[root@archiso /]# sync
[root@archiso /]# reboot
Running in chroot, ignoring request.
[root@archiso /]# exit
arch-chroot /mnt  9.76s user 1.37s system 0% cpu 23:13.29 total
root@archiso ~ # reboot

Finish the installation

1st boot

As mentioned before, GRUB will ask for a passphrase to decrypt the boot partition.

"01_1st_boot.png"

You’ll need to type the password a second time while the initrd loads.

"01_1st_boot.png"

Setup swap space

Update /etc/crypttab

swap         /dev/sda2                                    /dev/urandom            swap,cipher=aes-cbc-essiv:sha256,size=256

Reboot the system to verify that the encrypted swap partition is mapped correctly during system startup.

[root@vicky ~]# ls -l /dev/mapper/
total 0
crw------- 1 root root 10, 236 Aug 29 15:43 control
lrwxrwxrwx 1 root root       7 Aug 29 15:43 cryptroot -> ../dm-0
lrwxrwxrwx 1 root root       7 Aug 29 15:43 swap -> ../dm-1
[root@vicky ~]# 

Create swap

[root@vicky ~]# mkswap /dev/mapper/swap 
Setting up swapspace version 1, size = 32 GiB (34359734272 bytes)
no label, UUID=66ea5a08-0833-4e84-8b95-f1a9c2d772b2
[root@vicky ~]# 

Activate swap

[root@vicky ~]# swapon /dev/mapper/swap
[root@vicky ~]# free
              total        used        free      shared  buff/cache   available
Mem:        4051236       85932     3890708         440       74596     3807084
Swap:      33554428           0    33554428
[root@vicky ~]# 

Update /etc/fstab

/dev/mapper/swap swap                    swap    defaults,discard,pri=3        0 0 
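The crypttab entry above opens the swap device with a fresh key from /dev/urandom at every boot, which means the device it names is re-formatted at every boot; a typo or a shifted partition number there destroys whatever lives on that device. The script below is an added example, not part of the original post: it cross-checks a crypttab against fstab and the encrypted root device (file paths and root device are arguments, assumed usage) and flags non-persistent /dev/sdXn names.

```shell
#!/bin/sh
# Added example, not from the original post: check a random-key swap entry
# in /etc/crypttab before rebooting. Such an entry re-formats its device on
# every boot, so the device must not be one that also holds data.
# Paths and the root block device are arguments so it can run on copies.

# Print the block device (column 2) of every active crypttab line that
# carries the 'swap' option in column 4. Comments and short lines are skipped.
swap_devices() {           # $1 = crypttab path
    awk '$1 !~ /^#/ && NF >= 4 && $4 ~ /(^|,)swap(,|$)/ { print $2 }' "$1"
}

# 0 if no crypttab swap device is also the root device or the device column
# of an fstab line; 1 if such a collision is found.
check_swap_device() {      # $1 = crypttab, $2 = fstab, $3 = encrypted root device
    for dev in $(swap_devices "$1"); do
        [ "$dev" = "$3" ] && return 1
        if awk -v d="$dev" '$1 !~ /^#/ && $1 == d { f=1 } END { exit !f }' "$2"; then
            return 1
        fi
    done
    return 0
}

# 0 if every swap device uses a persistent name under /dev/disk/by-*, 1 if
# any is a bare /dev/sdXn name, which can change when disks are added or
# reordered and would then point the random-key swap at the wrong partition.
swap_devices_persistent() {  # $1 = crypttab path
    for dev in $(swap_devices "$1"); do
        case "$dev" in
            /dev/disk/by-*/*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Usage (assumed): sh check_crypt_swap.sh /etc/crypttab /etc/fstab /dev/sda3
if [ "$#" -eq 3 ]; then
    check_swap_device "$1" "$2" "$3" || echo "WARNING: crypttab swap device collides with root or an fstab entry"
    swap_devices_persistent "$1" || echo "NOTE: swap device uses a non-persistent /dev name; consider /dev/disk/by-id"
fi
```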

Have fun

Links