[lug] face plant into glass door...
    duboulder 
    blug-mail at duboulder.com
       
    Mon Dec  9 16:44:25 MST 2019
    
    
  
I've seen Seagate 5TB USB3 2.5" backup drives for ~$90. Might be useful as the data drives.
If you have enough free sata ports, you might be able to install 3 internal 2.5" drives by using a 2x2.5" carrier that fits in a 3.5" bay. The ones we have take 7mm thick drives.
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Monday, December 9, 2019 4:22 PM, Stephen Kraus <ub3ratl4sf00 at gmail.com> wrote:
> FreeNAS will also let you setup a mirror between multiple USB sticks for the OS.
>
> On Mon, Dec 9, 2019 at 6:18 PM Jonathan Eidsness <jonathan.eidsness at gmail.com> wrote:
>
>> You can run FreeNAS from a USB stick if you want. That would leave your bay free for storage.
>>
>> https://www.ixsystems.com/documentation/freenas/11.2-U7/intro.html#the-operating-system-device
>>
>> On Mon, Dec 9, 2019, 3:38 PM Bear Giles <bgiles at coyotesong.com> wrote:
>>
>>> I can make nfsd is brought down before calling 'vgchange -an'. It won't protect me from a power crash but can use this as motivation to actually hood up aspd(?) - the daemon that listens to the USB port on a UPS and sends a 'shutdown' message once the UPS kicks in, or at least after N minutes.
>>>
>>> It's a fairly straightforward setup. I had soft plans to set up FreeNAS but my refurbished dell only supports one 3.5" drive or two 2.5" drives and FreeNAS requires at least two drives since the data drives are dedicated entirely for data. So for now I'm just running of the WD Red drive. It has a moderately large standard partition containing Ubuntu 19.04 server and the rest is an encrypted LVM partition containing a single VG. I've been carving LVs out of it.
>>>
>>> This system will also have an encrypted external drive attached to it but that's not important here.
>>>
>>> The first LV carved out are for my backup partitions. The system 'foo' has a /backups directory that's actually NFS-mounted from /backups/foobar. When I have my act together access is limited to that system - even if a system is compromised the bad actor can't (easily) erase the backups for all systems. They can't even fill the backups partition and prevent other backups from being performed. The backup itself is a simple tar script.
>>>
>>> In the past I've experimented with the script auto-mounting and -unmounting the backup partition. I might try that again.
>>>
>>> On Mon, Dec 9, 2019 at 2:08 PM duboulder <blug-mail at duboulder.com> wrote:
>>>
>>>> Can your initramfs be configured to read the passphrase from a thumb drive? cryptsetup can read passphrases from a file. Or do you have decryption system-init scripts that can use keys on removable drives? In that case try using an empty passphrase for the initrd decryption prompts and then configure your system init decryption to run before LVM and local fs mounts. And if possible rebuild/configure the initramfs to skip encrypted devices.
>>>>
>>>> As you noted shutdown can be a problem. NFS exports prevent a filesystem from unmounting and thus the related VG from deactivating. But it takes more than deactivation of the VGs on the encrypted device to allow cryptsetup to close the partition. The PV must also release its reference. Not sure if pvchange -xn is enough to allow closing the encrypted block device. Then you might need to do pvchange -xy on the next boot.
>>>>
>>>> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
>>>> On Monday, December 9, 2019 9:59 AM, Bear Giles <bgiles at coyotesong.com> wrote:
>>>>
>>>>> An embarrassing story to warn others....
>>>>>
>>>>> Like many people my home test bench is composed of current desktops/laptops that I use and older desktops that have been repurposed as servers. For various reasons I've decided that it makes a lot more sense to install the server version on these systems and treat them as true servers - nothing under /home, etc.
>>>>>
>>>>> Since they're tucked in various corners I don't want to use full-disk encryption - that requires finding them, hooking up a monitor and keyboard when they're booting, etc.. In many cases it's not a problem since they do their thing using a database on a server that does have full-disk encryption.
>>>>>
>>>>> The file server holding backups is an exception. The OS can be unencrypted but I want the partition containing the files to be encrypted. No problem...
>>>>>
>>>>> ... until I actually rebooted. The system started but blocked until I entered the encryption password. The problem was the LVM volume group holding the encrypted files - it's marked as 'active' so the system tried to open it and that requires decryption.
>>>>>
>>>>> Grrr... so much for "I'll still have to ssh in and manually 'cryptsetup' the partition but that's better than digging out a monitor and keyboard.)
>>>>>
>>>>> I haven't decided what to do. I could probably reformat the encrypted partition as a regular partition, not LVM, but I really wanted to be able to isolate the usage. E.g., a different LV for backups for each system instead of one large partition that contains all of them. I could add a shutdown script that de-activates the VG but I don't know if the nfsd daemon would prevent that - and it wouldn't matter if there's a prolonged power hit and the UPS dies.
>>>>>
>>>>> The main thing I know is that I don't want to push the encryption onto the file. My home brew software can directly read the encrypted files but it's a lot slower.
>>>>
>>>> _______________________________________________
>>>> Web Page:  http://lug.boulder.co.us
>>>> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
>>>> Join us on IRC: irc.hackingsociety.org port=6667 channel=#hackingsociety
>>>
>>> _______________________________________________
>>> Web Page:  http://lug.boulder.co.us
>>> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
>>> Join us on IRC: irc.hackingsociety.org port=6667 channel=#hackingsociety
>>
>> _______________________________________________
>> Web Page:  http://lug.boulder.co.us
>> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
>> Join us on IRC: irc.hackingsociety.org port=6667 channel=#hackingsociety
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.lug.boulder.co.us/pipermail/lug/attachments/20191209/ae16a55a/attachment.html>
    
    
More information about the LUG
mailing list