Re: installation on LVM on LUKS

[wolf]

On 2023-03-03 18:03:39 +0100, Emmanuel Beffara wrote:
> Hi Roman,
> 
> Thanks for the suggestions.
> 
> De Roman Scherer le 03/03/2023 à 16:05:
> > did you add the cryptsetup-static and lvm2-static packages to the
> > packages field of your operating system?
> 
> I had not, but I just tried adding them and nothing changed.
> 
> > Apart from that, I think you also need to add the dm-crypt module to the
> > initrd-modules field of the of the operating system.
> 
> Unless I am missing something, tinkering with initrd modules has nothing to do
> with my issue. The missing “insmod lvm” is in grub.cfg, it is related to Grub
> modules, not kernel modules. The required modules for Grub are properly
> installed in /boot/grub (I mount the EFI partition as /boot), it is just that
> the generated configuration file does not load enough of them.

Maybe that is the problem? For me it works out of the box, but I have EFI
mounted as /boot/efi. Could you maybe either try to do that as well, or
(untested idea I just had) provide (dependencies mapped-devices) for the /boot
mount point as well (I know, it is not technically required)?

> 
> > I'm not sure about your other question, but from what I understand the
> > reason why the kernel and the initrd live in the store and not in the
> > EFI partition might be that you actually would need to put the kernel
> > and the initrd for *each* system generation onto the EFI partition, so
> > you can boot different system generations. And that would fill up the
> > EFI partition pretty quickly.
> 
> Indeed, it would require some space, but it would solve the double-passphrase
> issue, among other things.
> 
> Besides, storing kernels and initrds in the EFI boot partition is how NixOS
> proceeds on my system (although it is set up to use systemd-boot and not Grub,
> in case it makes a difference). Filling up the EFI partition has never been a
> problem in a few years of use, because the partition is large enough to hold a
> few generations (512Mib) and I drop old generations often (as soon as the last
> one is checked to be functional, essentially).

I am using 64M EFI partition, so I could imagine that filling up, especially if
one does not clean up the generations very often. Since increasing the EFI size
could be impossible without reinstall, if this is done, it should likely be
opt-in only.

In the future I plan to look into eliminating the second password prompt using a
key file, following similar approach other distributions are using (for example
cryptkey= argument on alpine).

> 
> -- 
> Emmanuel
> 

W.

-- 
There are only two hard things in Computer Science:
cache invalidation, naming things and off-by-one errors.

signature.asc
Description: PGP signature