I have try to install a Fedora 32 Beta on a existent previous Fedora 31 system using an encrypted LVM
Something is wrong
I have not format the /home LV volume and format only the other swap, / and /var old LV volume.
The setup keeps the original Encrypted LVM partition but encrypt also the swap, / and /var LV device and make the FS on the encrypted LV device into the VG partition already encrypted.
This is the post install situation.
/dev/mapper/luks-b84fa2fd-1c38-466d-ac79-d4d4a6db9ef3: UUID="cXpRFb- vcUQ-K90X-p1cd-YQBT-M2p6-k36Lrr" TYPE="LVM2_member"/dev/mapper/dododell-root: UUID="3e0bd54f-1aa6-49c5- 8a00-98f18b1526d4" TYPE="crypto_LUKS"/dev/mapper/dododell-home: LABEL="home" UUID="95239f07-6bb0-4fbf-8506-c75f563ae356" BLOCK_SIZE="512" TYPE="xfs"/dev/mapper/dododell-swap: UUID="bdfd5321- f1ce-4382-9897-504f7f3c81d8" TYPE="crypto_LUKS"/dev/mapper/dododell- var: UUID="b855d0eb-1d13-4af2-8880-ea73961b13bd" TYPE="crypto_LUKS"/dev/mapper/luks-b855d0eb-1d13-4af2-8880- ea73961b13bd: LABEL="var" UUID="03abae3d-b344-497e-9c31-e7181c10097c" BLOCK_SIZE="512" TYPE="xfs"/dev/mapper/luks-3e0bd54f-1aa6-49c5-8a00- 98f18b1526d4: LABEL="root" UUID="6cc68b6d-b9d7-4310-b2b6-ba8e5598b7b4" BLOCK_SIZE="512" TYPE="xfs"/dev/mapper/luks-bdfd5321-f1ce-4382-9897- 504f7f3c81d8: LABEL="swap" UUID="2b02cc55-12c0-47ed-b866-e3f3619bb675" TYPE="swap" I do not want this situation, I want only the VG device encrypted and the filesystem created on LV device
In this case, the way to setup a Fedora 32 system on my new Dell G5-15 notebook (previous version do not work on this NB) is setup a Fedora 31 in basic graphic mode then upgrade it to Fedora 32.
It's this behavior a new feature or it's a bug of Anaconda on Fedora 32 ?
Many thanks for some suggest.
This should probably only be on the test@ list for now. Please trim future replies.
On 3/22/20 12:55 PM, Dario Lesca wrote:
I have try to install a Fedora 32 Beta on a existent previous Fedora 31 system using an encrypted LVM
You're overwriting an existing install using the current partitions, not upgrading it?
I have not format the /home LV volume and format only the other swap, / and /var old LV volume.
The setup keeps the original Encrypted LVM partition but encrypt also the swap, / and /var LV device and make the FS on the encrypted LV device into the VG partition already encrypted.
Is this correct? The VG is encrypted. Then each of the /, /var, and swap LVs are getting encrypted as well?
I do not want this situation, I want only the VG device encrypted and the filesystem created on LV device
In this case, the way to setup a Fedora 32 system on my new Dell G5-15 notebook (previous version do not work on this NB) is setup a Fedora 31 in basic graphic mode then upgrade it to Fedora 32.
You were able to configure it this way using the F31 installer?
It's this behavior a new feature or it's a bug of Anaconda on Fedora 32 ?
Which method are you using to configure the partitions?
Il giorno dom, 22/03/2020 alle 13.07 -0700, Samuel Sieb ha scritto:
This should probably only be on the test@ list for now. Please trim future replies.
Ok, I write here.
You're overwriting an existing install using the current partitions, not upgrading it?
Yes, not upgrading, I want keep the /home partition present into Encrypted LVM
The VG is encrypted. Then each of the /, /var, and swap LVs are getting encrypted as well?
Yes this is what happened: The new formatted partition into LVM encrypted are encrypted then formatting with filesystem
You were able to configure it this way using the F31 installer?
I have install a fresh system with Fedora 31, but when I boot the system, after 5 minutes the system freeze and I cannot update it.
Then I have delete all previous partitions using Fedora 32 beta and install it . Whit Fedora 32 all work fine.
But after boot I have see this strange behaviors
Then I have boot with Centos 8 and partition the disk make a encrypted LVM an fileystem into it
I have not verify if Fedora 31 do this double encrypted partition, if you want I can try it.
It's this behavior a new feature or it's a bug of Anaconda on Fedora 32 ?
Which method are you using to configure the partitions?
Custom partition.
Now I have try with blizzed gui partitioning, but when I make the LVM encrypted partition Anaconda crash.
I think this is a bug.
Now I back to try to setup the partition as I want ...
On 3/22/20 1:50 PM, Dario Lesca wrote:
Il giorno dom, 22/03/2020 alle 13.07 -0700, Samuel Sieb ha scritto:
You were able to configure it this way using the F31 installer?
I have install a fresh system with Fedora 31, but when I boot the system, after 5 minutes the system freeze and I cannot update it.
Then I have delete all previous partitions using Fedora 32 beta and install it . Whit Fedora 32 all work fine.
But after boot I have see this strange behaviors
To make sure I understand, you tried to install with F31. The install worked, but you couldn't run it. So you don't know what encryption config the F31 installer setup, right? But then you deleted all the partitions that F31 created and reinstalled with F32. That's when you found this double encryption. I don't understand how you're keeping the /home partition if you deleted everything else. Didn't you recreate that as well?
Il giorno dom, 22/03/2020 alle 17.42 -0700, Samuel Sieb ha scritto:
To make sure I understand, you tried to install with F31.
I have try Fedora 31 and it work as expected: encrypt VG partition and not encrypt LV
The flag "Encrypt" external to VG property is gray and not blue like F32
Seem that Fedora32 respects both the encryption flags, the one inside VG and the one for each LV volume.
If this is a feature, the external flag must be enable/disable, in this case the bug is the flag which cannot be disabled though blue. If this is not a feature is a bug.
The install worked, but you couldn't run it. So you don't know what encryption config the F31 installer setup, right?
Encrypt F31 work great, how I expect
But then you deleted all the partitions that F31 created and reinstalled with F32. That's when you found this double encryption. I don't understand how you're keeping the /home partition if you deleted everything else. Didn't you recreate that as well?
If I maintain the previous layout (VG encrypt and LV not encrypt) It' not possible create a root/var FS during install without formatting it
When Anaconda format it, encrypt partition and create FS into encrypted LV into encrypted VG partition
If you try to do that kind of layer, You see whats happened
If I must fill a bug let me know
On Sun, Mar 22, 2020 at 1:56 PM Dario Lesca d.lesca@solinos.it wrote:
I have try to install a Fedora 32 Beta on a existent previous Fedora 31 system using an encrypted LVM
Something is wrong
I have not format the /home LV volume and format only the other swap, / and /var old LV volume.
The setup keeps the original Encrypted LVM partition but encrypt also the swap, / and /var LV device and make the FS on the encrypted LV device into the VG partition already encrypted.
This is the post install situation.
/dev/mapper/luks-b84fa2fd-1c38-466d-ac79-d4d4a6db9ef3: UUID="cXpRFb-vcUQ-K90X-p1cd-YQBT-M2p6-k36Lrr" TYPE="LVM2_member"
/dev/mapper/dododell-root: UUID="3e0bd54f-1aa6-49c5-8a00-98f18b1526d4" TYPE="crypto_LUKS"
/dev/mapper/dododell-home: LABEL="home" UUID="95239f07-6bb0-4fbf-8506-c75f563ae356" BLOCK_SIZE="512" TYPE="xfs"
/dev/mapper/dododell-swap: UUID="bdfd5321-f1ce-4382-9897-504f7f3c81d8" TYPE="crypto_LUKS"
/dev/mapper/dododell-var: UUID="b855d0eb-1d13-4af2-8880-ea73961b13bd" TYPE="crypto_LUKS"
/dev/mapper/luks-b855d0eb-1d13-4af2-8880-ea73961b13bd: LABEL="var" UUID="03abae3d-b344-497e-9c31-e7181c10097c" BLOCK_SIZE="512" TYPE="xfs"
/dev/mapper/luks-3e0bd54f-1aa6-49c5-8a00-98f18b1526d4: LABEL="root" UUID="6cc68b6d-b9d7-4310-b2b6-ba8e5598b7b4" BLOCK_SIZE="512" TYPE="xfs"
/dev/mapper/luks-bdfd5321-f1ce-4382-9897-504f7f3c81d8: LABEL="swap" UUID="2b02cc55-12c0-47ed-b866-e3f3619bb675" TYPE="swap"
I do not want this situation, I want only the VG device encrypted and the filesystem created on LV device
I think I understand what you want to do: You want a disk partition -> LUKS -> LVM PV -> LVM VG, and then /, /var, /home, swap to be XFS formatted LVs.
I'm not certain it's actually possible to do this, except maybe in Advanced partitioning. Here's why.
If you use Fedora Workstation, Automatic/Default partitioning, at Destination Installation where you pick the drive to install to, there is a checkbox "Encrypt my Data" This does what you want, except it uses ext4and no separate /var. You can get close, if you use Fedora Server netinstaller, but choose to install Fedora Workstation instead of Server - this will use XFS but still no separate /var.
Going back to Workstation ISO, Custom partitioning, each mount point has its own encrypt checkbox. This will separately encrypt each LV, rather than making a partition a LUKS volume into an LVM PV. As I think about it, there's no work around for this custom partitioning.
I'm pretty sure the Advanced (blivet-gui) option can do this. But you have to build each layer yourself. if it crashes, that's a bug that needs to be reported against anaconda component; it might also be a blocker bug.
https://fedoraproject.org/wiki/Fedora_32_Final_Release_Criteria#Disk_layouts https://qa.fedoraproject.org/blockerbugs/propose_bug
Il giorno dom, 22/03/2020 alle 23.04 -0600, Chris Murphy ha scritto:
I'm not certain it's actually possible to do this, except maybe inAdvanced partitioning. Here's why.
IMHO: double encryption must be removed. If the VG is encrypted, it is not necessary to also encrypt the LVs
On Sun, Mar 22, 2020 at 11:04 PM Chris Murphy lists@colorremedies.com wrote:
I think I understand what you want to do: You want a disk partition -> LUKS -> LVM PV -> LVM VG, and then /, /var, /home, swap to be XFS formatted LVs.
I'm not certain it's actually possible to do this,
OK, it is possible to do this in Custom partitioning.
Do not check this encrypt box which is the per LV box:
https://drive.google.com/open?id=1BE3gJpw9FJUaecXLBvLzgogxGsPvY6dO
Instead, click on the Modify button under the Volume Group drop-down menu, and check this encrypt box which applies to the PV/VG.
https://drive.google.com/open?id=1nEzQy-Z03ovE6Ay410lLeK5h4dJ1x-A7
On Mon, Mar 23, 2020 at 1:16 PM Chris Murphy lists@colorremedies.com wrote:
On Sun, Mar 22, 2020 at 11:04 PM Chris Murphy lists@colorremedies.com wrote:
I think I understand what you want to do: You want a disk partition -> LUKS -> LVM PV -> LVM VG, and then /, /var, /home, swap to be XFS formatted LVs.
I'm not certain it's actually possible to do this,
OK, it is possible to do this in Custom partitioning.
Do not check this encrypt box which is the per LV box:
https://drive.google.com/open?id=1BE3gJpw9FJUaecXLBvLzgogxGsPvY6dO
Instead, click on the Modify button under the Volume Group drop-down menu, and check this encrypt box which applies to the PV/VG.
https://drive.google.com/open?id=1nEzQy-Z03ovE6Ay410lLeK5h4dJ1x-A7
I just did an installation doing it this way, and I think the UI is confusing. After choosing to encrypt the VG, and clicking OK to that modify VG dialog, each mount point (each LV) has its own encrypt checkbox also checked. However, they are no individually encrypted.
vda 252:0 0 100G 0 disk ├─vda1 252:1 0 600M 0 part ├─vda2 252:2 0 1G 0 part └─vda3 252:3 0 98.4G 0 part └─f32luks 253:2 0 98.4G 0 crypt ├─f32-swap 253:3 0 3G 0 lvm ├─f32-root 253:4 0 64.1G 0 lvm └─f32-home 253:5 0 31.3G 0 lvm
/dev/vda3 is LUKS encrypted, and the resulting volume 'f32luks' is the LVM PV. Each LV, swap, root, home, are plain LVs that are incidentally encrypted by the fact they're on an encrypted PV. There is no double encryption.
Reproduce steps 1. custom partitioning 2. LVM preset, click here to create automatically 3. Volume Group -> Modify -> check encrypt --- unexpectedly, each LV now has encrypt option checked 4. Done, Begin installation
Il giorno lun, 23/03/2020 alle 13.36 -0600, Chris Murphy ha scritto:
There is no double encryption.
I have try on VM and work as expected: no double encryption are done
Buy yesterday when I have try install on my new Dell G5-15 notebook the behavior was this:
/dev/mapper/luks-b84fa2fd-1c38-466d-ac79-d4d4a6db9ef3: UUID="cXpRFb-vcUQ-K90X-p1cd-YQBT-M2p6-k36Lrr" TYPE="LVM2_member" /dev/mapper/dododell-root: UUID="3e0bd54f-1aa6-49c5-8a00-98f18b1526d4" TYPE="crypto_LUKS" /dev/mapper/dododell-home: LABEL="home" UUID="95239f07-6bb0-4fbf-8506-c75f563ae356" BLOCK_SIZE="512" TYPE="xfs" /dev/mapper/dododell-swap: UUID="bdfd5321-f1ce-4382-9897-504f7f3c81d8" TYPE="crypto_LUKS" /dev/mapper/dododell-var: UUID="b855d0eb-1d13-4af2-8880-ea73961b13bd" TYPE="crypto_LUKS" /dev/mapper/luks-b855d0eb-1d13-4af2-8880-ea73961b13bd: LABEL="var" UUID="03abae3d-b344-497e-9c31-e7181c10097c" BLOCK_SIZE="512" TYPE="xfs" /dev/mapper/luks-3e0bd54f-1aa6-49c5-8a00-98f18b1526d4: LABEL="root" UUID="6cc68b6d-b9d7-4310-b2b6-ba8e5598b7b4" BLOCK_SIZE="512" TYPE="xfs" /dev/mapper/luks-bdfd5321-f1ce-4382-9897-504f7f3c81d8: LABEL="swap" UUID="2b02cc55-12c0-47ed-b866-e3f3619bb675" TYPE="swap"
I have only save lsblk layout
NOTE: VG and all partition are pre existent, /home is only not formatting partition, other I have must formatting in order to install and anaconda have create on all LV a encryption partition, then the FS
Now the notebook is installed, but if it's important I can reinstall it
On Tue, Mar 24, 2020 at 3:20 AM Dario Lesca d.lesca@solinos.it wrote:
Il giorno lun, 23/03/2020 alle 13.36 -0600, Chris Murphy ha scritto:
There is no double encryption.
I have try on VM and work as expected: no double encryption are done
Buy yesterday when I have try install on my new Dell G5-15 notebook the behavior was this:
/dev/mapper/luks-b84fa2fd-1c38-466d-ac79-d4d4a6db9ef3: UUID="cXpRFb-vcUQ-K90X-p1cd-YQBT-M2p6-k36Lrr" TYPE="LVM2_member" /dev/mapper/dododell-root: UUID="3e0bd54f-1aa6-49c5-8a00-98f18b1526d4" TYPE="crypto_LUKS" /dev/mapper/dododell-home: LABEL="home" UUID="95239f07-6bb0-4fbf-8506-c75f563ae356" BLOCK_SIZE="512" TYPE="xfs" /dev/mapper/dododell-swap: UUID="bdfd5321-f1ce-4382-9897-504f7f3c81d8" TYPE="crypto_LUKS" /dev/mapper/dododell-var: UUID="b855d0eb-1d13-4af2-8880-ea73961b13bd" TYPE="crypto_LUKS" /dev/mapper/luks-b855d0eb-1d13-4af2-8880-ea73961b13bd: LABEL="var" UUID="03abae3d-b344-497e-9c31-e7181c10097c" BLOCK_SIZE="512" TYPE="xfs" /dev/mapper/luks-3e0bd54f-1aa6-49c5-8a00-98f18b1526d4: LABEL="root" UUID="6cc68b6d-b9d7-4310-b2b6-ba8e5598b7b4" BLOCK_SIZE="512" TYPE="xfs" /dev/mapper/luks-bdfd5321-f1ce-4382-9897-504f7f3c81d8: LABEL="swap" UUID="2b02cc55-12c0-47ed-b866-e3f3619bb675" TYPE="swap"
I have only save lsblk layout
NOTE: VG and all partition are pre existent, /home is only not formatting partition, other I have must formatting in order to install and anaconda have create on all LV a encryption partition, then the FS
Now the notebook is installed, but if it's important I can reinstall it
I suggest filing a bug against anaconda. The two things it needs: 1. each step to reproduce the problem, with sufficient detail that anyone can reproduce 2. the logs from /var/log/anaconda/ on the installed system; or from /tmp in the installation environment (when booted from the install media)
It is possible to have the PV encrypted and the LVs not encrypted. In the installer, you pick the Advanced Custom (blivet) method for configuring the hard drive. Create a /boot filesystem, then give the rest to the physical volume and set the encrypt flag on that. Create a volume group on it, then you can select that volume group and create all your logical volumes without encryption set.
Il giorno dom, 22/03/2020 alle 23.36 -0700, Samuel Sieb ha scritto:
It is possible to have the PV encrypted and the LVs not encrypted. In the installer, you pick the Advanced Custom (blivet) method for configuring the hard drive. Create a /boot filesystem, then give the rest to the physical volume and set the encrypt flag on that. Create a volume group on it, then you can select that volume group and create all your logical volumes without encryption set.
This is what I have done to install Fedora 32. But for a bliver-gui bugs, it's not possible to create a encrypted LVM partition. Then I start with Centos 8 (I do not have yet a USB support with F31) and create the encrypted LVM partition, stop and restart Fedora32 and use bliver-gui to create other partition and install it Today I have create a F31 USB boot and try to setup a encrypted LVM: work like as expected: Create encrypted VG partition and do not encrypt LV. This is how Fedora 32 should behave
_______________________________________________test mailing list -- test@lists.fedoraproject.org To unsubscribe send an email to test-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/test@lists.fedoraproject.org
On 3/23/20 2:46 AM, Dario Lesca wrote:
Il giorno dom, 22/03/2020 alle 23.36 -0700, Samuel Sieb ha scritto:
It is possible to have the PV encrypted and the LVs not encrypted. In the installer, you pick the Advanced Custom (blivet) method for configuring the hard drive. Create a /boot filesystem, then give the rest to the physical volume and set the encrypt flag on that. Create a volume group on it, then you can select that volume group and create all your logical volumes without encryption set.
This is what I have done to install Fedora 32.
But for a bliver-gui bugs, it's not possible to create a encrypted LVM partition.
It is possible, follow my steps exactly. There is a fatal crash bug that you found if you do it the wrong way. After creating /boot, create a new partition of "physical volume" type. Then add the volume group, it's the only option you have at that point.
Il giorno dom, 22/03/2020 alle 20.55 +0100, Dario Lesca ha scritto:
It's this behavior a new feature or it's a bug of Anaconda on Fedora 32 ?
It's a Bug. I have fill this bugzilla: "Anaconda create LV filesystem encrypted on a VG already encrypted" https://bugzilla.redhat.com/show_bug.cgi?id=1819360
Thanks