[18:02] <daftykins> TJ-: just the man! can i pick your brains about something? :)
[18:04] <daftykins> TJ-: i've acquired some old servers for cheap and intend to put one in at my friend's house in England running XCP-ng and some ubuntu 20.04 VMs atop it for running his medical data analysis thing, i was going to follow your 'almost' FDE guide for setting up the VMs but subiquity doesn't seem to lend itself to working with that right now?
[18:05] <daftykins> i know the guide is really for use with the desktop image, but i'd like to stick to server
[18:06] <TJ-> daftykins: I've never touched subiquity at all; my opinion about it isn't printable
[18:06] <daftykins> nor mine :D
[18:07] <TJ-> daftykins: but the principle is the same; use commands to pre-prepare the storage system in the configuration you want THEN run the installer so it just has to select the LVM/partition for each file-system, rather than create them.
[18:07] <daftykins> TJ-: the server live image lets you get quite far into your guide, it was only at the install partitioner the wheels came off - i selected the vg root to install to and the /boot partition, but it still asks you to pick a disk to boot from - and none of the entries let you do that upon them
[18:07] <daftykins> in my case it was /dev/xvda due to being a Xen VM
[18:09] <TJ-> daftykins: In your scenario I'd simply do a manual install - get the storage volumes as I want then I'd use debootstrap to install the minimal system then chroot into the /target/ to complete the install, starting with "apt install ubuntu-server" and then adding user accounts, openssh-server, and setting the default locale, tz, etc. Then reboot it to ensure it works and use SSH from there
[18:09] <daftykins> hmm that sounds good, time for some learning then :D
[18:10] <daftykins> i wonder if the live server image is still capable
[18:12] <TJ-> If it has the 'try ubuntu' option to run a regular (not castrated) shell then it may be possible
[18:12] <TJ-> as in not just a 'drop to root shell' like the debian-installer has that only has busybox and a minimal user-space and no option to install packages into the in-memory live system
[18:13] <daftykins> *nod* pretty much, you let it start up into subiquity then drop out to a TTY which has the full shell
[18:13] <daftykins> i still don't know what i'm doing with LVM ;) always avoided it in the past
[18:13] <daftykins> this seems like a nice way to get stronger encryption whilst still keeping the virtual disk images (VDIs) thin provisioned so i can keep VM backup speedy
[18:14] <daftykins> alternatively i could wimp out and use server's built-in encryption, but it's considered as old as the Ark now isn't it?
[18:14] <TJ-> sounds like a good plan to me
[18:17] <daftykins> thanks :)
[18:19] <daftykins> not a bad machine i got for £150, R820 with 4 x Xeon E5-4620s, 128GB RAM, iDRAC 7 enterprise, over a dozen 15K SAS 300GB disks
[18:23] <TJ-> Amazing what you can pick up now that power consumption is the prime concern
[18:24] <daftykins> i made an excellent contact at a big bank :D
[18:24] <daftykins> i may even end up taking 2 of those CPUs out, because i think dividing the RAM between them is suboptimal for my use-case
[18:24] <daftykins> trouble is i'll need to buy the plastic baffle to redirect the airflow then
[18:26] <TJ-> which'll cost £250
[22:15] <daftykins> TJ-: ok i'm doing a trial run, i've created the disk as per the guide, but then i've formatted /dev/mapper/ubuntu--vg-root as ext4 and mounted it to /mnt, then created /boot upon it and mounted /dev/mapper/LUKS_BOOT to /mnt/boot - does that make sense or am i losing my way?
[22:15] <daftykins> my VM is BIOS boot only so i'm not sure if i need to do anything with the EFI-SP there before i try to debootstrap install to /mnt
[22:18] <TJ-> daftykins: that looks fine. I usually make the mountpoint /target/ since that is what debian-installer and thus ubiquity etc usually use
[22:18] <TJ-> daftykins: no EFI-SP required then - I do that for maximum flexibility - doesn't cost much to reserve the space for one (256MB is all that is needed)
[22:19] <daftykins> very true
[22:19] <TJ-> I do use GPT and create a bios boot partition of 2MB for GRUB's core image
[22:19] <daftykins> that's a point, where should i mount that?
[22:20] <TJ-> it isn't a mount point
[22:20] <daftykins> ah ok
[22:20] <TJ-> it's simply a raw partition that GRUB writes its boot-loader code into
[22:20] <daftykins> does it autodetect it's there and do that based on the label?
[22:20] <TJ-> the boot sector (MBR) boot-strap code reads and executes that
[22:21] <TJ-> it needs the bios boot code which when using gdisk et al is EF02
[22:21] <TJ-> that's the friendly version of the full GPT GUID for BIOS boot partition type
[22:22] <daftykins> oh yep, i recall that step
[22:23] * daftykins runs debootstrap
[22:30] <daftykins> is "#14 Latin1 and Latin5 - western Europe" the sensible console font choice?
[22:30] <daftykins> seems like the best fit xD
[22:31] <jeremy31> Is the bios boot partition used for something other than a legacy/bios boot with GPT?
[22:31] <TJ-> so long since I did that, I cannot recall
[22:32] <TJ-> jeremy31: it's just a marker, depends on the software.
[22:32] <TJ-> jeremy31: you could use it as a file-system or anything else as long as that use doesn't conflict with something else
[22:33] <TJ-> there are a huge number of reserved GUIDs in GPT to avoid those kind of conflicts though
[22:34] <daftykins> ok got all that config done from installing "ubuntu-server", added a user and added it to the 'sudo' group, not sure if i need to do some funky grub-install fu?
[22:35] <daftykins> also seem to be lacking netplan so presumably i'll have no network at boot
[22:36] <TJ-> daftykins: netplan doesn't do networking :D
[22:36] <daftykins> hehe you know what i mean!
[22:36] <TJ-> it tells other network management tools to do it
[22:36] <TJ-> it's a server; just configure systemd-networkd via /etc/systemd/network/ with a .network file
[22:37] <TJ-> netplan only generates run-time configs for systemd-networkd, not permanent configs (puts them under /run/systemd/network/ which is a tmpfs)
[22:37] <daftykins> hmm will have to look that one up, how about GRUB / otherwise ensuring boot will work now?
[22:38] <TJ-> chroot /target grub-install /dev/sda; chroot /target update-grub
[22:38] <TJ-> ensure you've installed kernels first!
[22:38] <TJ-> with debootstrap it is easy to forget to do that
[22:38] <daftykins> ooh yeah nothing there
[22:38] <TJ-> chroot /target apt install linux-generic
[22:39] <daftykins> yep was just running "apt install linux-generic"
[22:39] <TJ-> also, you may want to generate the locales if you haven't already
[22:39] <daftykins> dpkg-recnfigure locales ?
[22:39] <daftykins> without the typo
[22:39] <TJ-> chroot /target apt install language-pack-en
[22:40] <TJ-> and chroot /target dpkg-reconfigure locales
[22:40] <daftykins> oh hello, adding linux-generic has triggered grub-pc
[22:41] <TJ-> set /etc/hostname and /etc/hosts correctly
[22:41] <TJ-> I hope you've got the /dev/ file-system etc, mounted inside the /target/
[22:41] <daftykins> yep /proc /sys /dev
[22:41] <daftykins> grub-install: error: attempt to install to encrypted disk without cryptodisk enabled. Set `GRUB_ENABLE_CRYPTODISK=y' in file `/etc/default/grub'.
[22:41] <daftykins> fun one :D
[22:41] <TJ-> ^^^^ very much needed
[22:42] <TJ-> I put that in /etc/default/grub.d/local.cfg
[22:42] <TJ-> that way if grub-pc package gets updated you don't suffer a 'diff' prompt for /etc/default/grub
[22:43] <daftykins> ah yes
[22:43] <daftykins> hopped to a second term and sorted that, installed smoothly to /dev/xvda now
[22:44] <daftykins> cryptsetup: WARNING: target 'xvda5_crypt' not found in /etc/crypttab
[22:44] <TJ-> yup, you need an entry there
[22:44] <TJ-> e.g. I have:
[22:45] <TJ-> LUKS_VG UUID=3cd375aa-2b43-4760-9881-7330f7646ca4 /etc/luks/iSSD.keyfile luks,discard
[22:45] <TJ-> LUKS_BOOT UUID=db9cd343-9ca9-4115-845f-d27943c14437 /etc/luks/iSSD.keyfile luks,discard
[22:45] <TJ-> and of course create a small random data file as the key
[22:46] <TJ-> and use 'cryptsetup' to add it to a slot of the LUKS volumes
[22:46] <daftykins> hmm for locale do i want en_GB.UTF-8
[22:46] <TJ-> AND make sure, if you are encrypting /boot/ that it was created using LUKS version 1 NOT version 2 else it'll fail because GRUB doesn't understand version 2
[22:47] <TJ-> daftykins: yes unless you want to talk gibberish!
[22:47] <TJ-> en_US == gibberish :D
[22:48] <daftykins> other choice was some ISO-8859-1
[22:49] <TJ-> don't get smilies with that; that's the old default MS Windows
[22:50] <daftykins> the horror!
[22:50] <daftykins> hmm keyfile eh, what's an easy way to knock one of those up?
[22:50] <daftykins> bit of /dev/urandom to a file of x length?
[22:51] <TJ-> chroot /target dd if=/dev/random of=/etc/luks/file.key bs=64 count=1
[22:52] <TJ-> make sure to make the /etc/cryptsetup-initramfs/conf-hook with KEYFILE_PATTERN="/etc/luks/*.key" in that case
[22:53] <TJ-> and set the /etc/initramfs-tools/initramfs.conf with # for cryptsetup-initramfs
[22:53] <TJ-> I think that lot was in the tutorial
[22:53] <TJ-> but things will break if those are forgotten
[22:54] <daftykins> oh that's a very good point, debootstrap may have bypassed the install but i forgot there was more to go back and look at
[22:55] <TJ-> can't do that in ISO-8859 !
[22:56] <daftykins> hopping back to your crypttab example, does the "LUKS_VG" part matter that i don't appear to have one called that from my "blkid" output?
[22:56] <daftykins> i'm feeding it the UUID of my root file system but i feel like that's a mistaken guess
[22:57] <daftykins> because it's the volume group i want to unlock there and not the partition inside it eh?
[22:57] <TJ-> LUKS_VG is the LUKS container that has the LVM inside that has the root-fs etc
[22:58] <TJ-> so you might have /dev/sda2 = LUKS > LUKS_VG = LVM > root-fs = ext4
[22:59] <daftykins> xvda5 is crypto_LUKS
[23:00] <TJ-> created via 'cryptsetup luksFormat --type luks1 /dev/sda2 ...; cryptsetup open /dev/sda2 LUKS_VG; pvcreate /dev/mapper/LUKS_VG; vgcreate MYVG /dev/mapper/LUKS_VG; lvcreate -L 8G -n rootfs MYVG ...
[23:01] <TJ-> errr, typo, --type luks2  !
[23:01] <TJ-> --type luks1 is for the encrypted /boot/
[23:02] <daftykins> mm, xvda2 in my case was the 2MB GRUB, so i think 5 is right
[23:03] <TJ-> if '5' is where the OS is installed to, yes
[23:06] <daftykins> hmm your guide had a bs=4096 for the keyfile generation
[23:07] <TJ-> daftykins: yes, a big mistake that!
[23:07] <daftykins> too strong? :)
[23:07] <TJ-> when I wrote it I got confused as to how many bits were in a byte and used the number of bits instead of dividing by 8!
[23:08] <TJ-> waste of space basically, beyond a certain point. LUKS truncates reading so the rest is not used
[23:08] <daftykins> ah ha
[23:10] <daftykins> hmm and i need that to read *.key instead / or rename my .key to .keyfile
[23:10] <TJ-> I didn't realise my example there was different to what I did here
[23:11] <daftykins> i also bypassed an 'error' earlier on where you used p1 or p'n' due to working with a PCIe SSD whereas i am using a conventional virtual disk so i needed to drop the p
[23:12] <daftykins> you might say i was taking the p...
[23:14] <daftykins> WARNING: Locking directory /run/cryptsetup is missing!
[23:14] <daftykins> oh that was in your example, nm
[23:14] <daftykins> going cross-eyed now ;)
[23:21] <TJ-> glad you were keeping your eyes open on that one; I had to amend the original article to cope with NVME names and that was a challenge. Don't ask me to do it for Xen too!
[23:21] <TJ-> yeah - you didn't bind-mount /run/ - always a good thing in my opinion else services in the chroot start and then get confused and won't be stopped
[23:22] <daftykins> hrmm update-initramfs spitting another: "cryptsetup: WARNING: target 'xvda5_crypt' not found in /etc/crypttab" must have chosen the wrong one
[23:24] <daftykins> or maybe i need to name it that instead of LUKS_VG
[23:24] <TJ-> did you do it with UUID?
[23:24] <TJ-> well yes, you need to give the correct reference :D
[23:24] <daftykins> yeah i popped in the UUID but i wasn't feeling 100% on my choice of which drive that is
[23:24] <daftykins> hey i'm just bashing the keyboard with patterns 'til i get the right answer ;)
[23:25] <TJ-> Monkeys ✓
[23:25] <daftykins> can confirm
[23:26] <daftykins> https://termbin.com/ayoo - so i was picking the UUID of xvda1 earlier, hmm that's definitely wrong
[23:26] <daftykins> no i wasn't! xvda5
[23:27] <TJ-> so UUID="2c17c32e-8d32-4947-9347-e49d4d39c342"
[23:28] <daftykins> yep - and i deleted "LUKS_VG" and put "xvda5_crypt" instead
[23:28] <daftykins> completed without error this time \o/
[23:28] <daftykins> ok so i still haven't got networking but i feel brave enough to consider a boot
[23:29] <daftykins> lol i made my passphrase 30 characters of gibberish, so i'm going to have to type that in via the command line... nice
[23:29] <daftykins> via the XCP-ng VM console window
[23:29] <TJ-> make sure to finish off with the grub-install/update-grub just in case something changed... ensure update-grub DOES generate a line.. it won't if /boot/initrd.img-$VERSION is missing for example, which can happen if update-initramfs failed
[23:30] <TJ-> for testing add a simple passphrase to another slot before you restart it
[23:30] <daftykins> that executed cleanly
[23:31] <TJ-> as in cryptsetup luksAddKey /dev/xvda2 or whatever your /boot/ FS is
[23:31] <TJ-> ahh, xvda1 I think
[23:32] <daftykins> both 1 and 5 surely
[23:32] <daftykins> oh boot only
[23:33] <daftykins> ok let's unmount all and test boot :O
[23:34] <daftykins> hrmm how do you deal with sys and dev claiming to be busy o0
[23:35] <TJ-> first ensure you've not got a terminal with its PWD inside the chroot
[23:36] <TJ-> then try "umount --lazy ..."
[23:36] <daftykins> ah ha \o/
[23:38] <daftykins> Boot Device: Hard Disk - success.
[23:38] <daftykins> Attempting to decrypt master key...
[23:38] <daftykins> Enter passphrase blah blah :)
[23:38] <daftykins> ooh it's not receiving keyboard input
[23:38] <TJ-> is that the GRUB prompt? because the LVM should be auto-unlocked via keyfile
[23:39] <daftykins> yeah says "Enter passphrase for hd0,gpt1 (<string here>):
[23:39] <TJ-> what kind of keyboard connection does the VM have? if it is via USB HID rather than a PS/2 serial GRUB will need additional modules included in its core image
[23:40] <daftykins> what'd be the easy way to pull that from an existing VM i have?
[23:40] <TJ-> ideally it should be an i8042 PS/2 serial keyboard interface
[23:40] <TJ-> not sure how Xen handles such things !
[23:41] <daftykins> so close :D
[23:42] <daftykins> oh hello, maybe it does take input - or it times out? it just dropped to GRUB rescue
[23:42] <TJ-> right, it doesn't echo anything to screen
[23:42] <TJ-> you just type the passphrase and hit enter
[23:42] <daftykins> no caret was present either though so i wasn't even sure what was going on
[23:43] <TJ-> if you're at the rescue prompt then do...
[23:43] <TJ-> ... cryptomount hd0,gpt1
[23:43] <daftykins> i think its error might be relevant, it says there's no such cryptodisk found
[23:43] <TJ-> then enter passphrase... once you get it correct you'll see "Slot X open" then do "insmod normal" followed by "normal" and it'll load the grub.cfg and show the menu
[23:44] <TJ-> I suspect you did NOT create the /boot/ LUKS container using cryptsetup luksFormat --type luks1 /dev/xvda1
[23:45] <TJ-> so it is likely LUKS2 (which is the default in cryptsetup nowadays)
[23:45] <daftykins> ooh "slot 2 opened"
[23:45] <TJ-> ha no, you're good!
[23:45] <daftykins> i think maybe the quirk with the virtual console just took my passphrase incorrectly the first time
[23:45] <daftykins> on that grub rescue attempt, i got a proper caret cursor etc
[23:45] <TJ-> OK so the insmod normal + normal and you're good to go
[23:47] <daftykins> booting... black screen so far
[23:47] <daftykins> Ubuntu 20.04 plymouth-text type interface :O
[23:48] <TJ-> looking good
[23:49] <TJ-> tap Esc to see the kernel console messages
[23:49] <daftykins> have i mentioned it's on a 6 x 15K SAS RAID10? :) 6Gb
[23:49] <daftykins> chug chug
[23:50] * TJ- winds the handle
[23:51] <daftykins> still got the purple background with a blinking cursor top left
[23:52] <daftykins> hmm the hypervisor suggests there's no disk activity
[23:55] <TJ-> hmmm, if you saw the plymouth splash then the initrd was working
[23:55] <TJ-> try tapping a key... might be it's a just-in-time login prompt as systemd often does
[23:55] <daftykins> i hit alt+F1 and see the prompt xD
[23:56] <daftykins> got a bunch of read only file system errors, hrmm i never did write an fstab o0
[23:57] <TJ-> so maybe it started on the wrong VT? does /proc/cmdline have a vt.handoff= set?
[23:57] <daftykins> yep vt7
[23:57] <daftykins> hah i'm missing sudo also
[23:57] <daftykins> but i'm in!
[23:58] <daftykins> i can probably fix those up with another live session boot and chroot
[23:59] <TJ-> not even that; get into the GRUB menu, advanced, and choose a recovery option and you'll be in as root
[23:59] <daftykins> ah that's true
[23:59] <TJ-> tap Esc as soon as Slot 2 open is seen and GRUB should stop at the menu