
My personal systems run on:

  1. An open /boot partition
  2. separately random key encrypted /tmp and swap partitions and
  3. a password encrypted btrfs lvm volume holding everything else.

My latest project is to use preseeding of the debian installer and try to recreate that automatically. Below is what I've come up with. This fails with the error that the automated partitioning recipe contains the definition of a volume group that does not contain any physical volume.

There is woefully little documentation about the encryption case in particular - can someone figure out how to fix this setup?

Thank you for your time, Joh

d-i partman-auto/disk string /dev/sda
d-i partman-lvm/device_remove_lvm boolean true
d-i partman-md/device_remove_md boolean true
d-i partman-lvm/confirm boolean true
d-i partman-lvm/confirm_nooverwrite boolean true
d-i partman-auto-lvm/new_vg_name multiselect vg_crypto_swap, vg_crypto_tmp, \
  vg_crypto_root
d-i partman-auto/expert_recipe string                         \
  joh-complex ::                                          \
          100 150 200 ext3                                \
                  $primary{ }                             \
                  $bootable{ }                            \
                  label{ boot_nocrypto }                  \
                  method{ format }                        \
                  format{ }                               \
                  use_filesystem{ }                       \
                  filesystem{ ext4 }                      \
                  mountpoint{ /boot }                     \
                  options/discard{ discard }              \
                  options/relatime{ relatime }            \
                  device{ /dev/sda1 }                     \
          .                                               \
          1000 5000 5000 lvm                              \
                  $primary{ }                             \
                  $defaultignore{ }                       \
                  method{ lvm }                           \
                  device{ /dev/sda2 }                     \
                  vg_name{ vg_crypto_tmp }                \
          .                                               \
          1000 5000 5000 ext3                             \
                  $lvmok{ }                               \
                  method{ format }                        \
                  format{ }                               \
                  in_vg{ vg_crypto_tmp }                  \
                  lv_name{ tmp_crypto }                   \
                  use_filesystem{ }                       \
                  filesystem{ ext2 }                      \
                  mountpoint{ /tmp }                      \
                  options/relatime{ relatime }            \
                  options/noexec{ noexec }                \
          .                                               \
          100% 300% 300% lvm                              \
                  $primary{ }                             \
                  $defaultignore{ }                       \
                  method{ lvm }                           \
                  device{ /dev/sda3 }                     \
                  vg_name{ vg_crypto_swap }               \
          .                                               \
          100% 300% 300% linux-swap                       \
                  $lvmok{ }                               \
                  method{ swap }                          \
                  format{ }                               \
                  in_vg{ vg_crypto_swap }                 \
                  lv_name{ swap_crypto }                  \
          .                                               \
          1000 10000 1000000000 lvm                       \
                  $primary{ }                             \
                  $defaultignore{ }                       \
                  method{ lvm }                           \
                  device{ /dev/sda4 }                     \
                  vg_name{ vg_crypto_root }               \
          .                                               \
          1000 10000 1000000000 ext3                      \
                  $lvmok{ }                               \
                  method{ format }                        \
                  format{ }                               \
                  in_vg{ vg_crypto_root }                 \
                  lv_name{ root_crypto }                  \
                  use_filesystem{ }                       \
                  filesystem{ btrfs }                     \
                  mountpoint{ / }                         \
                  options/discard{ discard }              \
                  options/relatime{ relatime }            \
                  options/ssd{ ssd }                      \
          .                                               \

d-i partman-partitioning/confirm_write_new_label boolean true
d-i partman/choose_partition select finish
d-i partman/confirm boolean true
d-i partman/confirm_nooverwrite boolean true
d-i partman-md/confirm boolean true
balin
  • My latest attempt tries to provide explicit partition names (as in "sda1") to the multiple volume groups, yet continues failing as before ... – balin Mar 11 '15 at 12:57
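As an added example (not code from the question or from either answer), a small checker that models how an expert recipe is tokenized, accepts both the `in_vg{ }` and `in_vg { }` spellings, and reports the exact class of error the question hits: a `$lvmok{ }` partition whose `in_vg` names a volume group that no `method{ lvm }` partition feeds. The tokenizer is a simplified assumption, not partman-auto's own parser, and the `BROKEN` recipe is constructed in the shape of the question's.

```python
import re

def parse_recipe(recipe_text):
    """Parse 'name :: part . part . ...' into [{"size": [min, prio, max, fs],
    "opts": {key: value}}]. Simplified model of partman-auto's whitespace
    tokenizer (an assumption); 'key{ v }' and 'key { v }' both give opts[key]."""
    body = re.sub(r"\\\n", " ", recipe_text).partition("::")[2]  # join continuations
    parts, cur, key, val, pending = [], None, None, [], None
    for tok in body.split():
        if key is not None:                    # collecting the value of 'key{'
            if tok.endswith("}"):
                cur["opts"][key] = " ".join(val + [tok[:-1]]).strip()
                key = None
            else:
                val.append(tok)
        elif tok == ".":                       # partition terminator
            parts.append(cur)
            cur = None
        elif cur is None:
            cur = {"size": [tok], "opts": {}}  # min prio max fs come first
        elif len(cur["size"]) < 4:
            cur["size"].append(tok)
        elif tok.endswith("{"):                # 'key{' or a bare '{'
            key, val = (tok[:-1] or pending), []
        else:
            pending = tok                      # key written as 'key {'
    if cur is not None:
        parts.append(cur)
    return parts

def check_volume_groups(parts, new_vg_name=None):
    """Report the error from the question: an $lvmok partition whose in_vg names
    a VG that no 'method{ lvm }' partition feeds. new_vg_name is the VG that the
    guided lvm/crypto methods create from partman-auto-lvm/new_vg_name."""
    pvs = {p["opts"]["vg_name"] for p in parts
           if p["opts"].get("method") == "lvm" and "vg_name" in p["opts"]}
    if new_vg_name:
        pvs.add(new_vg_name)
    errors = []
    for p in parts:
        o = p["opts"]
        if "$lvmok" in o and (o.get("in_vg") or new_vg_name) not in pvs:
            errors.append(f"{o.get('in_vg', '<no in_vg>')}: no physical volume in recipe")
    return sorted(set(errors))

# Constructed recipe in the shape of the question: / is carved from
# vg_crypto_root, but no 'method{ lvm }' partition feeds that VG.
BROKEN = ("joh :: 1000 5000 5000 lvm $primary{ } method{ lvm } vg_name{ vg_crypto_tmp } . "
          "1000 5000 5000 ext2 $lvmok{ } in_vg{ vg_crypto_tmp } lv_name{ tmp } method{ format } mountpoint{ /tmp } . "
          "1000 10000 -1 btrfs $lvmok{ } in_vg { vg_crypto_root } lv_name{ root } method{ format } mountpoint{ / } .")
```

Running `check_volume_groups(parse_recipe(BROKEN))` names `vg_crypto_root` as the group without a physical volume; adding a `method{ lvm } vg_name{ vg_crypto_root }` partition makes the check pass.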

2 Answers


I used the following recipe with great success to automate creation of encrypted partitions on many user systems. This recipe assumes /dev/sda as the volume to use and uses xfs as the default filesystem (my preferred filesystem).

In addition it uses a simplified partitioning scheme of a small /boot, ~50 GB of /, ~200% of RAM as swap (probably limit it to 64 GB, if system ram > 32 GB) and the rest of the available disk space is /home. If you want to create a more robust system use separate partitions for /var, /usr, /tmp etc. For the logic behind using multiple partitions see: https://www.debian.org/doc/manuals/securing-debian-howto/ch3.en.html#s3.2

One thing to note is that as far as I know you need to use lvm to get encryption to work, or at least I didn't get it to work otherwise.

d-i partman/default_filesystem string xfs
d-i partman-auto/disk string /dev/sda
d-i partman-lvm/device_remove_lvm boolean true
d-i partman-md/device_remove_md boolean true
d-i partman-lvm/confirm boolean true
d-i partman-auto-lvm/guided_size string max
d-i partman-auto/method string crypto
d-i partman-auto/choose_recipe select boot-crypto
d-i partman-auto-lvm/new_vg_name string crypt
d-i partman-auto/expert_recipe string boot-crypto :: \
        1000 2000 3000 xfs $primary{ } $bootable{ } \
        method{ format } format{ } \
        use_filesystem{ } filesystem{ xfs } \
        mountpoint{ /boot } \
        . \
        45000 50000 55000 xfs $lvmok{ } lv_name{ root } \
        in_vg { crypt } method{ format } format{ } \
        use_filesystem{ } filesystem{ xfs } mountpoint{ / } \
        . \
        100% 200% 300% linux-swap $lvmok{ } lv_name{ swap } \
        in_vg { crypt } method{ swap } format{ } \
        . \
        3000 35000 1000000000 xfs $lvmok{ } lv_name{ home } \
        in_vg { crypt } method{ format } format{ } \
        use_filesystem{ } filesystem{ xfs } mountpoint{ /home } \
        .
d-i partman-partitioning/confirm_write_new_label boolean true
d-i partman/choose_partition select finish
d-i partman/confirm boolean true
d-i partman/confirm_nooverwrite boolean true

Credit where credit is due, I got the idea in turn from: http://ptomusk.blogspot.com/2012/09/ubuntu-preseedcfg-with-encrypted-lvm.html

aseq
  • Thank you, but this does not answer the underlying question I have: is it possible to get multiple INDEPENDENT lvm/crypto volume groups going on the same underlying hard disk? Your recipe is using a single crypted partition, which I also can get, but I have described above what I am aiming for ... – balin Mar 11 '15 at 12:56
  • I didn't bother trying to expand upon it. Since at least at the filesystem level it deals with separate encrypted partitions, I had what I needed and these are mostly laptops, not servers. Multiple partitions make a system more robust with regards to things such as /home (or /var/log etc.) filling up rather than disk errors, these days. – aseq Mar 11 '15 at 21:49

For d-i partman-auto/method string crypto, you need to put a space character between in_vg and { (braces) like so:

in_vg{ vg_crypto_tmp } -> in_vg { vg_crypto_tmp }
dirgnirg