Root Drive Encryption

I was pondering what to do about disk encryption on an unattended server. If you want an uninterrupted boot sequence, you can’t use full root disk encryption or it will ask you for your passphrase during init.

You can apparently do some fudge to put dropbear (a mini SSH daemon and shell) into your initrd, so you can enter your passphrase over SSH, but that seemed hacky. I’d rather have a serial console on a terminal server, for those servers with serial ports or LOMs.

So I created a Fedora 12 virtual machine to play with my options. I decided not to encrypt the entire boot drive, only the /home partition, and then have a second backup drive entirely encrypted, neither of which is mounted at boot. That way you can use the machine as a remote server, reboot it, power off and back on using Wake-On-LAN, even allow other users to log in; and when you have physical access you can use cryptsetup+mount to open your $HOME and backup partitions.

However, no matter what I tried, I kept getting prompted on boot for the passphrase, even though the fstab and crypttab were empty. Upon closer inspection of the files within initrd, it seems that the way of detecting root drive encryption and creating a passphrase prompt is not very picky. The routine ignores the fact that your backup drive does not have the bootable flag set, and is not the boot drive in the fstab or BIOS for that matter, and just assumes that if the entire drive is encrypted it must need opening to allow booting!

Short of recreating my initrd upon every new kernel install (don’t get me started on how shite dracut is compared to mkinitrd), the only way around it I found is to add the kernel parameter rd_NO_LUKS to the kernel line in /boot/grub/menu.lst.

I also heard from one of the Fedora devs that they’re going to move to upstart instead of init (see previous post) by Fedora 14. Hopefully the Ubuntu devs will have fixed the bugs by then!

Upgrade Day 2

When I said in my previous post that the Ubuntu 9.10 upgrade went fine, I spoke too soon…

It seems that the normal Sys-V init system has been replaced by upstart, which is Ubuntu’s attempt at speeding up the boot process by initialising services in parallel. The result is that /etc/rc.local is no longer the last script to run, and the init scripts are pretty much run in random order, causing all sorts of race conditions. There’s naff all documentation on writing upstart scripts either.

So I’ve moved mounting of encrypted partitions from a nice safe script in /etc/rc.local to adding the entries in /etc/fstab and hoping that device-mapper initialises before fsmount. It also means that fsck has to be turned off (for just those partitions), otherwise the boot process may halt. Luckily services like NFS are started after the mounting is done, or they’d probably fail too. I really can’t see the logic – knocking 10 secs off a boot process and screwing up a UNIX standard that has worked since the 1970s! I thought that kind of crap was limited to the Fedora or Gnome devs.
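As an added example (not from the original posts), here is a small audit script for the two traps covered in this post and in the Root Drive Encryption post above: a crypttab mapping without noauto gets opened (and prompted for) during init, and a /dev/mapper filesystem left in fstab with a non-zero fsck pass will halt the boot if device-mapper isn’t ready when fsck runs. It does not cover the dracut prompt for a fully encrypted disk, which still needs rd_NO_LUKS as described above; the sample fstab and crypttab contents in demo() are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: audit /etc/fstab and /etc/crypttab
# for encrypted volumes that are still opened, mounted or fsck'ed at boot.
# Prints one line per problem found and returns the problem count (0 = clean).
# Usage: audit_crypt_mounts /etc/fstab /etc/crypttab   (or run demo)

audit_crypt_mounts() {
    fstab=$1 crypttab=$2 problems=0
    # crypttab fields: <name> <device> <keyfile> <options>
    while read -r name dev key opts; do
        case "$name" in ''|'#'*) continue ;; esac
        case ",$opts," in
            *,noauto,*) ;;
            *) echo "crypttab: $name is opened at boot (add noauto)"
               problems=$((problems + 1)) ;;
        esac
    done < "$crypttab"
    # fstab fields: <device> <mountpoint> <type> <options> <dump> <pass>
    while read -r dev mnt fstype opts dump pass; do
        case "$dev" in /dev/mapper/*) ;; *) continue ;; esac   # dm-crypt devices only
        case ",$opts," in
            *,noauto,*) ;;
            *) echo "fstab: $dev on $mnt is mounted at boot (add noauto)"
               problems=$((problems + 1)) ;;
        esac
        if [ "${pass:-0}" -ne 0 ]; then
            echo "fstab: $dev on $mnt has fsck pass $pass (set it to 0)"
            problems=$((problems + 1))
        fi
    done < "$fstab"
    return "$problems"
}

# Constructed sample files standing in for the real /etc/fstab and /etc/crypttab:
# "home" is set up correctly, "backup" has all three problems.
demo() {
    dir=$(mktemp -d)
    printf '# constructed crypttab\nhome    /dev/sda3  none  luks,noauto\nbackup  /dev/sdb1  none  luks\n' > "$dir/crypttab"
    printf '/dev/sda1 / ext3 defaults 0 1\n/dev/mapper/home /home ext3 noauto 0 0\n/dev/mapper/backup /backup ext3 defaults 0 2\n' > "$dir/fstab"
    audit_crypt_mounts "$dir/fstab" "$dir/crypttab"
    rc=$?
    rm -rf "$dir"
    return "$rc"
}
```

Running demo prints three findings for the backup volume and returns 3; against the real files, a return of 0 means nothing encrypted is touched before you open it by hand.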

I did however upgrade my Fedora 10 machine to F12 without issue (so far – I won’t tempt fate again!) other than a few things I’ve got to recompile like hydra, medusa, amap, john etc.

I saw my first “watch this on ITV1-HD” message tonight, so pressed the red button to watch Law & Order UK in 1080i goodness! I’ve been watching BBC-HD for a while, but ITV’s offerings are pretty few and far between.

Upgrade Day

I finally decided to upgrade my fileserver from Ubuntu 9.04 to 9.10, as 10.04 LTS is due at the end of April, so it’s easier to upgrade version-by-version than jump two.

It actually went without issue. I had already gathered the .debs needed for PIPS and iScan for my printer/scanner and tested them on a 9.10 virtual machine, although by the looks of it Gutenprint5 now has Epson RX425 drivers built in; however, I’ve seen reports that the colours are too dark.

I’ll probably upgrade my backup desktop machine from Fedora 10 to 12 tomorrow, as F13 isn’t released until mid-May. I’ll do a fresh install with this machine though (Fedora doesn’t upgrade as well as Ubuntu).

I’ve also been checking out some Linux games; they were all pretty poor in comparison to Urban Terror or Alien Arena. Some didn’t even work due to no servers being available, others were just tacky. I think I tried Wolfenstein: Enemy Territory, Tremulous Fusion, Nexuiz and Sauerbraten.

I upgraded the Gallery to the final 1.5 version the other day; it seems they never released 1.6 final. I never liked Gallery2, and Gallery3 is way overdue, maybe I’ll try that if they ever finish it.

Talking of printers, I’m thinking of getting an Epson EPL-6200 laser printer for the other house. I can’t believe they can sell a PostScript3/PCL6 laser printer for 60-odd quid! It will work with Linux out of the box of course, and toner refills can be sourced with modchips too. I was thinking of getting an all-in-one scanner/laser, but it would take up too much room.

It’s still snowing here, although it’s so sunny today I expect it all to be gone tomorrow.

New server migration

I’ve got one of my new VPSes set up today. Just got to wait for reverse DNS to propagate, get iptables sorted and NTP enabled:

vzctl set <veid> --capability sys_time:on --save
vzctl set <veid> --iptables ipt_state --save

I’m not going to switch over until I get the German servers up and running though, as the network speed of the American server isn’t so great (a few more hops I guess).

My old host said it was a 64-bit server, but it turns out it was running an i686 kernel, so the container was 32-bit no matter what the host node was. This I found out after I tried to rsync my old server to my new 64-bit one, which promptly stopped working. Luckily the control panel allows you to very quickly rebuild the server using the base install, so I switched to a minimal 32-bit Ubuntu 8.04 template and rsync’ed again, and now it’s all running fine.

Dad came over and put the CAT6 to my Mac in conduit today, looks much better than blue cable running along the ceiling! Still got to paint over an exposed section. We also got the satellite cable routed into the Snooker room, so have Sky TV in there now too, as well as one of the Xbox’s.

My cousins/uncle etc. are over so going over there on Monday, sometime this weekend we’re going to be laying the cement path around M&D’s extension.

I just watched Drag Me To Hell, which was an OK horror flick with a predictable ending and some totally irrelevant side-stories. Much better than Dance Flick, which was one of the *-Movie franchise films, a spoof of Save The Last Dance, High School Musical etc.; not great. Bruno was absolute rubbish.

I’ve got terrible ear-ache and seem to be sleeping a lot lately, so I suspect I’m coming down with something…

New Fileserver

M&D are back from their trip to Brighton and have brought my new fileserver components back with them.

The build went pretty well – almost as quick as KK’s Quad build. The main problem was swapping the SATA cables around to get the boot drive on /dev/sda; it’s a bit tight with all six SATA ports utilised! I put the Intel retail Core2Quad HSF on instead of the smaller one that came with the Pentium Dual Core, well it fits and is just a bigger bit of aluminium, so why not? I cleaned off that thick grey thermal paste crap they bundle and applied a thin coat of Arctic Silver 5. The whole box would be silent if it wasn’t for the 120mm case fan I have in there, which is whining a bit; I never noticed it before with the noisy HSF from the AthlonXP-M. The CPU is at 36°C at the moment, pretty much idle, so I’ll have a go at overclocking soon, although the Intel BIOS looks a bit basic for that sort of thing.

I installed Linux last night only to find that Ubuntu 8.04.2 LTS with its 2.6.24 kernel doesn’t see the integrated ICH10 ethernet NIC, so I’ve now gone with the non-LTS 9.04 Desktop, which correctly loads the e1000e driver from its 2.6.28 kernel. It’s no real problem, as I’ll probably reinstall when 10.04 LTS comes along rather than upgrade to 9.10 in six months or whatever.

I managed to get iScan and PIPS working with a bit of tweaking (had to build a 32-bit Jaunty VM to use alien on the RPM), although I can’t get ekpstm to work as it looks like getlibs doesn’t support Jaunty. I tested printing and scanning. NFSv4 is working and Compiz works out of the box with the integrated Intel graphics.

I’ve encrypted the two terabyte drives and am now copying stuff across from the 500GBs, then I’ve got to get rsync, sudo, Samba, CUPS and so on configured.

I’m awaiting a new PSU for my ADSL modem as it seems to have died. I’ve had to nick M&D’s for now, so they’re even without phone, bloody pain, but luckily we live near enough to drive quickly and have mobiles. It’s amazing that you really can’t do anything with Ubuntu without a broadband connection – even the SSH server is an optional extra not on the CD. Dunno why they don’t make a DVD with a load of packages on like Fedora etc.

Update: I got rsync, Samba, CUPS, sudoers, SSH and so on sorted and tested. I think GimpPrint (Gutenprint) may have had a driver for my Epson, but I went with the PIPS driver anyway. All my files are copied across and my backup regimen works (backup desktop to fileserver, fileserver to backup machine). It seems that you can no longer disable IPv6, as it’s not a kernel module but a core part of the kernel now, so I’ve changed all my services to only listen on IPv4; I guess I should configure ip6tables.

nmap v5.00 has been released as the new stable version, so I’ve downloaded and tried it out. There are a few things that I’ve got to look into that may be useful; the OS detection and version scan seem to have come along a lot, as has scanning speed.