[PC-BSD Testing] should /home be in default partitioning

Gour gour at atmarama.net
Tue Mar 22 04:18:26 PDT 2011

On Mon, 21 Mar 2011 23:14:01 +0000
Dru Lavigne <drulavigne at sympatico.ca> wrote:

> Currently, the encryption page of the PC-BSD Handbook suggests that
> one should not encrypt /usr as most of its contents are known and
> that could provide too much data for a cryptographic attack (this was
> the result of a suggestion by cpercival last year). Yet, the
> installer by default offers to encrypt /usr. Further, the default
> partitioning scheme does not make /home which is probably what users
> are interested in encrypting anyways.

Moreover, I can say that out of the 4 combinations which I tried to
install under vbox, whenever I tried with a separate & encrypted /home,
the installer fails.

The other failing combo is trying to set up mirror mode, while the only
combination which works is: auto-setup partitioning, ZFS.eli.

> 1. the default partitioning scheme separates /usr and /home


> 2. the default encryption option offers to encrypt /home instead
> of /usr

+1, although here I'm not clear whether it means that in this case
/home should be created as a separate zfs pool, or whether it's possible, which I
doubt, that only /home existing within the common pool can be encrypted?

Based on what I've found...on Solaris one can use something like:

zfs set encryption=on mypool/home

but this is not possible on FreeBSD, so I wonder how one can encrypt
/home only while keeping it within the same pool (which is, afaik, the
recommended usage of ZFS)?

Here is the log where installer fails with mirror:

Running: find-update-parts
mount: no : No such file or directory
kern.geom.debugflags: 0 -> 16
Running gpart modify on ada0
Running: gpart modify -t freebsd -i 1 ada0
ada0s1 modified
Cleaning up ada0s1
Running: dd if=/dev/zero of=/dev/ada0s1 count=1024
1024+0 records in
1024+0 records out
524288 bytes transferred in 0.181305 secs (2891747 bytes/sec)
Running: gpart create -s BSD ada0s1
ada0s1 created
Running: gpart add -s 1024M -t freebsd-ufs -i 1 ada0s1
ada0s1a added
Running: gpart add -s 2046M -t freebsd-swap -i 2 ada0s1
ada0s1b added
Running: gpart add -s 17403M -t freebsd-zfs -i 4 ada0s1
ada0s1d added
Running: gpart bootcode -b /boot/boot ada0s1
bootcode written to ada0s1
NEWFS: /dev/ada0s1a - UFS
Running: newfs /dev/ada0s1a
/dev/ada0s1a: 1024.0MB (2097152 sectors) block size 16384, fragment
size 2048
     using 6 cylinder groups of 183.72MB, 11758 blks, 23552 inodes.
super-block backups (for fsck -b #) at:
 160, 376416, 752672, 1128928, 1505184, 1881440
Running: sync
Running: glabel label boot0 /dev/ada0s1a
Running: sync
Running: sync
Running: glabel label swap0 /dev/ada0s1b
Running: sync
Creating geli provider for ada0s1d
Running: dd if=/dev/random
of=/tmp/.pc-sysinstall/.geli-keys/ada0s1d.key bs=64 count=1
1+0 records in
1+0 records out
64 bytes transferred in 0.000045 secs (1420293 bytes/sec)
Running: geli init -b -s 4096 -P -K
/tmp/.pc-sysinstall/.geli-keys/ada0s1d.key /dev/ada0s1d

Metadata backup can be found in /var/backups/ada0s1d.eli and
can be restored with the following command:

    # geli restore /var/backups/ada0s1d.eli /dev/ada0s1d

Running: geli attach -p -k /tmp/.pc-sysinstall/.geli-keys/ada0s1d.key
NEWFS: /dev/ada0s1d - ZFS
Running: zpool create -m none -f tank0 ada0s1d.eli
Running: zfs set atime=off tank0
Running: zfs set mountpoint=/mnt tank0
Running: zfs set atime=off tank0
zfs create -p tank0/home
Running: zfs create -p tank0/home
Running: zfs set mountpoint=/mnt/home tank0/home
Running: zfs set atime=off tank0/home
zfs create -p tank0/usr
Running: zfs create -p tank0/usr
Running: zfs set mountpoint=/mnt/usr tank0/usr
Running: zfs set atime=off tank0/usr
zfs create -p tank0/var
Running: zfs create -p tank0/var
Running: zfs set mountpoint=/mnt/var tank0/var
Running: zfs set atime=off tank0/var
mount -o rw /dev/ada0s1a -> /mnt/boot
Running: mount -o rw /dev/ada0s1a /mnt/boot
swapon ada0s1b
Running: swapon /dev/ada0s1b
FOUND DVD: /dev/cd0
pc-sysinstall: Starting Extraction
pc-sysinstall: Extraction Finished
Extracting FREEBSD source tree...
Running chroot command: /usr/bin/cap_mkdb /etc/login.conf
Setting em0 to DHCP on the system.
Running chroot command: cat /.tmpPass | pw useradd -n gour -c "Gour"
-h 0 -s "/usr/local/bin/zsh" -m -d "/home/gour" -G "wheel,operator"
Running: rm /mnt/.tmpPass
Running external command: mount -t devfs devfs ${FSMNT}/dev
Running chroot command: touch /var/.runxsetup
Running chroot command: /usr/local/bin/pc-xdgutil updatemenu
Running external command: cp /etc/X11/xorg.conf
Running chroot command: sh
Running external command: sh /root/insMetaPkgs.sh
base-system,Base-Devel,Base-I18N,XFCE4,XFCE4-Plugins CD
Running external command: umount ${FSMNT}/dev
Setting hostname: nitai
Setting root password
Running chroot command: cat /.rootpw | pw usermod root -h 0
Running: rm /mnt/.rootpw
Running: mkdir -p /mnt//boot-mount/boot
Running: mv /mnt/boot/* /mnt/boot-mount/boot/
Running: mv /mnt/boot-mount/boot /mnt/boot/
Running: umount /dev/mirror/gm0s1a
umount: /dev/mirror/gm0s1a: statfs: No such file or directory
umount: /dev/mirror/gm0s1a: unknown file system
Error 1: umount /dev/mirror/gm0s1a
Running: umount -f /dev/ada0s1a
Running: umount -f /mnt/boot
umount: /mnt/boot: not a file system root directory
Running: umount -f /mnt
Running: umount /cdmnt-install
Trying DHCP on em0  <Intel(R) PRO/1000 Legacy Network Connection 1.0.3>

By looking at the above log, I believe that the installer is doing the
wrong thing by using GEOM to provide the mirror, while the method to do
it, afaict*, is to use: zfs attach /device, so the installer should
take care when handling a ZFS-based mirror.

*disclaimer: I'm very new with Free/PCBSD and may be totally wrong


“In the material world, conceptions of good and bad are
all mental speculations…” (Sri Caitanya Mahaprabhu)

http://atmarama.net | Hlapicina (Croatia) | GPG: CDBF17CA
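The diagnosis in the post rests on one observation in the log: the installer unmounts /dev/mirror/gm0s1a although no gmirror provider was ever created, and every other device it touches (ada0s1a, ada0s1b, ada0s1d.eli) does appear earlier as the output of gpart or geli. The following script is an added example, not code from the post or from pc-sysinstall: it walks a trimmed, constructed copy of the quoted log, records every provider the installer reports creating, and flags consumer commands (mount, umount, swapon, zpool create) that name a provider the log never produced. The device argument on the geli attach line is an assumption, since the quoted log line is cut off after the key path.

```python
import re

# Constructed excerpt of the pc-sysinstall log quoted in the post, trimmed to
# the provider-related lines. The device argument of "geli attach" is assumed:
# the quoted log line is cut off after the key path.
SAMPLE_LOG = """\
Running: gpart modify -t freebsd -i 1 ada0
ada0s1 modified
Running: gpart create -s BSD ada0s1
ada0s1 created
Running: gpart add -s 1024M -t freebsd-ufs -i 1 ada0s1
ada0s1a added
Running: gpart add -s 2046M -t freebsd-swap -i 2 ada0s1
ada0s1b added
Running: gpart add -s 17403M -t freebsd-zfs -i 4 ada0s1
ada0s1d added
Running: geli attach -p -k /tmp/.pc-sysinstall/.geli-keys/ada0s1d.key /dev/ada0s1d
Running: zpool create -m none -f tank0 ada0s1d.eli
Running: mount -o rw /dev/ada0s1a /mnt/boot
Running: swapon /dev/ada0s1b
Running: umount /dev/mirror/gm0s1a
Running: umount -f /dev/ada0s1a
"""

# zpool create options that take a value (the pool name is the next bare word)
ZPOOL_OPTS_WITH_ARG = {"-m", "-o", "-O", "-R"}
# vdev-spec keywords that are not device names
VDEV_KEYWORDS = {"mirror", "raidz", "raidz1", "raidz2", "raidz3", "spare", "log", "cache"}


def strip_dev(name):
    """Normalise '/dev/ada0s1a' and 'ada0s1a' to the bare provider name."""
    return name[5:] if name.startswith("/dev/") else name


def zpool_vdevs(argv):
    """Return the device names from a 'zpool create [opts] pool vdev...' argv."""
    i = 2
    while i < len(argv) and argv[i].startswith("-"):
        i += 2 if argv[i] in ZPOOL_OPTS_WITH_ARG else 1
    # argv[i] is the pool name; everything after it is the vdev specification
    return [a for a in argv[i + 1:] if a not in VDEV_KEYWORDS]


def audit_providers(log):
    """Walk the log in order, tracking the GEOM providers the installer has
    actually produced, and collect every consumer command that names a
    provider the log never created. Returns (known_providers, problems)."""
    known = set()
    problems = []
    for line in log.splitlines():
        m = re.fullmatch(r"(\S+) (added|created|modified)", line.strip())
        if m:                       # gpart reports the provider it just made
            known.add(m.group(1))
            continue
        m = re.match(r"Running: (.+)", line)
        if not m:
            continue
        cmd = m.group(1)
        argv = cmd.split()
        if argv[:2] == ["geli", "attach"]:
            # attaching /dev/X yields the encrypted provider /dev/X.eli
            known.add(strip_dev(argv[-1]) + ".eli")
            continue
        if argv[:2] == ["zpool", "create"]:
            refs = zpool_vdevs(argv)
        elif argv[0] in ("mount", "umount", "swapon"):
            refs = [a for a in argv[1:] if a.startswith("/dev/")]
        else:
            continue
        for ref in refs:
            if strip_dev(ref) not in known:
                problems.append((cmd, strip_dev(ref)))
    return known, problems


if __name__ == "__main__":
    known, problems = audit_providers(SAMPLE_LOG)
    print("providers created:", sorted(known))
    for cmd, dev in problems:
        print(f"never created: {dev!r} referenced by: {cmd}")
```

On the sample above the only finding is the umount of mirror/gm0s1a, which matches what the post concludes by eye: the mirror path of the installer assumes a gmirror provider that the ZFS path never built. The same walk over a full log would also show whether a separate encrypted /home got its own geli provider or was only a dataset inside the single encrypted pool.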
