Short answer

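I want to set up a two-disk RAID1 mdadm device, with dm-integrity to provide redundancy.

I know how to partition and add drives to a RAID1 device with mdadm, but I don't know how to make sure dm-integrity is set up correctly, and since doing this correctly is critical, I would be glad if someone with more experience could explain a safe way to do it.

Do I have to add a startup script to open the devices on every boot? Do errors need to be checked manually, or are they reported automatically?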

Answer 1

I used this as an example

https://gist.github.com/MawKKe/caa2bbf7edcc072129d73b61ae7815fb

Format the disks with luksFormat:

 dd if=/dev/urandom of=key.bin bs=512 count=1

 cryptsetup luksFormat -q --type luks2 --integrity hmac-sha256 disk1.img key.bin
 cryptsetup luksFormat -q --type luks2 --integrity hmac-sha256 disk2.img key.bin

Open/attach the encrypted disks

cryptsetup luksOpen disk1.img disk1luks --key-file key.bin
cryptsetup luksOpen disk2.img disk2luks --key-file key.bin

Create the raid1:

mdadm \
  --create \
  --verbose --level 1 \
  --metadata=1.2 \
  --raid-devices=2 \
  /dev/md/mdtest \
  /dev/mapper/disk1luks \
  /dev/mapper/disk2luks

Create a filesystem, add to an LVM volume group, etc...

 mkfs.ext4 /dev/md/mdtest

Answer 2

Short answer

After creating the device, use:

integritysetup status <name>

Long answer

In a terminal, you can use man dm-integrity to read about your options. Everyone else can read the same thing on the internet:

NAME

   integritysetup - manage dm-integrity (block level integrity) volumes

SYNOPSIS

   integritysetup <options> <action> <action args>

DESCRIPTION

   Integritysetup is used to configure dm-integrity managed device-
   mapper mappings.

   Device-mapper integrity target provides read-write transparent
   integrity checking of block devices. The dm-integrity target emulates
   additional data integrity field per-sector. You can use this
   additional field directly with integritysetup utility, or indirectly
   (for authenticated encryption) through cryptsetup.

   Integritysetup supports these operations:

   format <device>

          Formats <device> (calculates space and dm-integrity superblock
          and wipes the device).

          <options> can be [--data-device, --batch-mode, --no-wipe,
          --journal-size, --interleave-sectors, --tag-size, --integrity,
          --integrity-key-size, --integrity-key-file, --sector-size,
          --progress-frequency]

   open <device> <name>
   create <name> <device> (OBSOLETE syntax)

          Open a mapping with <name> backed by device <device>.

          <options> can be [--data-device, --batch-mode,
          --journal-watermark, --journal-commit-time, --buffer-sectors,
          --integrity, --integrity-key-size, --integrity-key-file,
          --integrity-no-journal, --integrity-recalculate,
          --integrity-recovery-mode]

   close <name>

          Removes existing mapping <name>.

          For backward compatibility, there is remove command alias for
          the close command.

   status <name>

          Reports status for the active integrity mapping <name>.

   dump <device>

          Reports parameters from on-disk stored superblock.
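
An added example, not part of either answer, for the question of whether errors have to be checked manually: a shell check that classifies the status line `dmsetup status <name>` prints for a standalone dm-integrity mapping (one opened with `integritysetup open`, not the LUKS2 stack from answer 1). The field layout is assumed from the kernel's dm-integrity documentation; the sample lines are constructed, and the script and mapping names are hypothetical.

```sh
#!/bin/sh
# Added example (not from the original answers). Classifies the status line
# that `dmsetup status <name>` prints for a dm-integrity mapping. Assumed
# layout, per the kernel's dm-integrity documentation:
#   <start> <length> integrity <mismatches> <provided sectors> <recalc pos or ->

# Constructed sample lines, not captured from a real system.
SAMPLE_CLEAN='0 1951744 integrity 0 1951744 -'
SAMPLE_BAD='0 1951744 integrity 3 1951744 -'
SAMPLE_RECALC='0 1951744 integrity 0 1951744 40960'
SAMPLE_OTHER='0 1951744 linear 8:16 2048'

# Print one verdict for a status line:
#   ok | recalculating | mismatch:<n> | not-integrity | malformed
integrity_verdict() {
    set -f            # split on whitespace without glob expansion
    set -- $1
    set +f
    [ "$#" -ge 3 ] || { echo malformed; return 0; }
    [ "$3" = integrity ] || { echo not-integrity; return 0; }
    [ "$#" -ge 6 ] || { echo malformed; return 0; }
    case "$4$5" in ''|*[!0-9]*) echo malformed; return 0 ;; esac
    if [ "$4" -gt 0 ]; then echo "mismatch:$4"; return 0; fi
    case "$6" in
        *[!0-9]*) echo ok ;;    # "-": no recalculation in progress
        *)  # tags below the recalc position exist; the rest are still pending
            if [ "$6" -lt "$5" ]; then echo recalculating; else echo ok; fi ;;
    esac
}

# Live use, as root: sh check-integrity.sh integ1 integ2
# (script and mapping names are hypothetical). Returns non-zero when any
# mapping is not "ok", so a cron job or systemd timer can alert on it.
check_mappings() {
    rc=0
    for name in "$@"; do
        verdict=$(integrity_verdict "$(dmsetup status "$name" 2>/dev/null)")
        echo "$name: $verdict"
        [ "$verdict" = ok ] || rc=1
    done
    return "$rc"
}

if [ "$#" -gt 0 ]; then check_mappings "$@"; fi
```

A non-zero mismatch count means dm-integrity has returned read errors for those sectors; on a RAID1 member that is the event md needs in order to read the data from the other mirror.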
