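I want to set up a two-disk RAID1 mdadm device with dm-integrity for redundancy.
I know how to partition and add drives to a RAID1 device with mdadm, but I don't know how to make sure dm-integrity is set up correctly, and since getting this right is critical, I would be glad if someone with more experience could explain a safe way to do it.
Do I have to add a startup script to open the devices at every boot? Do errors need to be checked for manually, or are they reported automatically?
Answer 1
I used this as an example: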
https://gist.github.com/MawKKe/caa2bbf7edcc072129d73b61ae7815fb
Format the disks with luksFormat:
dd if=/dev/urandom of=key.bin bs=512 count=1
cryptsetup luksFormat -q --type luks2 --integrity hmac-sha256 disk1.img key.bin
cryptsetup luksFormat -q --type luks2 --integrity hmac-sha256 disk2.img key.bin
Open/attach the encrypted disks:
cryptsetup luksOpen disk1.img disk1luks --key-file key.bin
cryptsetup luksOpen disk2.img disk2luks --key-file key.bin
Create the RAID1:
mdadm \
--create \
--verbose --level 1 \
--metadata=1.2 \
--raid-devices=2 \
/dev/md/mdtest \
/dev/mapper/disk1luks \
/dev/mapper/disk2luks
Create a filesystem, add to an LVM volume group, etc...
mkfs.ext4 /dev/md/mdtest
Answer 2
Short answer
After creating the device, use:
integritysetup status <name>
Long answer
In a terminal, you can use man dm-integrity to read your options. Everyone else can read the same thing on the internet:
NAME
integritysetup - manage dm-integrity (block level integrity) volumes
SYNOPSIS
integritysetup <options> <action> <action args>
DESCRIPTION
Integritysetup is used to configure dm-integrity managed device-
mapper mappings.
Device-mapper integrity target provides read-write transparent
integrity checking of block devices. The dm-integrity target emulates
additional data integrity field per-sector. You can use this
additional field directly with integritysetup utility, or indirectly
(for authenticated encryption) through cryptsetup.
Integritysetup supports these operations:
format <device>
Formats <device> (calculates space and dm-integrity superblock
and wipes the device).
<options> can be [--data-device, --batch-mode, --no-wipe,
--journal-size, --interleave-sectors, --tag-size, --integrity,
--integrity-key-size, --integrity-key-file, --sector-size,
--progress-frequency]
open <device> <name>
create <name> <device> (OBSOLETE syntax)
Open a mapping with <name> backed by device <device>.
<options> can be [--data-device, --batch-mode,
--journal-watermark, --journal-commit-time, --buffer-sectors,
--integrity, --integrity-key-size, --integrity-key-file,
--integrity-no-journal, --integrity-recalculate,
--integrity-recovery-mode]
close <name>
Removes existing mapping <name>.
For backward compatibility, there is remove command alias for
the close command.
status <name>
Reports status for the active integrity mapping <name>.
dump <device>
Reports parameters from on-disk stored superblock.
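
On the question of whether errors have to be checked manually: as an added example (not part of either answer and not from the linked gist), the script below reads the failure counter from `integritysetup status` for each mirror member together with md's own sysfs state, so it can be run from cron or a timer. Assumptions: standalone dm-integrity mappings with the hypothetical names int-a and int-b, a hypothetical array at /sys/block/md127/md, and a `failures: N` line in the status output.

```shell
#!/bin/sh
# Added example (not from the answers): report integrity and mirror health.
# Assumption: `integritysetup status` prints a "failures: N" line; confirm
# this on your cryptsetup version before relying on it.

# Read `integritysetup status` output on stdin and print the failure
# counter, or "unknown" when no such line is present.
integrity_failures() {
    awk -F: '/^[ \t]*failures:/ { gsub(/[ \t]/, "", $2); print $2; found = 1; exit }
             END { if (!found) print "unknown" }'
}

# check_stack MD_SYSFS_DIR MAPPING...
#   MD_SYSFS_DIR  e.g. /sys/block/md127/md (md number is hypothetical)
#   MAPPING       dm-integrity mapping names under the array members
# Prints one line per check; returns 0 only if every counter is 0.
check_stack() {
    md_dir=$1
    shift
    rc=0
    for name in "$@"; do
        n=$(integritysetup status "$name" 2>/dev/null | integrity_failures)
        echo "integrity $name: failures=$n"
        [ "$n" = 0 ] || rc=1
    done
    # degraded: number of missing members; mismatch_cnt: sectors that
    # differed between mirrors during the last "check" scrub.
    for attr in degraded mismatch_cnt; do
        v=$(cat "$md_dir/$attr" 2>/dev/null) || v=unknown
        echo "md $attr=$v"
        [ "$v" = 0 ] || rc=1
    done
    return "$rc"
}

# Usage: sh check.sh --check /sys/block/md127/md int-a int-b
if [ "${1:-}" = "--check" ]; then
    shift
    check_stack "$@"
fi
```

A missing tool, mapping or sysfs file is reported as "unknown" and counts as a failure, so a member that was never opened at boot does not pass silently.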