I have been following this blog post, which details how to create a LUKS-encrypted partition in kickstart; it works great for encrypting a partition.
The partition I'm trying to encrypt should be mounted at /var/lib, which is where some of the packages I install in the %packages section of my kickstart are installed to.
The problem I'm running into is that the encrypted partition doesn't seem to be mounted before the packages in the %packages section are installed. This means /var/lib is created (and installed to) under my root partition instead of my encrypted partition.
Is there any way to make sure the encrypted partition is mounted at /var/lib before packages are installed as part of the kickstart? Which section should this happen in?
Answer 1
Same problem here... well, here is what I found:
ks.cfg method:
According to the documentation, this is correct (the way I read it...):
```
part / --size=8000 --grow --fstype=ext4 --encrypted --passphrase=somepassword
```
End result:
```
/dev/vda6 on / type ext4 (rw,relatime,errors=remount-ro)
```
Lovely and unencrypted, free for all to see! :)
Solution:
You have to mix ks.cfg and preseed files to make this work on Ubuntu (the Debian and Red Hat automation techniques). I must say I am a bit puzzled why Canonical chose this route... but most of the documentation I found suggests using both a ks.cfg and a ks.preseed file for automated Ubuntu installs. Note that if you use the mini.iso (netinstall), you can only use ks.preseed and follow the Debian documentation completely (I have done this extensively). To solve the problem above: you have to add the following to the ks.preseed file, under "Disk configuration".
The installer will mount the filesystems and install the operating system. Lastly, if you like, I suppose you can use the %packages directive - but if you need to control more, consider using the preseed file again:
Modifying the installed system:
```
d-i preseed/late_command string \
# the root filesystem is in /target
mkdir -p /target/opt/scripts; \
# in-target executes everything as if you were in the new system.
in-target chmod +x /opt/rtd/scripts/post-install.sh; \
```
Disk configuration:
```
# --------------------------------------------------- #
# Disk layout
# --------------------------------------------------- #
#
## Set option to encrypt the hard disk:
d-i partman-auto/method string crypto
# Option to temporarily set full disk encryption password to automate the install below.
# If you prefer to be prompted during the system installation process comment out the
# two crypto/passphrase options below. The disk encryption password can be changed at
# anytime once the system is installed using the following command:
#
# tool : command : device and partition number
# cryptsetup luksChangeKey /dev/sda4
#
#
d-i partman-crypto/passphrase password plaintextpassword-or-encrypted
d-i partman-crypto/passphrase-again password plaintextpassword-or-encrypted
# When disk encryption is enabled, skip wiping the partitions beforehand since it takes too much time.
d-i partman-auto-crypto/erase_disks boolean false
# Delete anything on the first hard drive, then define the actual layout of the disk
# using an encrypted LVM volume for security.
d-i partman-lvm/device_remove_lvm boolean true
d-i partman-lvm/device_remove_lvm_span boolean true
d-i partman-auto/purge_lvm_from_device boolean true
d-i partman-lvm/confirm boolean true
d-i partman-lvm/confirm_nooverwrite boolean true
d-i partman-auto-lvm/guided_size string max
d-i partman-auto-lvm/new_vg_name string crypt
# Use generic instead of vda & sda to ensure the recipe is applied even if this install is run in KVM, vmware, virtualbox IDE or SATA.
# d-i partman-auto/disk string /dev/sdb
d-i partman-auto/choose_recipe select root-encrypted
d-i partman-auto/expert_recipe string \
    root-encrypted :: \
        538 538 1075 free \
            $primary{ } \
            $iflabel{ gpt } \
            $reusemethod{ } \
            method{ efi } format{ } \
        . \
        500 500 500 ext3 \
            $primary{ } $bootable{ } \
            method{ format } format{ } \
            use_filesystem{ } filesystem{ ext4 } \
            mountpoint{ /boot } \
            \
        . \
        2000 2000 2000 linux-swap \
            $lvmok{ } lv_name{ swap } \
            in_vg { crypt } \
            $primary{ } \
            method{ swap } format{ } \
        . \
        500 10000 1000000000 ext4 \
            $lvmok{ } lv_name{ root } \
            in_vg { crypt } \
            $primary{ } \
            method{ format } format{ } \
            use_filesystem{ } filesystem{ ext4 } \
            mountpoint{ / } \
        . \
        2000 2000 2000 ext4 \
            $primary{ } \
            method{ keep } \
            use_filesystem{ } filesystem{ ext4 } \
            label{ rescuedisk } \
        .
d-i partman-md/device_remove_md boolean true
d-i partman-md/confirm boolean true
d-i partman-basicfilesystems/no_mount_point boolean false
d-i partman-partitioning/confirm_write_new_label boolean true
d-i partman/choose_partition select finish
d-i partman/confirm boolean true
d-i partman/confirm_nooverwrite boolean true
# --------------------------------------------------- #
```
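For the asker's specific case, an encrypted /var/lib, here is an added preseed fragment (example config written for this page; it is not the answer's file and not the asker's kickstart) that extends the recipe above with a dedicated logical volume for /var/lib inside the same encrypted volume group, so the filesystem is mounted under /target before any package is installed. The VG name `crypt`, the recipe name `root-encrypted-varlib`, the LV name `varlib`, the sizes, the placeholder passphrase and the late_command log path are assumptions; it keeps a plain /boot partition and omits the EFI stanza, which can be copied from the answer's recipe for UEFI machines.

```text
# Added example: encrypted LVM with a separate LV for /var/lib (assumed names, placeholder passphrase).
d-i partman-auto/method string crypto
d-i partman-crypto/passphrase password CHANGEME-placeholder
d-i partman-crypto/passphrase-again password CHANGEME-placeholder
d-i partman-auto-crypto/erase_disks boolean false
d-i partman-lvm/device_remove_lvm boolean true
d-i partman-lvm/confirm boolean true
d-i partman-lvm/confirm_nooverwrite boolean true
d-i partman-auto-lvm/guided_size string max
d-i partman-auto-lvm/new_vg_name string crypt
d-i partman-auto/choose_recipe select root-encrypted-varlib
d-i partman-auto/expert_recipe string \
    root-encrypted-varlib :: \
        500 500 500 ext4 \
            $primary{ } $bootable{ } \
            method{ format } format{ } \
            use_filesystem{ } filesystem{ ext4 } \
            mountpoint{ /boot } \
        . \
        2000 2000 2000 linux-swap \
            $lvmok{ } lv_name{ swap } in_vg{ crypt } \
            method{ swap } format{ } \
        . \
        8000 10000 20000 ext4 \
            $lvmok{ } lv_name{ root } in_vg{ crypt } \
            method{ format } format{ } \
            use_filesystem{ } filesystem{ ext4 } \
            mountpoint{ / } \
        . \
        4000 10000 1000000000 ext4 \
            $lvmok{ } lv_name{ varlib } in_vg{ crypt } \
            method{ format } format{ } \
            use_filesystem{ } filesystem{ ext4 } \
            mountpoint{ /var/lib } \
        .
d-i partman-partitioning/confirm_write_new_label boolean true
d-i partman/choose_partition select finish
d-i partman/confirm boolean true
d-i partman/confirm_nooverwrite boolean true
# Post-install check (assumed log path): record which device /var/lib is mounted from.
# On the installed system this should name the crypt-varlib LV, not the root device.
d-i preseed/late_command string \
    in-target sh -c 'findmnt -no SOURCE,FSTYPE /var/lib > /root/varlib-mount.txt'
```

Because partman mounts every recipe mountpoint under /target before the base system and packages are unpacked, package data written to /var/lib lands on the encrypted LV; the late_command log is a quick way to confirm that on first boot.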