jacobpascual/openzfs-docs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
f121be16dc32f3a1973b99894a5c69b8ec8d0763
openzfs-docs/docs/Getting Started/Arch Linux/Root on ZFS/0-overview.rst
ne9z a1f68c37e0 Add support for NixOS + Fedora, Arch, RH minor changes (#195) 
* Add support for NixOS

Signed-off-by: Maurice Zhou <jasper@apvc.uk>

* updated files for immutable root fs

Signed-off-by: Maurice Zhou <jasper@apvc.uk>

* update ssh key location

Signed-off-by: Maurice Zhou <jasper@apvc.uk>

* change initrd host key name

Signed-off-by: Maurice Zhou <jasper@apvc.uk>

* add missing -p switch

Signed-off-by: Maurice Zhou <jasper@apvc.uk>

* comments about SSH and encrypted bpool

Signed-off-by: Maurice Zhou <jasper@apvc.uk>

* backup hardware-configuration.nix file

Signed-off-by: Maurice Zhou <jasper@apvc.uk>

* clearer wording for backup

Signed-off-by: Maurice Zhou <jasper@apvc.uk>

* global useDHCP flag is deprecated

Signed-off-by: Maurice Zhou <jasper@apvc.uk>

* point user to configuration.nix

Signed-off-by: Maurice Zhou <jasper@apvc.uk>

* fixes for systemd-autofs; network; typo

Signed-off-by: Maurice Zhou <jasper@apvc.uk>

* force command to return 0

Signed-off-by: Maurice Zhou <jasper@apvc.uk>

* fix command to postMount

Signed-off-by: Maurice Zhou <jasper@apvc.uk>

* fix mount command

Signed-off-by: Maurice Zhou <jasper@apvc.uk>

* escape $i

Signed-off-by: Maurice Zhou <jasper@apvc.uk>

* create mountpoints before booting

Signed-off-by: Maurice Zhou <jasper@apvc.uk>

* replace postDevice,preMount command

Signed-off-by: Maurice Zhou <jasper@apvc.uk>

* disable zfs-mount

Signed-off-by: Maurice Zhou <jasper@apvc.uk>

* generate machine-id

Signed-off-by: Maurice Zhou <jasper@apvc.uk>
2021-09-06 20:48:50 +03:00

152 lines
10 KiB
ReStructuredText
Raw Blame History

.. highlight:: sh
Overview
======================
This document describes how to install Arch Linux with ZFS as root
file system.
Caution
~~~~~~~
- This guide wipes entire physical disks. Back up existing data.
- `GRUB does not and
will not work on 4Kn drive with legacy (BIOS) booting.
<http://savannah.gnu.org/bugs/?46700>`__
Partition layout
~~~~~~~~~~~~~~~~
GUID partition table (GPT) is used.
EFI system partition will be referred to as **ESP** in this document.
+----------------------+----------------------+-----------------------+----------------------+---------------------+-----------------------+-----------------+
| Name | legacy boot | ESP | Boot pool | swap | root pool | remaining space |
+======================+======================+=======================+======================+=====================+=======================+=================+
| File system | | vfat | ZFS | swap | ZFS | |
+----------------------+----------------------+-----------------------+----------------------+---------------------+-----------------------+-----------------+
| Size | 1M | 4G, or 1G w/o ISO | 4G | depends on RAM size | | |
+----------------------+----------------------+-----------------------+----------------------+---------------------+-----------------------+-----------------+
| Optional encryption | | *Secure Boot* | luks 1 | plain dm-crypt or | ZFS native encryption | |
| | | | | luks2 | | |
+----------------------+----------------------+-----------------------+----------------------+---------------------+-----------------------+-----------------+
| Partition no. | 5 | 1 | 2 | 4 | 3 | |
+----------------------+----------------------+-----------------------+----------------------+---------------------+-----------------------+-----------------+
| Mount point | | /boot/efi | /boot | | / | |
| | | /boot/efis/disk-part1 | | | | |
+----------------------+----------------------+-----------------------+----------------------+---------------------+-----------------------+-----------------+
Dataset layout
~~~~~~~~~~~~~~
+---------------------------+----------------------+----------------------+-------------------------------------+-------------------------------------------+
| Dataset | canmount | mountpoint | container | notes |
+===========================+======================+======================+=====================================+===========================================+
| bpool | off | /boot | contains sys | |
+---------------------------+----------------------+----------------------+-------------------------------------+-------------------------------------------+
| rpool | off | / | contains sys | |
+---------------------------+----------------------+----------------------+-------------------------------------+-------------------------------------------+
| bpool/sys | off | none | contains BOOT | |
+---------------------------+----------------------+----------------------+-------------------------------------+-------------------------------------------+
| rpool/sys | off | none | contains ROOT | sys is encryptionroot |
+---------------------------+----------------------+----------------------+-------------------------------------+-------------------------------------------+
| bpool/sys/BOOT | off | none | contains boot environments | |
+---------------------------+----------------------+----------------------+-------------------------------------+-------------------------------------------+
| rpool/sys/ROOT | off | none | contains boot environments | |
+---------------------------+----------------------+----------------------+-------------------------------------+-------------------------------------------+
| rpool/sys/DATA | off | none | contains placeholder "default" | |
+---------------------------+----------------------+----------------------+-------------------------------------+-------------------------------------------+
| rpool/sys/DATA/default | off | / | contains user datasets | child datsets inherits mountpoint |
+---------------------------+----------------------+----------------------+-------------------------------------+-------------------------------------------+
| rpool/sys/DATA/default/ | on | /home (inherited) | no | |
| home | | | | user datasets, also called "shared |
| | | | | datasets", "persistent datasets"; also |
| | | | | include /var/lib, /srv, ... |
+---------------------------+----------------------+----------------------+-------------------------------------+-------------------------------------------+
| bpool/sys/BOOT/default | noauto | /boot | no | noauto is used to switch BE. because of |
| | | | | noauto, must use fstab to mount |
+---------------------------+----------------------+----------------------+-------------------------------------+-------------------------------------------+
| rpool/sys/ROOT/default | noauto | / | no | mounted by initrd zfs hook |
+---------------------------+----------------------+----------------------+-------------------------------------+-------------------------------------------+
| bpool/sys/BOOT/be1 | noauto | /boot | no | see bpool/sys/BOOT/default |
+---------------------------+----------------------+----------------------+-------------------------------------+-------------------------------------------+
| rpool/sys/ROOT/be1 | noauto | / | no | see rpool/sys/ROOT/default |
+---------------------------+----------------------+----------------------+-------------------------------------+-------------------------------------------+
Encryption
~~~~~~~~~~
- Swap
Swap is always encrypted. By default, swap is encrypted
with plain dm-crypt with key generated from ``/dev/urandom``
at every boot. Swap content does not persist between reboots.
LUKS2-encrypted persistent swap can be
enabled after encrypting both boot pool and root pool, see below.
With persistent swap, hibernation (suspend-to-disk) can be enabled.
- Root pool
ZFS native encryption can be optionally enabled for ``rpool/sys``
and child datasets.
User should be aware that, ZFS native encryption does not
encrypt some metadata of the datasets.
ZFS native encryption also does not change master key when ``zfs change-key`` is invoked.
Therefore, you should wipe the disk when password is compromised to protect confidentiality.
See `zfs-load-key.8 <https://openzfs.github.io/openzfs-docs/man/8/zfs-load-key.8.html>`__
and `zfs-change-key.8 <https://openzfs.github.io/openzfs-docs/man/8/zfs-change-key.8.html>`__
for more information regarding ZFS native encryption.
Encryption is enabled at dataset creation and can not be disabled later.
Password can be supplied via SSH.
- Boot pool
After encrypting root pool, boot pool can also be encrypted with LUKS1.
This protects initrd from attacks and also protects key material in initrd.
Password must be interactively entered at boot in GRUB. This disables
password with SSH.
- Bootloader
Bootloader can not be encrypted.
However, with Secure Boot, bootloader
can be verified by motherboard firmware to be untempered,
which should be sufficient for most purposes.
As enabling Secure Boot is device specific, this is not
covered in detail.
Booting with disk failure
~~~~~~~~~~~~~~~~~~~~~~~~~
This guide is written with disk failure in mind.
If disks used in Root on ZFS pool failed, but
sufficient redundancy for both root pool and boot pool
still exists, the system will still boot normally.
Swap partition on the failed disk will fail to mount,
after an 1m30s timeout.
This feature is useful for use cases such
as an unattended remote server.
Example:
- System has disks ``n>1``
- Installed with mirrored setup
- Mirrored setup can tolerate up to ``n-1`` disk failures
- Disconnect one or more disks, keep at least
one disk connected
- System still boots, but fails to mount swap and
EFI partition
Reference in New Issue View Git Blame Copy Permalink