[opensuse-factory] How to enable boot into snapshot on TW?
Hi all, I read, that it should be possible to boot into a snapshot now. However, I do not have this option in my grub2 menu, although I have installed the grub2-snapper-plugin and have a root partition using btrfs and snapshots shown by snapper list. Any ideas?
-- Jabber: robby81@jabber.de
-- Confidential communication is the basis of democracy! Each of my mails is signed with PGP. The signature can easily be verified with my public key on the standard key servers, and the key can be used to send encrypted mails to me. http://www.kuketz-blog.de/verschluesselte-e-mails-mit-gnupg-als-supergrundre... Instructions for Windows: https://www.youtube.com/watch?v=ieuHHu4MoMo Instructions for the Mac: https://www.youtube.com/watch?v=3hGlzPzjU-0 Just generate a key and off you go ...
2015-11-25 16:03 GMT+03:00 Robby Engelmann <robby.engelmann@igfs-ev.de>:
Hi all,
I read, that it should be possible to boot into a snapshot now. However, I do not have this option in my grub2 menu, although I have installed the grub2-snapper-plugin and have a root partition using btrfs and snapshots shown by snapper list.
Check SUSE_BTRFS_SNAPSHOT_BOOTING=true in /etc/default/grub. Probably there is also check box somewhere in YaST. -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
I checked it and it has been set to true ... but nevertheless no boot-entry for booting into a snapshot. are there other options?
On Wednesday, November 25, 2015 04:17:54 PM Andrei Borzenkov wrote:
2015-11-25 16:03 GMT+03:00 Robby Engelmann <robby.engelmann@igfs-ev.de>:
Hi all,
I read, that it should be possible to boot into a snapshot now. However, I do not have this option in my grub2 menu, although I have installed the grub2-snapper-plugin and have a root partition using btrfs and snapshots shown by snapper list.
Check SUSE_BTRFS_SNAPSHOT_BOOTING=true in /etc/default/grub. Probably there is also check box somewhere in YaST.
First thing: TOP posting is EVIL, do not do it. Further reply below.
On Wed, 25 Nov 2015 19:23, Robby Engelmann <robby.engelmann@...> wrote:
I checked it and it has been set to true ... but nevertheless no boot-entry for booting into a snapshot. are there other options?
On Wednesday, November 25, 2015 04:17:54 PM Andrei Borzenkov wrote:
2015-11-25 16:03 GMT+03:00 Robby Engelmann <robby.engelmann@igfs-ev.de>:
Hi all,
I read, that it should be possible to boot into a snapshot now. However, I do not have this option in my grub2 menu, although I have installed the grub2-snapper-plugin and have a root partition using btrfs and snapshots shown by snapper list.
Check SUSE_BTRFS_SNAPSHOT_BOOTING=true in /etc/default/grub. Probably there is also check box somewhere in YaST.
Did you refresh the 'active' grub boot code? e.g. calling "update-bootloader --refresh" as root? (Yes, there is a grub2 command, but I do not know the syntax offhand)
Background: changing the config is easy, but forgetting to write out the boot-code (the update command) will get you nothing, back to step one.
- Yamaban.
On Wed, 25 Nov 2015 19:50:07 +0100, Yamaban <foerster@lisas.de> wrote:
2015-11-25 16:03 GMT+03:00 Robby Engelmann <robby.engelmann@igfs-ev.de>:
I read, that it should be possible to boot into a snapshot now. However, I do not have this option in my grub2 menu, although I have installed the grub2-snapper-plugin and have a root partition using btrfs and snapshots shown by snapper list.
The boot-menu should look like this: https://openqa.opensuse.org/tests/101730/modules/livecdreboot/steps/9
How does your boot menu look like instead?
Maybe the snapshot functionality on your computer was only recently enabled but your grub menu has not been updated?
Oliver
Instead of Boot into snapshot, I have the option Memtest as third and last menu point. The others are the same.
On Wednesday, November 25, 2015 09:42:14 PM Oliver Kurz wrote:
On Wed, 25 Nov 2015 19:50:07 +0100, Yamaban <foerster@lisas.de> wrote:
2015-11-25 16:03 GMT+03:00 Robby Engelmann <robby.engelmann@igfs-ev.de>:
I read, that it should be possible to boot into a snapshot now. However, I do not have this option in my grub2 menu, although I have installed the grub2-snapper-plugin and have a root partition using btrfs and snapshots shown by snapper list.
The boot-menu should look like this: https://openqa.opensuse.org/tests/101730/modules/livecdreboot/steps/9
How does your boot menu look like instead?
Maybe the snapshot functionality on your computer was only recently enabled but your grub menu has not been updated?
Oliver
On Thu, Nov 26, 2015 at 8:53 AM, Robby Engelmann <robby.engelmann@igfs-ev.de> wrote:
Instead of Boot into snapshot, I have the option Memtest as third and last menu point. The others are the same.
Repeating the question - is your /boot/grub2 on btrfs or other filesystem type?
sorry, I overlooked that... boot is on ext4. root, home and swap is a lukscrypt lvm setup with root btrfs and home xfs.
On Thursday, November 26, 2015 09:49:29 AM Andrei Borzenkov wrote:
On Thu, Nov 26, 2015 at 8:53 AM, Robby Engelmann <robby.engelmann@igfs-ev.de> wrote:
Instead of Boot into snapshot, I have the option Memtest as third and last menu point. The others are the same.
Repeating the question - is your /boot/grub2 on btrfs or other filesystem type?
26.11.2015 20:38, Robby Engelmann wrote:
sorry, I overlooked that...
boot is on ext4. root, home and swap is a lukscrypt lvm setup with root btrfs and home xfs.
Boot from snapshot is offered only if /boot is on btrfs (actually check is probably wrong, it should check that /boot is on the same filesystem and subvolume as /, but that is another matter).
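The conditions raised in the thread up to this point, as a preflight check (an added example, not part of the thread and not code from grub2 or grub2-snapper-plugin): the SUSE_BTRFS_SNAPSHOT_BOOTING setting, the filesystem under /boot/grub2, and the stricter same-filesystem test Andrei suggests. Function names, verdict strings and the sample files are constructed for illustration; the mount table is in /proc/mounts format, and what the grub2 scripts actually test may differ.

```shell
#!/bin/sh
# Added example: checks the preconditions for "boot into snapshot" named in
# this thread. Function names are hypothetical; all sample data is constructed.

# Print the effective SUSE_BTRFS_SNAPSHOT_BOOTING value from a grub defaults
# file ($1): commented-out lines are ignored, quotes are stripped, and the
# last assignment wins, as in any shell-style variable file.
snapshot_flag() {
    sed -n 's/^[[:space:]]*SUSE_BTRFS_SNAPSHOT_BOOTING=//p' "$1" |
        tail -n 1 | tr -d "\"'" | sed 's/[[:space:]]*#.*$//; s/[[:space:]]*$//'
}

# Print "device fstype" of the mount that holds path $2, read from a
# /proc/mounts-style table in file $1. The longest matching mount point wins.
mount_for() {
    awk -v p="$2" '
        BEGIN { best = 0 }
        {
            mp = $2
            if (mp == p || mp == "/" || index(p, mp "/") == 1) {
                if (length(mp) >= best) { best = length(mp); dev = $1; fs = $3 }
            }
        }
        END { if (fs != "") print dev, fs }
    ' "$1"
}

# Print one verdict for a grub defaults file ($1) and a mount table ($2).
snapshot_boot_diagnosis() {
    root=$(mount_for "$2" /)
    boot=$(mount_for "$2" /boot/grub2)
    if [ "$(snapshot_flag "$1")" != "true" ]; then
        echo "flag-not-true"            # the setting Andrei asks about first
    elif [ "${root#* }" != "btrfs" ]; then
        echo "root-not-btrfs"           # no btrfs snapshots of / to boot from
    elif [ "${boot#* }" != "btrfs" ]; then
        echo "boot-not-btrfs"           # the case diagnosed in this thread
    elif [ "${boot%% *}" != "${root%% *}" ]; then
        echo "boot-on-other-filesystem" # the stricter check Andrei suggests
    else
        echo "ok"                       # subvolume layout is not compared here
    fi
}

# Write constructed sample inputs into directory $1.
write_samples() {
    cat > "$1/grub.on" <<'EOF'
GRUB_TIMEOUT=8
#SUSE_BTRFS_SNAPSHOT_BOOTING=false
SUSE_BTRFS_SNAPSHOT_BOOTING="true"
EOF
    printf 'SUSE_BTRFS_SNAPSHOT_BOOTING=false\n' > "$1/grub.off"
    # Layout reported in the thread: /boot on ext4, / on btrfs, /home on xfs.
    cat > "$1/mounts.ext4-boot" <<'EOF'
/dev/mapper/system-root / btrfs rw,relatime,subvol=/@ 0 0
/dev/mapper/system-root /.snapshots btrfs rw,relatime,subvol=/@/.snapshots 0 0
/dev/sda1 /boot ext4 rw,relatime 0 0
/dev/mapper/system-home /home xfs rw,relatime 0 0
EOF
    # /boot/grub2 lives on the root btrfs filesystem.
    cat > "$1/mounts.btrfs-boot" <<'EOF'
/dev/mapper/cr_root / btrfs rw,relatime,subvol=/@ 0 0
/dev/mapper/cr_root /.snapshots btrfs rw,relatime,subvol=/@/.snapshots 0 0
/dev/mapper/cr_root /home btrfs rw,relatime,subvol=/@/home 0 0
EOF
    # Separate btrfs /boot: passes an "is it btrfs" test, fails the stricter one.
    cat > "$1/mounts.split-btrfs" <<'EOF'
/dev/mapper/cr_root / btrfs rw,relatime,subvol=/@ 0 0
/dev/sda1 /boot btrfs rw,relatime 0 0
EOF
}

# Demo run over the constructed samples.
demo=$(mktemp -d)
write_samples "$demo"
for m in ext4-boot btrfs-boot split-btrfs; do
    echo "$m: $(snapshot_boot_diagnosis "$demo/grub.on" "$demo/mounts.$m")"
done
rm -rf "$demo"
```

On a live system, `snapshot_boot_diagnosis /etc/default/grub /proc/mounts` gives the verdict for the running layout; after a configuration change the boot code still has to be refreshed, as Yamaban describes above.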
On Thursday 26 November 2015 20.49:32 Andrei Borzenkov wrote:
26.11.2015 20:38, Robby Engelmann wrote:
sorry, I overlooked that...
boot is on ext4. root, home and swap is a lukscrypt lvm setup with root btrfs and home xfs.
Boot from snapshot is offered only if /boot is on btrfs (actually check is probably wrong, it should check that /boot is on the same filesystem and subvolume as /, but that is another matter).
Then this is a huge limitation on what we offer. TW is advertised with the rollback feature, as a recover measure.
In the new world of sensitive information and privacy, this is a really a problem. People that need to have / encrypted for whatever reason (they are all valid: list of package, database content etc) are just left on the side.
What kind of effort we can do to have grub2 asking luks keypass when starting ? and then being able to decrypt the snapshots ...
-- Bruno Friedmann Ioda-Net Sàrl www.ioda-net.ch openSUSE Member & Board, fsfe fellowship GPG KEY : D5C9B751C4653227 irc: tigerfoot
On 5 December 2015 at 19:50, Bruno Friedmann <bruno@ioda-net.ch> wrote:
On Thursday 26 November 2015 20.49:32 Andrei Borzenkov wrote:
26.11.2015 20:38, Robby Engelmann wrote:
sorry, I overlooked that...
boot is on ext4. root, home and swap is a lukscrypt lvm setup with root btrfs and home xfs.
Boot from snapshot is offered only if /boot is on btrfs (actually check is probably wrong, it should check that /boot is on the same filesystem and subvolume as /, but that is another matter).
Then this is a huge limitation on what we offer. TW is advertised with the rollback feature, as a recover measure.
In the new world of sensitive information and privacy, this is a really a problem. People that need to have / encrypted for whatever reason (they are all valid: list of package, database content etc) are just left on the side.
What kind of effort we can do to have grub2 asking luks keypass when starting ? and then being able to decrypt the snapshots ...
Can't be done
In order for Boot to Snapshot to work, Grub needs to be able to read /.snapshots on the root filesystem - this is where the snapshots are stored after all
Grub can't do that if / is encrypted - The only way that would be theoretically possible is if you instructed Grub to decrypt root BEFORE showing you the boot menu (this is an option I've seen done in the past)
But in order for that to work, Grub needs to be in its own partition outside of the / root filesystem
and as soon as you do that, you are NOT going to get the full benefit of snapshot/rollback - /boot isn't on your root filesystem, you won't be able to rollback any bootloader/initrd related problems - which is precisely the sort of thing that boot to snapshot is *NEEDED* for (otherwise you could just boot normally and snapper rollback normally)
So, yes, this is a chicken and egg problem - if you come up with a way of Grub decrypting itself and the snapshots so it can show you snapshots, that would be awesome, but I do not think that's feasible
Encryption, sadly, comes at costs. Performance is one, the removal of the boot to snapshot feature is another
06.12.2015 01:49, Richard Brown wrote:
On 5 December 2015 at 19:50, Bruno Friedmann <bruno@ioda-net.ch> wrote:
On Thursday 26 November 2015 20.49:32 Andrei Borzenkov wrote:
26.11.2015 20:38, Robby Engelmann wrote:
sorry, I overlooked that...
boot is on ext4. root, home and swap is a lukscrypt lvm setup with root btrfs and home xfs.
Boot from snapshot is offered only if /boot is on btrfs (actually check is probably wrong, it should check that /boot is on the same filesystem and subvolume as /, but that is another matter).
Then this is a huge limitation on what we offer. TW is advertised with the rollback feature, as a recover measure.
In the new world of sensitive information and privacy, this is a really a problem. People that need to have / encrypted for whatever reason (they are all valid: list of package, database content etc) are just left on the side.
What kind of effort we can do to have grub2 asking luks keypass when starting ? and then being able to decrypt the snapshots ...
LUKS support was added to GRUB2 more than 4 years ago.
Can't be done
Please get your facts right.
Installing on encrypted LVM has been possible for quite some time (and a lot of people do it and we even fix bug reports related to it). What is missing is easy to use YaST support to install on simple encrypted partition without jumping through manual encrypted LVM creation hoops. Given demand, it should really be exposed as check box on top level partition proposal.
Like another functionality that GRUB2 offers but YaST not - installing on arbitrary Linux MD array, not only on exactly 2 disks RAID1.
On 06/12/15 17:23, Andrei Borzenkov wrote:
06.12.2015 01:49, Richard Brown wrote:
On 5 December 2015 at 19:50, Bruno Friedmann <bruno@ioda-net.ch> wrote:
On Thursday 26 November 2015 20.49:32 Andrei Borzenkov wrote:
26.11.2015 20:38, Robby Engelmann wrote:
sorry, I overlooked that...
boot is on ext4. root, home and swap is a lukscrypt lvm setup with root btrfs and home xfs.
Boot from snapshot is offered only if /boot is on btrfs (actually check is probably wrong, it should check that /boot is on the same filesystem and subvolume as /, but that is another matter).
Then this is a huge limitation on what we offer. TW is advertised with the rollback feature, as a recover measure.
In the new world of sensitive information and privacy, this is a really a problem. People that need to have / encrypted for whatever reason (they are all valid: list of package, database content etc) are just left on the side.
What kind of effort we can do to have grub2 asking luks keypass when starting ? and then being able to decrypt the snapshots ...
LUKS support was added to GRUB2 more than 4 years ago.
Oh dear.
Can't be done
Please get your facts right.
Oh dear, oh dear.
Installing on encrypted LVM has been possible for quite some time (and a lot of people do it and we even fix bug reports related to it). What is missing is easy to use YaST support to install on simple encrypted partition without jumping through manual encrypted LVM creation hoops. Given demand, it should really be exposed as check box on top level partition proposal.
Like another functionality that GRUB2 offers but YaST not - installing on arbitrary Linux MD array, not only on exactly 2 disks RAID1.
Are you sure about all this? Richard is listed as the SUSE's QA Engineer (not simply a programmer but Engineer!) after all.
Ooosh...tippy-toeing on egg shells I am on your behalf.......
BC
-- Using openSUSE 13.2, KDE 4.14.9 & kernel 4.3.0-21 on a system with- AMD FX 8-core 3.6/4.2GHz processor 16GB PC14900/1866MHz Quad Channel RAM Gigabyte AMD3+ m/board; Gigabyte nVidia GTX660 GPU
*snip*
I have to wonder if you really have to send this mail at all? Is there some technical information or any positive addition for all those people subscribed here?
You would not believe how happy I am not having to read carlos and his bullshit everyday and now you start with this?
Unless you have technical addition to discussion please consider in future not sending an email.
Tomas
On 06/12/15 22:22, Tomáš Chvátal wrote:
*snip*
I have to wonder if you really have to send this mail at all? Is there some technical information or any positive addition for all those people subscribed here?
And in turn I have to ask the very same of you. What technical information have YOU provided in the diatribe you post here?
You would not believe how happy I am not having to read carlos and his bullshit everyday and now you start with this?
Oh. Not nice at all. Text containing crude references to bovine excrement are frowned upon in family lists such as these but it doesn't seem to worry you. However, what I wrote appears to have you wetting your knickers.
I, for one, am not interested in any form or shape of what makes you happy or does not make you happy. I have never heard of you, have never heard from you as far as I know, and don't really care if I hear from you ever again. How you feel does not matter to me 'per se' but I would be concerned if you were being bombed or tortured or otherwise being physically abused for no reason. But as far as you being unhappy about what you read here means zilch to me.
Unless you have technical addition to discussion please consider in future not sending an email.
Then also please pay attention to what you have just requested. I, too, don't give a tinker's to have to read about your whinges or what your desires or otherwise are or wish them to be.
From your name I can assume that English is not your first language so there is some leeway I have to give you for your diatribe you wrote above. (I am not using this to attack you in any way because, you see, English is really my third language - but I learnt to cope with it.)
If you have fully understood and paid attention to what I had written then you would have understood quite plainly what I wrote.
And that means that I *was* being on topic about the technical aspects of what was stated.
If you aren't capable of understanding what is being expressed then don't come up with the above diatribe.
But now that you bring it up, there is this interesting point which you have raised by stating what you did above:
were you the one, or one of the ones, who complained about Carlos to Richard? You certainly sound as if you could be the one who complained. So, please confirm or deny.
BC
On 06/12/15 22:22, Tomáš Chvátal wrote:
*snip*
I have to wonder if you really have to send this mail at all? Is there some technical information or any positive addition for all those people subscribed here?
And in turn I have to ask the very same of you.
What technical information have YOU provided in the diatribe you post here?
This is just https://en.wikipedia.org/wiki/Tu_quoque
You would not believe how happy I am not having to read carlos and his bullshit everyday and now you start with this?
Oh. Not nice at all. Text containing crude references to bovine excrement are frowned upon in family lists such as these but it doesn't
Since when is opensuse-factory "family list"? It is mailing list intended for discussions about development of Tumbleweed and now Leap as well. It however unfortunately seems that sometimes, someone start to use this ml as replacement for proper social interaction or perhaps some sort of debate club.
seem to worry you. However, what I wrote appears to have you wetting your knickers.
I, for one, am not interested in any form or shape of what makes you happy or does not make you happy. I have never heard of you, have never heard from you as far as I know, and don't really care if I hear from you ever again.
This suggests that you are not much involved in development of TW or Leap, otherwise this name would ring a bell. Furthermore I would kindly remind you that openSUSE is, if I recall correctly considered meritocracy, thus people who do the work have more rights than people who do only talking, such as for example you.
How you feel does not matter to me 'per se' but I would be concerned if you were being bombed or tortured or otherwise being physically abused for no reason. But as far as you being unhappy about what you read here means zilch to me.
Unless you have technical addition to discussion please consider in future not sending an email.
On 06.12.2015 at 13:08, Basil Chupin wrote:
Then also please pay attention to what you have just requested. I, too, don't give a tinker's to have to read about your whinges or what your desires or otherwise are or wish them to be.
Have you considered finding some more useful way to use your time than post to this mailing lists? Perhaps finding some hobby?
Cheers
Martin Pluskal
On Sun, 6 December 2015 23:08:01, Basil Chupin wrote:
On 06/12/15 22:22, Tomáš Chvátal wrote:
*snip*
I have to wonder if you really have to send this mail at all? Is there some technical information or any positive addition for all those people subscribed here?
And in turn I have to ask the very same of you.
What technical information have YOU provided in the diatribe you post here?
None, I am just asking you to stop doing it so I don't have to read useless stuff all the time.
You would not believe how happy I am not having to read carlos and his bullshit everyday and now you start with this?
Oh. Not nice at all. Text containing crude references to bovine excrement are frowned upon in family lists such as these but it doesn't seem to worry you. However, what I wrote appears to have you wetting your knickers.
So insults it be... Carlos mostly wrote unfounded FUD, which seems exactly what you are doing on opensuse main mailinglist, which I don't give c**p because contrary others that have to deal with you I am not needed by SUSE to be subscribed and crawl over your rambling.
[1] http://lists.opensuse.org/opensuse/2015-12/msg00054.html
[2] http://lists.opensuse.org/opensuse/2015-11/msg00209.html
[3] http://lists.opensuse.org/opensuse/2015-10/msg00023.html
Can find more for each month of your subscription, but I get others can easily pick up and read.
I, for one, am not interested in any form or shape of what makes you happy or does not make you happy. I have never heard of you, have never heard from you as far as I know, and don't really care if I hear from you ever again. How you feel does not matter to me 'per se' but I would be concerned if you were being bombed or tortured or otherwise being physically abused for no reason. But as far as you being unhappy about what you read here means zilch to me.
Well too bad for you not knowing the developer audience of openSUSE. It shows how well versed you are in the community apart from the complaining and spreading nonsense above.
Unless you have technical addition to discussion please consider in future not sending an email.
Then also please pay attention to what you have just requested. I, too, don't give a tinker's to have to read about your whinges or what your desires or otherwise are or wish them to be.
From your name I can assume that English is not your first language so there is some leeway I have to give you for your diatribe you wrote above. (I am not using this to attack you in any way because, you see, English is really my third language - but I learnt to cope with it.)
If you have fully understood and paid attention to what I had written then you would have understood quite plainly what I wrote.
And that means that I *was* being on topic about the technical aspects of what was stated.
If you aren't capable of understanding what is being expressed then don't come up with the above diatribe.
But now that you bring it up, there is this interesting point which you have raised by stating what you did above:
were you the one, or one of the ones, who complained about Carlos to Richard? You certainly sound as if you could be the one who complained. So, please confirm or deny.
I did not complain to board about Carlos and his behaviour on this mailinglist. I should've because he was quite not what I would expect from somebody adhering to our code of conduct.
What I did is to complain about him in the past for his behaviour on different list for which he was warned at the time.
With that on mind. I would like to complain about you. Which I am proply to do so. Esp. because of mail [2] which is definitely not acceptable.
@board: could you please look on the above and [2].
Tomas
On 06.12.2015 at 12:01, Basil Chupin wrote:
On 06/12/15 17:23, Andrei Borzenkov wrote:
06.12.2015 01:49, Richard Brown wrote:
On 5 December 2015 at 19:50, Bruno Friedmann <bruno@ioda-net.ch> wrote:
On Thursday 26 November 2015 20.49:32 Andrei Borzenkov wrote:
26.11.2015 20:38, Robby Engelmann wrote:
sorry, I overlooked that...
boot is on ext4. root, home and swap is a lukscrypt lvm setup with root btrfs and home xfs.
Boot from snapshot is offered only if /boot is on btrfs (actually check is probably wrong, it should check that /boot is on the same filesystem and subvolume as /, but that is another matter).
Then this is a huge limitation on what we offer. TW is advertised with the rollback feature, as a recover measure.
In the new world of sensitive information and privacy, this is a really a problem. People that need to have / encrypted for whatever reason (they are all valid: list of package, database content etc) are just left on the side.
What kind of effort we can do to have grub2 asking luks keypass when starting ? and then being able to decrypt the snapshots ...
LUKS support was added to GRUB2 more than 4 years ago.
Oh dear.
Can't be done
Please get your facts right.
Oh dear, oh dear.
Installing on encrypted LVM has been possible for quite some time (and a lot of people do it and we even fix bug reports related to it). What is missing is easy to use YaST support to install on simple encrypted partition without jumping through manual encrypted LVM creation hoops. Given demand, it should really be exposed as check box on top level partition proposal.
Like another functionality that GRUB2 offers but YaST not - installing on arbitrary Linux MD array, not only on exactly 2 disks RAID1.
Are you sure about all this? Richard is listed as the SUSE's QA Engineer (not simply a programmer but Engineer!) after all.
Ooosh...tippy-toeing on egg shells I am on your behalf.......
Please consider that not all people involved in development of Tumbleweed or Leap, subscribed to this ml are interested in your witty remarks or ad hominems - perhaps you might consider moving them to more suitable place.
Cheers
Martin Pluskal
On 06/12/15 22:34, Martin Pluskal wrote:
On 06.12.2015 at 12:01, Basil Chupin wrote:
On 06/12/15 17:23, Andrei Borzenkov wrote:
06.12.2015 01:49, Richard Brown wrote:
On 5 December 2015 at 19:50, Bruno Friedmann <bruno@ioda-net.ch> wrote:
On Thursday 26 November 2015 20.49:32 Andrei Borzenkov wrote:
26.11.2015 20:38, Robby Engelmann wrote:
sorry, I overlooked that...
boot is on ext4. root, home and swap is a lukscrypt lvm setup with root btrfs and home xfs.
Boot from snapshot is offered only if /boot is on btrfs (actually check is probably wrong, it should check that /boot is on the same filesystem and subvolume as /, but that is another matter).
Then this is a huge limitation on what we offer. TW is advertised with the rollback feature, as a recover measure.
In the new world of sensitive information and privacy, this is a really a problem. People that need to have / encrypted for whatever reason (they are all valid: list of package, database content etc) are just left on the side.
What kind of effort we can do to have grub2 asking luks keypass when starting ? and then being able to decrypt the snapshots ...
LUKS support was added to GRUB2 more than 4 years ago.
Oh dear.
Can't be done
Please get your facts right.
Oh dear, oh dear.
Installing on encrypted LVM has been possible for quite some time (and a lot of people do it and we even fix bug reports related to it). What is missing is easy to use YaST support to install on simple encrypted partition without jumping through manual encrypted LVM creation hoops. Given demand, it should really be exposed as check box on top level partition proposal.
Like another functionality that GRUB2 offers but YaST not - installing on arbitrary Linux MD array, not only on exactly 2 disks RAID1.
Are you sure about all this? Richard is listed as the SUSE's QA Engineer (not simply a programmer but Engineer!) after all.
Ooosh...tippy-toeing on egg shells I am on your behalf.......
Please consider that not all people involved in development of Tumbleweed or Leap, subscribed to this ml are interested in your witty remarks or ad hominems - perhaps you might consider moving them to more suitable place.
What "ad hominems"!?
Do you even know what it means?
Aaaah...... it has just dawned on me..... You, and the previous fellow, read into what I wrote what you want to read into it -- which really is exposing your inner feelings about what I wrote but which must be denied in public :-) .
If I was Freud I could have all the material I need for a book here :-D .
Cheers
Martin Pluskal
BC
On 06.12.2015 at 13:18, Basil Chupin wrote:
On 06/12/15 22:34, Martin Pluskal wrote:
On 06.12.2015 at 12:01, Basil Chupin wrote:
On 06/12/15 17:23, Andrei Borzenkov wrote:
06.12.2015 01:49, Richard Brown wrote:
On 5 December 2015 at 19:50, Bruno Friedmann <bruno@ioda-net.ch> wrote:
On Thursday 26 November 2015 20.49:32 Andrei Borzenkov wrote:
26.11.2015 20:38, Robby Engelmann wrote:
sorry, I overlooked that...
boot is on ext4. root, home and swap is a lukscrypt lvm setup with root btrfs and home xfs.
Boot from snapshot is offered only if /boot is on btrfs (actually check is probably wrong, it should check that /boot is on the same filesystem and subvolume as /, but that is another matter).
Then this is a huge limitation on what we offer. TW is advertised with the rollback feature, as a recover measure.
In the new world of sensitive information and privacy, this is a really a problem. People that need to have / encrypted for whatever reason (they are all valid: list of package, database content etc) are just left on the side.
What kind of effort we can do to have grub2 asking luks keypass when starting ? and then being able to decrypt the snapshots ...
LUKS support was added to GRUB2 more than 4 years ago.
Oh dear.
Can't be done
Please get your facts right.
Oh dear, oh dear.
Installing on encrypted LVM has been possible for quite some time (and a lot of people do it and we even fix bug reports related to it). What is missing is easy to use YaST support to install on simple encrypted partition without jumping through manual encrypted LVM creation hoops. Given demand, it should really be exposed as check box on top level partition proposal.
Like another functionality that GRUB2 offers but YaST not - installing on arbitrary Linux MD array, not only on exactly 2 disks RAID1.
Are you sure about all this? Richard is listed as the SUSE's QA Engineer (not simply a programmer but Engineer!) after all.
Ooosh...tippy-toeing on egg shells I am on your behalf.......
Please consider that not all people involved in development of Tumbleweed or Leap, subscribed to this ml are interested in your witty remarks or ad hominems - perhaps you might consider moving them to more suitable place.
What "ad hominems"!?
I meant your personal attack at Richard, hidden under disguise of sarcasm.
Do you even know what it means?
Aaaah...... it has just dawned on me..... You, and the previous fellow, read into what I wrote what you want to read into it -- which really is exposing your inner feelings about what I wrote but which must be denied in public :-) .
If I was Freud I could have all the material I need for a book here :-D .
Enjouy doing as you wish, but please keep it from this mailing list. Martin
On 6 December 2015 at 07:23, Andrei Borzenkov <arvidjaar@gmail.com> wrote:
> 06.12.2015 01:49, Richard Brown wrote:
> LUKS support was added to GRUB2 more than 4 years ago.
>
>> Can't be done
>
> Please get your facts right.

My facts are correct, but were not necessarily totally complete ;)

It's been pointed out to me that in fact you can, in the advanced partitioner only, set a btrfs root filesystem to encrypted and Grub2 will be able to boot it.

I did not know that..probably because it isn't clearly documented anywhere and the LVM+Crypt method is the one we DO have documented, is obvious in YaST, and is what we recommend and test for everyone because it's documented and obvious in YaST ;) My facts are 'true' from the perspective of what is generally accepted as the 'supported' mechanism for full-disk-encryption in openSUSE.

> Installing on encrypted LVM has been possible for quite some time (and a lot of people do it and we even fix bug reports related to it). What is missing is easy to use YaST support to install on simple encrypted partition without jumping through manual encrypted LVM creation hoops. Given demand, it should really be exposed as check box on top level partition proposal.

Encryption + LVM is a 'top level partition proposal' already
https://openqa.opensuse.org/tests/103311/modules/partitioning_lvm/steps/2

It's Encryption without LVM which we need to be at the same level of availability in order to support the Boot-To-Snapshot feature.

This is easier said than done - I can imagine the screams of yast-storage developers the second they read that people are suggesting changes to the storage proposal algorithms :) and there are actually a number of dependencies that prevent it from being as simple as you make out here

For starters, grub can only boot an encrypted btrfs root if the disk has a GPT disk label, not MSDOS

YaST's simple partitioner does not change with the disk label type by default, so whatever implementation would have to probe the disk more aggressively than currently, possibly change the disk more aggressively than currently, possibly offer the user more options than currently..all the while trying to be nice and 'simple' for people to use

Meanwhile, it's simpler to say 'YaST doesn't really do that' but at least I can now add "but you can do it manually in the advanced partitioner if you know what you're doing" :)
06.12.2015 15:47, Richard Brown wrote:
> My facts are correct, but were not necessarily totally complete ;)
>
> It's been pointed out to me that in fact you can, in the advanced partitioner only, set a btrfs root filesystem to encrypted and Grub2 will be able to boot it.

Really? That's news to me. Last time I looked into it it was not possible to tell YaST to create filesystem on encrypted partition. I need to download latest snapshot again. It's good if it has been fixed.

> I did not know that..probably because it isn't clearly documented anywhere and the LVM+Crypt method is the one we DO have documented, is obvious in YaST, and is what we recommend and test for everyone because it's documented and obvious in YaST ;) My facts are 'true' from the perspective of what is generally accepted as the 'supported' mechanism for full-disk-encryption in openSUSE.

You stated that having /boot/grub on encrypted container was not possible. That is what I replied to. Not the ability to install everything else encrypted.

>> Installing on encrypted LVM has been possible for quite some time (and a lot of people do it and we even fix bug reports related to it). What is missing is easy to use YaST support to install on simple encrypted partition without jumping through manual encrypted LVM creation hoops. Given demand, it should really be exposed as check box on top level partition proposal.
>
> Encryption + LVM is a 'top level partition proposal' already https://openqa.opensuse.org/tests/103311/modules/partitioning_lvm/steps/2

Good. So we finally have it. Of course, using LVM just adds yet another layer of complication for those people who do not need it.

> It's Encryption without LVM which we need to be at the same level of availability in order to support the Boot-To-Snapshot feature.

Sorry? And why exactly is Boot-To-Snapshot not possible using encrypted LVM, i.e. what we have today?

> This is easier said than done - I can imagine the screams of yast-storage developers the second they read that people are suggesting changes to the storage proposal algorithms :) and there are actually a number of dependencies that prevent it from being as simple as you make out here

Where have I said it is simple to implement?

> For starters, grub can only boot an encrypted btrfs root if the disk has a GPT disk label, not MSDOS

Oh, really? Or do you again mean "YaST allows it only in GPT"? Because GRUB2 obviously has no issues doing it on MSDOS.

> YaST's simple partitioner does not change with the disk label type by default, so whatever implementation would have to probe the disk more aggressively than currently, possibly change the disk more aggressively than currently, possibly offer the user more options than currently..all the while trying to be nice and 'simple' for people to use
>
> Meanwhile, it's simpler to say 'YaST doesn't really do that' but at least I can now add "but you can do it manually in the advanced partitioner if you know what you're doing" :)
On 6 December 2015 at 13:59, Andrei Borzenkov <arvidjaar@gmail.com> wrote:
> 06.12.2015 15:47, Richard Brown wrote:
>> My facts are correct, but were not necessarily totally complete ;)
>>
>> It's been pointed out to me that in fact you can, in the advanced partitioner only, set a btrfs root filesystem to encrypted and Grub2 will be able to boot it.
>
> Really? That's news to me. Last time I looked into it it was not possible to tell YaST to create filesystem on encrypted partition. I need to download latest snapshot again. It's good if it has been fixed.
>
>> I did not know that..probably because it isn't clearly documented anywhere and the LVM+Crypt method is the one we DO have documented, is obvious in YaST, and is what we recommend and test for everyone because it's documented and obvious in YaST ;) My facts are 'true' from the perspective of what is generally accepted as the 'supported' mechanism for full-disk-encryption in openSUSE.
>
> You stated that having /boot/grub on encrypted container was not possible. That is what I replied to. Not the ability to install everything else encrypted.

I stated a few things - I stated that /boot/grub on an encrypted container was not possible, yes - and this is true - the default/readily available LVM+Crypt solution created by YaST has a separate, unencrypted /boot. The fact you can do something differently manually is a fair point, but what I said was certainly true from the 'this is what YaST does for you' perspective :)

I also stated that boot-to-snapshot is not useful/possible when grub (/boot) is in a different partition than the / root filesystem - this is also true, and because our readily available LVM+crypt option has a separate /boot, this renders boot-to-snapshot with LVM+Crypt both broken and useless.

>>> Installing on encrypted LVM has been possible for quite some time (and a lot of people do it and we even fix bug reports related to it). What is missing is easy to use YaST support to install on simple encrypted partition without jumping through manual encrypted LVM creation hoops. Given demand, it should really be exposed as check box on top level partition proposal.
>>
>> Encryption + LVM is a 'top level partition proposal' already https://openqa.opensuse.org/tests/103311/modules/partitioning_lvm/steps/2
>
> Good. So we finally have it. Of course, using LVM just adds yet another layer of complication for those people who do not need it.

We've had it since openSUSE 11.2, there is nothing 'finally' about it.
It was implemented in 2009 as Feature #305633 https://features.opensuse.org/305633
I've been ticking the tickbox for it in YaST and using it on all of my laptops since at least 11.4

>> It's Encryption without LVM which we need to be at the same level of availability in order to support the Boot-To-Snapshot feature.
>
> Sorry? And why exactly is Boot-To-Snapshot not possible using encrypted LVM, i.e. what we have today?

Because of the reasons I've already explained - Boot To Snapshot makes no practical sense when /boot is separate from /, and in the case of /boot is separate from an encrypted / held in an LVM group, Grub cannot read any of the snapshots in the encrypted LVM group, and therefore Boot To Snapshot is not just useless, but broken.

> Oh, really? Or do you again mean "YaST allows it only in GPT"? Because GRUB2 obviously has no issues doing it on MSDOS.

In order to do btrfs + encryption with a root filesystem, Grub requires the additional space available in a GPT partition table type, in order to install a second stage loader which makes it possible to decrypt the encrypted btrfs filesystem

I've been told this by SUSE's Senior Architect for SLES, who knows more about this stuff in his little finger than anyone else I know, so if he says that you require GPT in order to do (non-LVM) btrfs with Encryption, then I absolutely trust what he says to be true.
06.12.2015 16:14, Richard Brown wrote:
> I've been told this by SUSE's Senior Architect for SLES, who knows more about this stuff in his little finger than anyone else I know, so if he says that you require GPT in order to do (non-LVM) btrfs with Encryption, then I absolutely trust what he says to be true.

I just installed TW with a single encrypted partition containing single / on btrfs on MSDOS partition table. I am asked by GRUB to provide passphrase to be able to boot at all, and I am able to select read-only snapshots and boot from them. I used YaST for it.

What am I doing wrong?

P.S. I thought it was technical list, where people are expected to provide technical arguments, not refer to His Highness Senior Architect.

P.P.S. The word "SUSE" probably means that all bets for me are off and I am wrong by definition because I do not belong to "SUSE".
On Sunday 06 December 2015 17.23:58 Andrei Borzenkov wrote:
> I just installed TW with a single encrypted partition containing single / on btrfs on MSDOS partition table. I am asked by GRUB to provide passphrase to be able to boot at all, and I am able to select read-only snapshots and boot from them. I used YaST for it.
>
> What am I doing wrong?
>
> P.S. I thought it was technical list, where people are expected to provide technical arguments, not refer to His Highness Senior Architect.
>
> P.P.S. The word "SUSE" probably means that all bets for me are off and I am wrong by definition because I do not belong to "SUSE".

Okay so finally (except the Pandora b branch on this thread) we move forward.

If GPT is mandatory, I don't care that much, any new computer will need GPT for UEFI anyway.

Richard, thanks for the point about the grub+init, I've forgotten those, I was sure we can have a root=subvol@id to point to a ro snapshot. but yes if grub itself is broken by an update (I wonder how it can happen right ? :-)

I will try to get this kind of setup on a vm before making it real on my future lappy.

Thanks Richard, Andrei for those interesting inputs.

--
Bruno Friedmann
openSUSE Member & Board, fsfe fellowship
GPG KEY : D5C9B751C4653227
irc: tigerfoot
06.12.2015 18:09, Bruno Friedmann wrote:
> Okay so finally (except the Pandora b branch on this thread) we move forward.
>
> If GPT is mandatory, I don't care that much, any new computer will need GPT for UEFI anyway.
>
> Richard, thanks for the point about the grub+init, I've forgotten those, I was sure we can have a root=subvol@id to point to a ro snapshot. but yes if grub itself is broken by an update (I wonder how it can happen right ? :-)

Actually GRUB itself is exempted from snapshots; which is the exact reason for /boot/grub/i386-pc and /boot/grub/x86_64-efi volumes (as we learned recently we do have 64 bit systems with 32 bit firmware so i386-efi is missing). What is snapshotted is grub.cfg.

> I will try to get this kind of setup on a vm before making it real on my future lappy.

The challenge is to be able to check "Encrypt partition". It appears completely random whether checkbox is active or not and I cannot see any pattern when YaST allows it.

Oh, and you must use LVM, YaST won't allow filesystem on encrypted partition directly (or better it won't ever allow checking Encrypt when usage is filesystem).

> Thanks Richard, Andrei for those interesting inputs.
On Sunday 06 December 2015 19.49:12 Andrei Borzenkov wrote:
> 06.12.2015 18:09, Bruno Friedmann wrote:
>> Okay so finally (except the Pandora b branch on this thread) we move forward.
>>
>> If GPT is mandatory, I don't care that much, any new computer will need GPT for UEFI anyway.
>>
>> Richard, thanks for the point about the grub+init, I've forgotten those, I was sure we can have a root=subvol@id to point to a ro snapshot. but yes if grub itself is broken by an update (I wonder how it can happen right ? :-)
>
> Actually GRUB itself is exempted from snapshots; which is the exact reason for /boot/grub/i386-pc and /boot/grub/x86_64-efi volumes (as we learned recently we do have 64 bit systems with 32 bit firmware so i386-efi is missing). What is snapshotted is grub.cfg.

and the rest of /boot I guess, otherwise kernel and initrd are simply lost, no?

>> I will try to get this kind of setup on a vm before making it real on my future lappy.
>
> The challenge is to be able to check "Encrypt partition". It appears completely random whether checkbox is active or not and I cannot see any pattern when YaST allows it.
>
> Oh, and you must use LVM, YaST won't allow filesystem on encrypted partition directly (or better it won't ever allow checking Encrypt when usage is filesystem).

If I have to use LVM + luks then I stick with ext4, this has worked nicely for more than 6 years now ... With some trick, snapshots are available ...

I've read that it could be possible to prepare the disk so no big yast involvement. But at term, the idea is to make it work, so by default for roaming users with sensitive data we have something ready to use.

ps : Please respond only to the mailing list. no need to have a second copy ;-) I don't care whether this is possible or not for gmail ...

--
Bruno Friedmann
openSUSE Member & Board, fsfe fellowship
GPG KEY : D5C9B751C4653227
irc: tigerfoot
2015-12-06 16:57 GMT-03:00 Bruno Friedmann <bruno@ioda-net.ch>:
> If I have to use LVM + luks then I stick with ext4, this has worked nicely for more than 6 years now ... With some trick, snapshots are available ...
>
> I've read that it could be possible to prepare the disk so no big yast involvement. But at term, the idea is to make it work, so by default for roaming users with sensitive data we have something ready to use.
>
> ps : Please respond only to the mailing list. no need to have a second copy ;-) I don't care whether this is possible or not for gmail ...

I got similar problems with Opensuse 13.2 on the SDB1 HD partition, and Leap 42.1 on the SDA1 HD partition, using the same home on the sdb2 partition.

I used a dirty trick Opensuse 13.2 to resolve this:

Running Leap 42.1 on the sda1, I mounted the sdb1 on /mnt, and copied the principal section of Opensuse 13.2 from the file /boot/grub/grub.cfg (sdb1 hd) inside the file /etc/grub.d/40_custom (sda1 hd)

Then the last file looks like this:

#!/bin/sh
exec tail -n +3 $0
# This file provides an easy way to add custom menu entries. Simply type the
# menu entries you want to add after this comment. Be careful not to change
# the 'exec tail' line above.
# Opensuse 13.2
menuentry 'openSUSE 13.2' --class opensuse --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-simple-d829a0d3-2166-4a6c-8836-0cba393b74a1' {
    load_video
    set gfxpayload=keep
    insmod gzio
    insmod part_msdos
    insmod btrfs
    set root='hd0,msdos1'
    if [ x$feature_platform_search_hint = xy ]; then
        search --no-floppy --fs-uuid --set=root --hint-bios=hd1,msdos1 --hint-efi=hd1,msdos1 --hint-baremetal=ahci1,msdos1 --hint='hd0,msdos1' d829a0d3-2166-4a6c-8836-0cba393b74a1
    else
        search --no-floppy --fs-uuid --set=root d829a0d3-2166-4a6c-8836-0cba393b74a1
    fi
    echo 'Cargando Linux 3.16.7-29-desktop...'
    linux /boot/vmlinuz-3.16.7-29-desktop root=UUID=d829a0d3-2166-4a6c-8836-0cba393b74a1 ${extra_cmdline} resume=/dev/disk/by-uuid/b72cc926-db3a-427b-8aad-bdc1e812bb6b splash=silent quiet showopts
    echo 'Cargando imagen de memoria inicial...'
    initrd /boot/initrd-3.16.7-29-desktop
}

After this file edit, I executed: "grub2-mkconfig -o /boot/grub2/grub.cfg"

This trick works ok, but has the problem that if I upgrade the kernel on opensuse 13.2, it will not work until I make this trick again.

Regards,
Juan
On 12/06/2015 03:50 PM, Juan Erbes wrote:
> I used a dirty trick Opensuse 13.2 to resolve this:
>
> Running Leap 42.1 on the sda1, I mounted the sdb1 on /mnt, and copied the principal section of Opensuse 13.2 from the file /boot/grub/grub.cfg (sdb1 hd) inside the file /etc/grub.d/40_custom (sda1 hd)

I'm doing it differently.

I use the grub "configfile" command to run the "grub.cfg" from the other linux. So 40_custom for Leap 42.1 has a few lines to boot 13.2:

--- cut here ---
### Entry to boot opensuse 13.2 on sdb2
menuentry "configfile for opensuse 13.2 on /dev/sdb2" {
    set bootdir='hd2,gpt2'
    search --fs-uuid --set=bootdir 7668845f-5c7e-4fc7-93b2-ddd398765b2e
    configfile (${bootdir})/boot/grub2/grub.cfg
}
--- cut here ---

It searches by UUID to find the partition. Then loads the "grub.cfg" using "configfile".

The downside is that this uses two menu screens. On the plus side, it is fine with kernel updates, because it is loading the "grub.cfg" which has already been updated for the new kernel.
2015-12-06 19:36 GMT-03:00 Neil Rickert <nrickert@ameritech.net>:
> It searches by UUID to find the partition. Then loads the "grub.cfg" using "configfile".
>
> The downside is that this uses two menu screens. On the plus side, it is fine with kernel updates, because it is loading the "grub.cfg" which has already been updated for the new kernel.

Thank You!

I said "a dirty method". With no kernel updates on the older system, it works ok.

I will try Your method with time.

Regards,
Juan
Hi,

On Sat, Dec 05, Richard Brown wrote:
> On 5 December 2015 at 19:50, Bruno Friedmann <bruno@ioda-net.ch> wrote:
>> What kind of effort can we make to have grub2 ask for the luks keypass when starting, and then be able to decrypt the snapshots ...
>
> Can't be done
>
> In order for Boot to Snapshot to work, Grub needs to be able to read /.snapshots on the root filesystem - this is where the snapshots are stored after all
>
> Grub can't do that if / is encrypted - The only way that would be theoretically possible is if you instructed Grub to decrypt root BEFORE showing you the boot menu (this is an option I've seen done in the past)

Ok, since I already told Richard that I don't think that his analysis is fully correct, here now a short description how to setup btrfs, snapshots and rollback with full root filesystem encryption on openSUSE Leap 42.1:

- Use GPT disk label
- In the partitioner, select encrypted LVM, btrfs for the root filesystem and make sure that the snapshot checkbox is activated.
- Install.

To do the rollback: Select the appropriate snapshot in the grub2 menu or call "snapper rollback <id>" on the commandline. Both work.

And yes, due to old legacy code, it is currently not possible to do this without LVM. But we will work on this.

Thorsten

--
Thorsten Kukuk, Senior Architect SLES & Common Code Base
SUSE LINUX GmbH, Maxfeldstr. 5, 90409 Nuernberg, Germany
GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)
17.12.2015 15:55, Thorsten Kukuk wrote:
> Ok, since I already told Richard that I don't think that his analysis is fully correct, here now a short description how to setup btrfs, snapshots and rollback with full root filesystem encryption on openSUSE Leap 42.1:
>
> - Use GPT disk label

Why is it required?

> - In the partitioner, select encrypted LVM, btrfs for the root filesystem and make sure that the snapshot checkbox is activated.
> - Install.

OK, so *if* YaST detects pre-existing GPT label it indeed creates single encrypted volume without separate /boot partition.

Unfortunately there is no way to say 'I want GPT label' on partitioner proposal; it defaults to MSDOS (at least for conventionally sized HDDs) and as soon as you change it in expert settings all proposed encrypted configuration is lost.

If you insist on having GPT it should be integrated in main proposal, otherwise most users won't be even aware that it is possible. Of course much more simple would be to drop GPT requirement here.
Hi Thorsten, On 17 December 2015 at 12:55, Thorsten Kukuk <kukuk@suse.de> wrote:
Ok, since I already told Richard that I don't think that his analysis is fully correct, here now a short description how to setup btrfs, snapshots and rollback with full root filesystem encryption on openSUSE Leap 42.1:
- Use GPT disk label - In the partitioner, select encrypted LVM, btrfs for the root filesystem and make sure that the snapshot checkbox is activated. - Install.
To do the rollback: Select the appropriate snapshot in the grub2 menu or call "snapper rollback <id>" on the commandline. Both work.
And yes, due to old legacy code, it is currently not possible to do this without LVM. But we will work on this.
Thorsten
Thank you for the feedback, but I'm very disappointed to report that even following your instructions to the letter, the resulting system does not have Boot to Snapshot working
The steps I took are as follows
First - started with a nice blank disk (dd if=/dev/zero to wipe it all out)
Gave it a GPT partition table
Confirmed the GPT partition table with parted -l
    Model: ATA SanDisk SD7SB3Q2 (scsi)
    Disk /dev/sda: 256GB
    Sector size (logical/physical): 512B/512B
    Partition Table: gpt
Booted from a USB stick - tested with both Leap 42.1 and Tumbleweed
In the partitioner, I clicked on encrypted LVM, btrfs for the root filesystem, and snapshots were ticked
This results in a system with the following partition configuration
    /dev/sda1 156MB FAT mounted as /boot/efi
    /dev/sda2 400MB btrfs mounted as /boot
    /dev/sda3 237.93GB LVM
    /dev/system LVM Volume Group
    /dev/system/root 40GB btrfs mounted as /
    /dev/system/swap 2GB swap
I then installed as normal, nothing fancy, GNOME picked as DE, nothing else customised
To do the rollback, I CANNOT select *any* snapshot on the grub2 menu, there is no Grub Menu item for "Boot to Read Only Snapshot"
I can either boot the OS, or pick advanced Options, no chance for using Boot to Snapshot
Snapper IS working, if I boot the system I can use snapper to rollback just fine, but that is no good if the problem is one which would necessitate the use of the Boot to Snapshot feature.
I want to file a bug about this, obviously, but if you could please indicate either what I did wrong, or where you think the flaw might be so I can narrow down the focus of the bug and provide detailed information on the areas of suspicion
Right now, my experience in this area leads me to believe that Boot to Snapshot just downright does-not-work when LVM encryption is used.
I realise this is contrary to your instructions above, but I do have a machine right in front of me now that seems to confirm my past experiences..
17.12.2015 22:08, Richard Brown wrote:
Hi Thorsten,
On 17 December 2015 at 12:55, Thorsten Kukuk <kukuk@suse.de> wrote:
Ok, since I already told Richard that I don't think that his analysis is fully correct, here now a short description how to setup btrfs, snapshots and rollback with full root filesystem encryption on openSUSE Leap 42.1:
- Use GPT disk label - In the partitioner, select encrypted LVM, btrfs for the root filesystem and make sure that the snapshot checkbox is activated. - Install.
To do the rollback: Select the appropriate snapshot in the grub2 menu or call "snapper rollback <id>" on the commandline. Both work.
And yes, due to old legacy code, it is currently not possible to do this without LVM. But we will work on this.
Thorsten
Thank you for the feedback, but I'm very disappointed to report that even following your instructions to the letter, the resulting system does not have Boot to Snapshot working
The steps I took are as follows
First - started with a nice blank disk (dd if=/dev/zero to wipe it all out) Gave it a GPT partition table Confirmed the GPT partition table with parted -l
Model: ATA SanDisk SD7SB3Q2 (scsi) Disk /dev/sda: 256GB Sector size (logical/physical): 512B/512B Partition Table: gpt
Booted from a USB stick - tested with both Leap 42.1 and Tumbleweed In the partitioner, I clicked on encrypted LVM, btrfs for the root filesystem, and snapshots were ticked This results in a system with the following partition configuration /dev/sda1 156MB FAT mounted as /boot/efi /dev/sda2 400MB btrfs mounted as /boot
That's different from legacy BIOS
/dev/sda3 237.93GB LVM /dev/system LVM Volume Group /dev/system/root 40GB btrfs mounted as / /dev/system/swap 2GB swap
I then installed as normal, nothing fancy, GNOME picked as DE, nothing else customised
To do the rollback, I CANNOT select *any* snapshot on the grub2 menu, there is no Grub Menu item for "Boot to Read Only Snapshot"
I can either boot the OS, or pick advanced Options, no chance for using Boot to Snapshot
Snapper IS working, if I boot the system I can use snapper to rollback just fine, but that is no good if the problem is one which would necessitate the use of the Boot to Snapshot feature.
I want to file a bug about this, obviously, but if you could please indicate either what I did wrong, or where you think the flaw might be so I can narrow down the focus of the bug and provide detailed information on the areas of suspicion
Try legacy BIOS with disk labeled as GPT before running installer.
Right now, my experience in this area leads me to believe that Boot to Snapshot just downright does-not-work when LVM encryption is used.
It works on legacy BIOS.
I realise this is contrary to your instructions above, but I do have a machine right in front of me now that seems to confirm my past experiences..
Hi Richard, On Thu, Dec 17, Richard Brown wrote:
Hi Thorsten,
On 17 December 2015 at 12:55, Thorsten Kukuk <kukuk@suse.de> wrote:
Ok, since I already told Richard that I don't think that his analysis is fully correct, here now a short description how to setup btrfs, snapshots and rollback with full root filesystem encryption on openSUSE Leap 42.1:
- Use GPT disk label - In the partitioner, select encrypted LVM, btrfs for the root filesystem and make sure that the snapshot checkbox is activated. - Install.
To do the rollback: Select the appropriate snapshot in the grub2 menu or call "snapper rollback <id>" on the commandline. Both work.
And yes, due to old legacy code, it is currently not possible to do this without LVM. But we will work on this.
Thorsten
Thank you for the feedback, but I'm very disappointed to report that even following your instructions to the letter, the resulting system does not have Boot to Snapshot working
The steps I took are as follows
First - started with a nice blank disk (dd if=/dev/zero to wipe it all out) Gave it a GPT partition table Confirmed the GPT partition table with parted -l
Model: ATA SanDisk SD7SB3Q2 (scsi) Disk /dev/sda: 256GB Sector size (logical/physical): 512B/512B Partition Table: gpt
Booted from a USB stick - tested with both Leap 42.1 and Tumbleweed In the partitioner, I clicked on encrypted LVM, btrfs for the root filesystem, and snapshots were ticked This results in a system with the following partition configuration /dev/sda1 156MB FAT mounted as /boot/efi /dev/sda2 400MB btrfs mounted as /boot
Why is there a /boot partition? I don't get that on my testsystem in the office. Of course, with an extra /boot partition, this will not work. Independent of, if LVM is encrypted or not.
Thorsten
-- Thorsten Kukuk, Senior Architect SLES & Common Code Base SUSE LINUX GmbH, Maxfeldstr. 5, 90409 Nuernberg, Germany GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)
On 12/17/2015 02:48 PM, Thorsten Kukuk wrote:
Hi Richard,
On Thu, Dec 17, Richard Brown wrote:
Hi Thorsten,
On 17 December 2015 at 12:55, Thorsten Kukuk <kukuk@suse.de> wrote:
Ok, since I already told Richard that I don't think that his analysis is fully correct, here now a short description how to setup btrfs, snapshots and rollback with full root filesystem encryption on openSUSE Leap 42.1:
- Use GPT disk label - In the partitioner, select encrypted LVM, btrfs for the root filesystem and make sure that the snapshot checkbox is activated. - Install.
To do the rollback: Select the appropriate snapshot in the grub2 menu or call "snapper rollback <id>" on the commandline. Both work.
And yes, due to old legacy code, it is currently not possible to do this without LVM. But we will work on this.
Thorsten
Thank you for the feedback, but I'm very disappointed to report that even following your instructions to the letter, the resulting system does not have Boot to Snapshot working
The steps I took are as follows
First - started with a nice blank disk (dd if=/dev/zero to wipe it all out) Gave it a GPT partition table Confirmed the GPT partition table with parted -l
Model: ATA SanDisk SD7SB3Q2 (scsi) Disk /dev/sda: 256GB Sector size (logical/physical): 512B/512B Partition Table: gpt
Booted from a USB stick - tested with both Leap 42.1 and Tumbleweed In the partitioner, I clicked on encrypted LVM, btrfs for the root filesystem, and snapshots were ticked This results in a system with the following partition configuration /dev/sda1 156MB FAT mounted as /boot/efi /dev/sda2 400MB btrfs mounted as /boot
Why is there a /boot partition? I don't get that on my testsystem in the office. Of course, with an extra /boot partition, this will not work. Independent of, if LVM is encrypted or not.
Thorsten
I agree. Having a separate /boot partition is the problem. When BTRFS was first released for testing we had to create a separate /boot partition. It is no longer needed.
Cheers!
Roman
On 17 December 2015 at 19:48, Thorsten Kukuk <kukuk@suse.de> wrote:
Hi Richard,
On Thu, Dec 17, Richard Brown wrote:
Hi Thorsten,
On 17 December 2015 at 12:55, Thorsten Kukuk <kukuk@suse.de> wrote:
Ok, since I already told Richard that I don't think that his analysis is fully correct, here now a short description how to setup btrfs, snapshots and rollback with full root filesystem encryption on openSUSE Leap 42.1:
- Use GPT disk label - In the partitioner, select encrypted LVM, btrfs for the root filesystem and make sure that the snapshot checkbox is activated. - Install.
To do the rollback: Select the appropriate snapshot in the grub2 menu or call "snapper rollback <id>" on the commandline. Both work.
And yes, due to old legacy code, it is currently not possible to do this without LVM. But we will work on this.
Thorsten
Thank you for the feedback, but I'm very disappointed to report that even following your instructions to the letter, the resulting system does not have Boot to Snapshot working
The steps I took are as follows
First - started with a nice blank disk (dd if=/dev/zero to wipe it all out) Gave it a GPT partition table Confirmed the GPT partition table with parted -l
Model: ATA SanDisk SD7SB3Q2 (scsi) Disk /dev/sda: 256GB Sector size (logical/physical): 512B/512B Partition Table: gpt
Booted from a USB stick - tested with both Leap 42.1 and Tumbleweed In the partitioner, I clicked on encrypted LVM, btrfs for the root filesystem, and snapshots were ticked This results in a system with the following partition configuration /dev/sda1 156MB FAT mounted as /boot/efi /dev/sda2 400MB btrfs mounted as /boot
Why is there a /boot partition? I don't get that on my testsystem in the office. Of course, with an extra /boot partition, this will not work. Independent of, if LVM is encrypted or not.
It's there because YaST put it there :)
Andrei's advice was correct, repeating the same steps (fresh gpt label on disk > click on LVM + encryption with btrfs + snapshot) with my system set to use Legacy BIOS results in a system with a BIOS/Grub partition and an LVM group that contains root and swap
This differs from my previously reported UEFI results where YaST produces a setup with /boot/efi, /boot, and an LVM group containing root and swap
This (incorrect?) setup is the only proposal available with LVM+Encryption when booting UEFI, regardless of SecureBoot or not
Collecting logs and such for a decent bug report now - thanks to all for the advice that has helped narrow this down
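An added example, not part of any post in this thread: a shell check for the three conditions the thread names (root on btrfs, no separate /boot mount, SUSE_BTRFS_SNAPSHOT_BOOTING=true in /etc/default/grub). The function names and result labels are hypothetical, and the sample layout is constructed from Richard's UEFI report.

```shell
#!/bin/sh
# Added example (not from the thread): explain why the GRUB2 snapshot
# entries may be missing, using the three conditions the thread names.
# Usage: check_snapshot_boot [mounts-file] [grub-defaults-file]
check_snapshot_boot() {
    mounts=${1:-/proc/mounts}
    grubdef=${2:-/etc/default/grub}
    problems=""

    # Filesystem type of /; the last entry wins if / is listed twice.
    rootfs=$(awk '$2 == "/" { t = $3 } END { print t }' "$mounts")
    [ "$rootfs" = "btrfs" ] || problems="$problems root-not-btrfs"

    # Exact match on /boot only: /boot/efi (the ESP) is expected on UEFI.
    # Per Thorsten, an extra /boot partition prevents boot-to-snapshot.
    if awk '$2 == "/boot" { found = 1 } END { exit !found }' "$mounts"; then
        problems="$problems separate-boot"
    fi

    # The setting Andrei pointed at; quotes around the value are optional.
    pattern="^[[:space:]]*SUSE_BTRFS_SNAPSHOT_BOOTING=[\"']?true[\"']?[[:space:]]*\$"
    if ! grep -Eq "$pattern" "$grubdef" 2>/dev/null; then
        problems="$problems snapshot-booting-not-enabled"
    fi

    if [ -z "$problems" ]; then
        echo "ok"
        return 0
    fi
    echo "${problems# }"
    return 1
}

# Constructed sample: the UEFI layout Richard reported, written in
# /proc/mounts format (device names and mount options are assumptions).
demo_uefi_layout() {
    dir=$(mktemp -d) || return 2
    cat > "$dir/mounts" <<'EOF'
/dev/mapper/system-root / btrfs rw,relatime 0 0
/dev/sda2 /boot btrfs rw,relatime 0 0
/dev/sda1 /boot/efi vfat rw,relatime 0 0
EOF
    echo 'SUSE_BTRFS_SNAPSHOT_BOOTING="true"' > "$dir/grub"
    status=0
    check_snapshot_boot "$dir/mounts" "$dir/grub" || status=$?
    rm -rf "$dir"
    return "$status"
}
```

On a live system, calling `check_snapshot_boot` with no arguments reads /proc/mounts and /etc/default/grub.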
On 12/17/2015 03:44 PM, Richard Brown wrote:
On 17 December 2015 at 19:48, Thorsten Kukuk <kukuk@suse.de> wrote:
Hi Richard,
On Thu, Dec 17, Richard Brown wrote:
Hi Thorsten,
On 17 December 2015 at 12:55, Thorsten Kukuk <kukuk@suse.de> wrote:
Ok, since I already told Richard that I don't think that his analysis is fully correct, here now a short description how to setup btrfs, snapshots and rollback with full root filesystem encryption on openSUSE Leap 42.1:
- Use GPT disk label - In the partitioner, select encrypted LVM, btrfs for the root filesystem and make sure that the snapshot checkbox is activated. - Install.
To do the rollback: Select the appropriate snapshot in the grub2 menu or call "snapper rollback <id>" on the commandline. Both work.
And yes, due to old legacy code, it is currently not possible to do this without LVM. But we will work on this.
Thorsten
Thank you for the feedback, but I'm very disappointed to report that even following your instructions to the letter, the resulting system does not have Boot to Snapshot working
The steps I took are as follows
First - started with a nice blank disk (dd if=/dev/zero to wipe it all out) Gave it a GPT partition table Confirmed the GPT partition table with parted -l
Model: ATA SanDisk SD7SB3Q2 (scsi) Disk /dev/sda: 256GB Sector size (logical/physical): 512B/512B Partition Table: gpt
Booted from a USB stick - tested with both Leap 42.1 and Tumbleweed In the partitioner, I clicked on encrypted LVM, btrfs for the root filesystem, and snapshots were ticked This results in a system with the following partition configuration /dev/sda1 156MB FAT mounted as /boot/efi /dev/sda2 400MB btrfs mounted as /boot
Why is there a /boot partition? I don't get that on my testsystem in the office. Of course, with an extra /boot partition, this will not work. Independent of, if LVM is encrypted or not.
It's there because YaST put it there :)
Andrei's advice was correct, repeating the same steps (fresh gpt label on disk > click on LVM + encryption with btrfs + snapshot) with my system set to use Legacy BIOS results in a system with a BIOS/Grub partition and an LVM group that contains root and swap
This differs from my previously reported UEFI results where YaST produces a setup with /boot/efi, /boot, and an LVM group containing root and swap
This (incorrect?) setup is the only proposal available with LVM+Encryption when booting UEFI, regardless of SecureBoot or not
Collecting logs and such for a decent bug report now - thanks to all for the advice that has helped narrow this down
When I use expert partitioning I never follow Yast. I add everything manually. ;-)
Good luck!
Roman
Thorsten Kukuk wrote:
On Thu, Dec 17, Richard Brown wrote: [...]
Booted from a USB stick - tested with both Leap 42.1 and Tumbleweed In the partitioner, I clicked on encrypted LVM, btrfs for the root filesystem, and snapshots were ticked This results in a system with the following partition configuration /dev/sda1 156MB FAT mounted as /boot/efi /dev/sda2 400MB btrfs mounted as /boot
Why is there a /boot partition? I don't get that on my testsystem in the office. Of course, with an extra /boot partition, this will not work. Independent of, if LVM is encrypted or not.
When / is encrypted one needs a plain /boot partition so the boot loader can load the kernel and initrd. Otherwise the kernel would be within the encrypted partition ie unreachable for grub.
Also, all snapshots are obviously within the encrypted partition. So grub cannot access them. Therefore with the current way of doing things I fail to see how one can have both encryption and a list of snapshots in grub.
cu
Ludwig
-- Ludwig Nussel, http://www.suse.com/ SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)
18.12.2015 15:40, Ludwig Nussel wrote:
When / is encrypted one needs a plain /boot partition so the boot loader can load the kernel and initrd.
Which bootloader? LILO?
Otherwise the kernel would be within the encrypted partition ie unreachable for grub.
You do not even support grub anymore. How is it relevant? OK, arm port decided to use U-Boot directly, so for them it remains an issue, indeed.
Also, all snapshots are obviously within the encrypted partition. So grub cannot access them. Therefore with the current way of doing things I fail to see how one can have both encryption and a list of snapshots in grub.
If you fail to see it after this thread I give up.
participants (14)
- Andrei Borzenkov
- Basil Chupin
- Bruno Friedmann
- Juan Erbes
- Ludwig Nussel
- Martin Pluskal
- Neil Rickert
- Oliver Kurz
- Richard Brown
- Robby Engelmann
- Roman Bysh
- Thorsten Kukuk
- Tomáš Chvátal
- Yamaban