[opensuse] Fresh 13.2 install fail - two problems - help please
Howdy...
:~> uname -a
Linux msbmainhp.site 3.11.10-21-desktop #1 SMP PREEMPT Mon Jul 21 15:28:46 UTC 2014 (9a9565d) x86_64 x86_64 x86_64 GNU/Linux
Tried to do an install of 13.2 from DVD and I had a fail. I did a new/fresh install as I wanted to try the new btrfs/xfs default file systems.
Problem #1: Install procedure almost completed but failed when it tried to install the bootloader. The pop-up box message was: "An error occurred during boot loader installation. Retry boot loader configuration? Yes No"
I played around with the configuration, changed the bootloader location from MBR where it had defaulted to and moved it to the Extended Partition (where my current 13.1 bootloader resides), tried setting the Active Flag (it was not already set), tried Write generic Boot Code to MBR (it was not already set), etc., but no go, same message. So then I just answered NO and the install finished, system rebooted, and my old 13.1 bootloader appeared. All my various existing OS boots were there but no 13.2 option.
Problem #2: I booted into 13.1 and looked at the new 13.2 btrfs and xfs partitions. The btrfs looks fine, or at least I can browse what's in there. The xfs partition, though, appears broken. I had LUKS encrypted it during the install/format process but when I try to mount I get the familiar bad old message about:
"Error mounting /dev/dm-2 at /run/media/(..snip..): Command-line `mount -t "xfs" -o "uhelper=udisks2,nodev,nosuid" "/dev/dm-2" "/run/media/(..snip..)"' exited with non-zero exit status 32: mount: wrong fs type, bad option, bad superblock on /dev/mapper/luks-5fd1dd43-e7fc-(..snip..), missing codepage or helper program, or other error"
dmesg shows this additional interesting info:
[ 2227.799239] XFS (dm-2): Version 5 superblock detected. This kernel has EXPERIMENTAL support enabled! Use of these features in this kernel is at your own risk!
[ 2227.799246] XFS (dm-2): Superblock has unknown incompatible features (0x1) enabled. Filesystem can not be safely mounted by this kernel.
I tried "xfs_repair -n" (from 13.1) on all 3 possibilities: the normal device (/dev/sdb8), the dm device number shown in the above message (dm-2), and the mapper device also in the above message (/dev/mapper/luks-5fd1dd43-e7fc-(..snip..)) but it just goes off hunting endlessly for an alternate superblock.
Any ideas, anyone? Keep it simple as I'm just a simple user. Thanks in advance!
Ralph
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
On Sat, 8 Nov 2014 05:45:29 -0600 listreader <suselist@cableone.net> wrote:
Howdy...
:~> uname -a Linux msbmainhp.site 3.11.10-21-desktop #1 SMP PREEMPT Mon Jul 21 15:28:46 UTC 2014 (9a9565d) x86_64 x86_64 x86_64 GNU/Linux
Tried to do an install of 13.2 from DVD and I had a fail. I did a new/fresh install as I wanted to try the new btrfs/xfs default file systems.
Problem #1: Install procedure almost completed but failed when it tried to install the bootloader. The pop-up box message was: "An error occurred during boot loader installation. Retry boot loader configuration? Yes No"
I played around with the configuration, changed the bootloader location from MBR where it had defaulted to and moved it to the Extended Partition (where my current 13.1 bootloader resides), tried setting the Active Flag (it was not already set), tried Write generic Boot Code to MBR (it was not already set), etc., but no go, same message. So then I just answered NO and the install finished, system rebooted, and my old 13.1 bootloader appeared. All my various existing OS boots were there but no 13.2 option.
fdisk -l output would be helpful. Is your btrfs on extended or primary partition?
[ 2227.799239] XFS (dm-2): Version 5 superblock detected. This kernel has EXPERIMENTAL support enabled! Use of these features in this kernel is at your own risk! [ 2227.799246] XFS (dm-2): Superblock has unknown incompatible features (0x1) enabled. Filesystem can not be safely mounted by this kernel.
I tried "xfs_repair -n" (from 13.1)
As message clearly indicates, filesystem has features that are not supported by your kernel version. Attempt to "fix" it using downlevel tools will simply destroy filesystem. You need newer kernel that is compatible with new filesystem features.
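The dmesg lines quoted above report a feature-mask check against the on-disk superblock. The following is an added example, not code from the thread, the kernel or xfsprogs: it reads the XFS version and incompatible-feature mask from a superblock sector and refuses to proceed when unknown bits are set. The sample sectors are constructed, and `supported_incompat` is an assumption the caller supplies for the tool or kernel in question.

```python
import struct

XFS_MAGIC = b"XFSB"            # sb_magicnum at offset 0
LUKS_MAGIC = b"LUKS\xba\xbe"   # LUKS header magic at offset 0
OFF_VERSIONNUM = 100           # sb_versionnum, big-endian u16 (low 4 bits = version)
OFF_FEAT_INCOMPAT = 216        # sb_features_incompat, big-endian u32 (v5 superblocks)


def build_superblock(version, incompat):
    """Constructed sample: a 512-byte sector with only the fields read below."""
    sb = bytearray(512)
    sb[0:4] = XFS_MAGIC
    # Upper bits of sb_versionnum are v4 feature flags; the value here is arbitrary.
    struct.pack_into(">H", sb, OFF_VERSIONNUM, 0xB4A0 | (version & 0xF))
    struct.pack_into(">I", sb, OFF_FEAT_INCOMPAT, incompat)
    return bytes(sb)


def inspect_superblock(sector, supported_incompat):
    """Return version and feature bits; flag bits outside supported_incompat."""
    if sector[:6] == LUKS_MAGIC:
        # The raw partition holds the LUKS header; the filesystem is only
        # visible through the opened /dev/mapper device.
        raise ValueError("LUKS header found: inspect the opened mapper device instead")
    if sector[:4] != XFS_MAGIC:
        raise ValueError("no XFS superblock magic at offset 0")
    (versionnum,) = struct.unpack_from(">H", sector, OFF_VERSIONNUM)
    version = versionnum & 0x000F
    incompat = 0
    if version >= 5:
        (incompat,) = struct.unpack_from(">I", sector, OFF_FEAT_INCOMPAT)
    unknown = incompat & ~supported_incompat & 0xFFFFFFFF
    return {
        "version": version,
        "incompat": incompat,
        "unknown": unknown,
        # Any unknown incompat bit means: do not mount, do not repair.
        "safe_to_touch": unknown == 0,
    }


if __name__ == "__main__":
    sector = build_superblock(version=5, incompat=0x1)
    # supported_incompat=0 models a tool that knows none of the v5 incompat bits.
    print(inspect_superblock(sector, supported_incompat=0x0))
```
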
On Sat, 8 Nov 2014 16:46:20 +0300 Andrei Borzenkov <arvidjaar@gmail.com> wrote:
Hello Andrei. Thanks for reply.
On Sat, 8 Nov 2014 05:45:29 -0600 listreader <suselist@cableone.net> wrote:
Howdy...
:~> uname -a Linux msbmainhp.site 3.11.10-21-desktop #1 SMP PREEMPT Mon Jul 21 15:28:46 UTC 2014 (9a9565d) x86_64 x86_64 x86_64 GNU/Linux
Tried to do an install of 13.2 from DVD and I had a fail. I did a new/fresh install as I wanted to try the new btrfs/xfs default file systems.
Problem #1: Install procedure almost completed but failed when it tried to install the bootloader. The pop-up box message was: "An error occurred during boot loader installation. Retry boot loader configuration? Yes No"
I played around with the configuration, changed the bootloader location from MBR where it had defaulted to and moved it to the Extended Partition (where my current 13.1 bootloader resides), tried setting the Active Flag (it was not already set), tried Write generic Boot Code to MBR (it was not already set), etc., but no go, same message. So then I just answered NO and the install finished, system rebooted, and my old 13.1 bootloader appeared. All my various existing OS boots were there but no 13.2 option.
fdisk -l output would be helpful. Is your btrfs on extended or primary partition?
13.2 btrfs is on an extended partition, as is 13.2 xfs. Here is fdisk of the relevant disk (fdisk run from 13.1, not from 13.2). None of the rest of the disks contain any partitions of 13.2 but I can post those if it would assist. The working grub2 bootloader from 13.1 is also in this extended partition / sdb4.
Disk /dev/sdb: 250.1 GB, 250059350016 bytes, 488397168 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk label type: dos
Disk identifier: 0x04f9e057
   Device Boot      Start         End      Blocks   Id  System
/dev/sdb1              63    40965749    20482843+   7  HPFS/NTFS/exFAT
/dev/sdb2        40966144   122886143    40960000    7  HPFS/NTFS/exFAT
/dev/sdb3       122886144   206788607    41951232    c  W95 FAT32 (LBA)
/dev/sdb4   *   206788608   488396799   140804096    f  W95 Ext'd (LBA)
/dev/sdb5       206790656   215175167     4192256   82  Linux swap / Solaris
/dev/sdb6       215177216   257120255    20971520   83  Linux
/dev/sdb7       257122304   341012479    41945088   83  Linux
/dev/sdb8       341014528   429096959    44041216   83  Linux
Drive use: sdb5 is LUKS swap, used by both 13.1 and 13.2, sdb6 is ext4 / of a 13.1 install, sdb7 is btrfs / of 13.2 install, sdb8 is the xfs /home of the 13.2 install. There is additional unused/unformatted space in this extended partition at the end beyond sdb8.
[ 2227.799239] XFS (dm-2): Version 5 superblock detected. This kernel has EXPERIMENTAL support enabled! Use of these features in this kernel is at your own risk! [ 2227.799246] XFS (dm-2): Superblock has unknown incompatible features (0x1) enabled. Filesystem can not be safely mounted by this kernel.
I tried "xfs_repair -n" (from 13.1)
As message clearly indicates, filesystem has features that are not supported by your kernel version. Attempt to "fix" it using downlevel tools will simply destroy filesystem. You need newer kernel that is compatible with new filesystem features.
Well "xfs_repair -n" does not make any changes to the filesystem, it is informational only. I was looking for information on the problem. I am "looking" at the 13.2 xfs from 13.1 os since I can't boot the 13.2. I would rather not mess with my main/business 13.1 install by changing kernels at this time. When I am satisfied that the 13.2 is usable, I will move the data from existing ext4 /home to the new xfs /home. I do not intend to try to access the xfs drive from any older OSes, once 13.2 is proven functional. Thank you.
On Sat, 8 Nov 2014 10:24:12 -0600 listreader <suselist@cableone.net> wrote:
Device Boot Start End Blocks Id System /dev/sdb1 63 40965749 20482843+ 7 HPFS/NTFS/exFAT
Yes, that's the problem. grub2 core.img with btrfs support exceeds 63 (actually 62) sectors and cannot be embedded in post-MBR - not enough space. Installation in extended partition is not possible because btrfs does not support blocklists (too advanced for it ...) There is patch submitted to Factory that will install core.img in space reserved for bootloader on btrfs partition in this case while having master boot code in MBR. You can grab packages here http://software.opensuse.org/download.html?project=Base%3ASystem&package=grub2
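The space constraint described in the message above can be checked before an install by reading the DOS partition table. The following is an added example, not code from the thread, from grub2 or from YaST: it parses a 512-byte MBR, computes the post-MBR embedding gap, and compares it with a core.img size. The MBR bytes are constructed from the fdisk listing posted earlier, and `ASSUMED_CORE_IMG_BYTES` is a placeholder, since the thread only says the image exceeds 62 sectors.

```python
import struct

SECTOR = 512
ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count
TABLE_OFFSET = 446

# Primary partitions of /dev/sdb from the fdisk output in the thread:
# (type id, start LBA, sector count = End - Start + 1)
PAGE_LAYOUT = [
    (0x07, 63, 40965687),
    (0x07, 40966144, 81920000),
    (0x0C, 122886144, 83902464),
    (0x0F, 206788608, 281608192),
]

# Placeholder size (80 sectors); the real value depends on the grub2 build.
ASSUMED_CORE_IMG_BYTES = 40960


def build_mbr(partitions):
    """Constructed sample: an MBR sector holding only a partition table."""
    mbr = bytearray(SECTOR)
    for i, (ptype, start, count) in enumerate(partitions):
        struct.pack_into(ENTRY_FMT, mbr, TABLE_OFFSET + 16 * i,
                         0, b"\0\0\0", ptype, b"\0\0\0", start, count)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


def parse_mbr(sector0):
    """Return the non-empty primary entries of a DOS partition table."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        _, _, ptype, _, start, count = struct.unpack_from(
            ENTRY_FMT, sector0, TABLE_OFFSET + 16 * i)
        if ptype == 0xEE:
            # GPT protective entry: the post-MBR area holds the GPT, not a gap.
            raise ValueError("GPT disk: this check applies to DOS labels only")
        if ptype != 0 and count != 0:
            parts.append({"index": i + 1, "type": ptype,
                          "start": start, "sectors": count})
    return parts


def embedding_gap_sectors(sector0):
    """Sectors between the MBR (LBA 0) and the first partition."""
    parts = parse_mbr(sector0)
    if not parts:
        raise ValueError("no partitions defined")
    return max(min(p["start"] for p in parts) - 1, 0)


def core_img_fits(sector0, core_img_bytes):
    """Return (fits, sectors_needed, sectors_available)."""
    needed = -(-core_img_bytes // SECTOR)   # ceiling division
    gap = embedding_gap_sectors(sector0)
    return needed <= gap, needed, gap


if __name__ == "__main__":
    legacy = build_mbr(PAGE_LAYOUT)                # first partition at sector 63
    modern = build_mbr([(0x83, 2048, 1000000)])    # constructed 1 MiB-aligned layout
    print("legacy:", core_img_fits(legacy, ASSUMED_CORE_IMG_BYTES))
    print("modern:", core_img_fits(modern, ASSUMED_CORE_IMG_BYTES))
```
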
On Sat, 8 Nov 2014 19:47:11 +0300 Andrei Borzenkov <arvidjaar@gmail.com> wrote:
On Sat, 8 Nov 2014 10:24:12 -0600 listreader <suselist@cableone.net> wrote:
Device Boot Start End Blocks Id System /dev/sdb1 63 40965749 20482843+ 7 HPFS/NTFS/exFAT
Yes, that's the problem. grub2 core.img with btrfs support exceeds 63 (actually 62) sectors and cannot be embedded in post-MBR - not enough space. Installation in extended partition is not possible because btrfs does not support blocklists (too advanced for it ...)
There is patch submitted to Factory that will install core.img in space reserved for bootloader on btrfs partition in this case while having master boot code in MBR. You can grab packages here
http://software.opensuse.org/download.html?project=Base%3ASystem&package=grub2
Aha! Thanks, Andrei. Perhaps the 13.2 install program should check on this factor before it attempts the full install... I may just try a new install on a different drive with 2048 (2047?) sectors up front as I may not be knowledgeable enough to deal with the patch. I will have a look at it however. Did this also cause the xfs problem or is that problem a totally different issue? Thanks again. Ralph
On Sat, 8 Nov 2014 11:37:42 -0600 listreader <suselist@cableone.net> wrote:
On Sat, 8 Nov 2014 19:47:11 +0300 Andrei Borzenkov <arvidjaar@gmail.com> wrote:
On Sat, 8 Nov 2014 10:24:12 -0600 listreader <suselist@cableone.net> wrote:
Device Boot Start End Blocks Id System /dev/sdb1 63 40965749 20482843+ 7 HPFS/NTFS/exFAT
Yes, that's the problem. grub2 core.img with btrfs support exceeds 63 (actually 62) sectors and cannot be embedded in post-MBR - not enough space. Installation in extended partition is not possible because btrfs does not support blocklists (too advanced for it ...)
There is patch submitted to Factory that will install core.img in space reserved for bootloader on btrfs partition in this case while having master boot code in MBR. You can grab packages here
http://software.opensuse.org/download.html?project=Base%3ASystem&package=grub2
Aha! Thanks, Andrei. Perhaps the 13.2 install program should check on this factor before it attempts the full install...
Too late. Assuming newer version will be released as update, future installations will work as long as update repository will be available during install.
I may just try a new install on a different drive with 2048 (2047?) sectors up front
Yes, that should work just fine. Or having btrfs partition as primary (so you can install bootloader there and mark it as active). Or having separate /boot with ext2 on primary partition.
Did this also cause the xfs problem or is that problem a totally different issue?
There is no problem with xfs. You need newer kernel than one from 13.1, that's all. Nobody ever promised downward compatibility.
Andrei Borzenkov <arvidjaar@gmail.com> wrote:
On Sat, 8 Nov 2014 10:24:12 -0600 listreader <suselist@cableone.net> wrote:
Device Boot Start End Blocks Id System /dev/sdb1 63 40965749 20482843+ 7 HPFS/NTFS/exFAT
Yes, that's the problem. grub2 core.img with btrfs support exceeds 63 (actually 62) sectors and cannot be embedded in post-MBR - not enough space. Installation in extended partition is not possible because btrfs does not support blocklists (too advanced for it ...)
does this mean 13.2 can't be installed as default on mbr system?? jdd
On 11/08/2014 10:01 AM, jdd wrote:
Andrei Borzenkov <arvidjaar@gmail.com> wrote:
On Sat, 8 Nov 2014 10:24:12 -0600 listreader <suselist@cableone.net> wrote:
Device Boot Start End Blocks Id System /dev/sdb1 63 40965749 20482843+ 7 HPFS/NTFS/exFAT
Yes, that's the problem. grub2 core.img with btrfs support exceeds 63 (actually 62) sectors and cannot be embedded in post-MBR - not enough space. Installation in extended partition is not possible because btrfs does not support blocklists (too advanced for it ...)
does this mean 13.2 can't be installed as default on mbr system??
jdd
It worked for me, but I did fiddle the partitions, because I was installing over (wiping out) a previous system, and the damn thing kept insisting it was going to try to cram the whole system into a tiny unused chunk at the end of the disk. I used the custom partitioner, put swap partition first (old habit), then / then /home then /bulkdata. Accepted defaults for the rest, so I have no actual recollection where the boot loader went. It seems to me that there was no option to nuke this disk and use it all. -- After all is said and done, more is said than done.
On 08/11/2014 19:09, John Andersen wrote:
It seems to me that there was no option to nuke this disk and use it all.
there is, but don't remember on what menu (I used it already) may be in "create partitions" jdd
On Sat, 08 Nov 2014 19:01:13 +0100 jdd <jdd@dodin.org> wrote:
Andrei Borzenkov <arvidjaar@gmail.com> wrote:
On Sat, 8 Nov 2014 10:24:12 -0600 listreader <suselist@cableone.net> wrote:
Device Boot Start End Blocks Id System /dev/sdb1 63 40965749 20482843+ 7 HPFS/NTFS/exFAT
Yes, that's the problem. grub2 core.img with btrfs support exceeds 63 (actually 62) sectors and cannot be embedded in post-MBR - not enough space. Installation in extended partition is not possible because btrfs does not support blocklists (too advanced for it ...)
does this mean 13.2 can't be installed as default on mbr system??
Why? In this specific case just create extra partition for /boot with ext2 and install bootloader in extended partition.
On 11/08/2014 10:16 AM, Andrei Borzenkov wrote:
On Sat, 08 Nov 2014 19:01:13 +0100 jdd <jdd@dodin.org> wrote:
Andrei Borzenkov <arvidjaar@gmail.com> wrote:
On Sat, 8 Nov 2014 10:24:12 -0600 listreader <suselist@cableone.net> wrote:
Device Boot Start End Blocks Id System /dev/sdb1 63 40965749 20482843+ 7 HPFS/NTFS/exFAT
Yes, that's the problem. grub2 core.img with btrfs support exceeds 63 (actually 62) sectors and cannot be embedded in post-MBR - not enough space. Installation in extended partition is not possible because btrfs does not support blocklists (too advanced for it ...)
does this mean 13.2 can't be installed as default on mbr system??
Why? In this specific case just create extra partition for /boot with ext2 and install bootloader in extended partition.
I think the question implied newbie taking all the defaults, or coexisting with another OS on the drive. We tend to forget how confusing it can be to a totally new user. -- After all is said and done, more is said than done.
On Sat, 08 Nov 2014 10:23:14 -0800 John Andersen <jsamyth@gmail.com> wrote:
On 11/08/2014 10:16 AM, Andrei Borzenkov wrote:
On Sat, 08 Nov 2014 19:01:13 +0100 jdd <jdd@dodin.org> wrote:
Andrei Borzenkov <arvidjaar@gmail.com> wrote:
On Sat, 8 Nov 2014 10:24:12 -0600 listreader <suselist@cableone.net> wrote:
Device Boot Start End Blocks Id System /dev/sdb1 63 40965749 20482843+ 7 HPFS/NTFS/exFAT
Yes, that's the problem. grub2 core.img with btrfs support exceeds 63 (actually 62) sectors and cannot be embedded in post-MBR - not enough space. Installation in extended partition is not possible because btrfs does not support blocklists (too advanced for it ...)
does this mean 13.2 can't be installed as default on mbr system??
Why? In this specific case just create extra partition for /boot with ext2 and install bootloader in extended partition.
I think the question implied newbie taking all the defaults, or coexisting with another OS on the drive.
We tend to forget how confusing it can be to a totally new user.
Browsing forums, there was reference to release notes: http://doc.opensuse.org/release-notes/x86_64/openSUSE/13.2/#idm1401294430811... which describes exactly this situation "in newbie language" ...
On 08/11/2014 20:52, Andrei Borzenkov wrote:
Browsing forums, there was reference to release notes:
http://doc.opensuse.org/release-notes/x86_64/openSUSE/13.2/#idm1401294430811...
which describes exactly this situation "in newbie language" ...
no. I have mbr computers with only linux. If I understand (but may be I don't), it's the mbr that is a problem, not XP, that mean every non uefi computer, that is most of the more than 2 years old computers? I have many to install, so why I ask usually I try to keep the install default as much as I can (it's much easier to maintain afterward) jdd
On Sun, 09 Nov 2014 08:34:22 +0100 jdd <jdd@dodin.org> wrote:
On 08/11/2014 20:52, Andrei Borzenkov wrote:
Browsing forums, there was reference to release notes:
http://doc.opensuse.org/release-notes/x86_64/openSUSE/13.2/#idm1401294430811...
which describes exactly this situation "in newbie language" ...
no.
I have mbr computers with only linux. If I understand (but may be I don't), it's the mbr that is a problem, not XP,
The problem is where first partition begins. In the past it was customary to start at 63th sector; if system was installed using Windows XP or earlier it most likely has this layout.
that mean every non uefi computer, that is most of the more than 2 years old computers?
I do not know when parted started to use 1MB offset for the first partition.
I have many to install, so why I ask
usually I try to keep the install default as much as I can (it's much easier to maintain afterward)
jdd
Andrei Borzenkov composed on 2014-11-09 11:22 (UTC+0300):
I do not know when parted started to use 1MB offset for the first partition.
I failed to find a parted changelog going back beyond 2009. I'm guessing it was around the time M$ Vista went into beta testing, at least 8 years ago. -- "The wise are known for their understanding, and pleasant words are persuasive." Proverbs 16:21 (New Living Translation) Team OS/2 ** Reg. Linux User #211409 ** a11y rocks! Felix Miata *** http://fm.no-ip.com/
On 09/11/2014 09:22, Andrei Borzenkov wrote:
The problem is where first partition begins. In the past it was customary to start at 63th sector; if system was installed using Windows XP or earlier it most likely has this layout.
that mean every non uefi computer, that is most of the more than 2 years old computers?
I do not know when parted started to use 1MB offset for the first partition.
well, this mean the problem exists if one have to keep the old partitions (or one of them). So wipe all the disk or do not use btrfs. Couldn't this be done by Yast? jdd
On Sun, 09 Nov 2014 10:01:18 +0100 jdd <jdd@dodin.org> wrote:
So wipe all the disk or do not use btrfs. Couldn't this be done by Yast?
I'm not sure I understand the question. Yes, you can tell installer to wipe out all existing partitions. Do not ask me exact mouse clicks. If you mean "YaST could decide it itself" - probably. Someone needs to implement it.
On 09/11/2014 10:23, Andrei Borzenkov wrote:
On Sun, 09 Nov 2014 10:01:18 +0100 jdd <jdd@dodin.org> wrote:
So wipe all the disk or do not use btrfs. Couldn't this be done by Yast?
I'm not sure I understand the question. Yes, you can tell installer to wipe out all existing partitions. Do not ask me exact mouse clicks. If you mean "YaST could decide it itself" - probably. Someone needs to implement it.
what could be done by yast is do not default to btrfs if grub can't boot... thanks jdd
On 2014-11-09 10:01, jdd wrote:
On 09/11/2014 09:22, Andrei Borzenkov wrote:
I do not know when parted started to use 1MB offset for the first partition.
well, this mean the problem exists if one have to keep the old partitions (or one of them).
So wipe all the disk or do not use btrfs. Couldn't this be done by Yast?
Why? It is just way easier to install using a separate /boot, as it has been done for ages. I don't see the complication. -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
On 08/11/2014 19:23, John Andersen wrote:
On 11/08/2014 10:16 AM, Andrei Borzenkov wrote:
On Sat, 08 Nov 2014 19:01:13 +0100 jdd <jdd@dodin.org> wrote:
does this mean 13.2 can't be installed as default on mbr system??
I think the question implied newbie taking all the defaults, or coexisting with another OS on the drive.
We tend to forget how confusing it can be to a totally new user.
newbees or other people :-) (and f I have read the release notes) jdd
On 2014-11-08 18:37, listreader wrote:
On Sat, 8 Nov 2014 19:47:11 +0300 Andrei Borzenkov <> wrote:
There is patch submitted to Factory that will install core.img in space reserved for bootloader on btrfs partition in this case while having master boot code in MBR. You can grab packages here
http://software.opensuse.org/download.html?project=Base%3ASystem&package=grub2
Aha! Thanks, Andrei. Perhaps the 13.2 install program should check on this factor before it attempts the full install...
That will be 13.3. A solution for some is to install using a separate /boot partition in ext2. I'm not sure about your case. -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
On 11/08/2014 06:45 AM, listreader wrote:
The btrfs looks fine, or at least I can browse what's in there. The xfs partition, though, appears broken. I had LUKS encrypted it during the install/format process but when I try to mount I get the familiar bad old message about:
I am massively in favour of encryption, no matter what the FBI says, no matter what the NSA says about it being the death of the 'berry. http://www.zdnet.com/former-nsas-chief-lawyer-blackberrys-encryption-efforts...
But you'll note that both of these have to do with mobile devices. You'll also note, I hope, that many of the stolen USB "breaches" were unencrypted data on a _mobile_ data store.
I'm also massively in favour of encrypted data channels!
But I don't encrypt data on static machines. (usually)
An encrypted FS or data store that is available in the clear while the system is booted anyway makes no sense to me. It only makes sense if the machine itself is physically insecure, that the drive could be stolen. And not really even then; if the machine is physically insecure the whole thing could be stolen, and booted, or the data extracted while the machine was running, or, given physical access, a keystroke recorder could be plugged in.
Per user encryption that is only made available in the clear by the user, possibly, though I hope not, when the user logs in, begins to make sense on a static machine that is protected from some classes of physical hacking. One might reason that the "My Accounts" (or "My Nude Pictures") is encrypted and only unencrypted while the appropriate application is run, and re-encrypted at the end of that run. Nevertheless, if the (static) machine is not physically protected a keystroke recorder can be used to get the key prior to stealing the encrypted data.
If the (static) machine is physically protected then I don't see the justification for encrypted file system that is mounted & unencrypted, at boot time by the kernel and kept unencrypted while the system is running. It might make some marginal sense if the machine is off most of the time, but I'd be hard pressed to justify that myself.
Then there's the issue of backups. Are they done of the encrypted FS or are they done of the running, unencrypted FS? Are the backups, which are not on portable media, encrypted and/or physically protected?
Then we get into the thorny matter of key management. If the kernel is to automatically unencrypt & mount the FS at boot time then the kernel needs to know the key or have the key to the key management system (which may be an encrypted file... And so on regressing indefinitely).
I'm sure people are going to disagree with what I've said. I *DO* want to hear other reasoned views. But before you do, read what I've written carefully. I've tried to make clear the difference between mobile devices and mobile data on the one hand, and static machines such as servers (in farms, at service providers) on the other, and to make clear that the risks associated with allowing unlimited physical access to static machines cannot be fully mitigated by encrypting file systems or even individual files. Derived from the latter, if you have physical protection then the value of encryption is ruined if the machine is running with the file system mounted clearly accessible.
However it is the MOBILE which concerns me most. That includes backups from the static machines. If we are talking about mobile data in any form, be it backup takes, on cell phones/tablets, on laptops & chromebooks, or stored in the cloud and flowing backwards and forwards, then there is a good justification for encryption.
Encryption is not a magic ointment that one applies to cure ills and protect from hackers. Having that attitude will lead you to disaster in one form or another.
--
A: Yes.
> Q: Are you sure?
>> A: Because it reverses the logical flow of conversation.
>>> Q: Why is top posting frowned upon?
On Sat, 08 Nov 2014 11:35:28 -0500 Anton Aylward <opensuse@antonaylward.com> wrote:
But I don't encrypt data on static machines. (usually)
An encrypted FS or data store that is available in the clear while the system is booted anyway makes no sense to me. It only makes sense if the machine itself is physically insecure, that the drive could be stolen. And not really even then; if the machine is physically insecure the whole thing could be stolen, and booted, or the data extracted while the machine was running, or, given physical access, a keystroke recorder could be plugged in.
Well, it depends on WHO you are trying to protect your data from. In my case, I live in the very rural South of the USA. The "threat" to my data is primarily not from government spooks or knowledgeable hackers but instead from common criminals. While I am home on my property they are no threat, we are all armed here and protected by the "castle doctrine", i.e. you come on my property uninvited I can take you out, no questions to be answered afterwards. But, when I travel and property is vacant for more than a few days, it is another story. No one would hear a burglar alarm going off, and silent alarms are not useful when the responding sheriff might be 30 minutes or more away on the other side of the county when needed. So, you do all you can to protect your property and that includes protecting your data should the criminal gain actual access into your buildings and steal your machines. LUKS works fine to protect data on shut-down machines.
Then there's the issue of backups. Are they done of the encrypted FS or are they done of the running, unencrypted FS? Are the backups, which are not on portable media, encrypted and/or physically protected?
My backups are done from the running unencrypted fs, and onto LUKS encrypted USB sticks (full backups) or LUKS encrypted SD cards (incrementals). Works for me. Ralph
On 11/08/2014 10:09 AM, listreader wrote:
On Sat, 08 Nov 2014 11:35:28 -0500 Anton Aylward <opensuse@antonaylward.com> wrote:
But I don't encrypt data on static machines. (usually)
An encrypted FS or data store that is available in the clear while the system is booted anyway makes no sense to me. It only makes sense if the machine itself is physically insecure, that the drive could be stolen. And not really even then; if the machine is physically insecure the whole thing could be stolen, and booted, or the data extracted while the machine was running, or, given physical access, a keystroke recorder could be plugged in.
Well, it depends on WHO you are trying to protect your data from. In my case, I live in the very rural South of the USA. The "threat" to my data is primarily not from government spooks or knowledgeable hackers but instead from common criminals. While I am home on my property they are no threat, we are all armed here and protected by the "castle doctrine", i.e. you come on my property uninvited I can take you out, no questions to be answered afterwards. But, when I travel and property is vacant for more than a few days, it is another story. No one would hear a burglar alarm going off, and silent alarms are not useful when the responding sheriff might be 30 minutes or more away on the other side of the county when needed. So, you do all you can to protect your property and that includes protecting your data should the criminal gain actual access into your buildings and steal your machines. LUKS works fine to protect data on shut-down machines.
Then there's the issue of backups. Are they done of the encrypted FS or are they done of the running, unencrypted FS? Are the backups, which are not on portable media, encrypted and/or physically protected?
My backups are done from the running unencrypted fs, and onto LUKS encrypted USB sticks (full backups) or LUKS encrypted SD cards (incrementals). Works for me.
Ralph
I worry about my traveling laptop. That's far more likely to get stolen than something from my home. I encrypt my /home and proprietary data/code directories for my day job. I also use ddclient to map both my internal and external IP to a dynamic dns provider. -- After all is said and done, more is said than done.
On 11/08/2014 01:20 PM, John Andersen wrote:
I worry about my traveling laptop. That's far more likely to get stolen than something from my home. I encrypt my /home and proprietary data/code directories for my day job.
Makes sense to me. "If data is mobile then encrypt it". -- A: Yes. > Q: Are you sure? >> A: Because it reverses the logical flow of conversation. >>> Q: Why is top posting frowned upon?
On 11/08/2014 11:35 AM, Anton Aylward wrote:
An encrypted FS or data store that is available in the clear while the system is booted anyway makes no sense to me. It only makes sense if the machine itself is physically insecure, that the drive could be stolen. And not really even then; if the machine is physically insecure the whole thing could be stolen, and booted, or the data extracted while the machine was running, or, given physical access, a keystroke recorder could be plugged in.
A few years ago, I set up ThinkPads for a pharmaceutical company. The drives were encrypted and could only be accessed after the password was entered. No password, no data. Even if someone "borrowed" a computer, they couldn't read anything without the password.
Le 08/11/2014 21:30, James Knott a écrit :
A few years ago, I set up ThinkPads for a pharmaceutical company. The drives were encrypted and could only be accessed after the password was entered. No password, no data. Even if someone "borrowed" a computer, they couldn't read anything without the password.
many of the users I know tend to forget their passwds or write them on the keyboard... encrypting is only necessary if the data is really secret (and a pharmacy company seems to be a good candidate for that). most thief looks about the computer, not it's content
jdd
On 11/09/2014 02:38 AM, jdd wrote:
encrypting is only necessary if the data is really secret
I'm sure we can think of other reasons. Access control (such as James mentioned) isn't just about "secrecy". A pharma company is bound by other regulations, even ones not pertaining to issues of pharmaceutical trade secrets such as Sarbanes-Oxley (or since James is in Canada, Bill 198). And 'security' that encryption can be used to enforce has other aspects than access control, such as ensuring integrity and demonstrating audit trail. One view of 'security' attributes: http://www.mekabay.com/overviews/hexad.ppt
On 11/09/2014 02:38 AM, jdd wrote:
most thief looks about the computer, not it's content
What do you mean by that? Are you saying that computers are stolen for the hardware value alone? While the re-sale value of a high-end gaming laptop might make that worth while, the kind of pathetic things that my banking, telecom and I would guess James' pharma clients supply to their minions are not so powerful. All the ones I saw were low end IBM or Lenovo units, bulk purchases on a 3 year CCA cycle. But there is a clear market for information. Even the 'generic' information of credit card numbers and PII. A moment's consideration and you'll realise that a laptop owned by a telecom field agent is going to have client information from sales or maintenance visits and possibly billing information as well. That of a pharma company could be involved in field trials. That of bank, client or similar information. I can personally attest to 2 of the above 3. One engineering firm I was at had poor physical security and a thief came one night and stole hard drives from the servers - faster than copying! But easier than stealing the whole computer. Perhaps the view that the computer was more valuable than its contents held in the last century and holds in the minds of many judges in the legal system who have an antiquated view of "physical evidence", but these days even the police and other law enforcement have caught on to the idea that it is the contents that count.
Le 09/11/2014 14:16, Anton Aylward a écrit :
On 11/09/2014 02:38 AM, jdd wrote:
most thief looks about the computer, not it's content
What do you mean by that? Are you saying that computers are stolen for the hardware value alone?
yes. Mosth thief do not even know what a computer is :-(
Perhaps the view that the computer was more valuable than its contents held in the last century and holds in the minds of many judges in the
enterprises may have valuable data not to be stolen and use encryption, but most of the people do not even backup their Hard drive. I nearly any week have such call "my drive do not read, help". around me, many computers were stolen, but through windows let open, or luggage, or office wrecked no one for data mining (not to say this do not exist)
jdd
On 11/09/2014 10:00 AM, jdd wrote:
Le 09/11/2014 14:16, Anton Aylward a écrit :
On 11/09/2014 02:38 AM, jdd wrote:
most thief looks about the computer, not it's content
What do you mean by that? Are you saying that computers are stolen for the hardware value alone?
yes. Mosth thief do not even know what a computer is :-(
Even spelling corrected I think that is a ridiculous and unsupportable statement. It may have held even in the closing years of the last century, but today, even in obscure parts of the world, I don't think it's true.
Perhaps the view that the computer was more valuable than its contents held in the last century and holds in the minds of many judges in the
enterprises may have valuable data not to be stolen and use encryption, but most of the people do not even backup their Hard drive. I nearly any week have such call "my drive do not read, help".
I'm not denying the Joe Sixpacks of the world, who obviously do know what a computer is, are lax about backups. I'd bet there are people on this forum who are lax about backups. But I've also met many corporations & business enterprises that have poor backup/restore policy, and what's the point of a backup if you can't do a restore? And encryption, as many who have surveyed this matter (q.v, go google) is not widespread in business.
around me, many computers were stolen, but through windows let open, or luggage, or office wrecked
That sounds to me like poor physical security and opportunistic theft. I've had my phone stolen at a computer conference where I knew many of the people; someone just walked by, picked it up and walked off with it. It's why I encrypt & lock my phone. Recall what I said about "portable media"? A great deal of personal theft goes on in offices & the workplace, but that too seems to be opportunist: money, purses, wallets ... I once had a camera stolen from a drawer. Management attitude varies over such pilfering, often they don't want to investigate as it might prove that they hired thieves. But in all of this the theft of the "device" is about something with immediate resale value.
no one for data mining (not to say this do not exist)
It's long been observed that e-theft is more profitable and lower risk than robbing a bank or store for cash or jewels. That doesn't stop the latter, but it's a different class of theft and, according to police presentations I've attended, different motivation. Any targeted theft involving a physical computer is more likely to be about the contents. After all, computers are getting to be commodity items and easily stolen devices have a comparatively low resale value on the street. Data, such as PII and CC# is a different matter; it is easily bulked and removed. So what if each CC# is only worth a couple of $. When you're trading tens of thousands and can sell each multiple times, that makes more sense. You can't sell a stolen laptop multiple times. As for corporate encryption, well, there are quite a few regulations that advise or mandate it, but the reality is that either enterprises get it wrong or it doesn't work as intended. We've seen recently how retailers such as TARGET, even though "PCI Compliant", and this isn't the PCI of old, this is up to date, are still vulnerable. In the sources of DotSigQuotes that Henne tells me not to use here, I once found this: "Security can be viewed like a construction scenario - build part of a road, and even if you don't complete it, you still have something to drive on; build part of a bridge and you have nothing! Security is like the last." That's the point with security. Encryption is well and good ... As part of an overall security plan and implementation. Then again, physical security, preventing your phone, laptop from being stolen, vetting your employees and all the rest, are also parts of the overall security plan and implementation.
On 11/09/2014 11:12 AM, Anton Aylward wrote:
That sounds to me like poor physical security and opportunistic theft. I've had my phone stolen at a computer conference where I knew many of the people; someone just walked by, picked it up and walked off with it. It's why I encrypt & lock my phone. Recall what I said about "portable media"?
There have been several instances where a government or business employee has lost a USB drive containing confidential info such as personal identification, account numbers and more.
On 11/08/2014 03:30 PM, James Knott wrote:
On 11/08/2014 11:35 AM, Anton Aylward wrote:
An encrypted FS or data store that is available in the clear while the system is booted anyway makes no sense to me. It only makes sense if the machine itself is physically insecure, that the drive could be stolen. And not really even then; if the machine is physically insecure the whole thing could be stolen, and booted, or the data extracted while the machine was running, or, given physical access, a keystroke recorder could be plugged in.
A few years ago, I set up ThinkPads for a pharmaceutical company. The drives were encrypted and could only be accessed after the password was entered. No password, no data. Even if someone "borrowed" a computer, they couldn't read anything without the password.
Another reason to encrypt your data, be it on your computer, phone/tablet or the cloud: Nude selfies
Le 09/11/2014 14:18, Anton Aylward a écrit :
Another reason to encrypt your data, be it on your computer, phone/tablet or the cloud:
Nude selfies
don't do this (nude selfies), or do not use the same passwd anywhere like 99% of the population :-(
jdd
On 11/09/2014 10:01 AM, jdd wrote:
don't do this (nude selfies)
Indeed. it makes me wonder, whatever possessed those celebrities to take nude selfies in the first place.
Anton Aylward composed on 2014-11-09 11:09 (UTC-0500):
jdd wrote:
don't do this (nude selfies)
Indeed. it makes me wonder, whatever possessed those celebrities to take nude selfies in the first place.
Assuming they happened on purpose, ethyl alcohol, and/or other drugs, and/or peer pressure, and/or dietary reminder, and/or want of additional tabloid headlines.... :-) -- "The wise are known for their understanding, and pleasant words are persuasive." Proverbs 16:21 (New Living Translation) Team OS/2 ** Reg. Linux User #211409 ** a11y rocks! Felix Miata *** http://fm.no-ip.com/
On 11/08/2014 06:45 AM, listreader wrote:
Problem #2: I booted into 13.1 and looked at the new 13.2 btrfs and xfs partitions. The btrfs looks fine, or at least I can browse what's in there. The xfs partition, though, appears broken. I had LUKS encrypted it during the install/format process but when I try to mount I get the familiar bad old message about:
I would have made an unencrypted FS, then manually, in single user mode (or maintenance mode from the DVD) encrypted, manually checked it could be mounted, then altered the fstab. I suspect you still can drop into single user and do all that.
On 2014-11-08 12:45, listreader wrote:
Howdy...
:~> uname -a Linux msbmainhp.site 3.11.10-21-desktop #1 SMP PREEMPT Mon Jul 21 15:28:46 UTC 2014 (9a9565d) x86_64 x86_64 x86_64 GNU/Linux
That's openSUSE 13.1 kernel, not 13.2. -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
On Sun, 09 Nov 2014 17:19:03 +0100 "Carlos E. R." <robin.listas@telefonica.net> wrote:
On 2014-11-08 12:45, listreader wrote:
Howdy...
:~> uname -a Linux msbmainhp.site 3.11.10-21-desktop #1 SMP PREEMPT Mon Jul 21 15:28:46 UTC 2014 (9a9565d) x86_64 x86_64 x86_64 GNU/Linux
That's openSUSE 13.1 kernel, not 13.2.
Eh, yes, that is correct. If you read the whole message you are responding to - or even just the title line of the message - you'll discover that 13.1 is the running os because the 13.2 install failed.
On 2014-11-09 17:53, listreader wrote:
Eh, yes, that is correct. If you read the whole message you are responding to - or even just the title line of the message - you'll discover that 13.1 is the running os because the 13.2 install failed.
Then don't try to repair the filesystems created by 13.2 using 13.1. Instead, download the 13.2 rescue image and use it. -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
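The reason behind this advice can be checked from the superblock itself. The following is an added example, not part of the thread: it reads the version and incompatible-feature mask of an XFS superblock and reports bits a given kernel does not understand. Function names and the `kernel_supported_mask` parameter are assumptions; the sample sector is constructed, and field offsets follow the XFS on-disk superblock layout.

```python
import struct

XFS_MAGIC = b"XFSB"
# Incompatible-feature bits defined for version 5 superblocks.
INCOMPAT_NAMES = {0x1: "ftype", 0x2: "sparse inodes", 0x4: "meta uuid"}


def read_xfs_features(sb: bytes) -> dict:
    """Parse the superblock fields that decide whether a kernel may mount."""
    if len(sb) < 220 or sb[:4] != XFS_MAGIC:
        raise ValueError("not an XFS superblock")
    (versionnum,) = struct.unpack_from(">H", sb, 100)    # sb_versionnum
    version = versionnum & 0x000F                        # low nibble = format version
    incompat = 0
    if version >= 5:  # feature masks only exist in v5 superblocks
        (incompat,) = struct.unpack_from(">I", sb, 216)  # sb_features_incompat
    return {"version": version, "incompat": incompat}


def unknown_incompat(sb: bytes, kernel_supported_mask: int) -> list:
    """Return the incompat features the kernel (assumed mask) cannot handle."""
    unknown = read_xfs_features(sb)["incompat"] & ~kernel_supported_mask
    return [INCOMPAT_NAMES.get(bit, hex(bit))
            for bit in (1 << i for i in range(32)) if unknown & bit]


def make_sample_superblock(version: int, incompat: int) -> bytes:
    """Constructed sample sector for the demo, not read from a real disk."""
    sb = bytearray(512)
    sb[0:4] = XFS_MAGIC
    struct.pack_into(">H", sb, 100, 0xB4A0 | version)
    struct.pack_into(">I", sb, 216, incompat)
    return bytes(sb)


if __name__ == "__main__":
    sample = make_sample_superblock(version=5, incompat=0x1)
    print(read_xfs_features(sample))
    # An older kernel that knows no incompat features must refuse this mount.
    print(unknown_incompat(sample, kernel_supported_mask=0x0))
```

On a real system the input would be the first sector of the unlocked LUKS mapping, read as root. Any non-empty result means the filesystem should be handled only with tools from the release that created it.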
On Sun, 09 Nov 2014 17:57:16 +0100 "Carlos E. R." <robin.listas@telefonica.net> wrote:
On 2014-11-09 17:53, listreader wrote:
Eh, yes, that is correct. If you read the whole message you are responding to - or even just the title line of the message - you'll discover that 13.1 is the running os because the 13.2 install failed.
Then don't try to repair the filesystems created by 13.2 using 13.1. Instead, download the 13.2 rescue image and use it.
Please please PLEASE read the entire thread before commenting. This problem has already been fully discussed and solved.
On 2014-11-09 18:14, listreader wrote:
On Sun, 09 Nov 2014 17:57:16 +0100 "Carlos E. R." <> wrote:
Please please PLEASE read the entire thread before commenting. This problem has already been fully discussed and solved.
Sure? I do not see a "solved" comment in any of your posts. They are a bit confusing. -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
participants (9)
- Andrei Borzenkov
- Anton Aylward
- Carlos E. R.
- Carlos E. R.
- Felix Miata
- James Knott
- jdd
- John Andersen
- listreader