On 04/23/2022 09:19 PM, H wrote:
> On 04/19/2022 09:57 AM, Roberto Ragusa wrote:
>> On 4/18/22 1:27 PM, H wrote:
>>> I have a new computer with 2 x 2TB SSDs where I wanted to install C7 and use mdadm for RAID1 configuration and encrypting the /home partition. On the net I found https://tuxfixer.com/centos-7-installation-with-lvm-raid-1-mirroring/ which I adopted slightly with respect to partition sizes, using RAID1 for /boot and /root as well and added the /home partition with RAID1 and chose to have /home encrypted.
>> It may be a good idea to also have / and swap encrypted, since user data can go there easily
>> (logs, locatedb, swapped mem).
>>
>> I would do:
>> - /boot as a separate RAID1 (md1=sda1+sdb1)
>> - then another RAID1 (md2=sda2+sdb2) using all the remaining disk
>> - luks on top of md2, giving you luks-xxxxx
>> - LVM with a PV on luks-xxxxx
>> - VG and LVs for swap, / and /home (do not assign all the available space now, especially if using xfs as filesystem)
>>
>> Not sure if you can do this setup through the installer, you have to try (in a VM maybe).
>>
>> Regards.
>>
> Thank you. I will have time to get back to this system tomorrow to try this.
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos

Roberto, what would the advantage(s) be with your setup, ie one RAID1 array for everything but /boot compared to what I had done, ie three RAID1 arrays for /boot/efi RAID1, /boot RAID1 and one LVM-RAID1 for / and /home? As a naive user it would seem to me that the setup I did would be more resilient if a disk fails, or?

Think he might have just missed the fact that you had EFI boot as well. So then it would be:

/boot md0

/boot/EFI md1

/ md2 -> vg0 -> lvs

Otherwise it was more a suggestion on using encryption for more than just the /home partition since there is always a risk with SWAP etc to have information that you do not want to be read.

My current setup goes:

/dev/mapper/vg0-root            /
/dev/mapper/vg0-usr             /usr
/dev/nvme0n1p2                  /boot       <- this would be a md device in your case
/dev/nvme0n1p1                  /boot/efi   <- this would be a md device in your case
/dev/mapper/vg0-home            /home
/dev/mapper/vg0-var             /var
/dev/mapper/vg0-tmp             /tmp
/dev/mapper/vg0-var_tmp         /var/tmp
/dev/mapper/vg0-var_log         /var/log
/dev/mapper/vg0-var_log_audit   /var/log/audit

Note that we are most likely mixing data redundancy with data security a bit here. So as far as your plan to run a md device for each "partition" needed that is a sound and solid plan.

When it comes to encryption the point is that you might want to have more than just /home protected. But this is very dependent on your threat model. If you have a laptop encryption of all partitions is suggested.

Regards

On 2022-04-24 20:54, H wrote:
> On 04/23/2022 09:19 PM, H wrote:
>> On 04/19/2022 09:57 AM, Roberto Ragusa wrote:
>>> On 4/18/22 1:27 PM, H wrote:
>>>> I have a new computer with 2 x 2TB SSDs where I wanted to install C7 and use mdadm for RAID1 configuration and encrypting the /home partition. On the net I found https://tuxfixer.com/centos-7-installation-with-lvm-raid-1-mirroring/ which I adopted slightly with respect to partition sizes, using RAID1 for /boot and /root as well and added the /home partition with RAID1 and chose to have /home encrypted.
>>> It may be a good idea to also have / and swap encrypted, since user data can go there easily
>>> (logs, locatedb, swapped mem).
>>>
>>> I would do:
>>> - /boot as a separate RAID1 (md1=sda1+sdb1)
>>> - then another RAID1 (md2=sda2+sdb2) using all the remaining disk
>>> - luks on top of md2, giving you luks-xxxxx
>>> - LVM with a PV on luks-xxxxx
>>> - VG and LVs for swap, / and /home (do not assign all the available space now, especially if using xfs as filesystem)
>>>
>>> Not sure if you can do this setup through the installer, you have to try (in a VM maybe).
>>>
>>> Regards.
>>>
>> Thank you. I will have time to get back to this system tomorrow to try this.
>
> Roberto, what would the advantage(s) be with your setup, ie one RAID1 array for everything but /boot compared to what I had done, ie three RAID1 arrays for /boot/efi RAID1, /boot RAID1 and one LVM-RAID1 for / and /home? As a naive user it would seem to me that the setup I did would be more resilient if a disk fails, or?

On 04/29/2022 07:30 AM, Joakim Dellrud wrote:
> Think he might have just missed the fact that you had EFI boot as well. So then it would be:
>
> /boot md0
>
> /boot/EFI md1
>
> / md2 -> vg0 -> lvs
>
> Otherwise it was more a suggestion on using encryption for more than just the /home partition since there is always a risk with SWAP etc to have information that you do not want to be read.
>
> My current setup goes:
>
> /dev/mapper/vg0-root            /
> /dev/mapper/vg0-usr             /usr
> /dev/nvme0n1p2                  /boot       <- this would be a md device in your case
> /dev/nvme0n1p1                  /boot/efi   <- this would be a md device in your case
> /dev/mapper/vg0-home            /home
> /dev/mapper/vg0-var             /var
> /dev/mapper/vg0-tmp             /tmp
> /dev/mapper/vg0-var_tmp         /var/tmp
> /dev/mapper/vg0-var_log         /var/log
> /dev/mapper/vg0-var_log_audit   /var/log/audit
>
> Note that we are most likely mixing data redundancy with data security a bit here. So as far as your plan to run a md device for each "partition" needed that is a sound and solid plan.
>
> When it comes to encryption the point is that you might want to have more than just /home protected. But this is very dependent on your threat model. If you have a laptop encryption of all partitions is suggested.
>
> Regards
>
>
> On 2022-04-24 20:54, H wrote:
>> On 04/23/2022 09:19 PM, H wrote:
>>> On 04/19/2022 09:57 AM, Roberto Ragusa wrote:
>>>> On 4/18/22 1:27 PM, H wrote:
>>>>> I have a new computer with 2 x 2TB SSDs where I wanted to install C7 and use mdadm for RAID1 configuration and encrypting the /home partition. On the net I found https://tuxfixer.com/centos-7-installation-with-lvm-raid-1-mirroring/ which I adopted slightly with respect to partition sizes, using RAID1 for /boot and /root as well and added the /home partition with RAID1 and chose to have /home encrypted.
>>>> It may be a good idea to also have / and swap encrypted, since user data can go there easily
>>>> (logs, locatedb, swapped mem).
>>>>
>>>> I would do:
>>>> - /boot as a separate RAID1 (md1=sda1+sdb1)
>>>> - then another RAID1 (md2=sda2+sdb2) using all the remaining disk
>>>> - luks on top of md2, giving you luks-xxxxx
>>>> - LVM with a PV on luks-xxxxx
>>>> - VG and LVs for swap, / and /home (do not assign all the available space now, especially if using xfs as filesystem)
>>>>
>>>> Not sure if you can do this setup through the installer, you have to try (in a VM maybe).
>>>>
>>>> Regards.
>>>>
>>> Thank you. I will have time to get back to this system tomorrow to try this.
>>
>> Roberto, what would the advantage(s) be with your setup, ie one RAID1 array for everything but /boot compared to what I had done, ie three RAID1 arrays for /boot/efi RAID1, /boot RAID1 and one LVM-RAID1 for / and /home? As a naive user it would seem to me that the setup I did would be more resilient if a disk fails, or?

I am coming back to this topic after a long while. Again, I am installing CentOS 7 on a new machine.

Using the graphical installer and following the suggestion above, I first created the /boot partition in RAID1 configuration, then /boot EFI in RAID1 configuration, after which I proceeded to create an LVM in RAID1 configuration for the remainder of the disks using the / partition. If I understand the above correctly, I should then create /home and swap using this LVM (as well as possibly /var) but do not seem to be able to do so in the graphical installer.

Have I missed something? Or, do I need to do this differently following another path?

Thank you in advance.

On 04/24/2022 02:54 PM, H wrote:
> On 04/23/2022 09:19 PM, H wrote:
>> On 04/19/2022 09:57 AM, Roberto Ragusa wrote:
>>> On 4/18/22 1:27 PM, H wrote:
>>>> I have a new computer with 2 x 2TB SSDs where I wanted to install C7 and use mdadm for RAID1 configuration and encrypting the /home partition. On the net I found https://tuxfixer.com/centos-7-installation-with-lvm-raid-1-mirroring/ which I adopted slightly with respect to partition sizes, using RAID1 for /boot and /root as well and added the /home partition with RAID1 and chose to have /home encrypted.
>>> It may be a good idea to also have / and swap encrypted, since user data can go there easily
>>> (logs, locatedb, swapped mem).
>>>
>>> I would do:
>>> - /boot as a separate RAID1 (md1=sda1+sdb1)
>>> - then another RAID1 (md2=sda2+sdb2) using all the remaining disk
>>> - luks on top of md2, giving you luks-xxxxx
>>> - LVM with a PV on luks-xxxxx
>>> - VG and LVs for swap, / and /home (do not assign all the available space now, especially if using xfs as filesystem)
>>>
>>> Not sure if you can do this setup through the installer, you have to try (in a VM maybe).
>>>
>>> Regards.
>>>
>> Thank you. I will have time to get back to this system tomorrow to try this.
>
> Roberto, what would the advantage(s) be with your setup, ie one RAID1 array for everything but /boot compared to what I had done, ie three RAID1 arrays for /boot/efi RAID1, /boot RAID1 and one LVM-RAID1 for / and /home? As a naive user it would seem to me that the setup I did would be more resilient if a disk fails, or?
>

Did not get any response to the above and I will have an opportunity to work with this computer again in a few days. If I were to partition the disks as suggested above - and which is not supported by the CentOS 7 installation software (anaconda?) - which software would be suggested to use to partition the disks prior to installing CentOS 7?

Thank you in advance.
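
Added example, not part of any message in this thread: a check for the point raised above that /, swap and logs can hold user data even when /home is encrypted. It reads `lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT` output and lists every mount point that does not sit behind a LUKS layer. The two inputs are constructed samples (one RAID leg shown), and the function names and the /boot, /boot/efi allow-list are assumptions.

```shell
#!/bin/sh
# Reads `lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT` on stdin and prints every
# mount point (or [SWAP]) reachable from a disk without crossing a dm-crypt
# layer. $1 = mount points allowed in the clear (default is an assumption).
audit_unencrypted() {
    awk -F'"' -v allow="${1:-/boot /boot/efi}" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    {
        kname = $2; parent = $4; type = $6; mnt = $8
        # lsblk lists a parent before its children and repeats the subtree
        # under each RAID leg, so a single pass in input order is enough.
        if (type != "crypt" && (parent == "" || exposed[parent])) {
            exposed[kname] = 1
            if (mnt != "" && !(mnt in ok) && !seen[mnt]++) { print mnt; bad = 1 }
        }
    }
    END { exit bad + 0 }'
}

# Constructed sample: LVM directly on md1, LUKS only under /home.
sample_home_only() { cat <<'EOF'
KNAME="sda" PKNAME="" TYPE="disk" MOUNTPOINT=""
KNAME="sda1" PKNAME="sda" TYPE="part" MOUNTPOINT=""
KNAME="md0" PKNAME="sda1" TYPE="raid1" MOUNTPOINT="/boot"
KNAME="sda2" PKNAME="sda" TYPE="part" MOUNTPOINT=""
KNAME="md1" PKNAME="sda2" TYPE="raid1" MOUNTPOINT=""
KNAME="dm-0" PKNAME="md1" TYPE="lvm" MOUNTPOINT="/"
KNAME="dm-1" PKNAME="md1" TYPE="lvm" MOUNTPOINT="[SWAP]"
KNAME="dm-2" PKNAME="md1" TYPE="lvm" MOUNTPOINT=""
KNAME="dm-3" PKNAME="dm-2" TYPE="crypt" MOUNTPOINT="/home"
EOF
}

# Constructed sample: md2 -> LUKS -> LVM, the stacking proposed in the thread.
sample_luks_under_lvm() { cat <<'EOF'
KNAME="sda" PKNAME="" TYPE="disk" MOUNTPOINT=""
KNAME="sda2" PKNAME="sda" TYPE="part" MOUNTPOINT=""
KNAME="md2" PKNAME="sda2" TYPE="raid1" MOUNTPOINT=""
KNAME="dm-0" PKNAME="md2" TYPE="crypt" MOUNTPOINT=""
KNAME="dm-1" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="/"
KNAME="dm-2" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="[SWAP]"
KNAME="dm-3" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="/home"
EOF
}

for s in sample_home_only sample_luks_under_lvm; do
    echo "== $s"; "$s" | audit_unencrypted || echo "   ^ not behind LUKS"
done
```

On a live system the same function can be fed with `lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT | audit_unencrypted`; a non-zero exit status means at least one listed mount point is stored in the clear.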