
computing:raid

Differences

This shows you the differences between two versions of the page.

computing:raid [2019/02/25 04:21] oemb1905
computing:raid [2021/04/03 02:40] (current) oemb1905
Line 7: Line 7:
 ------------------------------------------- -------------------------------------------
  
-This tutorial is based on me wanting to set up a server solution for self-hosters that can survive a remote reboot, but also encrypt the data on the server that matters most, and most importantly, be able to give me a chance to replace a hard drive if one were to fail.  For those reasons, I chose RAID1 array as the wrapper, and used luks and pam_mount and once that array and debian OS were installed on my host with that arrangement - for short, I call this the 'RAID' tutorial, since that was the primary non-negotiable and all of this pivots around being able to replace failing hard drives first, and then building other 'backup' solutions on top of that later (see [[https://jonathanhaack.com/dokuwiki/doku.php?id=computing:rsyncrsnapshot|rsyncrsnapshot tutorial]].  For now, it is important to set up the RAID, luks, and pam_mount correctly, and here is what I got to work flawlessly. I used a debian stretch .iso that I ripped to a flash drive (full amd64DVD1.iso). +This tutorial is based on me wanting to set up a server solution for self-hosters that can survive a remote reboot, but also encrypt the data on the server that matters most, and most importantly, be able to give me a chance to replace a hard drive if one were to fail.  For those reasons, I chose RAID1 array as the wrapper, and used luks and pam_mount and once that array and debian OS were installed on my host with that arrangement - for short, I call this the 'RAID' tutorial, since that was the primary non-negotiable and all of this pivots around being able to replace failing hard drives first, and then building other 'backup' solutions on top of that later (see [[https://wiki.haacksnetworking.com/doku.php?id=computing:rsyncrsnapshot|rsyncrsnapshot tutorial]].  For now, it is important to set up the RAID, luks, and pam_mount correctly, and here is what I got to work flawlessly. I used a debian stretch .iso that I ripped to a flash drive (full amd64DVD1.iso). 
  
 (Optional:  I recommend not using the netinst.iso but the full DVD.iso instead.  I also do not use a network mirror, and do not install any other packages than the defaults, as I noticed this speeds up the install a lot.  Once the system is bootable and up, you can install the packages and rebuild the the OS as needed.  Debian keeps the repositories at [[https://wiki.debian.org/SourcesList|Debian Repositories]] web page and make sure that /etc/apt/sources.list is updated to those examples.  //Again, do this after the final RAID syncing below.//  Also, when you save time like this, you need to install sudo (yes, really).  Why?  The RAID1 array is suycing and slowing everything down a lot.  Just wait until it finishes, reboot, and then update.  And take as little time as possible during the install.  That's the plan I use ... ok, moving on!) (Optional:  I recommend not using the netinst.iso but the full DVD.iso instead.  I also do not use a network mirror, and do not install any other packages than the defaults, as I noticed this speeds up the install a lot.  Once the system is bootable and up, you can install the packages and rebuild the the OS as needed.  Debian keeps the repositories at [[https://wiki.debian.org/SourcesList|Debian Repositories]] web page and make sure that /etc/apt/sources.list is updated to those examples.  //Again, do this after the final RAID syncing below.//  Also, when you save time like this, you need to install sudo (yes, really).  Why?  The RAID1 array is suycing and slowing everything down a lot.  Just wait until it finishes, reboot, and then update.  And take as little time as possible during the install.  That's the plan I use ... ok, moving on!)
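Review bot: The rewritten intro line still leaves the parenthesis opened at "(see [[" unclosed: the link ends with "]]." and no ")" follows, so the aside runs into the next sentence. Since this line is already being touched for the URL change, add the ")" before the period. The same line names "a debian stretch .iso" while the new revision is dated 2021; state which release the steps were last checked against so readers know whether a newer image changes anything.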
Line 94: Line 94:
   mdadm --readwrite /dev/mdx [restart]   mdadm --readwrite /dev/mdx [restart]
      
-If a drive failsyou need to deactivate itactivate the replacement and then allow enough time for syncing.  That tutorial is next and will go below.  It centers around mdadm commands to deactivate the old driveand with sfdisk to create an identical partition table on the new device.  More later on that ...+Okaythe point of this is to combine RAID with pam_mount handlind the mounting of the crypt, and we also need ssh pubkey authentication.  But, without some tweaks, we would never be able to access the public keywhich is in the crypt on the server.  So, we need to move a copy of the public keys outside the crypt.  Here is how: 
 + 
 +  cp -a ~/.ssh/authorized_keys /opt/authorizedkeys 
 +  sudo nano /etc/ssh/sshd_config 
 + 
 +Add the following parameter in the section that pertains to it: 
 + 
 +  AuthorizedKeysFile      /opt/authorized_keys 
 + 
 +Now, when you reboot, even if PasswordAuthentication and ChallengeResponse are set to "no," as long as PubKeyAuthentication is set to "yes" you will be able to do the following to mount the crypt.  This is because pam_mount is handling log in, and PAM is therefore allowing the password to be entered through the ssh tunnel because sshd_config also has Use PAM yes. 
 +   
 +  ssh user@xx.xx.xx.xx 
 +  screen 
 +  su - user 
 +  <authenticate> 
 + 
 +Nowpress ctrl-a-d to detach from the screen.   
 + 
 +  exit 
 + 
 +Okay, now you have survived reboot with a RAID array, with pam doing its magic for you on the crypt ... hardly a pain if it saves you       
 +a trip
  
 ------------------------------------------- -------------------------------------------
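Review bot: The copy target and the sshd setting do not match: the cp line writes to /opt/authorizedkeys while AuthorizedKeysFile points at /opt/authorized_keys, so after the reboot sshd finds no keys at the configured path, and with PasswordAuthentication and ChallengeResponse set to "no" that leaves no way back into a remote box. Use one path in both lines and confirm that a second ssh session succeeds before closing the current one. A single fixed path also means the same file is consulted for every account on the host; a per-user pattern such as /opt/authorized_keys/%u keeps each key list tied to its owner, and the file should stay owned by that user or root and not be group- or world-writable. The prose spells the directive as "Use PAM yes", which sshd_config will reject if copied; the keyword is UsePAM. Finally, the removed paragraph was the only pointer to the failed-drive replacement procedure (mdadm plus sfdisk), which the intro calls the primary goal; keep a placeholder or a link so that step is not lost.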
computing/raid.txt · Last modified: 2021/04/03 02:40 by oemb1905