Overview
This post documents a CentOS 7 build on a physical server that automates the following tasks:
- Configure an LACP Network Bond
- Encrypt multiple disks
- Create unique keys to auto-mount the encrypted disks at boot
DVD Boot
Boot from the DVD (CentOS-7-x86_64-DVD-2009.iso) and add the following custom boot options (appended all on one line) to grab the Kickstart file from the webserver and create an LACP Bond network connection.
The ip= argument uses the dracut static-address form (the empty second field is the unused peer address; the netmask can be a dotted mask or, as here, a prefix length):
ip=ip::gateway:netmask:hostname:interface:none
linux ip=10.x.x.x::10.x.x.1:24:server01:bond0:none nameserver=10.x.x.2 inst.ks=http://10.x.x.4/ks.cfg bond=bond0:p1p1,p4p1:mode=802.3ad,lacp_rate=fast,miimon=100,xmit_hash_policy=layer2+3
Note: In order to get the device names for the NICs I initially performed a vanilla install from the DVD using the GUI.
For more information on booting from the DVD and adding the custom boot options refer to the following links:
- https://www.dell.com/support/kbdoc/en-au/000124001/using-the-virtual-media-function-on-idrac-6-7-8-and-9
- https://docs.centos.org/en-US/centos/install-guide/Boot_x86/#chap-booting-installer-x86
- https://docs.centos.org/en-US/centos/install-guide/Kickstart2/#sect-kickstart-installation-starting
- https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/performing_an_advanced_rhel_installation/kickstart-and-advanced-boot-options_installing-rhel-as-an-experienced-user
Encryption Objectives
The customer asked for the /home mount and the secondary disk to be encrypted. The usual recommendation is to encrypt the whole disk with LUKS and build LVM on top of it, but that was not possible for /home because the other logical volumes in the same volume group were to remain unencrypted. /home is therefore an encrypted logical volume (LUKS on LVM), while the secondary disk is a LUKS partition with LVM on top. Two consequences of this design are worth keeping in mind: the bootstrap passphrase in the kickstart travels over plain HTTP and stays in LUKS key slot 0 after the build, so it should be changed with cryptsetup luksChangeKey to an escrowed recovery passphrase once the server is up; and because the keyfile that auto-unlocks both volumes lives on the unencrypted root filesystem, the encryption only protects the data if the data disk is separated from the system disk (a failed or decommissioned 40TB array, for example).
Kickstart file
auth --enableshadow --passalgo=sha512
cdrom
text
firstboot --disable
keyboard --vckeymap=us --xlayouts='us'
lang en_AU.UTF-8
network --bootproto static --ip=10.x.x.x --netmask=255.255.255.0 --gateway=10.x.x.1 --hostname=server01 --nameserver=10.x.x.2,10.x.x.3
rootpw --iscrypted $6$d7F8dmHnyIn7oGzY$3RiVNxjuQssQPWLU4Lxo/IZ7LlEp4.EjZ/Pl6rC9HPdPJeRwnfz30quIIsJEg4WqtO24gW8SJXKT9e30Ep7Wl0
timezone Australia/Perth --isUtc --nontp
bootloader --append=" crashkernel=auto" --location=mbr --boot-drive=sdb
zerombr
clearpart --all
part /boot --fstype=xfs --ondisk=sdb --size=1024
part /boot/efi --fstype=efi --ondisk=sdb --size=200
part pv.01 --size=1000 --grow --ondisk=sdb
volgroup VolGroup00 --pesize=4096 pv.01
logvol swap --vgname=VolGroup00 --name=LogVol00 --fstype=swap --size=16384
logvol / --vgname=VolGroup00 --name=LogVol01 --fstype=xfs --size=102400
logvol /home --vgname=VolGroup00 --name=LogVol02 --fstype=xfs --size=10240 --encrypted --cipher=aes-xts-plain64 --passphrase=Password1
logvol /var --vgname=VolGroup00 --name=LogVol03 --fstype=xfs --size=10240
logvol /mnt1 --vgname=VolGroup00 --name=LogVol04 --fstype=xfs --size=10240
logvol /mnt2 --vgname=VolGroup00 --name=LogVol05 --fstype=xfs --size=20480
logvol /mnt3 --vgname=VolGroup00 --name=LogVol06 --fstype=xfs --size=10240
part pv.02 --size=1000 --grow --ondisk=sda --encrypted --cipher=aes-xts-plain64 --passphrase=Password1
volgroup VolGroup01 --pesize=4096 pv.02
logvol /mnt4 --vgname=VolGroup01 --name=LogVol00 --fstype=xfs --size=1024 --grow
reboot
%packages
@^minimal
@core
bind-utils
chrony
kexec-tools
net-tools
vim
%end
%addon com_redhat_kdump --enable --reserve-mb='auto'
%end
%anaconda
pwpolicy root --minlen=6 --minquality=1 --notstrict --nochanges --notempty
pwpolicy user --minlen=6 --minquality=1 --notstrict --nochanges --emptyok
pwpolicy luks --minlen=6 --minquality=1 --notstrict --nochanges --notempty
%end
%post
logger "Starting anaconda postinstall"
exec < /dev/tty3 > /dev/tty3
/usr/bin/chvt 3
(
# luks key: 32 random bytes, created under a restrictive umask so the file is
# never readable by anyone but root. /dev/urandom is used because /dev/random
# can block or return fewer bytes than requested in the installer environment,
# and iflag=fullblock makes dd keep reading until the whole block is filled.
umask 077
dd if=/dev/urandom bs=32 count=1 iflag=fullblock of=/root/.luksKey
chmod 0600 /root/.luksKey
# Enrol the keyfile in a second slot of each LUKS volume using the kickstart
# passphrase (slot 0), then confirm the keyfile actually unlocks the volume
# before crypttab is pointed at it.
for dev in /dev/sda1 /dev/mapper/VolGroup00-LogVol02; do
    echo 'Password1' | cryptsetup luksAddKey "$dev" /root/.luksKey
    cryptsetup luksOpen --test-passphrase --key-file /root/.luksKey "$dev" \
        || echo "WARNING: keyfile does not unlock $dev" >&2
done
# Replace the "none" key field anaconda wrote for each volume with the keyfile path.
sed -i 's/none/\/root\/.luksKey/' /etc/crypttab
) 2>&1 | tee /root/install.post.log
exit 0
%end
Note: The disk device names will sometimes switch at build, requiring a rebuild, but for the eight server builds I performed for this job around 80% of the time the system disk (200GB) was named /dev/sdb and the additional storage disk (40TB) was named /dev/sda. I believe this game of chance can be resolved by using SCSI device IDs, but I needed to use the /dev/sda device name when creating the LUKS key anyway.
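One way to take the device-name lottery out of the key step is to read the LUKS volumes from /etc/crypttab, which anaconda writes with UUID= references, and address them through /dev/disk/by-uuid. The script below is an added example written for this page, not the kickstart from the post. It assumes the cryptsetup shipped with CentOS 7, that the bootstrap passphrase is supplied in the environment variable KS_LUKS_PASS, and that the live run is only triggered with LUKS_POST_APPLY=1 (both variable names are chosen here); without that flag it only exercises the crypttab handling on a constructed sample, so it can be tested anywhere.

```sh
#!/bin/sh
# Added example, not the kickstart from this post: enrol a generated keyfile in
# every LUKS volume listed in /etc/crypttab, addressing each volume by UUID so
# the script does not care whether the data disk came up as sda or sdb.
# Assumptions (names chosen for this example): CentOS 7 cryptsetup, the
# bootstrap passphrase in $KS_LUKS_PASS, and LUKS_POST_APPLY=1 to run for real.

KEYFILE="${KEYFILE:-/root/.luksKey}"

# 64 random bytes from the kernel CSPRNG. head -c keeps reading until it has
# all 64 bytes, which avoids the short-read problem of "dd count=1".
gen_keyfile() {
    umask 077
    head -c 64 /dev/urandom > "$1" && chmod 0600 "$1"
    [ "$(wc -c < "$1" | tr -d ' ')" -eq 64 ]
}

# Print the UUID of each crypttab entry whose device column is UUID=<uuid>,
# skipping comment lines. $1 = path to a crypttab file.
crypttab_uuids() {
    awk 'NF >= 2 && $1 !~ /^#/ && $2 ~ /^UUID=/ { print substr($2, 6) }' "$1"
}

# Emit $1 with the key column (third field) changed from "none" to $2;
# comment lines and entries that already name a key pass through unchanged.
crypttab_with_keyfile() {
    awk -v key="$2" 'NF >= 3 && $1 !~ /^#/ && $3 == "none" { $3 = key } { print }' "$1"
}

# Add the keyfile to one volume via the bootstrap passphrase (slot 0), then
# prove it unlocks before crypttab is allowed to depend on it.
enrol_keyfile() {
    dev="/dev/disk/by-uuid/$1"
    printf '%s\n' "$KS_LUKS_PASS" | cryptsetup luksAddKey "$dev" "$KEYFILE" || return 1
    cryptsetup luksOpen --test-passphrase --key-file "$KEYFILE" "$dev"
}

# The %post body: generate, enrol everywhere, then rewrite crypttab atomically.
kickstart_post() {
    gen_keyfile "$KEYFILE" || { echo "keyfile generation failed" >&2; return 1; }
    for u in $(crypttab_uuids /etc/crypttab); do
        enrol_keyfile "$u" || { echo "keyfile enrolment failed for $u" >&2; return 1; }
    done
    crypttab_with_keyfile /etc/crypttab "$KEYFILE" > /etc/crypttab.new \
        && mv /etc/crypttab.new /etc/crypttab
}

# Constructed sample of what anaconda writes for the two volumes in this post.
write_sample_crypttab() {
    cat > "$1" <<'EOF'
# constructed sample for the example
luks-cd84ae57-7f5d-4632-870c-b24fcc0b51b1 UUID=cd84ae57-7f5d-4632-870c-b24fcc0b51b1 none
luks-e9b31b1c-cab5-41bc-9e71-226fc0d6bed4 UUID=e9b31b1c-cab5-41bc-9e71-226fc0d6bed4 none
EOF
}

if [ "${LUKS_POST_APPLY:-0}" = 1 ]; then
    kickstart_post
else
    # Dry run on the constructed sample: shows the rewrite without touching disks.
    tmp=$(mktemp -d)
    write_sample_crypttab "$tmp/crypttab"
    crypttab_uuids "$tmp/crypttab"
    crypttab_with_keyfile "$tmp/crypttab" "$KEYFILE"
    rm -rf "$tmp"
fi
```

Inside %post this would be invoked as `KS_LUKS_PASS='Password1' LUKS_POST_APPLY=1 sh luks-keys.sh`. Deliberately absent is any `luksRemoveKey` of slot 0: deleting the passphrase would leave the keyfile on the unencrypted root as the only way in, so the better follow-up is `cryptsetup luksChangeKey` to a recovery passphrase that is escrowed outside the server.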
Post Install Summary
Device Listing
# lsblk
NAME                                           MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
sda                                              8:0    0  41.9T  0 disk
+-sda1                                           8:1    0  41.9T  0 part
  +-luks-cd84ae57-7f5d-4632-870c-b24fcc0b51b1  253:7    0  41.9T  0 crypt
    +-VolGroup01-LogVol00                      253:8    0  41.9T  0 lvm   /mnt4
sdb                                              8:16   0 223.5G  0 disk
+-sdb1                                           8:17   0   200M  0 part  /boot/efi
+-sdb2                                           8:18   0     1G  0 part  /boot
+-sdb3                                           8:19   0 222.3G  0 part
  +-VolGroup00-LogVol01                        253:0    0   100G  0 lvm   /
  +-VolGroup00-LogVol00                        253:1    0    16G  0 lvm   [SWAP]
  +-VolGroup00-LogVol06                        253:2    0    10G  0 lvm   /mnt3
  +-VolGroup00-LogVol05                        253:3    0    20G  0 lvm   /mnt2
  +-VolGroup00-LogVol04                        253:4    0    10G  0 lvm   /mnt1
  +-VolGroup00-LogVol03                        253:5    0    10G  0 lvm   /var
  +-VolGroup00-LogVol02                        253:6    0    10G  0 lvm
    +-luks-e9b31b1c-cab5-41bc-9e71-226fc0d6bed4 253:9  0    10G  0 crypt /home
sr0                                             11:0    1   4.4G  0 rom
LUKS Key Slots
Key slot 0 holds the passphrase from the kickstart and key slot 1 the keyfile added in %post; slots 2 to 7 are free.
# cryptsetup luksDump /dev/sda1
LUKS header information for /dev/sda1
Version: 1
Cipher name: aes
Cipher mode: xts-plain64
Hash spec: sha256
Payload offset: 4096
MK bits: 512
MK digest: 75 d1 30 8e da 08 cf ea 8e 2a 86 f9 17 9c 9f 18 3f 8f 79 a0
MK salt: 65 95 45 22 bc 2f ab 03 f4 6d a0 86 75 e5 66 c2
ec e9 da 8c 9c b7 cc b6 a1 e3 b8 ea fe f6 79 22
MK iterations: 20750
UUID: cd84ae57-7f5d-4632-870c-b24fcc0b51b1
Key Slot 0: ENABLED
Iterations: 167757
Salt: ba 5e b6 a3 7c 5d 20 cb b1 ba de 08 a0 10 35 13
4b aa b5 24 c3 23 1e 38 1d 1f 52 4a 02 7b 1e b8
Key material offset: 8
AF stripes: 4000
Key Slot 1: ENABLED
Iterations: 414128
Salt: fa ca b1 39 0f 39 b5 44 c4 f8 32 08 9a d6 aa c8
49 3b ce b0 10 fd 81 f7 a6 42 ee 9a 95 26 3e 43
Key material offset: 512
AF stripes: 4000
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
LACP Bond
# cat /proc/net/bonding/bond0
Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)
Bonding Mode: IEEE 802.3ad Dynamic link aggregation
Transmit Hash Policy: layer2+3 (2)
MII Status: up
MII Polling Interval (ms): 100
Up Delay (ms): 0
Down Delay (ms): 0
802.3ad info
LACP rate: fast
Min links: 0
Aggregator selection policy (ad_select): stable
System priority: 65535
System MAC address: bc:97:e1:cd:83:80
Active Aggregator Info:
Aggregator ID: 1
Number of ports: 1
Actor Key: 21
Partner Key: 40
Partner Mac Address: a0:11:22:33:44:10
Slave Interface: p4p1
MII Status: up
Speed: 25000 Mbps
Duplex: full
Link Failure Count: 0
Permanent HW addr: bc:97:e1:cd:83:80
Slave queue ID: 0
Aggregator ID: 1
Actor Churn State: none
Partner Churn State: none
Actor Churned Count: 0
Partner Churned Count: 0
details actor lacp pdu:
system priority: 65535
system mac address: bc:97:e1:cd:83:80
port key: 21
port priority: 255
port number: 1
port state: 63
details partner lacp pdu:
system priority: 4096
system mac address: a0:11:22:33:44:10
oper key: 40
port priority: 32768
port number: 66
port state: 61
Slave Interface: p1p1
MII Status: down
Speed: Unknown
Duplex: Unknown
Link Failure Count: 0
Permanent HW addr: 2c:ea:7f:5b:75:22
Slave queue ID: 0
Aggregator ID: 2
Actor Churn State: churned
Partner Churn State: churned
Actor Churned Count: 1
Partner Churned Count: 1
details actor lacp pdu:
system priority: 65535
system mac address: bc:97:e1:cd:83:80
port key: 0
port priority: 255
port number: 2
port state: 71
details partner lacp pdu:
system priority: 65535
system mac address: 00:00:00:00:00:00
oper key: 1
port priority: 255
port number: 1
port state: 1
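In the dump above only p4p1 is carrying traffic: the active aggregator reports "Number of ports: 1", and p1p1 shows "MII Status: down" with its own Aggregator ID of 2, so the bond has no redundancy until that link comes up. The check below is an added example for this page, not a tool from the post: it parses a bonding dump and fails unless every slave has link, every slave sits in the active aggregator, and the slave count matches what was requested. The sample dump is constructed from the lines shown above; the healthy variant is what the same dump should look like once p1p1 has link.

```sh
#!/bin/sh
# Added example, not part of the original post: a post-install check that reads
# a /proc/net/bonding/<bond> dump and fails unless every slave has link and sits
# in the active aggregator. Function names and the sample dump are constructed.

# $1 = file holding the bonding dump, $2 = expected slave count (optional).
# Prints one line per problem found and returns 1 if there was any.
check_bond() {
    awk -v want="${2:-0}" '
        /^Active Aggregator Info:/                  { in_active = 1 }
        in_active && /^[ \t]*Aggregator ID:/        { active = $3; in_active = 0; next }
        /^Slave Interface:/                         { slave = $3; nslaves++ }
        slave && /^MII Status:/ && $3 != "up"       { print slave ": link " $3; bad++ }
        slave && /^Aggregator ID:/ && $3 != active  {
            print slave ": aggregator " $3 " != active " active; bad++ }
        END {
            if (want && nslaves != want) { print nslaves " slaves, expected " want; bad++ }
            exit (bad > 0)
        }' "$1"
}

# Constructed sample: the relevant lines of the dump shown in this post, where
# p1p1 has no link and ended up in its own aggregator (ID 2).
write_bond_sample() {
    cat > "$1" <<'EOF'
Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)

Bonding Mode: IEEE 802.3ad Dynamic link aggregation
Transmit Hash Policy: layer2+3 (2)
MII Status: up
MII Polling Interval (ms): 100

802.3ad info
LACP rate: fast
Min links: 0
Aggregator selection policy (ad_select): stable

Active Aggregator Info:
    Aggregator ID: 1
    Number of ports: 1
    Actor Key: 21
    Partner Key: 40

Slave Interface: p4p1
MII Status: up
Speed: 25000 Mbps
Duplex: full
Link Failure Count: 0
Aggregator ID: 1

Slave Interface: p1p1
MII Status: down
Speed: Unknown
Duplex: Unknown
Link Failure Count: 0
Aggregator ID: 2
EOF
}

# The same dump as it should look once p1p1 has link and joins aggregator 1.
write_healthy_bond_sample() {
    write_bond_sample "$1"
    sed -e 's/^MII Status: down$/MII Status: up/' \
        -e '/^Slave Interface: p1p1$/,$ s/^Aggregator ID: 2$/Aggregator ID: 1/' \
        -e 's/^    Number of ports: 1$/    Number of ports: 2/' "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# Stand-alone demo on the constructed sample; on a live host run
# check_bond /proc/net/bonding/bond0 2 instead.
tmp=$(mktemp -d)
write_bond_sample "$tmp/bond0"
if check_bond "$tmp/bond0" 2; then echo "bond0: healthy"; else echo "bond0: NOT healthy"; fi
rm -rf "$tmp"
```

Run against the sample from this post the check reports "p1p1: link down" and "p1p1: aggregator 2 != active 1" and exits non-zero, which is the condition a build pipeline should refuse to sign off on; it passes once both slaves are up in aggregator 1.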
Fantastic guide! Thanks!