[tor-bugs] #32937 [Internal Services/Tor Sysadmin Team]: install a new node in the gnt-fsn cluster (fsn-node-03)

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Jan 22 19:52:01 UTC 2020


#32937: install a new node in the gnt-fsn cluster (fsn-node-03)
-------------------------------------------------+-------------------------
 Reporter:  anarcat                              |          Owner:  anarcat
     Type:  project                              |         Status:
                                                 |  accepted
 Priority:  Medium                               |      Milestone:
Component:  Internal Services/Tor Sysadmin Team  |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:                                       |  Actual Points:
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by anarcat):

 okay, after help from MrFai on IRC, I got this config to work, which is
 pretty frigging awesome:

 {{{
 # FAI setup-storage layout for fsn-node-03: two NVMe disks and two HDDs,
 # each pair mirrored with mdadm RAID1. The two large arrays (md1, md2) are
 # LUKS-formatted and used as LVM physical volumes; /boot (md0) is not listed
 # under "disk_config cryptsetup", so it stays unencrypted.
 #
 # open questions
 # --align=optimal?
 # leave keys in /tmp/fai or specify passphrase?
 #   NOTE(review): with this config the run generates one keyfile per LUKS
 #   device under /tmp/fai and formats the device with it; the run output shows
 #   no other key being enrolled, so that file is the only way to open the
 #   volume until a passphrase or another key is added.
 # use sameas: to set all disk names earlier?
 # bios_grub flag?
 #   NOTE(review): the run only sets "boot" (and later "raid") on partition 2;
 #   nothing is set on the 8MiB partition 1.

 # First NVMe disk: GPT label, partition 2 flagged bootable.
 disk_config nvme0n1 disklabel:gpt bootable:2
 # bios grub second stage
 primary -       8MiB    -       -
 # /boot
 primary -       512MiB  -       -
 # rest is RAID+LUKS+LVM
 primary -       0-      -       -

 # Second NVMe disk: identical layout so each partition can be mirrored.
 disk_config nvme1n1 disklabel:gpt bootable:2
 # same as above
 primary -       8MiB    -       -
 primary -       512MiB  -       -
 primary -       0-      -       -

 # HDDs: a single partition spanning each disk, mirrored below.
 disk_config sda disklabel:gpt
 primary -       0-      -       -

 disk_config sdb disklabel:gpt
 primary -       0-      -       -

 # RAID1 arrays, numbered in the order listed: md0 = /boot, md1 = NVMe data,
 # md2 = HDD data (matches the mdadm --create calls in the run output).
 # NOTE: the /boot entry is wrapped by the mail archive; its options field is
 # presumably "rw,noatime,errors=remount-ro" on one line in the real file.
 disk_config raid fstabkey:uuid
 raid1   /boot   nvme0n1p2,nvme1n1p2     ext4    rw,noatime,errors=remount-
 ro
 raid1   -       nvme0n1p3,nvme1n1p3     -       -
 raid1   -       sda1,sdb1       -       -

 # FAI defaults to -c aes-xts-plain64 -s 256
 # NOTE(review): in XTS mode a 256-bit key is split into two 128-bit halves,
 # i.e. AES-128; confirm that is the intended strength.
 disk_config cryptsetup
 luks    -       /dev/md1        -       -
 luks    -       /dev/md2        -       -

 disk_config lvm fstabkey:uuid
 # previous convention was "vg_$hostname"
 # vg_nvme sits on the LUKS mapping of md1, so root and swap are both encrypted.
 vg      vg_nvme md1
 vg_nvme-root    /       30G     ext4    rw
 vg_nvme-swap    swap    1G      swap    sw

 # vg_hdd sits on the LUKS mapping of md2; no logical volumes are created here.
 vg      vg_hdd  md2

 # HDD disks config intentionally left blank
 }}}

 This gives us the following non-verbose run, which is also pretty awesome:

 {{{
 root@rescue ~ # setup-storage -f setup-storage-fsn-node-3 -X
 Starting setup-storage 2.2
 Using config file: setup-storage-fsn-node-3
     No volume groups found.
 Executing: wipefs -af /dev/nvme0n1p1
 Executing: wipefs -af /dev/nvme1n1p1
 Executing: mdadm --stop --scan
 Executing: mdadm --assemble --scan --config=/tmp/fai/mdadm-from-
 examine.conf
 Executing: mdadm -W --stop /dev/md0
 Executing: mdadm -W --stop /dev/md1
 Executing: mdadm -W --stop /dev/md2
 Executing: head -c 2048 /dev/urandom | od | tee /tmp/fai/crypt_dev_md1
 Executing: head -c 2048 /dev/urandom | od | tee /tmp/fai/crypt_dev_md2
 Executing: wipefs -af /dev/nvme0n1p2
 Executing: wipefs -af /dev/nvme0n1p3
 Executing: parted -s /dev/nvme0n1 mklabel gpt
 Executing: parted -s /dev/nvme0n1 mkpart primary "" 1048576B 9437183B
 Executing: parted -s /dev/nvme0n1 mkpart primary "" 9437184B 546308095B
 Executing: parted -s /dev/nvme0n1 set 2 boot on
 Executing: parted -s /dev/nvme0n1 mkpart primary "" 546308096B
 960197107199B
 Executing: wipefs -af /dev/sdb1
 Executing: parted -s /dev/sdb mklabel gpt
 Executing: parted -s /dev/sdb mkpart primary "" 1048576B 10000831331839B
 Executing: wipefs -af /dev/sda1
 Executing: parted -s /dev/sda mklabel gpt
 Executing: parted -s /dev/sda mkpart primary "" 1048576B 10000831331839B
 Executing: wipefs -af /dev/nvme1n1p2
 Executing: wipefs -af /dev/nvme1n1p3
 Executing: parted -s /dev/nvme1n1 mklabel gpt
 Executing: parted -s /dev/nvme1n1 mkpart primary "" 1048576B 9437183B
 Executing: parted -s /dev/nvme1n1 mkpart primary "" 9437184B 546308095B
 Executing: parted -s /dev/nvme1n1 set 2 boot on
 Executing: parted -s /dev/nvme1n1 mkpart primary "" 546308096B
 960197107199B
 Executing: parted -s /dev/nvme1n1 set 2 raid on
 Executing: parted -s /dev/nvme0n1 set 2 raid on
 Executing: parted -s /dev/nvme0n1 set 3 raid on
 Executing: parted -s /dev/nvme1n1 set 3 raid on
 Executing: parted -s /dev/sdb set 1 raid on
 Executing: parted -s /dev/sda set 1 raid on
 Executing: yes | mdadm --create  /dev/md0 --level=raid1 --force --run
 --raid-devices=2 /dev/nvme1n1p2 /dev/nvme0n1p2
 Executing: mkfs.ext4  /dev/md0
 Executing: yes | mdadm --create  /dev/md1 --level=raid1 --force --run
 --raid-devices=2 /dev/nvme0n1p3 /dev/nvme1n1p3
 Executing: yes | mdadm --create  /dev/md2 --level=raid1 --force --run
 --raid-devices=2 /dev/sdb1 /dev/sda1
 Executing: yes YES | cryptsetup luksFormat /dev/md1 /tmp/fai/crypt_dev_md1
 Executing: cryptsetup luksOpen /dev/md1 crypt_dev_md1 --key-file
 /tmp/fai/crypt_dev_md1
 Executing: yes YES | cryptsetup luksFormat /dev/md2 /tmp/fai/crypt_dev_md2
 Executing: cryptsetup luksOpen /dev/md2 crypt_dev_md2 --key-file
 /tmp/fai/crypt_dev_md2
 Executing: pvcreate -ff -y  /dev/mapper/crypt_dev_md2
 Executing: vgcreate  vg_hdd  /dev/mapper/crypt_dev_md2
 Executing: vgchange -a y vg_hdd
 Executing: pvcreate -ff -y  /dev/mapper/crypt_dev_md1
 Executing: vgcreate  vg_nvme  /dev/mapper/crypt_dev_md1
 Executing: vgchange -a y vg_nvme
 Executing: lvcreate  --yes -n root -L 30720 vg_nvme
 Executing: mkfs.ext4  /dev/vg_nvme/root
 Executing: lvcreate  --yes -n swap -L 1024 vg_nvme
 Executing: mkswap  /dev/vg_nvme/swap
 /dev/md0 UUID=4bfcb3a7-c549-4c1b-be3a-ff2f5648525e
 /dev/vg_nvme/swap UUID=71656b76-e3c0-46e0-b171-a6ff78fcd5c4
 /dev/vg_nvme/root UUID=f96dc710-9044-485a-9120-3075f28aa697
 }}}

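 This also leaves configuration files in `/tmp/fai`, including
 `mdadm.conf`, `fstab`, a (broken) `crypttab` (broken because it requires
 keyfiles) and the two LUKS keyfiles. Those keyfiles are the only keys the
 run above enrolled on `/dev/md1` and `/dev/md2`, so a passphrase has to be
 added (or the keyfiles stored somewhere safe) before `/tmp/fai` goes away.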

 i'll start with this and move ahead with the next step of the install
 process.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/32937#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

