| Both sides previous revisionPrevious revisionNext revision | Previous revision |
| advanced:target [2018/10/04 23:48] – [Enable encryption, and create an encrypted dataset] dan | advanced:target [2018/10/10 00:02] (current) – [Build ZFS on Linux] dan |
|---|
| |
| Unfortunately, the Ubuntu 18.04 image uses a 32-bit kernel, and the available ZFS packages aren't compatible with a 32-bit kernel. This means I'll need to compile the ZFS pieces myself, and they're not known to be stable with a 32-bit kernel in any event. Updates to come. | Unfortunately, the Ubuntu 18.04 image uses a 32-bit kernel, and the available ZFS packages aren't compatible with a 32-bit kernel. This means I'll need to compile the ZFS pieces myself, and they're not known to be stable with a 32-bit kernel in any event. Updates to come. |
| | ===== Create a non-privileged user with sudo capability ===== |
| ===== Rebuild the kernel ===== | <code> |
| To ensure you have the headers for the running kernel installed, run the following commands (taken from the [[https://wiki.odroid.com/odroid-xu4/software/building_kernel#y|Hardkernel wiki]]): | adduser fred |
| | usermod -aG sudo fred |
| | </code> |
| | ===== Install the kernel headers ===== |
| | In order to build ZFS, you must have the headers for the running kernel installed on the system. |
| <code> | <code> |
| sudo apt update && sudo apt upgrade | wget http://deb.odroid.in/5422-s/pool/main/l/linux-source-4.14.73-136/linux-headers-4.14.73-136_20181001_armhf.deb |
| sudo apt install git gcc g++ build-essential | sudo dpkg -i linux-headers-4.14.73-136_20181001_armhf.deb |
| git clone --depth 1 https://github.com/hardkernel/linux -b odroidxu4-4.14.y | |
| cd linux | |
| make odroidxu4_defconfig | |
| make -j8 | |
| sudo make modules_install | |
| sudo cp -f arch/arm/boot/zImage /media/boot | |
| sudo cp -f arch/arm/boot/dts/exynos5422-odroidxu3.dtb /media/boot | |
| sudo cp -f arch/arm/boot/dts/exynos5422-odroidxu4.dtb /media/boot | |
| sudo cp -f arch/arm/boot/dts/exynos5422-odroidxu3-lite.dtb /media/boot | |
| sudo cp .config /boot/config-`make kernelrelease` | |
| sudo update-initramfs -c -k `make kernelrelease` | |
| sudo mkimage -A arm -O linux -T ramdisk -C none -a 0 -e 0 -n uInitrd -d /boot/initrd.img-`make kernelrelease` /boot/uInitrd-`make kernelrelease` | |
| sudo cp /boot/uInitrd-`make kernelrelease` /media/boot/uInitrd | |
| sync | |
| </code> | </code> |
| Then reboot your system to start using the new kernel. | |
| |
| ===== Build ZFS on Linux ===== | ===== Build ZFS on Linux ===== |
| These instructions are taken from the [[https://github.com/zfsonlinux/zfs/wiki/Building-ZFS|ZFSonLinux Wiki]]. First, install the necessary dependencies: | These instructions are taken from the [[https://github.com/zfsonlinux/zfs/wiki/Building-ZFS|ZFSonLinux Wiki]]. First, install the necessary dependencies: |
| <code> | <code> |
| sudo apt install build-essential autoconf libtool gawk alien fakeroot zlib1g-dev uuid-dev libattr1-dev libblkid-dev libselinux-dev libudev-dev parted lsscsi ksh libssl-dev libelf-dev | sudo apt install git build-essential autoconf libtool gawk alien fakeroot zlib1g-dev uuid-dev libattr1-dev libblkid-dev libselinux-dev libudev-dev parted lsscsi ksh libssl-dev libelf-dev |
| </code> | </code> |
| Then download, build, and install the ZFS code: | Then download, build, and install the ZFS code: |
| |
| ===== Enable encryption, and create an encrypted dataset ===== | ===== Enable encryption, and create an encrypted dataset ===== |
| **FreeNAS doesn't support OpenZFS encryption at this time, and it's not possible to replicate from a non-encrypted dataset to an encrypted one. This documentation is left for the sake of completeness.** | |
| |
| The idea of this system is to be a standalone storage "brick", which could be left at a remote location where you might not fully trust the network operator. ZFS on Linux supports dataset encryption for this purpose, and material for this section is drawn from this [[https://datacenteroverlords.com/2017/12/17/zfs-on-linux-with-encryption-part-2/|blog post]]. You'll first need to enable that feature on your pool: | The idea of this system is to be a standalone storage "brick", which could be left at a remote location where you might not fully trust the network operator. ZFS on Linux supports dataset encryption for this purpose, and material for this section is drawn from this [[https://datacenteroverlords.com/2017/12/17/zfs-on-linux-with-encryption-part-2/|blog post]]. You'll first need to enable that feature on your pool: |
| |
| ===== Create a replication user ===== | ===== Create a replication user ===== |
| For the sake of security, it would be best if replication to this device ran as a user other than root. Start by creating the user: | For the sake of security, it would be best if replication to this device ran as a user other than root. First, create a user in the FreeNAS web GUI called ''zfsuser''. Note the numeric userid for that user. |
| | |
| | Then, on the Odroid, as root, run |
| <code> | <code> |
| adduser zfsuser | adduser zfsuser -u userid -s /bin/false |
| </code> | |
| Disable login for that user: | |
| <code> | |
| chsh -s /bin/false zfsuser | |
| </code> | |
| Generate a SSH keypair for that user: | |
| <code> | |
| sudo -u zfsuser ssh-keygen | |
| </code> | </code> |
| | where "userid" is the numeric user ID noted on the FreeNAS box. |
| | |
| Now allow that user to make changes on the encrypted dataset: | Now allow that user to make changes on the encrypted dataset: |
| <code> | <code> |
| zfs allow -ldu zfsuser create,destroy,diff,mount,readonly,receive,release,send,userprop dozer/backup | zfs allow -ldu zfsuser create,destroy,diff,mount,readonly,receive,release,send,userprop dozer/backup |
| </code> | </code> |
| | ===== Install Zerotier ===== |
| | [[https://zerotier.com/|Zerotier]] will create an encrypted virtual network connection between your Odroid and your FreeNAS box. It's installed by default on FreeNAS, but you'll need to install it on the Odroid. Run these commands: |
| | <code> |
| | sudo apt install curl |
| | curl https://install.zerotier.com | sudo bash |
| | </code> |