203.3 Creating and configuring filesystem options
Description: Candidates should be able to configure automount filesystems using AutoFS. This objective includes configuring automount for network and device filesystems. Also included is creating filesystems for devices such as CD-ROMs and a basic feature knowledge of encrypted filesystems.
Key Knowledge Areas:
autofs configuration files
Understanding of automount units
UDF and ISO9660 tools and utilities
Awareness of other CD-ROM filesystems (HFS)
Awareness of CD-ROM filesystem extensions (Joliet, Rock Ridge, El Torito)
Basic feature knowledge of data encryption (dm-crypt / LUKS)
Terms and Utilities:
We have already worked with fstab and its usage. When we mount a device through fstab it is always mounted and ready. That is fine, except when we are using NFS, CIFS, SMB, ... over the network. The idea of autofs is to mount on demand: the filesystem is mounted when it is first accessed and unmounted again when it is no longer used. That is all! This way we avoid the network overhead of a permanent mount.
root@server1:~# apt install autofs
autofs puts its configuration files in the /etc directory:
root@server1:~# ls -l /etc/auto*
-rw-r--r-- 1 root root 12596 Jun 22  2017 /etc/autofs.conf
-rw-r--r-- 1 root root   797 Jun 22  2017 /etc/auto.master
-rw-r--r-- 1 root root   524 Jun 22  2017 /etc/auto.misc
-rwxr-xr-x 1 root root  1039 Jun 22  2017 /etc/auto.net
-rwxr-xr-x 1 root root  2191 Jun 22  2017 /etc/auto.smb
auto.master is the main autofs configuration file and the first one autofs reads. Inside auto.master we specify where the mount point should be and which map file describes what gets mounted there. It may look strange, but that is the way autofs works: beside auto.master you usually need other auto.* map files, referenced from auto.master, which define the directories to create and mount. The format of the master map is:
mount-point map-name options
Each entry in the map file then names a key (a subdirectory under the mount point) and what to mount there; with mount point /mynfs and key dir1 the result would be /mynfs/dir1. Let's get our hands dirty and see what is inside auto.master:
#
# Sample auto.master file
# This is a 'master' automounter map and it has the following format:
# mount-point [map-type[,format]:]map [options]
# For details of the format look at auto.master(5).
#
#/misc /etc/auto.misc
#
# NOTE: mounts done from a hosts map will be mounted with the
# "nosuid" and "nodev" options unless the "suid" and "dev"
# options are explicitly given.
#
#/net -hosts
#
# Include /etc/auto.master.d/*.autofs
# The included files must conform to the format of this file.
#
+dir:/etc/auto.master.d
#
# Include central master map if it can be found using
# nsswitch sources.
#
# Note that if there are entries for /net or /misc (as
# above) in the included master map any keys that are the
# same will not be seen as the first read key seen takes
# precedence.
#
+auto.master
# Added by Me and You :)
/root/mynfs /etc/auto.nfs
So the mynfs directory will be created and used as the mount point, and the entry refers to the /etc/auto.nfs map file for what to mount beneath it. We can add --timeout=60 to the entry to define the timeout in seconds after which an idle automount is unmounted again.
Then restart the autofs service for the changes to take effect:
root@server1:~# systemctl restart autofs
root@server1:~# ls
mynfs
root@server1:~# ls mynfs/
root@server1:~# mount | grep mynfs
/etc/auto.nfs on /root/mynfs type autofs (rw,relatime,fd=6,pgrp=1738,timeout=300,minproto=5,maxproto=5,indirect,pipe_ino=25202)
root@server1:~# ls mynfs/dir1
myfile1  myfile2  myfile3
root@server1:~# mount | grep mynfs
/etc/auto.nfs on /root/mynfs type autofs (rw,relatime,fd=6,pgrp=1738,timeout=300,minproto=5,maxproto=5,indirect,pipe_ino=25202)
192.168.10.150:/root/nfsshared/mydir1 on /root/mynfs/dir1 type nfs4 (rw,relatime,vers=4.0,rsize=131072,wsize=131072,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=192.168.10.149,local_lock=none,addr=192.168.10.150)
Notice that dir1 is only mounted after it is accessed with ls. The watch mount command is useful to observe what is going on.
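As an added example (not from these notes), a shell audit of the live mount table: the auto.master comments above say only mounts from a -hosts map get nosuid and nodev automatically, so shares mounted through an indirect map such as /etc/auto.nfs are worth checking. The sample mount lines are constructed after the mynfs session above.

```shell
#!/bin/sh
# Added example, not part of the original notes: list NFS mounts that were
# mounted without nosuid/nodev. Run it as:  mount | nfs_mount_audit

# Constructed sample of `mount` output, modelled on the mynfs session above.
# dir2 is an invented second share that was mounted with the hardening options.
SAMPLE_MOUNTS='/etc/auto.nfs on /root/mynfs type autofs (rw,relatime,fd=6,pgrp=1738,timeout=300,minproto=5,maxproto=5,indirect,pipe_ino=25202)
192.168.10.150:/root/nfsshared/mydir1 on /root/mynfs/dir1 type nfs4 (rw,relatime,vers=4.0,rsize=131072,wsize=131072,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=192.168.10.149,local_lock=none,addr=192.168.10.150)
192.168.10.150:/root/nfsshared/mydir2 on /root/mynfs/dir2 type nfs4 (rw,nosuid,nodev,relatime,vers=4.0,sec=sys,addr=192.168.10.150)'

# Reads mount(8)-style lines ("SRC on MP type TYPE (opts)") on stdin.
# Prints "<mount-point> missing=<opts>" for every nfs/nfs4 mount that lacks
# nosuid or nodev; the exit status is the number of such mounts (capped at 125).
# The autofs trigger mount itself (type autofs) is skipped.
nfs_mount_audit() {
    awk '$5 ~ /^nfs4?$/ {
            opts = $6; gsub(/[()]/, "", opts)
            n = split(opts, o, ",")
            has_nosuid = 0; has_nodev = 0
            for (i = 1; i <= n; i++) {
                if (o[i] == "nosuid") has_nosuid = 1
                if (o[i] == "nodev")  has_nodev = 1
            }
            missing = ""
            if (!has_nosuid) missing = missing "nosuid,"
            if (!has_nodev)  missing = missing "nodev,"
            if (missing != "") {
                sub(/,$/, "", missing)
                print $3 " missing=" missing
                bad++
            }
        }
        END { exit (bad > 125 ? 125 : bad) }'
}

# Demonstration on the constructed sample: reports dir1, stays quiet about dir2.
printf '%s\n' "$SAMPLE_MOUNTS" | nfs_mount_audit || echo "$? NFS mount(s) without nosuid/nodev"
```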
Previously we have seen different types of file systems on hard drives. Like hard disks, CD-ROMs and DVD-ROMs have their own standards and file systems for storing files.
ISO 9660 is a file system for optical disc media. Published by the International Organization for Standardization (ISO), it is considered an international technical standard. The ISO standard was issued in 1988, and as time passed some extensions were added to it to overcome its shortcomings:
Joliet: by Microsoft, adds support for longer file names and the Unicode character set
Rock Ridge: adds support for POSIX file permissions and ownership, symbolic links, and longer file names
El Torito: enables a disc to boot an x86 compatible system
UDF (Universal Disk Format) is a more recent file system format. It is managed by OSTA (Optical Storage Technology Association) and was created to overcome the shortcomings of the ISO standard. It covers both CDs and DVDs and, as its name says, provides universal compatibility across major platforms. UDF also enables a more efficient writing process for CD recordable and rewritable discs.
Hierarchical File System (HFS) is a proprietary file system developed by Apple Inc. for use in computer systems running Mac OS. Originally designed for use on floppy and hard disks, it can also be found on read-only media such as CD-ROMs. HFS is also referred to as Mac OS Standard, while its successor, HFS Plus, is also called Mac OS Extended. With the introduction of Mac OS X 10.6, Apple dropped support for formatting or writing HFS disks and images, which remain supported as read-only volumes.
mkisofs is a tool to create ISO9660/UDF/HFS images. The general format of the command is:
mkisofs -o MY.iso MYDIR/
-o: output, specify the output file
-J: generate Joliet directory information
-r: generate rationalized Rock Ridge directory information
-b: set the El Torito boot image name, e.g. "isolinux.bin"
For more information use mkisofs -help. Let's see how it works:
root@server3:~# mkdir MYDIR
root@server3:~# cd MYDIR/
root@server3:~/MYDIR# touch myfile1,myfile2,myfile3
root@server3:~# ls MYDIR/
mufile1,myfile2 mufile3
root@server3:~# mkisofs -r -o MY.iso MYDIR/
I: -input-charset not specified, using utf-8 (detected in locale settings)
Total translation table size: 0
Total rockridge attributes bytes: 335
Total directory bytes: 494
Path table size(bytes): 10
Max brk space used 0
175 extents written (0 MB)
root@server3:~# ls -l
total 356
drwxr-xr-x 2 root root   4096 Jan  2 07:56 MYDIR
-rw-r--r-- 1 root root 358400 Jan  2 07:56 MY.iso
cryptsetup is a utility used to easily set up disk encryption based on the dm-crypt kernel module:
root@server1:~# cryptsetup
The program 'cryptsetup' is currently not installed. You can install it by typing:
apt install cryptsetup-bin
root@server1:~# apt install cryptsetup
cryptsetup      cryptsetup-bin
root@server1:~# apt install cryptsetup
root@server1:~# cryptsetup --help
cryptsetup 1.6.6
Usage: cryptsetup [OPTION...] <action> <action-specific>
      --version                   Print package version
  -v, --verbose                   Shows more detailed error messages
      --debug                     Show debug messages
  -c, --cipher=STRING             The cipher used to encrypt the disk (see /proc/crypto)
  -h, --hash=STRING               The hash used to create the encryption key from the passphrase
  -y, --verify-passphrase         Verifies the passphrase by asking for it twice
  -d, --key-file=STRING           Read the key from a file.
      --master-key-file=STRING    Read the volume (master) key from file.
      --dump-master-key           Dump volume (master) key instead of keyslots info.
  -s, --key-size=BITS             The size of the encryption key
  -l, --keyfile-size=bytes        Limits the read from keyfile
      --keyfile-offset=bytes      Number of bytes to skip in keyfile
      --new-keyfile-size=bytes    Limits the read from newly added keyfile
      --new-keyfile-offset=bytes  Number of bytes to skip in newly added keyfile
  -S, --key-slot=INT              Slot number for new key (default is first free)
  -b, --size=SECTORS              The size of the device
  -o, --offset=SECTORS            The start offset in the backend device
  -p, --skip=SECTORS              How many sectors of the encrypted data to skip at the beginning
  -r, --readonly                  Create a readonly mapping
  -i, --iter-time=msecs           PBKDF2 iteration time for LUKS (in ms)
  -q, --batch-mode                Do not ask for confirmation
  -t, --timeout=secs              Timeout for interactive passphrase prompt (in seconds)
  -T, --tries=INT                 How often the input of the passphrase can be retried
      --align-payload=SECTORS     Align payload at <n> sector boundaries - for luksFormat
      --header-backup-file=STRING File with LUKS header and keyslots backup.
      --use-random                Use /dev/random for generating volume key.
      --use-urandom               Use /dev/urandom for generating volume key.
      --shared                    Share device with another non-overlapping crypt segment.
      --uuid=STRING               UUID for device to use.
      --allow-discards            Allow discards (aka TRIM) requests for device.
      --header=STRING             Device or file with separated LUKS header.
      --test-passphrase           Do not activate device, just check passphrase.
      --tcrypt-hidden             Use hidden header (hidden TCRYPT device).
      --tcrypt-system             Device is system TCRYPT drive (with bootloader).
      --tcrypt-backup             Use backup (secondary) TCRYPT header.
  -M, --type=STRING               Type of device metadata: luks, plain, loopaes, tcrypt.
      --force-password            Disable password quality check (if enabled).

Help options:
  -?, --help                      Show this help message
      --usage                     Display brief usage

<action> is one of:
        open <device> [--type <type>] [<name>] - open device as mapping <name>
        close <name> - close device (remove mapping)
        resize <name> - resize active device
        status <name> - show device status
        benchmark <name> - benchmark cipher
        repair <device> - try to repair on-disk metadata
        erase <device> - erase all keyslots (remove encryption key)
        luksFormat <device> [<new key file>] - formats a LUKS device
        luksAddKey <device> [<new key file>] - add key to LUKS device
        luksRemoveKey <device> [<key file>] - removes supplied key or key file from LUKS device
        luksChangeKey <device> [<key file>] - changes supplied key or key file of LUKS device
        luksKillSlot <device> <key slot> - wipes key with number <key slot> from LUKS device
        luksUUID <device> - print UUID of LUKS device
        isLuks <device> - tests <device> for LUKS partition header
        luksDump <device> - dump LUKS partition information
        tcryptDump <device> - dump TCRYPT device information
        luksSuspend <device> - Suspend LUKS device and wipe key (all IOs are frozen).
        luksResume <device> - Resume suspended LUKS device.
        luksHeaderBackup <device> - Backup LUKS device header and keyslots
        luksHeaderRestore <device> - Restore LUKS device header and keyslots

You can also use old <action> syntax aliases:
        open: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen
        close: remove (plainClose), luksClose, loopaesClose, tcryptClose

<name> is the device to create under /dev/mapper
<device> is the encrypted device
<key slot> is the LUKS key slot number to modify
<key file> optional key file for the new key for luksAddKey action

Default compiled-in key and passphrase parameters:
        Maximum keyfile size: 8192kB, Maximum interactive passphrase length 512 (characters)
Default PBKDF2 iteration time for LUKS: 1000 (ms)

Default compiled-in device cipher parameters:
        loop-AES: aes, Key 256 bits
        plain: aes-cbc-essiv:sha256, Key: 256 bits, Password hashing: ripemd160
        LUKS1: aes-xts-plain64, Key: 256 bits, LUKS header hashing: sha1, RNG: /dev/urandom
Linux Unified Key Setup (LUKS) is the standard on-disk format for Linux hard disk encryption. By providing a standard on-disk format, it not only facilitates compatibility among distributions but also provides secure management of multiple user passwords. In contrast to existing solutions, LUKS stores all the necessary setup information in the partition header, enabling the user to transport or migrate the data very easily.
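As an added example (not from these notes), a shell helper that summarises a cryptsetup luksDump report: which cipher, key size and header hash the partition header records, and how many of the eight LUKS1 key slots currently hold a passphrase or key file. The dump text is a constructed sample shaped like LUKS1 output from cryptsetup 1.6, using the compiled-in defaults shown in the help text above.

```shell
#!/bin/sh
# Added example, not part of the original notes: summarise a luksDump header
# report. Run it against a real volume as:  cryptsetup luksDump /dev/sdX | luks_summary
# Each ENABLED key slot is one passphrase/key file that can unlock the volume;
# stale ones are removed with luksKillSlot, and a volume with all slots enabled
# cannot take a new key via luksAddKey until one is freed.

# Constructed sample in the shape of `cryptsetup luksDump` for a LUKS1 header
# (device name, UUID and iteration counts are invented placeholders).
SAMPLE_DUMP='LUKS header information for /dev/sdb1

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha1
Payload offset: 4096
MK bits:        256
UUID:           00000000-0000-0000-0000-000000000000

Key Slot 0: ENABLED
        Iterations:             123456
        Key material offset:    8
        AF stripes:             4000
Key Slot 1: ENABLED
        Iterations:             123456
        Key material offset:    264
        AF stripes:             4000
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED'

# Reads luksDump text on stdin and prints one line:
#   version=<v> cipher=<name>-<mode> keybits=<n> hash=<h> enabled_slots=<n> free_slots=<n>
luks_summary() {
    awk -F': *' '
        $1 == "Version"     { ver  = $2 }
        $1 == "Cipher name" { name = $2 }
        $1 == "Cipher mode" { mode = $2 }
        $1 == "Hash spec"   { hash = $2 }
        $1 == "MK bits"     { bits = $2 }
        /^Key Slot [0-9]+: ENABLED/  { on++ }
        /^Key Slot [0-9]+: DISABLED/ { off++ }
        END {
            printf "version=%s cipher=%s-%s keybits=%s hash=%s enabled_slots=%d free_slots=%d\n",
                   ver, name, mode, bits, hash, on, off
        }'
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_DUMP" | luks_summary
```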