Git-Mirrors/qubes-doc
1
0
Fork 0
mirror of https://github.com/QubesOS/qubes-doc.git synced 2024-12-19 20:54:33 -05:00
Code Issues Packages Projects Releases Wiki Activity
b93b3c571e
qubes-doc/user/advanced-topics/secondary-storage.rst
Marek Marczykowski-Górecki b93b3c571e
Convert to RST
2024-05-21 20:59:46 +02:00

160 lines
4.2 KiB
ReStructuredText
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

=================
Secondary storage
=================
Suppose you have a fast but small primary SSD and a large but slow
secondary HDD. You want to store a subset of your app qubes on the HDD.
Instructions
------------
Qubes 4.0 is more flexible than earlier versions about placing different
VMs on different disks. For example, you can keep templates on one disk
and app qubes on another, without messy symlinks.
These steps assume you have already created a separate `volume group <https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/logical_volume_manager_administration/vg_admin#VG_create>`__
and `thin pool <https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/logical_volume_manager_administration/thinly_provisioned_volume_creation>`__
(not thin volume) for your HDD. See also `this example <https://www.linux.com/blog/how-full-encrypt-your-linux-system-lvm-luks>`__
if you would like to create an encrypted LVM pool (but note you can use
a single logical volume if preferred, and to use the ``-T`` option on
``lvcreate`` to specify it is thin). You can find the commands for this
example applied to Qubes at the bottom of this R4.0 section.
First, collect some information in a dom0 terminal:
.. code:: bash
sudo pvs
sudo lvs
Take note of the VG and thin pool names for your HDD, then register it
with Qubes:
.. code:: bash
# <pool_name> is a freely chosen pool name
# <vg_name> is LVM volume group name
# <thin_pool_name> is LVM thin pool name
qvm-pool --add <pool_name> lvm_thin -o volume_group=<vg_name>,thin_pool=<thin_pool_name>,revisions_to_keep=2
Now, you can create qubes in that pool:
.. code:: bash
qvm-create -P <pool_name> --label red <vmname>
It isnt possible to directly migrate an existing qube to the new pool,
but you can clone it there, then remove the old one:
.. code:: bash
qvm-clone -P <pool_name> <sourceVMname> <cloneVMname>
qvm-remove <sourceVMname>
If that was a template, or other qube referenced elsewhere (NetVM or
such), you will need to adjust those references manually after moving.
For example:
.. code:: bash
qvm-prefs <appvmname_based_on_old_template> template <new_template_name>
In theory, you can still use file-based disk images (“file” pool
driver), but it lacks some features such as you wont be able to do
backups without shutting down the qube.
Example HDD setup
^^^^^^^^^^^^^^^^^
Assuming the secondary hard disk is at /dev/sdb (it will be completely
erased), you can set it up for encryption by doing in a dom0 terminal
(use the same passphrase as the main Qubes disk to avoid a second
password prompt at boot):
.. code:: bash
sudo cryptsetup luksFormat --hash=sha512 --key-size=512 --cipher=aes-xts-plain64 --verify-passphrase /dev/sdb
sudo blkid /dev/sdb
Note the devices UUID (in this example “b209…”), we will use it as its
luks name for auto-mounting at boot, by doing:
.. code:: bash
sudo nano /etc/crypttab
And adding this line (change both “b209…” for your devices UUID from
blkid) to crypttab:
.. code:: bash
luks-b20975aa-8318-433d-8508-6c23982c6cde UUID=b20975aa-8318-433d-8508-6c23982c6cde none
Reboot the computer so the new luks device appears at
/dev/mapper/luks-b209… and we can then create its pool, by doing this on
a dom0 terminal (substitute the b209… UUIDs with yours):
First create the physical volume
.. code:: bash
sudo pvcreate /dev/mapper/luks-b20975aa-8318-433d-8508-6c23982c6cde
Then create the LVM volume group, we will use for example “qubes” as the
:
.. code:: bash
sudo vgcreate qubes /dev/mapper/luks-b20975aa-8318-433d-8508-6c23982c6cde
And then use “poolhd0” as the (LVM thin pool name):
.. code:: bash
sudo lvcreate -T -n poolhd0 -l +100%FREE qubes
Finally we will tell Qubes to add a new pool on the just created thin
pool
.. code:: bash
qvm-pool --add poolhd0_qubes lvm_thin -o volume_group=qubes,thin_pool=poolhd0,revisions_to_keep=2
By default VMs will be created on the main Qubes disk (i.e. a small
SSD), to create them on this secondary HDD do the following on a dom0
terminal:
.. code:: bash
qvm-create -P poolhd0_qubes --label red unstrusted-hdd
Reference in New Issue View Git Blame Copy Permalink