noauto option ignored in /etc/fstab?

Josef Wolf jw at raven.inka.de
Mon Dec 11 22:29:38 UTC 2017


On Mon, Dec 11, 2017 at 03:26:54PM +0100, Xen wrote:
> >>Well I thank you for your lessons.
> >
> >Hmmm.. Feels like ironical? :-)
> 
> Well no I realized there is really no protection when you have an encrypted
> system on the internet.
> 
> I mean through a hosting provider.
> 
> There is no way to protect a system you either have to log in through some
> webpage, or, if you don't need that, through SSH when the initrd would be
> modifiable.

I'm talking only about REAL hardware.

> >In fact, I also create my own preseeded installation CDs.
> 
> Can I ask what method you are using?

The install CD?

I have grown a rake script that

1. downloads the server-install-cd
2. adds a menu entry to use my preseed file
3. deletes some packages which I don't feel like needing
4. installs a late-command, which will install a systemd service that is
   executed when the freshly installed system is booted for the first time.
5. this "postinstall" script starts a screen session on tty6 and starts four
   initial windows:
   - window 0: top
   - window 1: watch 'hostname -f; echo; route -n; echo; ifconfig'
   - window 2: watch 'ps fax | grep -v grep | grep -B 5 -A 24 postinstall'
   - window 3: runs the real postinstall script.
   With win2, I can watch what the postinstall script is doing.
   Win3 runs the real postinstall script. This way, I can see error messages
   and the postinstall script can ask for additional information.

The postinstall script:
1. makes sure network is available
2. removes cdrom from apt.conf
3. runs update/upgrade
4. installs a bunch of packages which I consider to be essential
5. checks out HEAD of my configuration system
6. starts the configuration system

So, when installing a system, the only things I need to do are:
1. partition the disk
2. provide the most basic network settings (hostname and domain name)

Almost everything else is determined by the configuration system by
class/config settings.

> >Generating individual boot-{CD|SD|Sticks} would be much more effort for
> >me.
> 
> Well like I said, not everyone is the same, this works for you, I don't have
> a dozen machines ;-).
> 
> Also I think in my life the risks are different.

If I can eliminate a risk without any effort, I go for it.

If there were a noticeable effort, I'd step back and think about whether
it's actually worth doing.

> >Same holds for going through the hell to get encrypted /boot. There's
> >simply too much manual and error-prone fiddling involved.
> 
> Of course, unless you have an automatic configuration script.
> [ ... ]

Ugh!

You mean doing this automatically by a preseeded install-cd?

I once had set up my install-cd for automatic disk partitioning.

That was a really bad idea: It's way too easy to wipe all data by accident.

> More so it is easy to transform a DEFAULT installed system into this pretty
> quickly, but I have never done it yet.
> 
> In fact it only requires 3 changes to your system + the key, and the
> creating of a container on /dev/sda1, and recreating /boot there, followed
> by restoring its backup.
> 
> In ... 14 commands I could have this done to a default installed system,
> provided /boot was mounted ;-).

I still fail to see the benefit.

> >Yes. But that's a lot of additional effort without any additional benefit.
> >I prefer to have the benefit without additional cost.
> 
> Well, you know, I was only responding because you said encrypted boot was
> _not possible_.

Oh! Then, I correct myself:

It is not possible to have _everything_ encrypted. And this unencrypted piece
of code/data is the Achilles' heel.

> Now you say it is not worth your time, but that's something different.

No. I say, encrypting /boot won't buy you anything. You're STILL vulnerable as
long as grub can be modified.

So yes: it's not worth my time, since it won't buy me anything.

> Not everyone has a dozen systems running with identical preconfigured Ubuntu
> or Debian installations using a self-written automation tool that is
> executed from within the installer, either.

Right. But automation is not a prerequisite. Those scripts are really trivial.

> I also don't know what risks you are running.

Probably none. But since there's no effort, why not do it? Much better than
feeling safe just because /boot is encrypted...

-- 
Josef Wolf
jw at raven.inka.de
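
The first-boot mechanism described in the message above (a preseed late-command that installs a systemd service, which opens a screen session with four windows on tty6), sketched as an added example that is not part of the original post and not the author's rake script. Every file name and path here (postinstall-firstboot.service, /etc/postinstall/screenrc, /usr/local/sbin/postinstall, /cdrom/firstboot, the marker file) is an assumption.

```shell
#!/bin/sh
# Added example: writes the first-boot files described in the post into $1.
# Every file name and path below is an assumption, not the author's.
gen_firstboot() {
    out=$1
    mkdir -p "$out" || return 1

    # screenrc with the four windows from the post; window 3 runs the
    # real postinstall script (hypothetical path).
    cat > "$out/screenrc" <<'EOF'
screen -t top  0 top
screen -t net  1 watch 'hostname -f; echo; route -n; echo; ifconfig'
screen -t ps   2 watch 'ps fax | grep -v grep | grep -B 5 -A 24 postinstall'
screen -t post 3 /usr/local/sbin/postinstall
select 3
EOF

    # Unit that attaches screen to tty6; it is skipped on later boots once
    # the postinstall script has created the marker file.
    cat > "$out/postinstall-firstboot.service" <<'EOF'
[Unit]
Description=First-boot postinstall in a screen session on tty6
Wants=network-online.target
After=network-online.target
Conflicts=getty@tty6.service
ConditionPathExists=!/var/lib/postinstall.done

[Service]
Environment=TERM=linux
ExecStart=/usr/bin/screen -S postinstall -c /etc/postinstall/screenrc
StandardInput=tty
StandardOutput=tty
TTYPath=/dev/tty6
TTYReset=yes

[Install]
WantedBy=multi-user.target
EOF

    # Preseed fragment: late_command copies the files from the CD into the
    # installed system and enables the unit for the first boot.
    cat > "$out/late_command.cfg" <<'EOF'
d-i preseed/late_command string \
  mkdir -p /target/etc/postinstall ; \
  cp /cdrom/firstboot/screenrc /target/etc/postinstall/ ; \
  cp /cdrom/firstboot/postinstall /target/usr/local/sbin/ ; \
  cp /cdrom/firstboot/postinstall-firstboot.service /target/etc/systemd/system/ ; \
  in-target systemctl enable postinstall-firstboot.service
EOF
}
```

The postinstall script itself is expected to create /var/lib/postinstall.done when it finishes, so the unit does not run again on later boots.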



More information about the ubuntu-users mailing list