TuxMobil - Linux on Laptops

GNU/Linux installation notes: Fedora Core 3 on an Inspiron 8600

Most of these notes are fairly general and may be of use with other Linux distributions and other hardware. The usual disclaimers apply, i.e., works for me but use at your own risk. If you find mistakes, please let me know. Also, there are some things I haven't set up which might be an issue for others:

(Update: one site mentioning all of the above.)

- Michael Breen

Choice of distribution and PC

I use Linux for its power and flexibility as a development platform as well as its relative security and stability. I chose Fedora in part because it comes with a fairly comprehensive set of up-to-date packages: I don't have easy access to broadband. Fedora also has the benefit of a large user community. Most of the time, my laptop is used as a desktop PC with external keyboard and mouse and set on a neat stand, which I recommend. An advantage of using a laptop for a desktop PC is relative silence; also, the battery effectively works as a UPS in the unlikely event of a power failure.

However, I do not recommend Dell. About a week after I got the PC, it began locking up for no reason, requiring a hard reset each time. I eventually diagnosed the problem as an intermittent fault with the NVidia graphics card. Now, there is one person in Dell who is reasonable and helpful (he's from Scotland) but it took 2 weeks of phone calls and emails to find him. Up to that, the following was typical of Dell's response: "There's no such thing as an intermittent hardware fault, if the diagnostics pass then it's OK" - not exactly a level of competence worth waiting 35 minutes on hold for. Merely having Linux installed was also given as an excuse to refuse support - even though the system would also freeze in XP if that was booted and, more often, during BIOS POST prior to either OS being loaded. It was more than a month before the PC was returned with a new graphics card. In short, buyer beware: Dell will prevaricate and stonewall and generally do everything possible to avoid repairing a PC under warranty.

General Linux sys admin tips

Partition your system for two Linux installations

When you're upgrading or trying out a new Linux distribution, it's really useful to have a working installation to fall back on. Otherwise, if something goes wrong, getting your machine back to its previous state can be time-consuming and frustrating, even if you've backed everything up - which of course you should do anyway. This approach also means that you're never blocked on a problem with the new installation: you can continue using the older installation for your everyday work while you configure and check the new one as time permits.

Thus, I have two / partitions, each about 8GB. When I boot into the Linux on the first, the other is mounted as /mnt/linux2; conversely, the /etc/fstab on the second mounts the first partition as /mnt/linux1.

For this scheme, you should also have a /boot partition and another for /home - though, in my case, the latter is an encrypted disk partition mounted at /secure (see below).

Keep Windows and a VFAT D: drive

It's a good idea to keep your original Windows XP partition, even if you don't plan on using it (just resize it). You never know, you might even need to return the PC to have a faulty piece of hardware replaced. You could then even hide Linux by overwriting the boot sector with one to boot only XP (I did, so Dell could have no excuses - see above) and reinstall your GRUB boot sector later.

Having a partition that is write-accessible under both Linux and Windows is no harm either. This is also a handy place to store things such as copies of downloaded software packages, which are not tied to a particular Linux installation. VFAT: Unlike (at time of writing) NTFS, Linux support for VFAT filesystems is mature. Also, securely deleting files (using the shred command) works for VFAT partitions.

Record installation procedures

After you've done the basic Linux installation from CD, you'll probably be installing various other software packages at various times. It's a really good idea to keep notes on what extra software you installed when and what you did to get it to a nicely configured and working state. This takes a bit of discipline, but very little time as you don't really need much more than the edited output of a history command. As an example, here is part of my Fedora Core 1 log for a bug-tracking package called GNATS - which, on Fedora, was unusually troublesome to get working:

# Try with make install instead of checkinstall:
   44  /bin/rm -r gnats-4.0
   45  tar -xzf gnats-4.0.tar.gz
   46  cd gnats-4.0
   47  ./configure
   48  make install
   49  ls -la /usr/local/libexec/gnats/gnatsd
# size is now same in both (672491) - but...
   51  /usr/local/libexec/gnats/gnatsd
Segmentation fault
# it looks like specifying the CFLAGS as suggested by Chad
# means some that are used normally don't get used...
# Try removing -O2 from each of the configure scripts

Notes like this can save hours spent in troubleshooting or relearning the details of installation and configuration options, most of which may be irrelevant to you. If you don't get something working, a record of things you tried is also useful when asking someone for help. License codes and the like can also be dumped into this file, plus any configuration changes or problems you encountered during normal operation post-installation.

Use revision control to back up system files

If you want to change any system configuration files after basic installation, e.g., some files in /etc/, the grub configuration file in /boot/grub, and so on, put them under RCS first. This means a backup of any file you change is kept - and it means that changed files are easy to find, so you can easily back up all your post-installation changes to a CD or another machine. For example, if you want to change /etc/fstab:

cd /etc
mkdir RCS # (if not already created)
ci -u fstab # check in original version
co -l fstab # check out for editing
# make and test changes, then
ci -u fstab # check in new version with suitable comment

Note: fstab is now a file whose contents can be updated by the system on the fly (do "man fstab-sync"). One way to deal with this is to check it out again whenever you've checked in changes of your own.

Later, if you want to produce a list of RCS files under /etc and /boot (for instance), you can just do

find /etc /boot -type f | grep "/RCS/"

And, for the files that are currently checked out (and so likely to have changes not yet recorded in the RCS file)

rlog -L -R $(find /etc /boot -type f | grep "/RCS/") | \
   sed 's#/RCS/#/#' | sed 's/,v$//'

For a list of files that are under revision control, whether checked out or not, do the same command without the "-L".

Not every Linux distribution includes the RCS package (Mandrake?) and with some you'll need to select a development package at installation for it to be included. But you can always get the rpm separately.

Base installation

I used a Fedora Core 3 DVD from a magazine. Not too much to say about this except that I initially enabled SELinux in permissive (non-enforcing) mode and later decided to disable it entirely. It's a good idea but as yet it looks like being a bit troublesome to configure and administer. If you're setting up a server then it might be worth the effort, otherwise I recommend not wasting time on it.

Display

My laptop screen resolution is 1280x800. This isn't supported at installation by FC3 so I chose the lower 1024x768 resolution. While this works, it looks poor on an LCD display. To get the display working at its native resolution, I check the PC manual for the display refresh rate - it quotes 60Hz - and run gtf to find the modeline needed:

gtf 1280 800 60
  # 1280x800 @ 60.00 Hz (GTF) hsync: 49.68 kHz; pclk: 83.46 MHz
  Modeline "1280x800_60.00"  83.46  1280 1344 1480 1680  800 801 804 828  -HSync +Vsync

Using this, I edit /etc/X11/xorg.conf, adding a Modes section:

Section "Modes"
	Identifier     "16x10"
	# 1280x800 @ 60.00 Hz (GTF) hsync: 49.68 kHz; pclk: 83.46 MHz
	Modeline "1280x800_60.00"  83.46  1280 1344 1480 1680  800 801 804 828  -HSync +Vsync
EndSection

(Update: It's been noted that the "_60" above may cause problems — and, on checking my own xorg.conf, I've found I actually used "1280x800", not the "1280x800_60.00" as output by gtf.)

The Monitor section already has VertRefresh set to 60 and the HorizSync range is consistent with the gtf output so I just change the name and add a UseModes to it:

Section "Monitor"
	Identifier   "Monitor0"
	VendorName   "Dell"
	ModelName    "LCD Panel 1280x800"
	UseModes     "16x10"
	HorizSync    31.5 - 90.0
	VertRefresh  60.0 - 60.0
	Option	    "dpms"
EndSection

Finally, the Screen section needs to refer to the new resolution first (you can leave some old ones, just in case you made a mistake somewhere):

Section "Screen"
	Identifier "Screen0"
	Device     "Videocard0"
	Monitor    "Monitor0"
	DefaultDepth     24
	SubSection "Display"
		Viewport   0 0
		Depth     24
		Modes    "1280x800_60.00" "1024x768"
	EndSubSection
EndSection

Log out, Ctrl-Alt-BackSpace to restart X, and the login screen is displayed at the new resolution.

I could install the nvidia driver instead of the default nv at this point but I don't; anyway, the nvidia driver will have to be re-installed anytime the kernel is upgraded, which is the next job.

Install a new kernel

Unlike earlier versions, FC3 does not come with kernel source, which means problems if you want to do something like install other drivers. Also, it's a good idea to upgrade to the latest stable kernel version to benefit from any security fixes and the like. You could get the FC3 kernel source but I choose instead to upgrade to the latest standard kernel (partly because I don't have broadband and I do have an earlier standard kernel on a DVD; patches from kernel.org are relatively small downloads).

Don't assume the FC3 .config is good for compiling your new kernel! One bizarre problem I found was that CONFIG_EXT3_FS was set to "m" rather than "y". If your root filesystem is on an ext3 partition, this means that when you try to reboot the kernel the system will freeze after printing an error like

Creating root device
Mounting root filesystem
mount: error 19 mounting ext3
mount: error 2 mounting none
Switching to new root
switchroot: mount failed: 22
umount /initrd/dev failed: 2
Kernel panic - not syncing: Attempted to kill init!

(Note that other problems can lead to the same error.)

Also, don't use "make oldconfig" to move from the Fedora version of a kernel (e.g., 2.6.9-1.667) to the vanilla version of the same kernel (2.6.9 from kernel.org) as some extra configuration options included in FC3 which were not yet part of the stable kernel at that point may be lost. One problem I had was in compiling QLogic (QLA) drivers, which may have been a result of this. Instead go directly to 2.6.10 (or whatever).

Messing around with the kernel .config file can be dangerous; change too many options at once and you'll have an unbootable kernel, probably with little idea of what the problem is. For example, I found that taking out support for the ELF binary format (CONFIG_BINFMT_ELF) would cause this. For my .config, I took the FC3 config, brought it up to date with the newer kernel using "make oldconfig", and, via "make menuconfig", selected the processor (CONFIG_MPENTIUMM), added support for reading NTFS filesystems (CONFIG_NTFS_FS), CONFIG_PCCARD, removed all SCSI and ISDN stuff and made some other minor changes.
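
A pre-build check for the two failure modes described above (root filesystem driver set to "m", ELF support removed). This is an added example, not part of the original notes; the function names and sample inputs are constructed, and the mapping from fstab type to CONFIG_<TYPE>_FS is an assumption that holds for ext2, ext3, reiserfs, xfs and jfs.

```shell
#!/bin/bash
# Added example, not from the original notes. Sample inputs are constructed.

# config_state CONFIG_FILE OPTION -> prints y, m, or n (absent / "is not set")
config_state() {
    awk -F= -v opt="$2" '
        $1 == opt { state = $2 }
        END { print (state == "" ? "n" : state) }
    ' "$1"
}

# rootfs_option FSTAB -> kernel option for the filesystem mounted at /
# (assumed mapping: type "ext3" -> CONFIG_EXT3_FS, and so on)
rootfs_option() {
    awk '$1 !~ /^#/ && $2 == "/" { print "CONFIG_" toupper($3) "_FS"; exit }' "$1"
}

# check_builtin CONFIG_FILE OPTION... -> returns 1 if any option is not "=y"
check_builtin() {
    cfg=$1; shift
    rc=0
    for opt in "$@"; do
        state=$(config_state "$cfg" "$opt")
        if [ "$state" = "y" ]; then
            echo "ok    $opt=y"
        else
            echo "FAIL  $opt=$state (not built in)"
            rc=1
        fi
    done
    return $rc
}

# Constructed .config fragment showing the problem described in the text.
SAMPLE_CONFIG='CONFIG_MPENTIUMM=y
CONFIG_BINFMT_ELF=y
CONFIG_EXT2_FS=y
CONFIG_EXT3_FS=m
# CONFIG_NTFS_FS is not set'

# Constructed /etc/fstab fragment.
SAMPLE_FSTAB='# constructed example
LABEL=/      /      ext3  defaults  1 1
LABEL=/boot  /boot  ext3  defaults  1 2'

# Demo on the constructed samples.
demo=$(mktemp -d)
printf '%s\n' "$SAMPLE_CONFIG" > "$demo/config"
printf '%s\n' "$SAMPLE_FSTAB"  > "$demo/fstab"
check_builtin "$demo/config" "$(rootfs_option "$demo/fstab")" CONFIG_BINFMT_ELF \
    || echo "Fix .config (make menuconfig) before running make."
rm -rf "$demo"
```

On a real tree the call would be check_builtin /usr/src/linux-2.6.10/.config "$(rootfs_option /etc/fstab)" CONFIG_BINFMT_ELF, run after "make menuconfig" and before "make".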

To sum up, the sequence of commands is something like

# First put /boot/grub/grub.conf under RCS (see above)
# and check it out for edits - this will be updated 
# automatically during the kernel installation. Then
cd /usr/src
# I have the 2.6.9 kernel and the patch to upgrade it
# to 2.6.10, so:
bzip2 -cd path/linux-2.6.9.tar.bz2|tar -xvf -
mv linux-2.6.9 linux-2.6.10 # version after patches
cd !$
bzip2 -cd path/patch-2.6.10.bz2 | patch -p1
# (If I had further patches, e.g. for 2.6.11, I would 
# repeat the above command for each in sequence.)
cp /boot/config-2.6.9-1.667 .config
make oldconfig
make menuconfig 
# Edit the Makefile and set the extraversion to give this
# kernel version a unique label of your own devising, e.g., 
# EXTRAVERSION = -mb2b
# Then make the appropriate directory for the kernel's 
# modules and compile the kernel
mkdir /lib/modules/2.6.10-mb2b
make  # will take some time
make install
make modules_install 
cp .config /boot/config-2.6.10-mb2b
# (I also put the latter file under RCS so it will be included
# in my periodic backups) 

If you look in /boot, you'll see that several new files have been installed, including vmlinuz-2.6.10-mb2b, initrd-2.6.10-mb2b.img and System.map-2.6.10-mb2b; the symbolic links System.map and vmlinuz will also have been made to point to the corresponding new files but these aren't used and don't affect anything.

In /boot/grub/, grub.conf will also have had an entry added to the start of it for the new kernel, though the default kernel will be the same (i.e., the "default=?" number will have been incremented by one so that it still points to the entry that was previously the default). You may want to edit grub.conf to change the title of the new entry or the order in which the entries are displayed. One thing I tend to do at this point is change "root=LABEL=/" in the new entry to the actual / partition, e.g., "root=/dev/hda11".

If trying to boot the new kernel causes it to hang with a kernel panic message or the like then reset the machine (by keeping the power button pressed for a few seconds) and try to boot another Linux at power up - either one you already had installed on another partition of your hard drive (by selecting it when you reach the GRUB screen), or from a CD, using a run-from-CD Linux distribution like Knoppix, or boot from your Fedora CD/DVD, typing "linux rescue" at the prompt to get a basic terminal. If you have an idea of what went wrong, you can then try to fix it. As a last resort, you could always re-install Fedora all over again.

If you need to change the .config and make the kernel again then you should do

make mrproper

first to clean out the directory structure. Doing this also deletes your .config file so ensure that's backed up first (as it was to /boot in the commands above).

Other software

You'll want to do this next to ensure everything you need for your normal work installs and works without problems. For me, this software includes, among other things, a modem driver bought from Linuxant (price is reasonable) for my Conexant D480 modem.

Linuxant modem driver

rpm -iv hsfmodem-6.03.00lnxt04011900full-1.i386.rpm
ERROR: no device detected by hsf driver
error: %post(hsfmodem-6.03.00lnxt04011900full-1.i386) scriptlet failed, exit status 1

I discovered on the web that there was a problem with hsfmodem and FC3. This has been solved in later versions but you still need to reboot after installing. You should then be able to run hsfconfig and enter your licence key.

Update: If you upgrade to kernel 2.6.11 then you will need at least version 7.18.00.03 of hsfmodem to avoid getting an "ERROR: hsf driver not active" message.

As a precaution, I don't connect to any network until I've double checked my firewall settings and then I use my guest login, not root.

Create guest login and do some testing

Before switching over to the new installation, it's a good idea to do some quick testing to check you can do everything you'll need to be able to do. To do this, I create just one user account at this point: user guest (UID 600), primary group guest (GID 600); the UID and GID are chosen so as not to clash with those of users on my existing installation - their home directories (on the encrypted partition) will later be mounted in my new installation and their accounts will be recreated with the same IDs.

Problem: Can't play CDs

A problem I find is that I can't play audio CDs. This is a minor issue for me but it's easily fixed. At first, it looks like the problem is that /dev/cdrom is not being created. In fact, the problem is due to an incorrect version of udev erroneously included in the FC3 distribution. I download the latest version of udev from http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/i386/ and update it ("rpm -U"). After the next reboot, it works.

Problem: System hangs on shut down

The system hangs at "Stopping iptables:", requiring a hard reset. After some investigation, this turns out to be a known bug though only affecting some systems. There are several possible workarounds. What I do is simply change the line

IPTABLES_MODULES_UNLOAD="yes"

in /etc/sysconfig/iptables-config to

# Fix problem: "modprobe -r ipt_state" hangs 99% CPU unkillable
# (on system shutdown and when changing firewall settings)...
# IPTABLES_MODULES_UNLOAD="yes"
IPTABLES_MODULES_UNLOAD="no"

Copy system configuration files

Because I have a previous installation on another disk partition (see above), the next step for me is to copy over any system configuration changes I need - mainly in files under /etc (now mounted as /mnt/linux1/etc or /mnt/linux2/etc). To find these, I look for the files under RCS there (again, see above). To see the changes made in a file I go to the directory and do

rcsdiff -r1.1 file

I also diff the file against the corresponding file in /etc; if the differences are the same, the file in /mnt/linux?/etc can just be copied over to replace it, together with its RCS file. Otherwise, I put the file in /etc under RCS and re-apply the same changes as before.

Don't blindly copy changes; the new /etc/fstab, for example, should obviously differ from the previous one!

This step may interleave with the installation of additional software packages above. There may also be some files that you won't want to copy over immediately, for example, /mnt/linux?/etc/aliases might be delayed until you've got the same logins created in your new installation.

Encrypted swap

Laptops are easily stolen. If you have any confidential data on one then it's sensible to keep it in encrypted form - and if some of that data belongs to a client then it's also the professional thing to do.

If swap encryption is not already set up (through the previous step of copying files from the previous installation), here's what I do. First, some packages I need are already installed, including cryptsetup, libgpg-error and libgcrypt. Others I find on my Fedora DVD:

rpm -i /media/*/Fedora/RPMS/libgpg-error-devel-*.i386.rpm
rpm -i /media/*/Fedora/RPMS/libgcrypt-devel-*.i386.rpm

Next, create the file /etc/init.d/secureswap and change the constants at the beginning to refer to your actual swap partition. Also read the comment at the beginning of the script. The script is a bit rough and could certainly be improved. Note also that it ignores the contents of /etc/fstab. Though the script is written as a service, it's actually called explicitly: replace the part in /etc/rc.d/rc.sysinit that starts swapping with

# Start up swapping - use an encrypted swap partition
update_boot_stage RCswap
action $"Enabling swap with encryption: " /etc/init.d/secureswap start

Note: System initialization and shutdown can vary substantially between Linux distributions.

Now add the following to /etc/rc.d/init.d/halt immediately before the line "# Turn off swap":

# turn off encryption of swap partition
runcmd $"Disabling swap encryption: " /etc/init.d/secureswap stop

Finally, because halt expects to have to stop swap encryption (and to check that it works), do

/etc/init.d/secureswap start
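
To confirm that the script did its job, every active swap area should sit on a dm-crypt mapping; a /dev/mapper path alone is not proof, because LVM volumes are also device-mapper devices. The check below is an added example, not part of the original notes: the function names and sample inputs are constructed, and it assumes swap areas are listed under the path given to swapon, as the secureswap script itself does.

```shell
#!/bin/bash
# Added example, not from the original notes. Sample inputs are constructed.

# classify_swap SWAPS_FILE DMSTATUS_FILE
#   SWAPS_FILE:    text in /proc/swaps format (what "swapon -s" prints)
#   DMSTATUS_FILE: output of "dmsetup status" (name: start length target ...)
# Prints "<device> <verdict>" per active swap area, where verdict is
#   crypt  - device-mapper mapping whose target type is crypt
#   mapped - device-mapper mapping of another type (e.g. LVM "linear")
#   plain  - not a /dev/mapper device at all
classify_swap() {
    awk '
        # First file (dmsetup status): record each mapping and its target type.
        FILENAME == ARGV[1] {
            name = $1
            sub(/:$/, "", name)
            target[name] = $4
            next
        }
        # Second file (/proc/swaps): skip the header line.
        FNR == 1 { next }
        {
            verdict = "plain"
            if (index($1, "/dev/mapper/") == 1) {
                name = substr($1, length("/dev/mapper/") + 1)
                verdict = (target[name] == "crypt") ? "crypt" : "mapped"
            }
            print $1, verdict
        }
    ' "$2" "$1"
}

# all_swap_encrypted SWAPS_FILE DMSTATUS_FILE
# Succeeds only if swap is active and every area is on a crypt mapping.
all_swap_encrypted() {
    classify_swap "$1" "$2" | awk '
        { n++ }
        $2 != "crypt" { bad++ }
        END { exit !(n > 0 && bad == 0) }'
}

# Constructed "swapon -s" output: one encrypted area, one LVM volume,
# one raw partition.
SAMPLE_SWAPS='Filename                                Type            Size    Used    Priority
/dev/mapper/hda8                        partition       1052216 0       -1
/dev/mapper/VolGroup00-LogVol01         partition       2031608 0       -2
/dev/hda7                               partition       522072  0       -3'

# Constructed "dmsetup status" output for the same machine.
SAMPLE_DMSTATUS='hda8: 0 2104452 crypt
VolGroup00-LogVol01: 0 4063232 linear'

# Demo on the constructed samples.
demo=$(mktemp -d)
printf '%s\n' "$SAMPLE_SWAPS"    > "$demo/swaps"
printf '%s\n' "$SAMPLE_DMSTATUS" > "$demo/dmstatus"
classify_swap "$demo/swaps" "$demo/dmstatus"
all_swap_encrypted "$demo/swaps" "$demo/dmstatus" \
    || echo "WARNING: some swap is not on a dm-crypt mapping"
rm -rf "$demo"
```

On a live system, save the output of "swapon -s" and "dmsetup status" (run as root) to two files and pass them in that order.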

Encrypted home partition

Assuming, for example, the encrypted partition is hda9, I proceed as follows:

cryptsetup -y create hda9 /dev/hda9

- entering the same passphrase as before if this partition already contains encrypted data (set up in the same way under a previous installation). Otherwise, choose a new passphrase and format the partition, e.g., for an ext3 partition

# Careful - destroys all data!!!
mkfs.ext3 /dev/mapper/hda9   

Note that if you need to change your passphrase later then you'll have to back up the contents of the partition first, reformat it and then restore the data.

I mount my encrypted partition at /secure. Home directories of all accounts (to be (re)created below) go there, except for guest (/home/guest on my / partition) and root (/root).

mkdir /secure; mount /dev/mapper/hda9 /secure
ls /secure

Edit /etc/fstab, adding a line something like (if ext3 type):

/dev/mapper/hda9  /secure  ext3  defaults,noauto  1  0

Similar to the previous step, create another script, /etc/init.d/securefs. Change the constants at the start of the script to reflect the actual partition and mount point (again, this could obviously be done more neatly) and add the following to rc.sysinit:

# turn on encryption for and mount the encrypted filesystem
/etc/init.d/securefs start

- just after

# The root filesystem is now read-write, so we can now log
# via syslog() directly..
if [ -n "$IN_INITLOG" ]; then
    IN_INITLOG=
fi

is one possible location for this.

To ensure a clean shutdown, add the following to /etc/rc.d/init.d/halt (I put this just after the existing unmounting code, before the "rm -f /.autofsck"):

# unmount encrypted filesystem 
# and turn off encryption
/etc/init.d/securefs stop

Finally, run

/etc/init.d/securefs start

At boot-up, the securefs script gives you three chances to give the correct passphrase for the encrypted partition; of course, you have the option of not mounting it at boot and later issuing the above command (as root) if you want. You'll still be able to log in to any account with its home directory not on that partition (including root and guest).

I'm not sure how this approach would work with the graphical version of the startup sequence. If I remember correctly, graphical bootup is accomplished with an "rhgb" option in /etc/grub/grub.conf; this may need to be removed in order to see the prompt for the passphrase.

Users and groups

Generally, the last step is to create the user accounts. If the relevant home directories of these accounts already exist (i.e., on the encrypted home partition just mounted) then I take care to recreate the group and user accounts with the same memberships, UIDs and GIDs as before. I already have a guest account but ~guest is /home/guest and the home directory on the other installation (/mnt/linux?/home/guest) shouldn't contain anything worth saving (of course, it's no harm to check both this and /mnt/linux?/root). For each of the other (re)created accounts, I specify the home directory as /secure/login and, for convenience, add a link to it from /home.
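
File ownership on the encrypted partition is stored as numeric IDs, so an account recreated with a different UID silently loses (or gains) access to files under /secure. The comparison below is an added example, not part of the original notes: it checks the old installation's passwd file against the new one for accounts whose home is under a given prefix. The function names and sample data are constructed, and group files are not examined.

```shell
#!/bin/bash
# Added example, not from the original notes. Sample inputs are constructed.

# id_plan OLD_PASSWD NEW_PASSWD HOME_PREFIX
# For every account in OLD_PASSWD whose home starts with HOME_PREFIX, print
# "<login> <uid> <gid> <verdict>", where verdict is
#   ok            - login exists in NEW_PASSWD with the same UID and GID
#   mismatch      - login exists in NEW_PASSWD with a different UID or GID
#   clash:<login> - login is missing and its UID already belongs to <login>
#   create        - login is missing and its UID is free
id_plan() {
    awk -F: -v prefix="$3" '
        # First file: the new installation.
        FILENAME == ARGV[1] {
            uid_of[$1] = $3
            gid_of[$1] = $4
            owner[$3] = $1
            next
        }
        # Second file: the old installation; keep homes under the prefix only.
        index($6, prefix) != 1 { next }
        {
            if ($1 in uid_of) {
                v = (uid_of[$1] == $3 && gid_of[$1] == $4) ? "ok" : "mismatch"
            } else if ($3 in owner) {
                v = "clash:" owner[$3]
            } else {
                v = "create"
            }
            print $1, $3, $4, v
        }
    ' "$2" "$1"
}

# ids_consistent OLD_PASSWD NEW_PASSWD HOME_PREFIX
# Succeeds only if no account is reported as mismatch or clash.
ids_consistent() {
    id_plan "$1" "$2" "$3" | awk '
        $4 == "mismatch" || $4 ~ /^clash:/ { bad++ }
        END { exit (bad > 0) }'
}

# Constructed passwd file of the previous installation.
SAMPLE_OLD_PASSWD='root:x:0:0:root:/root:/bin/bash
guest:x:600:600:Guest:/home/guest:/bin/bash
alice:x:501:501:Alice:/secure/alice:/bin/bash
bob:x:502:502:Bob:/secure/bob:/bin/bash
carol:x:503:100:Carol:/secure/carol:/bin/bash
erin:x:504:504:Erin:/secure/erin:/bin/bash'

# Constructed passwd file of the new installation, partly set up.
SAMPLE_NEW_PASSWD='root:x:0:0:root:/root:/bin/bash
guest:x:600:600:Guest:/home/guest:/bin/bash
alice:x:501:501:Alice:/secure/alice:/bin/bash
bob:x:505:505:Bob:/secure/bob:/bin/bash
dave:x:503:503:Dave:/home/dave:/bin/bash'

# Demo on the constructed samples.
demo=$(mktemp -d)
printf '%s\n' "$SAMPLE_OLD_PASSWD" > "$demo/old"
printf '%s\n' "$SAMPLE_NEW_PASSWD" > "$demo/new"
id_plan "$demo/old" "$demo/new" /secure/
ids_consistent "$demo/old" "$demo/new" /secure/ \
    || echo "Resolve mismatches and clashes before mounting /secure for users."
rm -rf "$demo"
```

With the layout used in these notes, the real call would be id_plan /mnt/linux1/etc/passwd /etc/passwd /secure/ (or /mnt/linux2, depending on which installation is the old one).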

Before browsing the web, check that the privacy and security settings on your browser are as you expect; if a new version of it comes as part of the distribution, it may not have recognised some of your previous configuration settings. Similar considerations apply to other software packages.

Appendix: /etc/rc.d/init.d/secureswap

Update: the use of /dev/random below may cause boot-up to stall if enough entropy hasn't been collected for a random number to be generated reliably (press a few random buttons to get it to continue). If you find this happens, change /dev/random to /dev/urandom in this script. You might want to check that /dev/urandom is seeded before swap is mounted (for Fedora, in the rc.sysinit script).


#!/bin/bash
#
# secureswap    Start / stop encryption of swap partition
#
# Author:       Michael Breen
#
# Designed to operate safely: will mount encrypted swap
# on a device only if the underlying physical device is
# formatted as a swap partition; on stop, encryption is
# turned off and mkswap is run on the unencrypted partition.
# This avoids the danger of doing a mkswap on the wrong
# partition if device numbers change as a result of editing
# the partition table.
# It also means that any other installation that boots can
# use the swap partition unencrypted with just a swapon.
# The only disadvantage is that if the system is not shutdown
# cleanly then a mkswap on the swap partition is necessary
# before this can work again.

# source function library
. /etc/rc.d/init.d/functions

DMID=hda8
SWAP_DEVICE=/dev/hda8
CRYPTSETUP=/sbin/cryptsetup

RETVAL=0

start() {
	echo $"Encrypting swap ($SWAP_DEVICE)..."
	mounted=`swapon -s|grep "/dev/mapper/$DMID " `
	if [ "$mounted" != "" ] ; then
		echo "Device /dev/mapper/$DMID already mounted as swap."
		echo -n "Mount encrypted swap: " && failure
		echo
		exit 1
	fi

	# Try to make sure $SWAP_DEVICE is a swap device
	REGULARSWAP=`swapon -s|grep "$SWAP_DEVICE " `
	if [ "$REGULARSWAP" == "" ] ; then
		swapon $SWAP_DEVICE
		RETVAL=$?
		if [ $RETVAL -ne 0 ] ; then
			echo "$SWAP_DEVICE does not appear to be swap (need to run mkswap?)"
			echo -n "Mount encrypted swap: " && failure
			echo
			exit 1
		fi
	fi
	swapoff $SWAP_DEVICE
	RETVAL=$?
	if [ $RETVAL -ne 0 ] ; then
		echo "Could not unmount regular swap from $SWAP_DEVICE."
		echo -n "Mount encrypted swap: " && failure
		echo
		exit 1
	fi

	$CRYPTSETUP -d /dev/random create $DMID $SWAP_DEVICE
	RETVAL=$?
	if [ $RETVAL -ne 0 ] ; then
		echo "Failed to set up encrypted swap device /dev/mapper/$DMID. "
		echo -n "Mount encrypted swap: " && failure
		echo
		exit 1
	fi
	mkswap /dev/mapper/$DMID
	RETVAL=$?
	if [ $RETVAL -ne 0 ] ; then
		echo "Failed to mkswap /dev/mapper/$DMID. "
		echo -n "Mount encrypted swap: " && failure
		echo
		exit 1
	fi
	swapon /dev/mapper/$DMID
	RETVAL=$?
	if [ $RETVAL -ne 0 ] ; then
		echo "Failed to mount swap on /dev/mapper/$DMID. "
	fi
	echo -n $"Mount encrypted swap (/dev/mapper/$DMID): "
	[ $RETVAL -eq 0 ] && success || failure
	echo
	if [ $RETVAL -ne 0 ] ; then
		if [ -b /dev/mapper/$DMID ] ; then
			$CRYPTSETUP remove $DMID
		fi
	fi
}

stop() {
	echo $"Unmounting encrypted swap ($SWAP_DEVICE)... "
	mounted=`swapon -s |grep "/dev/mapper/$DMID " `
	if [ "$mounted" != "" ] ; then
		swapoff /dev/mapper/$DMID
		RETVAL=$?
		if [ $RETVAL -ne 0 ] ; then
			echo "swapoff /dev/mapper/$DMID failed!"
			exit $RETVAL
		fi
	fi
	if [ -b /dev/mapper/$DMID ] ; then
		$CRYPTSETUP remove $DMID
		RETVAL=$?
		if [ $RETVAL -eq 0 ] ; then
			mkswap $SWAP_DEVICE > /dev/null
			RETVAL=$?
		fi
	else
		echo "Encrypted swap already stopped."
		RETVAL=1
	fi
	echo -n $"Stop encrypting swap: "
	[ $RETVAL -eq 0 ] && success || failure
	echo
}

restart() {
	stop
	start
}

case "$1" in
  start)
	start
	;;
  stop)
	stop
	;;
  restart|force-reload)
	restart
	;;
  reload)
	;;
  condrestart)
	mounted=`swapon -s|grep "/dev/mapper/$DMID " `
	[ "$mounted" != "" ] && restart
	;;
  status)
	mounted=`swapon -s|grep "/dev/mapper/$DMID " `
	if [ "$mounted" != "" ] ; then
		echo "Encrypted swap is on /dev/mapper/$DMID."
		RETVAL=0
	else
		if [ -b "/dev/mapper/$DMID" ] ; then
			echo "Encrypted swap device /dev/mapper/$DMID exists but swap is off."
		else
			echo "Encrypted swap device /dev/mapper/$DMID does not exist."
		fi
		RETVAL=3
	fi
	;;
  *)
	echo $"Usage: $0 {start|stop|status|restart|reload|force-reload|condrestart}"
	exit 1
esac

exit $RETVAL

Appendix: /etc/rc.d/init.d/securefs


#!/bin/bash
#
# securefs      Mount/unmount dm-crypt encrypted filesystem
#
# Author:       Michael Breen
#
# It is assumed there is an entry in /etc/fstab like:
#   /dev/mapper/$DMID  $DIRECTORY  <fstype>  <options>,noauto  1  0
# (where $DMID and $DIRECTORY are replaced by the values they
# are given below).
#

# source function library
. /etc/rc.d/init.d/functions

DMID=hda9
DEVICE=/dev/hda9
DIRECTORY=/secure
CRYPTSETUP=/sbin/cryptsetup

RETVAL=0

start() {
	echo $"Mounting encrypted filesystem ($DIRECTORY)..."
	mounted=`mount|grep "/dev/mapper/$DMID" `
	if [ "$mounted" != "" ] ; then
	   echo "/dev/mapper/$DMID already mounted."
	   echo -n "mount $DIRECTORY " && failure
	   echo
	   exit 1
	fi
	RETVAL=1
	retry=3
	while [ $RETVAL -ne 0 -a $retry -gt 0 ]; do
	   if [ -b /dev/mapper/$DMID ] ; then
	      $CRYPTSETUP remove $DMID
	   fi
	   $CRYPTSETUP -h ripemd160 -c aes -s 256 create $DMID $DEVICE
	   fsck $DIRECTORY
	   RETVAL=$?
	   retry=$(($retry -1))
	   if [ $RETVAL -ne 0 ] ; then
	      echo -n "Passphrase incorrect. "
	      [ $retry -gt 0 ] && echo -n " $retry tries remaining..."
	   fi
	   echo
	done
	if [ $RETVAL -eq 0 ] ; then
	   mount $DIRECTORY
	   RETVAL=$?
	fi
	echo -n $"Mount encrypted filesystem ($DIRECTORY): "
	[ $RETVAL -eq 0 ] && success || failure
	echo
	if [ $RETVAL -ne 0 ] ; then
	   if [ -b /dev/mapper/$DMID ] ; then
	      $CRYPTSETUP remove $DMID
	   fi
	fi
}

stop() {
	echo $"Unmounting encrypted filesystem ($DIRECTORY)... "
	mounted=`mount|grep "/dev/mapper/$DMID"|grep "$DIRECTORY"`
	if [ "$mounted" != "" ] ; then
	   umount /dev/mapper/$DMID
	   RETVAL=$?
	   if [ $RETVAL -ne 0 ] ; then
	      echo "FAILED: cannot umount /dev/mapper/$DMID"
	      exit $RETVAL
	   fi
	fi
	if [ -b /dev/mapper/$DMID ] ; then
	   $CRYPTSETUP remove $DMID
	   RETVAL=$?
	else
	   echo "Not mounted."
	   RETVAL=1
	fi
	echo -n $"Unmount encrypted filesystem ($DIRECTORY): "
	[ $RETVAL -eq 0 ] && success || failure
	echo
}

restart() {
	stop
	start
}

case "$1" in
  start)
	start
	;;
  stop)
	stop
	;;
  restart|force-reload)
	restart
	;;
  reload)
	;;
  condrestart)
	mounted=`mount|grep "/dev/mapper/$DMID"|grep "$DIRECTORY"`
	[ "$mounted" != "" ] && restart
	;;
  status)
	mounted=`mount|grep "/dev/mapper/$DMID"|grep "$DIRECTORY"`
	if [ "$mounted" != "" ] ; then
		echo "$DIRECTORY is mounted."
		RETVAL=0
	elif [ -b "/dev/mapper/$DMID" ] ; then
		echo "/dev/mapper/$DMID exists but $DIRECTORY is not mounted."
		RETVAL=3
	else
		echo "$DIRECTORY is not mounted."
		RETVAL=3
	fi
	;;
  *)
	echo $"Usage: $0 {start|stop|status|restart|reload|force-reload|condrestart}"
	exit 1
esac

exit $RETVAL