Andrew David Wong:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> On 31/08/2019 11.23 AM, Claudia wrote:
>> The "Custom Installation" doc gives instructions about how to
>> create a non-default dm-crypt partition, or other custom setup, and
>> install Qubes to it. But when I follow these instructions on
>> R4.0.1, and try to assign my dm-crypt device to "/", I get a
>> message something like
>>
>> "You must create a new filesystem for the root filesystem."
>>
>
> That's odd. I don't remember getting a message like that when I
> installed 4.0 this way

First, thanks for your reply!

BTW, the actual message is "You must create a new file system on the
root device." (I was going from memory.)

Okay, so I think I might have figured it out: The tutorial should work
for any filesystem other than btrfs, provided you check the "Reformat"
option. Upon closer examination, your tutorial covers creation of
dm-crypt and LVM containers, but not any filesystems. The installer does
create the actual filesystem, so that's why the tutorial doesn't cause
the message about creating a new filesystem. It's just that btrfs isn't
one of the options.

When there is an empty dm-crypt partition on the disk, under "Unknown"
category it shows up as "luks-<uuid>" and asks for a password. Once
unlocked, all options are greyed out, including Mountpoint, except Label
and Reformat. When I check Reformat, the File System drop-down is enabled,
but btrfs is not an option. So at this point I could use another
filesystem, just not btrfs. The "Encrypt" checkbox is also enabled and
checked by default.

When I manually format that partition with btrfs, it shows up under
"Unknown" as "Encrypted (LUKS)" and asks for a password. Once unlocked,
it shows under "Unknown" as "btrfs" and all options are greyed out
except Mountpoint and Label. But when I enter "/" as mountpoint I get
that message. I would be fine with replacing the filesystem in the
container, but the "Reformat" box is unchecked and greyed out.

Like I said, I thought I got around it somehow, but I don't remember for
sure. I might have given up and used the default cryptsetup options.

>
> Well, the Qubes installer is mostly just the upstream Fedora
> installer, so you might want to file bug reports with them about these
> issues.

I was afraid of that. I may try to look into it some more and perhaps
see if it's a reportable bug. But the more I'm looking at it, I think
they would call it a "feature" of this deranged installer. (See below.)
I really just want to get past it.

Did you happen to do any testing with btrfs when you wrote the tutorial?
At this point I don't think the tutorial is faulty, I think it just
cannot be used with btrfs.

Like I said, though, bug #2294 talks about this very problem. So I'm at
least not imagining things. Although it doesn't mention the exact error
message (I could have sworn it did).

In #2294, under "General Notes" > "Not Workarounds:"

"If you also manually create a new btrfs filesystem inside the LUKS
container, the installer will unselect and gray out the Reformat check
box and then complain that reformatting the root mountpoint is required
to continue..."

That pretty much exactly describes what I'm running into.

The bug itself apparently was fixed in R4.0-rc4, but I'm assuming the
btrfs problem has not been.

>> 3) Is there a way around it that doesn't involve the hacky
>> post-installation migration?
>
> Not that I know of.
>
>> 4) Does qubes provide any way to sidestep the graphical installer,
>> i.e. something akin to debootstrap or arch-bootstrap?
>>
>
> Not that I know of. (Again, it's mostly the stock Fedora installer.)
>

So I think the real problem here is that the installer doesn't treat
btrfs the same way as the rest of the filesystems. Btrfs is a "Device
Type" not a "File System", i.e., you can't put btrfs on an existing
device, you have to choose "Btrfs" for "Device Type". Thus, it can't be
installed to a preexisting dm-crypt container.

Note that when you select Btrfs for Device Type, Encrypt will be greyed
out and unchecked. You have to click Modify, select the device, and
check the Encrypt checkbox, and click save. Then the Encrypt checkbox
will be checked next to Device Type on the previous screen. However, this
will be created using cryptsetup defaults!

There are several workaround ideas which, after much testing and
reconfiguration, eventually may or may not work. But right now I don't
have that kind of time, and I just want something to work. So for now I
think I'll just accept defeat: settle for cryptsetup defaults and just
let the installer do its thing. You can't always get what you want.

Thanks again for your input. If you get the chance to try the tutorial
using btrfs on a custom dm-crypt container, I'd be interested in your
results. You might have better luck, or perhaps a whole new tutorial.