grub2 does not install on encrypted lvm

Bug #1425681 reported by Lyn Perrine on 2015-02-25
20
This bug affects 4 people
Affects Status Importance Assigned to Milestone
debian-installer (Ubuntu)
High
Unassigned

Bug Description

To reproduce boot a lubuntu alternate amd64 and select guided partioning to set up entire encryped lvm. The install will continue until you install grub and then grub will not install on the encrpted lvm

The deb on the altenrate installer is
/grub2-common_2.02~beta2-21_amd64.deb

This is a vivid amd 64 alternate relase but fails with altenrate installer so this how to get info

I expected grub2 to install instead it did not for the encrpytion.

Related branches

Lyn Perrine (walterorlin) wrote :
Lyn Perrine (walterorlin) wrote :
Lyn Perrine (walterorlin) wrote :
Lyn Perrine (walterorlin) wrote :
Ubuntu QA Website (ubuntuqa) wrote :

This bug has been reported on the Ubuntu ISO testing tracker.

A list of all reports related to this bug can be found here:
http://iso.qa.ubuntu.com/qatracker/reports/bugs/1425681

tags: added: iso-testing
Phill Whiteside (phillw) wrote :

I've now re-read the test case. The correct way is to create the LVM before the install. I've never done it that way and would like to know if it is a recent bug, or just a case of asking the installer to do something it cannot do which as a tester - I'd never dream of!

Phill Whiteside (phillw) wrote :

Be interesting to hear the opinions of the server team... Did this used to work?

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in grub2 (Ubuntu):
status: New → Confirmed
Walter Lapchynski (wxl) on 2015-02-25
tags: added: amd64 i386
affects: grub2 (Ubuntu) → debian-installer (Ubuntu)
tags: added: vivid
Changed in debian-installer (Ubuntu):
importance: Undecided → Critical
importance: Critical → High
sudodus (nio-wiklund) wrote :

I think this bug might affect installations in UEFI mode, where grub2 replaces syslinux (I have not tested that case). But it does not affect the i386 (32-bit) versions of the Lubuntu iso files.

I could install a Lubuntu system with encrypted LVM and encrypted home according to the previous test-case for alternate Lubuntu Vivid beta 1 i386. I could also do it with the corresponding desktop installer.

-o-

I tested the Lubuntu Vivid beta 1 *desktop* ISO file corresponding to the testcase with LVM encrypted disk and encrypted home. It is also reported in the qa-tracker.

The computer is an hp Probook 6450b laptop with Intel i5 cpu:

http://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c02218879

Trying to use the whole drive with encrypted LVM and encrypted home, It complained about existing swap (which is zram), so I had to turn it off with

sudo swapoff -a

and restart Ubiquity. It complained that partman failed:

ubi-partman failed with exit code 141. Further information may be found in /var/log/syslog. Do you want to try ...

The installled system worked, but I had the same error as with the alternate iso file: there is no swap.

I wiped the drive (wrote zeros to the first megabyte using mkusb (dd)) and made an MSDOS partition table using gparted.

Then I tried again with Ubiquity, and succeeded: The installed system works, and there is swap. See the attached file.

-o-

The *alternate* iso does not use zram, so it was enough to wipe [the first megabyte of] the internal drive and create a new partition table. I did that before booting into the alternate iso file, but it could be added into the alternate installer.

Then select No (when asked to install grub, the bootloader) and enter /dev/sda manually ... and success

I have a good Lubuntu installed system with swap and everything works (except maybe the Lubuntu Software Center, which I have never used).

*Summary*

This Lubuntu Vivid 32-bit alternate iso file is in rather good shape. With a little bit of help it can install a good encrypted LVM and
encrypted home system. It should be possible to make the installer wipe the first megabyte or the whole drive (a user choice), and then create an MSDOS partition table before starting the advanced partitioning.

sudodus (nio-wiklund) wrote :

A. I'm afraid that this 64-bit alternate installer does not work in UEFI mode and that it does not create GUID partition tables, so it works only with BIOS/CSM mode and it creates MSDOS partition tables. I think it is a limitation of the alternate installer and not a bug. Use the 64-bit desktop installer for UEFI.

B. I have tested Lubuntu with encrypted disk with the desktop installers and the 32-bit alternate installer. And now I am testing the this 64-bit alternate installer once more ... and it works in the same way as the 32-bit version.

Both alternate installers work according to the attached modified version of the test-case.

I know a little more now about the encrypted systems, not only the test-cases, but also what happens afterwards.

1. We have more than one bug (probably more than two bugs).

2a. All Ubuntu flavour desktop test-cases with encryption have only encrypted disk with LVM, not encrypted home inside the encrypted disk.

2b. I have managed to make cryptswap work (inside encrypted LVM with the alternate installer), but only in the first session. After reboot it disappears.

2c. So I suggest test-cases for Lubuntu alternate and desktop with only encrypted LVM and skip the encrypted home. This way it
will be rather similar to the other Ubuntu flavour desktop test-cases with encryption, and much easier to get working again.

3. The alternate testcase will probably work with some simple changes and the work-around (detour into a text screen) is only to unmount some partition(s) on the target drive. I think it should be done *earlier* than the installer does it now.

4. Knowing this (after a lot of testing) the desktop testcase can probably be simplified too. But there is an additional bug due to the zRAM, that must be switched off or (better) accepted.

Summary: I think that a developer can make encryption work rather easily, so that we can get nice and polished test-cases (that work). I think it is quite possible to revive the alternate test-case before the release of Vivid (with automatic unmounting of that partition, often /dev/sda1).

See the attached text version of a modified Lubuntu alternate test-case. Look for # tags in order to find what is modified.

sudodus (nio-wiklund) wrote :

@phillw:

Comment #8 'Be interesting to hear the opinions of the server team... Did this used to work?'

The Ubuntu server test-case for encryption uses 'only' encrypted disk with LVM, not encrypted home inside it. So this is another indication (alongside the encrypted desktop test-cases), that Lubuntu should do the same thing.

@ everybody:

Skipping 'encrypted home inside encrypted disk with LVM' makes things much easier to get working. My tests today indicate, that the Lubuntu alternate test-case works with this small modification. We need not even unmount any partition earlier than the installer wants to do it.

I just tested that it works with very different original partition tables (GPT and several partitions of various kinds)

- the 64-bit alternate Lubuntu Vivid installer works
- the 32-bit alternate Lubuntu Vivid installer works

I modified the test-case for encryption only at these places:

'No' for encrypted home directory # Changed from 'Yes'. This is the most important modification.

'Yes' unmount mounted partitions in the target drive # Additional item which is important.

'No' to install grub boot loader to master boot record. Instead select the target drive for the bootloader manually. # Changed from 'Yes'. This is optional but I recommend it because the automatic choice often creates problems for me.

-o-

It is not necessary to enter another text screen and unmount any partition earlier than the installer wants to do it.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers