Configure LVM and RAID on encrypted devices

This article is a step-by-step guide to running Logical Volume Management (LVM) and RAID on top of devices encrypted with Azure Disk Encryption. The process applies to the following environments:

  • Linux distributions
    • CentOS 7.6+
    • Ubuntu 18.04+
    • SUSE 12+
  • Azure Disk Encryption single-pass extension
  • Azure Disk Encryption dual-pass extension

Scenarios

The procedures in this article support the following scenarios:

  • Configure LVM on top of encrypted devices (LVM-on-crypt)
  • Configure RAID on top of encrypted devices (RAID-on-crypt)

After the underlying device or devices are encrypted, you create the LVM or RAID structures on top of that encrypted layer.

For LVM, the physical volumes (PVs) are created on top of the encrypted layer, the physical volumes are used to create the volume group, and you then create the logical volumes and add the required entries to /etc/fstab.

Diagram: LVM structure layers

In a similar way, the RAID device is created on top of the encrypted layer on the disks. A file system is created on top of the RAID device and added to /etc/fstab as a regular device.

Considerations

We recommend LVM-on-crypt. RAID is an option when LVM can't be used because of specific application or environment limitations.

You'll use the EncryptFormatAll option. For more information about this option, see Use the EncryptFormatAll feature for data disks on Linux VMs.

Although you can use this method when you're also encrypting the OS, this article encrypts only the data drives.

The procedures assume that you have already reviewed the prerequisites in Azure Disk Encryption scenarios on Linux VMs and in Quickstart: Create and encrypt a Linux VM with the Azure CLI.

The Azure Disk Encryption dual-pass version is on a deprecation path and should no longer be used for new encryptions.

General steps

When you're using the "on-crypt" configurations, follow the process outlined in the following procedures.

Note

Variables are used throughout the article. Replace the values accordingly.

Deploy a VM

The following commands are optional, but we recommend that you apply them on a newly deployed virtual machine (VM).

PowerShell:

New-AzVm -ResourceGroupName ${RGNAME} `
    -Name ${VMNAME} `
    -Location ${LOCATION} `
    -Size ${VMSIZE} `
    -Image ${OSIMAGE} `
    -Credential ${creds} `
    -Verbose

Azure CLI:

az vm create \
    -n ${VMNAME} \
    -g ${RGNAME} \
    --image ${OSIMAGE} \
    --admin-username ${username} \
    --admin-password ${password} \
    -l ${LOCATION} \
    --size ${VMSIZE} \
    -o table

Attach disks to the VM

Repeat the following commands for the $N new disks that you want to attach to the VM, changing the disk name suffix and the LUN for each one.

PowerShell:

$storageType = 'Standard_LRS'
$dataDiskName = ${VMNAME} + '_datadisk0'   # increment the suffix and -Lun for each additional disk
$diskConfig = New-AzDiskConfig -SkuName $storageType -Location $LOCATION -CreateOption Empty -DiskSizeGB 5
$dataDisk1 = New-AzDisk -DiskName $dataDiskName -Disk $diskConfig -ResourceGroupName ${RGNAME}
$vm = Get-AzVM -Name ${VMNAME} -ResourceGroupName ${RGNAME}
$vm = Add-AzVMDataDisk -VM $vm -Name $dataDiskName -CreateOption Attach -ManagedDiskId $dataDisk1.Id -Lun 0
Update-AzVM -VM $vm -ResourceGroupName ${RGNAME}

Azure CLI:

az vm disk attach \
    -g ${RGNAME} \
    --vm-name ${VMNAME} \
    --name ${VMNAME}datadisk1 \
    --size-gb 5 \
    --new \
    -o table

Verify that the disks are attached to the VM

PowerShell:

$VM = Get-AzVM -ResourceGroupName ${RGNAME} -Name ${VMNAME}
$VM.StorageProfile.DataDisks | Select-Object Lun,Name,DiskSizeGB

Screenshot: list of attached disks in PowerShell

Azure CLI:

az vm show -g ${RGNAME} -n ${VMNAME} --query storageProfile.dataDisks -o table

Screenshot: list of attached disks in the Azure CLI

Portal:

Screenshot: list of attached disks in the portal

OS:

lsblk

Screenshot: list of attached disks in the OS

Configure the disks to be encrypted

This configuration is done at the operating system level. The corresponding disks are prepared for a traditional encryption through Azure Disk Encryption, which is what EncryptFormatAll acts on (mounted data disks with a file system and an /etc/fstab entry):

  • File systems are created on top of the disks.
  • Temporary mount points are created to mount the file systems.
  • File systems are configured in /etc/fstab to be mounted at boot time.

Because EncryptFormatAll formats the disks, any data already on them is destroyed; only use this procedure on new, empty data disks.

Check the device letters assigned to the new disks. In this example, four data disks are used.

lsblk

Screenshot: data disks attached to the OS

Create a file system on top of each disk

This command creates an ext4 file system on each disk listed in the "in" part of the "for" loop. The -F flag makes mkfs.ext4 proceed even if a signature is already present, so check the letters against the lsblk output before you run it: /dev/sd* letters are assigned in enumeration order and can change across reboots (on Azure images with the platform udev rules, /dev/disk/azure/scsi1/lun<N> is a stable per-LUN path).

for disk in c d e f; do mkfs.ext4 -F /dev/sd${disk}; done

Screenshot: ext4 file systems created

Find the universally unique identifier (UUID) of each file system that you just created, create a temporary folder, add the corresponding entry to /etc/fstab, and then mount all the file systems.

This loop also iterates over each disk listed in the "in" part of the "for" loop; the nofail option keeps a missing disk from blocking boot:

for disk in c d e f; do
    diskuuid="$(blkid -s UUID -o value /dev/sd${disk})"
    mkdir -p /tempdata${disk}
    echo "UUID=${diskuuid} /tempdata${disk} ext4 defaults,nofail 0 0" >> /etc/fstab
done
mount -a

Verify that the disks are mounted properly

lsblk

Screenshot: list of mounted temporary file systems

Also verify that the disks are configured in fstab:

cat /etc/fstab

Screenshot: configuration information in fstab

Encrypt the data disks

PowerShell using a key encryption key (KEK):

$sequenceVersion = [Guid]::NewGuid()
Set-AzVMDiskEncryptionExtension -ResourceGroupName $RGNAME `
    -VMName ${VMNAME} `
    -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl `
    -DiskEncryptionKeyVaultId $KeyVaultResourceId `
    -KeyEncryptionKeyUrl $keyEncryptionKeyUrl `
    -KeyEncryptionKeyVaultId $KeyVaultResourceId `
    -VolumeType 'DATA' `
    -EncryptFormatAll `
    -SequenceVersion $sequenceVersion `
    -SkipVmBackup

Azure CLI using a KEK:

az vm encryption enable \
    --resource-group ${RGNAME} \
    --name ${VMNAME} \
    --disk-encryption-keyvault ${KEYVAULTNAME} \
    --key-encryption-key ${KEYNAME} \
    --key-encryption-keyvault ${KEYVAULTNAME} \
    --volume-type "DATA" \
    --encrypt-format-all \
    -o table

Verify the encryption status

Continue to the next step only when all the disks show as encrypted.

PowerShell:

Get-AzVmDiskEncryptionStatus -ResourceGroupName ${RGNAME} -VMName ${VMNAME}

Screenshot: encryption status in PowerShell

Azure CLI:

az vm encryption show -n ${VMNAME} -g ${RGNAME} -o table

Screenshot: encryption status in the Azure CLI

Portal:

Screenshot: encryption status in the portal

OS level (each data disk should now show FSTYPE crypto_LUKS with a crypt child device under /dev/mapper):

lsblk

Screenshot: encryption status in the OS

The extension records the encrypted file systems in /var/lib/azure_disk_encryption_config/azure_crypt_mount (older encryptions) or in /etc/crypttab (newer encryptions).

Note

Do not modify either of these files.

This file takes care of unlocking the encrypted disks during the boot process so that LVM or RAID can use them afterwards.

Don't worry about the mount points recorded in that file. Once you create a physical volume or a RAID device on top of the encrypted devices, the ext4 file system used during preparation is overwritten, so Azure Disk Encryption can no longer mount those devices as plain file systems. That is expected: the unlock still happens at boot, and LVM or RAID then assembles on top of the unlocked /dev/mapper devices.

Remove the temporary folders and temporary fstab entries

Unmount the file systems on the disks that will be used as part of LVM (or RAID):

for disk in c d e f; do umount /tempdata${disk}; done

And remove the /tempdata* entries from /etc/fstab, leaving the OS and resource-disk entries in place:

vi /etc/fstab

Verify that the disks are not mounted and that the entries on /etc/fstab were removed

lsblk

Screenshot: temporary file systems unmounted

And verify that the temporary entries are gone from /etc/fstab:

cat /etc/fstab

Screenshot: temporary fstab entries removed

Steps for LVM-on-crypt

Now that the underlying disks are encrypted, you can create the LVM structures.

Instead of using the device name, use the /dev/mapper path for each of the disks to create a physical volume (on the crypt layer on top of the disk, not on the disk itself). Running pvcreate against /dev/sdX would bypass the encryption layer and overwrite the LUKS header, destroying the encrypted volume.

Configure LVM on top of the encrypted layers

Create the physical volumes

You'll get a warning that asks if it's OK to wipe out the file system signature (the ext4 signature left over from the preparation step). Continue by entering y, or pipe echo "y" as shown:

echo "y" | pvcreate /dev/mapper/c49ff535-1df9-45ad-9dad-f0846509f052
echo "y" | pvcreate /dev/mapper/6712ad6f-65ce-487b-aa52-462f381611a1
echo "y" | pvcreate /dev/mapper/ea607dfd-c396-48d6-bc54-603cf741bc2a
echo "y" | pvcreate /dev/mapper/4159c60a-a546-455b-985f-92865d51158c

Screenshot: physical volumes created

Note

Replace the /dev/mapper/<device> names here with your actual values, based on the output of lsblk.
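Reading the /dev/mapper names off the lsblk output by hand, and confirming that every data disk really is LUKS-formatted before you touch it (the gate the "Verify the encryption status" step above insists on), can be scripted. The following bash is an added example; it is not code from the original article or from the Azure Disk Encryption extension. It parses the key=value form produced by `lsblk -P -o NAME,TYPE,FSTYPE,PKNAME`; the sample output embedded in it is constructed (sdc, sdd and sde encrypted and open, sdf still plain ext4) and reuses the mapper names shown above.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: derive the crypt-layer devices that
# pvcreate / vgcreate / mdadm must be pointed at, and gate on "every data disk is
# LUKS-formatted" before continuing. Input is `lsblk -P -o NAME,TYPE,FSTYPE,PKNAME`.
# Constructed sample: sdc, sdd, sde are encrypted and open; sdf is still plain ext4.
SAMPLE_LSBLK='NAME="sda" TYPE="disk" FSTYPE="" PKNAME=""
NAME="sda1" TYPE="part" FSTYPE="ext4" PKNAME="sda"
NAME="sdb" TYPE="disk" FSTYPE="" PKNAME=""
NAME="sdb1" TYPE="part" FSTYPE="ext4" PKNAME="sdb"
NAME="sdc" TYPE="disk" FSTYPE="crypto_LUKS" PKNAME=""
NAME="c49ff535-1df9-45ad-9dad-f0846509f052" TYPE="crypt" FSTYPE="ext4" PKNAME="sdc"
NAME="sdd" TYPE="disk" FSTYPE="crypto_LUKS" PKNAME=""
NAME="6712ad6f-65ce-487b-aa52-462f381611a1" TYPE="crypt" FSTYPE="ext4" PKNAME="sdd"
NAME="sde" TYPE="disk" FSTYPE="crypto_LUKS" PKNAME=""
NAME="ea607dfd-c396-48d6-bc54-603cf741bc2a" TYPE="crypt" FSTYPE="ext4" PKNAME="sde"
NAME="sdf" TYPE="disk" FSTYPE="ext4" PKNAME=""'

# Emit the lsblk text passed as $1, or query the live system when none is given.
lsblk_text() {
  if [ -n "$1" ]; then printf '%s\n' "$1"; else lsblk -P -o NAME,TYPE,FSTYPE,PKNAME; fi
}

# One "disk /dev/mapper/name" pair per open crypt device, in lsblk order.
# Splitting on the double quote puts NAME in $2, TYPE in $4, FSTYPE in $6, PKNAME in $8.
crypt_devices() {
  lsblk_text "$1" | awk -F'"' '$4 == "crypt" { print $8, "/dev/mapper/" $2 }'
}

# Just the mapper paths, space separated, ready to hand to pvcreate, vgcreate or mdadm.
mapper_paths() {
  crypt_devices "$1" | awk '{ printf "%s%s", (NR > 1 ? " " : ""), $2 } END { print "" }'
}

# $1: the data disks from the preparation loop, e.g. "sdc sdd sde sdf"; $2: lsblk text.
# Prints every listed disk whose whole-disk FSTYPE is not yet crypto_LUKS. Non-empty
# output means Azure Disk Encryption is not finished: do not create PVs or RAID members.
unencrypted_disks() {
  lsblk_text "$2" | awk -F'"' -v want="$1" '
    BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) pending[w[i]] = 1 }
    $4 == "disk" && ($2 in pending) && $6 == "crypto_LUKS" { delete pending[$2] }
    END { for (d in pending) print d }' | sort
}

# Live usage on the VM (no lsblk argument, so the functions query the system):
#   [ -z "$(unencrypted_disks "sdc sdd sde sdf")" ] && pvcreate $(mapper_paths)
```

With the constructed sample, `unencrypted_disks "sdc sdd sde sdf"` reports `sdf`, so the guard refuses to run pvcreate; once all four disks show crypto_LUKS the output is empty and `mapper_paths` yields the four /dev/mapper arguments for the vgcreate or mdadm command.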

Verify the information for the physical volumes

pvs

Screenshot: physical volume information

Create the volume group

Create the volume group by using the same devices already initialized as physical volumes (pass the /dev/mapper paths, not the directory):

vgcreate vgdata /dev/mapper/c49ff535-1df9-45ad-9dad-f0846509f052 \
    /dev/mapper/6712ad6f-65ce-487b-aa52-462f381611a1 \
    /dev/mapper/ea607dfd-c396-48d6-bc54-603cf741bc2a \
    /dev/mapper/4159c60a-a546-455b-985f-92865d51158c

Check the information for the volume group

vgdisplay -v vgdata
pvs

Screenshot: volume group information

Create logical volumes

lvcreate -L 10G -n lvdata1 vgdata
lvcreate -L 7G -n lvdata2 vgdata

Check the created logical volumes

lvdisplay
lvdisplay vgdata/lvdata1
lvdisplay vgdata/lvdata2

Screenshot: logical volume information

Create file systems on top of the logical volumes

echo "yes" | mkfs.ext4 /dev/vgdata/lvdata1
echo "yes" | mkfs.ext4 /dev/vgdata/lvdata2

Create the mount points for the new file systems

mkdir /data0
mkdir /data1

Add the new file systems to /etc/fstab and mount them

echo "/dev/mapper/vgdata-lvdata1 /data0 ext4 defaults,nofail 0 0" >>/etc/fstab
echo "/dev/mapper/vgdata-lvdata2 /data1 ext4 defaults,nofail 0 0" >>/etc/fstab
mount -a

Verify that the new file systems are mounted

lsblk -fs
df -h

Screenshot: console window with the file systems mounted as data0 and data1

In this variation of lsblk, the -s (inverse) option lists the devices with their dependencies in reverse order, so each logical volume is shown with the crypt layer and the physical disk beneath it. This helps identify the devices grouped by logical volume instead of by the original /dev/sd[disk] device names.

It's important to make sure that the nofail option is added to the mount options of the LVM volumes created on top of a device encrypted through Azure Disk Encryption. It prevents the OS from getting stuck during the boot process (or dropping into maintenance mode).

If you don't use the nofail option:

  • The OS never gets to the stage where Azure Disk Encryption is started and the data disks are unlocked, because systemd treats the mount as required and waits for a device that cannot appear yet.
  • The encrypted disks are unlocked only at the end of the boot process; the LVM volumes and file systems can't be mounted until Azure Disk Encryption has unlocked them, so a required mount times out and boot stops in emergency mode.

You can test this by rebooting the VM and validating that the file systems are also automatically mounted after boot. This process might take several minutes, depending on the number and sizes of the file systems.

Reboot the VM and verify after reboot

shutdown -r now
lsblk
df -h

Steps for RAID-on-crypt

Now that the underlying disks are encrypted, you can continue to create the RAID structures. The process is the same as the one for LVM, but instead of using the device name, use the /dev/mapper path (the crypt layer) for each disk, never the raw /dev/sdX device.

Configure RAID on top of the encrypted layer of the disks

This example builds a RAID 0 (striped, no redundancy) array; choose the level your workload requires.

mdadm --create /dev/md10 \
    --level 0 \
    --raid-devices=4 \
    /dev/mapper/c49ff535-1df9-45ad-9dad-f0846509f052 \
    /dev/mapper/6712ad6f-65ce-487b-aa52-462f381611a1 \
    /dev/mapper/ea607dfd-c396-48d6-bc54-603cf741bc2a \
    /dev/mapper/4159c60a-a546-455b-985f-92865d51158c

Screenshot: RAID information from the mdadm command

Note

Replace the /dev/mapper/<device> names here with your actual values, based on the output of lsblk.

Check/monitor RAID creation

watch -n1 cat /proc/mdstat
mdadm --examine /dev/mapper/[]      # one of the member crypt devices
mdadm --detail /dev/md10

Screenshot: RAID status

Create a file system on top of the new RAID device

mkfs.ext4 /dev/md10

Create a new mount point for the file system, add the new file system to /etc/fstab (by UUID, with nofail), and mount it:

diskuuid="$(blkid -s UUID -o value /dev/md10)"
mkdir -p /raiddata
echo "UUID=${diskuuid} /raiddata ext4 defaults,nofail 0 0" >> /etc/fstab
mount -a

Verify that the new file system is mounted:

lsblk -fs
df -h

Screenshot: console window with the file system mounted as raiddata

It's important to make sure that the nofail option is added to the mount options of the RAID volumes created on top of a device encrypted through Azure Disk Encryption. It prevents the OS from getting stuck during the boot process (or dropping into maintenance mode).

If you don't use the nofail option:

  • The OS never gets to the stage where Azure Disk Encryption is started and the data disks are unlocked, because systemd treats the mount as required and waits for a device that cannot appear yet.
  • The encrypted disks are unlocked only at the end of the boot process; the RAID array and its file system can't be assembled and mounted until Azure Disk Encryption has unlocked the members, so a required mount times out and boot stops in emergency mode.

You can test this by rebooting the VM and validating that the file systems are also automatically mounted after boot. This process might take several minutes, depending on the number and sizes of the file systems.

shutdown -r now

And when you can log in again:

lsblk
df -h
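Both the LVM-on-crypt and RAID-on-crypt sections above stress the nofail option. The following bash is an added example, not from the original article, that audits an fstab for data mounts missing the option and produces a repaired copy. Its sample fstab is constructed (the UUIDs are placeholders), and the rule that skips /, /boot* and swap is this example's heuristic, not an Azure Disk Encryption rule.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: find data mounts in /etc/fstab that
# lack nofail (they would block boot until Azure Disk Encryption unlocks the disks,
# which happens late) and emit a repaired copy. Constructed sample; UUIDs are fake.
SAMPLE_FSTAB='UUID=11111111-1111-1111-1111-111111111111 / ext4 defaults 0 0
UUID=2222-2222 /boot/efi vfat umask=0077 0 0
/dev/disk/cloud/azure_resource-part1 /mnt auto defaults,nofail,x-systemd.requires=cloud-init.service 0 2
/dev/mapper/vgdata-lvdata1 /data0 ext4 defaults,nofail 0 0
/dev/mapper/vgdata-lvdata2 /data1 ext4 defaults 0 0
UUID=33333333-3333-3333-3333-333333333333 /raiddata ext4 defaults 0 0
# temporary /tempdata* entries were removed before pvcreate'

# Emit the fstab text passed as $1, or the live /etc/fstab when none is given.
fstab_text() {
  if [ -n "$1" ]; then printf '%s\n' "$1"; else cat /etc/fstab; fi
}

# Heuristic: everything except /, /boot* and swap is a data mount that must not be
# allowed to block boot. Prints "device mountpoint" for each such entry without nofail.
fstab_missing_nofail() {
  fstab_text "$1" | awk '
    NF == 0 || $1 ~ /^#/ { next }                       # blank lines and comments
    $2 == "/" || $2 ~ /^\/boot/ || $3 == "swap" { next } # boot-critical, left alone
    { ok = 0; n = split($4, opt, ",")
      for (i = 1; i <= n; i++) if (opt[i] == "nofail") ok = 1
      if (!ok) print $1, $2 }'
}

# Same skip rule, but rewrites: appends nofail to the options field of every data mount
# that lacks it and passes all other lines through unchanged. Idempotent. Note that awk
# rebuilds a changed record, so tabs between its fields become single spaces.
fstab_with_nofail() {
  fstab_text "$1" | awk '
    NF == 0 || $1 ~ /^#/ || $2 == "/" || $2 ~ /^\/boot/ || $3 == "swap" { print; next }
    { has = 0; n = split($4, opt, ",")
      for (i = 1; i <= n; i++) if (opt[i] == "nofail") has = 1
      if (!has) $4 = $4 ",nofail"
      print }'
}

# Live usage on the VM: audit, then write a repaired copy and review it before swapping
# it in and running `mount -a` (a failing `mount -a` here is far cheaper than a reboot
# into emergency mode).
#   fstab_missing_nofail
#   fstab_with_nofail > /etc/fstab.new && diff /etc/fstab /etc/fstab.new
```

On the constructed sample, the audit reports `/dev/mapper/vgdata-lvdata2 /data1` and the `/raiddata` entry, and after `fstab_with_nofail` the audit of the result is empty while the root, /boot/efi and comment lines are byte-for-byte unchanged.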

Next steps