Monday, January 23, 2017

[vjcpssrm] Notes on installing Ubuntu 16.04 to a USB stick

Created an Ubuntu 16.04 amd64 server installer image on a USB stick with unetbootin.  This resulted in an ominous warning message on boot saying things might go wrong if one uses unetbootin.  The warning is probably due to https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775689 or the Ubuntu equivalent.

Retried creating it with Ubuntu's official tool, usb-creator-gtk.  This results in "gfxboot.c32: not a COM32R Image" (https://bugs.launchpad.net/ubuntu/+source/usb-creator/+bug/1325801).  Workaround described at http://ubuntuforums.org/showthread.php?t=2249701, i.e., type help and press Enter.

The underlying problem with the unetbootin route appears to be Debian/Ubuntu's fault: the filenames on the image are longer than 64 characters, violating the Joliet file system standard.  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775689#94

Used mkusb, which requires a PPA (https://help.ubuntu.com/community/mkusb):
sudo add-apt-repository ppa:mkusb/ppa

On a Dell optiplex, the key to trigger boot options is F12.

First interesting experiment was to try to install everything inside LVM, without /boot as a separate partition outside of LVM.  It used to be that one needed /boot outside of LVM, but nowadays grub has an lvm module.  I've been bitten too many times by a too-small /boot partition filling up with too many old kernels, so we'd like to avoid a separate /boot partition.  Let's see if it works.

All these experiments were done by installing Ubuntu onto a 4GB USB key, a somewhat unusual install target (and as mentioned above, from USB key as well).

From experience, choose en_US.UTF-8 locale, not C, because desktop environments fail when there is only a C locale, e.g., terminal programs don't start.

(Experience was that almost no application starts.  uxterm worked.  Trying to start gnome-terminal from inside uxterm gives:
Error constructing proxy for org.gnome.Terminal:/org/gnome/Terminal/Factory0: Error calling StartServiceByName for org.gnome.terminal: GDBus.Error:org.freedesktop.DBus.Error.Spawn.ChildExited: Process org.gnome.Terminal exited with status 8
)

Select noatime as a filesystem mount option because the USB SSD has a limited number of writes.

Things went smoothly until the grub install step.  Choosing any of the disks resulted in an error, e.g., "unable to install grub in /dev/mapper".  One needed to manually specify /dev/sdb.  To know for sure which disk is being installed to, get a shell (Ctrl-Alt-F2) and run pvdisplay.

After install, this much space was used (1K blocks):
/dev/mapper/vg--one-root 3800784 total 1371468 used 2216532 available

Here are the autogenerated grub.cfg and fstab.

The next adventure was to repeat the same idea, but with all of LVM inside a LUKS/dm-crypt encrypted container.

Created the dm-crypt container with System Rescue CD, because I wanted to customize the number of rounds of password hashing.  ArchWiki is pretty good: https://wiki.archlinux.org/index.php/Dm-crypt

System Rescue CD 4.7.3 with the docache boot option is nice.

During the Ubuntu install, the grub install failed.  Looking at the logs (Ctrl-Alt-F4) found:

grub-install: error: attempt to install to encrypted disk without cryptodisk enabled.  Set GRUB_ENABLE_CRYPTODISK=1

Workaround for this involved getting a shell (Ctrl-Alt-F2) and editing /target/etc/default/grub in the installed system to have GRUB_ENABLE_CRYPTODISK=y.  We use "y" and not "1" as the error message states, because of https://savannah.gnu.org/bugs/?41524, which has not been fixed in this version of Ubuntu.

nano is the editor available in the install shell.

After grub, the install completes successfully.  Here are the autogenerated grub.cfg and fstab.

Booting requires typing the disk unlock password twice, once for grub, then again for kernel filesystem mount.  The amount of time it takes to verify a password differs greatly between them.

Aside: http://www.pavelkogan.com/2014/05/23/luks-full-disk-encryption/ describes how to only need to type the password once, into grub.  grub then finds a keyfile on the unlocked disk and passes it to the kernel.  I did not try this hack.

Typing password twice is fine for now.  The grub password prompt, in contrast to the kernel password prompt, does not display a text cursor, so one cannot obviously see if one's keyboard is working properly.  Hitting Enter after typing the password does not advance a visible cursor to the next line.

Ran tasksel to install "Xubuntu minimal".  Also installed firefox.  Also did aptitude full-upgrade, installed a new kernel.  The new kernel did successfully boot, so the necessary grub magic with LUKS and dm-crypt just worked.

During and after full-upgrade, there is a persistent error on both shutdown and boot about lxd-containers.service.  The workaround is to manually restart lxd just once and reboot (http://ubuntuforums.org/showthread.php?t=2326866):
sudo service lxd restart

After removing the old kernel, total 1k blocks used according to df is 2751788, or 77% of the 4 GB drive.  Peak usage was 93% during the upgrade.

Xubuntu does provide the Guest login account.

Next experiment, same but install "Lubuntu minimal".  Lubuntu is lighter than Xubuntu.  After a similar install, 2459872 K used, 69%.

Next experiment, try btrfs because it has transparent compression.  All these experiments were done on a slightly different USB stick, so unfortunately they cannot be compared with the previous experiments.

Sandisk Cruzer Fit is a compact USB stick that does not stick out very much from the USB port.

Setting btrfs compression is done at mount time, not at filesystem creation.  We use Ubuntu Expert Mode (F6 "Other Options" at the boot screen) in order to have pauses between steps.

Creating an encrypted container, then directly creating btrfs inside the encrypted container fails. Red screen "Encryption configuration failure" "You have selected the root file system to be stored on an encrypted partition.  This feature requires a separate /boot partition on which the kernel and initrd can be stored." "You should go back and setup a /boot partition".

Workaround: btrfs inside of LVM inside of encrypted container.

noatime is available as an option in the installer UI.

Expert Mode allows a pause between "Partition disks" and "Install the system".  Get a shell, then 'mount -o remount,compress=lzo,ssd /target'.  /target/home automatically remounts to pick up compress=lzo, according to mount.

Where it asks, choose a generic kernel and a big initrd with "everything" because the usb key might be used to boot a different computer.

System Rescue CD seemed to have problems unmounting LVM on shutdown.  Use vgchange -an and lvchange -an.

Chose to install grub to the EFI removable media path.

Edited /target/etc/fstab to have compress=lzo among the options, and also the ssd option.
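An added helper, not from this post, that makes the fstab edit just described repeatable: it appends the given options (compress=lzo and ssd here) to the options field of every btrfs entry and skips any option that is already present, so running it twice is harmless.  The sample fstab it builds is constructed for the demonstration; vg--one-root is the volume group name from the earlier experiment and the vfat UUID is a placeholder.

```shell
# Added example (not from the post): make the manual edit to /target/etc/fstab
# repeatable. Appends the given options to the 4th field of every btrfs
# entry, skipping any option already present, and passes other lines through.
# $1 = fstab path, remaining args = options to add, e.g. compress=lzo ssd
add_btrfs_opts() {
    fstab=$1; shift
    awk -v wanted="$*" '
        # comments and short lines are passed through untouched
        /^[ \t]*#/ || NF < 4 { print; next }
        $3 != "btrfs" { print; next }
        {
            n = split(wanted, add, " ")
            opts = $4
            for (i = 1; i <= n; i++) {
                # wrap in commas so "ssd" does not match inside another option
                hay = "," opts ","
                needle = "," add[i] ","
                if (index(hay, needle) == 0) opts = opts "," add[i]
            }
            $4 = opts        # rebuilds the line with single-space separators
            print
        }' "$fstab"
}

# Constructed sample in fstab format: btrfs root and home on the @ and @home
# subvolumes inside LVM, plus an EFI partition with a placeholder UUID.
sample_fstab() {
    printf '%s\n' \
        '# constructed sample, not a real system fstab' \
        '/dev/mapper/vg--one-root / btrfs defaults,subvol=@,noatime 0 1' \
        '/dev/mapper/vg--one-root /home btrfs defaults,subvol=@home,noatime 0 2' \
        'UUID=XXXX-XXXX /boot/efi vfat umask=0077 0 1'
}
```

Review the output before copying it over the real fstab, then 'mount -o remount /' picks up the new options.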

In retrospect, an encrypted home directory and filesystem compression don't work so well together.  ecryptfs does not have compression (https://bugs.launchpad.net/ecryptfs/+bug/492237, marked "Won't fix").  Read about the CRIME and BREACH exploits against compress-then-encrypt.

Mistyping the disk encryption password into grub does not result in a prompt to try again, but in a grub shell instead.  Reboot to try again.

Usually avoid recommended packages, especially on this limited disk system.  But xul-ext-ubufox seems like a good recommended package to install.

All the extra package installs were done in console (Ctrl-Alt-F1) to avoid disk space usage of starting X (window manager caches, initial config, etc).

After lubuntu, full-upgrade, firefox, xul-ext-ubufox on compress=lzo:
3903488 1K total, 2573916 used, 917156 available, 74%
After reboot:
3903488 2545980 944868 73% (slight improvement)

This is higher than the 69% on a different disk.

Plan is to add an additional usb stick if we need swap.

Unlocking the disk in grub 15.75 sec.  Later during Linux boot, unlocking the same disk on the same computer takes 6.68 sec.  Grub is clearly not using the most efficient password hashing code.

Creating the container with cryptsetup -i 20000 makes unlocking take 26 seconds in grub and 11 seconds in linux.

btrfs: ubuntu creates @ and @home subvolumes automatically.

Instead of editing /etc/default/grub directly, let's try putting GRUB_ENABLE_CRYPTODISK=y in /etc/default/grub.d (not to be confused with /etc/grub.d).  It needs to be a file with the extension .cfg (https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/901600; the bug also complains about the lack of documentation).  /usr/sbin/grub-mkconfig is the script that reads these files.
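An added check, not from this post, that mirrors how grub-mkconfig assembles the settings discussed here and in the GRUB_ENABLE_CRYPTODISK workaround above: it sources /etc/default/grub and then every /etc/default/grub.d/*.cfg, so a drop-in overrides the main file, and then tests for the literal "y" that grub-install accepts rather than the "1" its error message suggests.  The directory layout it operates on is a constructed sandbox, not the real /etc.

```shell
# Added example (not from the post). Mirrors how grub-mkconfig gathers
# settings: source /etc/default/grub, then every /etc/default/grub.d/*.cfg
# in glob order, so a later drop-in overrides an earlier value.
# $1 = directory standing in for /etc (a constructed sandbox here).
effective_cryptodisk() {
    (
        GRUB_ENABLE_CRYPTODISK=
        [ -r "$1/default/grub" ] && . "$1/default/grub"
        for f in "$1"/default/grub.d/*.cfg; do
            # drop-ins are sourced as shell, and only *.cfg files are read
            [ -r "$f" ] && . "$f"
        done
        printf '%s' "$GRUB_ENABLE_CRYPTODISK"
    )
}

# grub-install compares the value against the literal string "y"; the "1"
# suggested by its own error message is not accepted (savannah bug 41524).
cryptodisk_enabled() {
    [ "$(effective_cryptodisk "$1")" = "y" ]
}

# Constructed sandbox: /etc/default/grub holds the "1" the error message
# suggests, and a grub.d drop-in corrects it to "y".
make_sandbox() {
    sb=$(mktemp -d)
    mkdir -p "$sb/default/grub.d"
    printf 'GRUB_DEFAULT=0\nGRUB_ENABLE_CRYPTODISK=1\n' > "$sb/default/grub"
    printf 'GRUB_ENABLE_CRYPTODISK=y\n' > "$sb/default/grub.d/50-cryptodisk.cfg"
    printf '%s' "$sb"
}
```

Point it at the real /etc (or /target/etc from the installer shell) to confirm the value grub-install will see before re-running grub-install.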

dmesg log, both at boot and during full-upgrade:
BTRFS error (device dm-1): could not find root 8

aptitude full-upgrade took 40 minutes

During aptitude purge of the old linux image:
File descriptor 4 (/) leaked on vgs invocation. Parent PID 5071: grub-probe

tasksel lubuntu minimal took 194 minutes.

After firefox and xul-ext-ubufox:
3903488 2532984 951304 73%

This provides about 7MB more than lzo, but a very small improvement, which is strange.

/usr/lib is 570 MB, and gzip -v reports 61.2% compression as a tar.

btrfs mount option compress-force=zlib: df says "3903488 2461512 1025048 71%", so not much of an improvement.

Weird issue on the console: the cursor jumps to column 1 about a minute after boot.

Remove the old linux kernel and linux-headers to save space:
sudo aptitude purge linux-headers-4.4.0-21
which removes the generic package as a reverse dependency.

Final:
2298488 1143560 67%
