Constructing IT Infrastructure — A Diary + Part V: Creating images

TL;DR We need to create an image and back it up. To construct an image we need to construct a pendrive. This ensures we are free and have more security in place against physical hackers. Clonezilla does not work in a high-security setting. To craft an image, we utilise KVM on a high-security machine.

Julian M. Kleber
5 min read · Jun 12, 2023

We spent a couple of days choosing our distribution and installing it. But what now? We don’t want to do that every other week so we basically need to find a way to distribute our OS independently.

We need to make a backup. Lets see what works for an encrypted developer machine first. A server image that is not encrypted will for sure be easier and would probably work with the same method.

Deployment to a single machine should use the reverse method and deployment to multiple machines will use a completely different method.

Choosing a tool

Godzilla Icon generated with NightCafe.

As far as my research goes there are only two tools possible: dd and Clonezilla.

I tried Clonezilla for backing up a LUKS-encrypted Debian, but that did not work. Using dd is a little bit complicated and requires some knowledge. Lucky you, I researched it for you.

  1. You will need a live USB stick to dd your hard drive, because dd may break systems while they are running. That means the system you want to copy should not be running while you are copying it.
  2. I chose to make a Clonezilla bootable because it will be useful for multi-server deployments and can run dd as well. We have already used two of our three bootables. I actually used all three, because I have one for the Debian netinstall and one for the Debian full image.
  3. dd also copies empty bytes by default. However, we may get around this problem in several ways (see the commands below).

Useful commands during the administration process

In the Clonezilla bootable you can gain shell access. Note that sudo is not password-protected here. This is common for live images, and you might consider setting up your own live system with root protection.

Useful commands include:

fdisk -l   # list all disks and their partition tables (not only mounted ones)
touch      # create files
nano       # edit files
dd         # do the actual byte-for-byte copy
gzip       # compress files
gunzip     # uncompress files

One basic command should be:

dd if=/dev/nvme0n1 of=/dev/sda2 bs=1M conv=noerror,sync status=progress

However, including oflag=direct is the way around the empty-bytes issue mentioned above:

dd if=/dev/nvme0n1 of=/dev/sda2 bs=64K conv=noerror,sync status=progress oflag=direct

Finally, we would like to compress the clone into an image using gzip:

sudo dd if=/dev/sda conv=sync,noerror bs=64K status=progress oflag=direct | gzip -c  > /PATH/TO/DRIVE/backup_image.img.gz

To restore, we unzip and write the image back:

gunzip -c /PATH/TO/DRIVE/backup_image.img.gz | dd of=/dev/sda

For more info you could read the blog.

GUI

To avoid mistakes, and if you don’t want to use a script, you could also use the GUI of your pendrive. We created a pendrive in this article. If you are using GNOME you can just use the Disks utility to create an image.

You can restore using the utility, too.

Tips

  1. Until you have a really good image, start small. You could choose a size of 80 GB; then the process of restoring the image is much easier.
  2. Use a pendrive instead of Clonezilla or a live installation.
  3. Resize the encrypted partition when needed (see the cryptsetup commands at the end of the article).
  4. When developing an image, install it first using a small partition.

Explanation

  • bs: sets the block size for the copy (the default is 512 bytes, which doesn’t work well for larger drives)
  • noerror: instructs dd to continue operating, ignoring all read errors
  • sync: instructs dd to pad short input blocks (for example after a read error) with zeroes up to the full block size
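The backup and restore commands above, and the conv=sync behaviour explained in this list, as an added example that is not part of the original article: it runs the same dd | gzip pipeline and the gunzip | dd restore against a constructed 4 MiB file standing in for a drive (no root or spare disk needed), then performs the check a bare dd run does not give you, a byte-for-byte comparison of source and restored copy. The file names under a temporary directory are assumptions of the example; on a real machine the source would be a device such as /dev/sda. oflag=direct is left out because it only bypasses the page cache of a real device; the zero run in the sample is what gzip shrinks in the image.

```shell
#!/bin/sh
# Added example (not from the article): dd + gzip backup, restore and verify,
# on a constructed stand-in for a disk. All paths live in a temp directory.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for a drive: 1 MiB random, 2 MiB zeros, 1 MiB random.
# The zero run is what makes the gzip'd image much smaller than the raw copy.
make_fake_disk() {  # make_fake_disk PATH
  head -c 1048576 /dev/urandom > "$1"
  dd if=/dev/urandom of="$1" bs=1M count=1 seek=3 conv=notrunc iflag=fullblock status=none
}

# Same pipeline as the article's backup command. conv=sync pads a short last
# block with zeros, so the image is rounded up to a multiple of bs; harmless
# for a whole disk (sizes are sector multiples), but it means the restored
# copy of an arbitrary file can be slightly longer than the original.
backup_image() {  # backup_image SRC IMG.gz
  dd if="$1" bs=64K conv=sync,noerror status=none | gzip -c > "$2"
}

# Mirror of the article's restore command.
restore_image() {  # restore_image IMG.gz DEST
  gunzip -c "$1" | dd of="$2" bs=64K status=none
}

# Verify the restored bytes match the source before trusting the image.
# Returns 0 on match, 1 on any difference.
verify_restore() {  # verify_restore SRC DEST
  cmp -s "$1" "$2"
}

# Full round trip: backup, restore, report sizes, return 0 when identical.
roundtrip() {  # roundtrip SRC
  img="$WORK/backup.img.gz"; dest="$WORK/restored.img"
  backup_image "$1" "$img"
  restore_image "$img" "$dest"
  echo "raw: $(wc -c < "$1") bytes, compressed image: $(wc -c < "$img") bytes"
  verify_restore "$1" "$dest"
}

# conv=sync in action: a 100-byte input copied with bs=64 comes out as two
# full blocks, i.e. 128 bytes, the tail padded with zeros.
sync_padded_size() {
  head -c 100 /dev/urandom > "$WORK/short.bin"
  dd if="$WORK/short.bin" of="$WORK/short.out" bs=64 conv=sync status=none
  wc -c < "$WORK/short.out"
}

make_fake_disk "$WORK/disk.img"
if roundtrip "$WORK/disk.img"; then
  echo "restore verified: source and restored copy are identical"
else
  echo "MISMATCH between source and restored copy"; exit 1
fi
echo "100 bytes copied with bs=64 conv=sync -> $(sync_padded_size) bytes"
```

The size line shows the effect of the zero run: the compressed image is far smaller than the 4 MiB source, while the random parts stay roughly the same size. Running the verify step against a real restore target requires the same comparison between the device nodes, which only makes sense while nothing is mounted from either of them.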

Manual Partitioning

My whole life I was too lazy for it. But since we are fiddling around with moving the system back and forth, we have to dig into this.

Maybe we can also learn about how we can make the default partitioning more secure. Remember it is an iterative process and does not have to be perfect the first try.

You can always work with your pendrive while your dev image is not yet done. We can conclude that all of this is either the same or much easier when constructing the server image.

What we need:

  1. Separate /home, /tmp and /var for security
  2. Encrypt as much as possible, even /boot
  3. Consider whether our machine has EFI or BIOS -> different partitioning
  4. Do not use more than 80 GB, for easy moving of the image
  5. Be able to resize the partition later on

Manual partitioning helps us with the backup process of our machines. It is easier to keep the system files and the home directory separate, and we can even have multiple, tiered encryption layers, making everything harder for an intruder.
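One concrete payoff of the "separate /home, /tmp and /var" requirement is that each of them can then carry its own restrictive mount options, which is impossible while they live on the root filesystem. The following is an added example, not part of the article: it audits a constructed /etc/fstab for that separation and for nodev,nosuid,noexec on /tmp. The fstab content, the EFI UUID placeholder and the logical volume names are constructed for the example (the vgmint volume group name is borrowed from the cryptsetup commands at the end of the article).

```shell
#!/bin/sh
# Added example (not from the article): check an fstab for separate
# /home, /tmp and /var and for hardening options on /tmp.
set -eu

# Constructed sample fstab. UUID=PLACEHOLDER-EFI is a placeholder.
SAMPLE_FSTAB=$(cat <<'EOF'
# <file system>          <mount point> <type> <options>                    <dump> <pass>
/dev/mapper/vgmint-root  /             ext4   errors=remount-ro            0 1
UUID=PLACEHOLDER-EFI     /boot/efi     vfat   umask=0077                   0 1
/dev/mapper/vgmint-home  /home         ext4   defaults,nodev,nosuid        0 2
/dev/mapper/vgmint-tmp   /tmp          ext4   defaults,nodev,nosuid,noexec 0 2
/dev/mapper/vgmint-var   /var          ext4   defaults,nodev,nosuid        0 2
EOF
)

# mount_options FSTAB MOUNTPOINT -> prints the option string of that mount
# point, or nothing if it has no line of its own (i.e. it is part of /).
mount_options() {
  printf '%s\n' "$1" | awk -v mp="$2" '$0 !~ /^#/ && $2 == mp { print $4 }'
}

# has_option OPTS NAME -> 0 if NAME is one of the comma-separated options
has_option() {
  printf ',%s,' "$1" | grep -qF ",$2,"
}

# check_separation FSTAB -> one line per required mount point; returns 1
# if any of /home /tmp /var is still on the root filesystem.
check_separation() {
  rc=0
  for mp in /home /tmp /var; do
    if [ -n "$(mount_options "$1" "$mp")" ]; then
      echo "$mp: separate"
    else
      echo "$mp: NOT separate (lives on the root filesystem)"; rc=1
    fi
  done
  return $rc
}

# check_tmp_hardening FSTAB -> 0 when /tmp carries nodev, nosuid and noexec
check_tmp_hardening() {
  opts=$(mount_options "$1" /tmp)
  for o in nodev nosuid noexec; do
    has_option "$opts" "$o" || { echo "/tmp: missing $o"; return 1; }
  done
  echo "/tmp: nodev,nosuid,noexec present"
}

check_separation "$SAMPLE_FSTAB"
check_tmp_hardening "$SAMPLE_FSTAB"
```

Dropping the /tmp line from the sample makes check_separation report it as part of the root filesystem and return 1, which is exactly the situation the partitioning requirement is meant to avoid: with /tmp on /, a world-writable directory inherits whatever options the root filesystem has.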

Remember, encryption really saves your life even if your whole infrastructure is compromised. This will most likely happen to your infrastructure once you start attracting customers.

Two options left

Either you create an image from the whole hard drive or you use virtualisation.

The Debian installation process is not made for making encrypted images of the hard disk while not using the full hard disk. It is thus maybe best to use virtualisation; that was the reason it was invented in the first place.

There are many companies around virtualisation. But the best option on Linux is KVM, and that works quite well.

I recommend using KVM. At the end of the article, I linked a few resources on how to hack around Debian to make images of the encrypted system, but I do not recommend that.

Of course you could argue that the base system should be secure too. But setting up that system is fairly easy, and you do not need a lot of them.

If you run a datacenter, you will have firewalls and embedded systems maybe built with Yocto or something similar securing the large chunk of systems.

The rest can then be installed via network deployment using, for example, Clonezilla. You could also think about making your own distro, internal and/or external. Maybe you also have live USBs of your distro.


Helpful resources

Cryptsetup commands to back up an encrypted system

# open the LUKS container and list the logical volumes inside it
$ sudo cryptsetup luksOpen /dev/nvme0n1p3 vgmint
$ sudo lvs

# shrink root (filesystem and volume together), then give the freed space to swap
$ sudo lvresize -L -31G --resizefs vgmint/root
$ sudo lvresize -l +100%FREE /dev/vgmint/swap_1

# rebuild swap on the enlarged volume and check the result
$ sudo mkswap /dev/vgmint/swap_1
$ sudo lvs

Written by Julian M. Kleber

Just sailing ⛵ - Constructing for endurance | www.julianmkleber.com
