Hack 48 Clone Hard Drives

Use dd and partimage on Knoppix to clone hard drives even across the network.

Cloning entire partitions has long been a time-saver for system administrators. Instead of running through the same install process for tens or hundreds of machines, a system administrator can set up a single machine just how he wants it, then copy the hard-drive image to the next machine, saving hours of work. Plus, a broken machine can be reimaged and back to the "factory" state in minutes, reducing downtime. There are many different hard-drive-imaging programs you can purchase, but with a Knoppix disc, you can easily create partition images, partition-to-partition copies, and even disk-to-disk copies. This hack covers two programs: dd, which is commonly used to create and copy drive images, and partimage, which combines the power of dd with an easy-to-use interface and the capability to save images over the network.

5.13.1 Dd

Ask any Unix-system administrator about disk imaging, and, most likely, the first tool that she suggests is dd. Dd is a very powerful program that creates exact bit-for-bit copies of drives or partitions. You might have used this command previously if you had to create a boot floppy or an ISO from a CD-ROM.

While there are quite a few different arguments you can pass dd to change its behavior, the two basic options are if and of, which specify the input file and the output file for dd to use, respectively. As with Unix, in Linux "everything is a file," so the input file or the output file is an actual file on the system—for example, drive.img, a partition such as /dev/hda1, or a complete drive such as /dev/hda. When you use Knoppix for disk imaging, you run completely outside any disks on the system, so you don't have to worry about files changing or being modified by your login.

A direct disk-to-disk copy is a common use of dd. In this scenario, you have partitioned and configured one disk, hda, that you want to mirror—partition tables and all—to a second blank disk, hdb. It is important that hdb be the same size or greater than the size of hda when you copy the image; otherwise, only some of your files are copied, or, the worst case, the image does not mount. To perform the disk-to-disk copy, open a terminal and run the following command:

knoppix@ttyp0[knoppix]$ sudo dd if=/dev/hda

 of=/dev/hdb

This command takes some time depending on size and speed of your disks, and, unfortunately, dd does not provide a fancy progress meter.

If you don't want to copy a complete drive, but just copy a partition from one system to another, you add the particular partition number you want to use. Similar to copying a disk to another disk, make sure that the partition that you are copying to is the same size or larger than the partition you are copying from. This command copies the first partition from /dev/hda to the first partition of /dev/hdb:

knoppix@ttyp0[knoppix]$ sudo dd if=/dev/hda1

 of=/dev/hdb1

Like with a disk-to-disk copy, this takes some time to complete, although, generally, cloning entire disks or partitions with dd is faster than doing file-for-file copies with tar or cpio.

You also have the option to store a complete disk image to a file. This enables you to create a complete snapshot of a hard drive that you can reimage back to the drive to restore it to a certain state. This can be particularly useful in the case of computer forensics [Hack #47], when you want to create a complete copy or multiple copies of a drive so that you can examine the drive without risking any data loss. To copy a disk image to a file, simply pass a filename instead of a device name to the of argument. Most likely, disks you want to image in this way are larger than your available Knoppix ramdisk, so you need to mount another disk to which to save the image. To create a complete image of the /dev/hda1 partition and save it in the root directory of a filesystem mounted at /mnt/hdb1, use the following command:

knoppix@ttyp0[knoppix]$ sudo dd if=/dev/hda1

 of=/mnt/hdb1

/hda1_drive_image.img

Many people make a point of adding an .img extension to their image files as a reminder that the file is a complete disk image, but you can name the file whatever you wish. Even though dd doesn't list progress, when you save to a file, you can monitor the size of the file to see how much time you have left. The watch utility is particularly useful for this task because it performs a command every two seconds and shows you the output. To monitor the progress of this image, type the command:

knoppix@ttyp0[knoppix]$ watch ls -l /mnt/hdb1

/hda1_drive_image.img

Once the operation completes, the complete contents of /dev/hda1 are stored in hda1_drive_image.img.

You can also utilize ssh to save the disk image over the network to a different machine. If you don't specify an output file, dd outputs the disk image to STDOUT, which can then be piped through ssh to the remote machine. So, if you have an account on 192.168.0.2 to which you want to save the file, issue the command:

knoppix@ttyp0[knoppix]$ sudo dd if=/dev/hda1

 | ssh username

@192.168.0.2 

"cat > /home/username

/hda1_drive_image.img"

After you enter your password, dd copies the complete encrypted drive image over the network and stores it in hda1_drive_image.img.

By storing a partition image in a file, you can use Linux's loopback mounting option to mount this file as though it were an actual partition and examine the files. For instance, if you have an image of an ext2 partition, you can create a new mountpoint in /mnt and mount the file under Knoppix with the following command:

knoppix@ttyp0[knoppix]$ sudo mkdir /mnt/temp

knoppix@ttyp0[knoppix]$ sudo mount -o loop -t ext2 /mnt/hdb1

/hda1_drive_image.img /mnt/temp

Now you can browse through the filesystem at /mnt/temp just as if it were the actual partition. This also works for browsing through ISO images, such as the Knoppix CD image, or any other CD images you might have.

To reimage /dev/hda1 with a file you have saved, simply issue the dd command in reverse:

knoppix@ttyp0[knoppix]$ sudo dd if=/mnt/hdb1

/hda1_drive_image.img of=/dev/hda1

If you have saved your image over the network, you can also reimage by reversing the command by typing:

knoppix@ttyp0[knoppix]$ ssh username

@192.168.0.2  

"cat /home/username

/hda1_drive_image.img" | sudo dd of=/dev/hda1

With these commands, you can easily image and reimage machines just from dd, but if you want a more graphical experience, Knoppix has included a utility, partimage, that provides you with an easy-to-use GUI and still gives you many options without any command-line kung fu.

5.13.2 Partimage

While partimage can be run from the command line directly, this hack also covers partimage's interactive mode, which it executes when you run partimage with no options. Partimage requires root privileges, so under Knoppix, type:

knoppix@ttyp0[knoppix]$ sudo partimage

When launched, the first option you see is to choose which partition you want to save or restore. Like its name alludes to, partimage is only for the purposes of saving and restoring partition images. Partimage also attempts to guess which filesystem the partition is currently using, which makes it easier to see which partitions you want to image on a multipartition, dual-boot system. After selecting the partition to save, move the cursor down to select the image file to save to. Knoppix has limited ramdisk space, so you must save the partition image to another partition on the system. Make sure that partition is already mounted and then type in the full path of the file you want to save—for instance, /mnt/hdb1/hda1_drive_image.img. Once you enter the filename, if you are saving to the local machine, you can simply hit F5 to move to the next screen.

Partimage also provides an option to save the partition image over the network to another machine. This requires the other machine to be running the partimaged server, so you need either another machine running Linux with partimaged installed, or you can use another Knoppix disk booted on that machine to run the server. If you choose to run partimaged from Knoppix, you must create a password for the root user, because partimage prompts you for a username and password before connecting to partimaged. On the remote server, open a terminal and type sudo passwd to enter in a new password for root. Then you can run the partimaged server in interactive mode (which lets you see connections as they are created along with their progress):

knoppix@ttyp0[knoppix]$ sudo partimaged

Partimaged supports connections from multiple clients at the same time, so you could potentially image multiple systems at the same time over the network and save to a single file server.

After the server has been configured, on the partimage client, check "Connect to server" and enter the IP address or hostname of the partimaged server in the next field. Keep in mind that when you save to a remote server, the path and filename you enter are the path and filename you have used on the server, not on the local machine, so make sure that path exists and you have enough room for the image. When you hit F5 to continue, partimage attempts to connect to the remote machine and prompts you for a username and password. If the partimaged server is running on Knoppix as well, enter root for the username and the password you have set up, and then choose OK.

Once you've authenticated, you are presented with some compression and file-splitting options. Partimage can compress partition images using gzip and bzip2 algorithms, which are progressively slower but provide progressively smaller images. By default, partimage also splits images into files that are less than 2 GB. This is a safeguard in case you are saving to a filesystem that doesn't allow files to be larger than 2 GB. If you want to burn the images to a CD-ROM later, you can also modify this option to save the image to 650 MB or 700 MB files. Once you have changed these settings to suit your needs, hit F5 to move to the next screen, which allows you to type a description of the saved partition. By default, partimage presents you with information about the partition. Hit Enter to start the image-copying process.

One nice thing about using partimage over dd is that the progress bars tell you how far in the process you are, how much time has elapsed, how much time is remaining, and information about how large the image is and how much free space you have available. If you saved to a remote server, you can also monitor the progress from there. Once the process finishes, partimage displays how long the process has taken and then exits.

To restore an image using partimage, the process is quite similar: specify the partition to which you want to restore to, and specify the image file's path that has already been created. Check "Restore partition from an image file" instead of "Save partition into a new image file."