Official NixOS Wiki

Swap: Difference between revisions

← Older edit
Hasnep (talk | contribs)
3 edits
VisualWikitext
Jopejoe1 (talk | contribs)
trusted
135 edits
m add closing bracket
Hasnep (talk | contribs)
3 edits
m Change GB to GiB and MB to MiB
 
(3 intermediate revisions by 3 users not shown)
Line 23: Line 23:
swapDevices = [{
swapDevices = [{
   device = "/var/lib/swapfile";
   device = "/var/lib/swapfile";
   size = 16*1024; # 16 GB
   size = 16*1024; # 16 GiB
}];
}];
</nowiki>
</nowiki>
}}
}}


This will create a 16GB swapfile at <code>/var/lib/swapfile</code>. The <code>size</code> value [https://search.nixos.org/options?show=swapDevices.*.size is specified in megabytes]. This will cause a swap file to be generated and an entry to be set up in <code>/etc/fstab</code>.
This will create a 16GB swapfile at <code>/var/lib/swapfile</code>. The <code>size</code> value [https://search.nixos.org/options?show=swapDevices.*.size is specified in mebibytes]. This will cause a swap file to be generated and an entry to be set up in <code>/etc/fstab</code>.


== Swap partition ==
== Swap partition ==
Line 153: Line 153:
By encrypting the swap with a random key kept in memory, we make sure that the contents of the swap become unreadable as soon as the data in memory has been lost. NixOS contains a handy helper to help you do this, generating a new key on each boot:
By encrypting the swap with a random key kept in memory, we make sure that the contents of the swap become unreadable as soon as the data in memory has been lost. NixOS contains a handy helper to help you do this, generating a new key on each boot:


<syntaxhighlight lang="nix">
<syntaxhighlight lang="nix">swapDevices = [{
swapDevices = [{
   device = "/dev/disk/by-partuuid/aaaaaaaaa-bbbb-cccc-dddd-0123456789ab";
   device = "/dev/disk/by-partuuid/aaaaaaaaa-bbbb-cccc-dddd-0123456789ab";
   randomEncryption.enable = true;  
   randomEncryption.enable = true;  
}];
}];</syntaxhighlight>
</syntaxhighlight>


The selected device will have all its content made unusuable at every boot. Using a partuuid or partlabel is recommended because it is less subject to change when the overall partition scheme changes.
The selected device will have all its content made unusable at every boot. Using a partuuid or partlabel is recommended because it is less subject to change when the overall partition scheme changes.


If you want to use TRIM, set <code>randomEncryption.allowDiscards</code> in addition to the <code>options</code>. This has the security implication of:
If you want to use TRIM, set <code>randomEncryption.allowDiscards</code> in addition to the <code>options</code>. This has the security implication of:
Line 168: Line 166:
You will need to weigh between the two.
You will need to weigh between the two.


Using a random key makes hibernation impossible. If you want to use hibernation, use a regular [[Full Disk Encryption]] (or partial disk encryption with LUKS) scheme with an unchanging key.
'''Warning:''' On some NixOS versions, if <code>randomEncryption.enable = true</code> and the <code>swap</code> is a file (rather than a partition) located on an encrypted LUKS partition, [https://discourse.nixos.org/t/swap-file-on-luks-partition/72234 the system can freeze as soon as the swap is used.]
 
Using a random key makes hibernation impossible. If you want to use hibernation, use a regular [[Full Disk Encryption]] with a fixed key. Alternatively, you can encrypt the swap partition separately:
 
== Encrypt swap partition with password or fixed key ==
If you prefer to encrypt the swap partition individually, first create an unformatted partition of the desired size, for example using <code>gparted</code>. In the following, the partition is <code>/dev/sdXY</code>. Then<syntaxhighlight lang="bash">
sudo cryptsetup luksFormat /dev/sdXY --label lb_luks_swap
sudo cryptsetup luksOpen /dev/disk/by-label/lb_luks_swap swap
sudo mkswap /dev/mapper/swap -L lb_swap
</syntaxhighlight>When asked, provide a password for unlocking the partition.
 
This will create
 
* a LUKS container on the unformatted partition with label <code>lb_luks_swap</code>
* open it and mount it under <code>/dev/mapper/swap</code>,
* format it as swap with label <code>lb_swap</code>.
 
If all is correct, block devices should look similar to:<syntaxhighlight lang="bash">
$ lsblk -o +LABEL
...
└─sdaXY      259:16  0  128G  0 part                lb_luks_swap
  └─lb_swap  254:0    0  128G  0 crypt [SWAP]        lb_swap
...
 
</syntaxhighlight>To tell NixOS to use this partition for swap, add to <code>hardware-configuration.nix</code>:<syntaxhighlight lang="nix">
swapDevices = [{
  device = "/dev/disk/by-label/lb_swap";
  encrypted = {
    enable = true;
    label = "swap";
    blkDev = "/dev/disk/by-label/lb_luks_swap";
  };
}];
 
</syntaxhighlight>This automatically adds the swap partition to <code>boot.initrd.luks.devices</code> so that <code>initrd</code> will ask for a password on reboot. initrd will automatically try to use the same password on any other LUKS volumes listed in <code>boot.initrd.luks.devices</code>. Therefore if you use the same password for other volumes you will only have to type it once. If all went well, the swap partition should be mapped at <code>/mapper/swap</code> and <code>/dev/disk/by-id/lb_swap</code>.
 
It is also possible to specify a key file using the <code>--key-file</code> argument to <code>luksFormat</code> and <code>luksOpen</code>. Be aware that the system needs access to this file during boot, so if the key itself is stored on an encrypted volume, it may be tricky to get the unlock sequencing right.


== Adjusting swap usage behaviour ==
== Adjusting swap usage behaviour ==


[https://docs.kernel.org/admin-guide/sysctl/vm.html#swappiness Swappiness] controls how aggressibely swap space is used, specifically how to free up memory when needed. By default, Linux uses a swappiness value of 60. Higher values will make the kernel prefer swapping out idle processes over dropping caches. Conversely lower values will try to avoid swapping as much as possible, keeping processes in RAM unless absolutely necessary. An optimal value is workload dependent and will will require experimentation.
[https://docs.kernel.org/admin-guide/sysctl/vm.html#swappiness Swappiness] controls how aggressively swap space is used, specifically how to free up memory when needed. By default, Linux uses a swappiness value of 60. Higher values will make the kernel prefer swapping out idle processes over dropping caches. Conversely lower values will try to avoid swapping as much as possible, keeping processes in RAM unless absolutely necessary. An optimal value is workload dependent and will will require experimentation.


{{file|/etc/nixos/configuration.nix|nix|
{{file|/etc/nixos/configuration.nix|nix|
Line 184: Line 218:
You can see your current swappiness level by <code>cat /proc/sys/vm/swappiness</code>. The lowest accepted value is 0 while the maximum value is 200. The lowest sane value is 1 (0 causes the system to not scan for unused anonymous pages, i.e. memory freed by processes, at all).
You can see your current swappiness level by <code>cat /proc/sys/vm/swappiness</code>. The lowest accepted value is 0 while the maximum value is 200. The lowest sane value is 1 (0 causes the system to not scan for unused anonymous pages, i.e. memory freed by processes, at all).


For more on tuning the swap, start with [https://wiki.archlinux.org/title/Swap#swappiness ArchWiki]'s description.
For more on tuning the swap, start with [https://wiki.archlinux.org/title/Swap#Swappiness ArchWiki]'s description.


== ZFS and swap ==
== ZFS and swap ==
Retrieved from "https://wiki.nixos.org/wiki/Swap"