Ever since the virtualization epidemic hit the datacenter, server filesystems have increasingly taken the form of images, and conventional partitions have been on the decline. The benefit for the admin is that the filesystem images are easier to move or manipulate.However, if you want to use physical disks – typically block devices named /dev/sd<x> or the like – in your own cloud, you need to convert them to suitable virtual disk image formats, such as .vdi or .vmdk.

Popular conversion programs, such as qemu-img --convert (for KVM), can convert your physical partition to a virtual form, but these tools are not designed to address complex situations. For instance, if you want to build a RAID system from multiple disks, you need to master a few tricks, and this article will help you do so. Incidentally, the approach described here relies on forensic tools, because I developed this technique while investigating a crime case. For virtualization, I will rely on VirtualBox [1] version 4.

Problems with RAID Controllers

Physical systems are not always easy to virtualize. For example, you can experience driver problems if the hard disks come from machines in which the RAID systems are managed by hardware controllers. Some tools do exist for simple scenarios. KVM offers a number of options for smoothing out the process. If you rely on VirtualBox, you can easily convert a hard disk /dev/sdb by using:

VBoxManage convertdd /dev/sdb test.vdi --format VDI

This command converts the currently mounted disk, which you might have removed from another host, to a virtual hard disk named test.vdi using VirtualBox's own Virtual Disk Image (VDI) format [2].

Images like this can almost always be integrated easily into any new guest system, but other hypervisors can also handle them. Once this (fairly time-consuming) process is complete, you can export the entire system as an appliance in Open Virtualization Archive (OVA) format [3].

Complex Servers

Unfortunately, a typical server system rarely uses just a single hard disk. You are more likely to find a setup in which one hard disk stores the system, and the data resides on a RAID array. If the original  host consists of three hard disks (e.g., a 40GB SATA and two 80GB SATA disks on a RAID controller), you can expect the conversion to be more complex.

If you can bring the legacy host back to life, you have many options. But if you don't have access to the original system (e.g., when the hard disks were part of the evidence in a crime case), the following approach can help. To read alien hard disks, administrators often resort to the RAW format, because it is the simplest possible standard and practically any version of Linux has suitable tools for it.

However, forensics experts tend to prefer the Expert Witness Format (EWF), which was introduced in an article in a previous issue of Linux Pro Magazine [4]. EWF offers a variety of benefits that help admins manage complex tasks. The ewfacquire program creates images in EWF; you need to install the ewf-tools package from your distribution's repository to access the tool.

Striped Set: RAID 0 – A Tough Nut

The use of a striped set (RAID 0) is not recommended from an administrative point of view, but you still see it on older servers. Because it causes the biggest problems and was used on the original system, I will be using it as an example here. Given a working controller, fdisk will show the disks that belonged to the striped RAID set (Figure  1). The forensic counterpart to fdisk from The Sleuth Kit is mmls (Figure  2).

Figure 1: The first hard disk is 40GB, the second disk on the RAID controller is 160GB, but this is actually a RAID 0 made up of two 80GB disks.

Figure 2: The Sleuth Kit mmls tool can look behind the scenes of the second hard disk.

If you take the hard disks out of the legacy system and mount them on another machine without a RAID controller, things change. Although nothing changes for the first hard disk, you will see, as in Figure 3, that disks 2 and 3 (the two 80GB storage media) are no longer a system; in fact, they do not even contain a partition table, according to fdisk.

Figure 3: Without a RAID controller, the two 80GB hard disks are useless.