Re: systemd-repart HOWTO + demo code

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Response in line:

On Sat, 2024-10-19 at 21:57 -0400, Adrian Vovk wrote:
> Responses inline
> 
> On Sat, Oct 19, 2024, 21:52 Thayne Harbaugh <thayne@xxxxxxxxxxxxxxxx>
> wrote:
> > Response in line:
> > 
> > On Sat, 2024-10-19 at 20:36 -0400, Adrian Vovk wrote:
> > > Hello,
> > > I might have spotted something 

<SNIP>

> > > You tell repart to encrypt with a keyfile, but it seems like you
> > > don't pass in which keyfile to use.
> > 
> > Maybe I'm confused about how Encrypt= and EncryptedVolume=
> > interact.

<SNIP>

> Yeah I think you are. I'm pretty sure EncryptedVolume= is about
> defining what goes into /etc/crypttab, and thus how the volume is set
> up at runtime or at boot. Not how the volume is set up when it's
> created. Basically each EncryptedVolume= entry is an entry in
> /etc/crypttab and no more.

> > > By default, repart will encrypt
> > > with a null key in that case. IIRC, you have to pass in the
> > > keyfile
> > > (or maybe socket) to use in your drop-in.
> > 
> > I feel like I should know what my "drop-in" ... but I have no idea.
> > Is thet the repart.d/30-xdata.conf?  Is it the override I made to
> > systemd-repart.service as
> > systemd-repart.service.d/systemd-repart-gen_tabs.conf ?
> 
> I mean the override you made to systemd-repart.service

I changed the systemd-repart drop-in to pass
--key-file=/run/fscrypt.sock:

  ExecStart=systemd-repart --dry-run=no --key-file=/run/fscrypt.sock --generate-fstab=/run/fstab --generate-crypttab=/run/crypttab

(change pushed into repart_howto project)

I can now see that it opens the socket defined by fscrypt.socket,
activates fscrypt@.service and executes getkey.  Woot!

Unfortunately systemd-repart still does not exit and udev events
continue to repeat waiting for a lock (the new, encrypted partition is
not created):

  <SNIP>
  Oct 19 23:20:27.218374 localhost (d-repart)[277]: systemd-repart.service: Executing: systemd-repart --dry-run=no --key-file=/run/fscrypt.sock --generate-fstab=/run/fstab --generate-crypttab=/run/crypttab
  <SNIP>
  Oct 19 23:20:27.286753 localhost systemd-repart[277]: Device /dev/sdb opened and locked.
  <SNIP>
  Oct 19 23:20:27.305471 localhost systemd-repart[277]: Sector size of device is 512 bytes. Using filesystem sector size of 4096 and grain size of 4096.
  Oct 19 23:20:27.305544 localhost systemd-repart[277]: /run/fstab written.
  Oct 19 23:20:27.305567 localhost systemd-repart[277]: /run/crypttab written.
  Oct 19 23:20:27.305838 localhost systemd-repart[277]: Applying changes to /dev/sdb.
  <SNIP>
  Oct 19 23:20:27.314953 localhost systemd-repart[277]: Successfully wiped file system signatures from future partition 2.
  Oct 19 23:20:27.320086 localhost systemd-repart[277]: Successfully discarded data from future partition 2.
  Oct 19 23:20:27.320446 localhost systemd-repart[277]: Successfully discarded gap after partition 2.
  Oct 19 23:20:27.320611 localhost systemd-repart[277]: loop0: Acquired exclusive lock.
  Oct 19 23:20:27.320872 localhost systemd-repart[277]: Successfully acquired /dev/loop0, devno=7:0, nr=0, diskseq=11
  Oct 19 23:20:27.323113 localhost systemd-repart[277]: Encrypting future partition 2...
  Oct 19 23:20:27.325115 localhost systemd-repart[277]: Allocating context for crypt device /dev/loop0.
  Oct 19 23:20:27.325128 localhost systemd-repart[277]: Trying to open and read device /dev/loop0 with direct-io.
  Oct 19 23:20:27.326081 localhost systemd-repart[277]: Initialising device-mapper backend library.
  Oct 19 23:20:27.326092 localhost systemd-repart[277]: Formatting device /dev/loop0 as type LUKS2.
  <SNIP>
  Oct 19 23:20:29.400763 localhost systemd-repart[277]: Device size 17179869184, offset 16777216.
  Oct 19 23:20:29.400876 localhost systemd-repart[277]: Acquiring write lock for device /dev/loop0.
  Oct 19 23:20:29.400929 localhost systemd-repart[277]: Locking directory /run/cryptsetup will be created with default compiled-in permissions.
  <SNIP>
  Oct 19 23:20:27.617748 localhost systemd-repart[277]: Formatting LUKS2 with JSON metadata area 12288 bytes and keyslots area 16744448 bytes.
  <SNIP>
  Oct 19 23:20:27.808111 localhost (udev-worker)[301]: loop0: Processing device (SEQNUM=1940, ACTION=change)
  Oct 19 23:20:27.808199 localhost (udev-worker)[301]: loop0: Failed to flock(/dev/loop0): Resource temporarily unavailable
  Oct 19 23:20:27.808207 localhost (udev-worker)[301]: loop0: Block device is currently locked, requeueing the event.
  <SNIP>
  Oct 19 23:20:28.008110 localhost (udev-worker)[319]: loop0: Processing device (SEQNUM=1940, ACTION=change)
  Oct 19 23:20:28.008146 localhost (udev-worker)[319]: loop0: Failed to flock(/dev/loop0): Resource temporarily unavailable
  Oct 19 23:20:28.008156 localhost (udev-worker)[319]: loop0: Block device is currently locked, requeueing the event.
  <SNIP>
  Oct 19 23:20:28.214865 localhost (udev-worker)[316]: sdb: Processing device (SEQNUM=2090, ACTION=add)
  Oct 19 23:20:28.214892 localhost (udev-worker)[316]: sdb: Failed to flock(/dev/sdb): Resource temporarily unavailable
  Oct 19 23:20:28.214899 localhost (udev-worker)[316]: sdb: Block device is currently locked, requeueing the event.
  <SNIP>
  Oct 19 23:20:28.239122 localhost (udev-worker)[316]: loop0: Processing device (SEQNUM=1940, ACTION=change)
  Oct 19 23:20:28.239150 localhost (udev-worker)[316]: loop0: Failed to flock(/dev/loop0): Resource temporarily unavailable
  Oct 19 23:20:28.239156 localhost (udev-worker)[316]: loop0: Block device is currently locked, requeueing the event.
  <SNIP>

The "Failed to flock" message groups for both `/dev/sdb` and
`/dev/loop0` continue to repeat until the system is shut down.

Any ideas what might be wrong?

> Best,
> Adrian 
> 
> > 
> > > Apologies if I'm wrong. I'm on my phone and haven't pulled up the
> > > docs to verify.
> > 
> > Maybe you can send something with more details when you have access
> > to
> > a system.
> > 
> > Thank you for the response.
> > 
> > > Best,
> > > Adrian 
> > > 
> > > On Sat, Oct 19, 2024, 20:21 Thayne Harbaugh
> > > <thayne@xxxxxxxxxxxxxxxx>
> > > wrote:
> > > > Greetings - apologies if this isn't the proper list - please
> > > > redirect
> > > > me.
> > > > 
> > > > I'm writing a systemd-repart HOWTO with demo code for various
> > > > use
> > > > cases:
> > > > 
> > > >   https://github.com/plastikos/repart_howto
> > > > 
> > > > The HOWTO is a typical document while the demos are minimal
> > > > cases
> > > > built with mkosi and available for growing into larger
> > > > solutions.
> > > > 
> > > > Initially it has two use-case demos:
> > > > 
> > > >   1. Creating a new partition (xdata) on first boot
> > > > 
> > > >   2. Creating a new partition (xdata) with encryption on first
> > > > boot
> > > > 
> > > > Currently #1 works.  It's simple.  I still need to create more
> > > > details
> > > > around growing partitions and other ideas.
> > > > 
> > > > The encryption case #2, however, does not work and I'm looking
> > > > for
> > > > some assistance.  While there is significant documentation
> > > > around
> > > > the
> > > > systemd ecosystem of tools I feel like I have possibly missed
> > > > some
> > > > detail or may not be understanding how to synthesize the
> > > > information
> > > > into a working model.
> > > > 
> > > > The encryption demo is identical to case #1 of adding a
> > > > partition
> > > > with
> > > > the following changes:
> > > > 
> > > >   1. The /usr/lib/repart.d/30-xdata.conf file adds the
> > > > following:
> > > > 
> > > >        Encrypt=key-file
> > > >        EncryptedVolume=dc-xdata:/run/fscrypt.sock:luks,discard
> > > > 
> > > >   2. a /usr/lib/systemd/system/fscrypt.socket file is added
> > > > along
> > > > with
> > > >      a fscrypt@.service file (see the project source, please).
> > > > 
> > > >   3. A /usr/bin/getkey file is added for fscrypt@.service to
> > > > call.
> > > >      getkey provides a simplistic way of producing an
> > > > encryption
> > > > key
> > > >      for *demonstration* purposes *ONLY*.
> > > > 
> > > >   4. A /var/lib/key.bin is added as a binary encryption key
> > > > that
> > > >      getkey retrieves - for *demonstration* purposes *ONLY*.
> > > > 
> > > > When built into a disk image by mkosi and started with qemu it
> > > > fails
> > > > to create the new xdata partition.  I see quite a few journal
> > > > messages
> > > > from systemd-repart and related udev events.  I have verified a
> > > > few
> > > > things:
> > > > 
> > > >   1. /run/fscrypt.sock does get created
> > > > 
> > > >   2. getkey does emit the encryption key to stdout
> > > > 
> > > >   3. systemd-repart is started and initiates creating a
> > > > partition
> > > > with
> > > >      LUKS
> > > > 
> > > > There are two notable details that cause me concern and might
> > > > be
> > > > where
> > > > the problem lies:
> > > > 
> > > >   1. There is no evidence that getkey is invoked even when I
> > > >      instrument it to generate side-effects.
> > > > 
> > > >   2. There are messages in the journal that indicate that
> > > >      systemd-repart never exits and that it might be in
> > > > deadlock
> > > > waiting
> > > >      for child events.
> > > > 
> > > > The messages around the possible deadlock of #2 above are the
> > > > following:
> > > > 
> > > >   Oct 19 12:08:48.510843 localhost systemd-repart[276]: loop0: Acquired exclusive lock.
> > > >   Oct 19 12:08:48.512130 localhost systemd-repart[276]: Successfully acquired /dev/loop0, devno=7:0, nr=0, diskseq=11
> > > >   Oct 19 12:08:48.516941 localhost systemd-repart[276]: Encrypting future partition 2...
> > > >   Oct 19 12:08:48.517077 localhost systemd-repart[276]: Allocating context for crypt device /dev/loop0.
> > > >   <SNIP/>
> > > >   Oct 19 12:08:49.114118 localhost (udev-worker)[299]: loop0: Processing device (SEQNUM=1996, ACTION=change)
> > > >   Oct 19 12:08:49.114972 localhost (udev-worker)[299]: loop0: Failed to flock(/dev/loop0): Resource temporarily unavailable
> > > >   Oct 19 12:08:49.114979 localhost (udev-worker)[299]: loop0: Block device is currently locked, requeueing the event.
> > > >   <SNIP/>
> > > >   Oct 19 12:08:49.328308 localhost (udev-worker)[296]: loop0: Processing device (SEQNUM=1996, ACTION=change)
> > > >   Oct 19 12:08:49.328345 localhost (udev-worker)[296]: loop0: Failed to flock(/dev/loop0): Resource temporarily unavailable
> > > >   Oct 19 12:08:49.328352 localhost (udev-worker)[296]: loop0: Block device is currently locked, requeueing the event.
> > > >   <SNIP/>
> > > > 
> > > > Those last three messages about failing to lock repeat until
> > > > QEMU
> > > > is
> > > > shut down.
> > > > 
> > > > There are quite a few additional diagnostic details and logs
> > > > that
> > > > may
> > > > be of interest but it might be easier to clone the repart_howto
> > > > project from github and run it:
> > > > 
> > > >   >$ ./demo crypt
> > > > 
> > > > Once it executes all of the mkosi configuration files and disk
> > > > image
> > > > are in the build-crypt sub-directory.  All relevant files
> > > > specific
> > > > to
> > > > partition creation and encryption are in build-
> > > > crypt/mkosi.extra -
> > > > there are not many since I'm trying to keep the demo as simple
> > > > as
> > > > possible.  All relevant journal events and state information
> > > > can be
> > > > extracted from build-crypt/image.raw.
> > > > 
> > > > Thanks for either directing me to a more appropriate help
> > > > resource
> > > > and/or providing direct assistance.
> > > > 
> > > > 
> > > > P.S. If you want to run demo #1 of partition creation sans
> > > > encryption
> > > > then execute the following from the project source tree:
> > > > 
> > > >   >$ ./demo clear
> > 

-- 
Big Solutions
[Index of Archives]     [LARTC]     [Bugtraq]     [Yosemite Forum]     [Photo]

  Powered by Linux