Hi, I already installed Artix with s6 init on a system that needs to decrypt and mount a non-root disk when booting. See:
> % sudo cat /etc/crypttab
> cryp-ext-main UUID=6a7d2c8d-113f-4551-8529-25961c1f7dd8 none
>
> % cat /etc/fstab
> # /dev/mapper/lm--0-root LABEL=root
> UUID=39881f9a-7e2b-498d-8462-07782cac7b43 / ext4 discard,commit=60 0 1
> ...
> # /dev/mapper/ext--main-data LABEL=ext-data
> UUID=204b5531-53ec-4f8b-bebd-1411be4e111e /ext ext4 commit=60 0 2
> ...
Several directories are soft links to the mounted /ext volume... But the system doesn't decrypt the non-root partition at boot as it did on Arch:
> % lsblk -f
> NAME FSTYPE FSVER LABEL UUID FSAVAIL FSUSE% MOUNTPOINT
> sda
> ├─sda1 vfat FAT32 uefi 8E53-8EBA 510.7M 0% /uefi
> ├─sda2 ext4 1.0 boot 91873189-b48a-41b4-860a-367985fa0020 264M 40% /boot
> └─sda3 crypto_LUKS 2 1c43ec30-ce0b-4111-a852-79899aa965f1
> └─cryp-lm-0
> └─lm--0-root 136.3G 32% /
> sdb
> └─sdb1 crypto_LUKS 2 6a7d2c8d-113f-4551-8529-25961c1f7dd8
I can of course decrypt and mount it manually some time after boot:
> % sudo cryptsetup open UUID=6a7d2c8d-113f-4551-8529-25961c1f7dd8 cryp-ext-main
> [sudo] password for general:
> WARNING: Locking directory /run/cryptsetup is missing!
> Enter passphrase for /dev/disk/by-uuid/6a7d2c8d-113f-4551-8529-25961c1f7dd8:
> %
>
> % sudo mount -t ext4 -o commit=60 UUID=204b5531-53ec-4f8b-bebd-1411be4e111e /ext
> %
>
> % cat /etc/mtab
> ...
> /dev/mapper/lm--0-root / ext4 rw,relatime,stripe=8191 0 0
> ...
> /dev/mapper/ext--main-data /ext ext4 rw,relatime,commit=60 0 0
>
> % lsblk -f
> NAME FSTYPE FSVER LABEL UUID FSAVAIL FSUSE% MOUNTPOINT
> sda
> ├─sda1 vfat FAT32 uefi 8E53-8EBA 510.7M 0% /uefi
> ├─sda2 ext4 1.0 boot 91873189-b48a-41b4-860a-367985fa0020 264M 40% /boot
> └─sda3 crypto_LUKS 2 1c43ec30-ce0b-4111-a852-79899aa965f1
> └─cryp-lm-0
> └─lm--0-root 136.3G 32% /
> sdb
> └─sdb1 crypto_LUKS 2 6a7d2c8d-113f-4551-8529-25961c1f7dd8
> └─cryp-ext-main LVM2_member LVM2 001 iYRsRB-M2Fl-RsKB-83s9-LV3l-oZPe-Qz31qd
> └─ext--main-data ext4 1.0 ext-data 204b5531-53ec-4f8b-bebd-1411be4e111e 141.2G 64% /ext
Weirdly enough, "lsblk -f" does show the UUIDs for the non-root volume after decrypting, whereas it doesn't for the root volume.
I found out only late that I needed to install cryptsetup-s6. However, I also just found several issues with "/etc/s6/sv/cryptsetup/shell_up":
<1> "printhl" is not a bash command, it needs to be replaced with echo, or something supported by bash.
<2> "--allow-discard" is not a cryptsetup option, it needs to be replaced with "--allow-discards" (notice the plural).
<3> After the prior changes, for some reason when calling the oneshot manually, it does work:
> % sudo s6-rc -d change cryptsetup && sudo s6-rc -u change cryptsetup
> -- Stopping encrypted devices
> Device cryp-ext-main is not active.
> ...
> -- Starting encrypted devices
> Unlocking cryp-ext-main
> Enter passphrase for /dev/disk/by-uuid/6a7d2c8d-113f-4551-8529-25961c1f7dd8:
> ...
>
> % ls -l /dev/ext-main/data
> lrwxrwxrwx 1 root root 7 Apr 12 19:58 /dev/ext-main/data -> ../dm-3
You can notice no errors are found for cryp-m1-ext, and it actually gets decrypted. However on boot, I don't get asked to provide the password ever, and instead I see the output:
> Nothing to read on input.
This is unexpected... I was expecting, first, that mounting and other stuff would not have happened until the cryptsetup service had finished, which is not the case, since I see everything mounted except for the non-root volume; and I would have expected a prompt waiting for me to provide the password to decrypt the device, but I never got prompted, nor did it wait for it. I don't want to provide a clear-text password in /etc/crypttab, nor to have a clear-text file storing it.
So somehow cryptsetup-s6 is failing to request/prompt for the password at boot, and it's not preventing other system services from continuing to run at all, which is something I would have expected, since not all required block devices are mounted yet. Actually I didn't get to see any mounting failure associated with the expected mount point in /etc/fstab, which is a bit weird as well. I also noticed the oneshot cryptsetup is a dependency for the mount-filesystems one, so I believe mount-filesystems actually waits for cryptsetup to finish, but for some reason cryptsetup finishes without ever asking/prompting for the password; at any rate, mount-filesystems doesn't fail either (to me it looks like it should have, given the /etc/fstab setting).
Is there any way to handle getting asked/prompted for the non-root partition at boot, and then to get its volumes mounted as indicated in /etc/fstab? On Arch the behavior is that immediately after providing the root partition password, I get prompted for the non-root partition password, and no other service seems to progress until the password is provided (unless a watchdog timeout triggers, in which case it gets noticed as a failure, which also affects the mount process).
Any help will be appreciated!
Thanks!
--
Javier
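
Added example (not part of the original message, and not the cryptsetup-s6 shell_up script): a small diagnostic that lists the crypttab mappings whose key field asks for a typed passphrase ("none" or "-" per crypttab(5)) and reports whether the calling context has a terminal on stdin to type it into. The function names, the second sample entry and the idea of running it from the same context as the oneshot are assumptions made for illustration.

```shell
#!/bin/sh
# Added diagnostic sketch; function names are hypothetical.

needs_prompt() {
    # $1: crypttab-format file. Prints one mapping name per line for every
    # entry whose key field is "none", "-" or missing (passphrase is typed).
    while read -r name device key options; do
        case "$name" in ''|'#'*) continue ;; esac   # skip blanks and comments
        case "${key:-none}" in
            none|-) printf '%s\n' "$name" ;;
        esac
    done < "$1"
}

stdin_is_tty() {
    # True only when file descriptor 0 is a terminal.
    [ -t 0 ]
}

report() {
    # $1: crypttab-format file.
    # Returns 1 when a passphrase would be needed but stdin is not a terminal.
    pending=$(needs_prompt "$1")
    [ -z "$pending" ] && return 0
    if stdin_is_tty; then
        echo "interactive prompt possible for: $pending"
        return 0
    fi
    echo "no terminal on stdin, cannot prompt for: $pending" >&2
    return 1
}

# Constructed sample: the first entry is the one quoted in the message,
# the second (keyfile-based) entry is made up for contrast.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# name          device                                      key
cryp-ext-main UUID=6a7d2c8d-113f-4551-8529-25961c1f7dd8 none
cryp-keyed    UUID=00000000-0000-0000-0000-000000000000 /etc/keys/example.key luks
EOF
report "$sample" || true
rm -f "$sample"
```

Pointing `report` at the real /etc/crypttab from inside the boot-time service context, rather than from a login shell, shows which of the two cases that context falls into.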