* cryptsetup + lvm order and crypt name
@ 2014-08-05 22:26 Claudio A. T. Clemens
       [not found] ` <53E15A01.9040604-hi6Y0CQ0nG0@public.gmane.org>
  0 siblings, 1 reply; 5+ messages in thread
From: Claudio A. T. Clemens @ 2014-08-05 22:26 UTC (permalink / raw)
  To: initramfs-u79uwXL29TY76Z2rM5mHXA


Hi there,

I installed a new Debian (7.6) system, where I have a huge crypted
partition. This crypted partition is used as a lvm VG where the actual
Linux partitions are. Everything worked ok, till I installed dracut
(after installing a newer Kernel, which needed dracut). It was version
020, but now I'm using 038. So the problem is my partitions setup, which
dracut can't handle (or I can't configure it).

If I boot with rd.auto=1, then after some time I get a prompt, where I
need to enter the password for decrypting the crypted partition. Then
the boot goes on, but after a while I'm asked again for the password for
the same partition (some Debian init-script), and then I'm stuck there,
since the partition is already in use.

If I boot without rd.auto=1, then nothing happens, and after a while I
get a dracut shell. The only way to boot the system is typing the following:

- cryptsetup luksOpen /dev/sda5 sda5_crypt
(sda5_crypt is the name I gave to the crypted volume during
installation) Enter password here
- lvm vgscan
- lvm vgchange -ay
- exit

dracut then can boot successfully.

If I give other name in cryptsetup, instead of sda5_crypt, I end again
in the same boot phase, where the password is asked for a second time.
So I suspect that the "normal" dracut boot is decrypting my /dev/sda5
with another name. The name is given in the /etc/crypttab, but
rd.luks.crypttab=1 doesn't help. I think the Debian script only searches
if there is a decrypted partition with the exact name as in the crypttab.

I don't know if this order is supported, first decrypt, then lvm.

What should I do? I'm not a dracut hacker (by now).

Thanks for any idea.

Claudio
-- 
         _
+--- ,--(_) -----------------------------------------------------------+
|  _/ ;-._\    Dipl.-Inf. Univ. Claudio Clemens         saucy          |
| (_)(   ) )   asturio at gmx (.) net           GNU/Linux User #79942  |
|   \ ;-'_/    http://asturio.gmxhome.de/begin.html                    |
|    `--(_)    "YE GODS, I HAVE FEET??!"          <- Userfriendly      |
Chegou a conta telefonicAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA!!!!..



* Re: cryptsetup + lvm order and crypt name
       [not found] ` <53E15A01.9040604-hi6Y0CQ0nG0@public.gmane.org>
@ 2014-08-06  7:11   ` Amadeusz Żołnowski
       [not found]     ` <871tsuks7j.fsf-txNSArhcdoZACdk+e2mhCEEMvNT87kid@public.gmane.org>
  0 siblings, 1 reply; 5+ messages in thread
From: Amadeusz Żołnowski @ 2014-08-06  7:11 UTC (permalink / raw)
  To: Claudio A. T. Clemens; +Cc: initramfs-u79uwXL29TY76Z2rM5mHXA


Hi Claudio!

Have you tried setting target vg or lv with dracut kernel params?
Something like: rd.vg=my-vg


Cheers,

-- 
Amadeusz Żołnowski


* Re: cryptsetup + lvm order and crypt name
       [not found]     ` <871tsuks7j.fsf-txNSArhcdoZACdk+e2mhCEEMvNT87kid@public.gmane.org>
@ 2014-08-07 20:47       ` Claudio Clemens
       [not found]         ` <8761i3pi87.fsf@freja.aidecoe.name>
  0 siblings, 1 reply; 5+ messages in thread
From: Claudio Clemens @ 2014-08-07 20:47 UTC (permalink / raw)
  Cc: initramfs-u79uwXL29TY76Z2rM5mHXA

On 06.08.2014 09:11, Amadeusz Żołnowski wrote:
> Hi Claudio!
> 
> Have you tried setting target vg or lv with dracut kernel params?
> Something like: rd.vg=my-vg

Hi Amadeusz,

I have tried some options, but I think I configured them in the wrong
file. So I have many boot options, like rd.auto and rd.lvm.vg. But I
wrote them in the file /etc/dracut.conf.d/20-local.conf

In which file should I write these options, and how should the line look
like? I tried also in /etc/conf.d/ and /etc/cmdline.d/, but I can't get
away with the feeling, that they are not read.

And after setting the file correctly, what should I run? dracut, to
build the initrd again, or grub-update, to put the options in the boot
parameter?

Sorry for the noob questions, but I read all the docs, and couldn't
figure it out.

Cheers,

Claudio
-- 
+- .''`. ---| Dipl.-Inf. Univ. Claudio Clemens |-------| wheezy |-----+
| : :' :      asturio at gmx (.) net           GNU/Linux User #79942  |
| `. `'       http://asturio.gmxhome.de/begin.html                    |
|   `-        "YE GODS, I HAVE FEET??!"         <- Userfriendly       |
The height of rebellion is living alone and running away from home!


* Re: cryptsetup + lvm order and crypt name
       [not found]           ` <8761i3pi87.fsf-txNSArhcdoZACdk+e2mhCEEMvNT87kid@public.gmane.org>
@ 2014-08-08  7:16             ` Amadeusz Żołnowski
  2014-08-15 11:11             ` Claudio Clemens
  1 sibling, 0 replies; 5+ messages in thread
From: Amadeusz Żołnowski @ 2014-08-08  7:16 UTC (permalink / raw)
  To: Claudio Clemens; +Cc: initramfs-u79uwXL29TY76Z2rM5mHXA


(I forgot to CC the list, resending.)

> In which file should I write this Options, and how should the line
> look like? I tried also in /etc/conf.d/ and /etc/cmdline.d/, but I
> can't get away with the feeling, that they are not read.

If you are eventually dropped to shell, you can list cmdline parameters
with:

  cat /proc/cmdline


> And after setting the file correctly, what should I run? dracut, to
> build the initrd again, or grub-update, to put the options in the boot
> parameter?

First of all I advise to call dracut like that:

  dracut -H '' <kernel-version>

it will generate host-specific initramfs for specified kernel version in
default location.  Later edit variable GRUB_CMDLINE_LINUX_DEFAULT in
/etc/default/grub and put there parameters you want. After that
regenerate grub2 config with grub2-mkconfig.

I hope that helps. :-)


Cheers,

-- 
Amadeusz Żołnowski


* Re: cryptsetup + lvm order and crypt name
       [not found]           ` <8761i3pi87.fsf-txNSArhcdoZACdk+e2mhCEEMvNT87kid@public.gmane.org>
  2014-08-08  7:16             ` Amadeusz Żołnowski
@ 2014-08-15 11:11             ` Claudio Clemens
  1 sibling, 0 replies; 5+ messages in thread
From: Claudio Clemens @ 2014-08-15 11:11 UTC (permalink / raw)
  To: Amadeusz Żołnowski, initramfs-u79uwXL29TY76Z2rM5mHXA


On 08.08.2014 09:12, Amadeusz Żołnowski wrote:
> First of all I advise to call dracut like that:
> 
>   dracut -H '' <kernel-version>
> 
> it will generate host-specific initramfs for specified kernel version in
> default location.  Later edit variable GRUB_CMDLINE_LINUX_DEFAULT in
> /etc/default/grub and put there parameters you want. After that
> regenerate grub2 config with grub2-mkconfig.
> 
> I hope that helps. :-)

Ok... it was a while now. But I managed to boot my system. The -H flag
wasn't needed. I put the boot configuration Opts in grub, and not
dracut. Just for the documentation of it I have this setup:

In /etc/default/grub
GRUB_CMDLINE_LINUX="rd.auto rd.luks rd.luks.crypttab rd.luks.uuid=83e0aaa5-a8ad-4435-afff-0d52b1071fc3 rd.lvm rd.lvm.vg=boromir rd.md=0 rd.dm"

The only really needed option was rd.auto (maybe other options now
imply rd.auto). But the problem was a conflict between my
installation, Debian's dracut and Debian's cryptsetup.

When I installed my system and encrypted my /dev/sda5, I gave the
encrypted partition the name sda5_crypt. This value was written in
/etc/crypttab. So for accessing the partition at boot-time what is done
is: cryptsetup luksOpen /dev/sda5 sda5_crypt

When booting, /etc/init.d/cryptdisks* looks for sda5_crypt; if it is
there, it won't do anything and boot will continue. If it is not there,
it asks for the passphrase and tries to decrypt it.

The problem was that dracut, when calling "cryptsetup luksOpen" won't
use the name given in /etc/crypttab, but "luks-<UUID of the partition>".
When /etc/init.d/cryptdisk* comes in, there is no sda5_crypt present, so
it tried to decrypt the partition again, which is not possible, because
it is actually already in use.

My solution for the problem was to rename the decrypted volume in
/etc/crypttab from "sda5_crypt" to "luks-<UUID of /dev/sda5>". So I use
the same name dracut uses when calling cryptsetup and the
Debian-init-scripts find the device.

I think the elegant solution would be in dracut, which could have a boot
option to the name of the decrypted device (or read it from
/etc/crypttab when creating the image), or the cryptdisks-init-scripts
which could see if the encrypted device is already decrypted, and not
only look if the name is present.

I hope this can help anyone with a similar problem.

Thanks for the help,

Claudio

PS - I'll then file a bug-report/wish for both Debian-Packages so they
are aware of the problem.

-- 
+- .''`. ---| Dipl.-Inf. Univ. Claudio Clemens |-------| wheezy |-----+
| : :' :      asturio at gmx (.) net           GNU/Linux User #79942  |
| `. `'       http://asturio.gmxhome.de/begin.html                    |
|   `-        "YE GODS, I HAVE FEET??!"         <- Userfriendly       |
"I will take the ring, though I do not know the way" Frodo Baggins
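
The name mismatch described in the message above, as an added check that is not part of the original thread: it compares each mapping name in a crypttab file with the luks-<UUID> name the thread reports dracut using. The sample entry is constructed from the UUID quoted in the thread, and the function names resolve_uuid and check_crypttab are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): flag crypttab mapping names that differ
# from the luks-<UUID> name the thread says dracut uses in the initramfs.

# Resolve a crypttab source field to a LUKS UUID.
# "UUID=..." is parsed directly; a device path is looked up with blkid.
resolve_uuid() {
    case "$1" in
        UUID=*) printf '%s\n' "${1#UUID=}" ;;
        /dev/*) blkid -s UUID -o value "$1" 2>/dev/null ;;
        *)      return 1 ;;
    esac
}

# Print one line per entry of the crypttab file given as $1:
#   OK <name>                  name already equals luks-<UUID>
#   MISMATCH <name> <expected> a later init script would not find <name>
#   UNKNOWN <name>             UUID could not be resolved
# Returns 1 if any entry is not OK.
check_crypttab() {
    file=$1 rc=0
    while read -r name src _rest; do
        case "$name" in ''|'#'*) continue ;; esac   # skip blanks and comments
        uuid=$(resolve_uuid "$src") || uuid=
        if [ -z "$uuid" ]; then
            echo "UNKNOWN $name"; rc=1
        elif [ "$name" = "luks-$uuid" ]; then
            echo "OK $name"
        else
            echo "MISMATCH $name luks-$uuid"; rc=1
        fi
    done < "$file"
    return $rc
}

# Constructed sample: the installer-style name from the thread, with the UUID
# taken from the rd.luks.uuid= value quoted above (assumed to be /dev/sda5).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# <name>    <source>                                    <keyfile> <options>
sda5_crypt  UUID=83e0aaa5-a8ad-4435-afff-0d52b1071fc3   none      luks
EOF
report=$(check_crypttab "$sample") || true
printf '%s\n' "$report"
rm -f "$sample"
```

On a real system the function would be pointed at /etc/crypttab; entries given as device paths need blkid and read access to the device.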

