Gentoo Forums
[SOLVED] initrd with luks partitions, lvm2, and systemd
Tatsh
Apprentice

Joined: 22 Jul 2007
Posts: 179

PostPosted: Tue Apr 14, 2015 2:22 pm    Post subject: [SOLVED] initrd with luks partitions, lvm2, and systemd

See third post.

I have been searching all over and have not found a lot of help when things go wrong here. I am using Dracut to generate a host-only initrd that should make the following kind of layout:

Code:

NAME           FSTYPE      LABEL                       UUID                                   MOUNTPOINT
sda
├─sda1         vfat        EFI                         FF0B-C552                              /boot/efi
├─sda2         ext2        boot                        cc9cb75b-7153-44bd-a520-f8072add4bba   /boot
└─sda3         crypto_LUKS                             5d4fa557-d643-4220-b4fd-0662eba8783a
  └─root       LVM2_member                             7k9Kix-LHvZ-qy60-eluo-20vr-N5nf-LJuzXe
    ├─vg0-root ext4        root                        6c32e104-186c-4e38-86d5-baa5ef08c8f7   /
    └─vg0-home ext4                                    0cbbd0d3-5844-43ad-83ef-d434d2a58f48   /home/tatsh
sdb            crypto_LUKS                             78091943-1099-48c5-b1d7-6ec3a611bd8a
└─home         LVM2_member                             44qXdW-Y7f5-rUDX-oOm8-7azb-oryc-7d0p4R
  └─vg0-home   ext4                                    0cbbd0d3-5844-43ad-83ef-d434d2a58f48   /home/tatsh


Basically:

1. Unlock 5d4fa557 (/dev/sda3)
2. Unlock 78091943 (/dev/sdb)
3. lvm scan and enable vg0
4. Mount root (/dev/mapper/vg0-root)
5. Mount /home/tatsh from /dev/mapper/vg0-home

What happens right now is I can begin the boot but dracut-initqueue (its own module) does not run the cryptsetup generator (systemd) properly that would generate a service for each LUKS encrypted disk, and unlock them based on options given. I am almost certain this is caused by Dracut not copying my /etc/crypttab to its own image because that file is required for the generator to work. When I use lsinitrd I see a 0 byte /etc/crypttab in the image.

Has anyone succeeded with this combination? The only reason I am able to boot is because I followed Dracut wiki's instructions on how to manually boot with their debug shell. https://www.kernel.org/pub/linux/utils/boot/dracut/dracut.html#_troubleshooting

/etc/default/grub : http://dpaste.com/34E3VB4
/etc/dracut.conf : http://dpaste.com/0GQV0WD
Last Dracut log (during generation): https://gist.github.com/1da4028d91492a747110

Code:

DRACUT_MODULES="crypt crypt-gpg crypt-loop gensplash lvm ssh-client systemd"

systemd USE flags = "acl cryptsetup gudev idn introspection kmod lz4 pam (policykit) seccomp ssl -apparmor -audit -curl -doc -elfutils -gcrypt -http -importd (-kdbus) -lzma -nat -python -qrcode (-selinux) -sysv-utils -terminal -test -vanilla -xkb"


Note that I tried using genkernel-next but it does not support systemd enough as far as I can tell, regarding LUKS. It only copies the binary but not any of the other necessary files (services, etc).


Last edited by Tatsh on Wed Apr 15, 2015 1:10 am; edited 1 time in total
croutch
n00b

Joined: 04 Aug 2012
Posts: 32
Location: göteborg

PostPosted: Tue Apr 14, 2015 5:46 pm    Post subject:

Take a look if this guide could help you -> http://www.hivestream.de/gentoo-installation-with-raid-lvm-luks-and-systemd.html
Tatsh
Apprentice

Joined: 22 Jul 2007
Posts: 179

PostPosted: Wed Apr 15, 2015 12:39 am    Post subject:

croutch wrote:
Take a look if this guide could help you -> http://www.hivestream.de/gentoo-installation-with-raid-lvm-luks-and-systemd.html


Thanks for the link. It was useful for a few things. I am looking into using pam_mount instead of fstab to mount my $HOME but I am not finding that necessary.

I have resolved this issue, so I want to take notes for anyone else who might want to achieve the same thing. What I have is a system now that will not boot unless my flash drive with the key is in.

My setup is 2 SSDs combined linearly with LVM, both encrypted separately, but with the same key to make life a little easier.

So you need this in your /etc/crypttab:

Code:

diskX UUID=5d4fa557-d643-4220-b4fd-0662eba8783a /file/path-to-key luks
diskY UUID=78091943-1099-48c5-b1d7-6ec3a611bd8a /file/path-to-key luks


Where diskX and diskY are what you used originally to create the LVM volume group (/dev/mapper/diskX, etc). If you put none instead of the path you will just get prompted for every drive.

Do not use quotes on the UUID like in fstab!

Here is something that might be a bug. Basically, when dracut does its analysis to figure out which drives are okay from your /etc/crypttab to add to its own, it does not want to take in any that are in use *except* root. This is a problem if you are using LVM to merge 2 drives and create a 'linear RAID0' (please make backups somewhere else!). So what you need to do is remove some checks in the crypt module that comes with Dracut. This is with Dracut version 041-r2:

Code:

    if [[ $hostonly ]] && [[ -f /etc/crypttab ]]; then
        # filter /etc/crypttab for the devices we need
        while read _mapper _dev _rest; do
            [[ $_mapper = \#* ]] && continue
            [[ $_dev ]] || continue

            [[ $_dev == UUID=* ]] && \
                _dev="/dev/disk/by-uuid/${_dev#UUID=}"

            for _hdev in "${!host_fs_types[@]}"; do
                #[[ ${host_fs_types[$_hdev]} == "crypto_LUKS" ]] || continue
                #if [[ $_hdev -ef $_dev ]] || [[ /dev/block/$_hdev -ef $_dev ]]; then
                    echo "$_mapper $_dev $_rest"
                    break
                #fi
            done
        done < /etc/crypttab > $initdir/etc/crypttab


The checks for whether the device is busy or is part of an LVM volume group have been commented out in the for loop (3 lines commented out). This will just make the initrd /etc/crypttab the same as the system's, so be sure that is what you want.

In order for the initrd to know about the mount point where your USB or other device with the key will be located (the path referenced in /etc/crypttab), you need to add a custom fstab entry via Dracut's configuration:

Code:

# fstab
add_fstab+="/usr/src/initrd-fstab"


My /usr/src/initrd-fstab:

Code:

UUID="BD3B-03BD" /file vfat noatime 1 2


Add this same entry to your /etc/fstab to ensure that post-switch root, the decryption can occur again if necessary.

In /etc/dracut.conf you should basically have this, at minimum (unless you want to specify on the command line):

Code:

logfile=/var/log/dracut.log
fileloglvl=10 # Useful for debugging later

add_dracutmodules+="crypt crypt-gpg dm systemd crypt-loop lvm"
# fstab
add_fstab+="/usr/src/initrd-fstab"
# build initrd only to boot current hardware
hostonly="yes"


And you'll notice that lsinitrd does not show /file being created in the image. It will be created at boot time. Any mount point that does not exist and is not used for something will be used, and if the directory does not exist it will be created.

Now, you can regenerate your Grub configuration. My /etc/default/grub only has these items enabled:

Code:

GRUB_PRELOAD_MODULES=lvm  # Maybe unnecessary?
GRUB_CMDLINE_LINUX="init=/usr/lib/systemd/systemd video=uvesafb:2560x1600-32,mtrr:3,ywrap"
GRUB_GFXPAYLOAD_LINUX="keep" # For EFI FB


Regenerating, especially if you are on live CD/USB (where -limelight is the suffix you gave in kernel configuration, otherwise remove it):

Code:

$ dracut --force --kver 3.18.11-gentoo-limelight -k /lib/modules/3.18.11-gentoo-limelight
$ grub2-mkconfig -o /boot/grub/grub.cfg


Now make sure you have everything about Grub correct for you (UEFI, etc). Plug in the required flash drive or other device containing the key and reboot.

After rebooting, if you are using something like KDE, after you log in you can open up the devices widget, and unmount the flash drive there. Because it is not mounted by you, you will be asked for your root password.
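As an added illustration (not code from the thread or from dracut), the following POSIX sh script models the crypttab filtering discussed in the post against constructed data: a crypttab that includes the quoted-UUID mistake and a second-drive entry, plus constructed stand-ins for the /dev/disk/by-uuid links and for dracut's host_fs_types table (only root's LUKS container present). Running it in "strict" mode reproduces how the stock host-only check drops the second drive, while "relaxed" mode keeps every resolvable entry, as the edited module does. BY_UUID, HOST_FS_TYPES, the diskY/diskZ entries and the function names are assumptions.

```shell
# Constructed stand-ins for the host (not from the thread): where the
# /dev/disk/by-uuid links point, and the devices dracut recorded in
# host_fs_types (only root's LUKS container, as the post describes).
BY_UUID='5d4fa557-d643-4220-b4fd-0662eba8783a /dev/sda3
78091943-1099-48c5-b1d7-6ec3a611bd8a /dev/sdb'
HOST_FS_TYPES='/dev/sda3 crypto_LUKS
/dev/sda2 ext2'
# Constructed crypttab: diskY repeats the quoted-UUID mistake, diskZ is the
# correct entry for the second drive.
CRYPTTAB='# comment line
diskX UUID=5d4fa557-d643-4220-b4fd-0662eba8783a /file/path-to-key luks
diskY UUID="78091943-1099-48c5-b1d7-6ec3a611bd8a" /file/path-to-key luks
diskZ UUID=78091943-1099-48c5-b1d7-6ec3a611bd8a /file/path-to-key luks'

# resolve_dev: turn a crypttab device field into a block device path.
resolve_dev() {
    case "$1" in
        UUID=*) printf '%s\n' "$BY_UUID" | awk -v u="${1#UUID=}" '$1 == u { print $2 }' ;;
        *) printf '%s\n' "$1" ;;
    esac
}

# host_fstype: filesystem type dracut recorded for a device, or nothing.
host_fstype() {
    printf '%s\n' "$HOST_FS_TYPES" | awk -v d="$1" '$1 == d { print $2 }'
}

# filter_crypttab MODE: read crypttab text from stdin. MODE=strict applies the
# stock host-only test (device known to dracut as crypto_LUKS); any other MODE
# is the relaxed variant. Kept entries print as "mapper dev rest", dropped ones
# as "DROP mapper: reason".
filter_crypttab() {
    mode=$1
    while read -r _mapper _dev _rest; do
        case "$_mapper" in ''|\#*) continue ;; esac
        [ -n "$_dev" ] || continue
        case "$_dev" in *\"*|*\'*)
            echo "DROP $_mapper: quoted device field $_dev never resolves"; continue ;;
        esac
        dev=$(resolve_dev "$_dev")
        if [ -z "$dev" ]; then
            echo "DROP $_mapper: $_dev does not resolve"; continue
        fi
        if [ "$mode" = strict ] && [ "$(host_fstype "$dev")" != crypto_LUKS ]; then
            echo "DROP $_mapper: $dev is not a crypto_LUKS device dracut knows"; continue
        fi
        echo "$_mapper $dev $_rest"
    done
}
printf '%s\n' "$CRYPTTAB" | filter_crypttab strict
```

Run with `filter_crypttab relaxed` to see the second drive survive; on a real system the same loop would read /etc/crypttab and `/dev/disk/by-uuid` directly instead of the constructed tables.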