Gentoo Forums
/bin/sh: cannot access tty; job control turned off
anemptygun (n00b)
Joined: 18 Aug 2014
Posts: 13

Posted: Mon Aug 18, 2014 11:45 pm    Post subject: /bin/sh: cannot access tty; job control turned off

Hello!

I'm fairly new to the Gentoo world. I've done a couple of bare minimum installs, but this is the first time I've really tried to sink my teeth in and do an install on my main machine. I'm trying to do a full disk encryption setup and I'm having some difficulty with setting up an initramfs.

I've mostly been following this guide, as I am trying to do authentication with a gpg key on a USB drive, plus a passphrase. I have a LUKS encrypted / and an unencrypted /boot.

I can access and decrypt my drive just fine from the LiveCD, but I get an error when trying to decrypt root from the initramfs. I am issuing the command
Code:
/bin/gpg --decrypt /mnt/usb/luks-key.gpg | /sbin/cryptsetup --key-file - luksOpen $(findfs UUID=<MY DRIVES UUID>) gentoo
like I would do normally, but it complains, returning:

Code:

gpg: can't open /mnt/usb/luks-key.gpg
gpg: decrypt_message failed: file open failure
Something went wrong. Dropping you to a shell.
/bin/sh: cannot access tty; job control turned off


If I modify the initramfs to only drop me to a shell I can execute each command by hand ok. USB mounts fine, and I can see the gpg key. But I will still get the cannot access tty error when attempting to mount root. Anyone have any ideas? Feel like I'm missing a one liner or have a typo here somewhere. Been doing a lot of searching and asking around in IRC but to no avail. I expect you guys will need to see the output of some commands, just let me know. Thanks in advance. :D

Background info:
Kernel enabled initramfs, devtmpfs, device-mapper support, various cipher supports,
Statically emerged gpg 1.4, cryptsetup, busybox, and lvm.

Manual custom initramfs
Code:
#!/bin/busybox sh

rescue_shell() {
    echo "Something went wrong. Dropping you to a shell."
    busybox --install -s
    exec /bin/sh
}
#mount proc and sys filesystems
mount -t proc none /proc
mount -t sysfs none /sys
mount -t devtmpfs none /dev
mount -o ro $(findfs UUID=<MY USB ID>) /mnt/usb
echo 0 > /proc/sys/kernel/printk
clear
sleep 3
busybox --install -s
# decrypt
/bin/gpg --decrypt /mnt/usb/luks-key.gpg | /sbin/cryptsetup --key-file - luksOpen $(findfs UUID=<MY DRIVES UUID>) gentoo || rescue_shell
/sbin/lvm vgscan --mknodes
/sbin/lvm lvchange -a ly vg/swap
/sbin/lvm lvchange -a ly vg/home
/sbin/lvm lvchange -a ly vg/root
#mount
mount /dev/mapper/vg1-root /mnt/root
mount /dev/mapper/vg1-home /mnt/home
#cleanup
umount /proc
umount /sys
umount /mnt/usb
# and we continue
exec switch_root /mnt/root /sbin/init

eccerr0r (Watchman)
Joined: 01 Jul 2004
Posts: 7163
Location: almost Mile High in the USA

Posted: Tue Aug 19, 2014 12:19 am

This error happens when you try to run an interactive shell on a "terminal" line without a controlling terminal - specifically the default, /dev/console. You can safely ignore it unless it's causing another issue.

The real problem you have to deal with is why

Code:
gpg: can't open /mnt/usb/luks-key.gpg


is showing up. I'm not sure if gpg would give up and error out like this if you don't have terminal control in a script when you can type it in manually.
What if you add a debugging statement into the script that ls -l /mnt/usb just before you do the gpg command just to make sure that file really is there before trying to decrypt it?

It really is mounting the USB stick automatically? On my initrd I tend to have to wait a few seconds for USB and USB-storage to settle before I can mount, but this is very system dependent...
_________________
Intel Core i7 2700K@ 4.1GHz/HD3000 graphics/8GB DDR3/180GB SSD
What am I supposed watching?

anemptygun (n00b)
Joined: 18 Aug 2014
Posts: 13

Posted: Tue Aug 19, 2014 12:38 am

Looks like /dev/console is present in my initramfs. I do have the 'sleep 3' statement in the script. Maybe I should make that longer? I'll bump it up to 10 for the heck of it and give that a shot. I've mostly been concerned with getting it to run manually first before I worry about the full automation of the script.

Edit: Looks like

Code:
/bin/sh: cannot access tty; job control turned off


is not just a warning. Root is failing to mount when I check /dev/mapper.

anemptygun (n00b)
Joined: 18 Aug 2014
Posts: 13

Posted: Tue Aug 19, 2014 1:07 am

Ok, so I moved my sleep statement to look like this...

Code:
mount -t devtmpfs none /dev
sleep 10
mount -o ro $(findfs UUID=<MY USB ID>) /mnt/usb


and that got rid of the "can't open /mnt/usb/luks-key.gpg" error.

But now gpg is also complaining about /dev/tty in addition to /bin/sh. Not sure where to go from here...

I noticed that normally when I unlock the drive this would echo in the terminal.

Code:
pinentry-curses: no LC_CTYPE known - assuming UTF-8


I'm assuming this has to do with password entry? Related at all?

Hu (Moderator)
Joined: 06 Mar 2007
Posts: 13987

Posted: Tue Aug 19, 2014 1:27 am

With recent lvm, I found that I needed to explicitly lvm vgmknodes after lvm lvscan completes. If I did not do this, then the nodes did not appear under /dev/mapper and attempts to access them failed.

You can get job control by redirecting the shell to tty1: /bin/sh </dev/tty1 >/dev/tty1 2>&1.

anemptygun (n00b)
Joined: 18 Aug 2014
Posts: 13

Posted: Tue Aug 19, 2014 3:18 am

Hu,

Running an lvm lvscan reports no volume groups found. If I'm remembering correctly the lvm structure is inside of the encrypted LUKS container. Don't I have to be able to unlock the container first? The Gentoo wiki guide I had been following did it this way..

When I try to issue /bin/sh </dev/tty1 >/dev/tty1 2>&1 it echoes that /bin/sh: cannot access tty; job control turned off

Pardon my ignorance, I'm just trying to wrap my head around this 8O

Hu (Moderator)
Joined: 06 Mar 2007
Posts: 13987

Posted: Wed Aug 20, 2014 12:55 am

Yes, of course, you need the LVM PVs visible before you can use any LVM commands. My point was that, for recent LVM, I found that once the lvscan completed successfully, the device nodes still did not exist unless I explicitly ran vgmknodes.

I do not know why you still do not get job control. I use that line in my initramfs and I have job control. I think I did not have job control prior to changing the line to add the redirections.

eccerr0r (Watchman)
Joined: 01 Jul 2004
Posts: 7163
Location: almost Mile High in the USA

Posted: Wed Aug 20, 2014 4:20 am

It still doesn't make sense why it would work interactively but not in the script as both do not have job control yet. I think it may be a red herring. Now I don't know enough about how gnupg gets passwords using pinentry, I'd look into pinentry issues first - it's a tricky beast because it's one of those socket ipc systems to allow a UI-agnostic system, which may be overkill in this situation. Then again it may not be...

Unfortunately even if you get job control by running a new shell on /dev/tty1 you can't do this trick in the script as is.

The LC_CTYPE warning you get - this is if you're running with a full Linux or with the initramfs? Your description isn't very clean whether you got it working interactively within the initramfs or not... If running interactively within the initramfs, can you decrypt your key or not?

Now I'm not sure how pinentry-curses works, if it actually needs to take over the master pty of /dev/console then this won't work, but if other people have gotten it working in an initramfs I doubt this is the case... then again I don't know if anyone has or hasn't.

On the page you referred to, there is a blurb about pinentry to set GPG_TTY. I'm not sure if this is applicable in this situation.

anemptygun (n00b)
Joined: 18 Aug 2014
Posts: 13

Posted: Fri Aug 22, 2014 4:10 am

Ok, so after some more searching I came across a bit about job control on the Gentoo custom initramfs wiki. Issuing this command seemed to do the trick with getting rid of my job control error.

Code:
setsid sh -c 'exec sh </dev/tty1 >/dev/tty1 2>&1'


:D Yay! One less roadblock! Hu was very close with the command hint he gave me.

But it would appear I'm still not out of the woods just yet. I am now receiving this error, which repeats seven times..

Code:
Failed to open temporary keystore device.
device-mapper: remove ioctl on temporary-cryptsetup-1270 failed: no such device or address


If anyone has any ideas on this I'm all ears! I'll keep looking around and see what I come across.


Last edited by anemptygun on Fri Aug 22, 2014 4:17 am; edited 1 time in total

anemptygun (n00b)
Joined: 18 Aug 2014
Posts: 13

Posted: Fri Aug 22, 2014 4:16 am

eccerr0r wrote:
The LC_CTYPE warning you get - this is if you're running with a full Linux or with the initramfs? Your description isn't very clean whether you got it working interactively within the initramfs or not... If running interactively within the initramfs, can you decrypt your key or not?


The LC_CTYPE warning I was getting is from running full Linux. I think I saw that it was safe to ignore that error. My train of thought was that I just didn't know if there was anything explicit I had to set up for pinentry..

It looks like I now have job control, and can decrypt my key. I think now I am having issues with the cryptsetup side of the pipe.
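
An added example, not part of any post in this thread: the two fixes that worked above (waiting for the USB device before mounting it, and starting the rescue shell through setsid on /dev/tty1) written as busybox sh functions, with the fixed sleep replaced by a polling loop that gives up after a timeout. The names wait_for and unlock_root and the 30-second timeout are assumptions; the paths, the mapping name and the setsid command come from the posts.

```sh
#!/bin/sh
# Added example, not from the thread. wait_for and unlock_root are
# hypothetical names; the 30 s timeout is an assumed value.

# wait_for TIMEOUT CMD...: retry CMD once per second until it succeeds.
# Prints CMD's stdout on success, returns 1 once TIMEOUT seconds have passed.
wait_for() {
    timeout=$1; shift
    elapsed=0
    while :; do
        if out=$("$@" 2>/dev/null); then
            printf '%s\n' "$out"
            return 0
        fi
        [ "$elapsed" -ge "$timeout" ] && return 1
        sleep 1
        elapsed=$((elapsed + 1))
    done
}

# rescue_shell: the setsid command quoted in the thread starts the shell in
# a new session on /dev/tty1, which is what cleared the job control message.
rescue_shell() {
    echo "Something went wrong. Dropping you to a shell."
    busybox --install -s
    setsid sh -c 'exec sh </dev/tty1 >/dev/tty1 2>&1'
}

# unlock_root USB_UUID ROOT_UUID: the original post's unlock step, polling
# for each device instead of sleeping. The key only travels through the
# pipe, and the pipeline's exit status is cryptsetup's.
unlock_root() {
    usb_dev=$(wait_for 30 findfs "UUID=$1") || return 1
    mount -o ro "$usb_dev" /mnt/usb || return 1
    root_dev=$(wait_for 30 findfs "UUID=$2") || return 1
    /bin/gpg --decrypt /mnt/usb/luks-key.gpg |
        /sbin/cryptsetup --key-file - luksOpen "$root_dev" gentoo
}

# In the init script, after mounting /proc, /sys and /dev:
#   unlock_root <USB UUID> <ROOT UUID> || rescue_shell
```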

All times are GMT