[systemd-devel] [PATCH] random-seed: break ordering cycle with encrypted tmp partitions
Tom Gundersen
teg at jklm.no
Thu Dec 22 16:47:41 PST 2011
Rather than ordering systemd-random-seed-load.service after local-fs.target,
start it by path-activation.
We need write access to the seed, so we order the path unit after
remount-rootfs.service (in case /var is on the root fs).
A better solution might be to introduce PathIsWritable=, but that is not
necessary in order to solve the problem, and I don't know of any other
usecases for it.
Cc: Frederic Crozat <fcrozat at suse.com>
Cc: Michal Schmidt <mschmidt at redhat.com>
---
This is my second attempt at solving this problem. The first one had
some issues, as pointed out by Frederic and Michal.
Makefile.am | 7 +++++--
TODO | 2 --
units/.gitignore | 1 +
units/systemd-random-seed-load.path.in | 18 ++++++++++++++++++
units/systemd-random-seed-load.service.in | 3 +--
5 files changed, 25 insertions(+), 6 deletions(-)
create mode 100644 units/systemd-random-seed-load.path.in
diff --git a/Makefile.am b/Makefile.am
index 170465a..5e236f0 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -414,6 +414,7 @@ nodist_systemunit_DATA = \
units/systemd-update-utmp-shutdown.service \
units/systemd-random-seed-save.service \
units/systemd-random-seed-load.service \
+ units/systemd-random-seed-load.path \
units/systemd-readahead-collect.service \
units/systemd-readahead-replay.service \
units/systemd-readahead-done.service \
@@ -477,6 +478,7 @@ EXTRA_DIST = \
units/systemd-update-utmp-shutdown.service.in \
units/systemd-random-seed-save.service.in \
units/systemd-random-seed-load.service.in \
+ units/systemd-random-seed-load.path.in \
units/systemd-readahead-collect.service.in \
units/systemd-readahead-replay.service.in \
units/systemd-readahead-done.service.in \
@@ -1611,6 +1613,7 @@ SED_PROCESS = \
-e 's, at exec_prefix\@,$(exec_prefix),g' \
-e 's, at libdir\@,$(libdir),g' \
-e 's, at includedir\@,$(includedir),g' \
+ -e 's, at localstatedir\@,$(localstatedir),g' \
< $< > $@ || rm $@
units/%: units/%.in Makefile
@@ -1887,7 +1890,7 @@ endif
sys-fs-fuse-connections.mount \
systemd-vconsole-setup.service \
systemd-modules-load.service \
- systemd-random-seed-load.service \
+ systemd-random-seed-load.path \
systemd-tmpfiles-setup.service \
systemd-sysctl.service \
systemd-ask-password-console.path \
@@ -1901,7 +1904,7 @@ endif
$(LN_S) ../sys-fs-fuse-connections.mount sys-fs-fuse-connections.mount && \
$(LN_S) ../systemd-vconsole-setup.service systemd-vconsole-setup.service && \
$(LN_S) ../systemd-modules-load.service systemd-modules-load.service && \
- $(LN_S) ../systemd-random-seed-load.service systemd-random-seed-load.service && \
+ $(LN_S) ../systemd-random-seed-load.path systemd-random-seed-load.path && \
$(LN_S) ../systemd-tmpfiles-setup.service systemd-tmpfiles-setup.service && \
$(LN_S) ../systemd-sysctl.service systemd-sysctl.service && \
$(LN_S) ../systemd-ask-password-console.path systemd-ask-password-console.path && \
diff --git a/TODO b/TODO
index a8ab352..ab26eaa 100644
--- a/TODO
+++ b/TODO
@@ -23,8 +23,6 @@ Features:
* Make libselinux, libattr, libcap, libdl dependencies only of the tools which actually need them.
-* as Tom Gundersen pointed out there's a always a dep loop if people use crypto file systems with random keys
-
* unset container= in PID1?
* automatically escape unit names passed on the service (i.e. think "systemctl start serial-getty.service at serial/by-path/jshdfjsdfhkjh" being automatically escaped as necessary.
diff --git a/units/.gitignore b/units/.gitignore
index cc92c73..202cc62 100644
--- a/units/.gitignore
+++ b/units/.gitignore
@@ -31,6 +31,7 @@ systemd-vconsole-setup.service
systemd-auto-serial-getty.service
systemd-shutdownd.service
systemd-random-seed-load.service
+systemd-random-seed-load.path
systemd-random-seed-save.service
systemd-initctl.service
systemd-stdout-syslog-bridge.service
diff --git a/units/systemd-random-seed-load.path.in b/units/systemd-random-seed-load.path.in
new file mode 100644
index 0000000..614c1d4
--- /dev/null
+++ b/units/systemd-random-seed-load.path.in
@@ -0,0 +1,18 @@
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+
+[Unit]
+Description=Random Seed
+DefaultDependencies=no
+Conflicts=shutdown.target
+Before=basic.target shutdown.target
+# in case the seed is on the rootfs, we must
+# wait for the rootfs to be remonuted rw
+After=remount-rootfs.service
+
+[Path]
+PathExists=@localstatedir@/lib/random-seed
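Review bot: `PathExists=` fires as soon as the seed file is visible, and `After=remount-rootfs.service` only orders the path unit after the remount job; it does not require the remount to have succeeded. The commit message says the load step needs write access, so if the seed is loaded from a filesystem that is still read-only it presumably cannot be refreshed, and the same seed would be credited again on the next boot. I would state that limitation in the unit, e.g. `# PathExists= does not check writability; a read-only seed file is loaded but cannot be refreshed`. The comment above `After=` also has a typo, `remonuted` should be `remounted`.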
diff --git a/units/systemd-random-seed-load.service.in b/units/systemd-random-seed-load.service.in
index a2b6a55..2bcf1aa 100644
--- a/units/systemd-random-seed-load.service.in
+++ b/units/systemd-random-seed-load.service.in
@@ -8,9 +8,8 @@
[Unit]
Description=Load Random Seed
DefaultDependencies=no
-Wants=local-fs.target
Conflicts=shutdown.target
-After=systemd-readahead-collect.service systemd-readahead-replay.service local-fs.target
+After=systemd-readahead-collect.service systemd-readahead-replay.service systemd-random-seed-load.path
Before=sysinit.target shutdown.target
[Service]
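Review bot: With `Wants=local-fs.target` and `After=local-fs.target` removed, this service is started only by the path trigger, so `Before=sysinit.target` may no longer guarantee that the seed is loaded before sysinit.target is reached. Ordering normally applies only between jobs queued together, and the path unit's `Before=basic.target` orders the watch, not the service it starts. Anything that draws from the kernel pool early in boot (key generation, random-key crypto setup) could then run before the saved seed is written back. Please confirm the intended guarantee and record it in the unit, for example `# Started by systemd-random-seed-load.path; may complete after sysinit.target, early consumers must not assume the seed is loaded`. The `[Unit]` section starts above this hunk and `[Service]` continues below it, so the `ExecStart=` side is not visible here.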
--
1.7.8