[systemd-devel] [PATCH] cryptsetup-generator: support rd.luks.key=keyfile:keyfile_device
Lennart Poettering
lennart at poettering.net
Thu Apr 23 07:57:09 PDT 2015
On Thu, 23.04.15 06:41, Andrei Borzenkov (arvidjaar at gmail.com) wrote:
> On Thu, 23 Apr 2015 00:48:38 +0200
> Lennart Poettering <lennart at poettering.net> wrote:
>
> > On Fri, 20.02.15 10:56, Jan Synacek (jsynacek at redhat.com) wrote:
> >
> > Sorry for the late review.
> >
> > What's the precise background of this? Can you elaborate? Is there
> > some feature request for this?
>
> There are multiple bug reports that switching to dracut with integrated
> systemd breaks ability to auto-setup encrypted devices using keyfile
> on external USB stick.
Hmm, but from Jan's mail I got the impression that this is a Dracut
feature in the first place? Now I am confused?
Which initrd implementations supported this scheme before?
> > What does this actually do? Is the specified key file read from the
> > specified device?
>
> It reads keyfile from filesystem on device identified by keyfile_device.
>
> > The order of keyfile:device sounds weird, no?
> > Shouldn't it be the other way round?
> >
>
> keyfile is mandatory, keyfile_device is optional and can be omitted. I
> believe dracut looked at all existing devices then. This order makes
> it easier to omit optional parameter(s).
Well, whether it is [device:]file or file[:device] is hardly any
difference for the parser...
> > Is this specific to Dracut so far? Is this widely used, and something
> > that we really want.
>
> I can say about dracut only but yes, it is used and it is a serious
> regression compared with the pre-systemd version when it is used.
Can you point me to documentation about the previous features in this
regard? Which initrd implementations are you referring to?
> > > First version of the patch that allows rd.luks.key to be specified
> > > almost the same way as dracut can read it.
> > >
> > > The solution creates a temporary mount unit "mnt.mount" that the
> > > generated cryptsetup service wants. The partition where the keyfile
> > > is located is then mounted to /mnt, and the absolute path to the keyfile
> > > is changed so it points to this temporary mount instead.
> >
> > Well, I'd place this in /run somewhere. Maybe
> > /run/systemd/cryptsetup/mount or so...
> >
> > > I'm not sure if temporarily mounting something to /mnt in initrd is
> > > safe. If not, what would be a preferred way to do this?
> >
> > What does temporarily mean? When is this unmounted?
>
> To fetch keyfile dracut needs to mount USB stick. This mount is not
> normally needed after cryptomount setup is completed.
Well, sure, I am just wondering what precisely shall be used as
trigger to unmount it again.
Lennart
--
Lennart Poettering, Red Hat
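As an added illustration of what the thread is discussing (the parsing of rd.luks.key=keyfile[:keyfile_device] and the temporary mount unit a generator would emit), here is a small C sketch. It is example code written for this page, not the patch under review and not systemd's cryptsetup-generator. It follows Lennart's suggestion of a mount point under /run/systemd/cryptsetup rather than /mnt, but the exact path /run/systemd/cryptsetup/keydev, the set of accepted device specifiers (/dev/..., UUID=, LABEL=, PARTUUID=), the unit text and the simplified unit-name escaping are all assumptions of the example. It does not answer Lennart's open question of what should trigger the unmount afterwards.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Mount point for the key device: Lennart only suggests "/run/systemd/cryptsetup
 * or so", so this exact path is an assumption of the example. */
#define KEYDEV_MOUNT "/run/systemd/cryptsetup/keydev"

struct luks_key {
    char keyfile[256];   /* absolute path of the key file (mandatory) */
    char device[256];    /* device holding it; empty when omitted */
    char effective[512]; /* path the cryptsetup service should actually open */
};

/* Parse the value of rd.luks.key=keyfile[:keyfile_device]. Returns 0 on success,
 * -1 on malformed input. With a device the key path is rewritten to live under
 * the temporary mount; without one it is used as-is. */
int parse_luks_key(const char *arg, struct luks_key *out)
{
    const char *colon, *dev;
    size_t kflen;

    memset(out, 0, sizeof *out);
    if (!arg || arg[0] != '/')                 /* key path: mandatory, absolute */
        return -1;
    colon = strchr(arg, ':');
    kflen = colon ? (size_t)(colon - arg) : strlen(arg);
    if (kflen >= sizeof out->keyfile)
        return -1;
    memcpy(out->keyfile, arg, kflen);
    out->keyfile[kflen] = '\0';
    if (!colon) {
        strcpy(out->effective, out->keyfile);
        return 0;
    }
    /* Device spec: the forms fstab's first field takes. Accepting exactly
     * these is an assumption; the thread does not settle it. */
    dev = colon + 1;
    if (strncmp(dev, "/dev/", 5) && strncmp(dev, "UUID=", 5) &&
        strncmp(dev, "LABEL=", 6) && strncmp(dev, "PARTUUID=", 9))
        return -1;
    if (strlen(dev) >= sizeof out->device)
        return -1;
    strcpy(out->device, dev);
    snprintf(out->effective, sizeof out->effective, "%s%s", KEYDEV_MOUNT, out->keyfile);
    return 0;
}

/* Simplified systemd-escape --path --suffix=mount for a non-root path without a
 * trailing slash: drop the leading '/', map '/' to '-', keep [A-Za-z0-9:_.],
 * hex-escape everything else (so '-' becomes \x2d). Returns 0, or -1 if the
 * path is not absolute or buf is too small. */
int unit_name_for_path(const char *path, char *buf, size_t len)
{
    size_t n = 0;

    if (!path || path[0] != '/' || path[1] == '\0')
        return -1;
    for (const char *p = path + 1; *p; p++) {
        char piece[5];
        if (isalnum((unsigned char)*p) || *p == ':' || *p == '_' || *p == '.')
            snprintf(piece, sizeof piece, "%c", *p);
        else if (*p == '/')
            snprintf(piece, sizeof piece, "-");
        else
            snprintf(piece, sizeof piece, "\\x%02x", (unsigned char)*p);
        if (n + strlen(piece) >= len)
            return -1;
        memcpy(buf + n, piece, strlen(piece));
        n += strlen(piece);
    }
    if (n + sizeof ".mount" > len)
        return -1;
    memcpy(buf + n, ".mount", sizeof ".mount");
    return 0;
}

/* Emit the mount unit for the key device. Returns bytes written, or -1 when no
 * device was given (nothing to mount) or buf is too small. The unit text is
 * the example's own, not what any real generator writes. */
int format_mount_unit(const struct luks_key *k, char *buf, size_t len)
{
    int n;

    if (k->device[0] == '\0')
        return -1;
    n = snprintf(buf, len,
                 "[Unit]\nDescription=Device holding LUKS key file %s\n"
                 "DefaultDependencies=no\nBefore=cryptsetup.target\n\n"
                 "[Mount]\nWhat=%s\nWhere=%s\nOptions=ro\n",
                 k->keyfile, k->device, KEYDEV_MOUNT);
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}

int main(void)
{
    struct luks_key k;
    char name[128], unit[1024];

    /* constructed sample value of rd.luks.key= */
    if (parse_luks_key("/keys/root.key:UUID=1234-ABCD", &k) != 0 ||
        unit_name_for_path(KEYDEV_MOUNT, name, sizeof name) != 0 ||
        format_mount_unit(&k, unit, sizeof unit) < 0)
        return 1;
    printf("open key at: %s\nmount unit:  %s\n%s", k.effective, name, unit);
    return 0;
}
```

The generated cryptsetup service would then carry Wants= and After= on the mount unit name produced by unit_name_for_path() and open k.effective instead of the raw keyfile path; when no device is given, nothing is mounted and the path is passed through unchanged.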