[systemd-devel] systemd-nspawn/machinectl with LUKS/LVM

Lennart Poettering lennart at poettering.net
Wed Oct 4 09:31:57 UTC 2017


On Tue, 03.10.17 17:04, bugs-systemd at aquazul.com (bugs-systemd at aquazul.com) wrote:

> Hi,
> 
> I'm trying to figure out the right way of using an LUKS-encrypted LV
> with systemd-nspawn.
> 
> I've got an LV called "containername" which is LUKS-encrypted, and I
> start the container using:
> 
> systemd-nspawn --boot --image=/dev/vg/containername
> 
> it asks me for the LUKS passphrase, and it seems to work OK on the
> command line.
> 
> However, just a few questions:
> 
> 1) is there any advantage to using a single-partition GPT instead of no
> partition and a filesystem?

The image dissection logic can deal with either. The GPT approach is a
bit nicer I think since the root partition can be marked as such, and
carries information about the CPU architecture this image is for (and
nspawn derives the --personality= from that). Hence, things are a lot
more discoverable this way, as images suitable for nspawn are easily
recognized as such. And then of course it offers you things like
having multiple partitions in the same image. For example, a single
image that contains a read-only squashfs /usr, combined with an ext4
writable /home or so. Last but not least, by doing GPT it is easy to
make images that boot under both KVM (or physical systems) and nspawn
in pretty much the same way.

If neither of that is interesting to you, i.e. not discoverability, no
architecture support, no multiple partitions and no KVM compat, then
you can happily do without GPT.

(mkosi makes building images easy that take benefit of GPT features btw)

> 2) machinectl list-images doesn't detect the images in LVs; am I
> supposed to (auto)mount them in /var/lib/machines/ ?

Yeah, that's how discovery works. You can also place a symlink there.

> 3) how do I best enable this on boot? "machinectl enable" won't work
> since it doesn't know which image to use. Is there an example of a
> systemd unit file for an image-based nspawn container?

It should work, if you make them available in /var/lib/machines,
either by mounting them there or by symlinking them there.

Lennart

-- 
Lennart Poettering, Red Hat
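The discoverability point in the first answer (a GPT root partition is "marked as such" and its type GUID tells you the CPU architecture the image was built for) is easy to see by parsing a GPT header yourself. The script below is an added example, not code from this thread or from systemd's own image dissection; it builds a constructed miniature image in memory (protective MBR plus primary GPT only, with no backup GPT and no filesystem payload), then parses it the way an image-discovery tool would: verify the header signature and both CRC32s, reject entries outside the usable range, and map the root partition's type GUID to an architecture using the root GUIDs from the Discoverable Partitions Specification. A bare filesystem image (no GPT signature) is reported as such, which is the "no partition and a filesystem" alternative from the question. The function names, the fixed sample GUIDs and the tie-break policy in `find_root` are this example's own assumptions.

```python
"""Constructed example: build a minimal GPT image and dissect it to find the
partition marked as root and the architecture encoded in its type GUID."""
import struct
import uuid
import zlib

SECTOR = 512
GPT_HEADER_FMT = "<8sIIIIQQQQ16sQIII"   # 92-byte primary header
GPT_ENTRY_FMT = "<16s16sQQQ72s"          # 128-byte partition entry

# Root partition type GUIDs from the Discoverable Partitions Specification.
ROOT_TYPES = {
    uuid.UUID("4f68bce3-e8cd-4db1-96e7-fbcaf984b709"): "x86-64",
    uuid.UUID("44479540-f297-41b2-9af7-d131d5f0458a"): "x86",
    uuid.UUID("b921b045-1df0-41c3-af44-4c6f280d3fae"): "arm64",
    uuid.UUID("69dad710-2ce4-4e3c-b16c-21a1d49abed3"): "arm",
}

# Fixed, constructed identifiers so the sample image is reproducible.
SAMPLE_DISK_GUID = uuid.UUID("0a1b2c3d-0000-4000-8000-000000000001")
SAMPLE_PART_GUID = uuid.UUID("0a1b2c3d-0000-4000-8000-000000000002")


def build_gpt_image(root_arch="x86-64", n_entries=128):
    """Construct protective MBR + primary GPT with one root partition.
    The backup GPT and the filesystem payload are deliberately omitted."""
    type_guid = next(g for g, a in ROOT_TYPES.items() if a == root_arch)
    entries = bytearray(n_entries * 128)
    entries[:128] = struct.pack(
        GPT_ENTRY_FMT, type_guid.bytes_le, SAMPLE_PART_GUID.bytes_le,
        2048, 20479, 0, "root".encode("utf-16-le").ljust(72, b"\0"))
    header = struct.pack(
        GPT_HEADER_FMT, b"EFI PART", 0x00010000, 92, 0, 0,
        1, 20479, 2048, 20479, SAMPLE_DISK_GUID.bytes_le,
        2, n_entries, 128, zlib.crc32(entries))
    # Header CRC is computed with its own CRC field zeroed, then patched in.
    header = header[:16] + struct.pack("<I", zlib.crc32(header)) + header[20:]
    mbr = bytearray(SECTOR)
    mbr[446 + 4] = 0xEE          # protective MBR partition type
    mbr[510:512] = b"\x55\xaa"
    array_sectors = -(-len(entries) // SECTOR)
    return (bytes(mbr) + header.ljust(SECTOR, b"\0")
            + bytes(entries).ljust(array_sectors * SECTOR, b"\0"))


def parse_gpt(image):
    """Parse the primary GPT. Returns None when there is no GPT signature
    (a bare filesystem image), otherwise the non-empty partition entries.
    Raises ValueError on CRC mismatch or out-of-range entries."""
    hdr = image[SECTOR:SECTOR + 92]
    if len(hdr) < 92 or hdr[:8] != b"EFI PART":
        return None
    (_, _rev, hsize, hcrc, _, _cur, _bak, first, last, _disk,
     array_lba, n_entries, esize, acrc) = struct.unpack(GPT_HEADER_FMT, hdr)
    full = image[SECTOR:SECTOR + hsize]
    if zlib.crc32(full[:16] + b"\0\0\0\0" + full[20:]) != hcrc:
        raise ValueError("GPT header CRC mismatch")
    if esize < 128:
        raise ValueError("partition entry size too small")
    start = array_lba * SECTOR
    array = image[start:start + n_entries * esize]
    if len(array) != n_entries * esize or zlib.crc32(array) != acrc:
        raise ValueError("GPT partition array CRC mismatch")
    parts = []
    for i in range(n_entries):
        t, u, lo, hi, _attrs, name = struct.unpack(
            GPT_ENTRY_FMT, array[i * esize:i * esize + 128])
        ptype = uuid.UUID(bytes_le=t)
        if ptype.int == 0:
            continue                      # unused slot
        if not (first <= lo <= hi <= last):
            raise ValueError(f"partition {i} lies outside the usable range")
        parts.append({"type": ptype, "uuid": uuid.UUID(bytes_le=u),
                      "first_lba": lo, "last_lba": hi,
                      "name": name.decode("utf-16-le").rstrip("\0")})
    return parts


def find_root(parts, host_arch="x86-64"):
    """Architecture of the partition marked as root, or None if there is none.
    Policy assumed here: two roots for one architecture are ambiguous; when
    roots for several architectures exist, the host's own is preferred."""
    roots = {}
    for p in parts:
        arch = ROOT_TYPES.get(p["type"])
        if arch is None:
            continue
        if arch in roots:
            raise ValueError(f"ambiguous image: two root partitions for {arch}")
        roots[arch] = p
    if not roots:
        return None
    return host_arch if host_arch in roots else sorted(roots)[0]


if __name__ == "__main__":
    sample = build_gpt_image("x86-64")
    found = parse_gpt(sample)
    print(found, "->", find_root(found))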


More information about the systemd-devel mailing list