[systemd-devel] systemd-repart HOWTO + demo code
Thayne Harbaugh
thayne at mastodonlabs.com
Sun Oct 20 06:13:24 UTC 2024
Response in line:
On Sat, 2024-10-19 at 21:57 -0400, Adrian Vovk wrote:
> Responses inline
>
> On Sat, Oct 19, 2024, 21:52 Thayne Harbaugh <thayne at mastodonlabs.com>
> wrote:
> > Response in line:
> >
> > On Sat, 2024-10-19 at 20:36 -0400, Adrian Vovk wrote:
> > > Hello,
> > > I might have spotted something
<SNIP>
> > > You tell repart to encrypt with a keyfile, but it seems like you
> > > don't pass in which keyfile to use.
> >
> > Maybe I'm confused about how Encrypt= and EncryptedVolume=
> > interact.
<SNIP>
> Yeah I think you are. I'm pretty sure EncryptedVolume= is about
> defining what goes into /etc/crypttab, and thus how the volume is set
> up at runtime or at boot. Not how the volume is set up when it's
> created. Basically each EncryptedVolume= entry is an entry in
> /etc/crypttab and no more.
> > > By default, repart will encrypt
> > > with a null key in that case. IIRC, you have to pass in the
> > > keyfile
> > > (or maybe socket) to use in your drop-in.
> >
> > I feel like I should know what my "drop-in" ... but I have no idea.
> > Is thet the repart.d/30-xdata.conf? Is it the override I made to
> > systemd-repart.service as
> > systemd-repart.service.d/systemd-repart-gen_tabs.conf ?
>
> I mean the override you made to systemd-repart.service
I changed the systemd-repart drop-in to pass
--key-file=/run/fscrypt.sock:
ExecStart=systemd-repart --dry-run=no --key-file=/run/fscrypt.sock --generate-fstab=/run/fstab --generate-crypttab=/run/crypttab
(change pushed into repart_howto project)
I can now see that it opens the socket defined by fscrypt.socket,
activates fscrypt at .service and executes getkey. Woot!
Unfortunately systemd-repart still does not exit and udev events
continue to repeat waiting for a lock (the new, encrypted partition is
not created):
<SNIP>
Oct 19 23:20:27.218374 localhost (d-repart)[277]: systemd-repart.service: Executing: systemd-repart --dry-run=no --key-file=/run/fscrypt.sock --generate-fstab=/run/fstab --generate-crypttab=/run/crypttab
<SNIP>
Oct 19 23:20:27.286753 localhost systemd-repart[277]: Device /dev/sdb opened and locked.
<SNIP>
Oct 19 23:20:27.305471 localhost systemd-repart[277]: Sector size of device is 512 bytes. Using filesystem sector size of 4096 and grain size of 4096.
Oct 19 23:20:27.305544 localhost systemd-repart[277]: /run/fstab written.
Oct 19 23:20:27.305567 localhost systemd-repart[277]: /run/crypttab written.
Oct 19 23:20:27.305838 localhost systemd-repart[277]: Applying changes to /dev/sdb.
<SNIP>
Oct 19 23:20:27.314953 localhost systemd-repart[277]: Successfully wiped file system signatures from future partition 2.
Oct 19 23:20:27.320086 localhost systemd-repart[277]: Successfully discarded data from future partition 2.
Oct 19 23:20:27.320446 localhost systemd-repart[277]: Successfully discarded gap after partition 2.
Oct 19 23:20:27.320611 localhost systemd-repart[277]: loop0: Acquired exclusive lock.
Oct 19 23:20:27.320872 localhost systemd-repart[277]: Successfully acquired /dev/loop0, devno=7:0, nr=0, diskseq=11
Oct 19 23:20:27.323113 localhost systemd-repart[277]: Encrypting future partition 2...
Oct 19 23:20:27.325115 localhost systemd-repart[277]: Allocating context for crypt device /dev/loop0.
Oct 19 23:20:27.325128 localhost systemd-repart[277]: Trying to open and read device /dev/loop0 with direct-io.
Oct 19 23:20:27.326081 localhost systemd-repart[277]: Initialising device-mapper backend library.
Oct 19 23:20:27.326092 localhost systemd-repart[277]: Formatting device /dev/loop0 as type LUKS2.
<SNIP>
Oct 19 23:20:29.400763 localhost systemd-repart[277]: Device size 17179869184, offset 16777216.
Oct 19 23:20:29.400876 localhost systemd-repart[277]: Acquiring write lock for device /dev/loop0.
Oct 19 23:20:29.400929 localhost systemd-repart[277]: Locking directory /run/cryptsetup will be created with default compiled-in permissions.
<SNIP>
Oct 19 23:20:27.617748 localhost systemd-repart[277]: Formatting LUKS2 with JSON metadata area 12288 bytes and keyslots area 16744448 bytes.
<SNIP>
Oct 19 23:20:27.808111 localhost (udev-worker)[301]: loop0: Processing device (SEQNUM=1940, ACTION=change)
Oct 19 23:20:27.808199 localhost (udev-worker)[301]: loop0: Failed to flock(/dev/loop0): Resource temporarily unavailable
Oct 19 23:20:27.808207 localhost (udev-worker)[301]: loop0: Block device is currently locked, requeueing the event.
<SNIP>
Oct 19 23:20:28.008110 localhost (udev-worker)[319]: loop0: Processing device (SEQNUM=1940, ACTION=change)
Oct 19 23:20:28.008146 localhost (udev-worker)[319]: loop0: Failed to flock(/dev/loop0): Resource temporarily unavailable
Oct 19 23:20:28.008156 localhost (udev-worker)[319]: loop0: Block device is currently locked, requeueing the event.
<SNIP>
Oct 19 23:20:28.214865 localhost (udev-worker)[316]: sdb: Processing device (SEQNUM=2090, ACTION=add)
Oct 19 23:20:28.214892 localhost (udev-worker)[316]: sdb: Failed to flock(/dev/sdb): Resource temporarily unavailable
Oct 19 23:20:28.214899 localhost (udev-worker)[316]: sdb: Block device is currently locked, requeueing the event.
<SNIP>
Oct 19 23:20:28.239122 localhost (udev-worker)[316]: loop0: Processing device (SEQNUM=1940, ACTION=change)
Oct 19 23:20:28.239150 localhost (udev-worker)[316]: loop0: Failed to flock(/dev/loop0): Resource temporarily unavailable
Oct 19 23:20:28.239156 localhost (udev-worker)[316]: loop0: Block device is currently locked, requeueing the event.
<SNIP>
The "Failed to flock" message groups for both `/dev/sdb` and
`/dev/loop0` continue to repeat until the system is shut down.
Any ideas what might be wrong?
> Best,
> Adrian
>
> >
> > > Apologies if I'm wrong. I'm on my phone and haven't pulled up the
> > > docs to verify.
> >
> > Maybe you can send something with more details when you have access
> > to
> > a system.
> >
> > Thank you for the response.
> >
> > > Best,
> > > Adrian
> > >
> > > On Sat, Oct 19, 2024, 20:21 Thayne Harbaugh
> > > <thayne at mastodonlabs.com>
> > > wrote:
> > > > Greetings - apologies if this isn't the proper list - please
> > > > redirect
> > > > me.
> > > >
> > > > I'm writing a systemd-repart HOWTO with demo code for various
> > > > use
> > > > cases:
> > > >
> > > > https://github.com/plastikos/repart_howto
> > > >
> > > > The HOWTO is a typical document while the demos are minimal
> > > > cases
> > > > built with mkosi and available for growing into larger
> > > > solutions.
> > > >
> > > > Initially it has two use-case demos:
> > > >
> > > > 1. Creating a new partition (xdata) on first boot
> > > >
> > > > 2. Creating a new partition (xdata) with encryption on first
> > > > boot
> > > >
> > > > Currently #1 works. It's simple. I still need to create more
> > > > details
> > > > around growing partitions and other ideas.
> > > >
> > > > The encryption case #2, however, does not work and I'm looking
> > > > for
> > > > some assistance. While there is significant documentation
> > > > around
> > > > the
> > > > systemd ecosystem of tools I feel like I have possibly missed
> > > > some
> > > > detail or may not be understanding how to synthesize the
> > > > information
> > > > into a working model.
> > > >
> > > > The encryption demo is identical to case #1 of adding a
> > > > partition
> > > > with
> > > > the following changes:
> > > >
> > > > 1. The /usr/lib/repart.d/30-xdata.conf file adds the
> > > > following:
> > > >
> > > > Encrypt=key-file
> > > > EncryptedVolume=dc-xdata:/run/fscrypt.sock:luks,discard
> > > >
> > > > 2. a /usr/lib/systemd/system/fscrypt.socket file is added
> > > > along
> > > > with
> > > > a fscrypt at .service file (see the project source, please).
> > > >
> > > > 3. A /usr/bin/getkey file is added for fscrypt at .service to
> > > > call.
> > > > getkey provides a simplistic way of producing an
> > > > encryption
> > > > key
> > > > for *demonstration* purposes *ONLY*.
> > > >
> > > > 4. A /var/lib/key.bin is added as a binary encryption key
> > > > that
> > > > getkey retrieves - for *demonstration* purposes *ONLY*.
> > > >
> > > > When built into a disk image by mkosi and started with qemu it
> > > > fails
> > > > to create the new xdata partition. I see quite a few journal
> > > > messages
> > > > from systemd-repart and related udev events. I have verified a
> > > > few
> > > > things:
> > > >
> > > > 1. /run/fscrypt.sock does get created
> > > >
> > > > 2. getkey does emit the encryption key to stdout
> > > >
> > > > 3. systemd-repart is started and initiates creating a
> > > > partition
> > > > with
> > > > LUKS
> > > >
> > > > There are two notable details that cause me concern and might
> > > > be
> > > > where
> > > > the problem lies:
> > > >
> > > > 1. There is no evidence that getkey is invoked even when I
> > > > instrument it to generate side-effects.
> > > >
> > > > 2. There are messages in the journal that indicate that
> > > > systemd-repart never exits and that it might be in
> > > > deadlock
> > > > waiting
> > > > for child events.
> > > >
> > > > The messages around the possible deadlock of #2 above are the
> > > > following:
> > > >
> > > > Oct 19 12:08:48.510843 localhost systemd-repart[276]: loop0: Acquired exclusive lock.
> > > > Oct 19 12:08:48.512130 localhost systemd-repart[276]: Successfully acquired /dev/loop0, devno=7:0, nr=0, diskseq=11
> > > > Oct 19 12:08:48.516941 localhost systemd-repart[276]: Encrypting future partition 2...
> > > > Oct 19 12:08:48.517077 localhost systemd-repart[276]: Allocating context for crypt device /dev/loop0.
> > > > <SNIP/>
> > > > Oct 19 12:08:49.114118 localhost (udev-worker)[299]: loop0: Processing device (SEQNUM=1996, ACTION=change)
> > > > Oct 19 12:08:49.114972 localhost (udev-worker)[299]: loop0: Failed to flock(/dev/loop0): Resource temporarily unavailable
> > > > Oct 19 12:08:49.114979 localhost (udev-worker)[299]: loop0: Block device is currently locked, requeueing the event.
> > > > <SNIP/>
> > > > Oct 19 12:08:49.328308 localhost (udev-worker)[296]: loop0: Processing device (SEQNUM=1996, ACTION=change)
> > > > Oct 19 12:08:49.328345 localhost (udev-worker)[296]: loop0: Failed to flock(/dev/loop0): Resource temporarily unavailable
> > > > Oct 19 12:08:49.328352 localhost (udev-worker)[296]: loop0: Block device is currently locked, requeueing the event.
> > > > <SNIP/>
> > > >
> > > > Those last three messages about failing to lock repeat until
> > > > QEMU
> > > > is
> > > > shut down.
> > > >
> > > > There are quite a few additional diagnostic details and logs
> > > > that
> > > > may
> > > > be of interest but it might be easier to clone the repart_howto
> > > > project from github and run it:
> > > >
> > > > >$ ./demo crypt
> > > >
> > > > Once it executes all of the mkosi configuration files and disk
> > > > image
> > > > are in the build-crypt sub-directory. All relevant files
> > > > specific
> > > > to
> > > > partition creation and encryption are in build-
> > > > crypt/mkosi.extra -
> > > > there are not many since I'm trying to keep the demo as simple
> > > > as
> > > > possible. All relevant journal events and state information
> > > > can be
> > > > extracted from build-crypt/image.raw.
> > > >
> > > > Thanks for either directing me to a more appropriate help
> > > > resource
> > > > and/or providing direct assistance.
> > > >
> > > >
> > > > P.S. If you want to run demo #1 of partition creation sans
> > > > encryption
> > > > then execute the following from the project source tree:
> > > >
> > > > >$ ./demo clear
> >
--
Big Solutions
More information about the systemd-devel
mailing list