cryptsetup can't create a temporary directory where it would mount the removable device, because the root filesystem at this point of booting hasn't been remounted r/w, so decrypting fails. Basic workaround - use some existing directory (I changed the appropriate line in /lib/rcscripts/addons/dm-crypt-start.sh to "local mntrem=/mnt/flash" and it helped). I don't see any point in using a "random" directory name for this purpose in the first place. Furthermore I doubt that it's random at all - the PID, especially during booting, is pretty much guessable.
Reproducible: Always
Steps to Reproduce:
it doesn't need to be random (nothing in the code indicates this), it just needs to be unused
*** Bug 218636 has been marked as a duplicate of this bug. ***
RC_SVCDIR is a good place for a temp dir ... however, that still doesn't address the fundamental issue: cryptsetup needs to execute after the rootfs has been fscked and remounted read-write, but before local fsck and mount get run. openrc has unified the fsck steps, so it isn't possible for this scenario anymore. if the encrypted file lives on the root filesystem, then we can't decrypt/set it up until the root filesystem is no longer read-only, as the dmcrypt code in the kernel is not able to handle this afaik.
We had a big discussion about this on my bugzilla. http://bugs.marples.name/show_bug.cgi?id=35 Quick summary - we shouldn't reference file based fs's in /etc/fstab to fsck or automount. Instead, write a new init script and config file to especially handle this after localmount. Unifying the fsck calls removed all the kludgy hacks we had in place, and I'm not keen on adding them back.
so you're suggesting substituting one kludge for another? and instead of having people use standard interfaces (/etc/fstab), they'd be expected to use a completely non-standard one? sounds to me like splitting the fsck init.d steps makes a lot more sense, especially considering it's been pretty well vetted. also, forcing people to mount their devices only via an init.d script is a bad idea. that prevents them from using completely standard utilities such as `mount`.
I'm suggesting that the automatic mount and fsck of file based mounts happen in another init script, yes. I'm not saying that the entry should be removed entirely from /etc/fstab.
/path/to/some/file /mount/me/here crypt rw,noauto 0 0
mount still works, no special init script required.
you're still kludging things. now you have to set up a config file for a custom init.d script where you have to duplicate a list of mount points, where the standard meanings of "noauto" and "don't fsck" basically get ignored and have the opposite meaning.
Then I suggest that the fsck tool is patched so that it can retain its parallel checking whilst avoiding some mount points. Being able to check partitions in parallel on servers with many disks is something I'd rather not lose. Restricting file based mounts to / is just silly. Correct behaviour for file based mounts should be
fsck /
mount /
fsck /a
mount /a
fsck /a/b
mount /a/b
fsck /a/b/c
mount /a/b/c
If you can think of a way of ramming that (square peg) into /etc/fstab (round hole) feel free to submit a patch, as damned if I can work it out. The best way of fixing this I can think of is to add an option to fsck and mount to skip non block mounts, similar to -t nonfs for skipping of network filesystems. Then we add a new init script to fsck and mount each file based mount in the correct order as above.
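As an added example (not code from this thread or from OpenRC), a POSIX shell sketch of the filter and ordering described in the comment above: keep only the file-backed entries of an fstab-style file, order them so each mount point follows its parent, and emit the fsck/mount sequence. The function names and the "first field is an existing regular file" heuristic for "non block mount" are my assumptions.

```shell
#!/bin/sh
# Added example, not from the bug thread or OpenRC. Lists the file-backed
# (non-block) entries of an fstab-style file, parents first, so they can be
# handled as "fsck / ; mount / ; fsck /a ; mount /a ; fsck /a/b ..." after
# the block devices have been dealt with.
# Assumption: a first field naming an existing regular file is file-backed;
# /dev/*, UUID=, LABEL= and common pseudo filesystems are block or virtual.

# Usage: file_backed_mounts /path/to/fstab
# Output: one "mountpoint device fstype" line per file-backed entry,
# sorted so that /a always precedes /a/b.
file_backed_mounts() {
    fstab="$1"
    [ -r "$fstab" ] || { echo "cannot read $fstab" >&2; return 1; }
    # Drop comments and blank lines; keep device, mount point and fstype.
    sed -e 's/#.*//' "$fstab" | awk 'NF >= 3 { print $1, $2, $3 }' |
    while read -r dev mnt fstype; do
        case "$dev" in
            /dev/*|UUID=*|LABEL=*|none|proc|sysfs|tmpfs|devpts) continue ;;
        esac
        # Only an existing regular file counts as a file-backed mount.
        [ -f "$dev" ] || continue
        # Depth = number of '/' in the mount point; sorting on it puts a
        # parent mount point before anything mounted beneath it.
        depth=$(( $(printf '%s' "$mnt" | tr -cd '/' | wc -c) ))
        printf '%s %s %s %s\n' "$depth" "$mnt" "$dev" "$fstype"
    done | sort -k1,1n -k2,2 | cut -d' ' -f2-
}

# Usage: plan_file_backed /path/to/fstab
# Prints the interleaved fsck/mount commands in the computed order. It only
# prints the plan; running it is left to the caller (an init script).
plan_file_backed() {
    file_backed_mounts "$1" | while read -r mnt dev fstype; do
        printf 'fsck %s\n' "$dev"
        printf 'mount %s\n' "$mnt"
    done
}
```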
the only thing lost would be having / checked in parallel with all others (in other words, the behavior we have today). and in the case of file-based mounts, there is no way to avoid it as fsck will have to be run (N+1) times (where N is the recursive depth). i think addressing the large majority of cases (where N is 0 or 1) is fine. anyone doing files-in-files can just suck it. all of that said, i think there's an easy solution. make the "fsck" script multipurpose. we install "fsck" and create a symlink "rootfsck". if the fsck script is run as "rootfsck", it only checks /. otherwise, it checks everything. by default we only add "fsck" to the "boot" runlevel. thus the default behavior is retained. in the dmcrypt init.d script, we can simply do:
need rootfsck
before fsck
and dmcrypt users should automatically get the split behavior without having to manually add rootfsck to their boot runlevel.
when i say "the behavior we have today", i'm referring to baselayout-1
So you're happy restricting file backed mounts to / then?
since that is the only behavior we had before, and it covers the majority of people, yes. the upgrade to openrc is breaking existing working systems. once we rectify that, we can *try* and think about a general solution (i'm not optimistic that one exists).
What you propose doesn't quite work as root would need to depend on fsck.root rather than fsck. If we use this block then it works
if [ -x /etc/init.d/fsck.root ]; then
    need fsck.root
else
    need fsck
fi
But that's nasty. The user still has to install the specific script under a specific name. However, there is an alternative :) As it stands right now, one could do this with openrc-0.2.2
/etc/conf.d/fsck.root
fsck_passno=1
/etc/conf.d/root
rc_need="!fsck fsck.root"
And then
ln -s fsck /etc/init.d/fsck.root
That works right now, without any patching, and the user has full control over the name of the script. Although you do see the message "Checking local filesystems" twice. I'll patch that so it's more sane though. Is this acceptable?
Sorry, should be fsck_passno="=1"
and conf.d/fsck already has good examples of this. Maybe add a bit here about fscking root here too?
changing it from 'need fsck' to 'use fsck. root.fsck' would work just as well as a need in this case ...
I too had this problem on two systems as posted from: http://forums.gentoo.org/viewtopic-t-688186-start-75.html I have /home, /tmp, and swap in dmcrypt, but this would probably work for everything except encrypted /. The suggestion I was given by Roy was to put rc_need="root" in /etc/conf.d/dmcrypt. Unfortunately, as stated in my last post, dmcrypt needs /mnt to be read-write in order to temporarily mount the usb drive to get the key (in my case gpg-encrypted). The real problem is that rc_need="root" puts root, fsck and dmcrypt in a circular dependency which dmcrypt always lost. But, using Roy's suggestion I tried several options. I needed:
1. dmcrypt needs / to be read-write
2. dmcrypt needs to run after fsck (bear with me on this one) to break the dependency cycle.
3. dmcrypt needs to run before localmount or else filesystems (in fstab) won't get mounted.
4. localmount mounts things in order of appearance in /etc/fstab.
There are probably some simplifications that can be made (will try them soon), but this is what I got to work:
1. Add to /etc/rc.conf: rc_dmcrypt_need="root"
2. Add to /etc/rc.conf: rc_dmcrypt_after="fsck"
3. Add to /etc/rc.conf: rc_dmcrypt_before="localmount"
4. Put encrypted filesystems last in /etc/fstab (maybe not needed)
5. Put sixth field (fsck) in /etc/fstab to zero (0) for all encrypted filesystems (maybe not needed).
This works on both my systems and does not require script hackery - it uses the super flexible native facilities built in to openrc. The only thing I don't like about the solution is the mods to /etc/fstab. This shouldn't be needed (and may not be, but I've not tested). I believe that a bit better HOWTO of openrc and baselayout2 would have sped up my discovery, but a week of (un)concentrated work isn't bad for a brand new application. I do think, after looking through the cryptsetup scripts, that _assuming_ /mnt will be read-write at the time the init script is run is not great design.
A key exchange on a ramdisk or temporary ramdisk mount point might be better. Hope this helps somebody. I'll let you know when I try the other (non-fstab hack) options.
Doing these extra steps above allows you to automatically fsck them too
ln -s fsck /etc/init.d/fsck.root
rc_root_need="!fsck fsck.root"
/etc/conf.d/fsck.root
fsck_passno=1
Why don't you write such a howto? I don't use any encryption or foo like this, so I'm not really a good candidate.
*** Bug 220070 has been marked as a duplicate of this bug. ***
*** Bug 227199 has been marked as a duplicate of this bug. ***
*** Bug 225539 has been marked as a duplicate of this bug. ***
We should probably provide some documentation for this in the migration guide.
After a huge load of updates from the last weeks this now works for me again. Relevant versions are:
sys-apps/baselayout [R 2.0.0]
sys-apps/openrc [R 0.3.0-r1]
sys-fs/cryptsetup [R 1.0.6-r2]
This issue was resolved with the release of OpenRC 0.3.0, which allowed more granular control of these steps with additional init scripts. OpenRC 0.4.0 came with even more, allowing for additional control of this. If you can not achieve this configuration properly with OpenRC 0.4.3, please create a new bug, since much of the discussion here is now invalid due to changes.