Bug 592686 - sys-kernel/dracut-044 problem with root device on luks volume?
Summary: sys-kernel/dracut-044 problem with root device on luks volume?
Status: RESOLVED OBSOLETE
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Alexander Tsoy
Reported: 2016-09-01 19:32 UTC by Martin Mokrejš
Modified: 2023-09-08 09:26 UTC
Attachments
rdsosreport.txt (rdsosreport.txt10, 61.80 KB, text/plain), 2016-09-02 15:16 UTC, Martin Mokrejš
rdsosreport.txt11 (rdsosreport.txt11, 343.50 KB, text/plain), 2016-09-02 15:55 UTC, Martin Mokrejš
rdsosreport.txt13 (rdsosreport.txt13, 361.21 KB, text/plain), 2016-09-02 18:17 UTC, Martin Mokrejš
rdsosreport.txt14 (rdsosreport.txt14, 344.85 KB, text/plain), 2016-09-02 20:03 UTC, Martin Mokrejš
rdsosreport.txt15 (rdsosreport.txt15, 363.11 KB, text/plain), 2016-09-03 16:16 UTC, Martin Mokrejš
rdsosreport.txt16 (rdsosreport.txt16, 341.05 KB, text/plain), 2016-09-20 08:35 UTC, Martin Mokrejš
dmesg17.txt (dmesg17.txt, 239.39 KB, text/plain), 2016-09-20 08:40 UTC, Martin Mokrejš

Description Martin Mokrejš 2016-09-01 19:32:44 UTC
I have OpenRC and not systemd on my live system. However, it seems dracut anticipates systemd? One of the reasons LUKS partition decryption fails for me is likely that there is no /dev/disk/by-partuuid/ at all!

[    5.319231] dracut: dracut-044
[    5.366397] dracut: rd.luks.key: keypath='/sda6key.gpg' keydev='/dev/sda5' luksdev='/dev/sda6'
[    5.527262] random: systemd-udevd urandom read with 30 bits of entropy available
[    5.555805] dracut: rd.md=0: removing MD RAID activation
[    6.767873] dracut: Probing /dev/sda5 for /sda6key.gpg...
[    6.805826] EXT4-fs (sda5): mounted filesystem with ordered data mode. Opts: (null)
[    6.891684] dracut: Found /sda6key.gpg on /dev/sda5
[  133.406842] random: nonblocking pool is initialized
[  133.644584] EXT4-fs (sda5): mounted filesystem with ordered data mode. Opts: (null)
[  133.648982] dracut: Mounted rootfallback /dev/sda5
[  133.659172] dracut Warning: Signal caught!
[  133.665248] dracut Warning: /dev/disk/by-partuuid/87391709-06 does not exist
+ '[' -f /run/initramfs/init.log ']'
/dev/disk:
total 0
drwxr-xr-x 15 root 0 13300 Aug  4 22:33 ..
drwxr-xr-x  6 root 0   120 Aug  4 22:33 .
drwxr-xr-x  2 root 0   100 Aug  4 22:33 by-label
drwxr-xr-x  2 root 0   160 Aug  4 22:33 by-uuid
drwxr-xr-x  2 root 0   240 Aug  4 22:33 by-path
drwxr-xr-x  2 root 0   420 Aug  4 22:33 by-id

/dev/disk/by-label:
total 0
lrwxrwxrwx 1 root 0  10 Aug  4 22:33 DELLUTILITY -> ../../sda1
drwxr-xr-x 6 root 0 120 Aug  4 22:33 ..
lrwxrwxrwx 1 root 0  10 Aug  4 22:33 OS -> ../../sda3
lrwxrwxrwx 1 root 0  10 Aug  4 22:33 Recovery -> ../../sda2
drwxr-xr-x 2 root 0 100 Aug  4 22:33 .

/dev/disk/by-uuid:
total 0
lrwxrwxrwx 1 root 0  10 Aug  4 22:33 c9031918-c48b-43ca-b621-e5c669e4160d -> ../../sda5
lrwxrwxrwx 1 root 0  10 Aug  4 22:33 067d6953-349e-49fc-9aae-2bb2b48dbf45 -> ../../sda6
lrwxrwxrwx 1 root 0  10 Aug  4 22:33 3030-3030 -> ../../sda1
drwxr-xr-x 6 root 0 120 Aug  4 22:33 ..
lrwxrwxrwx 1 root 0  10 Aug  4 22:33 AC7C4EC27C4E86D4 -> ../../sda3
lrwxrwxrwx 1 root 0  10 Aug  4 22:33 CC70378A703779F2 -> ../../sda2
lrwxrwxrwx 1 root 0  10 Aug  4 22:33 67e0a12b-8a1b-4a60-981c-5c6b5dda5619 -> ../../sda7
drwxr-xr-x 2 root 0 160 Aug  4 22:33 .

/dev/disk/by-path:
total 0
lrwxrwxrwx 1 root 0   9 Aug  4 22:33 pci-0000:00:1f.2-ata-5 -> ../../sr0
lrwxrwxrwx 1 root 0   9 Aug  4 22:33 pci-0000:00:1f.2-ata-1 -> ../../sda
lrwxrwxrwx 1 root 0  10 Aug  4 22:33 pci-0000:00:1f.2-ata-1-part4 -> ../../sda4
lrwxrwxrwx 1 root 0  10 Aug  4 22:33 pci-0000:00:1f.2-ata-1-part5 -> ../../sda5
lrwxrwxrwx 1 root 0  10 Aug  4 22:33 pci-0000:00:1f.2-ata-1-part6 -> ../../sda6
lrwxrwxrwx 1 root 0  10 Aug  4 22:33 pci-0000:00:1f.2-ata-1-part1 -> ../../sda1
drwxr-xr-x 6 root 0 120 Aug  4 22:33 ..
lrwxrwxrwx 1 root 0  10 Aug  4 22:33 pci-0000:00:1f.2-ata-1-part3 -> ../../sda3
lrwxrwxrwx 1 root 0  10 Aug  4 22:33 pci-0000:00:1f.2-ata-1-part8 -> ../../sda8
lrwxrwxrwx 1 root 0  10 Aug  4 22:33 pci-0000:00:1f.2-ata-1-part2 -> ../../sda2
lrwxrwxrwx 1 root 0  10 Aug  4 22:33 pci-0000:00:1f.2-ata-1-part7 -> ../../sda7
drwxr-xr-x 2 root 0 240 Aug  4 22:33 .

/dev/disk/by-id:
total 0
lrwxrwxrwx 1 root 0   9 Aug  4 22:33 ata-PLDS_DVD+_-RW_DS-8A8SH_G0V0C550811AI40P2A00 -> ../../sr0
lrwxrwxrwx 1 root 0   9 Aug  4 22:33 wwn-0x50004cf20ef6ec36 -> ../../sda
lrwxrwxrwx 1 root 0   9 Aug  4 22:33 ata-ST2000LM003_HN-M201RAD_S321J9CG102269 -> ../../sda
lrwxrwxrwx 1 root 0  10 Aug  4 22:33 wwn-0x50004cf20ef6ec36-part4 -> ../../sda4
lrwxrwxrwx 1 root 0  10 Aug  4 22:33 ata-ST2000LM003_HN-M201RAD_S321J9CG102269-part4 -> ../../sda4
lrwxrwxrwx 1 root 0  10 Aug  4 22:33 wwn-0x50004cf20ef6ec36-part5 -> ../../sda5
lrwxrwxrwx 1 root 0  10 Aug  4 22:33 ata-ST2000LM003_HN-M201RAD_S321J9CG102269-part5 -> ../../sda5
lrwxrwxrwx 1 root 0  10 Aug  4 22:33 wwn-0x50004cf20ef6ec36-part6 -> ../../sda6
lrwxrwxrwx 1 root 0  10 Aug  4 22:33 ata-ST2000LM003_HN-M201RAD_S321J9CG102269-part6 -> ../../sda6
lrwxrwxrwx 1 root 0  10 Aug  4 22:33 wwn-0x50004cf20ef6ec36-part1 -> ../../sda1
lrwxrwxrwx 1 root 0  10 Aug  4 22:33 ata-ST2000LM003_HN-M201RAD_S321J9CG102269-part1 -> ../../sda1
drwxr-xr-x 6 root 0 120 Aug  4 22:33 ..
lrwxrwxrwx 1 root 0  10 Aug  4 22:33 wwn-0x50004cf20ef6ec36-part3 -> ../../sda3
lrwxrwxrwx 1 root 0  10 Aug  4 22:33 ata-ST2000LM003_HN-M201RAD_S321J9CG102269-part3 -> ../../sda3
lrwxrwxrwx 1 root 0  10 Aug  4 22:33 wwn-0x50004cf20ef6ec36-part8 -> ../../sda8
lrwxrwxrwx 1 root 0  10 Aug  4 22:33 ata-ST2000LM003_HN-M201RAD_S321J9CG102269-part8 -> ../../sda8
lrwxrwxrwx 1 root 0  10 Aug  4 22:33 wwn-0x50004cf20ef6ec36-part2 -> ../../sda2
lrwxrwxrwx 1 root 0  10 Aug  4 22:33 ata-ST2000LM003_HN-M201RAD_S321J9CG102269-part2 -> ../../sda2
lrwxrwxrwx 1 root 0  10 Aug  4 22:33 wwn-0x50004cf20ef6ec36-part7 -> ../../sda7
lrwxrwxrwx 1 root 0  10 Aug  4 22:33 ata-ST2000LM003_HN-M201RAD_S321J9CG102269-part7 -> ../../sda7
drwxr-xr-x 2 root 0 420 Aug  4 22:33 .


   Now I know that after about 2 minutes dracut at least returns me to the rescue shell, so I can at least inspect what is going on a bit.

  I think the dracut scripts should not try to use /dev/disk/by-partuuid/87391709-06 at all if there is not even a parent directory /dev/disk/by-partuuid/ present.


# emerge -pv dracut openrc
Calculating dependencies... done!
[ebuild   R    ] sys-kernel/dracut-044::gentoo  USE="-debug (-selinux) -systemd" 0 KiB
[ebuild     U  ] sys-apps/openrc-0.21.7::gentoo [0.21.3::gentoo] USE="ncurses netifrc pam unicode -audit -debug -newnet (-prefix) (-selinux) -static-libs -tools" 165 KiB

#  emerge --info
Portage 2.3.0 (python 2.7.11-final-0, default/linux/amd64/13.0, gcc-5.4.0, glibc-2.23-r2, 4.6.3-default-pciehp x86_64)
=================================================================
System uname: Linux-4.6.3-default-pciehp-x86_64-Intel-R-_Core-TM-_i7-2640M_CPU_@_2.80GHz-with-gentoo-2.2
KiB Mem:    16375816 total,   3512652 free
KiB Swap:          0 total,         0 free
Timestamp of repository gentoo: Thu, 01 Sep 2016 12:30:01 +0000
sh bash 4.3_p46
ld GNU ld (Gentoo 2.25.1 p1.1) 2.25.1
app-shells/bash:          4.3_p46::gentoo
dev-java/java-config:     2.2.0-r3::gentoo
dev-lang/perl:            5.20.2-r1::gentoo
dev-lang/python:          2.7.11-r1::gentoo, 3.4.3-r7::gentoo, 3.5.1-r2::gentoo
dev-util/cmake:           3.6.1::gentoo
dev-util/pkgconfig:       0.29.1::gentoo
sys-apps/baselayout:      2.2-r1::gentoo
sys-apps/openrc:          0.21.3::gentoo
sys-apps/sandbox:         2.10-r2::gentoo
sys-devel/autoconf:       2.13::gentoo, 2.69-r2::gentoo
sys-devel/automake:       1.11.6-r2::gentoo, 1.12.6-r1::gentoo, 1.13.4-r1::gentoo, 1.14.1-r1::gentoo, 1.15-r2::gentoo
sys-devel/binutils:       2.25.1-r1::gentoo, 2.26.1::gentoo
sys-devel/gcc:            4.3.6-r1::gentoo, 4.4.7::gentoo, 4.6.4::gentoo, 4.7.4::gentoo, 4.8.5::gentoo, 4.9.3::gentoo, 5.3.0::gentoo, 5.4.0::gentoo
sys-devel/gcc-config:     1.8-r1::gentoo
sys-devel/libtool:        2.4.6-r2::gentoo
sys-devel/make:           4.2.1::gentoo
sys-kernel/linux-headers: 4.6::gentoo (virtual/os-headers)
sys-libs/glibc:           2.23-r2::gentoo
Repositories:

gentoo
    location: /scratch/usr/portage
    sync-type: rsync
    sync-uri: rsync://rsync.gentoo.org/gentoo-portage
    priority: -1000

science
    location: /home/mmokrejs/proj/sci
    masters: gentoo
    priority: 0

x-portage
    location: /usr/local/portage
    masters: gentoo
    priority: 1

layman
    location: /var/lib/layman
    masters: gentoo
    priority: 2

haskell
    location: /var/lib/layman/haskell
    masters: gentoo
    priority: 50

ACCEPT_KEYWORDS="amd64 ~amd64"
ACCEPT_LICENSE="* -@EULA dlj-1.1 sun-bcla-java-vm Oracle-BCLA-JavaSE IBM-J1.6 skype-eula Nero-EULA-US AdobeFlash-10.3 skype-4.0.0.7-copyright AdobeFlash-11.x OPERA-2014"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -pipe -maes -mpclmul -mpopcnt -mavx -march=native"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /etc/stunnel/stunnel.conf /usr/lib64/libreoffice/program/sofficerc /usr/share/easy-rsa /usr/share/gnupg/qualified.txt /usr/share/maven-bin-3.2/conf /var/bind /var/lib/hsqldb /var/spool/torque"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5.4/ext-active/ /etc/php/apache2-php5.5/ext-active/ /etc/php/apache2-php5.6/ext-active/ /etc/php/cgi-php5.4/ext-active/ /etc/php/cgi-php5.5/ext-active/ /etc/php/cgi-php5.6/ext-active/ /etc/php/cli-php5.4/ext-active/ /etc/php/cli-php5.5/ext-active/ /etc/php/cli-php5.6/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-O2 -pipe -maes -mpclmul -mpopcnt -mavx -march=native"
DISTDIR="/scratch/usr/portage/distfiles"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news noclean nostrip parallel-fetch preserve-libs protect-owned sandbox sfperms splitdebug strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://gentoo.wheel.sk/ http://ftp.fi.muni.cz/pub/linux/gentoo/ http://gentoo.mirror.web4u.cz/ rsync://gentoo.mirror.dkm.cz/gentoo/ ftp://gentoo.mirror.web4u.cz/"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"
PORTAGE_TMPDIR="/scratch/var/tmp"
USE="X acpi alsa amd64 amr apache apache2 apulse avx berkdb bindist bluetooth boost bzip2 cairo cgi cli coin consolekit cracklib crypt cryptlib cups cxx dbus device-mapper dhcp directfb dri drm dvd emboss encode fax fbcon ffmpeg flac fontconfig fortran gbm gd gdbm geoip gimp glpk gnutls gpm gtk hal hpijs hwdb iconv id3tag imaging innodb java javafx javascript jce jpeg jpg js jscript keymap ladspa lapack laptop lcms libnotify lm_sensors mad matroska mmx mmxext modules mpi mpich2 multilib mysql ncurses nfs nls nptl nptlonly nscd nsplugin ntfsprogs ocr ogg opengl openmp pam parport pcre pdf perl php png policykit polkit ppds pppd python qt3support readline rendering resolvconf scanner seccomp server session slideshow sndfile sqlite sse sse2 sse3 sse4_1 sse4_2 ssl ssse3 suexec svg syslog tcl tcpd threads tiff tk truetype udev unicode usb v4l v4l2 vim-syntax vnc wavpack wifi x11 xattr xcb xml xorg xrandr xv xvid xvmc zlib" ABI_X86="64 32" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="alias authz_host auth_basic auth_digest cgi cgid deflate dir env filter include info mem_cache mime mime_magic negotiation remoteip setenvif status userdir vhost_alias rewrite usertrack cache file_cache disk_cache charset_lite log_config log_forensic" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="aes avx mmx mmxext popcnt sse sse2 sse3 sse4_1 sse4_2 ssse3" DRACUT_MODULES="crypt crypt-gpg" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ublox ubx" GRUB_PLATFORMS="pc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" 
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LINGUAS="en en_US en_GB cs cz" OFFICE_IMPLEMENTATION="libreoffice" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7 python3_5" RUBY_TARGETS="ruby20 ruby21" USERLAND="GNU" VIDEO_CARDS="vesa vmware fbdev intel i915 i965" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
USE_PYTHON="2.7"
Unset:  CC, CPPFLAGS, CTARGET, CXX, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

#
Comment 1 Mike Gilbert gentoo-dev 2016-09-01 19:52:48 UTC
What version of udev?
Comment 2 Mike Gilbert gentoo-dev 2016-09-01 19:59:00 UTC
Support for DOS partitions using partuuid was added in systemd-230 and udev-230.

What parameters are you passing on the kernel command line? What does your fstab contain?
Comment 3 Martin Mokrejš 2016-09-01 20:20:02 UTC
# emerge -pv udev
Calculating dependencies... done!
[ebuild   R    ] sys-fs/udev-230-r1::gentoo  USE="kmod -acl (-selinux) -static-libs" ABI_X86="32 (64) (-x32)" 0 KiB



BTW, I tried many dracut commandline options, but to give out just a few:

dracut -a "crypt crypt-gpg dm" --kver 4.6.3-default-pciehp  --force -I "/usr/bin/gpg-agent /usr/bin/ssh /sbin/fsck.ext4 /usr/bin/strace"

dracut -a "crypt crypt-gpg" --kver 4.6.3-default-pciehp  --force --hostonly

dracut -a "crypt crypt-gpg lvm dm" --kver 4.0.6-default-pciehp  --force -I "/usr/bin/gpg-agent /usr/bin/ssh /sbin/fsck.ext4 /usr/bin/strace" --add-fstab=/boot/fstab





# grep -v "^#" /etc/fstab

UUID="067d6953-349e-49fc-9aae-2bb2b48dbf45"             /               ext4            noatime         0 1

/dev/sda7               /scratch        ext4            noatime         0 0

/dev/mapper/swap        none            swap            sw              0 0

/dev/cdrom              /mnt/cdrom      auto            noauto,ro       0 0

shm                     /dev/shm        tmpfs           nodev,nosuid,noexec     0 0

/dev/sda5               /boot           ext4            noatime         0 0

/dev/sda3               /mnt/ntfs       ntfs-3g         default         0 0





Kernel commandline:

/vmlinuz-4.6.3 ro docrypt root=PARTUUID=87391709-06 rootfallback=/dev/sda5 rd.luks.key=/sda6key.gpg:/dev/sda5:/dev/sda6 slub_debug=AFPZ pciehp.pciehp_debug=1 pciehp_debug=1 intel_idle.max_cstate=c3 i915.i915_enable_rc6=1 usbcore.autosuspend=-1 rd.shell


It also fails with unprotected key (to avoid issues with gpg-agent) for which I showed the dmesg snippet.

/vmlinuz-4.6.3 ro docrypt root=PARTUUID=87391709-06 rootfallback=/dev/sda5 rd.luks.key=/sda6key:/dev/sda5:/dev/sda6 slub_debug=AFPZ pciehp.pciehp_debug=1 pciehp_debug=1 intel_idle.max_cstate=c3 i915.i915_enable_rc6=1 usbcore.autosuspend=-1 rd.shell


Basically, dracut should fetch the key from the sda5 filesystem, from a file sda6key placed in its root, and call luksOpen to decrypt sda6.

I am slightly off-topic in this bug report but IMHO dracut should not bother about the UUID because I said clearly which /dev/sda* device it should have opened (via kernel commandline). But I saw the code somewhere in the dracut scripts, so it behaves as I reported (it looks for a non-existing file without care). Seems dracut is developed for RedHat and for systemd, so could be a Gentoo issue.

Initially I thought I cannot decrypt my device because of gpg-agent and sometimes it seemed it is because it cannot find pinentry (I don't have it in the ramdisk, indeed, I do not want gpg-agent to require pinentry either). But the real issue is that gpg-agent aims to decrypt a non-existing partuuid file, just asks for a passphrase. Once it receives it, nothing happens. Probably a bug in gpg could be filed as well so that gpg-agent checks it has a file to work with before even asking for a passphrase.

# emerge -pv gnupg

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild     U  ] dev-libs/libgcrypt-1.7.3:0/20::gentoo [1.7.2:0/20::gentoo] USE="-doc -static-libs" ABI_X86="32 (64) (-x32)" 0 KiB
[ebuild     U  ] app-crypt/gnupg-2.1.15::gentoo [2.1.14-r1::gentoo] USE="bzip2 doc gnutls nls readline tools usb -ldap (-selinux) -smartcard -tofu" 0 KiB




To show my kernel commandline and system works, here is what I execute once dracut gives me its emergency shell:

$ cat /boot/luksmount.sh 
#! /bin/sh
cat /sysroot/sda6key | cryptsetup luksOpen /dev/sda6 root
umount /sysroot
mount /dev/mapper/root /sysroot
exit # exit from emerge shell and continue booting
$

So, dracut is happy with the /dev/mapper/root created manually and with the layout of the decrypted filesystem in /sysroot. I do not understand why it even wants to create /dev/mapper/$someotherfilename . Sorry for being so verbose, Mike.
Comment 4 Martin Mokrejš 2016-09-01 20:22:52 UTC
> # grep -v "^#" /etc/fstab
> 
> UUID="067d6953-349e-49fc-9aae-2bb2b48dbf45"             /               ext4
> noatime         0 1

And I did have /dev/sda6 there as well; that did not work and therefore I tried the above UUID approach. Doesn't work either.
Comment 5 Mike Gilbert gentoo-dev 2016-09-01 21:19:16 UTC
I'm confused; why are you passing root=PARTUUID=87391709-06 on the kernel command line?
Comment 6 Martin Mokrejš 2016-09-02 06:31:31 UTC
(In reply to Mike Gilbert from comment #5)
> I'm confused; why are you passing root=PARTUUID=87391709-06 on the kernel
> command line?

Sorry, I tried so many tricks that I managed to paste a commandline from a different attempt. Here is the commandline which does not work either, and IMHO the real issue has nothing to do with my kernel commandline, because dracut does under the hood something different.

Command line: BOOT_IMAGE=/vmlinuz-4.6.3 ro docrypt root=/dev/sda6 root=/dev/mapper/root fallback=/dev/sda5 rd.luks.key=/sda6key:/dev/sda5:/dev/sda6 slub_debug=AFPZ pciehp.pciehp_debug=1 pciehp_debug=1 intel_idle.max_cstate=c3 i915.i915_enable_rc6=1 usbcore.autosuspend=-1 rd.shell

Why do I have two "root=" items in there? I do not know, but that prevents the kernel from panicking because it cannot mount the root filesystem. I assume the latter takes precedence. dracut fails to do its job but after 5 minutes gives me the emergency shell. From that shell I call the short shell script I pasted above, and the system boots up because the /sysroot filesystem seems reasonable. Probably it has nothing to do with /dev/mapper/root being available (decrypted by me manually).
Comment 7 Alexander Tsoy 2016-09-02 11:32:20 UTC
Please follow instructions from [1] and attach rdsosreport.txt to this bug. You can also add "rd.retry=4" to the kernel cmdline - dracut will drop you to rescue shell much faster.

[1] https://www.kernel.org/pub/linux/utils/boot/dracut/dracut.html#identifying-your-problem-area
Comment 8 Martin Mokrejš 2016-09-02 15:16:30 UTC
Created attachment 444804 [details]
rdsosreport.txt
Comment 9 Alexander Tsoy 2016-09-02 15:44:50 UTC
(In reply to Martin Mokrejš from comment #8)

You forgot to append "rd.debug log_buf_len=1M" to the kernel cmdline.
Comment 10 Martin Mokrejš 2016-09-02 15:55:53 UTC
Created attachment 444806 [details]
rdsosreport.txt11

Yes, I also realized that meanwhile, sorry, here we go.
Comment 11 Alexander Tsoy 2016-09-02 16:33:51 UTC
So... You don't have /etc/crypttab in initramfs and expect that dracut will magically give the name "root" to the luks device? :)
Comment 12 Alexander Tsoy 2016-09-02 16:49:07 UTC
You should try hostonly initramfs: pass "-H" option to dracut or add hostonly="yes" to /etc/(dracut.conf|dracut.conf.d/*). Of course ensure first that you have a proper /etc/crypttab on the real root. Another option is to use "root=/dev/mapper/luks-067d6953-349e-49fc-9aae-2bb2b48dbf45".
Comment 13 Martin Mokrejš 2016-09-02 17:07:00 UTC
(In reply to Alexander Tsoy from comment #11)
> So... You don't have /etc/crypttab in initramfs and expect that dracut will
> magically give the name "root" to the luks device? :)

Seemed optional, dracut can just respect the kernel commandline arguments, so it knows where to get the key from, and what partition to decrypt. It seemed from manual pages that /dev/mapper/root is the common device name.

  Why isn't this enough?

[    5.366397] dracut: rd.luks.key: keypath='/sda6key.gpg' keydev='/dev/sda5' luksdev='/dev/sda6'

  You did not comment on the 

/dev/disk/by-partuuid/87391709-06 does not exist

  error message. Clearly the /dev/disk/by-partuuid/ is missing in my Gentoo case, and I doubt it has to do with a wrong kernel commandline or wrong dracut arguments used to create the ramdisk. What am I missing?
Comment 14 Alexander Tsoy 2016-09-02 17:33:09 UTC
(In reply to Martin Mokrejš from comment #13)

> Seemed optional, dracut can just respect the kernel commandline arguments,
> so it knows where to get the key from, and what partition to decrypt. It
> seemed from manual pages that /dev/mapper/root is the common device name.
> 
>   Why isn't this enough?

You can specify multiple luks devices on the cmdline and neither of them is required to be a root device: it may be /usr or a custom mount point.


>   You did not comment on the 
> 
> /dev/disk/by-partuuid/87391709-06 does not exist
> 
>   error message. Clearly the /dev/disk/by-partuuid/ is missing in my Gentoo
> case, and I doubt it has to do with a wrong kernel commandline or wrong dracut
> arguments used to create the ramdisk. What am I missing?

Looks like partuuid symlinks are only created for GPT partitions. I just checked latest systemd from git:

$ grep -r by-partuuid rules/
rules/60-persistent-storage.rules:# by-partlabel/by-partuuid links (partition metadata)
rules/60-persistent-storage.rules:ENV{ID_PART_ENTRY_SCHEME}=="gpt", ENV{ID_PART_ENTRY_UUID}=="?*", SYMLINK+="disk/by-partuuid/$env{ID_PART_ENTRY_UUID}"
Comment 15 Martin Mokrejš 2016-09-02 17:45:06 UTC
Hmm, I do not know how that translates to my openrc situation, but although I wanted to answer that I have a GPT partition on the 1.8TiB drive, there is some problem:

# gdisk /dev/sda
GPT fdisk (gdisk) version 1.0.1

Partition table scan:
  MBR: MBR only
  BSD: not present
  APM: not present
  GPT: not present


***************************************************************
Found invalid GPT and valid MBR; converting MBR to GPT format
in memory. THIS OPERATION IS POTENTIALLY DESTRUCTIVE! Exit by
typing 'q' if you don't want to convert your MBR partitions
to GPT format!
***************************************************************

Exact type match not found for type code DE00; assigning type code for
'Linux filesystem'

Warning! Secondary partition table overlaps the last partition by
33 blocks!
You will need to delete this partition or resize it in another utility.

Command (? for help): p
Disk /dev/sda: 3907029168 sectors, 1.8 TiB
Logical sector size: 512 bytes
Disk identifier (GUID): 45932B6C-CAEC-47A8-874D-D92A28E314D8
Partition table holds up to 128 entries
First usable sector is 34, last usable sector is 3907029134
Partitions will be aligned on 2048-sector boundaries
Total free space is 10206 sectors (5.0 MiB)

Number  Start (sector)    End (sector)  Size       Code  Name
   1            2048          206847   100.0 MiB   8300  Linux filesystem
   2          206848        30926847   14.6 GiB    0700  Microsoft basic data
   3        30926848       235726847   97.7 GiB    0700  Microsoft basic data
   5       235728896       237826047   1024.0 MiB  8300  Linux filesystem
   6       237828096      2385311743   1024.0 GiB  8300  Linux filesystem
   7      2385313792      3853320191   700.0 GiB   8300  Linux filesystem
   8      3853322240      3907029167   25.6 GiB    8200  Linux swap

Command (? for help): q


Maybe that is confusing some scripts if I had systemd. But I have openrc installed so it may not even apply.
Comment 16 Martin Mokrejš 2016-09-02 18:10:43 UTC
(In reply to Alexander Tsoy from comment #12)
> You should try hostonly initramfs: pass "-H" option to dracut or add
> hostonly="yes" to /etc/(dracut.conf|dracut.conf.d/*). Of course ensure first
> that you have a proper /etc/crypttab on the real root. Another option is to
> use "root=/dev/mapper/luks-067d6953-349e-49fc-9aae-2bb2b48dbf45".

So I did:

$ cat /etc/dracut.conf.d/crypt-gpg.conf 
hostonly="yes"
root=UUID=luks-067d6953-349e-49fc-9aae-2bb2b48dbf45
rootfstype=ext4
rootfallback=/dev/sda5
# encrypted LUKS partition from outside
# rd.luks.uuid=luks-067d6953-349e-49fc-9aae-2bb2b48dbf45
#
# decrypted LUKS filesystem
# UUID="637c34b3-85dc-4d35-a5da-3f9588aaf41c"
add_dracutmodules+="crypt-gpg crypt-loop crypt"
omit_dracutmodules+="systemd"
$

$ cat /etc/crypttab
root    UUID=067d6953-349e-49fc-9aae-2bb2b48dbf45       /sda6key        luks
$

$ dracut -a "crypt crypt-gpg lvm dm" --kver 4.6.3-default-pciehp  --force --hostonly
dracut: Executing: /usr/bin/dracut -a "crypt crypt-gpg lvm dm" --kver 4.6.3-default-pciehp --force --hostonly
dracut: dracut module 'bootchart' will not be installed, because command '/sbin/bootchartd' could not be found!
dracut: dracut module 'dash' will not be installed, because command '/bin/dash' could not be found!
dracut: dracut module 'network' will not be installed, because command 'arping' could not be found!
dracut: dracut module 'plymouth' will not be installed, because command 'plymouthd' could not be found!
dracut: dracut module 'plymouth' will not be installed, because command 'plymouth' could not be found!
dracut: dracut module 'plymouth' will not be installed, because command 'plymouth-set-default-theme' could not be found!
dracut: dracut module 'btrfs' will not be installed, because command 'btrfs' could not be found!
dracut: dracut module 'dmraid' will not be installed, because command 'dmraid' could not be found!
dracut: dracut module 'iscsi' will not be installed, because command 'iscsistart' could not be found!
dracut: dracut module 'iscsi' will not be installed, because command 'iscsi-iname' could not be found!
dracut: dracut module 'biosdevname' will not be installed, because command 'biosdevname' could not be found!
dracut: dracut module 'dash' will not be installed, because command '/bin/dash' could not be found!
dracut: dracut module 'network' will not be installed, because command 'arping' could not be found!
dracut: dracut module 'btrfs' will not be installed, because command 'btrfs' could not be found!
dracut: dracut module 'dmraid' will not be installed, because command 'dmraid' could not be found!
dracut: dracut module 'iscsi' will not be installed, because command 'iscsistart' could not be found!
dracut: dracut module 'iscsi' will not be installed, because command 'iscsi-iname' could not be found!
dracut: *** Including module: bash ***
dracut: *** Including module: caps ***
dracut: *** Including module: i18n ***
dracut: *** Including module: crypt ***
dracut: *** Including module: dm ***
dracut: Skipping udev rule: 64-device-mapper.rules
dracut: Skipping udev rule: 60-persistent-storage-dm.rules
dracut: Skipping udev rule: 55-dm.rules
dracut: *** Including module: kernel-modules ***
dracut: *** Including module: lvm ***
dracut: Skipping udev rule: 64-device-mapper.rules
dracut: Skipping udev rule: 56-lvm.rules
dracut: Skipping udev rule: 60-persistent-storage-lvm.rules
dracut: *** Including module: crypt-gpg ***
dracut: *** Including module: crypt-loop ***
dracut: *** Including module: rootfs-block ***
dracut: *** Including module: terminfo ***
dracut: *** Including module: udev-rules ***
dracut: Skipping udev rule: 40-redhat.rules
dracut: Skipping udev rule: 50-firmware.rules
dracut: Skipping udev rule: 50-udev.rules
dracut: Skipping udev rule: 91-permissions.rules
dracut: Skipping udev rule: 80-drivers-modprobe.rules
dracut: *** Including module: usrmount ***
dracut: *** Including module: base ***
dracut: *** Including module: fs-lib ***
dracut: *** Including module: shutdown ***
dracut: *** Including modules done ***
dracut: *** Installing kernel module dependencies and firmware ***
dracut: *** Installing kernel module dependencies and firmware done ***
dracut: *** Resolving executable dependencies ***
dracut: *** Resolving executable dependencies done***
dracut: *** Pre-linking files ***
dracut: *** Pre-linking files done ***
dracut: *** Stripping files ***
dracut: *** Stripping files done ***
dracut: *** Store current command line parameters ***
dracut: Stored kernel commandline:
dracut:  rd.luks.uuid=luks-067d6953-349e-49fc-9aae-2bb2b48dbf45
dracut:  root=/dev/mapper/root rootfstype=ext4 rootflags=rw,relatime,data=ordered
dracut: ro
dracut: *** Creating image file '/boot/initramfs-4.6.3-default-pciehp.img' ***
dracut: *** Creating initramfs image file '/boot/initramfs-4.6.3-default-pciehp.img' done ***
$

grub.cfg contains:
linux   /vmlinuz-4.6.3 ro docrypt root=/dev/mapper/luks-067d6953-349e-49fc-9aae-2bb2b48dbf45 fallback=/dev/sda5 rd.luks.key=/sda6key:/dev/sda5:/dev/sda6 ... rd.shell rd.debug log_buf_len=1M rd.retry=4


Let's see.
Comment 17 Martin Mokrejš 2016-09-02 18:17:05 UTC
Created attachment 444820 [details]
rdsosreport.txt13

Doesn't work.
Comment 18 Mike Gilbert gentoo-dev 2016-09-02 18:56:05 UTC
(In reply to Martin Mokrejš from comment #13)
>   You did not comment on the 
> 
> /dev/disk/by-partuuid/87391709-06 does not exist

I'm pretty sure that warning was being output because you were passing root=PARTUUID=... on the kernel command line.
Comment 19 Mike Gilbert gentoo-dev 2016-09-02 18:59:00 UTC
I would suggest you find the UUID of the filesystem that is on your luks device, and pass that as the kernel root parameter. That will allow dracut to find it regardless of what the /dev/mapper device gets called.

You can get the UUID from the output of blkid once the /dev/mapper device has been created.

root=UUID=...
Comment 20 Mike Gilbert gentoo-dev 2016-09-02 19:02:22 UTC
(In reply to Alexander Tsoy from comment #14)
> Looks like partuuid symlinks are only created for GPT partitions. I just checked
> latest systemd from git:

As of systemd-230, they get created for DOS partitions as well.

https://github.com/systemd/systemd/commit/cf1d3efce9ada4a7401a273b215896bce32610d1

Regardless, passing a PARTUUID for root when root is on an encrypted block device makes absolutely no sense. The luks device will not have a PARTUUID since it is a virtual device to begin with.
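
The distinction drawn in comments 12, 19 and 20, as an added example that is not part of the bug thread: a root= value can name the LUKS container (never mountable as root) or the filesystem inside the mapping. The sample blkid lines reuse values reported in this bug; the function names and result labels are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the bug thread): classify what a root= argument
# actually points at, using blkid-style lines as input.

# Constructed sample input, reusing the blkid values reported in this bug.
BLKID_SAMPLE='/dev/sda5: UUID="c9031918-c48b-43ca-b621-e5c669e4160d" TYPE="ext4" PARTUUID="87391709-05"
/dev/sda6: UUID="067d6953-349e-49fc-9aae-2bb2b48dbf45" TYPE="crypto_LUKS" PARTUUID="87391709-06"
/dev/mapper/root: UUID="637c34b3-85dc-4d35-a5da-3f9588aaf41c" TYPE="ext4"'

# Print the value of KEY="..." from one blkid line (empty if absent).
# The [: ] prefix keeps KEY=UUID from matching inside PARTUUID.
blkid_field() {
    printf '%s\n' "$1" | sed -n "s/.*[: ]$2=\"\([^\"]*\)\".*/\1/p"
}

# Print the blkid line matching a root= value (UUID=, PARTUUID= or /dev path).
find_blkid_line() {
    spec=$1 table=$2
    printf '%s\n' "$table" | while IFS= read -r line; do
        dev=${line%%:*}
        case $spec in
            PARTUUID=*) [ "$(blkid_field "$line" PARTUUID)" = "${spec#PARTUUID=}" ] || continue ;;
            UUID=*)     [ "$(blkid_field "$line" UUID)" = "${spec#UUID=}" ] || continue ;;
            *)          [ "$dev" = "$spec" ] || continue ;;
        esac
        printf '%s\n' "$line"
        break
    done
}

# Classify a root= value:
#   luks-container         names the encrypted partition itself
#   filesystem             names something mountable
#   no-filesystem          device exists but blkid reports no TYPE
#   mapper-name-unverified /dev/mapper/NAME that does not exist yet; it only
#                          works if the initramfs maps the device under NAME
#   not-found              nothing in the blkid output matches
classify_root() {
    spec=$1 table=$2
    line=$(find_blkid_line "$spec" "$table")
    if [ -z "$line" ]; then
        case $spec in
            /dev/mapper/*) echo "mapper-name-unverified" ;;
            *)             echo "not-found" ;;
        esac
        return 0
    fi
    case $(blkid_field "$line" TYPE) in
        crypto_LUKS) echo "luks-container" ;;
        "")          echo "no-filesystem" ;;
        *)           echo "filesystem" ;;
    esac
}

# For a root= value that names a LUKS container, print the argument pair the
# thread shows: rd.luks.uuid=luks-<UUID> (as in dracut's stored command line)
# and root=/dev/mapper/luks-<UUID> (as suggested in comment 12).
suggest_args() {
    line=$(find_blkid_line "$1" "$2")
    [ "$(blkid_field "$line" TYPE)" = crypto_LUKS ] || return 1
    uuid=$(blkid_field "$line" UUID)
    echo "rd.luks.uuid=luks-$uuid root=/dev/mapper/luks-$uuid"
}

# Print the value of the last root= word on a kernel command line.
# Assumption: the last occurrence wins, as the reporter supposes in comment 6.
last_root() (
    set -f   # no globbing while splitting the command line into words
    val=
    for word in $1; do
        case $word in root=*) val=${word#root=} ;; esac
    done
    printf '%s\n' "$val"
)

# Demo over the root= values tried in this bug.
for arg in \
    "PARTUUID=87391709-06" \
    "UUID=067d6953-349e-49fc-9aae-2bb2b48dbf45" \
    "UUID=637c34b3-85dc-4d35-a5da-3f9588aaf41c" \
    "/dev/mapper/luks-067d6953-349e-49fc-9aae-2bb2b48dbf45"
do
    printf '%-58s -> %s\n' "root=$arg" "$(classify_root "$arg" "$BLKID_SAMPLE")"
done
```

Only the UUID of the filesystem inside the mapping classifies as `filesystem`, which is the `root=UUID=...` form recommended in comment 19.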
Comment 21 Martin Mokrejš 2016-09-02 19:22:02 UTC
(In reply to Mike Gilbert from comment #19)
> I would suggest you find the UUID of the filesystem that is on your luks
> device, and pass that as the kernel root parameter. That will allow dracut
> to find it regardless of what the /dev/mapper device gets called.
> 
> You can get the UUID from the output of blkid once the /dev/mapper device
> has been created.
> 
> root=UUID=...

/dev/sda6: UUID="067d6953-349e-49fc-9aae-2bb2b48dbf45" TYPE="crypto_LUKS" PARTUUID="87391709-06"

I thought that I followed the manual properly and used the PARTUUID as it seemed a more general approach; it is accessible before the filesystem UUID. I know I was following some other manuals from the internet, just do not remember now.

man7.org/linux/man-pages/man7/dracut.cmdline.7.html


> Regardless, passing a PARTUUID for root when root is on an encrypted block
> device makes absolutely no sense. The luks device will not have a PARTUUID
> since it is a virtual device to begin with.

But is that my case? /dev/sda is visible, /dev/sda6 as well, so why is the PARTUUID of /dev/sda6 not visible to luks/dracut? Notably, if the UUID of /dev/sda6 is visible.


# blkid
/dev/sda1: SEC_TYPE="msdos" LABEL="DELLUTILITY" UUID="3030-3030" TYPE="vfat" PARTUUID="87391709-01"
/dev/sda2: LABEL="Recovery" UUID="CC70378A703779F2" TYPE="ntfs" PARTUUID="87391709-02"
/dev/sda3: LABEL="OS" UUID="AC7C4EC27C4E86D4" TYPE="ntfs" PARTUUID="87391709-03"
/dev/sda5: UUID="c9031918-c48b-43ca-b621-e5c669e4160d" TYPE="ext4" PARTUUID="87391709-05"
/dev/sda6: UUID="067d6953-349e-49fc-9aae-2bb2b48dbf45" TYPE="crypto_LUKS" PARTUUID="87391709-06"
/dev/sda7: UUID="67e0a12b-8a1b-4a60-981c-5c6b5dda5619" TYPE="ext4" PARTUUID="87391709-07"
/dev/sda8: PARTUUID="87391709-08"
/dev/mapper/root: UUID="637c34b3-85dc-4d35-a5da-3f9588aaf41c" TYPE="ext4"
#




From the many attempts for which I kept the rdsosreport* file it seems I did not try "root=UUID=067d6953-349e-49fc-9aae-2bb2b48dbf45" on the kernel commandline. Thank you. At least I got it right in /etc/dracut.conf.d/crypt-gpg.conf shown in comment #16.


Would have been a breeze if the docs spoke about 'TYPE="crypto_LUKS"' instead of 'real root'. 'Real root' does not mean (to me, not a native speaker) if that:
1. is the encrypted UUID as seen from the outside
2. or the decrypted UUID which dracut should obtain after luksOpen
3. or if that is the /boot partition which kernel needs to initially mount.
Comment 22 Martin Mokrejš 2016-09-02 20:03:19 UTC
Created attachment 444822 [details]
rdsosreport.txt14

> root=UUID=...

Doesn't work.
Comment 23 Mike Gilbert gentoo-dev 2016-09-02 20:08:29 UTC
Try root=UUID=637c34b3-85dc-4d35-a5da-3f9588aaf41c.
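
Added example, not part of any comment in this report and not dracut code: a POSIX shell check that resolves a root= identifier against the blkid output from comment 21 and reports whether it names the encrypted container or a filesystem. The function names are assumptions made for the illustration, and the /dev/mapper/root line only exists once the LUKS device has been opened.

```shell
#!/bin/sh
# Added illustration. The three lines are copied from the blkid output in
# comment 21; /dev/mapper/root exists only after the LUKS device is opened.
BLKID_OUTPUT='/dev/sda5: UUID="c9031918-c48b-43ca-b621-e5c669e4160d" TYPE="ext4" PARTUUID="87391709-05"
/dev/sda6: UUID="067d6953-349e-49fc-9aae-2bb2b48dbf45" TYPE="crypto_LUKS" PARTUUID="87391709-06"
/dev/mapper/root: UUID="637c34b3-85dc-4d35-a5da-3f9588aaf41c" TYPE="ext4"'

# Print the value of one field (UUID, TYPE or PARTUUID) from a blkid line.
# The leading space in the pattern keeps UUID from matching inside PARTUUID.
blkid_field() {
    printf '%s\n' "$1" | sed -n "s/.* $2=\"\([^\"]*\)\".*/\1/p"
}

# Print the TYPE of the device that "UUID=<x>" or "PARTUUID=<x>" names,
# "none" if it has no TYPE, "missing" if no device carries that identifier,
# or "unsupported" for any other form of argument.
root_target_type() (
    key=${1%%=*}
    want=${1#*=}
    case $key in
        UUID|PARTUUID) ;;
        *) echo unsupported; exit 0 ;;
    esac
    found=$(printf '%s\n' "$BLKID_OUTPUT" | while IFS= read -r line; do
        if [ "$(blkid_field "$line" "$key")" = "$want" ]; then
            fstype=$(blkid_field "$line" TYPE)
            echo "${fstype:-none}"
            break
        fi
    done)
    echo "${found:-missing}"
)

# Exit status 0 only when the identifier names a filesystem that mount can
# handle; a crypto_LUKS container is not one.
root_arg_mountable() {
    case $(root_target_type "$1") in
        missing|none|unsupported|crypto_LUKS) return 1 ;;
        *) return 0 ;;
    esac
}

# Walk through the three identifiers tried in this report.
demo() {
    for arg in PARTUUID=87391709-06 \
               UUID=067d6953-349e-49fc-9aae-2bb2b48dbf45 \
               UUID=637c34b3-85dc-4d35-a5da-3f9588aaf41c; do
        if root_arg_mountable "$arg"; then
            verdict="names a mountable filesystem"
        else
            verdict="does not name a mountable filesystem"
        fi
        printf 'root=%s -> %s (%s)\n' "$arg" "$(root_target_type "$arg")" "$verdict"
    done
}

demo
```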
Comment 24 Martin Mokrejš 2016-09-03 16:16:05 UTC
Created attachment 444904 [details]
rdsosreport.txt15

> Try root=UUID=637c34b3-85dc-4d35-a5da-3f9588aaf41c.

No way, /dev/disk/by-uuid/637c34b3-85dc-4d35-a5da-3f9588aaf41c does not exist.

See e.g. lines:

[    5.825671] dracut: ///lib/dracut/hooks/pre-udev/30-block-genrules.sh@14(source): wait_for_dev /dev/disk/by-uuid/637c34b3-85dc-4d35-a5da-3f9588aaf41c

[    9.011186] dracut: //lib/dracut/hooks/initqueue/settled/blocksymlink.sh@1(source): '[' -e /dev/disk/by-uuid/637c34b3-85dc-4d35-a5da-3f9588aaf41c ']'

[   12.632140] dracut Warning: /dev/disk/by-uuid/637c34b3-85dc-4d35-a5da-3f9588aaf41c does not exist

[   12.732099] dracut: ///lib/dracut/hooks/emergency/80-x2fdevx2fdiskx2fby-uuidx2f637c34b3-85dc-4d35-a5da-3f9588aaf41c.sh@1(source): warn '/dev/disk/by-uuid/637c34b3-85dc-4d35-a5da-3f9588aaf41c does not exist'


Is openrc-0.21.3 really supported?

# emerge -pv openrc

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild     U  ] sys-apps/openrc-0.21.7::gentoo [0.21.3::gentoo] USE="ncurses netifrc pam unicode -audit -debug -newnet (-prefix) (-selinux) -static-libs -tools" 165 KiB
Comment 25 Mike Gilbert gentoo-dev 2016-09-03 16:49:09 UTC
I'm not an expert on configuring luks, but it looks like dracut is not successfully opening the luks device.

Perhaps something is wrong with your rd.luks.key parameter.
Comment 26 Alexander Tsoy 2016-09-04 18:09:33 UTC
(In reply to Mike Gilbert from comment #20)
> (In reply to Alexander Tsoy from comment #14)
> > Looks like partuuid symlinks only created for GPT partitions. I just checked
> > latest systemd from git:
> 
> As of systemd-230, they get created for DOS partitions as well.
> 
> https://github.com/systemd/systemd/commit/cf1d3efce9ada4a7401a273b215896bce32610d1

Ah, right. I pulled sources from freedesktop.org git repo which is outdated. =/

> 
> Regardless, passing a PARTUUID for root when root is on an encrypted block
> device makes absolutely no sense. The luks device will not have a PARTUUID
> since it is a virtual device to begin with.

Yes, indeed.
Comment 27 Alexander Tsoy 2016-09-04 18:26:53 UTC
(In reply to Martin Mokrejš from comment #24)

> Is openrc-0.21.3 really supported?

Dracut doesn't make use of anything from openrc.
Comment 28 Alexander Tsoy 2016-09-04 19:08:39 UTC
(In reply to Martin Mokrejš from comment #17)
> Created attachment 444820 [details]
> rdsosreport.txt13
> 
> Doesn't work.

Yes, the second issue is that for some reason cryptsetup refuses the key. No idea what's wrong here. Maybe readkey function outputs some garbage, but this is very unlikely.


[    6.954940] dracut: /sbin/cryptroot-ask@141(main): cryptsetup -d - luksOpen /dev/sda6 root
...
...
[    6.971468] dracut: /lib/dracut-crypt-lib.sh@188(readkey): local mntp=/mnt/keydev--dev-sda5--sda6key
[    6.972161] dracut: /lib/dracut-crypt-lib.sh@190(readkey): '[' '!' -d /mnt/keydev--dev-sda5--sda6key ']'
[    6.972855] dracut: /lib/dracut-crypt-lib.sh@191(readkey): mkdir /mnt/keydev--dev-sda5--sda6key
[    6.973552] dracut: /lib/dracut-crypt-lib.sh@192(readkey): mount -r /dev/sda5 /mnt/keydev--dev-sda5--sda6key
[    6.974259] dracut: /lib/dracut-crypt-lib.sh@195(readkey): case "${keypath##*.}" in
[    6.974972] dracut: /lib/dracut-crypt-lib.sh@215(readkey): cat /mnt/keydev--dev-sda5--sda6key//sda6key
[    6.975690] dracut: /lib/dracut-crypt-lib.sh@220(readkey): umount /mnt/keydev--dev-sda5--sda6key
[    6.976404] dracut: /lib/dracut-crypt-lib.sh@221(readkey): rmdir /mnt/keydev--dev-sda5--sda6key
[    7.752662] dracut: No key available with this passphrase.
Comment 29 Alexander Tsoy 2016-09-18 22:45:55 UTC
Do you have all necessary crypto modules compiled into the kernel, or have you compiled them as modules? You can find needed cipher suite with the following command: "cryptsetup status /dev/mapper/<name of the luks device>".
Comment 30 Martin Mokrejš 2016-09-19 17:53:57 UTC
(In reply to Alexander Tsoy from comment #29)
> Do you have all necessary crypto modules compiled into the kernel, or have
> you compiled them as modules? You can find needed cipher suite with the
> following command: "cryptsetup status /dev/mapper/<name of the luks device>".

First of all, even if I had some only as module I assume I couldn't bootup from the emergency shell with just the few commands:

$ cat /boot/luksmount.sh 
#! /bin/sh
cat /sysroot/sda6key | cryptsetup luksOpen /dev/sda6 root
umount /sysroot
mount /dev/mapper/root /sysroot
exit # exit from emerge shell and continue booting
$

I just need to decrypt the disk and make it available under the anticipated /dev/mapper/blah filename, then exiting from the emergency shell forces dracut to re-check for presence of the file, or maybe it just re-checks the mounted filesystem to ensure it looks like a root filesystem.

During the course of this bug report, as you may see from the attached logs, I now need to do this instead:

$ cat /boot/luksmount2.sh 
#! /bin/sh
cat /sysroot/sda6key | cryptsetup luksOpen /dev/sda6 luks-067d6953-349e-49fc-9aae-2bb2b48dbf45
umount /sysroot
mount /dev/mapper/luks-067d6953-349e-49fc-9aae-2bb2b48dbf45 /sysroot
$





Anyway, to answer your suggestions:

# cryptsetup status /dev/mapper/luks-067d6953-349e-49fc-9aae-2bb2b48dbf45 
/dev/mapper/luks-067d6953-349e-49fc-9aae-2bb2b48dbf45 is active and is in use.
  type:    LUKS1
  cipher:  aes-xts-plain64:sha512
  keysize: 512 bits
  device:  /dev/sda6
  offset:  4096 sectors
  size:    2147479552 sectors
  mode:    read/write
# 


# gzip -dc /proc/config.gz |  grep CRYPTO | grep -v "^#"
CONFIG_BLK_DEV_CRYPTOLOOP=y
CONFIG_CRYPTO=y
CONFIG_CRYPTO_ALGAPI=y
CONFIG_CRYPTO_ALGAPI2=y
CONFIG_CRYPTO_AEAD=y
CONFIG_CRYPTO_AEAD2=y
CONFIG_CRYPTO_BLKCIPHER=y
CONFIG_CRYPTO_BLKCIPHER2=y
CONFIG_CRYPTO_HASH=y
CONFIG_CRYPTO_HASH2=y
CONFIG_CRYPTO_RNG=y
CONFIG_CRYPTO_RNG2=y
CONFIG_CRYPTO_RNG_DEFAULT=y
CONFIG_CRYPTO_AKCIPHER2=y
CONFIG_CRYPTO_AKCIPHER=y
CONFIG_CRYPTO_RSA=y
CONFIG_CRYPTO_MANAGER=y
CONFIG_CRYPTO_MANAGER2=y
CONFIG_CRYPTO_USER=y
CONFIG_CRYPTO_MANAGER_DISABLE_TESTS=y
CONFIG_CRYPTO_GF128MUL=y
CONFIG_CRYPTO_NULL=y
CONFIG_CRYPTO_NULL2=y
CONFIG_CRYPTO_PCRYPT=y
CONFIG_CRYPTO_WORKQUEUE=y
CONFIG_CRYPTO_CRYPTD=y
CONFIG_CRYPTO_MCRYPTD=y
CONFIG_CRYPTO_AUTHENC=y
CONFIG_CRYPTO_ABLK_HELPER=y
CONFIG_CRYPTO_GLUE_HELPER_X86=y
CONFIG_CRYPTO_CCM=y
CONFIG_CRYPTO_GCM=y
CONFIG_CRYPTO_CHACHA20POLY1305=y
CONFIG_CRYPTO_SEQIV=y
CONFIG_CRYPTO_ECHAINIV=y
CONFIG_CRYPTO_CBC=y
CONFIG_CRYPTO_CTR=y
CONFIG_CRYPTO_CTS=y
CONFIG_CRYPTO_ECB=y
CONFIG_CRYPTO_LRW=y
CONFIG_CRYPTO_PCBC=y
CONFIG_CRYPTO_XTS=y
CONFIG_CRYPTO_KEYWRAP=y
CONFIG_CRYPTO_CMAC=y
CONFIG_CRYPTO_HMAC=y
CONFIG_CRYPTO_XCBC=y
CONFIG_CRYPTO_VMAC=y
CONFIG_CRYPTO_CRC32C=y
CONFIG_CRYPTO_CRC32C_INTEL=y
CONFIG_CRYPTO_CRC32=y
CONFIG_CRYPTO_CRC32_PCLMUL=y
CONFIG_CRYPTO_CRCT10DIF=y
CONFIG_CRYPTO_CRCT10DIF_PCLMUL=y
CONFIG_CRYPTO_GHASH=y
CONFIG_CRYPTO_POLY1305=y
CONFIG_CRYPTO_POLY1305_X86_64=y
CONFIG_CRYPTO_MD4=y
CONFIG_CRYPTO_MD5=y
CONFIG_CRYPTO_MICHAEL_MIC=y
CONFIG_CRYPTO_RMD128=y
CONFIG_CRYPTO_RMD160=y
CONFIG_CRYPTO_RMD256=y
CONFIG_CRYPTO_RMD320=y
CONFIG_CRYPTO_SHA1=y
CONFIG_CRYPTO_SHA1_SSSE3=y
CONFIG_CRYPTO_SHA256_SSSE3=y
CONFIG_CRYPTO_SHA512_SSSE3=y
CONFIG_CRYPTO_SHA1_MB=y
CONFIG_CRYPTO_SHA256=y
CONFIG_CRYPTO_SHA512=y
CONFIG_CRYPTO_TGR192=y
CONFIG_CRYPTO_WP512=y
CONFIG_CRYPTO_GHASH_CLMUL_NI_INTEL=y
CONFIG_CRYPTO_AES=y
CONFIG_CRYPTO_AES_X86_64=y
CONFIG_CRYPTO_AES_NI_INTEL=y
CONFIG_CRYPTO_ANUBIS=y
CONFIG_CRYPTO_ARC4=y
CONFIG_CRYPTO_BLOWFISH=y
CONFIG_CRYPTO_BLOWFISH_COMMON=y
CONFIG_CRYPTO_BLOWFISH_X86_64=y
CONFIG_CRYPTO_CAMELLIA=y
CONFIG_CRYPTO_CAMELLIA_X86_64=y
CONFIG_CRYPTO_CAMELLIA_AESNI_AVX_X86_64=y
CONFIG_CRYPTO_CAMELLIA_AESNI_AVX2_X86_64=y
CONFIG_CRYPTO_CAST_COMMON=y
CONFIG_CRYPTO_CAST5=y
CONFIG_CRYPTO_CAST5_AVX_X86_64=y
CONFIG_CRYPTO_CAST6=y
CONFIG_CRYPTO_CAST6_AVX_X86_64=y
CONFIG_CRYPTO_DES=y
CONFIG_CRYPTO_DES3_EDE_X86_64=y
CONFIG_CRYPTO_FCRYPT=y
CONFIG_CRYPTO_KHAZAD=y
CONFIG_CRYPTO_SALSA20=y
CONFIG_CRYPTO_SALSA20_X86_64=y
CONFIG_CRYPTO_CHACHA20=y
CONFIG_CRYPTO_CHACHA20_X86_64=y
CONFIG_CRYPTO_SEED=y
CONFIG_CRYPTO_SERPENT=y
CONFIG_CRYPTO_SERPENT_SSE2_X86_64=y
CONFIG_CRYPTO_SERPENT_AVX_X86_64=y
CONFIG_CRYPTO_SERPENT_AVX2_X86_64=y
CONFIG_CRYPTO_TEA=y
CONFIG_CRYPTO_TWOFISH=y
CONFIG_CRYPTO_TWOFISH_COMMON=y
CONFIG_CRYPTO_TWOFISH_X86_64=y
CONFIG_CRYPTO_TWOFISH_X86_64_3WAY=y
CONFIG_CRYPTO_TWOFISH_AVX_X86_64=y
CONFIG_CRYPTO_DEFLATE=y
CONFIG_CRYPTO_LZO=y
CONFIG_CRYPTO_842=y
CONFIG_CRYPTO_LZ4=y
CONFIG_CRYPTO_LZ4HC=y
CONFIG_CRYPTO_ANSI_CPRNG=y
CONFIG_CRYPTO_DRBG_MENU=y
CONFIG_CRYPTO_DRBG_HMAC=y
CONFIG_CRYPTO_DRBG_HASH=y
CONFIG_CRYPTO_DRBG_CTR=y
CONFIG_CRYPTO_DRBG=y
CONFIG_CRYPTO_JITTERENTROPY=y
CONFIG_CRYPTO_USER_API=y
CONFIG_CRYPTO_USER_API_HASH=y
CONFIG_CRYPTO_USER_API_SKCIPHER=y
CONFIG_CRYPTO_USER_API_RNG=y
CONFIG_CRYPTO_USER_API_AEAD=y
CONFIG_CRYPTO_HASH_INFO=y
CONFIG_CRYPTO_HW=y
# gzip -dc /proc/config.gz |  grep MD | grep -v "^#"
CONFIG_ARCH_WANT_HUGE_PMD_SHARE=y
CONFIG_CPU_SUP_AMD=y
CONFIG_ARCH_ENABLE_SPLIT_PMD_PTLOCK=y
CONFIG_AMD_NB=y
CONFIG_SCTP_DEFAULT_COOKIE_HMAC_MD5=y
CONFIG_SCTP_COOKIE_HMAC_MD5=y
CONFIG_ATA_BMDMA=y
CONFIG_MD=y
CONFIG_BLK_DEV_MD=y
CONFIG_MD_AUTODETECT=y
CONFIG_MD_LINEAR=y
CONFIG_MD_RAID0=y
CONFIG_MD_RAID1=y
CONFIG_MD_RAID10=y
CONFIG_MD_RAID456=y
CONFIG_FB_CMDLINE=y
CONFIG_CRYPTO_MD4=y
CONFIG_CRYPTO_MD5=y
CONFIG_CRYPTO_RMD128=y
CONFIG_CRYPTO_RMD160=y
CONFIG_CRYPTO_RMD256=y
CONFIG_CRYPTO_RMD320=y
# gzip -dc /proc/config.gz |  grep DM | grep -v "^#"
CONFIG_NEED_DMA_MAP_STATE=y
CONFIG_NEED_SG_DMA_LENGTH=y
CONFIG_GENERIC_ISA_DMA=y
CONFIG_ZONE_DMA32=y
CONFIG_HAVE_DMA_CONTIGUOUS=y
CONFIG_HAVE_DMA_API_DEBUG=y
CONFIG_LDM_PARTITION=y
CONFIG_ZONE_DMA=y
CONFIG_DMI=y
CONFIG_ARCH_DMA_ADDR_T_64BIT=y
CONFIG_ZONE_DMA_FLAG=1
CONFIG_ISA_DMA_API=y
CONFIG_X86_DEV_DMA_OPS=y
CONFIG_DMA_SHARED_BUFFER=y
CONFIG_SCSI_DMA=y
CONFIG_ATA_BMDMA=y
CONFIG_BLK_DEV_DM_BUILTIN=y
CONFIG_BLK_DEV_DM=y
CONFIG_DM_BUFIO=y
CONFIG_DM_BIO_PRISON=y
CONFIG_DM_PERSISTENT_DATA=y
CONFIG_DM_CRYPT=y
CONFIG_DM_SNAPSHOT=y
CONFIG_DM_THIN_PROVISIONING=y
CONFIG_DM_MIRROR=y
CONFIG_DM_RAID=y
CONFIG_DM_ZERO=y
CONFIG_DM_UEVENT=y
CONFIG_HDMI=y
CONFIG_SND_DMA_SGBUF=y
CONFIG_SND_HDA_CODEC_HDMI=y
CONFIG_USB_WDM=y
CONFIG_DMAR_TABLE=y
CONFIG_DMIID=y
CONFIG_DMI_SYSFS=y
CONFIG_DMI_SCAN_MACHINE_NON_EFI_FALLBACK=y
CONFIG_HAVE_C_RECORDMCOUNT=y
CONFIG_HAS_DMA=y
#
Comment 31 Alexander Tsoy 2016-09-19 18:51:42 UTC
(In reply to Martin Mokrejš from comment #30)

Ah. I've got it. There is a difference between issuing cryptsetup with '-d -' and without it. Without '-d -' trailing new line is stripped from the stdin. ;) (see NOTES ON PASSPHRASE PROCESSING FOR PLAIN MODE in the man cryptsetup)

I just tried to reproduce this:

$ cat /tmp/lukspass 
WqUktlXy8QKFNnWy6Yd9t7Ik8fyhJj
$ cat /tmp/lukspass | sudo cryptsetup luksFormat /dev/mapper/vg_system-test
$ cat /tmp/lukspass | sudo cryptsetup open --type luks /dev/mapper/vg_system-test crypttest
$ echo $?
0
$ sudo cryptsetup close crypttest

Now let's try with '-d -':

$ cat /tmp/lukspass | sudo cryptsetup open --type luks -d - /dev/mapper/vg_system-test crypttest
No key available with this passphrase.
$ echo WqUktlXy8QKFNnWy6Yd9t7Ik8fyhJj | sudo cryptsetup open --type luks -d - /dev/mapper/vg_system-test crypttest
No key available with this passphrase.
$ echo -n WqUktlXy8QKFNnWy6Yd9t7Ik8fyhJj | sudo cryptsetup open --type luks -d - /dev/mapper/vg_system-test crypttest
$ echo $?
0


Please try to create a new key slot with proper key that can be passed to cryptsetup with '-d -'
Comment 32 Alexander Tsoy 2016-09-19 18:54:35 UTC
(In reply to Alexander Tsoy from comment #31)
> see NOTES ON PASSPHRASE PROCESSING FOR PLAIN MODE

I mean FOR LUKS of course, but there is no difference in processing stdin.
Comment 33 Martin Mokrejš 2016-09-19 19:03:40 UTC
(In reply to Alexander Tsoy from comment #31)

> Please try to create a new key slot with proper key that can be passed to
> cryptsetup with '-d -'

Honestly, the documentation for cryptsetup seemed too messy to me, and the '-d -' especially. Why doesn't it work with my /boot/sda6key file? It does contain '\n' on the single line. Would adding a second '\n' help?

Anyway, so what do you want me to test? What do you mean under "proper key that can be passed to cryptsetup with ..."? What is wrong with my key in slot 0?

Thank you anyway for your kind analysis!
Comment 34 Alexander Tsoy 2016-09-19 19:27:32 UTC
(In reply to Martin Mokrejš from comment #33)

Without '-d -' cryptsetup reads passphrase up to the first newline character, so I was not 100% correct in my previous comment. I think the following command should be enough to make dracut happy:

cat <path>/sda6key | cryptsetup luksAddKey <device> <path>/sda6key

If the system boots up properly, then you can remove key slot 0.
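
Added example, not part of any comment in this report and not cryptsetup or dracut code: a POSIX shell check that compares the bytes cryptsetup treats as the key when a file is piped as a passphrase with the bytes it uses when the same file is read as a key file or piped with '-d -', following the behaviour described in comments 31 and 34. The function names and the constructed sample passphrase are assumptions made for the illustration.

```shell
#!/bin/sh
# Added illustration: no cryptsetup call is made, only key bytes are compared.

# Key bytes when the file is piped on stdin WITHOUT '-d -': input is read up
# to the first newline and that newline is dropped.
stdin_passphrase_hex() {
    head -n 1 "$1" | tr -d '\n' | od -An -v -tx1 | tr -d ' \n'
}

# Key bytes when the file is used as a key file, or piped WITH '-d -':
# the complete content, newlines included.
keyfile_hex() {
    od -An -v -tx1 "$1" | tr -d ' \n'
}

# Exit status 0 when both modes yield the same key, 1 when they differ.
same_key_in_both_modes() {
    [ "$(stdin_passphrase_hex "$1")" = "$(keyfile_hex "$1")" ]
}

# One-line verdict for a key file.
describe_keyfile() {
    if same_key_in_both_modes "$1"; then
        echo "$1: identical key in both modes"
    else
        echo "$1: key file mode sees extra bytes (e.g. a trailing newline)"
    fi
}

# Demo on constructed key files (not the reporter's key).
demo() {
    dir=$(mktemp -d) || return 1
    printf 'constructed-sample-passphrase\n' > "$dir/with_newline"
    printf 'constructed-sample-passphrase'   > "$dir/without_newline"
    describe_keyfile "$dir/with_newline"
    describe_keyfile "$dir/without_newline"
    rm -rf "$dir"
}

demo
```

A key file that differs between the two modes matches the situation in comment 28, where the file content is piped into "cryptsetup -d -" and the slot was created from the newline-stripped passphrase.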
Comment 35 Martin Mokrejš 2016-09-20 07:48:02 UTC
# cryptsetup status luks-067d6953-349e-49fc-9aae-2bb2b48dbf45 
/dev/mapper/luks-067d6953-349e-49fc-9aae-2bb2b48dbf45 is active and is in use.
  type:    LUKS1
  cipher:  aes-xts-plain64:sha512
  keysize: 512 bits
  device:  /dev/sda6
  offset:  4096 sectors
  size:    2147479552 sectors
  mode:    read/write
# cat /boot/sda6key | cryptsetup luksAddKey luks-067d6953-349e-49fc-9aae-2bb2b48dbf45 /boot/sda6key
Device luks-067d6953-349e-49fc-9aae-2bb2b48dbf45 doesn't exist or access denied.
#

# ls -latr /dev/mapper/
total 0
lrwxrwxrwx  1 root root       7 Sep 20 08:35 luks-067d6953-349e-49fc-9aae-2bb2b48dbf45 -> ../dm-0
drwxr-xr-x 18 root root   14000 Sep 20 08:35 ..
drwxr-xr-x  2 root root      80 Sep 20  2016 .
crw-------  1 root root 10, 236 Sep 20  2016 control
#
# ls -latr /dev/dm-0   
brw-rw---- 1 root disk 253, 0 Sep 20 08:35 /dev/dm-0
#
Comment 36 Martin Mokrejš 2016-09-20 07:55:38 UTC
I forgot to show what I tried at first.

# cat /boot/sda6key | cryptsetup luksAddKey /dev/mapper/luks-067d6953-349e-49fc-9aae-2bb2b48dbf45 /boot/sda6key
Device /dev/mapper/luks-067d6953-349e-49fc-9aae-2bb2b48dbf45 is not a valid LUKS device.
#

strace(1) shows this is merely correct, because cryptsetup tries to open the device directly, without prepending '/dev/' or '/dev/mapper/' to it.


So, trying to pass it the not decrypted device now:

# cat /boot/sda6key | cryptsetup luksAddKey /dev/sda6 /boot/sda6key
#

OK, this went through. Can I list used key slots for a LUKS device? I don't see anything like that in 'cryptsetup --help'. :(
Comment 37 Alexander Tsoy 2016-09-20 08:20:59 UTC
(In reply to Martin Mokrejš from comment #36)

luksDump should do the trick:

cryptsetup luksDump /dev/sda6
Comment 38 Martin Mokrejš 2016-09-20 08:35:32 UTC
Created attachment 446872 [details]
rdsosreport.txt16

So, addition of the same key into slot 1 helped. Attached rdsos file shows the device was assembled as /dev/mapper/root. Because my kernel commandline contained for about the last month "root=UUID=637c34b3-85dc-4d35-a5da-3f9588aaf41", dracut failed to continue. Also, mounting the /dev/mapper/root as /sysroot kept failing with:

mount: unknown filesystem type 'crypto_LUKS'
dracut Warning: Failed to mount -t crypto_LUKS -o rw,relatime,data=ordered,ro,ro /dev/disk/by-uuid/067d6953-349e-49fc-9aae-2bb2b48dbf45 /sysroot
dracut Warning: *** An error occurred during the file system check.
dracut Warning: *** Dropping you to a shell; the system will try
dracut Warning: *** to mount the filesystem(s), when you leave the shell.

It seemed to me so far that if something looking reasonably similar to a root filesystem is mounted into /sysroot then dracut will just try to boot it. That does not seem to be the case now. I was going to hack /lib/dracut-lib.sh but because I have no good editor (vim) in the ramdisk, I gave up an attempt to comment out the above mount call.


The only way out was to give up and reboot, revert my kernel commandline to root=/dev/mapper/root. For that I will upload dmesg17.txt file, because I do not know how to tell dracut to save the rdsos file for me during booting.

I think you could run diff on the attached logs to pinpoint the differences and find problematic places, right?
Comment 39 Martin Mokrejš 2016-09-20 08:40:01 UTC
Created attachment 446874 [details]
dmesg17.txt

root=/dev/mapper/root on the kernel commandline needs to be specified because dracut assembles the luks device as /dev/mapper/root. If that does not match the kernel commandline then dracut gives up mistakenly and dumps me into an emergency shell.

So one of the additional problems is that my mount -t crypto_LUKS complains about unknown filesystem type.