| Summary: | sys-kernel/dracut-044 problem with root device on luks volume? | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Martin Mokrejš <mmokrejs> |
| Component: | Current packages | Assignee: | Alexander Tsoy <alexander> |
| Status: | RESOLVED OBSOLETE | | |
| Severity: | normal | CC: | alexander |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
Attachments: rdsosreport.txt, rdsosreport.txt11, rdsosreport.txt13, rdsosreport.txt14, rdsosreport.txt15, rdsosreport.txt16, dmesg17.txt
Description
Martin Mokrejš
2016-09-01 19:32:44 UTC
What version of udev? Support for DOS partitions using partuuid was added in systemd-230 and udev-230. What parameters are you passing on the kernel command line? What does your fstab contain?

```
# emerge -pv udev
Calculating dependencies... done!
[ebuild R ] sys-fs/udev-230-r1::gentoo USE="kmod -acl (-selinux) -static-libs" ABI_X86="32 (64) (-x32)" 0 KiB
```

BTW, I tried many dracut commandline options, but to give just a few:

```
dracut -a "crypt crypt-gpg dm" --kver 4.6.3-default-pciehp --force -I "/usr/bin/gpg-agent /usr/bin/ssh /sbin/fsck.ext4 /usr/bin/strace"
dracut -a "crypt crypt-gpg" --kver 4.6.3-default-pciehp --force --hostonly
dracut -a "crypt crypt-gpg lvm dm" --kver 4.0.6-default-pciehp --force -I "/usr/bin/gpg-agent /usr/bin/ssh /sbin/fsck.ext4 /usr/bin/strace" --add-fstab=/boot/fstab
```

```
# grep -v "^#" /etc/fstab
UUID="067d6953-349e-49fc-9aae-2bb2b48dbf45" / ext4 noatime 0 1
/dev/sda7 /scratch ext4 noatime 0 0
/dev/mapper/swap none swap sw 0 0
/dev/cdrom /mnt/cdrom auto noauto,ro 0 0
shm /dev/shm tmpfs nodev,nosuid,noexec 0 0
/dev/sda5 /boot ext4 noatime 0 0
/dev/sda3 /mnt/ntfs ntfs-3g default 0 0
```

Kernel commandline:

```
/vmlinuz-4.6.3 ro docrypt root=PARTUUID=87391709-06 rootfallback=/dev/sda5 rd.luks.key=/sda6key.gpg:/dev/sda5:/dev/sda6 slub_debug=AFPZ pciehp.pciehp_debug=1 pciehp_debug=1 intel_idle.max_cstate=c3 i915.i915_enable_rc6=1 usbcore.autosuspend=-1 rd.shell
```

It also fails with an unprotected key (to avoid issues with gpg-agent), for which I showed the dmesg snippet.

```
/vmlinuz-4.6.3 ro docrypt root=PARTUUID=87391709-06 rootfallback=/dev/sda5 rd.luks.key=/sda6key:/dev/sda5:/dev/sda6 slub_debug=AFPZ pciehp.pciehp_debug=1 pciehp_debug=1 intel_idle.max_cstate=c3 i915.i915_enable_rc6=1 usbcore.autosuspend=-1 rd.shell
```

Basically, dracut should fetch the key from the sda5 filesystem, from a file sda6key placed in its root, and call luksOpen to decrypt sda6.

I am slightly off-topic in this bug report, but IMHO dracut should not bother about the UUID because I said clearly which /dev/sda* device it should have opened (via the kernel commandline). But I saw the code somewhere in the dracut scripts, so it behaves as I reported (it looks for a non-existing file without care). Seems dracut is developed for RedHat and for systemd, so this could be a Gentoo issue.

Initially I thought I could not decrypt my device because of gpg-agent, and sometimes it seemed it was because it cannot find pinentry (I don't have it in the ramdisk; indeed, I do not want gpg-agent to require pinentry either). But the real issue is that gpg-agent aims to decrypt a non-existing partuuid file and just asks for a passphrase. Once it receives it, nothing happens. Probably a bug in gpg could be filed as well so that gpg-agent checks it has a file to work with before even asking for a passphrase.

```
# emerge -pv gnupg
These are the packages that would be merged, in order:
Calculating dependencies... done!
[ebuild U ] dev-libs/libgcrypt-1.7.3:0/20::gentoo [1.7.2:0/20::gentoo] USE="-doc -static-libs" ABI_X86="32 (64) (-x32)" 0 KiB
[ebuild U ] app-crypt/gnupg-2.1.15::gentoo [2.1.14-r1::gentoo] USE="bzip2 doc gnutls nls readline tools usb -ldap (-selinux) -smartcard -tofu" 0 KiB
```

To show that my kernel commandline and system work, here is what I execute once dracut gives me its emergency shell:

```
$ cat /boot/luksmount.sh
#! /bin/sh
cat /sysroot/sda6key | cryptsetup luksOpen /dev/sda6 root
umount /sysroot
mount /dev/mapper/root /sysroot
exit # exit from emerge shell and continue booting
$
```

So, dracut is happy with the /dev/mapper/root created manually and with the layout of the decrypted filesystem in /sysroot. I do not understand why it even wants to create /dev/mapper/$someotherfilename. Sorry for being so verbose, Mike.

> # grep -v "^#" /etc/fstab
>
> UUID="067d6953-349e-49fc-9aae-2bb2b48dbf45" / ext4
> noatime 0 1

And I did have /dev/sda6 there as well; that did not work and therefore I tried the above UUID approach. Doesn't work either.
I'm confused; why are you passing root=PARTUUID=87391709-06 on the kernel command line?

(In reply to Mike Gilbert from comment #5)
> I'm confused; why are you passing root=PARTUUID=87391709-06 on the kernel
> command line?

Sorry, I tried so many tricks that I managed to paste a commandline from a different attempt. Here is the commandline which does not work either, and IMHO the real issue has nothing to do with my kernel commandline, because dracut does something different under the hood.

```
Command line: BOOT_IMAGE=/vmlinuz-4.6.3 ro docrypt root=/dev/sda6 root=/dev/mapper/root fallback=/dev/sda5 rd.luks.key=/sda6key:/dev/sda5:/dev/sda6 slub_debug=AFPZ pciehp.pciehp_debug=1 pciehp_debug=1 intel_idle.max_cstate=c3 i915.i915_enable_rc6=1 usbcore.autosuspend=-1 rd.shell
```

Why do I have two "root=" items in there? I do not know, but that prevents the kernel from panicking because it cannot mount the root filesystem. I assume the latter takes precedence. dracut fails to do its job, but after 5 minutes gives me the emergency shell. From that shell I call the short shell script I pasted above, and the system boots up because the /sysroot filesystem seems reasonable. Probably it has nothing to do with /dev/mapper/root being available (decrypted by me manually).

Please follow the instructions from [1] and attach rdsosreport.txt to this bug. You can also add "rd.retry=4" to the kernel cmdline; dracut will drop you to the rescue shell much faster.

[1] https://www.kernel.org/pub/linux/utils/boot/dracut/dracut.html#identifying-your-problem-area

Created attachment 444804 [details]
rdsosreport.txt

(In reply to Martin Mokrejš from comment #8)

You forgot to append "rd.debug log_buf_len=1M" to the kernel cmdline.

Created attachment 444806 [details]
rdsosreport.txt11

Yes, I also realized that meanwhile, sorry, here we go.
So... You don't have /etc/crypttab in initramfs and expect that dracut will magically give the name "root" to the luks device? :)

You should try a hostonly initramfs: pass the "-H" option to dracut or add hostonly="yes" to /etc/(dracut.conf|dracut.conf.d/*). Of course ensure first that you have a proper /etc/crypttab on the real root. Another option is to use "root=/dev/mapper/luks-067d6953-349e-49fc-9aae-2bb2b48dbf45".

(In reply to Alexander Tsoy from comment #11)
> So... You don't have /etc/crypttab in initramfs and expect that dracut will
> magically give the name "root" to the luks device? :)

Seemed optional; dracut can just respect the kernel commandline arguments, so it knows where to get the key from and what partition to decrypt. It seemed from the manual pages that /dev/mapper/root is the common device name.

Why isn't this enough?

```
[ 5.366397] dracut: rd.luks.key: keypath='/sda6key.gpg' keydev='/dev/sda5' luksdev='/dev/sda6'
```

You did not comment on the

```
/dev/disk/by-partuuid/87391709-06 does not exist
```

error message. Clearly /dev/disk/by-partuuid/ is missing in my Gentoo case, and I doubt it has to do with a wrong kernel commandline or wrong dracut arguments used to create the ramdisk. What am I missing?

(In reply to Martin Mokrejš from comment #13)
> Seemed optional, dracut can just respect the kernel commandline arguments,
> so it knows where to get the key from, and what partition to decrypt. It
> seemed from manual pages that /dev/mapper/root is the common device name.
>
> Why isn't this enough?

You can specify multiple luks devices on the cmdline and none of them is required to be a root device: it may be /usr or a custom mount point.

> You did not comment on the
>
> /dev/disk/by-partuuid/87391709-06 does not exist
>
> error message. Clearly the /dev/disk/by-partuuid/ is missing in my Gentoo
> case, and I doubt it has to do with wrong kernel commandline or wrong dracut
> arguments used to create the ramdisk. What am I missing?

Looks like partuuid symlinks are only created for GPT partitions. I just checked the latest systemd from git:

```
$ grep -r by-partuuid rules/
rules/60-persistent-storage.rules:# by-partlabel/by-partuuid links (partition metadata)
rules/60-persistent-storage.rules:ENV{ID_PART_ENTRY_SCHEME}=="gpt", ENV{ID_PART_ENTRY_UUID}=="?*", SYMLINK+="disk/by-partuuid/$env{ID_PART_ENTRY_UUID}"
```

Hmm, I do not know how that translates to my openrc situation, but although I wanted to answer that I have a GPT partition on the 1.8TiB drive, there is some problem:

```
# gdisk /dev/sda
GPT fdisk (gdisk) version 1.0.1

Partition table scan:
  MBR: MBR only
  BSD: not present
  APM: not present
  GPT: not present

***************************************************************
Found invalid GPT and valid MBR; converting MBR to GPT format
in memory. THIS OPERATION IS POTENTIALLY DESTRUCTIVE! Exit by
typing 'q' if you don't want to convert your MBR partitions
to GPT format!
***************************************************************

Exact type match not found for type code DE00; assigning type code for 'Linux filesystem'
Warning! Secondary partition table overlaps the last partition by
33 blocks!
You will need to delete this partition or resize it in another utility.

Command (? for help): p
Disk /dev/sda: 3907029168 sectors, 1.8 TiB
Logical sector size: 512 bytes
Disk identifier (GUID): 45932B6C-CAEC-47A8-874D-D92A28E314D8
Partition table holds up to 128 entries
First usable sector is 34, last usable sector is 3907029134
Partitions will be aligned on 2048-sector boundaries
Total free space is 10206 sectors (5.0 MiB)

Number  Start (sector)    End (sector)  Size        Code  Name
   1            2048          206847   100.0 MiB   8300  Linux filesystem
   2          206848        30926847   14.6 GiB    0700  Microsoft basic data
   3        30926848       235726847   97.7 GiB    0700  Microsoft basic data
   5       235728896       237826047   1024.0 MiB  8300  Linux filesystem
   6       237828096      2385311743   1024.0 GiB  8300  Linux filesystem
   7      2385313792      3853320191   700.0 GiB   8300  Linux filesystem
   8      3853322240      3907029167   25.6 GiB    8200  Linux swap

Command (? for help): q
```

Maybe that is confusing some scripts if I had systemd. But I have openrc installed so it may not even apply.

(In reply to Alexander Tsoy from comment #12)
> You should try hostonly initramfs: pass "-H" option to dracut or add
> hostonly="yes" to /etc/(dracut.conf|dracut.conf.d/*). Of course ensure first
> that you have a proper /etc/crypttab on the real root. Another option is to
> use "root=/dev/mapper/luks-067d6953-349e-49fc-9aae-2bb2b48dbf45".

So I did:

```
$ cat /etc/dracut.conf.d/crypt-gpg.conf
hostonly="yes"
root=UUID=luks-067d6953-349e-49fc-9aae-2bb2b48dbf45 rootfstype=ext4 rootfallback=/dev/sda5
# encrypted LUKS partition from outside
# rd.luks.uuid=luks-067d6953-349e-49fc-9aae-2bb2b48dbf45
#
# decrypted LUKS filesystem
# UUID="637c34b3-85dc-4d35-a5da-3f9588aaf41c"
add_dracutmodules+="crypt-gpg crypt-loop crypt"
omit_dracutmodules+="systemd"
$
$ cat /etc/crypttab
root UUID=067d6953-349e-49fc-9aae-2bb2b48dbf45 /sda6key luks
$
$ dracut -a "crypt crypt-gpg lvm dm" --kver 4.6.3-default-pciehp --force --hostonly
dracut: Executing: /usr/bin/dracut -a "crypt crypt-gpg lvm dm" --kver 4.6.3-default-pciehp --force --hostonly
dracut: dracut module 'bootchart' will not be installed, because command '/sbin/bootchartd' could not be found!
dracut: dracut module 'dash' will not be installed, because command '/bin/dash' could not be found!
dracut: dracut module 'network' will not be installed, because command 'arping' could not be found!
dracut: dracut module 'plymouth' will not be installed, because command 'plymouthd' could not be found!
dracut: dracut module 'plymouth' will not be installed, because command 'plymouth' could not be found!
dracut: dracut module 'plymouth' will not be installed, because command 'plymouth-set-default-theme' could not be found!
dracut: dracut module 'btrfs' will not be installed, because command 'btrfs' could not be found!
dracut: dracut module 'dmraid' will not be installed, because command 'dmraid' could not be found!
dracut: dracut module 'iscsi' will not be installed, because command 'iscsistart' could not be found!
dracut: dracut module 'iscsi' will not be installed, because command 'iscsi-iname' could not be found!
dracut: dracut module 'biosdevname' will not be installed, because command 'biosdevname' could not be found!
dracut: dracut module 'dash' will not be installed, because command '/bin/dash' could not be found!
dracut: dracut module 'network' will not be installed, because command 'arping' could not be found!
dracut: dracut module 'btrfs' will not be installed, because command 'btrfs' could not be found!
dracut: dracut module 'dmraid' will not be installed, because command 'dmraid' could not be found!
dracut: dracut module 'iscsi' will not be installed, because command 'iscsistart' could not be found!
dracut: dracut module 'iscsi' will not be installed, because command 'iscsi-iname' could not be found!
dracut: *** Including module: bash ***
dracut: *** Including module: caps ***
dracut: *** Including module: i18n ***
dracut: *** Including module: crypt ***
dracut: *** Including module: dm ***
dracut: Skipping udev rule: 64-device-mapper.rules
dracut: Skipping udev rule: 60-persistent-storage-dm.rules
dracut: Skipping udev rule: 55-dm.rules
dracut: *** Including module: kernel-modules ***
dracut: *** Including module: lvm ***
dracut: Skipping udev rule: 64-device-mapper.rules
dracut: Skipping udev rule: 56-lvm.rules
dracut: Skipping udev rule: 60-persistent-storage-lvm.rules
dracut: *** Including module: crypt-gpg ***
dracut: *** Including module: crypt-loop ***
dracut: *** Including module: rootfs-block ***
dracut: *** Including module: terminfo ***
dracut: *** Including module: udev-rules ***
dracut: Skipping udev rule: 40-redhat.rules
dracut: Skipping udev rule: 50-firmware.rules
dracut: Skipping udev rule: 50-udev.rules
dracut: Skipping udev rule: 91-permissions.rules
dracut: Skipping udev rule: 80-drivers-modprobe.rules
dracut: *** Including module: usrmount ***
dracut: *** Including module: base ***
dracut: *** Including module: fs-lib ***
dracut: *** Including module: shutdown ***
dracut: *** Including modules done ***
dracut: *** Installing kernel module dependencies and firmware ***
dracut: *** Installing kernel module dependencies and firmware done ***
dracut: *** Resolving executable dependencies ***
dracut: *** Resolving executable dependencies done***
dracut: *** Pre-linking files ***
dracut: *** Pre-linking files done ***
dracut: *** Stripping files ***
dracut: *** Stripping files done ***
dracut: *** Store current command line parameters ***
dracut: Stored kernel commandline:
dracut: rd.luks.uuid=luks-067d6953-349e-49fc-9aae-2bb2b48dbf45
dracut: root=/dev/mapper/root rootfstype=ext4 rootflags=rw,relatime,data=ordered
dracut: ro
dracut: *** Creating image file '/boot/initramfs-4.6.3-default-pciehp.img' ***
dracut: *** Creating initramfs image file '/boot/initramfs-4.6.3-default-pciehp.img' done ***
$
```

grub.cfg contains:

```
linux /vmlinuz-4.6.3 ro docrypt root=/dev/mapper/luks-067d6953-349e-49fc-9aae-2bb2b48dbf45 fallback=/dev/sda5 rd.luks.key=/sda6key:/dev/sda5:/dev/sda6 ... rd.shell rd.debug log_buf_len=1M rd.retry=4
```

Let's see.

Created attachment 444820 [details]
rdsosreport.txt13

Doesn't work.
(In reply to Martin Mokrejš from comment #13)
> You did not comment on the
>
> /dev/disk/by-partuuid/87391709-06 does not exist

I'm pretty sure that warning was being output because you were passing root=PARTUUID=... on the kernel command line.

I would suggest you find the UUID of the filesystem that is on your luks device, and pass that as the kernel root parameter. That will allow dracut to find it regardless of what the /dev/mapper device gets called.

You can get the UUID from the output of blkid once the /dev/mapper device has been created.

root=UUID=...

(In reply to Alexander Tsoy from comment #14)
> Looks like partuuid symlinks only created for GPT partitions. I just checked
> latest systemd from git:

As of systemd-230, they get created for DOS partitions as well.

https://github.com/systemd/systemd/commit/cf1d3efce9ada4a7401a273b215896bce32610d1

Regardless, passing a PARTUUID for root when root is on an encrypted block device makes absolutely no sense. The luks device will not have a PARTUUID since it is a virtual device to begin with.

(In reply to Mike Gilbert from comment #19)
> I would suggest you find the UUID of the filesystem that is on your luks
> device, and pass that as the kernel root parameter. That will allow dracut
> to find it regardless of what the /dev/mapper device gets called.
>
> You can get the UUID from the output of blkid once the /dev/mapper device
> has been created.
>
> root=UUID=...

```
/dev/sda6: UUID="067d6953-349e-49fc-9aae-2bb2b48dbf45" TYPE="crypto_LUKS" PARTUUID="87391709-06"
```

I thought that I followed the manual properly and used the PARTUUID as it seemed a more general approach; it is accessible before the filesystem UUID. I know I was following some other manuals from the internet, I just do not remember now. man7.org/linux/man-pages/man7/dracut.cmdline.7.html

> Regardless, passing a PARTUUID for root when root is on an encrypted block
> device makes absolutely no sense. The luks device will not have a PARTUUID
> since it is a virtual device to begin with.

But is that my case? /dev/sda is visible, /dev/sda6 as well, so why is the PARTUUID of /dev/sda6 not visible to luks/dracut? Notably, the UUID of /dev/sda6 is visible.

```
# blkid
/dev/sda1: SEC_TYPE="msdos" LABEL="DELLUTILITY" UUID="3030-3030" TYPE="vfat" PARTUUID="87391709-01"
/dev/sda2: LABEL="Recovery" UUID="CC70378A703779F2" TYPE="ntfs" PARTUUID="87391709-02"
/dev/sda3: LABEL="OS" UUID="AC7C4EC27C4E86D4" TYPE="ntfs" PARTUUID="87391709-03"
/dev/sda5: UUID="c9031918-c48b-43ca-b621-e5c669e4160d" TYPE="ext4" PARTUUID="87391709-05"
/dev/sda6: UUID="067d6953-349e-49fc-9aae-2bb2b48dbf45" TYPE="crypto_LUKS" PARTUUID="87391709-06"
/dev/sda7: UUID="67e0a12b-8a1b-4a60-981c-5c6b5dda5619" TYPE="ext4" PARTUUID="87391709-07"
/dev/sda8: PARTUUID="87391709-08"
/dev/mapper/root: UUID="637c34b3-85dc-4d35-a5da-3f9588aaf41c" TYPE="ext4"
#
```

From the many attempts for which I kept the rdsosreport* files it seems I did not try "root=UUID=067d6953-349e-49fc-9aae-2bb2b48dbf45" on the kernel commandline. Thank you. At least I got it right in /etc/dracut.conf.d/crypt-gpg.conf shown in comment #16. Would have been a breeze if the docs spoke about 'TYPE="crypto_LUKS"' instead of 'real root'. 'Real root' does not tell me (not a native speaker) whether that:

1. is the encrypted UUID as seen from the outside,
2. or the decrypted UUID which dracut should obtain after luksOpen,
3. or the /boot partition which the kernel needs to initially mount.

Created attachment 444822 [details]
rdsosreport.txt14

> root=UUID=...

Doesn't work.

Try root=UUID=637c34b3-85dc-4d35-a5da-3f9588aaf41c.

Created attachment 444904 [details]
rdsosreport.txt15

> Try root=UUID=637c34b3-85dc-4d35-a5da-3f9588aaf41c.

No way, /dev/disk/by-uuid/637c34b3-85dc-4d35-a5da-3f9588aaf41c does not exist. See e.g. lines:

```
[ 5.825671] dracut: ///lib/dracut/hooks/pre-udev/30-block-genrules.sh@14(source): wait_for_dev /dev/disk/by-uuid/637c34b3-85dc-4d35-a5da-3f9588aaf41c
[ 9.011186] dracut: //lib/dracut/hooks/initqueue/settled/blocksymlink.sh@1(source): '[' -e /dev/disk/by-uuid/637c34b3-85dc-4d35-a5da-3f9588aaf41c ']'
[ 12.632140] dracut Warning: /dev/disk/by-uuid/637c34b3-85dc-4d35-a5da-3f9588aaf41c does not exist
[ 12.732099] dracut: ///lib/dracut/hooks/emergency/80-x2fdevx2fdiskx2fby-uuidx2f637c34b3-85dc-4d35-a5da-3f9588aaf41c.sh@1(source): warn '/dev/disk/by-uuid/637c34b3-85dc-4d35-a5da-3f9588aaf41c does not exist'
```

Is openrc-0.21.3 really supported?

```
# emerge -pv openrc
These are the packages that would be merged, in order:
Calculating dependencies... done!
[ebuild U ] sys-apps/openrc-0.21.7::gentoo [0.21.3::gentoo] USE="ncurses netifrc pam unicode -audit -debug -newnet (-prefix) (-selinux) -static-libs -tools" 165 KiB
```

I'm not an expert on configuring luks, but it looks like dracut is not successfully opening the luks device. Perhaps something is wrong with your rd.luks.key parameter.

(In reply to Mike Gilbert from comment #20)
> (In reply to Alexander Tsoy from comment #14)
> > Looks like partuuid symlinks only created for GPT partitions. I just checked
> > latest systemd from git:
>
> As of systemd-230, they get created for DOS partitions as well.
>
> https://github.com/systemd/systemd/commit/
> cf1d3efce9ada4a7401a273b215896bce32610d1

Ah, right. I pulled sources from the freedesktop.org git repo which is outdated. =/

> Regardless, passing a PARTUUID for root when root is on an encrypted block
> device makes absolutely no sense. The luks device will not have a PARTUUID
> since it is a virtual device to begin with.

Yes, indeed.

(In reply to Martin Mokrejš from comment #24)
> Is openrc-0.21.3 really supported?

Dracut doesn't make use of anything from openrc.

(In reply to Martin Mokrejš from comment #17)
> Created attachment 444820 [details]
> rdsosreport.txt13
>
> Doesn't work.

Yes, the second issue is that for some reason cryptsetup refuses the key. No idea what's wrong here. Maybe the readkey function outputs some garbage, but this is very unlikely.

```
[ 6.954940] dracut: /sbin/cryptroot-ask@141(main): cryptsetup -d - luksOpen /dev/sda6 root
...
...
[ 6.971468] dracut: /lib/dracut-crypt-lib.sh@188(readkey): local mntp=/mnt/keydev--dev-sda5--sda6key
[ 6.972161] dracut: /lib/dracut-crypt-lib.sh@190(readkey): '[' '!' -d /mnt/keydev--dev-sda5--sda6key ']'
[ 6.972855] dracut: /lib/dracut-crypt-lib.sh@191(readkey): mkdir /mnt/keydev--dev-sda5--sda6key
[ 6.973552] dracut: /lib/dracut-crypt-lib.sh@192(readkey): mount -r /dev/sda5 /mnt/keydev--dev-sda5--sda6key
[ 6.974259] dracut: /lib/dracut-crypt-lib.sh@195(readkey): case "${keypath##*.}" in
[ 6.974972] dracut: /lib/dracut-crypt-lib.sh@215(readkey): cat /mnt/keydev--dev-sda5--sda6key//sda6key
[ 6.975690] dracut: /lib/dracut-crypt-lib.sh@220(readkey): umount /mnt/keydev--dev-sda5--sda6key
[ 6.976404] dracut: /lib/dracut-crypt-lib.sh@221(readkey): rmdir /mnt/keydev--dev-sda5--sda6key
[ 7.752662] dracut: No key available with this passphrase.
```

Do you have all necessary crypto modules compiled into the kernel, or have you compiled them as modules? You can find the needed cipher suite with the following command: "cryptsetup status /dev/mapper/<name of the luks device>".

(In reply to Alexander Tsoy from comment #29)
> Do you have all necessary crypto modules compiled into the kernel, or have
> you compiled them as modules? You can find needed cipher suite with the
> following command: "cryptsetup status /dev/mapper/<name of the luks device>".

First of all, even if I had some only as modules I assume I couldn't boot up from the emergency shell with just the few commands:

```
$ cat /boot/luksmount.sh
#! /bin/sh
cat /sysroot/sda6key | cryptsetup luksOpen /dev/sda6 root
umount /sysroot
mount /dev/mapper/root /sysroot
exit # exit from emerge shell and continue booting
$
```

I just need to decrypt the disk and make it available under the anticipated /dev/mapper/blah filename; then exiting from the emergency shell forces dracut to re-check for the presence of the file, or maybe it just re-checks the mounted filesystem to ensure it looks like a root filesystem. During the course of this bug report, as you may see from the attached logs, I now need to do this instead:

```
$ cat /boot/luksmount2.sh
#! /bin/sh
cat /sysroot/sda6key | cryptsetup luksOpen /dev/sda6 luks-067d6953-349e-49fc-9aae-2bb2b48dbf45
umount /sysroot
mount /dev/mapper/luks-067d6953-349e-49fc-9aae-2bb2b48dbf45 /sysroot
$
```

Anyway, to answer your suggestions:

```
# cryptsetup status /dev/mapper/luks-067d6953-349e-49fc-9aae-2bb2b48dbf45
/dev/mapper/luks-067d6953-349e-49fc-9aae-2bb2b48dbf45 is active and is in use.
  type:    LUKS1
  cipher:  aes-xts-plain64:sha512
  keysize: 512 bits
  device:  /dev/sda6
  offset:  4096 sectors
  size:    2147479552 sectors
  mode:    read/write
#
# gzip -dc /proc/config.gz | grep CRYPTO | grep -v "^#"
CONFIG_BLK_DEV_CRYPTOLOOP=y
CONFIG_CRYPTO=y
CONFIG_CRYPTO_ALGAPI=y
CONFIG_CRYPTO_ALGAPI2=y
CONFIG_CRYPTO_AEAD=y
CONFIG_CRYPTO_AEAD2=y
CONFIG_CRYPTO_BLKCIPHER=y
CONFIG_CRYPTO_BLKCIPHER2=y
CONFIG_CRYPTO_HASH=y
CONFIG_CRYPTO_HASH2=y
CONFIG_CRYPTO_RNG=y
CONFIG_CRYPTO_RNG2=y
CONFIG_CRYPTO_RNG_DEFAULT=y
CONFIG_CRYPTO_AKCIPHER2=y
CONFIG_CRYPTO_AKCIPHER=y
CONFIG_CRYPTO_RSA=y
CONFIG_CRYPTO_MANAGER=y
CONFIG_CRYPTO_MANAGER2=y
CONFIG_CRYPTO_USER=y
CONFIG_CRYPTO_MANAGER_DISABLE_TESTS=y
CONFIG_CRYPTO_GF128MUL=y
CONFIG_CRYPTO_NULL=y
CONFIG_CRYPTO_NULL2=y
CONFIG_CRYPTO_PCRYPT=y
CONFIG_CRYPTO_WORKQUEUE=y
CONFIG_CRYPTO_CRYPTD=y
CONFIG_CRYPTO_MCRYPTD=y
CONFIG_CRYPTO_AUTHENC=y
CONFIG_CRYPTO_ABLK_HELPER=y
CONFIG_CRYPTO_GLUE_HELPER_X86=y
CONFIG_CRYPTO_CCM=y
CONFIG_CRYPTO_GCM=y
CONFIG_CRYPTO_CHACHA20POLY1305=y
CONFIG_CRYPTO_SEQIV=y
CONFIG_CRYPTO_ECHAINIV=y
CONFIG_CRYPTO_CBC=y
CONFIG_CRYPTO_CTR=y
CONFIG_CRYPTO_CTS=y
CONFIG_CRYPTO_ECB=y
CONFIG_CRYPTO_LRW=y
CONFIG_CRYPTO_PCBC=y
CONFIG_CRYPTO_XTS=y
CONFIG_CRYPTO_KEYWRAP=y
CONFIG_CRYPTO_CMAC=y
CONFIG_CRYPTO_HMAC=y
CONFIG_CRYPTO_XCBC=y
CONFIG_CRYPTO_VMAC=y
CONFIG_CRYPTO_CRC32C=y
CONFIG_CRYPTO_CRC32C_INTEL=y
CONFIG_CRYPTO_CRC32=y
CONFIG_CRYPTO_CRC32_PCLMUL=y
CONFIG_CRYPTO_CRCT10DIF=y
CONFIG_CRYPTO_CRCT10DIF_PCLMUL=y
CONFIG_CRYPTO_GHASH=y
CONFIG_CRYPTO_POLY1305=y
CONFIG_CRYPTO_POLY1305_X86_64=y
CONFIG_CRYPTO_MD4=y
CONFIG_CRYPTO_MD5=y
CONFIG_CRYPTO_MICHAEL_MIC=y
CONFIG_CRYPTO_RMD128=y
CONFIG_CRYPTO_RMD160=y
CONFIG_CRYPTO_RMD256=y
CONFIG_CRYPTO_RMD320=y
CONFIG_CRYPTO_SHA1=y
CONFIG_CRYPTO_SHA1_SSSE3=y
CONFIG_CRYPTO_SHA256_SSSE3=y
CONFIG_CRYPTO_SHA512_SSSE3=y
CONFIG_CRYPTO_SHA1_MB=y
CONFIG_CRYPTO_SHA256=y
CONFIG_CRYPTO_SHA512=y
CONFIG_CRYPTO_TGR192=y
CONFIG_CRYPTO_WP512=y
CONFIG_CRYPTO_GHASH_CLMUL_NI_INTEL=y
CONFIG_CRYPTO_AES=y
CONFIG_CRYPTO_AES_X86_64=y
CONFIG_CRYPTO_AES_NI_INTEL=y
CONFIG_CRYPTO_ANUBIS=y
CONFIG_CRYPTO_ARC4=y
CONFIG_CRYPTO_BLOWFISH=y
CONFIG_CRYPTO_BLOWFISH_COMMON=y
CONFIG_CRYPTO_BLOWFISH_X86_64=y
CONFIG_CRYPTO_CAMELLIA=y
CONFIG_CRYPTO_CAMELLIA_X86_64=y
CONFIG_CRYPTO_CAMELLIA_AESNI_AVX_X86_64=y
CONFIG_CRYPTO_CAMELLIA_AESNI_AVX2_X86_64=y
CONFIG_CRYPTO_CAST_COMMON=y
CONFIG_CRYPTO_CAST5=y
CONFIG_CRYPTO_CAST5_AVX_X86_64=y
CONFIG_CRYPTO_CAST6=y
CONFIG_CRYPTO_CAST6_AVX_X86_64=y
CONFIG_CRYPTO_DES=y
CONFIG_CRYPTO_DES3_EDE_X86_64=y
CONFIG_CRYPTO_FCRYPT=y
CONFIG_CRYPTO_KHAZAD=y
CONFIG_CRYPTO_SALSA20=y
CONFIG_CRYPTO_SALSA20_X86_64=y
CONFIG_CRYPTO_CHACHA20=y
CONFIG_CRYPTO_CHACHA20_X86_64=y
CONFIG_CRYPTO_SEED=y
CONFIG_CRYPTO_SERPENT=y
CONFIG_CRYPTO_SERPENT_SSE2_X86_64=y
CONFIG_CRYPTO_SERPENT_AVX_X86_64=y
CONFIG_CRYPTO_SERPENT_AVX2_X86_64=y
CONFIG_CRYPTO_TEA=y
CONFIG_CRYPTO_TWOFISH=y
CONFIG_CRYPTO_TWOFISH_COMMON=y
CONFIG_CRYPTO_TWOFISH_X86_64=y
CONFIG_CRYPTO_TWOFISH_X86_64_3WAY=y
CONFIG_CRYPTO_TWOFISH_AVX_X86_64=y
CONFIG_CRYPTO_DEFLATE=y
CONFIG_CRYPTO_LZO=y
CONFIG_CRYPTO_842=y
CONFIG_CRYPTO_LZ4=y
CONFIG_CRYPTO_LZ4HC=y
CONFIG_CRYPTO_ANSI_CPRNG=y
CONFIG_CRYPTO_DRBG_MENU=y
CONFIG_CRYPTO_DRBG_HMAC=y
CONFIG_CRYPTO_DRBG_HASH=y
CONFIG_CRYPTO_DRBG_CTR=y
CONFIG_CRYPTO_DRBG=y
CONFIG_CRYPTO_JITTERENTROPY=y
CONFIG_CRYPTO_USER_API=y
CONFIG_CRYPTO_USER_API_HASH=y
CONFIG_CRYPTO_USER_API_SKCIPHER=y
CONFIG_CRYPTO_USER_API_RNG=y
CONFIG_CRYPTO_USER_API_AEAD=y
CONFIG_CRYPTO_HASH_INFO=y
CONFIG_CRYPTO_HW=y
# gzip -dc /proc/config.gz | grep MD | grep -v "^#"
CONFIG_ARCH_WANT_HUGE_PMD_SHARE=y
CONFIG_CPU_SUP_AMD=y
CONFIG_ARCH_ENABLE_SPLIT_PMD_PTLOCK=y
CONFIG_AMD_NB=y
CONFIG_SCTP_DEFAULT_COOKIE_HMAC_MD5=y
CONFIG_SCTP_COOKIE_HMAC_MD5=y
CONFIG_ATA_BMDMA=y
CONFIG_MD=y
CONFIG_BLK_DEV_MD=y
CONFIG_MD_AUTODETECT=y
CONFIG_MD_LINEAR=y
CONFIG_MD_RAID0=y
CONFIG_MD_RAID1=y
CONFIG_MD_RAID10=y
CONFIG_MD_RAID456=y
CONFIG_FB_CMDLINE=y
CONFIG_CRYPTO_MD4=y
CONFIG_CRYPTO_MD5=y
CONFIG_CRYPTO_RMD128=y
CONFIG_CRYPTO_RMD160=y
CONFIG_CRYPTO_RMD256=y
CONFIG_CRYPTO_RMD320=y
# gzip -dc /proc/config.gz | grep DM | grep -v "^#"
CONFIG_NEED_DMA_MAP_STATE=y
CONFIG_NEED_SG_DMA_LENGTH=y
CONFIG_GENERIC_ISA_DMA=y
CONFIG_ZONE_DMA32=y
CONFIG_HAVE_DMA_CONTIGUOUS=y
CONFIG_HAVE_DMA_API_DEBUG=y
CONFIG_LDM_PARTITION=y
CONFIG_ZONE_DMA=y
CONFIG_DMI=y
CONFIG_ARCH_DMA_ADDR_T_64BIT=y
CONFIG_ZONE_DMA_FLAG=1
CONFIG_ISA_DMA_API=y
CONFIG_X86_DEV_DMA_OPS=y
CONFIG_DMA_SHARED_BUFFER=y
CONFIG_SCSI_DMA=y
CONFIG_ATA_BMDMA=y
CONFIG_BLK_DEV_DM_BUILTIN=y
CONFIG_BLK_DEV_DM=y
CONFIG_DM_BUFIO=y
CONFIG_DM_BIO_PRISON=y
CONFIG_DM_PERSISTENT_DATA=y
CONFIG_DM_CRYPT=y
CONFIG_DM_SNAPSHOT=y
CONFIG_DM_THIN_PROVISIONING=y
CONFIG_DM_MIRROR=y
CONFIG_DM_RAID=y
CONFIG_DM_ZERO=y
CONFIG_DM_UEVENT=y
CONFIG_HDMI=y
CONFIG_SND_DMA_SGBUF=y
CONFIG_SND_HDA_CODEC_HDMI=y
CONFIG_USB_WDM=y
CONFIG_DMAR_TABLE=y
CONFIG_DMIID=y
CONFIG_DMI_SYSFS=y
CONFIG_DMI_SCAN_MACHINE_NON_EFI_FALLBACK=y
CONFIG_HAVE_C_RECORDMCOUNT=y
CONFIG_HAS_DMA=y
#
```

(In reply to Martin Mokrejš from comment #30)

Ah. I've got it. There is a difference between issuing cryptsetup with '-d -' and without it. Without '-d -' the trailing new line is stripped from the stdin. ;) (see NOTES ON PASSPHRASE PROCESSING FOR PLAIN MODE in the man cryptsetup)

I just tried to reproduce this:

```
$ cat /tmp/lukspass
WqUktlXy8QKFNnWy6Yd9t7Ik8fyhJj
$ cat /tmp/lukspass | sudo cryptsetup luksFormat /dev/mapper/vg_system-test
$ cat /tmp/lukspass | sudo cryptsetup open --type luks /dev/mapper/vg_system-test crypttest
$ echo $?
0
$ sudo cryptsetup close crypttest
```

Now let's try with '-d -':

```
$ cat /tmp/lukspass | sudo cryptsetup open --type luks -d - /dev/mapper/vg_system-test crypttest
No key available with this passphrase.
$ echo WqUktlXy8QKFNnWy6Yd9t7Ik8fyhJj | sudo cryptsetup open --type luks -d - /dev/mapper/vg_system-test crypttest
No key available with this passphrase.
$ echo -n WqUktlXy8QKFNnWy6Yd9t7Ik8fyhJj | sudo cryptsetup open --type luks -d - /dev/mapper/vg_system-test crypttest
$ echo $?
0
```

Please try to create a new key slot with a proper key that can be passed to cryptsetup with '-d -'.

(In reply to Alexander Tsoy from comment #31)
> see NOTES ON PASSPHRASE PROCESSING FOR PLAIN MODE

I mean FOR LUKS of course, but there is no difference in processing stdin.

(In reply to Alexander Tsoy from comment #31)
> Please try to create a new key slot with proper key that can be passed to
> cryptsetup with '-d -'

Honestly, the documentation for cryptsetup seemed too messy to me, and the '-d -' especially. Why doesn't it work with my /boot/sda6key file? It does contain '\n' on the single line. Would adding a second '\n' help? Anyway, so what do you want me to test? What do you mean by "proper key that can be passed to cryptsetup with ..."? What is wrong with my key in slot 0? Thank you anyway for your kind analysis!

(In reply to Martin Mokrejš from comment #33)

Without '-d -' cryptsetup reads the passphrase up to the first newline character, so I was not 100% correct in my previous comment. I think the following command should be enough to make dracut happy:

```
cat <path>/sda6key | cryptsetup luksAddKey <device> <path>/sda6key
```

If the system boots up properly, then you can remove key slot 0.

```
# cryptsetup status luks-067d6953-349e-49fc-9aae-2bb2b48dbf45
/dev/mapper/luks-067d6953-349e-49fc-9aae-2bb2b48dbf45 is active and is in use.
  type:    LUKS1
  cipher:  aes-xts-plain64:sha512
  keysize: 512 bits
  device:  /dev/sda6
  offset:  4096 sectors
  size:    2147479552 sectors
  mode:    read/write
# cat /boot/sda6key | cryptsetup luksAddKey luks-067d6953-349e-49fc-9aae-2bb2b48dbf45 /boot/sda6key
Device luks-067d6953-349e-49fc-9aae-2bb2b48dbf45 doesn't exist or access denied.
#
# ls -latr /dev/mapper/
total 0
lrwxrwxrwx  1 root root     7 Sep 20 08:35 luks-067d6953-349e-49fc-9aae-2bb2b48dbf45 -> ../dm-0
drwxr-xr-x 18 root root 14000 Sep 20 08:35 ..
drwxr-xr-x  2 root root    80 Sep 20  2016 .
crw-------  1 root root 10, 236 Sep 20  2016 control
#
# ls -latr /dev/dm-0
brw-rw---- 1 root disk 253, 0 Sep 20 08:35 /dev/dm-0
#
```

I forgot to show what I tried at first.

```
# cat /boot/sda6key | cryptsetup luksAddKey /dev/mapper/luks-067d6953-349e-49fc-9aae-2bb2b48dbf45 /boot/sda6key
Device /dev/mapper/luks-067d6953-349e-49fc-9aae-2bb2b48dbf45 is not a valid LUKS device.
#
```

strace(1) shows this is merely correct, because cryptsetup tries to open the device directly, without prepending '/dev/' or '/dev/mapper/' to it. So, trying to pass it the not decrypted device now:

```
# cat /boot/sda6key | cryptsetup luksAddKey /dev/sda6 /boot/sda6key
#
```

OK, this went through. Can I list used key slots for a LUKS device? I don't see anything like that in 'cryptsetup --help'. :(

(In reply to Martin Mokrejš from comment #36)

luksDump should do the trick:

```
cryptsetup luksDump /dev/sda6
```

Created attachment 446872 [details]
rdsosreport.txt16
So, addition of the same key into slot 1 helped. The attached rdsos file shows the device was assembled as /dev/mapper/root. Because my kernel commandline contained for about the last month "root=UUID=637c34b3-85dc-4d35-a5da-3f9588aaf41", dracut failed to continue. Also, mounting the /dev/mapper/root as /sysroot kept failing with:

```
mount: unknown filesystem type 'crypto_LUKS'
dracut Warning: Failed to mount -t crypto_LUKS -o rw,relatime,data=ordered,ro,ro /dev/disk/by-uuid/067d6953-349e-49fc-9aae-2bb2b48dbf45 /sysroot
dracut Warning: *** An error occurred during the file system check.
dracut Warning: *** Dropping you to a shell; the system will try
dracut Warning: *** to mount the filesystem(s), when you leave the shell.
```

It seemed to me so far that if something looking reasonably similar to a root filesystem is mounted into /sysroot then dracut will just try to boot it. That does not seem to be the case now. I was going to hack /lib/dracut-lib.sh, but because I have no good editor (vim) in the ramdisk, I gave up the attempt to comment out the above mount call.

The only way out was to give up and reboot, reverting my kernel commandline to root=/dev/mapper/root. For that I will upload the dmesg17.txt file, because I do not know how to tell dracut to save the rdsos file for me during booting.

I think you could run diff on the attached logs to pinpoint the differences and find the problematic places, right?
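The key-slot mismatch Alexander Tsoy explains in comments #31 and #34, and the luksAddKey fix confirmed above, replayed as an added Python model; this is not dracut's or cryptsetup's code. The header is reduced to per-slot (salt, PBKDF2-HMAC-SHA512 digest) pairs with a tiny iteration count, the anti-forensic splitter and master-key wrapping of real LUKS1 are omitted, and the key file bytes are constructed from the passphrase Alexander used plus the trailing newline Martin's /boot/sda6key carried.

```python
"""Model of how cryptsetup turns stdin into key material in its two input
modes, reproducing why 'cat key | cryptsetup luksOpen' succeeds while
dracut's 'cryptsetup -d - luksOpen' fails on a key file ending in '\\n'.
Added example; the LUKS1 header here is a deliberate simplification.
"""
import hashlib
import os
from dataclasses import dataclass
from typing import List, Optional

ITERATIONS = 2000  # real LUKS1 headers benchmark this; kept small for the demo


def passphrase_mode(stdin: bytes) -> bytes:
    """cryptsetup without -d: stdin is a passphrase, read up to the first newline."""
    return stdin.split(b"\n", 1)[0]


def keyfile_mode(stdin: bytes) -> bytes:
    """cryptsetup with '-d -' (or a key-file path): every byte is key material."""
    return stdin


def keyfile_is_mode_independent(data: bytes) -> bool:
    """True when both input modes yield identical key material (no newline at all)."""
    return b"\n" not in data


@dataclass
class KeySlot:
    salt: bytes
    digest: bytes


class FakeLuks1Header:
    """Eight key slots; a slot 'opens' when PBKDF2 of the candidate matches its digest."""

    def __init__(self) -> None:
        self.slots: List[Optional[KeySlot]] = [None] * 8

    @staticmethod
    def _derive(key_material: bytes, salt: bytes) -> bytes:
        # The volume on the page is aes-xts-plain64:sha512 with a 512-bit key.
        return hashlib.pbkdf2_hmac("sha512", key_material, salt, ITERATIONS, dklen=64)

    def open(self, key_material: bytes) -> Optional[int]:
        """luksOpen: index of the matching slot, or None
        ('No key available with this passphrase.')."""
        for idx, slot in enumerate(self.slots):
            if slot is not None and self._derive(key_material, slot.salt) == slot.digest:
                return idx
        return None

    def add_key(self, new_material: bytes, existing: Optional[bytes] = None) -> int:
        """luksFormat (no existing key) or luksAddKey (an existing key must open a slot).
        Fills the first free slot and returns its index."""
        if existing is not None and self.open(existing) is None:
            raise PermissionError("No key available with this passphrase.")
        idx = self.slots.index(None)
        salt = os.urandom(32)
        self.slots[idx] = KeySlot(salt, self._derive(new_material, salt))
        return idx


def replay_bug_report(keyfile_contents: bytes) -> dict:
    """Replay the thread's command sequence against one fake header."""
    hdr = FakeLuks1Header()
    # 'cat /boot/sda6key | cryptsetup luksFormat /dev/sda6': passphrase mode fills slot 0.
    results = {"format_slot": hdr.add_key(passphrase_mode(keyfile_contents))}
    # Emergency-shell 'cat /sysroot/sda6key | cryptsetup luksOpen ...' also uses passphrase mode.
    results["manual_luksOpen"] = hdr.open(passphrase_mode(keyfile_contents))
    # dracut's 'cryptsetup -d - luksOpen' feeds the whole file, newline included: mismatch.
    results["dracut_dash_d_before_fix"] = hdr.open(keyfile_mode(keyfile_contents))
    # 'cat /boot/sda6key | cryptsetup luksAddKey /dev/sda6 /boot/sda6key':
    # stdin (passphrase mode) authorises, the file argument (whole bytes) becomes slot 1.
    results["luksAddKey_slot"] = hdr.add_key(
        keyfile_mode(keyfile_contents), existing=passphrase_mode(keyfile_contents)
    )
    results["dracut_dash_d_after_fix"] = hdr.open(keyfile_mode(keyfile_contents))
    return results


if __name__ == "__main__":
    # Constructed key file: passphrase from comment #31 plus a trailing newline.
    SAMPLE_KEYFILE = b"WqUktlXy8QKFNnWy6Yd9t7Ik8fyhJj\n"
    for name, value in replay_bug_report(SAMPLE_KEYFILE).items():
        print(f"{name:26} -> {value}")
    print("mode independent:", keyfile_is_mode_independent(SAMPLE_KEYFILE))
```

A key file with no newline at all opens the same slot in both modes, which is the simplest way to keep a single slot valid for both the manual and the `-d -` path.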
Created attachment 446874 [details]
dmesg17.txt
root=/dev/mapper/root on the kernel commandline needs to be specified because dracut assembles the luks device as /dev/mapper/root. If that does not match the kernel commandline then dracut gives up mistakenly and dumps me into an emergency shell.
So one of the additional problems is that my mount -t crypto_LUKS complains about unknown filesystem type.