Bug 278784 - sys-fs/cryptsetup-1.0.6-r2: dmcrypt post_mount commands do not run
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Core system
Hardware: All Linux
Importance: High normal
Assignee: Gentoo's Team for Core System packages
Reported: 2009-07-23 00:46 UTC by Jack Lloyd
Modified: 2011-01-14 00:31 UTC

Attachments
My /etc/conf.d/dmcrypt (dmcrypt, 3.17 KB, text/plain)
2009-07-23 00:46 UTC, Jack Lloyd
/bin/setup_crypt_tmp (setup_crypt_tmp, 153 bytes, text/plain)
2009-07-23 00:47 UTC, Jack Lloyd
boot log (rc.log, 3.16 KB, text/plain)
2009-07-23 00:48 UTC, Jack Lloyd

Description Jack Lloyd 2009-07-23 00:46:26 UTC
In attempting to get encrypted /tmp, I discovered that the post_mount command in /etc/conf.d/dmcrypt does not seem to run (at all).

I set a post_mount command of

post_mount='/bin/setup_crypt_tmp ${mount_point}'

with setup_crypt_tmp being a shell script I wrote that sets the mode to 1777 and also mkdir's /tmp/portage (so I can symlink /var/tmp to /tmp, and mount a tmpfs for portage). I also echo a line into a file in /root when this happens - but, alas, it does not. (Initially I just did the chmod directly in the post_mount line, but when it did not work I tried the shell script so as to attempt to track things down)

All this is going more or less off the examples included in the dmcrypt config and what is on the wiki, but seemingly something is off kilter. I looked at /lib/rcscripts/addons/dm-crypt-start.sh trying to figure out how exactly the localmount stuff happens but am clearly missing some vital knowledge.


Reproducible: Always

Steps to Reproduce:




Portage 2.1.6.13 (default/linux/amd64/2008.0/desktop, gcc-4.3.3, glibc-2.10.1-r0, 2.6.29-gentoo-r5 x86_64)
=================================================================
System uname: Linux-2.6.29-gentoo-r5-x86_64-Intel-R-_Core-TM-2_Quad_CPU_Q6600_@_2.40GHz-with-glibc2.2.5
Timestamp of tree: Wed, 22 Jul 2009 07:00:01 +0000
ccache version 2.4 [enabled]
app-shells/bash:     3.2_p39
dev-java/java-config: 1.3.7-r1, 2.1.8-r1
dev-lang/python:     2.5.4-r3
dev-python/pycrypto: 2.0.1-r8
dev-util/ccache:     2.4-r7
dev-util/cmake:      2.6.4
sys-apps/baselayout: 2.0.1
sys-apps/openrc:     0.4.3-r3
sys-apps/sandbox:    1.6-r2
sys-devel/autoconf:  2.13, 2.63
sys-devel/automake:  1.6.3, 1.7.9-r1, 1.9.6-r2, 1.10.2
sys-devel/binutils:  2.18-r3
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   1.5.26
virtual/os-headers:  2.6.27-r2
ACCEPT_KEYWORDS="amd64"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=core2 -O2 -pipe -momit-leaf-frame-pointer"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/config /var/bind /var/lib/hsqldb"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c /etc/udev/rules.d"
CXXFLAGS="-march=core2 -O2 -pipe -momit-leaf-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="ccache distlocks fixpackages parallel-fetch protect-owned sandbox sfperms strict unmerge-orphans userfetch"
GENTOO_MIRRORS="http://mirror.datapipe.net/gentoo http://gentoo.mirrors.pair.com/ http://chi-10g-1-mirror.fastsoft.net/pub/linux/gentoo/gentoo-distfiles/"
LANG="C"
LDFLAGS="-Wl,-O1"
LINGUAS="en"
MAKEOPTS="-j5"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/portage/local/layman/sunrise /usr/portage/local/layman/haxe /usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X a52 aac acl acpi alsa amd64 apache2 bash-completion berkdb branding bzip2 cairo cdr cli cracklib crypt cups dbus doc dri dvd dvdr dvdread emacs encode esd fam firefox flac fortran gdbm gmp gstreamer gtk hal iconv jpeg libnotify mad mbox midi mmx mp3 mpeg mudflap multilib ncurses nls nptl nptlonly offensive ogg opengl openmp pam pcre pdf perl png postgres ppds python qt3support qt4 quicktime readline reflection sdl session spell spl sqlite sse sse2 ssl startup-notification svg sysfs tcpd threads tiff truetype unicode usb vorbis xml xorg xulrunner xv zlib" ALSA_CARDS="hda-intel" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic auth_digest authn_anon authn_default authn_file authz_groupfile authz_host authz_owner authz_user autoindex cache deflate dir env expires ext_filter file_cache filter headers imagemap include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif so status suexec unique_id userdir usertrack vhost_alias fastcgi" APACHE2_MPMS="worker" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en" USERLAND="GNU" VIDEO_CARDS="intel"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LC_ALL, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 1 Jack Lloyd 2009-07-23 00:46:51 UTC
Created attachment 198860
My /etc/conf.d/dmcrypt
Comment 2 Jack Lloyd 2009-07-23 00:47:28 UTC
Created attachment 198861
/bin/setup_crypt_tmp
Comment 3 Jack Lloyd 2009-07-23 00:48:04 UTC
Created attachment 198863
boot log
Comment 4 Jani Saarenpää 2009-07-23 22:07:17 UTC
I can confirm this bug with amd64.

/etc/conf.d/dmcrypt
-----
target=crypt-tmp
source='/dev/disk/by-id/ata-WDC_WD6401AALS-00L3B2_WD-WCASY5783237-part3'
key='/dev/urandom'
options='-c aes-cbc-essiv:sha256'
pre_mount='/sbin/mkfs.ext2 -L crypto-tmp ${dev}'
post_mount='chown root:root ${mount_point}; chmod 1777 ${mount_point}'
------

(In reply to comment #3)
> Created an attachment (id=198863) [edit]
> boot log
> 

   OpenRC 0.4.3 is starting up Gentoo Linux (x86_64)

Press I to enter interactive boot mode

* Mounting /proc...                                                       [ ok ]
* Mounting /sys...                                                        [ ok ]
* Mounting debug filesystem...                                            [ ok ]
* Mounting /dev...                                                        [ ok ]
* Starting udevd...                                                       [ ok ]
* Populating /dev with existing devices through uevents...                [ ok ]
* Waiting for uevents to be processed...                                  [ ok ]
* Device initiated services: net.eth0
* Mounting /dev/pts...                                                    [ ok ]
* Mounting /dev/shm...                                                    [ ok ]
* Setting system clock using the hardware clock [UTC]...                  [ ok ]
* Autoloaded 0 module(s)
*   device-mapper uses addon code which is deprecated
*   and may not be available in the future.
* Setting up dm-crypt mappings...
* Checking swap is not LUKS
* dm-crypt map crypt-swap...
* cryptsetup will be called with : -c aes -h sha1 -d /dev/urandom create crypt-swap /dev/disk/by-id/ata-WDC_WD6401AALS-00L3B2_WD-WCASY5803499-part3       [ ok ]
*   Running pre_mount commands for crypt-swap...                          [ ok ]
* dm-crypt map crypt-tmp...
* cryptsetup will be called with : -c aes-cbc-essiv:sha256 create crypt-tmp /dev/disk/by-id/ata-WDC_WD6401AALS-00L3B2_WD-WCASY5783237-part3               [ ok ]
*   Running pre_mount commands for crypt-tmp...
mke2fs 1.41.3 (12-Oct-2008)                                               [ ok ]
* Checking local filesystems ...
/dev/disk/by-uuid/23fafc47-37dc-431f-9da2-fc9e0c67f772: clean, 431984/3278576 files, 1822681/13109024 blocks
/dev/disk/by-uuid/7362ee33-b769-4be2-b878-6adb518be0c9: clean, 41/28112 files, 22591/112320 blocks
crypto-tmp: clean, 11/262944 files, 18570/1050249 blocks                  [ ok ]
* Remounting root filesystem read/write...                                [ ok ]
* Updating /etc/mtab...                                                   [ ok ]
* Mounting local filesystems...                                           [ ok ]
* Setting hostname to Machine...                                          [ ok ]
* Configuring kernel parameters...                                        [ ok ]
* Creating user login records...                                          [ ok ]
* Cleaning /var/run...                                                    [ ok ]
* Wiping /tmp directory...                                                [ ok ]
* Loading ALSA modules...                                                 [ ok ]
* Restoring Mixer Levels...                                               [ ok ]
* Setting terminal encoding [UTF-8]...                                    [ ok ]
* Setting console font [lat9v-08]...                                      [ ok ]
* Loading key mappings [fi-latin9]...                                     [ ok ]
* Fixing font for euro symbol...                                          [ ok ]
* Setting keyboard mode [UTF-8]...                                        [ ok ]
* Bringing up interface lo
*   127.0.0.1/8...                                                        [ ok ]
*   Adding routes
*     127.0.0.0/8 via 127.0.0.1...                                        [ ok ]
* Bringing up interface eth0
*   dhcp...
*     Running dhcpcd...
eth0: dhcpcd 4.0.13 starting
eth0: broadcasting for a lease
eth0: offered 192.168.1.130 from 192.168.1.1
eth0: acknowledged 192.168.1.130 from 192.168.1.1
eth0: checking 192.168.1.130 is available on attached networks
eth0: leased 192.168.1.130 for 86400 seconds                              [ ok ]
*     received address 192.168.1.130/24                                   [ ok ]
* Mounting USB device filesystem [usbfs]...                               [ ok ]
* Mounting misc binary format filesystem...                               [ ok ]
* Activating swap devices...                                              [ ok ]
* Initializing random number generator...                                 [ ok ]
INIT: Entering runlevel: 3
* Starting syslog-ng...                                                   [ ok ]
* Starting acpid...                                                       [ ok ]
* Starting D-BUS system messagebus...                                     [ ok ]
* Starting Hardware Abstraction Layer daemon...                           [ ok ]
* Mounting network filesystems...                                         [ ok ]
* Starting vixie-cron...                                                  [ ok ]
* Starting local...                                                       [ ok ]
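
The boot log above reports every step as [ ok ] even though the post_mount commands never ran, so the only way to notice is to inspect the mount point afterwards. The following check is an added example, not part of the original thread or of the cryptsetup package; the function name check_mount_point and its defaults (root:root, mode 1777, as in the post_mount line of this comment) are assumptions, and it requires GNU stat.

```shell
#!/bin/sh
# Added example: verify that a dmcrypt post_mount hook such as
#   post_mount='chown root:root ${mount_point}; chmod 1777 ${mount_point}'
# actually took effect on the mounted filesystem. Requires GNU stat.

# check_mount_point DIR [UID:GID] [MODE]
# Prints one line per finding. Returns 0 when DIR matches the expected
# owner and mode, 1 on any mismatch, 2 when DIR cannot be inspected.
check_mount_point() {
    dir=$1
    want_owner=${2:-0:0}   # numeric uid:gid, default root:root
    want_mode=${3:-1777}   # octal mode, default sticky + world-writable

    if [ ! -d "$dir" ]; then
        echo "ERROR: $dir is not a directory"
        return 2
    fi

    have_owner=$(stat -c '%u:%g' "$dir") || return 2
    have_mode=$(stat -c '%a' "$dir") || return 2
    rc=0

    if [ "$have_owner" != "$want_owner" ]; then
        echo "MISMATCH: $dir owner is $have_owner, expected $want_owner"
        rc=1
    fi
    # A freshly created filesystem has a 755 root directory; if the
    # post_mount chmod was skipped, this is the value that shows up here.
    if [ "$have_mode" != "$want_mode" ]; then
        echo "MISMATCH: $dir mode is $have_mode, expected $want_mode"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: $dir is owned by $have_owner with mode $have_mode"
    fi
    return "$rc"
}
```

Calling `check_mount_point /tmp` from a late init step (for example the local service) turns a silently skipped post_mount into a visible failure.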
Comment 5 Jani Saarenpää 2009-07-23 22:09:23 UTC
I have to sleep more to see that it was an answer not a question.
Comment 6 Jack Lloyd 2009-07-25 13:56:33 UTC
A workaround for this particular case (encrypted /tmp) is to use a larger encrypted swap and make /tmp a tmpfs, which has the same effect since if VM space gets tight the /tmp contents will be pushed to the (encrypted) swap. The tmpfs won't be persistent, but neither will encrypted /tmp (unless one sets a persistent key for the partition, which would probably work fine without needing a post_mount command, though I haven't attempted it), so these approaches seem to be more or less functionally equivalent.
Comment 7 quazgar 2011-01-09 13:50:36 UTC
I never noticed this before, but with my current cryptsetup (1.1.3-r2), I hit this (or something very similar).

Jack: Could you see if this can be reproduced with more recent (stable) versions of the cryptsetup package?
Comment 8 Martin Kolleck 2011-01-11 09:52:50 UTC
I can confirm this started (again?) with cryptsetup-1.1.3-r2 which is the current stable version. This does not happen with 1.1.2 which is the previous stable version currently in portage.

A diff on /lib/rcscripts/addons/dm-crypt-start.sh from both versions shows that the newer version sets SVCNAME=dmcrypt for localmount. That way, dm_crypt_execute_localmount() never gets executed. Instead, dm_crypt_execute_dmcrypt() is executed twice. The second time it simply complains that all configured mappings are already active.

I do not have enough expertise with the Gentoo start scripts to be able to suggest a patch. A naive solution would be to remove the current test for localmount, but I assume the developer put that explicitly there for a good reason.

Btw. stable baselayout is 1.12.14-r1 on amd64.
Comment 9 quazgar 2011-01-11 17:55:55 UTC
Should this block the stablereq #350044 ?
Comment 10 SpanKY gentoo-dev 2011-01-11 19:10:35 UTC
stable requests are never blocked by non-regression bugs
Comment 11 quazgar 2011-01-12 00:15:01 UTC
Yes, but this is a regression, since this behaviour did not occur in 1.1.2.
Comment 12 SpanKY gentoo-dev 2011-01-12 00:50:40 UTC
this bug would indicate differently.  notice how the summary says 1.0.6.
Comment 13 quazgar 2011-01-13 18:02:53 UTC
Ok, so what would be the correct way then?  Have the summary changed by someone with sufficient rights?  Or open a new bug (because most probably only the symptoms, but not the cause are the same)?
Comment 14 quazgar 2011-01-13 23:40:47 UTC
Seems to be fixed in 1.1.3-r3:

http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/sys-fs/cryptsetup/files/1.1.3-dm-crypt-start.sh?r1=1.4&r2=1.5

The check for "localmount" now works as expected.

I think this bug is finally resolved&dead now.
Comment 15 quazgar 2011-01-13 23:42:11 UTC
(In reply to comment #14)
> I think this bug is finally resolved&dead now.

(At least as far as 1.1.3-r3 is concerned.)