After upgrading from 'sys-kernel/dracut-037-r3' it's not possible anymore to boot a system which has two encrypted HDDs and is running kernel >=3.18. While booting, the passphrase for the primary HDD is asked for by the script. After that it seems the script tries to encrypt the primary HDD a second time instead of encrypting the 2nd HDD, which is included in /etc/crypttab and should be encrypted via key file. Using an initramfs file created with dracut-037 works fine, regardless of which kernel version is used.

Reproducible: Always

Portage 2.2.14 (python 3.3.5-final-0, default/linux/amd64/13.0, gcc-4.8.4, glibc-2.19-r1, 3.18.5-gentoo x86_64)
=================================================================
System Settings
=================================================================
System uname: Linux-3.18.5-gentoo-x86_64-Intel-R-_Core-TM-_i7-3770_CPU_@_3.40GHz-with-gentoo-2.2
KiB Mem: 16464684 total, 14922612 free
KiB Swap: 20971516 total, 20971516 free
Timestamp of tree: Sat, 31 Jan 2015 10:15:01 +0000
ld GNU ld (Gentoo 2.24 p1.4) 2.24
app-shells/bash: 4.2_p53
dev-lang/perl: 5.18.2-r2
dev-lang/python: 2.7.9-r1, 3.3.5-r1, 3.4.1
dev-util/cmake: 2.8.12.2-r1
dev-util/pkgconfig: 0.28-r2
sys-apps/baselayout: 2.2
sys-apps/openrc: 0.13.8
sys-apps/sandbox: 2.6-r1
sys-devel/autoconf: 2.13, 2.69
sys-devel/automake: 1.10.3-r1, 1.11.6-r1, 1.12.6, 1.13.4
sys-devel/binutils: 2.24-r3
sys-devel/gcc: 4.8.4
sys-devel/gcc-config: 1.7.3
sys-devel/libtool: 2.4.4
sys-devel/make: 4.0-r1
sys-kernel/linux-headers: 3.16 (virtual/os-headers)
sys-libs/glibc: 2.19-r1
Repositories: gentoo cross_dev owncloud-client aidecoe poly-c qt steam-overlay unity-gentoo temilun_overlay
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=native -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/lib64/libreoffice/program/sofficerc /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf
/etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo" CXXFLAGS="-march=native -O2 -pipe" DISTDIR="/usr/portage/distfiles" EMERGE_DEFAULT_OPTS="--with-bdeps=y" FCFLAGS="-O2 -pipe" FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch preserve-libs protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync" FFLAGS="-O2 -pipe" GENTOO_MIRRORS="ftp://de-mirror.org/gentoo/ http://de-mirror.org/gentoo/" LANG="de_DE.utf8" LDFLAGS="-Wl,-O1 -Wl,--as-needed" MAKEOPTS="-j9" PKGDIR="/usr/portage/packages" PORTAGE_CONFIGROOT="/" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/usr/local/portage/cross_dev /var/lib/layman/owncloud-client /var/lib/layman/aidecoe /var/lib/layman/poly-c /var/lib/layman/qt /var/lib/layman/steam-overlay /home/mirko/git/unity-gentoo /home/mirko/git/temilun_overlay" SYNC="rsync://rsync.de.gentoo.org/gentoo-portage" USE="X a52 aac acl acpi aes alsa amd64 avx ayatana bash-completion battery berkdb branding bzip2 cairo cdda cdr cli colord corefonts cpudetection cracklib crypt cryptsetup cups cxx dbus device-mapper dhcpd dri dts dvd dvdr eds emboss encode evo exif fam firefox flac fortran fuse gdbm gif git glamor gnome gnome-keyring gnome-online-accounts gpm gstreamer gtk gtk3 iconv introspection ipv6 jpeg lcms ldap libnotify libsecret lm_sensors mad mmx mmxext mng modules mp3 mp4 mpeg mtp multilib nautilus ncurses networkmanager nfs nls nptl ntpl ogg opengl openmp pam pango pcre pdf plymouth png policykit popcnt ppds pulseaudio qt3support qt4 readline resolvconf sdl session shared-dricore socialweb spell sse sse2 sse3 sse4_1 sse4_2 ssl ssse3 startup-notification 
subversion svg systemd tcpd threads tiff truetype type3 udev udisks unicode upower usb vorbis wxwidgets x264 xcb xinerama xml xv xvid zeitgeist zlib" ABI_X86="32 64" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="aes avx mmx mmxext popcnt sse sse2 sse3 sse4_1 sse4_2 ssse3" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ublox ubx" GRUB_PLATFORMS="efi-64" INPUT_DEVICES="evdev keyboard mouse" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LINGUAS="de" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-5" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7 python3_3" RUBY_TARGETS="ruby19 ruby20" USERLAND="GNU" VIDEO_CARDS="nouveau" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account" Unset: CPPFLAGS, CTARGET, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, 
PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON
=================================================================
Package Settings
=================================================================
sys-kernel/dracut-040-r3 was built with the following:
USE="systemd -debug (-selinux)" ABI_X86="64"
Created attachment 395292 [details]
dracut-037 debug log

The following attached file is the debug log of the dracut-037 initramfs, which works.
Created attachment 395294 [details]
dracut-040 debug log

Following is the debug log of the dracut-040 initramfs file, which doesn't work. Maybe it helps you to find the issue.
(In reply to Mirko Guenther from comment #2)
> Created attachment 395294 [details]
> dracut-040 debug log
>
> Following is the debug log of the dracut-040 initramfs file, which doesn't work.
>
> Maybe it helps you to find the issue.

Please also add systemd.log_level=debug to the kernel cmdline and attach a new debug log.
Created attachment 395538 [details]
dracut-040 debug log with systemd.log enabled

See attached file.
Please show contents of the crypttab inside initramfs:

# lsinitrd <path-to-initramfs> etc/crypttab

Check from emergency shell what cryptsetup units are generated:

# ls /run/systemd/generator/systemd-cryptsetup@*

What happens if you run the following commands in emergency shell?

# systemctl daemon-reload
# systemctl start cryptsetup.target
(In reply to Alexander Tsoy from comment #5)
> Please show contents of the crypttab inside initramfs:
> # lsinitrd <path-to-initramfs> etc/crypttab
>
> Check from emergency shell what cryptsetup units are generated:
> # ls /run/systemd/generator/systemd-cryptsetup@*
>
> What happens if you run the following commands in emergency shell?
> # systemctl daemon-reload
> # systemctl start cryptsetup.target

Sorry for the late answer.

1) '# lsinitrd <path-to-initramfs> etc/crypttab' shows the same crypttab as I have in my system:
'data /dev/disk/by-uuid/f7a0db53-a2ae-40f4-9f60-7bdd8fc8ed91 /etc/keys/hive_hdd.key luks'
I've also tried ',hash=plain,timeout=180' as an additional parameter. But it didn't work.

2) '# ls /run/systemd/generator/systemd-cryptsetup@*' shows only one rule for the first HDD in both cases.

3) 'What happens if you run the following commands in emergency shell?' There is some output, but nothing happens? What shall I look for?

Regards
Well.. I don't know how this setup worked for you in dracut-037. Maybe you didn't use systemd in initramfs generated with that version of dracut?

There is an attempt to get rid of systemd-cryptsetup-generator and co. in dracut. Could you try the patch from the following merge request?

https://github.com/haraldh/dracut/compare/master...dracut-mailing-devs:1425455385-28495-1-git-send-email-jsynacek@redhat.com
Created attachment 400000 [details]
bootlog dracut-041-r1 patched as suggested in #7
Created attachment 400002 [details]
log creating initramfs with patched dracut-041-r1
#7 I have issues creating a working initramfs with every new dracut version since dracut-034. Every new version has its own troubles. And I have two systems with two encrypted HDDs each, which show the same issues.

But nevertheless, I've patched dracut-041-r1 with your suggested patch and now the initramfs is (again) asking for a passphrase for both HDDs. It doesn't take the key file for the second HDD. I've added the log of dracut while creating the initramfs file and the boot log.
(In reply to Mirko Guenther from comment #10)
> #7 I have issues creating a working initramfs with every new dracut version
> since dracut-034. Every new version has its own troubles. And I have two
> systems with two encrypted HDDs each, which show the same issues.

Are you sure that the second encrypted volume is activated by initramfs generated with dracut-034?

After looking deeper into the code and commit history I came to the conclusion that a keyfile in crypttab has always been interpreted as is, without prepending /sysroot to it. So you either need a keyfile inside initramfs (definitely not what you want :)), or you have to use the "rd.luks.key" cmdline option (see man dracut.cmdline).
(In reply to Mirko Guenther from comment #1)
> Created attachment 395292 [details]
> dracut-037 debug log
>
> The following attached file is the debug log of the dracut-037 initramfs, which works.

Yes, it doesn't try to decrypt the second encrypted volume. I didn't notice that fact. :(
(In reply to Mirko Guenther from comment #9)
> Created attachment 400002 [details]
> log creating initramfs with patched dracut-041-r1

> *** Including module: resume ***

Try to generate initramfs with the '--omit "resume"' option or add 'omit_dracutmodules+=" resume "' to /etc/dracut.conf or /etc/dracut.conf.d/*.conf. Alternatively disabling hostonly_cmdline may help (I hope).

Dracut already has logic to skip swap devices if a key file is needed to decrypt them. But this is not enough - it should also check all underlying devices. :(
Sorry for the delay...

#11
> Are you sure that the second encrypted volume is activated by initramfs generated
> with dracut-034?

No. In theory there is no need for it as the keyfile is accessible after decryption and mount of the root partition.

> Try to generate initramfs with the '--omit "resume"' option or add
> 'omit_dracutmodules+=" resume "' to /etc/dracut.conf or /etc/dracut.conf.d/*.conf.

The option has no effect in this case.

> Alternatively disabling hostonly_cmdline may help (I hope).

That worked. Without this option I can boot the system again.
> > Alternatively disabling hostonly_cmdline may help (I hope).
> That worked. Without this option I can boot the system again.

Removing the hostonly_cmdline is also not really a solution, since I need the German keyboard layout on one of my machines and dracut doesn't respect the 'rd.vconsole.keymap' parameter. It always uses the US keymap. The hostonly_cmdline sets the keymap correctly.
We will have to fix things upstream.
(In reply to Mirko Guenther from comment #14)
> > Are you sure that the second encrypted volume is activated by initramfs generated
> > with dracut-034?
> No. In theory there is no need for it as the keyfile is accessible after
> decryption and mount of the root partition.

In theory yes, but historically support for keyfile in crypttab was added for another reason:

https://bugzilla.redhat.com/show_bug.cgi?id=751640
http://git.kernel.org/cgit/boot/dracut/dracut.git/commit/?id=4e05cb4023966a828ad90432816467a1da540120

So dracut and systemd-cryptsetup-generator don't append "/sysroot" to the keyfile's path. You can try the rd.luks.key option but I'm not sure if it will work for you.

> > Try to generate initramfs with the '--omit "resume"' option or add
> > 'omit_dracutmodules+=" resume "' to /etc/dracut.conf or /etc/dracut.conf.d/*.conf.
>
> The option has no effect in this case.

Ah, I see. Swaps are always activated in hostonly mode. Recent patches from Colin Guthrie should fix this.

https://github.com/haraldh/dracut/compare/master...dracut-mailing-devs:1431698021-16626-3-git-send-email-colin%40mageia.org

(In reply to Mirko Guenther from comment #15)
> > > Alternatively disabling hostonly_cmdline may help (I hope).
> > That worked. Without this option I can boot the system again.
>
> Removing the hostonly_cmdline is also not really a solution, since I need the
> German keyboard layout on one of my machines and dracut doesn't respect the
> 'rd.vconsole.keymap' parameter. It always uses the US keymap.

systemd-vconsole-setup only respects parameters without the 'rd.' prefix.

> The hostonly_cmdline sets the keymap correctly.

That's strange, because i18n parameters are not saved in /etc/cmdline.d. And /etc/vconsole.conf is generated regardless of the hostonly_cmdline setting.
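A small check for the point made in comments #11 and #17: a keyfile named in crypttab is looked up by its literal path inside the initramfs, not under /sysroot, so an entry keyed by a file that only exists on the real root filesystem cannot be unlocked from the initramfs (short of rd.luks.key or a passphrase prompt). This is an added example, not dracut's or systemd's own code. It assumes an already unpacked initramfs tree as its second argument; the crypttab lines, the UUID placeholders and the fake initramfs directory are constructed inline for the demonstration, and the `check_crypttab_keyfiles` function is a hypothetical helper, not a dracut tool.

```shell
#!/bin/sh
# Added example: report which crypttab entries name a keyfile that is not
# present inside the initramfs tree. The keyfile path is taken literally
# (no /sysroot prefix), matching the behaviour described in the thread.

# Usage: check_crypttab_keyfiles <crypttab> <unpacked-initramfs-root>
# Prints one line per entry and returns the number of entries whose keyfile
# is missing from the initramfs tree (0 means every keyfile was found).
check_crypttab_keyfiles() {
    crypttab=$1
    initrd_root=$2
    missing=0
    # crypttab field layout: <name> <device> <keyfile> <options>
    while read -r name device keyfile options; do
        # Skip blank lines and comments.
        case $name in ''|'#'*) continue ;; esac
        case $keyfile in
            ''|none|-)
                echo "$name: no keyfile, a passphrase prompt is expected"
                ;;
            *)
                if [ -f "$initrd_root/$keyfile" ]; then
                    echo "$name: keyfile $keyfile found in initramfs"
                else
                    echo "$name: keyfile $keyfile NOT in initramfs (looked up literally, not under /sysroot)"
                    missing=$((missing + 1))
                fi
                ;;
        esac
    done < "$crypttab"
    return "$missing"
}

# Constructed demonstration data: two LUKS volumes, the second one keyed by a
# file that lives on the real root filesystem and not in the initramfs.
demo=$(mktemp -d)
cat > "$demo/crypttab" <<'EOF'
# <name> <device>                               <keyfile>               <options>
root    /dev/disk/by-uuid/ROOT-UUID-PLACEHOLDER none                    luks
data    /dev/disk/by-uuid/DATA-UUID-PLACEHOLDER /etc/keys/hive_hdd.key  luks
EOF
mkdir -p "$demo/initrd/etc"

if check_crypttab_keyfiles "$demo/crypttab" "$demo/initrd"; then
    echo "all keyfiles are available in the initramfs"
else
    echo "$? entry/entries cannot be unlocked from this initramfs without rd.luks.key or a passphrase"
fi
rm -rf "$demo"
```

Run against a real, unpacked initramfs the function will flag exactly the situation from this bug: the `data` volume's keyfile is absent from the initramfs tree, so the generated cryptsetup unit can only fall back to prompting.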
(In reply to Alexander Tsoy from comment #17)
> (In reply to Mirko Guenther from comment #14)
> > > Try to generate initramfs with the '--omit "resume"' option or add
> > > 'omit_dracutmodules+=" resume "' to /etc/dracut.conf or /etc/dracut.conf.d/*.conf.
> >
> > The option has no effect in this case.
>
> Ah, I see. Swaps are always activated in hostonly mode. Recent patches from
> Colin Guthrie should fix this.
>
> https://github.com/haraldh/dracut/compare/master...dracut-mailing-devs:
> 1431698021-16626-3-git-send-email-colin%40mageia.org

Please try the patches below. If you don't add resume= to your kernel cmdline, they should fix the issue for you. :)

http://git.kernel.org/cgit/boot/dracut/dracut.git/commit/?id=3e3ed34f036a833ccc2150c6224d0a954e841e39
http://git.kernel.org/cgit/boot/dracut/dracut.git/commit/?id=7b56b905824da32dfc0b9309a004013ff19986f6

Or wait for dracut-043 (it is just released).
(In reply to Alexander Tsoy from comment #18)
> (In reply to Alexander Tsoy from comment #17)
> > (In reply to Mirko Guenther from comment #14)
> Or wait for dracut-043 (it is just released).

The new dracut-043 also has problems with my setup. When creating an image with the '-H' parameter the image complains about a missing 'wc' command and doesn't find (as a side effect?) the logical volume on my first HDD. I can test tomorrow if the keyboard layout is working.
(In reply to Mirko Guenther from comment #19)
> When creating an image with the '-H' parameter the image complains about a missing
> 'wc' command ...

You can ignore complaints about missing wc. It is bug 553444, which should not cause any harm unless you include wc in the initramfs.

> ... and doesn't find (as a side effect?) the logical volume on my
> first HDD. I can test tomorrow if the keyboard layout is working.

As usual we want to see rdsosreport.
Created attachment 406586 [details]
Build log dracut-043

The file contains the console output of the build of the initramfs file. I don't know where the kernel command line parameters are from. Building the initramfs file without the '-H' parameter, the kernel command line parameters are empty. Not sure if the double 'rd.luks.uuid=' parameter is correct and/or needed. The ID for the first HDD is 'luks-34deb499-56bd-47de-bf15-7b86278114a5'. The 'resume' parameter is added by the script itself.
Created attachment 406588 [details]
dracut-043 debug log for initramfs built with '-H'
I see. The second rd.luks.uuid= is added because the corresponding luks device is still being added to the host_devs array and because hostonly_cmdline is enabled. :(
What is the status of this with the 0.44 version?