Bug#1119958: closing encrypted volume impossible if root is located on it
Package: mmdebstrap
Version: 1.5.7-1+deb13u1
Severity: important
Tags: d-i
X-Debbugs-Cc: horacijedjuric@gmail.com, debian-boot@lists.debian.org
mount --make-rprivate / in the function setup_mounts
makes it impossible to close the encrypted volume if the target root is located
on it. It is not the fault of mmdebstrap per se, but the easiest way to solve
the problem is to fix it in mmdebstrap.
To illustrate the problem, I made a minimal setup to reproduce it:
Case 1, with mount propagation:
root@qemu# cryptsetup luksOpen /dev/sdb2 cryptoroot
Enter passphrase for /dev/sdb2:
root@qemu# mount /dev/mapper/cryptoroot /target
root@qemu# mount --make-rprivate /
root@qemu# umount -R /target
root@qemu# sudo cryptsetup luksClose cryptoroot
Device cryptoroot is still in use.
root@qemu# grep cryptoroot /proc/*/mountinfo
/proc/336/mountinfo:86 87 254:0 / /target rw,relatime shared:103 - ext4 /dev/mapper/cryptoroot rw
/proc/341/mountinfo:85 88 254:0 / /target rw,relatime shared:102 - ext4 /dev/mapper/cryptoroot rw
/proc/638/mountinfo:84 176 254:0 / /target rw,relatime shared:101 - ext4 /dev/mapper/cryptoroot rw
root@qemu# grep -l cryptoroot /proc/[0-9]*/mountinfo 2>/dev/null | cut -d/ -f3 | xargs ps -p
PID TTY STAT TIME COMMAND
336 ? Ssl 0:00 /usr/lib/systemd/systemd-timesyncd
341 ? Ss 0:00 /usr/lib/systemd/systemd-udevd
638 ? Ss 0:00 /usr/lib/systemd/systemd-logind
root@qemu# systemctl restart systemd-timesyncd systemd-udevd systemd-logind
root@qemu# grep cryptoroot /proc/*/mountinfo
root@qemu# sudo cryptsetup luksClose cryptoroot
root@qemu#
As you can see, some systemd services still use the unmounted root (/target).
Restarting them frees the handles and the LUKS volume can be closed. Restarting
those services is not a solution; I have three of them, someone could have
more, fewer, or even something else holding the volume.
The same procedure without mount propagation, Case 2:
root@qemu# cryptsetup luksOpen /dev/sdb2 cryptoroot
Enter passphrase for /dev/sdb2:
root@qemu# mount /dev/mapper/cryptoroot /target
root@qemu# umount -R /target
root@qemu# sudo cryptsetup luksClose cryptoroot
root@qemu# grep cryptoroot /proc/*/mountinfo
root@qemu#
I'm not sure why mount --make-rprivate / is required, but if it can't be
removed, then at least it shouldn't be executed if all mounts are skipped by
selecting all three options to that effect:
--skip=chroot/mount/dev --skip=chroot/mount/proc --skip=chroot/mount/sys
In such a case, no mounts will be done, hence mount --make-rprivate / is not
required, and I'd be very happy indeed if it wasn't executed at all.
Let me know if I can help further.
-- System Information:
Debian Release: 13.1
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 6.12.48+deb13-amd64 (SMP w/32 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8), LANGUAGE=en_CA:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages mmdebstrap depends on:
ii apt 3.0.3
ii perl 5.40.1-6
ii python3 3.13.5-1
Versions of packages mmdebstrap recommends:
ii arch-test 0.22-1
ii gpg 2.4.7-21+b3
ii libdistro-info-perl 1.13
ii libdpkg-perl 1.22.21
ii mount 2.41-5
ii uidmap 1:4.17.4-2
Versions of packages mmdebstrap suggests:
pn apt-transport-tor <none>
ii apt-utils 3.0.3
ii bzip2 1.0.8-6
ii ca-certificates 20250419
pn debootstrap <none>
ii distro-info-data 0.66
ii dpkg-dev 1.22.21
ii e2fsprogs 1.47.2-3+b3
pn fakechroot <none>
ii fakeroot 1.37.1.1-1
pn genext2fs <none>
ii libarchive13t64 [libarchive13] 3.7.4-4
pn lz4 <none>
pn lzop <none>
pn ncompress <none>
pn perl-doc <none>
pn qemu-user <none>
pn qemu-user-static <none>
pn squashfs-tools-ng <none>
ii systemd 257.8-1~deb13u2
ii xz-utils 5.8.1-1
ii zstd 1.5.7+dfsg-1
-- no debconf information
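The grep/ps one-liners in the report above find the PIDs holding the stale /target mount but not where those copies live. The script below is an added example, not code from the bug report or from mmdebstrap: it generalises that check into a function that, for a device-mapper name, lists every process whose mount namespace still references a mount backed by that device, together with the namespace id from /proc/PID/ns/mnt and the mount's propagation field from mountinfo. Seeing a different namespace id per holder is what distinguishes "a service captured a copy of the mount in its own mount namespace before the host root was made private, so the host umount no longer propagated to it" from "a process simply has a file open on the volume". The function names (holders_of_device, holder_count, make_sample_proc) are my own, the optional PROC_ROOT argument exists only so it can be exercised on a constructed tree, and the sample mountinfo lines are constructed to mirror the three holders shown in the report, not captured from a real system.

```shell
#!/bin/sh
# Added example (not part of the bug report or of mmdebstrap).
# Lists processes whose mount namespace still holds a mount backed by
# /dev/mapper/DEVNAME, which is what makes "cryptsetup luksClose" fail
# with "Device ... is still in use" after the host has unmounted it.

# holders_of_device DEVNAME [PROC_ROOT]
# Prints one line per matching mount: "pid mnt_ns mountpoint propagation".
# PROC_ROOT defaults to /proc; it is overridable only for testing.
holders_of_device() {
    dev="$1"
    proc="${2:-/proc}"
    for mi in "$proc"/[0-9]*/mountinfo; do
        [ -r "$mi" ] || continue
        pid=${mi#"$proc"/}
        pid=${pid%/mountinfo}
        # /proc/PID/ns/mnt is a symlink whose text is the namespace id,
        # e.g. "mnt:[4026531841]"; equal ids mean the same mount namespace.
        ns=$(readlink "$proc/$pid/ns/mnt" 2>/dev/null || echo 'mnt:[unknown]')
        # mountinfo layout: id parent maj:min root mountpoint mntopts
        #   [optional fields such as shared:N or master:N]... - fstype source superopts
        awk -v pid="$pid" -v ns="$ns" -v src="/dev/mapper/$dev" '
            {
                # locate the "-" separator that ends the optional fields
                for (sep = 7; sep <= NF; sep++) if ($sep == "-") break
                if ($(sep + 2) != src) next
                # a mount with no shared:/master: tag is private
                prop = "private"
                for (f = 7; f < sep; f++)
                    if ($f ~ /^(shared|master|propagate_from):/) prop = $f
                print pid, ns, $5, prop
            }' "$mi"
    done
}

# holder_count DEVNAME [PROC_ROOT]: number of distinct PIDs still holding the device.
holder_count() {
    holders_of_device "$1" "$2" |
        awk '{ if (!($1 in seen)) { seen[$1] = 1; n++ } } END { print n + 0 }'
}

# make_sample_proc DIR: build a constructed /proc-like tree (assumed layout,
# not captured from a real machine) with three holders in separate mount
# namespaces, as in the report, plus an unrelated pid 1 that holds nothing.
make_sample_proc() {
    root="$1"
    mkdir -p "$root/1/ns" "$root/336/ns" "$root/341/ns" "$root/638/ns"
    ln -sf 'mnt:[4026531841]' "$root/1/ns/mnt"      # host namespace
    ln -sf 'mnt:[4026532201]' "$root/336/ns/mnt"    # one namespace per service
    ln -sf 'mnt:[4026532202]' "$root/341/ns/mnt"
    ln -sf 'mnt:[4026532203]' "$root/638/ns/mnt"
    printf '%s\n' '25 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw' > "$root/1/mountinfo"
    printf '%s\n' '25 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw' \
        '86 87 254:0 / /target rw,relatime shared:103 - ext4 /dev/mapper/cryptoroot rw' \
        > "$root/336/mountinfo"
    printf '%s\n' '85 88 254:0 / /target rw,relatime shared:102 - ext4 /dev/mapper/cryptoroot rw' \
        > "$root/341/mountinfo"
    printf '%s\n' '84 176 254:0 / /target rw,relatime - ext4 /dev/mapper/cryptoroot rw' \
        > "$root/638/mountinfo"
}

# Demo on the constructed tree. On a live system run: holders_of_device cryptoroot
demo_dir=$(mktemp -d)
make_sample_proc "$demo_dir"
echo "mounts of /dev/mapper/cryptoroot still held (constructed sample):"
holders_of_device cryptoroot "$demo_dir"
echo "distinct holding pids: $(holder_count cryptoroot "$demo_dir")"
rm -rf "$demo_dir"
```

On a real host, feed the first column to `ps -p` as the report does; the second column tells you whether each holder sits in its own mount namespace (a sandboxed systemd unit) or in the host namespace (a plain open file or a leftover bind mount), which decides whether restarting the unit, unmounting inside that namespace with `nsenter -m -t PID umount`, or closing a file is the right fix.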