
mostly Solved: [Re: cryptdisks runlevel configuration for lvm2 + encrypted swap file]



On Wed, 27 Jul 2011, 10:18-0400, Jean-Marc Ranger <jmranger@hotmail.com> wrote:
[...]
> Not sure how versed you are in script programming, but my take at
> debugging this would be to add more traces in cryptdisks.functions
> file, especially in the handle_crypttab_line_start function, that is
> called for each line in crypttab during startup. I'd be adding lines
> to check
> - whether /var is mounted
> - whether /dev/urandom can be accessed
> - function error codes

I threw some debugging code into /lib/cryptsetup/cryptdisks.functions as 
suggested and found out that none of my lvm volumes were mounted except 
for root.

On Wed, 27 Jul 2011, 14:09-0600, Bob Proulx <bob@proulx.com> wrote:
[...]
> I don't know anything about setting up encrypted swap files.  But I
> will suggest that if you want to change the boot order that you edit
> the /etc/init.d/cryptdisks script and perhaps add "$all" or some other
> dependency to the Required-Start: line and then run insserv to update
> the symlinks.  Adding $all is a quick hack to push the start to the
> end of the boot process.  I would think adding swap could happen at
> any time and be okay to happen very late.  You can look at the
> ordering of the boot scripts in /etc/rc2.d/ and observe the changes.
> If that works then you know you have a boot time initialization
> ordering problem.  You can then work from there to refine the
> solution.
> Jimmy Wu wrote:

So then I went to take a look at the boot order dependencies.  After 
reading a bit of insserv(8), looking at the LSB headers and 
/etc/init.d/.depend.boot info for mountall.sh, cryptdisks, etc., I came 
up with the following dependency chain ('a -> b' := a depends on b, so 
b starts before a and a stops before b):
mountall.sh -> checkfs.sh -> cryptdisks -> lvm2 -> cryptdisks-early

Since /var is a LVM2 logical volume, it won't get mounted until after 
mountall.sh (I assume).  Since cryptdisks comes before mountall.sh in the 
dependency chain I (also assume that I) can't move it after mountall.sh 
without creating some circular mess.

I also checked for when swap is enabled (grep -Ri swapon /etc/init.d) 
and the latest place where swapon gets run is in mountall.sh, so even if 
I were able to move cryptdisks after mountall.sh somehow, the swap would 
have to be enabled manually after the /dev/mapper file is set up.

My current kludge is to add the following line to /etc/rc.local:
service cryptdisks start && swapon -a

It makes my shutdown process (even more) unclean - I see some message 
about being unable to stop the (sole) lvm volume group due to some 
logical volumes still being in use but since the machine is shutting 
down anyways, that is comparatively minor.

I considered using cryptmount to do the swap encryption but couldn't 
find any good documentation on how to get it to use the same 
aes-cbc-essiv cipher that crypttab/cryptsetup uses.

Thanks to Jean-Marc and Bob for pointing me in the right directions.

Cheers,

Jimmy
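The dependency chain worked out above can be reproduced mechanically from the scripts' LSB headers. As an added example (not from this thread and not Debian's own scripts), the script below parses constructed Required-Start headers that mirror the chain in the mail, lets tsort compute the start order, and shows that making cryptdisks also require mountall produces exactly the loop the mail anticipates. It assumes awk and tsort (GNU coreutils) are installed.

```shell
#!/bin/sh
# Added example: derive insserv-style start order from LSB headers and
# demonstrate why cryptdisks cannot be moved after mountall.
# The headers below are CONSTRUCTED to reproduce the chain in the mail:
#   mountall.sh -> checkfs.sh -> cryptdisks -> lvm2 -> cryptdisks-early
lsb_headers() {
cat <<'EOF'
### BEGIN INIT INFO
# Provides:          cryptdisks-early
# Required-Start:    checkroot
### END INIT INFO
### BEGIN INIT INFO
# Provides:          lvm2
# Required-Start:    cryptdisks-early
### END INIT INFO
### BEGIN INIT INFO
# Provides:          cryptdisks
# Required-Start:    checkroot lvm2
### END INIT INFO
### BEGIN INIT INFO
# Provides:          checkfs
# Required-Start:    cryptdisks
### END INIT INFO
### BEGIN INIT INFO
# Provides:          mountall
# Required-Start:    checkfs
### END INIT INFO
EOF
}

# Turn headers on stdin into "dependency dependant" pairs (first name in
# Provides: only). tsort then prints each script after everything it
# requires, i.e. the start order; stop order is the reverse, as the mail notes.
lsb_edges() {
    awk '/^# Provides:/ { p = $3 }
         /^# Required-Start:/ { for (i = 3; i <= NF; i++) print $i, p }'
}

start_order() { lsb_headers | lsb_edges | tsort; }

# The move the mail rules out: make cryptdisks also require mountall.
# tsort exits non-zero and reports a loop, which insserv would likewise refuse.
start_order_with_loop() {
    { lsb_headers | lsb_edges; echo "mountall cryptdisks"; } | tsort
}

start_order
start_order_with_loop >/dev/null 2>&1 || echo "loop: cryptdisks cannot require mountall"
```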

