
Problem with systemd and cryptsetup - how to solve it the systemd way?



I am trying to set up an encrypted btrfs system on a Debian Jessie
system but I am running into a lot of issues, and now I need some help
debugging the basics. It seems like I'm running in to a new bug for
everything I do.

To get to the bottom of this I set up a virtual Debian Jessie with two
drives, the first with an unencrypted OS, and the second with one
partition and an empty luks device:

root@jessie:~# cryptsetup luksFormat /dev/sdb1
root@jessie:~# cryptsetup luksOpen /dev/sdb1 crypt
root@jessie:~# dd if=/dev/zero of=/dev/mapper/crypt
root@jessie:~# cryptsetup luksClose crypt


Then I add this to /etc/crypttab:
---- /etc/crypttab ---
# <target name>    <source device>        <key file>    <options>
crypt /dev/sdb1 none luks,noauto
---- /etc/crypttab ---

I ask systemd to generate the relevant unit files for this:
root@jessie:~# systemctl daemon-reload

...which gives me some files in /var/run/systemd/generator
root@jessie:~# tree --charset=ascii /var/run/systemd/generator
|-- dev-mapper-crypt.device.requires
|   `-- systemd-cryptsetup@crypt.service -> ../systemd-cryptsetup@crypt.service
`-- systemd-cryptsetup@crypt.service


---- /var/run/systemd/generator/systemd-cryptsetup@crypt.service ----
# Automatically generated by systemd-cryptsetup-generator

[Unit]
Description=Cryptography Setup for %I
Documentation=man:crypttab(5) man:systemd-cryptsetup-generator(8) man:systemd-cryptsetup@.service(8)
SourcePath=/etc/crypttab
DefaultDependencies=no
Conflicts=umount.target
BindsTo=dev-mapper-%i.device
IgnoreOnIsolate=true
After=systemd-readahead-collect.service systemd-readahead-replay.service cryptsetup-pre.target
Before=cryptsetup.target
BindsTo=dev-sdb1.device
After=dev-sdb1.device
Before=umount.target

[Service]
Type=oneshot
RemainAfterExit=yes
TimeoutSec=0
ExecStart=/lib/systemd/systemd-cryptsetup attach 'crypt' '/dev/sdb1' 'none' 'luks,noauto'
ExecStop=/lib/systemd/systemd-cryptsetup detach 'crypt'
---- /var/run/systemd/generator/systemd-cryptsetup@crypt.service ----

After this I try starting the new device:
root@jessie:~# systemctl start dev-mapper-crypt.device
Please enter passphrase for disk VBOX_HARDDISK (crypt)! ****
   ... here it stalls for what is likely 90 seconds ...
Job for dev-mapper-crypt.device timed out.
root@jessie:~#


Ok. It kinda failed but not really. The device has been unlocked and
exists in /dev/mapper/ as expected. Looking at the journal gives me
the following relevant lines:

Dec 10 14:18:33 jessie systemctl[4064]: Failed to stop systemd-ask-password-plymouth.path: Unit systemd-ask-password-plymouth.path not loaded.
Dec 10 14:18:33 jessie systemctl[4064]: Failed to stop systemd-ask-password-plymouth.service: Unit systemd-ask-password-plymouth.service not loaded.
Dec 10 14:19:08 jessie systemd-cryptsetup[4062]: Set cipher aes, mode xts-plain64, key size 256 bits for device /dev/sdb1.
Dec 10 14:20:03 jessie systemd[1]: Job dev-mapper-crypt.device/start timed out.
Dec 10 14:20:03 jessie systemd[1]: Timed out waiting for device dev-mapper-crypt.device.
Dec 10 14:20:03 jessie systemd[1]: systemd-ask-password-console.service stop-sigterm timed out. Killing.
Dec 10 14:20:03 jessie systemd[1]: systemd-ask-password-console.service: main process exited, code=killed, status=9/KILL
Dec 10 14:20:03 jessie systemd[1]: Unit systemd-ask-password-console.service entered failed state.
Dec 10 14:20:03 jessie systemd[1]: systemd-ask-password-wall.service start-pre operation timed out. Terminating.
Dec 10 14:20:03 jessie systemd[1]: Failed to start Forward Password Requests to Wall.
Dec 10 14:20:03 jessie systemd[1]: Unit systemd-ask-password-wall.service entered failed state.



Rebooting the machine and starting the device with "cryptdisks_start
crypt" works, and does not give any immediate errors in the journal,
but because it does not go through systemd I get in trouble later when
I start adding filesystems that require multiple encrypted devices,
so I really want to get this very basic thing working first!

My question is thus: How am I supposed to solve this the "systemd
way"? I want to be able to start an encrypted block device using a
normal systemd service/device so that I can later have systemd units
depend on this.


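As an added illustration of the "systemd way" asked about above (example code written for this page, not part of the original post or of systemd): the unit the generator writes from /etc/crypttab, systemd-cryptsetup@crypt.service, is the handle other units should depend on, since it is the unit that actually runs systemd-cryptsetup attach; the dev-mapper-crypt.device unit only reflects whether udev has seen the mapped device. The script below renders a .mount unit that carries Requires= and After= on that service, derives the mount unit name from the mount point using the plain-path escaping rule (leading slash dropped, remaining slashes become dashes; paths containing other special characters would need systemd-escape), and prints the commands to start the chain. The mapped name "crypt" and the btrfs filesystem come from the post; the mount point /mnt/crypt is a hypothetical placeholder.

```shell
#!/bin/sh
# Added example, not from the original post or from systemd.
# Assumptions: mapped name "crypt" (from the post's /etc/crypttab), hypothetical
# mount point /mnt/crypt, filesystem btrfs. Only simple absolute paths without
# characters that systemd escapes (such as "-") are handled by mount_unit_name.

# Name of the unit that systemd-cryptsetup-generator writes for a crypttab entry.
crypt_service_name() {
    printf 'systemd-cryptsetup@%s.service\n' "$1"
}

# Mount unit name for a mount point: drop the leading "/", turn "/" into "-",
# append ".mount" (the simple-path case of `systemd-escape --path`).
mount_unit_name() {
    path="${1#/}"
    printf '%s.mount\n' "$(printf '%s' "$path" | sed 's#/#-#g')"
}

# Render a .mount unit that is pulled in by, and ordered after, the generated
# cryptsetup service, so systemd opens the LUKS device before mounting it.
render_mount_unit() {
    name="$1"; where="$2"; fstype="$3"
    svc=$(crypt_service_name "$name")
    cat <<EOF
[Unit]
Description=Encrypted $fstype filesystem at $where
Requires=$svc
After=$svc

[Mount]
What=/dev/mapper/$name
Where=$where
Type=$fstype

[Install]
WantedBy=multi-user.target
EOF
}

# Check that rendered unit text declares both the Requires= and After= edges
# on the given service; returns non-zero if either is missing.
unit_has_dependency() {
    printf '%s\n' "$1" | grep -q "^Requires=$2\$" &&
    printf '%s\n' "$1" | grep -q "^After=$2\$"
}

# Commands an administrator would run after placing the unit under
# /etc/systemd/system/<mount unit name>: start the crypt service (which prompts
# for the passphrase and creates /dev/mapper/<name>), then the mount.
start_commands() {
    printf 'systemctl daemon-reload\n'
    printf 'systemctl start %s\n' "$(crypt_service_name "$1")"
    printf 'systemctl start %s\n' "$(mount_unit_name "$2")"
}

# Usage: sh this-script.sh --print crypt /mnt/crypt btrfs > /etc/systemd/system/mnt-crypt.mount
if [ "${1:-}" = "--print" ]; then
    render_mount_unit "${2:-crypt}" "${3:-/mnt/crypt}" "${4:-btrfs}"
    echo "# then run:" >&2
    start_commands "${2:-crypt}" "${3:-/mnt/crypt}" >&2
fi
```

The same Requires=/After= pair works for any unit that needs the mapped device, not just mounts; a filesystem spanning several encrypted devices lists one generated service per device in both directives.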