[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Problem with systemd and cryptsetup - how to solve it the systemd way?

I am trying to set up an encrypted btrfs system on a Debian Jessie
system but I am running into a lot of issues, and now I need some help
debugging the basics. It seems like I'm running in to a new bug for
everything I do.

To get to the bottom of this I set up a virtual Debian Jessie with two
drives, the first with an unencrypted OS, and the second with one
partition and and empty luks device:

root@jessie:~# cryptsetup luksFormat /dev/sdb1
root@jessie:~# cryptsetup luksOpen /dev/sdb1 crypt
root@jessie:~# dd if=/dev/zero of=/dev/mapper/crypt
root@jessie:~# cryptsetup luksClose crypt

Then I add this to /etc/crypttab:
---- /etc/crypttab ---
# <target name>    <source device>        <key file>    <options>
crypt /dev/sdb1 none luks,noauto
---- /etc/crypttab ---

I ask systemd to generate the relevant unit files for this:
root@jessie:~# systemctl daemon-reload

..which gives me some files in /var/run/systemd/generator
root@jessie:~# tree --charset=ascii /var/run/systemd/generator
|-- dev-mapper-crypt.device.requires
|   `-- systemd-cryptsetup@crypt.service -> ../systemd-cryptsetup@crypt.service
`-- systemd-cryptsetup@crypt.service

---- /var/run/systemd/generator/systemd-cryptsetup@crypt.service ----
# Automatically generated by systemd-cryptsetup-generator

Description=Cryptography Setup for %I
Documentation=man:crypttab(5) man:systemd-cryptsetup-generator(8)
systemd-readahead-replay.service cryptsetup-pre.target

ExecStart=/lib/systemd/systemd-cryptsetup attach 'crypt' '/dev/sdb1'
'none' 'luks,noauto'
ExecStop=/lib/systemd/systemd-cryptsetup detach 'crypt'
---- /var/run/systemd/generator/systemd-cryptsetup@crypt.service ----

After this I try starting the new device:
root@jessie:~# systemctl start dev-mapper-crypt.device
Please enter passphrase for disk VBOX_HARDDISK (crypt)! ****
   ... here it stalls for what is likely 90 seconds ...
Job for dev-mapper-crypt.device timed out.

Ok. It kinda failed but not really. The device has been unlocked and
exists in /dev/mapper/ as expected. Looking at the journal gives me
the following relevant lines:

Dec 10 14:18:33 jessie systemctl[4064]: Failed to stop
systemd-ask-password-plymouth.path: Unit
systemd-ask-password-plymouth.path not loaded.
Dec 10 14:18:33 jessie systemctl[4064]: Failed to stop
systemd-ask-password-plymouth.service: Unit
systemd-ask-password-plymouth.service not loaded.
Dec 10 14:19:08 jessie systemd-cryptsetup[4062]: Set cipher aes, mode
xts-plain64, key size 256 bits for device /dev/sdb1.
Dec 10 14:20:03 jessie systemd[1]: Job dev-mapper-crypt.device/start timed out.
Dec 10 14:20:03 jessie systemd[1]: Timed out waiting for device
Dec 10 14:20:03 jessie systemd[1]:
systemd-ask-password-console.service stop-sigterm timed out. Killing.
Dec 10 14:20:03 jessie systemd[1]:
systemd-ask-password-console.service: main process exited,
code=killed, status=9/KILL
Dec 10 14:20:03 jessie systemd[1]: Unit
systemd-ask-password-console.service entered failed state.
Dec 10 14:20:03 jessie systemd[1]: systemd-ask-password-wall.service
start-pre operation timed out. Terminating.
Dec 10 14:20:03 jessie systemd[1]: Failed to start Forward Password
Requests to Wall.
Dec 10 14:20:03 jessie systemd[1]: Unit
systemd-ask-password-wall.service entered failed state.

Rebooting the machine and starting the device with "cryptdisks_start
crypt" works, and does not give any immediate errors in the journal,
but because it does not go through systemd I get in trouble later when
I start adding filesystems that requires multiple encrypted devices,
so I really want to get this very basic thing working first!

My question is thus: How am I supposed to solve this the "systemd
way"? I want to be able to start an encrypted block device using a
normal systemd service/device so that I can later have systemd units
depend on this.

Reply to: