authorFranck Bui <fbui@suse.com>2019-12-03 09:30:57 +0100
committerFranck Bui <fbui@suse.com>2019-12-05 11:43:02 +0100
commit1dc85eff1d0dff18aaeaae530c91bf53f34b726e (patch)
tree2dbf3ae1d2a44d134a85740971f4cdf69a2ed4a6
parent1e904320aacb21b1b9563015cb8a7f2014088920 (diff)
downloadsystemd-1dc85eff1d0dff18aaeaae530c91bf53f34b726e.tar.gz
crypsetup: introduce x-initrd.attach option
This option is an indication for PID1 that the entry in crypttab is handled by the initrd only and therefore it shouldn't interfere during the usual start-up and shutdown process. It should be primarily used with the encrypted device containing the root FS as we want to keep it (and thus its encrypted device) until the very end of the shutdown process, i.e. when the initrd takes over. This option is the counterpart of "x-initrd.mount" used in fstab. Note that the slice containing the cryptsetup services also needs to drop the usual shutdown dependencies as it's required by the cryptsetup services. Fixes: #14224
-rw-r--r--man/crypttab.xml19
-rw-r--r--src/cryptsetup/cryptsetup-generator.c8
-rw-r--r--src/cryptsetup/cryptsetup.c2
-rw-r--r--units/meson.build1
-rw-r--r--units/system-systemd\x2dcryptsetup.slice13
5 files changed, 40 insertions, 3 deletions
diff --git a/man/crypttab.xml b/man/crypttab.xml
index e4b1e43e42..e933b2db78 100644
--- a/man/crypttab.xml
+++ b/man/crypttab.xml
@@ -431,6 +431,25 @@
</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>x-initrd.attach</option></term>
+
+ <listitem><para>Setup this encrypted block device in the initramfs, similarly to
+ <citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+ units marked with <option>x-initrd.mount</option>.</para>
+
+ <para>Although it's not necessary to mark the mount entry for the root file system with
+ <option>x-initrd.mount</option>, <option>x-initrd.attach</option> is still recommended with
+ the encrypted block device containing the root file system as otherwise systemd will
+ attempt to detach the device during the regular system shutdown while it's still in
+ use. With this option the device will still be detached but later after the root file
+ system is unmounted.</para>
+
+ <para>All other encrypted block devices that contain file systems mounted in the initramfs
+ should use this option.</para>
+ </listitem>
+ </varlistentry>
+
</variablelist>
<para>At early boot and when the system manager configuration is
diff --git a/src/cryptsetup/cryptsetup-generator.c b/src/cryptsetup/cryptsetup-generator.c
index 811a9468c1..82e4314913 100644
--- a/src/cryptsetup/cryptsetup-generator.c
+++ b/src/cryptsetup/cryptsetup-generator.c
@@ -227,7 +227,7 @@ static int create_disk(
*filtered = NULL, *u_escaped = NULL, *filtered_escaped = NULL, *name_escaped = NULL, *header_path = NULL;
_cleanup_fclose_ FILE *f = NULL;
const char *dmname;
- bool noauto, nofail, tmp, swap, netdev;
+ bool noauto, nofail, tmp, swap, netdev, attach_in_initrd;
int r, detached_header, keyfile_can_timeout;
assert(name);
@@ -238,6 +238,7 @@ static int create_disk(
tmp = fstab_test_option(options, "tmp\0");
swap = fstab_test_option(options, "swap\0");
netdev = fstab_test_option(options, "_netdev\0");
+ attach_in_initrd = fstab_test_option(options, "x-initrd.attach\0");
keyfile_can_timeout = fstab_filter_options(options, "keyfile-timeout\0", NULL, &keyfile_timeout_value, NULL);
if (keyfile_can_timeout < 0)
@@ -290,12 +291,15 @@ static int create_disk(
"Documentation=man:crypttab(5) man:systemd-cryptsetup-generator(8) man:systemd-cryptsetup@.service(8)\n"
"SourcePath=%s\n"
"DefaultDependencies=no\n"
- "Conflicts=umount.target\n"
"IgnoreOnIsolate=true\n"
"After=%s\n",
arg_crypttab,
netdev ? "remote-fs-pre.target" : "cryptsetup-pre.target");
+ /* If initrd takes care of attaching the disk then it should also detach it during shutdown. */
+ if (!attach_in_initrd)
+ fprintf(f, "Conflicts=umount.target\n");
+
if (password) {
password_escaped = specifier_escape(password);
if (!password_escaped)
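Review bot: The comment above `if (!attach_in_initrd)` assumes that control returns to an initrd at shutdown, but nothing here verifies that, and on a host whose initrd is not kept around for shutdown the mapping is simply never closed by the service manager once `Conflicts=umount.target` is dropped — the dm-crypt key stays in kernel memory until power-off. For the root device that is unavoidable, but crypttab(5) in this same commit recommends the option for every device with a file system mounted in the initramfs, so the caveat belongs in the comment: `/* If the initrd attaches this disk it is also expected to detach it at shutdown. This relies on the system handing back to the initrd on shutdown; if it does not, the device stays open until power-off. */`. The `attach_in_initrd` test is not gated on running inside the initrd, so the generated unit has the same shape in both environments; that appears intended but is worth a word in the comment as well. create_disk() starts and ends outside this hunk.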
diff --git a/src/cryptsetup/cryptsetup.c b/src/cryptsetup/cryptsetup.c
index 8723eb4c01..19f075dfeb 100644
--- a/src/cryptsetup/cryptsetup.c
+++ b/src/cryptsetup/cryptsetup.c
@@ -228,7 +228,7 @@ static int parse_one_option(const char *option) {
if (r < 0)
return log_error_errno(r, "Failed to parse %s: %m", option);
- } else
+ } else if (!streq(option, "x-initrd.attach"))
log_warning("Encountered unknown /etc/crypttab option '%s', ignoring.", option);
return 0;
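Review bot: The new `else if (!streq(option, "x-initrd.attach"))` silences exactly one generator-only option without saying why it is acceptable to ignore it here, so the next generator-only option will reintroduce the "unknown option" warning and a reader has no hint that the option was already consumed elsewhere; add `/* x-initrd.attach is consumed by systemd-cryptsetup-generator and has no meaning for this helper. */` above the branch. If more such `x-` options are anticipated, a prefix match (e.g. on `"x-"`, the way mount treats x-* fstab options) would be the more general form, but that widens what is accepted silently and is only a suggestion. parse_one_option() begins before this hunk and its earlier branches are not visible here.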
diff --git a/units/meson.build b/units/meson.build
index 6a3a0d0dea..9da60a431c 100644
--- a/units/meson.build
+++ b/units/meson.build
@@ -74,6 +74,7 @@ units = [
'sysinit.target.wants/'],
['sysinit.target', ''],
['syslog.socket', ''],
+ ['system-systemd\\x2dcryptsetup.slice', 'HAVE_LIBCRYPTSETUP'],
['system-update.target', ''],
['system-update-pre.target', ''],
['system-update-cleanup.service', ''],
diff --git a/units/system-systemd\x2dcryptsetup.slice b/units/system-systemd\x2dcryptsetup.slice
new file mode 100644
index 0000000000..83310900a7
--- /dev/null
+++ b/units/system-systemd\x2dcryptsetup.slice
@@ -0,0 +1,13 @@
+# SPDX-License-Identifier: LGPL-2.1+
+#
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+[Unit]
+Description=Cryptsetup Units Slice
+Documentation=man:systemd.special(7)
+DefaultDependencies=no
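Review bot: `DefaultDependencies=no` is set with no comment explaining why, and the reason is not recoverable from the unit file alone: it drops the slice's default `Conflicts=`/`Before=` on shutdown.target so that the cryptsetup services it hosts — in particular those generated for `x-initrd.attach` entries, which keep the root device open until the initrd takes over — are not torn down together with the slice during normal shutdown. Add above `[Unit]`: `# DefaultDependencies=no: the cryptsetup services in this slice may have to outlive shutdown.target (x-initrd.attach), so the slice must not conflict with it.` and note in the same comment that services without `x-initrd.attach` are still stopped by their own `Conflicts=umount.target`, so ordinary devices are not left open by this change. Presumably the systemd-cryptsetup@ instances land in this slice through the default template-to-slice naming; if the generator sets `Slice=` explicitly, that is outside this diff.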