Re: unlocking encfs during boot (Re: systemd now appears to be only possible init system in testing)

2014-07-28 Thread Michael Biebl
Hi,

On 28.07.2014 01:54, Christian Hofstaedtler wrote:
 * Michael Biebl bi...@debian.org [140727 23:09]:
 On 22.07.2014 23:54, Julian Gilbey wrote:
 For me, this is a killer, as I still do not know how to solve the
 problem I asked a while back on debian-user
 (https://lists.debian.org/debian-user/2014/04/msg01286.html): in
 summary, I need to unlock an encrypted filesystem during boot time by
 asking for a password to feed into encfs.  But I cannot figure out how
 to do this under systemd.

 Answers to this question would also be much appreciated!

 Julian, do you still need help with that?
 I've just cobbled together a short unlock.service file which seems to
 work reasonably fine and which I can share with you.
 
 I'd love to see that file.

Here we go:

--8<---
[Unit]
Description=Unlock EncFS
DefaultDependencies=no
After=local-fs.target
Before=display-manager.service getty@tty1.service

[Service]
Type=oneshot
RemainAfterExit=true
Environment=RootDir=/home/.encfs/crypt
Environment=MountPoint=/home/crypt
ExecStart=/bin/sh -c "systemd-ask-password --no-tty --timeout=30 'Unlock EncFS' | encfs --stdinpass $RootDir $MountPoint"
ExecStop=/bin/umount $MountPoint

[Install]
WantedBy=sysinit.target
--8<---

(The ExecStart= needs to be a single line, I hope it's not messed up by
my mailer)

I've installed that as /etc/systemd/system/unlock.service, then ran
systemctl enable unlock.service

A few remarks:

- I hook that service up in sysinit.target, which is similar to rcS in
sysvinit, since that is what Julian was using in his original SysV init
script.
Services which run that early should usually use DefaultDependencies=no
and specify their requirements explicitly (that's what the
After=local-fs.target is for).

- I used Type=oneshot, as I'm only interested in the unlock process and
not in tracking the encfs process.

- The usage of Environment= is entirely optional, but makes it a bit
more readable

- The ExecStop= is not strictly required, but simply a nice touch.

- Querying input on a non-sequential system (like systemd) is not
trivial. I therefore recommend the usage of plymouth. Don't consider it
only a shiny bootsplash, but rather an I/O multiplexer [1]. If you
insist on not using plymouth, at least make sure to boot with quiet
enabled, otherwise your unlock prompt will be overwritten by the boot
messages.
Let me repeat: for such a case, I really recommend using plymouth!

- The Before=display-manager.service getty@tty1.service line makes sure
your plymouth (or console) prompt is not interfered with by the getty on
tty1 or X/your display manager.
Not all display managers already set up the display-manager.service
symlink properly (gdm3 in unstable and lightdm do).
So you might need to change that to list the actual service name, say if
you use xdm:
Before=xdm.service ...


systemd-ask-password is clever enough to automatically use plymouth when
available or fall back to the tty agent otherwise.


If you have further questions, just ask.


Cheers,
Michael

[1] http://web.dodds.net/~vorlon/wiki/blog/Plymouth_is_not_a_bootsplash/
(currently not reachable, you might use the google cache)

-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?



signature.asc
Description: OpenPGP digital signature


Re: unlocking encfs during boot (Re: systemd now appears to be only possible init system in testing)

2014-07-28 Thread Michael Biebl
On 28.07.2014 16:53, Michael Biebl wrote:
 --8<---
 [Unit]
 Description=Unlock EncFS
 DefaultDependencies=no
 After=local-fs.target
 Before=display-manager.service getty@tty1.service
 
 [Service]
 Type=oneshot
 RemainAfterExit=true
 Environment=RootDir=/home/.encfs/crypt
 Environment=MountPoint=/home/crypt
 ExecStart=/bin/sh -c "systemd-ask-password --no-tty --timeout=30 'Unlock EncFS' | encfs --stdinpass $RootDir $MountPoint"
 ExecStop=/bin/umount $MountPoint
 
 [Install]
 WantedBy=sysinit.target
 --8<---


To show you some additional cool systemd features, I'm going a step
further and make this unit file a completely generic template unit, so
it can easily be re-used, say if you have multiple encfs file systems to
unlock and you don't want to copy that file over and over again.

Only 3 small modifications are necessary:
- Rename the file unlock@.service
- Update Description: Description=Unlock %I EncFS
- Use EnvironmentFile=/etc/encfs/%I

The %I is the instance name specifier and denotes the part between
unlock@ and .service in unlock@<instance name>.service. See man systemd.unit(5)

The resulting template unit looks like this and is completely generic:

--8<---
[Unit]
Description=Unlock %I EncFS
DefaultDependencies=no
After=local-fs.target
Before=display-manager.service getty@tty1.service

[Service]
Type=oneshot
RemainAfterExit=true
EnvironmentFile=/etc/encfs/%I
ExecStart=/bin/sh -c "systemd-ask-password --no-tty --timeout=30 'Unlock EncFS' | encfs --stdinpass $RootDir $MountPoint"
ExecStop=/bin/umount $MountPoint

[Install]
WantedBy=sysinit.target
--8<---

So how do we create a new encfs unit now?

- mkdir /etc/encfs/
- echo -e "RootDir=/home/.encfs/crypt/\nMountPoint=/home/crypt" > /etc/encfs/home
- systemctl enable unlock@home.service
Note how the file name and the instance name match.


Hope you enjoy my little explorations in systemd land :-)

Michael



-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?



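The unlock.service in Michael's first mail and the unlock@.service template in this one both rely on a small per-instance setup: a file under /etc/encfs whose name is exactly the %I instance name, containing the RootDir= and MountPoint= lines the ExecStart= reads. The following POSIX sh helper is an added example, not code from the thread or from the systemd or encfs projects; it carries the three steps above (directory, EnvironmentFile, the systemctl enable hint) into a script. ENCFS_CONF_DIR, valid_instance_name, valid_path, write_instance_env, instance_value and unit_for are names introduced here; the /etc/encfs layout and the two keys are the ones from the template. It goes a little beyond the mail: it refuses instance names that could not be looked up via EnvironmentFile=/etc/encfs/%I, validates the two paths before writing them unquoted, uses printf instead of echo -e (whose -e is not portable across /bin/sh implementations), and reads values back by parsing the file line by line rather than sourcing it.

```shell
#!/bin/sh
# Added example (not from the thread): manage EnvironmentFile entries for
# the unlock@.service template. ENCFS_CONF_DIR is an assumption introduced
# here; it defaults to /etc/encfs, the directory used in the template's
# EnvironmentFile=/etc/encfs/%I line.
set -eu
ENCFS_CONF_DIR="${ENCFS_CONF_DIR:-/etc/encfs}"

# An instance name must be usable both as the %I lookup in
# EnvironmentFile=/etc/encfs/%I and as a plain file name: non-empty, no
# leading dot, and only [A-Za-z0-9_.-] (so no '/', whitespace or '%').
valid_instance_name() {
    case "$1" in
        ''|.*|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    return 0
}

# Paths are written unquoted into the EnvironmentFile, as in the thread,
# so require an absolute path made only of characters that need no quoting.
valid_path() {
    case "$1" in
        /*) ;;
        *) return 1 ;;
    esac
    case "$1" in
        *[!A-Za-z0-9_./@-]*) return 1 ;;
    esac
    return 0
}

# write_instance_env NAME ROOTDIR MOUNTPOINT
# Creates $ENCFS_CONF_DIR/NAME with RootDir= and MountPoint= lines.
# printf is used instead of 'echo -e': dash's echo prints "-e" literally.
write_instance_env() {
    name=$1 rootdir=$2 mountpoint=$3
    valid_instance_name "$name" || { echo "invalid instance name: $name" >&2; return 1; }
    valid_path "$rootdir" || { echo "invalid RootDir: $rootdir" >&2; return 1; }
    valid_path "$mountpoint" || { echo "invalid MountPoint: $mountpoint" >&2; return 1; }
    mkdir -p "$ENCFS_CONF_DIR"
    printf 'RootDir=%s\nMountPoint=%s\n' "$rootdir" "$mountpoint" \
        > "$ENCFS_CONF_DIR/$name"
    chmod 0644 "$ENCFS_CONF_DIR/$name"
}

# instance_value NAME KEY
# Prints the value of KEY from $ENCFS_CONF_DIR/NAME. The file is parsed
# line by line rather than sourced, so a stray line in it cannot run
# commands in the caller's shell. Returns 1 if the file or key is missing.
instance_value() {
    name=$1 key=$2
    file="$ENCFS_CONF_DIR/$name"
    [ -r "$file" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "$key="*) printf '%s\n' "${line#*=}"; return 0 ;;
        esac
    done < "$file"
    return 1
}

# unit_for NAME
# Prints the template instance that picks up $ENCFS_CONF_DIR/NAME; the
# file name and the instance name have to match, as the mail notes.
unit_for() {
    printf 'unlock@%s.service\n' "$1"
}

# Usage: sh encfs-instance.sh NAME ROOTDIR MOUNTPOINT
# e.g.   sh encfs-instance.sh home /home/.encfs/crypt /home/crypt
if [ $# -eq 3 ]; then
    write_instance_env "$1" "$2" "$3"
    echo "wrote $ENCFS_CONF_DIR/$1; now run: systemctl enable $(unit_for "$1")"
fi
```

Run it as root to write into /etc/encfs, or set ENCFS_CONF_DIR to a scratch directory to try it out first. The instance-name check matters because %I is the unescaped instance name: a name containing a slash or whitespace would be a valid unit instance but could never be found as a single file under /etc/encfs.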


Re: unlocking encfs during boot (Re: systemd now appears to be only possible init system in testing)

2014-07-28 Thread Cameron Norman
On Mon, 28 Jul 2014 at 8:21, Michael Biebl bi...@debian.org wrote:

On 28.07.2014 16:53, Michael Biebl wrote:

 --8<---
 [Unit]
 Description=Unlock EncFS
 DefaultDependencies=no
 After=local-fs.target
 Before=display-manager.service getty@tty1.service
 
 [Service]

 Type=oneshot
 RemainAfterExit=true
 Environment=RootDir=/home/.encfs/crypt
 Environment=MountPoint=/home/crypt
 ExecStart=/bin/sh -c "systemd-ask-password --no-tty --timeout=30 'Unlock EncFS' | encfs --stdinpass $RootDir $MountPoint"
 ExecStop=/bin/umount $MountPoint
 
 [Install]

 WantedBy=sysinit.target
 --8<---



To show you some additional cool systemd features, I'm going a step
further and make this unit file a completely generic template unit, so
it can easily be re-used, say if you have multiple encfs file systems to
unlock and you don't want to copy that file over and over again.

Only 3 small modifications are necessary:
- Rename the file unlock@.service
- Update Description: Description=Unlock %I EncFS
- Use EnvironmentFile=/etc/encfs/%I

The %I is the instance name specifier and denotes the part between
unlock@ and .service in unlock@<instance name>.service. See man systemd.unit(5)

The resulting template unit looks like this and is completely generic:

--8<---
[Unit]
Description=Unlock %I EncFS
DefaultDependencies=no
After=local-fs.target
Before=display-manager.service getty@tty1.service

[Service]
Type=oneshot
RemainAfterExit=true
EnvironmentFile=/etc/encfs/%I
ExecStart=/bin/sh -c "systemd-ask-password --no-tty --timeout=30 'Unlock EncFS' | encfs --stdinpass $RootDir $MountPoint"
ExecStop=/bin/umount $MountPoint

[Install]
WantedBy=sysinit.target
--8<---

So how do we create a new encfs unit now?

- mkdir /etc/encfs/
- echo -e "RootDir=/home/.encfs/crypt/\nMountPoint=/home/crypt" > /etc/encfs/home
- systemctl enable unlock@home.service
Note how the file name and the instance name match.


Maybe you could use BindsTo=/etc/encfs/%I.path (I think that would 
work, right?) so that you do not have to explicitly enable it. Although 
that would cause the MTPT to be unmounted if the file is deleted 
(unless the ExecStop= is removed)... Anyway, pretty cool.


Thanks for sharing,
--
Cameron Norman


unlocking encfs during boot (Re: systemd now appears to be only possible init system in testing)

2014-07-27 Thread Michael Biebl

On 22.07.2014 23:54, Julian Gilbey wrote:
 For me, this is a killer, as I still do not know how to solve the
 problem I asked a while back on debian-user
 (https://lists.debian.org/debian-user/2014/04/msg01286.html): in
 summary, I need to unlock an encrypted filesystem during boot time by
 asking for a password to feed into encfs.  But I cannot figure out how
 to do this under systemd.
 
 Answers to this question would also be much appreciated!

Julian, do you still need help with that?
I've just cobbled together a short unlock.service file which seems to
work reasonably fine and which I can share with you.

We can further discuss this on pkg-systemd-maintainers if you want.

Cheers,
Michael

-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?





Re: unlocking encfs during boot (Re: systemd now appears to be only possible init system in testing)

2014-07-27 Thread Christian Hofstaedtler
* Michael Biebl bi...@debian.org [140727 23:09]:
 On 22.07.2014 23:54, Julian Gilbey wrote:
  For me, this is a killer, as I still do not know how to solve the
  problem I asked a while back on debian-user
  (https://lists.debian.org/debian-user/2014/04/msg01286.html): in
  summary, I need to unlock an encrypted filesystem during boot time by
  asking for a password to feed into encfs.  But I cannot figure out how
  to do this under systemd.
  
  Answers to this question would also be much appreciated!
 
 Julian, do you still need help with that?
 I've just cobbled together a short unlock.service file which seems to
 work reasonably fine and which I can share with you.

I'd love to see that file.

  C.

-- 
 ,''`.  Christian Hofstaedtler z...@debian.org
: :' :  Debian Developer
`. `'   7D1A CFFA D9E0 806C 9C4C  D392 5C13 D6DB 9305 2E03
  `-


-- 
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/20140727235453.ga5...@sx.home.zeha.at