Package: cryptsetup-initramfs
Version: 2:2.1.0-3
Severity: minor
Tags: patch

Hi,

my root partition resides on an lvm logical volume which is part of a volume group consisting of two physical volumes. Both physical volumes are encrypted with luks. In order to activate the lvm volume group both physical volumes need to be unlocked so I added them both to /etc/crypttab.

This works fine except that the following error messages are output on every boot by the initramfs script local-top/cryptroot:

  Couldn't find device with uuid xxxxxx-xxxx-xxxx-xxxx-xxxx-xxxx-xxxxxx.
  Refusing activation of partial LV vgroup0/lv0. Use '--activationmode partial' to override.

In order to get rid of this I changed the script to only attempt activation of lvm volume groups after all the disks in /etc/crypttab have been unlocked. The check for dm-crypt devices needs to stay in the first pass as this is part of the unlocking procedure but the lvm volume group activation can be moved to a second step.

Like this the above error messages are gone and I couldn't think of anything that would now go wrong because of that.

Cheers,
Christof

-- Package-specific info:

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (900, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages cryptsetup-initramfs depends on:
ii  busybox                                 1:1.30.1-4
ii  cryptsetup-run                          2:2.1.0-3
ii  initramfs-tools [linux-initramfs-tool]  0.133

Versions of packages cryptsetup-initramfs recommends:
ii  console-setup  1.191
ii  kbd            2.0.4-4

cryptsetup-initramfs suggests no packages.

-- no debconf information

>From 422096ea74e4adbcbb28ad1e61ffa16971c05cf8 Mon Sep 17 00:00:00 2001 From: Christof Baumann <chris...@boumann.ch> Date: Wed, 8 May 2019 20:30:55 +0200 Subject: [PATCH] Activate LVM vgroups after unlocking all mappings Because an lvm volume group may be composed by several mappings. In this case this lead to an error message like this: Couldn't find device with uuid xxxxxx-xxxx-xxxx-xxxx-xxxx-xxxx-xxxxxx. Refusing activation of partial LV <vgroupname>. Use '--activationmode partial' The boot was still successful in this case as we try activating the volume group after every successful mapping setup. However as this was output on stderr it changed the boot screen behavior in my case: the systemd messages which are normally suppressed with the quiet grub option are then output. So I propose to only activate lvm volume groups after having unlocked all crypttab entries. --- debian/initramfs/scripts/local-top/cryptroot | 50 ++++++++++++++------ 1 file changed, 35 insertions(+), 15 deletions(-) diff --git a/debian/initramfs/scripts/local-top/cryptroot b/debian/initramfs/scripts/local-top/cryptroot index 6a831cd3..304b1317 100644 --- a/debian/initramfs/scripts/local-top/cryptroot +++ b/debian/initramfs/scripts/local-top/cryptroot @@ -71,10 +71,10 @@ wait_for_source() { return 1 } -# setup_mapping() -# Set up a crypttab(5) mapping defined by $CRYPTTAB_NAME, +# open_mapping() +# Open (unlock) a crypttab(5) mapping defined by $CRYPTTAB_NAME, # $CRYPTTAB_SOURCE, $CRYPTTAB_KEY, $CRYPTTAB_OPTIONS. -setup_mapping() { +open_mapping() { local dev # The same target can be specified multiple times 
@@ -124,7 +124,7 @@ setup_mapping() { fi get_crypt_type # set CRYPTTAB_TYPE to the type of crypt device - local count=0 maxtries="${CRYPTTAB_OPTION_tries:-3}" fstype vg rv + local count=0 maxtries="${CRYPTTAB_OPTION_tries:-3}" fstype rv while [ $maxtries -le 0 ] || [ $count -lt $maxtries ]; do if [ -z "${CRYPTTAB_OPTION_keyscript+x}" ] && [ "$CRYPTTAB_KEY" != "none" ]; then # unlock via keyfile @@ -145,8 +145,8 @@ setup_mapping() { return 1 fi - if ! fstype="$(get_fstype "$dev")" || [ "$fstype" = "unknown" ]; then - if [ "$CRYPTTAB_TYPE" != "luks" ]; then + if [ "$CRYPTTAB_TYPE" != "luks" ]; then + if ! fstype="$(get_fstype "$dev")" || [ "$fstype" = "unknown" ]; then # bad password for plain dm-crypt device? or mkfs not run yet? cryptsetup_message "ERROR: $CRYPTTAB_NAME: unknown fstype, bad password or options?" wait_for_udev 10 @@ -154,17 +154,9 @@ setup_mapping() { sleep 1 continue fi - elif [ "$fstype" = lvm2 ]; then - if [ ! -x /sbin/lvm ]; then - cryptsetup_message "WARNING: $CRYPTTAB_NAME: lvm is not available" - return 1 - elif vg="$(lvm pvs --noheadings -o vg_name --config 'log{prefix=""}' -- "$dev")"; then - # activate the VG held by the PV we just unlocked - lvm lvchange -a y --sysinit --ignoreskippedcluster -- "$vg" - fi fi - cryptsetup_message "$CRYPTTAB_NAME: set up successfully" + cryptsetup_message "$CRYPTTAB_NAME: successfully unlocked" wait_for_udev 10 return 0 done 
@@ -173,6 +165,33 @@ setup_mapping() { exit 1 } +# setup_mapping() +# post unlock action(s) to fully setup the mapping defined by $CRYPTTAB_NAME, +# $CRYPTTAB_SOURCE, $CRYPTTAB_KEY, $CRYPTTAB_OPTIONS. +setup_mapping() { + local dev fstype vg + + if ! dev="$(dm_blkdevname "$CRYPTTAB_NAME")"; then + # we failed to open the mapping in open_mapping + # -> silently return + return 1 + fi + + if fstype="$(get_fstype "$dev")" && [ "$fstype" = "lvm2" ]; then + if [ ! -x /sbin/lvm ]; then + cryptsetup_message "WARNING: $CRYPTTAB_NAME: lvm is not available" + return 1 + elif vg="$(lvm pvs --noheadings -o vg_name --config 'log{prefix=""}' -- "$dev")"; then + # activate the VG that this PV contributes to + lvm lvchange -a y --sysinit --ignoreskippedcluster -- "$vg" + fi + fi + + cryptsetup_message "$CRYPTTAB_NAME: set up successfully" + wait_for_udev 10 + return 0 +} + ####################################################################### # Begin real processing @@ -217,6 +236,7 @@ if [ -s "$TABFILE" ]; then mkdir -pm0700 /run/cryptsetup modprobe -q dm_crypt + crypttab_foreach_entry open_mapping crypttab_foreach_entry setup_mapping fi -- 2.20.1
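
Review bot: in the hunk at @@ -154,17 +154,9 @@, the reworded message "$CRYPTTAB_NAME: successfully unlocked" means every mapping now reports success twice, because the new setup_mapping() still prints "$CRYPTTAB_NAME: set up successfully" in the second pass. Since the stated goal is less output at boot, consider keeping a single success message per mapping, for example printing the second one only when the lvm step actually ran.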
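
Review bot: in the new setup_mapping() (hunk @@ -173,6 +165,33 @@), lvm lvchange -a y --sysinit --ignoreskippedcluster -- "$vg" runs once per unlocked PV and its exit status is not checked, so a VG spanning two PVs is activated twice and "set up successfully" is printed even when activation fails. Suggest skipping VGs that an earlier entry already activated, testing the lvchange result before the success message, and moving wait_for_udev 10 into the lvm branch, since nothing else in this function creates devices. The header comment also lists $CRYPTTAB_SOURCE, $CRYPTTAB_KEY and $CRYPTTAB_OPTIONS, while the body only reads $CRYPTTAB_NAME.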
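
Review bot: at the two crypttab_foreach_entry calls (hunk @@ -217,6 +236,7 @@), running open_mapping over every entry before any setup_mapping removes the VG activation that used to happen between entries, so an entry whose source device is a logical volume in a VG held by an earlier entry's PV would no longer find its source when it is opened. The old code covered that layout because the lvchange ran right after each unlock, before the next entry reached wait_for_source(). Suggest either stating in the commit message and documentation that such stacked layouts are not supported, or keeping a fallback in the first pass that activates the VG when an entry's source device is missing.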