Re: customizing systemd config
From: gsslist+deb...@anthropohedron.net
> To: debian-user@lists.debian.org
>
> On Fri, Aug 11, 2017 at 07:04:54PM +0200, Christian Seiler wrote:
>> Hi there,
>>
>> On 08/11/2017 04:42 AM, Gregory Seidman wrote:
>> > I'm trying to recreate under systemd something I had previously cobbled
>> > together with shell scripts and init levels under sysvinit.
>> >
>> > Only a few services ran under init 2, the default set in /etc/inittab,
>> > including privoxy and ssh; the rest of the services I wanted running, such
>> > as fetchmail, exim4, courier-imap, apache2, etc. would be started at init
>> > level 3. Those services required an encrypted volume (actually a RAID that
>> > was an encrypted LVM PV for a VG with several volumes) to be configured and
>> > mounted before they could be started.
>>
>> I've blogged about this very scenario a while back:
>> https://blog.iwakd.de/headless-luks-decryption-via-ssh
>>
>> Note that I wrote that mainly to explain some details about
>> systemd using a specific example, I personally am not actually
>> using that kind of setup. For a headless server of mine I use
>> full disk encryption (LUKS) for everything except /boot and
>> unlock the entire system in the initramfs. I also mention that
>> approach in my blog post, but wanted to stress it here again
>> because I think that the initramfs-based decryption is the
>> better way to do this. For that alternative take a look at:
>> https://projectgus.com/2013/05/encrypted-rootfs-over-ssh-with-debian-wheezy/
>
> This not only gave me the understanding I was looking for, but a
> new perspective on it as well. Thank you!
>
>> Regards,
>> Christian
>
> --Greg

I think you're getting off-topic here and hijacking the thread. Start a "different" one. I am expecting to see customization of systemd here, not some wheezy crap!

I am being sarcastic, don't take it personally! I recently installed a wheezy on my pc and for a little while I thought the NOS-valve has hit in my gas-powered old pc. WOW!!
Of course that was just a test-bed to see how devuan would transform a pre-systemd system. Flawlessly I might say.
Re: customizing systemd config
On Fri, Aug 11, 2017 at 07:04:54PM +0200, Christian Seiler wrote:
> Hi there,
>
> On 08/11/2017 04:42 AM, Gregory Seidman wrote:
> > I'm trying to recreate under systemd something I had previously cobbled
> > together with shell scripts and init levels under sysvinit.
> >
> > Only a few services ran under init 2, the default set in /etc/inittab,
> > including privoxy and ssh; the rest of the services I wanted running, such
> > as fetchmail, exim4, courier-imap, apache2, etc. would be started at init
> > level 3. Those services required an encrypted volume (actually a RAID that
> > was an encrypted LVM PV for a VG with several volumes) to be configured and
> > mounted before they could be started.
>
> I've blogged about this very scenario a while back:
> https://blog.iwakd.de/headless-luks-decryption-via-ssh
>
> Note that I wrote that mainly to explain some details about
> systemd using a specific example, I personally am not actually
> using that kind of setup. For a headless server of mine I use
> full disk encryption (LUKS) for everything except /boot and
> unlock the entire system in the initramfs. I also mention that
> approach in my blog post, but wanted to stress it here again
> because I think that the initramfs-based decryption is the
> better way to do this. For that alternative take a look at:
> https://projectgus.com/2013/05/encrypted-rootfs-over-ssh-with-debian-wheezy/

This not only gave me the understanding I was looking for, but a
new perspective on it as well. Thank you!

> Regards,
> Christian

--Greg
Re: customizing systemd config
Hi there,

On 08/11/2017 04:42 AM, Gregory Seidman wrote:
> I'm trying to recreate under systemd something I had previously cobbled
> together with shell scripts and init levels under sysvinit.
>
> Only a few services ran under init 2, the default set in /etc/inittab,
> including privoxy and ssh; the rest of the services I wanted running, such
> as fetchmail, exim4, courier-imap, apache2, etc. would be started at init
> level 3. Those services required an encrypted volume (actually a RAID that
> was an encrypted LVM PV for a VG with several volumes) to be configured and
> mounted before they could be started.

I've blogged about this very scenario a while back:
https://blog.iwakd.de/headless-luks-decryption-via-ssh

Note that I wrote that mainly to explain some details about systemd using a specific example, I personally am not actually using that kind of setup. For a headless server of mine I use full disk encryption (LUKS) for everything except /boot and unlock the entire system in the initramfs. I also mention that approach in my blog post, but wanted to stress it here again because I think that the initramfs-based decryption is the better way to do this. For that alternative take a look at:
https://projectgus.com/2013/05/encrypted-rootfs-over-ssh-with-debian-wheezy/

Regards,
Christian
customizing systemd config
I'm trying to recreate under systemd something I had previously cobbled together with shell scripts and init levels under sysvinit.

Only a few services ran under init 2, the default set in /etc/inittab, including privoxy and ssh; the rest of the services I wanted running, such as fetchmail, exim4, courier-imap, apache2, etc. would be started at init level 3. Those services required an encrypted volume (actually a RAID that was an encrypted LVM PV for a VG with several volumes) to be configured and mounted before they could be started.

I wrote a shell script that I'd run manually which would take the encryption password (via /etc/init.d/cryptdisks start), ensure that the volume group was found, mount the filesystems, then run init 3. There was also a flag in case I needed to get the VG up without mounting any volumes (e.g. to run a manual fsck on some volume).

I have a new server with a fresh install of stretch and I'm trying to make it just a systemctl start (or stop) to achieve the following:

1) the default.target (i.e. multi-user.target) is equivalent to init 2 with minimal services
2) "systemctl start decrypted" gets the encrypted VG up and running but doesn't mount any filesystems
3) "systemctl start operating" makes sure everything in "decrypted" is up before mounting the volumes then launching the various services
4) "systemctl stop operating" stops the various services and attempts to unmount those filesystems
5) "systemctl stop decrypted" stops everything from "operating" and shuts down the volume group and decryption

The first challenge is that the cryptsetup package still installs itself (cryptdisks and cryptdisks-early) in /etc/init.d, which means that systemd goes through a process I don't properly understand to run it; it seems to be generating a unit file in /run/systemd/generator.late for it using the LSB header on the /etc/init.d script. (Also, by default and installed as part of the systemd package, /lib/systemd/system/cryptdisks.service is a symlink to /dev/null which, I believe, prevents the generated service from being enabled.)

It looks like (and according to the systemd.unit man page) I can override the generated cryptdisks.service unit file with configuration in /etc/systemd/system/cryptdisks.service.d/override.conf, at least according to what "systemctl edit cryptdisks" creates. I know that's a piece of the puzzle, but I'm still missing something.

If I'm even on the right track (and if I'm not please set me straight), I have the following questions (and probably more to come):

1) Should "decrypted" and "operating" be .target units or something else?
2) What would I put in e.g. /etc/systemd/system/fetchmail.d/override.conf to prevent it from starting under multi-user.target? Or is it a matter of removing symlinks from /*/systemd/*/*.wants directories?
3) Is there a systemd command to help me with managing this (including transitive wants)? Or is it requires? What's the difference between wants and requires anyway?
4) What would I put in /etc/systemd/system/cryptdisks.d/override.conf to remove its "Before=checkfs.service" reverse dependency?
5) How do I specify the post-decryption mounts? Can I just set them up in /etc/fstab as noauto then symlink the generated .mount units to a .wants?

Thanks in advance,
--Greg
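Added example, not from the thread or from any Debian package: one way to lay out the two targets, the stop propagation and the noauto mounts the post asks about, as a shell script that writes the unit files and drop-ins (set ROOT to a staging directory to inspect them before installing). The crypttab mapping name cryptraid, the /var/mail mount and fetchmail as the sample service are assumptions standing in for the poster's real names; closing the LUKS device and deactivating the VG on stop are not covered.

```shell
#!/bin/sh
# Added example (not from the thread): the two-stage "decrypted"/"operating"
# layout as systemd targets plus drop-ins. Unit, mapping and mount names
# (cryptraid, /var/mail, fetchmail) are assumptions standing in for the
# poster's real ones. ROOT=/ installs; ROOT=/tmp/stage lets you inspect first.
set -eu

write_units() {
    d="$1/etc/systemd/system"
    mkdir -p "$d/fetchmail.service.d" "$d/var-mail.mount.d"

    # Stage 1: unlock only. With "noauto" on the crypttab line for cryptraid,
    # boot does not pull the unlock in; Requires= (unlike Wants=) makes a
    # failed unlock fail this target instead of being ignored.
    cat >"$d/decrypted.target" <<'EOF'
[Unit]
Description=Encrypted volume group unlocked, nothing mounted
Requires=systemd-cryptsetup@cryptraid.service
After=systemd-cryptsetup@cryptraid.service
EOF

    # Stage 2: mounts and services, ordered after stage 1. /var/mail is a
    # "noauto" line in /etc/fstab, so local-fs.target leaves its generated
    # var-mail.mount alone and only this target starts it.
    cat >"$d/operating.target" <<'EOF'
[Unit]
Description=Volumes mounted and mail/web services running
Requires=decrypted.target var-mail.mount
After=decrypted.target var-mail.mount
EOF

    # Requires= only propagates start; PartOf= makes "systemctl stop operating"
    # also stop the mount and the service. Stop order is the reverse of After=,
    # so fetchmail stops before /var/mail is unmounted. "systemctl stop decrypted"
    # then stops operating.target too, because operating.target requires it.
    cat >"$d/var-mail.mount.d/override.conf" <<'EOF'
[Unit]
PartOf=operating.target
EOF
    cat >"$d/fetchmail.service.d/override.conf" <<'EOF'
[Unit]
PartOf=operating.target
After=var-mail.mount
EOF
}

if [ -n "${ROOT:-}" ]; then write_units "$ROOT"; fi
# Afterwards, on the live system: systemctl daemon-reload; systemctl disable
# fetchmail.service (drops the multi-user.target.wants symlink); then
# systemctl add-wants operating.target fetchmail.service.
```

The disable/add-wants pair answers the symlink question directly: the service's own WantedBy=multi-user.target install symlink goes away and a Wants symlink under operating.target.wants takes its place.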