Re: [systemd-devel] systemctl reboot get terminated by signal 15
Thanks Lennart! I reproduced the issue after set "systemd-analyze log-level debug". It turns out 'systemctl reboot' triggered before all the steps logged in 'journalctl -a'. But I did get the stderr of 'systemctl reboot', paste it as below, please check if it helps to locate the root cause. And besides 'journalctl -a', where can I get the systemd debug logs? stderr: Bus n/a: changing state UNSET → OPENING Bus n/a: changing state OPENING → AUTHENTICATING Executing dbus call org.freedesktop.systemd1.Manager StartUnit(reboot.target, replace-irreversibly) Bus n/a: changing state AUTHENTICATING → RUNNING Sent message type=method_call sender=n/a destination=org.freedesktop.systemd1 path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member=StartUnit cookie=1 reply_cookie=0 signature=ss error-name=n/a error-message=n/a Got message type=method_return sender=org.freedesktop.systemd1 destination=n/a path=n/a interface=n/a member=n/a cookie=5 reply_cookie=1 signature=o error-name=n/a error-message=n/a Sent message type=method_call sender=n/a destination=org.freedesktop.systemd1 path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member=GetUnit cookie=2 reply_cookie=0 signature=s error-name=n/a error-message=n/a -- Best regards, Pengpeng On 2021/4/19, 10:37 PM, "Lennart Poettering" wrote: On Mo, 19.04.21 14:29, Pengpeng Sun (pengpe...@vmware.com) wrote: > Hi there, > > Our program executes 'systemctl reboot' in a child process to reboot > Linux right after its booted, Sometimes there is no error, but > sometimes the child process terminated due to received uncaught > signal 15, then no reboot happened. WIFSIGNALED evaluated a non-zero > value, WTERMSIG evaluated 15. Don't understand why the uncaught > signal 15 happened here, could you please shed light on this, > Thanks. 15 is SIGTERM, i.e. the signal sent when a process is politely asked to shut down. Something is terminating your process. It could be systemd, could be something else. To track down what it is, maybe turn on debug logging in systemd, maybe you find the explanation there. i.e. "systemd-analyze log-level debug" and then reproduce the issue. ALternatively, install a signal handler for SIGTERM via sigaction, and look into the .si_pid field of the siginfo_t you can receive in the handler. It tells you which processes sent the SIGTERM. Lennart -- Lennart Poettering, Berlin ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] [dm-crypt] Kdump with full-disk LUKS encryption
Hi, Thanks a lot, these info are very helpful. Better to keep it for debugging for now, and ask users to use it very carefully. On Tue, Apr 20, 2021 at 3:54 PM Milan Broz wrote: > > Hi, > > TL;DR what you are trying to do is to actually reverse many security measures > we added. It is perhaps acceptable for debugging but hardly for real generic > system. > > - using memory-hard function increases cost of dictionary and brute-force > attacks > You can always decrease amount of memory needed, but you should do it only > if you know that security margin is ok (like password is randomly generated > with enough entropy). > > - key is in keyring to remove possibility for normal userspace to receive > the key from kernel. Moreover, there is no need to retain kernel in keyring > once > dm-crypt device is activated. (It is still in kernel memory but only in crypto > functions context). (Systemd also uses keyring to cache passphrase but that's > different thing.) > > You can still use old way for activation with --disable-keyring activation, > but then you disable this possibility. > > More comments below. > > On 19/04/2021 12:00, Kairui Song wrote: > > Hi all, > > > > I'm currently trying to add kdump support for systemd with full-disk > > LUKS encryption. vmcores contain sensitive data so they should also be > > protected, and network dumps sometimes are not available. So kdump has > > to open the LUKS encrypted device in the kdump environment. > > > > I'm using systemd/dracut, my work machine is running Fedora 34, and > > there are several problems I'm trying to solve: > > 1. Users have to input the password in the kdump kernel environment. > > But users often don't have shell access to the kdump environment. > > (headless server, graphic card not working after kexec, both are very > > common) > > 2. LUKS2 prefers Argon2 as the key derivation function, designed to > > use a lot of memory. kdump is expected to use a minimal amount of > > memory. Users will have to reserve a huge amount of memory for kdump > > to work (eg. 1G reserve for kdump with 4G total memory which is not > > reasonable). > > When I added Argon2 to LUKS2, I actually expected such issues. Despite > some people beats me that they cannot use arbitrary amount of memory, > we have some hard limits that were selected that it should work on most recent > systems. Maybe kdump can live with it. > > - maximum memory cost limit is 4GB, no LUKS2 device can use more for Argon2 > - we never use more than half of available physical memory >(measured on the host where the device was formatted) > - required amount of memory is visible in LUKS2 metadata (luksDump) >for the particular keyslot (Memory: the value is in kB) > - we use benchmark to calculate memory cost with prefered unlocking >time 2 seconds (again, on the device where LUKS was formatted) >Small systems (like RPi2) the uses much smaller acceptable values. > You can configure all costs (time, memory, threads) during format > or even set them to predefined values. > > I am sorry, but there is really no way around this - and the requeired > memory must be physical memory (otherwise it slows down extremely). > This is a feature, not a bug :-) > > > > To fix these problems, I tried to pass the master key to the second > > kernel directly via initramfs. Kdump will modify the initramfs in > > ramfs to include the key, kexec_load it, and never write to any actual > > back storage. This worked with old LUKS configurations. > > Well, passing volume key this way is quite insecure, but perhaps > acceptable for debugging. > > > > > But LUKS2/cryptsetup now stores the key in the kernel keyring by > > default. The key is accessible from userspace. > > If you are talking about volume key (not passsphrase), it is not > available from userspace. Only reference to it. But you can use > this reference to construct in-kernel dm-crypt device. > Please read > https://gitlab.com/cryptsetup/cryptsetup/-/blob/master/docs/Keyring.txt > > > Users can enter the password to start kdump manually and then it will > > work, but usually people expect kdump service to start automatically. > > > > (WIP patch series: > > https://lists.fedoraproject.org/archives/list/ke...@lists.fedoraproject.org/thread/RTYJEQ4BV25JYVYJHTTPOK476FUEJOWW/) > > > > I've several ideas about how to improve it but not sure which one is > > better, and if this is a good idea after all: > > 1. Simply introduce a config to let systemd-cryptsetup disable kernel > > keyring on setup, there is currently no such option. > > Well, that option could be useful anyway and we have support for it > in cryptsetup (--disable-keyring CLI option) and libcryptsetup, so why not. > Just this should not be a default option. > > This is should be patch for systemd-cryptsetup only as libcryptsetup supports > it. > > ... > > > 2. If we can let the key stay in userspace for a little longer, eg. > > for systems booted with dracut/systemd, when > >
[systemd-devel] Antw: [EXT] Kdump with full-disk LUKS encryption
>>> Kairui Song schrieb am 19.04.2021 um 12:00 in Nachricht : > Hi all, > > I'm currently trying to add kdump support for systemd with full‑disk > LUKS encryption. vmcores contain sensitive data so they should also be > protected, and network dumps sometimes are not available. So kdump has > to open the LUKS encrypted device in the kdump environment. > > I'm using systemd/dracut, my work machine is running Fedora 34, and > there are several problems I'm trying to solve: > 1. Users have to input the password in the kdump kernel environment. > But users often don't have shell access to the kdump environment. > (headless server, graphic card not working after kexec, both are very > common) > 2. LUKS2 prefers Argon2 as the key derivation function, designed to > use a lot of memory. kdump is expected to use a minimal amount of > memory. Users will have to reserve a huge amount of memory for kdump > to work (eg. 1G reserve for kdump with 4G total memory which is not > reasonable). I'm not a LUKS specialist, but can't you use different KDFs in a different key slot? That may weaken the security of course. > > To fix these problems, I tried to pass the master key to the second > kernel directly via initramfs. Kdump will modify the initramfs in > ramfs to include the key, kexec_load it, and never write to any actual > back storage. This worked with old LUKS configurations. > > But LUKS2/cryptsetup now stores the key in the kernel keyring by > default. The key is accessible from userspace. > > Users can enter the password to start kdump manually and then it will > work, but usually people expect kdump service to start automatically. > > (WIP patch series: > https://lists.fedoraproject.org/archives/list/ke...@lists.fedoraproject.org/ > thread/RTYJEQ4BV25JYVYJHTTPOK476FUEJOWW/) > > I've several ideas about how to improve it but not sure which one is > better, and if this is a good idea after all: > 1. Simply introduce a config to let systemd‑cryptsetup disable kernel > keyring on setup, there is currently no such option. > > 2. If we can let the key stay in userspace for a little longer, eg. > for systems booted with dracut/systemd, when > systemd‑cryptsetup@%s.service opens the crypt device, keep the key in > dm‑crypt. And later when services like kdump have finished loading, > cryptsetup can refresh the device and store the key in the kernel > keyring again. > > 3. Let kdump use some custom helper/service to load all needed > resources in the early initrd boot stage, prior to > systemd‑cryptsetup@%s.service. It will ask the password / parse the > keyfile and load kdump, then provide info for systemd‑cryptsetup or > just do the setup. Or maybe let systemd‑cryptsetup support some kind > of "plugins" so other tools can use it. > > 4. A better and safer solution seems to keep a consistent key ring > between kexec boots but also more complex and difficult as different > arch implements kexec differently. > > Any suggestions are welcomed! > > ‑‑ > Best Regards, > Kairui Song > > ___ > systemd‑devel mailing list > systemd‑de...@lists.freedesktop.org > https://lists.freedesktop.org/mailman/listinfo/systemd‑devel ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/systemd-devel
