On Mon, 15.10.12 11:42, Jakob Hetzelein ([email protected]) wrote:

> Dear list,
>
> since there don't seem to be many people around worrying about the
> interaction between *Truecrypt and systemd*, I recently encountered the
> problem of incorporating the mounting of my home directory neatly into
> systemd's start up process. Since I use Arch, I mainly found information
> on the respective¹ forums². Although this helped quite a lot, there are
> still some questions open and I wanted to ask for some assistance here:
>
> Which way would you recommend to use to mount an encrypted filesystem in
> the boot process using systemd?

We'd recommend following a scheme similar to what we implemented for LUKS
here: at boot (and config reload), a small generator tool converts
/etc/crypttab into native systemd units which are pulled in as necessary.
Querying for passwords is done via the password agent logic implemented in
systemd, which is enough to make things work correctly if Plymouth is used,
i.e. the password prompt is properly brought to the screen regardless of
whether you use a text-only boot, or a graphical boot via plymouth.

http://www.freedesktop.org/software/systemd/man/systemd-cryptsetup-generator.html
http://www.freedesktop.org/wiki/Software/systemd/Generators
http://www.freedesktop.org/wiki/Software/systemd/PasswordAgents

> 1. Instinctively, I'd go for *fstab*, but that didn't work out. The
> fstab way described in the Arch wiki³ works with sysv, but not with
> systemd: I presume this is due to StandardInput not being given to tty in
> the mount scripts. Is that possible somehow? When using truecrypt, it is
> paramount to be able to enter the password/keyfiles while mounting the
> volume, thus StandardInput=tty(-force) might be necessary at some point
> in the .mount mechanism, but I don't know where.

We don't really support interactive scripts like this. Please use the
password agent logic instead. "systemd-ask-password" is a command line
tool to make use of this, which is easily used from shell scripts.

> But here, my questions are:
>
> a) Do you consider this a sound service?

I guess, but we can only advise against using StandardInput=tty...

Also, you probably want to make this an early-boot service, so that this
is fully initialized by the time the main system services are spawned.
Use DefaultDependencies=no for that.

> b) Should I change _WantedBy_ to _local-fs.target_ or any other
> target?

This really depends on your usage. local-fs.target sounds like a good idea
though, but only if you use DefaultDependencies=no. That's because
local-fs.target is ordered before basic.target, and services with the
default of DefaultDependencies=yes will get ordered after that. Hence you
would create a dep loop here.

Instead of appropriating local-fs.target for this you might choose to
appropriate cryptsetup.target for this instead, or introduce your own
truecrypt.target.

Also see:

http://www.freedesktop.org/software/systemd/man/bootup.html

> c) Should I insert an _After_ line?

This might make sense to ensure that your service is only run after the
low-level device showed up.

> d) As you can see, I use mpd and thus have included a
> _Before=mpd.service_ line in order to let mpd wait for this service to
> finish loading. I think that is fine and should also determine the
> shutdown process to proceed in the reverse order, right?

mpd is a normal service, hence if you follow the advice regarding
DefaultDependencies= above you don't need any special ordering.

Lennart

--
Lennart Poettering - Red Hat, Inc.
_______________________________________________
systemd-devel mailing list
[email protected]
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
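Putting Lennart's advice together, here is an added example of what such an early-boot unit and its helper could look like. It is not code from the thread or from the systemd project, and it assumes a TrueCrypt volume on /dev/sdb1 mounted at /home, a helper installed as /usr/local/sbin/truecrypt-unlock, and TrueCrypt 7's text-mode options (-t, --non-interactive, -k, --protect-hidden, -p, -d). The check_unit function encodes the dependency-loop rule from the reply: anything ordered before local-fs.target or cryptsetup.target must carry DefaultDependencies=no.

```shell
#!/bin/sh
# Added example, not from the systemd-devel thread: an early-boot service
# that unlocks and mounts a TrueCrypt volume through systemd-ask-password
# instead of StandardInput=tty. Device, mount point and helper path are
# placeholders.
set -eu

# Emit the .service unit. Arguments: helper path, device unit, volume, mount point.
print_unit() {
    helper=$1 devunit=$2 volume=$3 mountpoint=$4
    cat <<EOF
[Unit]
Description=Unlock and mount TrueCrypt volume $volume
# Early-boot unit: without this the implicit After=basic.target would form
# a dependency loop with local-fs.target (see bootup(7)).
DefaultDependencies=no
# Only start once the low-level device has shown up, and go away with it.
BindsTo=$devunit
After=$devunit
# Finish before the filesystem milestones; dismount during shutdown.
Before=cryptsetup.target local-fs.target umount.target
Conflicts=umount.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=$helper unlock $volume $mountpoint
ExecStop=/usr/bin/truecrypt -t --non-interactive -d $volume

[Install]
WantedBy=cryptsetup.target
EOF
}

# A constructed unit in the shape the original poster described: hooked into
# local-fs.target but still with DefaultDependencies=yes (the default).
bad_unit_example() {
    cat <<'EOF'
[Unit]
Description=Mount TrueCrypt home (loops at boot)
Before=local-fs.target

[Service]
Type=oneshot
ExecStart=/usr/bin/truecrypt -t /dev/sdb1 /home
StandardInput=tty

[Install]
WantedBy=local-fs.target
EOF
}

# Dependency-loop check from the thread: a unit ordered before (or wanted
# by) local-fs.target or cryptsetup.target must set DefaultDependencies=no,
# otherwise it is implicitly After=basic.target, which closes a cycle.
# Reads the unit text on stdin; returns 0 if it is safe, 1 otherwise.
check_unit() {
    text=$(cat)
    if printf '%s\n' "$text" |
        grep -Eq '^(Before|WantedBy|RequiredBy)=.*(local-fs|cryptsetup)\.target'; then
        printf '%s\n' "$text" | grep -q '^DefaultDependencies=no$' || return 1
    fi
    return 0
}

# Ask for the passphrase through systemd's password agents (console or
# plymouth) and hand it to truecrypt. Never runs from a tty.
unlock_volume() {
    volume=$1 mountpoint=$2
    password=$(systemd-ask-password "Passphrase for TrueCrypt volume $volume:") || return 1
    # -k "" and --protect-hidden=no answer TrueCrypt's remaining questions so
    # --non-interactive can be used. Caveat: -p places the passphrase in
    # truecrypt's argv, visible in /proc/PID/cmdline while it starts.
    truecrypt -t --non-interactive -k "" --protect-hidden=no \
        -p "$password" "$volume" "$mountpoint"
}

# Dispatcher: `truecrypt-unlock unlock VOLUME MOUNTPOINT` is what ExecStart
# calls; `truecrypt-unlock unit DEVUNIT VOLUME MOUNTPOINT` prints the unit.
case "${1:-}" in
    unlock) unlock_volume "$2" "$3" ;;
    unit)   print_unit /usr/local/sbin/truecrypt-unlock "$2" "$3" "$4" ;;
    *) ;;
esac
```

Install the helper, write the output of `truecrypt-unlock unit dev-sdb1.device /dev/sdb1 /home` to /etc/systemd/system/truecrypt-home.service, and enable it. Because the unit has DefaultDependencies=no, ordinary services such as mpd need no Before=/After= lines of their own: they are implicitly after basic.target, and the unit is done before local-fs.target. The passphrase-in-argv caveat is inherent in driving TrueCrypt's text mode non-interactively; a keyfile-protected volume avoids it.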
