use entire disk with lvm/encrypted partitioning fails to boot

Moving to cryptsetup, since this is a bug in cryptsetup's initramfstools hooks.

confirming bug. I've done a test install and I'm currently looking into it.

13:49:04 < siretart> pitti: I found out why the cryptroot hook is broken
13:49:14 < siretart> pitti: its the UUID mangling in /etc/fstab
13:49:59 < siretart> pitti: the cryptsetup initramfs hook is comparing /etc/cryptab and /etc/fstab entries. with the UUID mangling, it fails to detect the root device. that's why it doesn't mount root by default

milestoning

I just tested the new versions on the current amd64 alternate daily, and this is still not fixed. Symptoms exactly as in the original description.

It seems that the recent udev update did not actually work. This is fstab:

# /dev/mapper/ubuntu-root
UUID=b744a30f-9186-4bd8-8b34-5ff4562bc466 / ext3 defaults,errors=remount-ro 0 1
# /dev/sda1
UUID=2d5ea572-70b1-43a8-a30a-ecd025ebf417 /boot ext3 defaults 0 2
# /dev/mapper/ubuntu-swap_1
UUID=ff29f720-9e0a-4e89-bce4-790b77668a5c none swap sw 0 0

crypttab seems to be as intended now, no UUIDs for the physical device:
sda5_crypt /dev/disk/by-uuid/cfb63807-6da8-4dc9-93da-892e336c2fb7 none luks

Ah, please forget about my previous comment, it was pretty much nonsense.

The root problem is that /usr/share/initramfs-tools/hooks/cryptroot does not know anything about UUIDs. It needs to be taught to recognize UUIDs in fstab and crypttab and write a sane /conf/conf.d/cryptroot into the initramfs.

Martin Pitt writes ("[Bug 144390] Re: use entire disk with lvm/encrypted partitioning fails to boot"):
> The root problem is that /usr/share/initramfs-tools/hooks/cryptroot does
> not know anything about UUIDs. It needs to be taught to recognize UUIDs
> in fstab and crypttab and write a sane /conf/conf.d/cryptroot into the
> initramfs.

This is not possible, because the UUID of the filesystem is in the
encrypted portion of the disk. So it is no good quoting the fs UUID
in the config file as the on-disk copy is not accessible until the
decryption for the relevant partition or LV has already been set up.

Ian.

Yay! Got it: http://people.ubuntu.com/~pitti/tmp/cryptroot.diff

Reinhard wants to merge some fixes from Debian, too. He'll incorporate the patch.

Hi,

Ian Jackson [2007-10-02 16:49 -0000]:
> Martin Pitt writes ("[Bug 144390] Re: use entire disk with lvm/encrypted partitioning fails to boot"):
> > The root problem is that /usr/share/initramfs-tools/hooks/cryptroot does
> > not know anything about UUIDs. It needs to be taught to recognize UUIDs
> > in fstab and crypttab and write a sane /conf/conf.d/cryptroot into the
> > initramfs.
>
> This is not possible, because the UUID of the filesystem is in the
> encrypted portion of the disk. So it is no good quoting the fs UUID
> in the config file as the on-disk copy is not accessible until the
> decryption for the relevant partition or LV has already been set up.

No, that's alright. The script I am talking about runs at
update-initramfs -u time. What it does is to read fstab and crypttab
and figure out the 'outer' (encrypted) devices that contains the root
file system (which is on the cleartext device in an LVM). It
essentially translates fstab and crypttab into a proper
conf/conf.d/cryptroot file in the initramfs, so that the initramfs
hook knows which device it needs to luksOpen to get the root fs.

cryptsetup (2:1.0.5-2ubuntu1) gutsy; urgency=low

  * Merge new debian version. Remaining changes:
    - cryptsetup is linked dynamically against libgcrypt and libgpg-error.
      This will break systems where /usr is a separate encrypted filesystem
      but not have other bad consequences (in particular, systems with
      encrypted root are still fine). The upsides include better
      security supportability and smaller packages.
    - libcryptsetup.so et al removed from the binary packages. They have
      no stable ABI and are not suitable for use by other packages, and
      were in violation of library policies etc. They're not needed since
      the cryptsetup executable statically contains the relevant parts of
      libcryptsetup.
    - cryptdisks.functions: remove #!/bin/bash as it isn't a script
      by itself; it's only sourced by other scripts. This gets rid
      of the lintian warning `script-not-executable' for this file.
    - stop usplash on user input. LP #62751
    - Always output and read from the console. LP #58794.
    - Add XSBC-Vcs-Bzr tag to indicate that this package is managed using
      bzr on launchpad.
    - Bump libgcrypt11 build-dependency again to 1.2.4-2ubuntu2 to eliminate
      libnsl linkage;
    - debian/initramfs/cryptroot-hook: (LP: #73862)
      Added patch to install aes optimized cypher module
    - try to load optimized cypher module in cryptsetup.functions as well,
      because cryptroot-hook is only executed when we really have a
      cryptoroot.
    - apply patch from pitti for allowing UUIDs in /etc/crypttab.
      This allowes crypted PVs! LP: #144390.
    - remove README.ubuntu, since it contains old and obsolete information.

cryptsetup (2:1.0.5-2) unstable; urgency=low

  [ Jonas Meurer ]
  * Add libselinux1-dev and libsepol1-dev to build-depends. Detected by
    the build daemon from hell by Steinar H. Gunderson. Thanks to Manoj
    Srivastava for advice.
  * Fix the watchfile
  * Fix cryptopensc-hook to honor key=none. Thanks to Daniel Baumann
    (closes: #436434)
  * Remove outdated README.html and example usbcrypto.* scripts from
    documentation. Add example usbcrypto.udev script. Thanks to Volker Sauer
    for the update. (closes: #409775)
  * Document that stdin is read different with '--key-file=-' than without.
    Thanks to Marc Haber. (closes: #418450)
  * Document that --timeout is useless in conjunction with --key-file. Thanks
    Alexander Zangerl. (closes: #421693)
  * [03_check_for_root.dpatch] Check for UID == 0 before actually doing
    something. Thanks to Benjamin Seidenberg. (closes: #401766)
  * [04_fix_unused_or_unitialized_variables.dpatch] Fix some gcc warnings
    about unused or unitialized variables. Thanks to Ludwig Nussel for the
    patch.
  * [05_segfault_at_nonexisting_device.dpatch] Fix segfault when trying to
    open a non existing device. Thanks to Ludwig Nussel for the patch.
    (closes: #438198)
  * Add CFLAGS="$(CFLAGS)" before ./configure invocation in debian/rules.
    This way CFLAGS are passed to the configure script. Thanks to Gordon
    Farquharson for the patch. (closes: #438450)
  * Add a warning about missing hash option in crypt...

Is this going to make it into the final 7.10??

By the way, how do I get into the busybox shell?? It does not drop into this shell after 60s, but I am running in splash mode I guess...How do I boot in text mode? I do not see *anything* before the 'hang'...no grub, no nothing (yes I have an unencrypted /boot).

Andrew Henry <email address hidden> writes:

> Is this going to make it into the final 7.10??

yes, it should be on todays or tomorrows dailies.

> By the way, how do I get into the busybox shell?? It does not drop into
> this shell after 60s, but I am running in splash mode I guess...How do I
> boot in text mode? I do not see *anything* before the 'hang'...no grub,
> no nothing (yes I have an unencrypted /boot).

Please use
https://answers.edge.launchpad.net/ubuntu/+source/cryptsetup/+addquestion
for such questions.

short: edit your boot parameters: remove 'quiet' and 'splash', add
'verbose rootdelay=10'. If you want to break in anycase, add
'break=premount' (or any other point in the initramfs system, look at
the initramfs-tools source package)

--
Gruesse/greetings,
Reinhard Tartler, KeyID 945348A4

I have just tried the current daily alternate cd.
Encrypting the whole disk works (or, at least, it seems to work, atm the installer is formatting my QEMU disk), but if I choose "Manual partitioning" (and create my boot partition+a encrypted one), the installer tells my that I haven't chosen a root partition...

Nikolai's issue was sorted out in IRC.

Reopening, though, since this is still not fixed yet. The initially present initramfs after installation does not have a /conf/conf.d/cryptroot at all. A mere update-initramfs -u fixes that now. So now we need to find out why the post-installation initramfs is broken.

Tested this with today's gutsy alternate CD iso. Still not fixed.

Updated summary:

* During installation, /target does not have a /dev/disk/ bind-mount, so that the initramfs hook cannot do UUID resolution. This could be fixed with adding bind mounting to /var/lib/dpkg/info/base-installer.postinst (to install_extra()).

* The d-i environment lacks /dev/disk/by-uuid for LVM devices, it only has the physical block devices (sda1 and sda5). Therefore, again, UUID resolution fails.

* In the d-i environment, there is /dev/disk/by-id/dm-uuid-LVM-<something strangely encoded that is not an UUID>; it could be a base64-encoded UUID, but I haven't checked that at all

At this point I do not have an idea how to fix it properly with a trivial fix which would be appropriate for gutsy.

The initramfs hook in cryptsetup works fine in the final system. We should make the d-i environment more conformant to the one in the installed system, so that stuff like cryptsetup, LVM, etc. can install properly. Since we committed to consistently using UUIDs everywhere, they should be provided by the installer environment's /dev/, too.

Any comment or hint appreciated, of course.

The original fix should be sufficient, so I close this task again.

Ah, the lack of UUIDs is because the VGs are formatted after being set up. udevtrigger fixes that bit.

Proposed debdiff for base-installer. I am currently testing this with a complete Ubuntu install (not just CLI).

I updated the patch with the following changes:

 * bind-mount the entire /dev, which is more consistent and less likely to break
 * remove the mkdir -p, since it is not necessary any more
 * fixed tab damage
 * updated changelog accordingly

Next try: We should not umount the bind mount of /dev that early, since packages like fuse are actually installed after the install_extras() packages. They also regenerate initramfs and thus UUIDs still need to be present.

With my latest patch from above, packages which call MAKEDEV now fail to install, such as libraw1394-8. This is a bug in those packages, but hard to fix for Gutsy.

New approach: Restore the diversion of update-initramfs and the final call in pkgsel, and just factor the bind-mounting and udevtrigger into this.

With this change, it actually worked!

pkgsel (0.13ubuntu3) gutsy; urgency=low

  * debian/postinst:
    - Revert the changes in 0.13ubuntu2 and use diversion of update-initramfs
      again. When not doing it, we have the unsolvable situation that some
      things (e. g. root on encrypted file system) fail with a static
      /target/dev/, and some other things (like configuration of libraw1394)
      fail with an udevish bind-mounted /target/dev.
    - Use a bind-mounted /target/dev for calling the final update-initramfs,
      so that scripts in the target system can resolve UUIDs. Also make /proc
      and /sys available.
    - Call udevtrigger, so that we get UUIDs for newly created and formatted
      partitions, too.
    - LP: #144390

 -- Martin Pitt <email address hidden> Mon, 08 Oct 2007 22:43:52 +0200