race condition between encrypted device creation and mountall probing with random-encrypted devices (swap, tmp)
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
cryptsetup (Ubuntu) | Fix Released | High | Unassigned | |
Karmic | Fix Released | High | Steve Langasek | |
Lucid | Fix Released | High | Unassigned | |
Bug Description
Binary package hint: mountall
I am using Ubuntu 9.10 with the latest packages applied (apt-get upgrade)
Version of mountall: 1.0
Expected results: /dev/mapper/tmp should be mounted on /tmp
Unexpected results: /dev/mapper/tmp is not mounted on /tmp
In my /etc/crypttab I have:
tmp /dev/sda2 /dev/urandom tmp
swap /dev/sda3 /dev/urandom swap
In my /etc/fstab I have (among other lines), this:
/dev/mapper/tmp /tmp ext2 relatime 0 2
Most of the time the system boots OK, but /tmp never gets mounted.
This appears to be an issue with mountall because if I run mountall from the command line, then /tmp does get mounted.
When the /dev/mapper/tmp device is created (part of the cryptsetup process), the mkfs -t ext2 command is run on /dev/mapper/tmp. It appears mountall is not waiting for this to complete. Should there be a timeout for a dynamically created tmp to be available before it is mounted?
TEST CASE:
1. select a spare partition on your disk, referred to below as /dev/sdf12
2. install the cryptsetup package from karmic.
3. configure it for use with cryptsetup as a device with a random key by adding this line to /etc/crypttab:
/dev/
4. configure the tmp partition to be auto-enabled by adding this line to /etc/fstab:
/dev/
5. ensure the device contains no other filesystem signatures by blanking it with 'dd if=/dev/zero of=/dev/sdf12 bs=$((1024*1024))'
5. reboot
6. verify that the tmp partition is not successfully mounted: mountall should refuse to continue booting the system because the device is unavailable.
7. boot into the rescue shell to comment out the tmp line from /etc/fstab, then reboot
8. upgrade to the karmic-proposed version of cryptsetup
9. re-enable the crypttmp line in /etc/fstab
10. reboot
11. verify that the tmp partition has been successfully mounted, by checking the output of 'mount | grep /tmp'
REGRESSION POTENTIAL:
In order to prevent mountall from seeing the block device before it's been formatted / mkswap'ed for use, cryptsetup must create the device under a different name initially, format, and then rename to the public device name. For sanity's sake, the proposed patch does this for /all/ cryptsetup devices, not just those configured for tmp or swap; and there is a small but finite risk that someone will already have a /dev/mapper/
The '${name}
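The stage, format, then rename sequence described under REGRESSION POTENTIAL, as an added shell example (not the cryptsetup package's patch). The `_staging` suffix, `MAPPER_DIR`, `DRY_RUN`, the function names and the cipher options are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: stage, format, then rename a random-key dm-crypt device.
# STAGING_SUFFIX and MAPPER_DIR are illustrative names, not cryptsetup's own.
STAGING_SUFFIX="${STAGING_SUFFIX:-_staging}"
MAPPER_DIR="${MAPPER_DIR:-/dev/mapper}"

# Print the command when DRY_RUN=1, otherwise execute it.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# setup_random_key_device NAME SOURCE TYPE   (TYPE is "swap" or a mkfs type)
setup_random_key_device() {
    name=$1 src=$2 fstype=$3
    staging="${name}${STAGING_SUFFIX}"

    # Refuse to clobber a mapping that already uses either name.
    for n in "$name" "$staging"; do
        if [ -e "$MAPPER_DIR/$n" ]; then
            echo "refusing: $MAPPER_DIR/$n already exists" >&2
            return 1
        fi
    done

    # 1. Map the device under the private staging name with a throwaway key
    #    (cipher and key size are sample values).
    run cryptsetup open --type plain --cipher aes-xts-plain64 --key-size 256 \
        --key-file /dev/urandom "$src" "$staging" || return 1

    # 2. Format while only the staging name is visible to anything probing.
    if [ "$fstype" = swap ]; then
        run mkswap "$MAPPER_DIR/$staging"
    else
        run mkfs -t "$fstype" "$MAPPER_DIR/$staging"
    fi || { run cryptsetup close "$staging"; return 1; }

    # 3. Publish: the name listed in /etc/fstab appears only now.
    run dmsetup rename "$staging" "$name"
}
```

With `DRY_RUN=1` the function only prints the three commands in order, which makes the ordering easy to inspect without touching a block device.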
affects: | mountall (Ubuntu) → cryptsetup (Ubuntu) |
Changed in cryptsetup (Ubuntu Karmic): | |
assignee: | nobody → Steve Langasek (vorlon) |
importance: | Undecided → High |
milestone: | none → karmic-updates |
status: | New → Triaged |
description: | updated |
tags: | added: regression-release |
Changed in cryptsetup (Ubuntu Karmic): | |
status: | Fix Committed → In Progress |
Changed in cryptsetup (Ubuntu Lucid): | |
status: | Fix Released → In Progress |
tags: |
added: verification-done removed: verification-needed |
Hi out there!
I had the same problem. On jaunty no problems but on karmic (completely updated on 4th Dec).
The new canonical-special init-system isn't perfect.
This routes to the unmountable (non-luks-) cryptsetup-devices:
The new init-system doesn't use the old /etc/inittab. That file is replaced by the *.conf-files in /etc/init/.
The *.conf-files use a syntax for starting themselves by events (see man startup, starting, started, stopping and stopped).
A normal init starts at /etc/init/mountall.conf (and maybe some others). If started the script starts /etc/init/udev.conf. These scripts start other scripts. And so on.
The cryptsetup-devices are starting after mountall.conf and udev.conf from /etc/init/cryptdisks-enable.conf (including /lib/cryptsetup/cryptdisks.functions). This script reads the /etc/crypttab and /etc/default/cryptdisks to create or open the crypted devices.
The mountall.conf runs the new command "mountall" (binary!) that reads the /etc/fstab and tries to mount all devices described therein (exclude the ones with "noauto" option).
Mounting a closed or not created crypt-device like /dev/mapper/crypttmp isn't possible! This is the jumping point! It is necessary to open or create the crypt-devices BEFORE mounting them.
root-Luks-cryptsetup-devices with passphrase-input over keyboard seem to open automatically before running the *.conf-files.
This is my workaround:
--------
1) Basics (with and without an external key-file)
- log in as root (on console with "sudo -s")
- open /etc/init/cryptdisks-enable.conf in an editor
- replace "start on stopped udevtrigger" with "start on startup"
- save the script
- open /etc/init/mountall.conf
- replace "start on startup" with "start on stopping cryptdisks-enable"
- save the script
--------
2) Additionals (just for using a key-file on an external device)
- determine the external device (USB-stick) (e.g. /dev/sdb1)
- for rookies only: replace sdXY in the following codes with the determined indication of your external device
- open (still as root) /etc/fstab
- add "/dev/sdXY /mnt ext2 noauto,ro,dev,nouser,async 0 0"
- for rookies only: instead of /mnt you MUST choose the same directory you use for the key-file-path in /etc/crypttab
- for rookies only: instead of ext2 you MUST choose the filesystem of your external device /dev/sdXY
- for all: you can use other options, but MUST use "noauto", because mountall.conf will try to mount it if that option isn't set
- save fstab
- open /etc/default/cryptdisks in an editor
- replace 'CRYPTDISKS_MOUNT=""' with 'CRYPTDISKS_MOUNT="/dev/sdXY"'
- save the script
so far so good? It works, but...
... there is still a little problem left!
/etc/init/cryptdisks-enable.conf mounts /dev/sdXY but couldn't close it after using. I think, because udevd isn't running at the point of mounting /dev/sdXY. The script udev.conf is started after the cryptdisks-enable.conf stopped. So the mount isn't written in /etc/mtab or given to /proc/mounts.
fact: after booting the system, /dev/sdXY is still mounted on /mnt - but you cannot get any system-output for this! Neither "df" nor "cat /etc/mtab" nor "cat /proc/mounts" tells you anything about it!
...