From: Jookia <166291@gmail.com>
Subject: Re: [PATCH] DISCUSSION: Jookia's Libreboot+LUKS+LVM FDE patch.
Date: Fri, 11 Mar 2016 08:11:49 +1100
Message-ID: <20160310211149.GA17073@novena-choice-citizen.lan>
References: <56e0c4cf.08d0190a.6a127.0d35@mx.google.com> <87r3fitiu6.fsf@gnu.org>
In-Reply-To: <87r3fitiu6.fsf@gnu.org>
To: Ludovic Courtès
Cc: guix-devel@gnu.org
List-Id: "Development of GNU Guix and the GNU System distribution."

On Thu, Mar 10, 2016 at 05:10:09PM +0100, Ludovic Courtès wrote:
> Jookia <166291@gmail.com> skribis:
>
> > So I've come up with the following hack commit that effectively
> > stops any sort of dependency management and adds some new targets
> > for LVM and LUKS with a keyfile.
> >
> > Here's my current setup, take note that order of mapped devices
> > matters since there's no dependency management:
> >
> > (mapped-devices (list (mapped-device
> >                         (source "/dev/sda")
> >                         (target "hdd")
> >                         (type (luks-device-keyfile-mapping
> >                                 (local-file "/root/keyfile"))))
> >                       (mapped-device
> >                         (source "/dev/mapper/hdd")
> >                         (target "matrix")
> >                         (type lvm-device-mapping))))
> >
> > (file-systems (cons (file-system
> >                       (device "/dev/mapper/matrix-root")
> >                       (title 'device)
> >                       (mount-point "/")
> >                       (type "ext4"))
> >                     %base-file-systems))
> >
> > (swap-devices '("/dev/mapper/matrix-swap"))
>
> As you note, and as discussed on IRC, this is not OK because the private
> key ends up being stored world-readable in the store.  :-/

That's one thing to talk about: store permissions and what to do about
them. I also have another situation where I want to run a container with
an OpenVPN service, but I'd have to pass credentials to them somehow. It's
tricky to do this on NixOS because I'd have to edit the container files,
which means I now have state not only in /etc but in my containers too!
Setting permissions to just 'root' might be a bit bad if a container's
'root' also gets to read it, or containers can read each other's 'root'
values.

> Am I missing the part you wanted to discuss?

I'd really like to discuss how much I needed to break to get the
mapped-devices, file-systems and swap-devices to just 'work'. I even had
to make a function to return a mapped-device type, and have swap-devices
not do dependency tests since I technically don't use a device I've
defined.
It'd be much much better if I could do something like this in my services:

(devices (list (file-system
                 (uses '("/dev/matrix/root"))
                 (creates '("/"))
                 (device "/dev/matrix/root")
                 (mount-point "/")
                 (type "ext4"))
               (swap-device
                 (uses '("/dev/mapper/matrix-swap"))
                 (creates '())
                 (device "/dev/mapper/matrix-swap"))
               (lvm-device
                 (uses '("/dev/mapper/hdd" "/dev/sdb"))
                 (creates '("/dev/matrix/" "/dev/mapper/matrix-swap"))
                 (devices '("/dev/mapper/hdd" "/dev/sdb")))
               (luks-device
                 (uses '("UUID=4dab5feb-d176-45de-b287-9b0a6e4c01cb"))
                 (creates '("/dev/mapper/hdd"))
                 (device "UUID=4dab5feb-d176-45de-b287-9b0a6e4c01cb")
                 (name "hdd")
                 (key-file "..."))))

The issue is that it has a lot of duplicate information as I'm not sure
uses/creates could always map to device/mount-point, like LUKS names. But
this should satisfy most dependency issues automatically, I hope.

> Thanks,
> Ludo’.
>
> PS: I still intend to look at the patch series you sent ;-), just
> prioritizing things that relate to 0.9.1.

That's fine. :)

Jookia.