* bug#30922: LUKS-encrypted root fails using device numbering, needs luksUUID
@ 2018-03-24 8:22 Jan Nieuwenhuizen
2018-03-26 13:37 ` Ludovic Courtès
From: Jan Nieuwenhuizen @ 2018-03-24 8:22 UTC (permalink / raw)
To: 30922
Hi!
Following the example in 6.2.4 Mapped Devices

    (mapped-device
      (source "/dev/sda3")
      (target "home")
      (type luks-device-mapping))

I chose not to use the UUID alternative for encrypted root; I'm terrible
at memorizing and typing UUIDs. So I used this snippet (full
bare-luks.scm below)

    (mapped-device
      ;; This does not work
      (source "/dev/nvme0n1p1")
      ;; This works (output of cryptsetup luksUUID /dev/nvme0n1p1)
      ;; (source (uuid "50d96f54-1dbb-48f8-bca5-2f1feb5ff144"))
      (target "guix")
      (type luks-device-mapping))

For disk partitioning, I did

    cryptsetup luksFormat /dev/nvme0n1p1
    cryptsetup open --type=luks /dev/nvme0n1p1 guix
    mkfs.ext4 -L guix /dev/mapper/guix

then install, something like

    mount /dev/mapper/guix /mnt
    herd start cow-store /mnt
    guix system init /mnt/root/bare-luks.scm /mnt

After booting I get

    Device /dev/nvme0n1p1 doesn't exist or access denied

Using the luksUUID, it works. Except for this hurdle a pleasant and
straightforward fresh install :-)
Greetings,
janneke
--8<---------------cut here---------------start------------->8---
;; lsblk.out
;; NAME          MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINT
;; sda             8:0    1 14.5G  0 disk
;; ├─sda1          8:1    1  1.4G  0 part
;; └─sda2          8:2    1   40M  0 part
;; nvme0n1       259:0    0  477G  0 disk
;; └─nvme0n1p1   259:1    0  477G  0 part
;;   └─guix      253:0    0  477G  0 crypt /mnt
--8<---------------cut here---------------end--------------->8---
--8<---------------cut here---------------start------------->8---
;; bare-luks.scm
(use-modules (gnu))
(use-service-modules networking ssh)
(use-package-modules screen ssh)

(define %supplementary-groups '("wheel" "netdev" "audio" "video" "lp" "kvm"))

(operating-system
  (host-name "dundal")
  (timezone "Europe/Amsterdam")
  (locale "en_US.utf8")
  (bootloader (bootloader-configuration
               (bootloader grub-bootloader)
               (target "/dev/nvme0n1")))
  (mapped-devices
   (list (mapped-device
          ;; This does not work
          (source "/dev/nvme0n1p1")
          ;; This works (output of cryptsetup luksUUID /dev/nvme0n1p1)
          ;; (source (uuid "50d96f54-1dbb-48f8-bca5-2f1feb5ff144"))
          (target "guix")
          (type luks-device-mapping))))
  (file-systems
   (cons* (file-system (title 'device)
                       (device "/dev/mapper/guix")
                       (mount-point "/")
                       (type "ext4")
                       (dependencies mapped-devices))
          %base-file-systems))
  (groups
   (cons* (user-group (name "janneke"))
          %base-groups))
  (users
   (cons* (user-account
           (name "janneke")
           (group "janneke")
           (uid 1000)
           (supplementary-groups %supplementary-groups)
           (home-directory "/home/janneke"))
          %base-user-accounts))
  (packages (cons* screen openssh wpa-supplicant-minimal %base-packages))
  (services (cons* (dhcp-client-service)
                   (console-keymap-service "dvorak" "ctrl")
                   (service openssh-service-type
                            (openssh-configuration
                             (port-number 2222)
                             (permit-root-login #t)
                             (allow-empty-passwords? #f)
                             (password-authentication? #t)))
                   %base-services)))
--8<---------------cut here---------------end--------------->8---
--
Jan Nieuwenhuizen <janneke@gnu.org> | GNU LilyPond http://lilypond.org
Freelance IT http://JoyofSource.com | Avatar® http://AvatarAcademy.com
* bug#30922: LUKS-encrypted root fails using device numbering, needs luksUUID
From: Ludovic Courtès @ 2018-03-26 13:37 UTC (permalink / raw)
To: Jan Nieuwenhuizen; +Cc: 30922, 30604
Hello,
Jan Nieuwenhuizen <janneke@gnu.org> writes:
> After booting I get
>
> Device /dev/nvme0n1p1 doesn't exist or access denied
This message comes from ‘cryptsetup’.
The ‘init’ script for the config you posted does this:
--8<---------------cut here---------------start------------->8---
(boot-system #:mounts (map spec->file-system
                           (quote (("/dev/mapper/guix"
                                    device "/" "ext4" ()
                                    #f #t))))
             #:pre-mount (lambda ()
                           (and (let ((source "/dev/nvme0n1p1"))
                                  (use-modules (rnrs bytevectors)
                                               ((gnu build file-systems)
                                                #:select
                                                (find-partition-by-luks-uuid)))
                                  (zero? (system*
                                          "/gnu/store/v5r0dx5v08847rcy033kyish6m3b3621-cryptsetup-static-1.7.5/sbin/cryptsetup"
                                          "open" "--type" "luks"
                                          (if (bytevector? source)
                                              (or (let loop ((tries-left 10))
                                                    (and (positive? tries-left)
                                                         (or (find-partition-by-luks-uuid source)
                                                             (begin
                                                               (sleep 1)
                                                               (loop (- tries-left 1))))))
                                                  (error "LUKS partition not found" source))
                                              source)
                                          "guix")))))
             …
--8<---------------cut here---------------end--------------->8---
IOW, it does the right thing whether or not you’re using a UUID.
However, when using a UUID, it waits for the device to show up, whereas
otherwise it assumes the /dev node is already there and invokes
‘cryptsetup’ right away.
We should fix that and generalize the wait-for-device loop, which
already exists in a couple of instances.
There are connections with <https://bugs.gnu.org/30604>.
Ludo’.
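
Added example, not part of the thread and not Guix's actual fix: a Guile sketch of the generalized wait-for-device loop suggested above, giving a plain /dev path the same retry that a LUKS UUID already gets. The names wait-for-device and source->resolver, the find-by-uuid parameter (standing in for find-partition-by-luks-uuid) and the demo values are assumptions.

```scheme
;; Added example; hypothetical names, not code from Guix.
(use-modules (rnrs bytevectors))

(define* (wait-for-device resolve #:key (tries 10) (interval 1))
  "Call RESOLVE, a thunk returning a device file name or #f, up to TRIES
times, sleeping INTERVAL seconds between attempts.  Return the device file
name, or raise an error if the device never shows up."
  (let loop ((tries-left tries))
    (cond ((not (positive? tries-left))
           (error "device did not show up; attempts:" tries))
          ((resolve) => identity)
          (else
           (sleep interval)
           (loop (- tries-left 1))))))

(define (source->resolver source find-by-uuid)
  "Return a resolver thunk for SOURCE.  A bytevector is a LUKS UUID and is
looked up with FIND-BY-UUID; a string is a /dev node that must exist before
it is handed to cryptsetup."
  (if (bytevector? source)
      (lambda () (find-by-uuid source))
      (lambda () (and (file-exists? source) source))))

;; Constructed demo: a lookup that only succeeds on the third poll, the
;; way a device node can appear after the initrd has already started.
(define polls 0)
(define (late-lookup uuid)
  (set! polls (+ polls 1))
  (and (>= polls 3) "/dev/nvme0n1p1"))

(define demo-uuid (make-bytevector 16 0))   ;constructed placeholder UUID

;; UUID source: retried until the lookup returns a device.
(display (wait-for-device (source->resolver demo-uuid late-lookup)
                          #:interval 0))
(newline)

;; Path source: the same loop, instead of invoking cryptsetup right away.
;; "/" is used here only because it always exists.
(display (wait-for-device (source->resolver "/" late-lookup)
                          #:tries 3 #:interval 0))
(newline)
```

With both kinds of source going through one loop, the pre-mount hook would pass the result of wait-for-device to cryptsetup, so a /dev path that is not yet present is retried rather than failing on the first attempt.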