[pkg-cryptsetup-devel] Bug#1028250: debian-installer: broken cryptsetup support

Guilhem Moulin guilhem at debian.org
Sat Feb 18 13:09:19 GMT 2023


X-Debbugs-Cc: pkg-cryptsetup-devel at alioth-lists.debian.net

Hi kibi!

On Thu, 16 Feb 2023 at 20:14:20 +0100, Cyril Brulebois wrote:
> Cyril Brulebois <kibi at debian.org> (2023-01-09):
>> Cyril Brulebois <kibi at debian.org> (2023-01-08):
>>> I'm seeing at least two problems with cryptsetup while testing daily
>>> builds:
>>> - with 6.1.0-1 (currently getting into the archive), my very usual 1G
>>>  RAM / 5G storage setup can no longer get an automated encrypted LVM
>>>  setup created: cryptsetup triggers the OOMK while creating the
>>>  encrypted storage; that doesn't happen with 6.0.0-6. Not sure
>>>  cryptsetup itself is the culprit, it might just be more components or
>>>  heavier components on the kernel side, pushing memory to the limit.
>>> - with either kernel (and 1G RAM for 6.0.0-6, 2G RAM for 6.1.0-1 due
>>>  to the first point), I cannot boot into the installed system: I'm not
>>>  getting the LVM passphrase prompt, and the root device is therefore
>>>  missing.
>>>
>>> I haven't investigated either issue, and I'm not sure when I'll be able
>>> to. Help welcome.
>>>
>>> The first point could be waved aside with an errata entry; the second
>>> point is going to be a blocker for the next release.
>>
>> Trying to investigate the second one, I cannot replicate my earlier
>> results, with either a clean unstable daily build using 6.1.0-1 or with
>> D-I Bookworm Alpha 1; and besides cryptsetup uploads in early December,
>> I must admit a quick look around didn't suggest anything obvious that
>> could explain what I was getting… Bad luck, maybe; lowering severity
>> accordingly for the time being.
>
> Testing d-i built against testing udebs again, I can replicate this
> issue now. I suppose this might be some component getting bigger over
> time, and pushing the limit somehow. And the various builds I tried back
> in January might have been tiptoeing around that limit…
>
> Looking at `free` with this netboot-gtk mini.iso build, inside kvm, with
> 1G RAM, `used` is ~100M, `free` is 500+ M, and yet, cryptsetup gets
> OOMK'd.
>
> Is cryptsetup being stupid and miscomputing RAM requirements for that
> setup? (ISTR LUKS2 means heavier computation, tweaked depending on
> hardware, but I haven't followed that closely.)
>
> The memory pressure at this particular point of the installation process
> seems quite low, so crashing with free at 50% feels very wrong to me…

By default the PBKDF benchmark caps the memory cost at 1GiB or half of
the physical memory, whichever is smaller.  So indeed with 1G RAM and
~50% free one might trigger the OOM killer.  A workaround is to pass
`--pbkdf-memory` with a suitable value (256M should be more than enough
in that case) on memory-constrained systems, but cryptsetup should
arguably adjust the memory cost on its own.  Reported the issue upstream
at https://gitlab.com/cryptsetup/cryptsetup/-/issues/802 .

But that's only for the first point.  Do you have a reproducer for the
second point?  Tried https://cdimage.debian.org/cdimage/weekly-builds/amd64/iso-cd/debian-testing-amd64-netinst.iso
in a VM with 2G RAM [0] and chose the “encrypted LVM” scheme (both on
the graphical and text install); the system refused to boot because the
initramfs image contained an older e2fsck (“/dev/mapper/debian--vg-root
has unsupported feature(s): FEATURE_C12”), however there was no problem
after upgrading to sid at finish-install stage (and in both cases I
could map the device, so neither bookworm's cryptsetup nor the kernel is
at fault AFAICT).

Cheers
-- 
Guilhem.

[0] kvm -smp cpus=2 -cpu host -m 2G -object rng-random,id=rng0,filename=/dev/urandom \
      -device virtio-rng-pci,rng=rng0 -drive file=/tmp/disk.img,format=raw \
      -cdrom /tmp/debian-testing-amd64-netinst.iso -boot once=d
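
Added example, not part of the original message and not cryptsetup's own code: a POSIX sh sketch that reproduces the default ceiling described above (1GiB or half of physical memory, whichever is smaller) from `/proc/meminfo`-style input and derives a `--pbkdf-memory` value in kilobytes. The function names, the "half of MemAvailable" policy and the sample figures are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: names, policy and sample figures are assumptions.

# Print one field (in kB, i.e. KiB) from a /proc/meminfo-format file.
meminfo_kib() {  # $1 = field, $2 = file (defaults to /proc/meminfo)
    awk -v k="$1:" '$1 == k { print $2; ok = 1; exit }
                    END { exit !ok }' "${2:-/proc/meminfo}"
}

# Benchmark ceiling as described in the message: min(1 GiB, MemTotal / 2).
pbkdf_default_cap_kib() {
    total=$(meminfo_kib MemTotal "$1") || return 1
    half=$((total / 2))
    if [ "$half" -lt 1048576 ]; then echo "$half"; else echo 1048576; fi
}

# What is left of MemAvailable at that ceiling (negative means overcommit).
pbkdf_headroom_kib() {
    cap=$(pbkdf_default_cap_kib "$1") || return 1
    avail=$(meminfo_kib MemAvailable "$1") || return 1
    echo $((avail - cap))
}

# Assumed policy: Argon2 gets at most half of MemAvailable, never more
# than the default ceiling.
pbkdf_suggest_kib() {
    cap=$(pbkdf_default_cap_kib "$1") || return 1
    avail=$(meminfo_kib MemAvailable "$1") || return 1
    budget=$((avail / 2))
    if [ "$budget" -lt "$cap" ]; then echo "$budget"; else echo "$cap"; fi
}

# Constructed sample: a 1G RAM guest with roughly half of its memory free.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
MemTotal:        1004000 kB
MemFree:          520000 kB
MemAvailable:     520000 kB
EOF
echo "default ceiling: $(pbkdf_default_cap_kib "$sample") KiB"
echo "headroom left:   $(pbkdf_headroom_kib "$sample") KiB"
echo "suggested flag:  --pbkdf-memory $(pbkdf_suggest_kib "$sample")"
```

On the constructed sample the default ceiling leaves only about 18 MiB of the available memory, while the suggested value lands close to the 256M mentioned above.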