[pkg-cryptsetup-devel] Bug#838001: Bug#838001: cryptsetup does not support ZFS

Richard Laager rlaager at wiktel.com
Mon Sep 19 11:39:35 UTC 2016


On 09/19/2016 04:48 AM, Guilhem Moulin wrote:
> On Mon, 19 Sep 2016 at 00:51:45 -0500, Richard Laager wrote:
>> On 09/18/2016 02:13 PM, Guilhem Moulin wrote:

> Fair enough it's not the first field, but by looking at the output I
> have the impression that the header is pretty much free form.

Fair point.

At an absolute minimum, the regex should be tightened up to require $1
to start with / rather than just contain it. Further options below...

> Alright, thanks!  I think a more robust AWK or sed script is desired to
> strip out the header, though.  Perhaps this AWK script

That awk script doesn't output anything for me.

How about this, which I used in the attached updated patch:
awk 'NR == 1, /^[\t ]*config:/ { next } { if ($1 ~ /^\//) { print $1 } }'

Or if you want to match the logic of GRUB2 (which I think is messier):
awk 'NR == 1, /^[\t ]*NAME[\t ]+STATE[\t ]+READ[\t ]+WRITE[\t ]+CKSUM/ { next } { if ($1 ~ /^\//) { print $1 } }'

>>> But I still think we can find a solution that's not FS-specific.  For
>>> instance, to ensure that an arbitrary device is unlocked at initramfs
>>> stage, you can add ‘initramfs’ to the 4th column of its crypttab(5)
>>> entry.  In your case, that should be enough to copy the key files of
>>> the underlying devices to the initramfs image.

Yes, that works. The "WARNING: could not determine root device" message
is still printed.

> Again, I'm not fond of your `zfs list` command because it's an
> FS-specific alternative for two FS-agnostic and de facto standard
> solutions, namely fstab(5) and kernel parameters.

I've attached another version of this patch. It first swaps from
/etc/fstab to /proc/self/mounts. Then adding ZFS support is trivial and
integrates in the same way as btrfs support.

-- 
Richard
-------------- next part --------------
diff -Nru cryptsetup-1.7.2/debian/changelog cryptsetup-1.7.2/debian/changelog
--- cryptsetup-1.7.2/debian/changelog	2016-07-01 03:57:14.000000000 -0500
+++ cryptsetup-1.7.2/debian/changelog	2016-09-19 06:19:26.000000000 -0500
@@ -1,3 +1,11 @@
+cryptsetup (2:1.7.2-0ubuntu2~rlaager2) yakkety; urgency=medium
+
+  * Modify the initramfs-tools hook to examine /proc/self/mounts instead of
+    /etc/fstab.
+  * Support ZFS in the cryptroot initramfs-tools hook.
+
+ -- Richard Laager <rlaager at wiktel.com>  Mon, 19 Sep 2016 06:18:23 -0500
+
 cryptsetup (2:1.7.2-0ubuntu1) yakkety; urgency=medium
 
   * New upstream release, merge from Debian unstable (LP: #1548137). Remaining
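Review bot: The new changelog entry carries no reference to the bug it addresses; neither bullet ends with a bug closer such as "Closes: #838001" (the number in this thread's subject). The first bullet should also say that the switch from /etc/fstab to /proc/self/mounts changes device discovery for every filesystem type handled by the hook, not only ZFS, since that is the part most likely to surprise someone reading the changelog later.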
diff -Nru cryptsetup-1.7.2/debian/initramfs/cryptroot-hook cryptsetup-1.7.2/debian/initramfs/cryptroot-hook
--- cryptsetup-1.7.2/debian/initramfs/cryptroot-hook	2016-04-29 01:18:05.000000000 -0500
+++ cryptsetup-1.7.2/debian/initramfs/cryptroot-hook	2016-09-19 06:18:20.000000000 -0500
@@ -20,11 +20,11 @@
 	local device mount type options dump pass
 	local wantmount="$1"
 
-	if [ ! -r /etc/fstab ]; then
+	if [ ! -r /proc/self/mounts ]; then
 		return 1
 	fi
 
-	grep -s '^[^#]' /etc/fstab | \
+	cat /proc/self/mounts | \
 	while read device mount type options dump pass; do
 		if [ "$mount" = "$wantmount" ]; then
 			local devices
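Review bot: Replacing /etc/fstab with /proc/self/mounts in both the readability check and the `while read` loop makes get_fs_devices depend on what is mounted at the moment the hook runs, not on the configured system. A mount point listed in fstab but not currently mounted (for example when the image is built from a chroot) no longer matches "$wantmount", and its underlying devices are silently left out of the initramfs. Consider falling back to /etc/fstab when /proc/self/mounts has no entry for "$wantmount". As a style point, `cat /proc/self/mounts |` can be dropped in favour of redirecting the file into the loop.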
@@ -32,6 +32,10 @@
 				for dev in $(btrfs filesystem show $(canonical_device "$device" --no-simplify) 2>/dev/null | sed -r -e 's/.*devid .+ path (.+)/\1/;tx;d;:x') ; do
 					devices="$devices $(canonical_device "$dev")"
 				done
+			elif [ "$type" = "zfs" ]; then
+				for dev in $(zpool status -P "${device%%/*}" | awk 'NR == 1, /^[\t ]*config:/ { next } { if ($1 ~ /^\//) { print $1 } }'); do
+					devices="$devices $(canonical_device "$dev")"
+				done
 			else
 				devices=$(canonical_device "$device") || return 0
 			fi
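Review bot: The new zfs branch runs `zpool status -P "${device%%/*}"` without discarding stderr, unlike the btrfs branch directly above it, which uses `2>/dev/null`. If zpool is missing or the pool cannot be queried, the error text goes to the hook's output and $devices stays empty with no message of its own. Redirect stderr as the btrfs branch does and handle the empty result explicitly. The awk range also has only a start boundary (`config:`), so any later line whose first field starts with / is taken as a device; ending the scan at the `errors:` line would bound it on both sides.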
@@ -653,7 +657,7 @@
 if [ -r /etc/crypttab ]; then
 	rootdevs=$(get_fs_devices /)
 	if [ -z "$rootdevs" ]; then
-		echo "cryptsetup: WARNING: could not determine root device from /etc/fstab" >&2
+		echo "cryptsetup: WARNING: could not determine root device from /proc/self/mounts" >&2
 	fi
 	usrdevs=$(get_fs_devices /usr)
 	resumedevs=$(get_resume_devices)
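
The two points made in the message about the awk filter (skip the free-form header up to "config:", and require $1 to start with / rather than contain it) can be checked offline with the sketch below. It is an added example, not part of the original message or patch; the sample text is constructed rather than captured from a real pool, and the names sample_status, strict_devices and loose_devices are hypothetical.

```shell
#!/bin/sh
# Added example: compare the awk filter from the message with a looser one.

# Constructed sample of `zpool status -P` output. The wrapped "status:" line
# and the "old/dev1" vdev are made up to exercise the two failure modes; the
# URL is a placeholder.
sample_status() {
cat <<'EOF'
  pool: rpool
 state: DEGRADED
status: One or more devices could not be used, for example
        /dev/mapper/stale_crypt which is no longer present.
   see: http://example.invalid/msg/PLACEHOLDER
config:

        NAME                      STATE     READ WRITE CKSUM
        rpool                     DEGRADED     0     0     0
          mirror-0                DEGRADED     0     0     0
            /dev/mapper/crypt_a   ONLINE       0     0     0
            /dev/mapper/crypt_b   ONLINE       0     0     0
            old/dev1              UNAVAIL      0     0     0

errors: No known data errors
EOF
}

# Filter quoted in the message: skip line 1 through the "config:" line, then
# print the first field only when it starts with "/".
strict_devices() {
    awk 'NR == 1, /^[\t ]*config:/ { next } { if ($1 ~ /^\//) { print $1 } }'
}

# Hypothetical loose filter for comparison: no header skip, and the first
# field only has to contain "/" somewhere.
loose_devices() {
    awk '$1 ~ /\// { print $1 }'
}

echo "strict filter:"
sample_status | strict_devices
echo "loose filter (also picks up the header path and old/dev1):"
sample_status | loose_devices
```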