[pkg-cryptsetup-devel] Bug#876477: Bug#876477: cryptsetup: Password requested three times on boot, when /root is plaintext, but swap is on LVM on crypt.
Guilhem Moulin
guilhem at debian.org
Fri Jan 19 12:49:23 UTC 2018
Control: tag -1 moreinfo
Hi Matthew,
On Fri, 22 Sep 2017 at 16:54:03 +0100, Matthew Wakeling wrote:
> I have set up my system with an unencrypted /root partition, but with
> /home, /var, /tmp, and swap all in an LVM inside a luks crypt
> partition.
> When booting, the system prompts for the crypto password, and then
> prints the error message:
I can't reproduce this in a fresh Stretch (9.3) VM.
> The problem exists in
> /usr/share/initramfs-tools/scripts/local-top/cryptroot. The script
> assumes that it is having to unlock the /root partition, and gets the
> check for whether unlocking worked correctly wrong. On line 341, the
> script sets $NEWROOT to the name of the LVM VG, instead of the swap
> volume inside the LVM. I guess normally it would set it to the /root
> volume inside the LVM, but the root filesystem in this case is on a
> separate partition. On line 348 it then sets $FSTYPE to the empty
> string, because the LVM VG name doesn't play well with blkid. On line
> 352 the script then decides that something has gone wrong, and the
> error message is produced.
Could you paste the output of lsblk(1)? With
    vda                254:0    0    4G  0 disk
    ├─vda1             254:1    0  1.9G  0 part  /
    └─vda2             254:2    0  2.1G  0 part
      └─vda2_crypt     253:0    0  2.1G  0 crypt
        ├─vg-swap      253:1    0  488M  0 lvm   [SWAP]
        ├─vg-home      253:2    0  488M  0 lvm   /home
        ├─vg-tmp       253:3    0   32M  0 lvm   /tmp
        └─vg-var       253:4    0  512M  0 lvm   /var
The initrd's /conf/conf.d/cryptroot contains a single line for
/dev/vg/swap AKA /dev/mapper/vg-swap (/home and /tmp aren't required at
initramfs stage)
target=vda2_crypt,source=UUID=fdffd6a8-8da1-4479-9196-39a4c7a2fc24,resumedev,lvm=vg-swap,key=none
and I have a single prompt “Please unlock disk vda2_crypt:” (log
attached). After unlocking and `activate_vg` NEWROOT is set to
/dev/mapper/vg-swap, which is indeed the (mapped) device holding swap.
You might want to activate debug mode in the cryptroot initramfs
script, see https://wiki.debian.org/CryptsetupDebug for details.
--
Guilhem.
-------------- next part --------------
+ /sbin/cryptsetup isLuks /dev/disk/by-uuid/fdffd6a8-8da1-4479-9196-39a4c7a2fc24
+ cryptopen=/sbin/cryptsetup -T 1 open --type luks /dev/disk/by-uuid/fdffd6a8-8da1-4479-9196-39a4c7a2fc24 vda2_crypt --key-file=-
+ cryptremove=/sbin/cryptsetup remove vda2_crypt
+ NEWROOT=/dev/mapper/vda2_crypt
+ count=0
+ [ 3 -le 0 ]
+ [ 0 -lt 3 ]
+ export CRYPTTAB_TRIED=0
+ count=1
+ [ ! -e /dev/mapper/vda2_crypt ]
+ /sbin/cryptsetup -T 1 open --type luks /dev/disk/by-uuid/fdffd6a8-8da1-4479-9196-39a4c7a2fc24 vda2_crypt --key-file=-
+ crypttarget=vda2_crypt cryptsource=/dev/disk/by-uuid/fdffd6a8-8da1-4479-9196-39a4c7a2fc24 /lib/cryptsetup/askpass Please unlock disk vda2_crypt:
Please unlock disk vda2_crypt:
+ [ ! -e /dev/mapper/vda2_crypt ]
+ /sbin/blkid -s TYPE -o value /dev/mapper/vda2_crypt
+ FSTYPE=LVM2_member
+ [ LVM2_member = LVM_member ]
+ [ LVM2_member = LVM2_member ]
+ [ -z vg-swap ]
+ activate_vg
+ [ ! -x /sbin/lvm ]
+ /sbin/lvm vgscan
WARNING: Failed to connect to lvmetad. Falling back to device scanning.
Reading all physical volumes. This may take a while...
Found volume group "vg" using metadata type lvm2
+ /sbin/lvm vgchange -a y --sysinit
WARNING: Failed to connect to lvmetad. Falling back to device scanning.
4 logical volume(s) in volume group "vg" now active
+ return 0
+ [ -f /conf/param.conf ]
+ NEWROOT=/dev/mapper/vg-swap
+ [ = yes ]
+ /sbin/blkid -s TYPE -o value /dev/mapper/vg-swap
+ FSTYPE=swap
+ [ -z swap ]
+ count=0
+ message cryptsetup (vda2_crypt): set up successfully
+ [ -x /bin/plymouth ]
+ echo cryptsetup (vda2_crypt): set up successfully
cryptsetup (vda2_crypt): set up successfully
+ return 0
+ break
+ failsleep=60
+ [ = yes ]
+ udev_settle
+ command -v udevadm
+ udevadm settle --timeout=30
+ return 0
+ return 0
+ read mapping
+ exit 0
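
Added example, not part of the original message and not the Debian cryptroot script: a POSIX sh sketch of the decision visible in the trace above, which parses a conf.d/cryptroot line and derives the device whose TYPE is checked after unlocking. The function names are hypothetical, and the blkid TYPE of the unlocked mapping is passed in as an argument so the sketch runs without real devices.

```sh
#!/bin/sh
# Added illustration; not the Debian cryptroot script. Function names are hypothetical.

# Print option $2 from a comma-separated conf.d/cryptroot line $1.
# Bare flags such as "resumedev" print "yes"; absent options print nothing.
cryptroot_opt() {
    want=$2
    old_ifs=$IFS; IFS=,
    set -f                       # no globbing while word-splitting the line
    for opt in $1; do
        case $opt in
            "$want"=*) printf '%s\n' "${opt#*=}"; break ;;
            "$want")   printf 'yes\n'; break ;;
        esac
    done
    set +f; IFS=$old_ifs
}

# Device whose TYPE is checked after unlocking, following the trace.
# $1 = conf line, $2 = blkid TYPE of /dev/mapper/<target> (an input here, so
# nothing touches real devices). Fails when the mapping is an LVM PV but no
# lvm= option is set, the case the trace tests with "[ -z vg-swap ]".
expected_newroot() {
    target=$(cryptroot_opt "$1" target)
    lvm=$(cryptroot_opt "$1" lvm)
    case $2 in
        LVM_member|LVM2_member)
            [ -n "$lvm" ] || return 1
            printf '/dev/mapper/%s\n' "$lvm" ;;
        *)  printf '/dev/mapper/%s\n' "$target" ;;
    esac
}

# True if $1 looks like a device-mapper LV name ("vg-lv") rather than a bare
# VG name. Hyphens inside VG/LV names are doubled, so drop "--" pairs first.
lvm_opt_names_lv() {
    case $(printf '%s' "$1" | sed 's/--//g') in
        *-*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Demo on the conf line quoted in the message.
line='target=vda2_crypt,source=UUID=fdffd6a8-8da1-4479-9196-39a4c7a2fc24,resumedev,lvm=vg-swap,key=none'
lvm=$(cryptroot_opt "$line" lvm)
lvm_opt_names_lv "$lvm" || echo "lvm=$lvm is not a vg-lv mapping name" >&2
echo "after unlock, expect TYPE check on: $(expected_newroot "$line" LVM2_member)"
```

Running the same functions against the line in your own initrd's /conf/conf.d/cryptroot shows whether lvm= names a logical volume mapping or only the volume group.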