[pkg-cryptsetup-devel] Boot Debian Buster with encrypted root on degraded raid1 (md-raid)

Magnus Sandberg mem at datakon.se
Tue Jul 23 08:04:00 BST 2019


Hi,

Any reflections on the following?

Is it something to include or should I just continue using it as my own fix?

Regards,

// Mem



----- On 29th of June 2019 Magnus Sandberg wrote: -----

From: Magnus Sandberg <mem at datakon.se>
To: Debian Cryptsetup Team <pkg-cryptsetup-devel at alioth-lists.debian.net>
Cc: Debian mdadm maintainers <pkg-mdadm-devel at lists.alioth.debian.org>,
	mem at datakon.se
Subject: Boot Debian Buster with encrypted root on degraded raid1 (md-raid)
Date: Sat, 29 Jun 2019 17:44:23 +0200

Dear Debian developers,

Sorry for crossposting, but the two parts of this are related to each other.


First, for the cryptsetup developers. A comment for the mdadm developers follows below.

I'm setting up a new Debian Buster computer with LVM on top of LUKS on top of MD
raid1 with UEFI and GPT.

It took some manual disk setup to get even /boot/efi on RAID (with metadata
1.0), etc. The short version is: md0 as /boot/efi, md1 as /boot and md2 holds
a LUKS container. Inside the LUKS container I use LVM to have all my other
partitions including swap and root (/), /home, etc.

Everything works as expected until I disconnect one of the disks to verify
that the system works even in degraded mode. Without the patch below I had to
wait for the initramfs timeout, and while in busybox I could do "mdadm --run
md0", etc., followed by exit and then enter the passphrase for the LUKS
container.

After trying a number of things/scripts to put into
/etc/initramfs-tools/scripts/..., I ended up with this short patch that does it
all:

diff -u /usr/share/initramfs-tools/scripts/local-top/cryptroot 
/etc/initramfs-tools/scripts/local-top/cryptroot
--- /usr/share/initramfs-tools/scripts/local-top/cryptroot	2019-06-10 
14:51:15.000000000 +0200
+++ /etc/initramfs-tools/scripts/local-top/cryptroot	2019-06-29 
16:38:13.117078786 +0200
@@ -56,6 +56,11 @@
     while [ $slumber -gt 0 ]; do
         sleep 1

+	# Added by Mem, 2019-06-29
+	if [ -x /scripts/local-block/mdadm ] ; then
+	    /scripts/local-block/mdadm
+	fi
+
         if [ -x /scripts/local-block/lvm2 ]; then
             # activate any VG that might hold $CRYPTTAB_SOURCE
             /scripts/local-block/lvm2 "$CRYPTTAB_SOURCE"
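Review bot: calling /scripts/local-block/mdadm from inside the slumber loop runs it once per second of the cryptroot wait, and that script keeps its own invocation counter (the `COUNT`/`MAX` check visible in the second patch), so its last-resort `mdadm -q --run` fires after MAX iterations of this loop rather than on the schedule the local-block hook was written for; it is worth confirming that the two timeouts line up so the degraded array is started before the cryptroot wait expires. Two style points: the added lines are tab-indented while the surrounding context uses four spaces, and the `# Added by Mem, 2019-06-29` comment should be dropped before submission.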


I hope the patch is useful to include in the 'cryptsetup-initramfs' package. I am
not a real developer and don't really know how to put it in the correct git
repository or wherever it should go. You're welcome to remove my comment line.


For the mdadm developers, the following patch is an idea of how to inform the
user during boot that something is not as it should be.

diff -u /usr/share/initramfs-tools/scripts/local-block/mdadm 
/etc/initramfs-tools/scripts/local-block/mdadm
--- /usr/share/initramfs-tools/scripts/local-block/mdadm	2019-01-15 
19:23:53.000000000 +0100
+++ /etc/initramfs-tools/scripts/local-block/mdadm	2019-06-29 
16:52:25.584706119 +0200
@@ -50,6 +50,12 @@
 if [ "$COUNT" = "$MAX" ]
 then
     # Poor man's mdadm-last-resort at .service for incremental devices
+
+    # Added by Mem, 2019-06-29
+    echo "Doing poor man's last-resort for mdadm mount..."
+    echo "You probably have a degraded raid-set, PLEASE verify when system 
booted!!!"
+    echo
+
     mdadm -q --run /dev/md?*

     # And last try for all others
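Review bot: the second echo's string is split across two lines in the mail (`echo "You probably have a degraded raid-set, PLEASE verify when system` / `booted!!!"`), so the patch as shown is not a valid shell line; keep the message on one line or use a backslash continuation before applying it. Also, this branch is reached whenever the retry count reaches `MAX`, not only when an array is actually degraded, so the message would read better as "you may have a degraded raid-set" with a pointer to check /proc/mdstat after boot, which makes the "PLEASE verify" request actionable.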

I use 'echo' instead of some 'log_xxx_msg' as I prefer to have the printout
even when booting with "quiet" as a kernel parameter.

Regards,

// Mem
(Debian sysadmin for some 20 odd years)
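The "PLEASE verify when system booted" message above leaves the actual check to the user. Here is an added example, not part of the mail or of the Debian packages, that parses /proc/mdstat and reports arrays running degraded; it assumes the usual mdstat layout (an "mdN : ..." line followed by a status line with "[total/active]" and a member map such as "[UU]" or "[U_]") and embeds a constructed sample so it runs offline.

```shell
#!/bin/sh
# Added example (not the mail's or Debian's code): find md arrays running
# degraded by parsing /proc/mdstat, the post-boot check the patch's message
# asks for. Assumes the usual mdstat layout, where each "mdN : ..." line is
# followed by a status line holding "[total/active]" and a member map such
# as "[UU]" (complete) or "[U_]" (one mirror leg missing).

# Constructed sample mirroring the mail's layout: md0 (/boot/efi) and md1
# (/boot) complete, md2 (LUKS container) running with one mirror leg missing.
SAMPLE_MDSTAT='Personalities : [raid1]
md2 : active raid1 sda4[0]
      500000000 blocks super 1.2 [2/1] [U_]

md1 : active raid1 sda3[0] sdb3[1]
      1000000 blocks super 1.2 [2/2] [UU]

md0 : active raid1 sda2[0] sdb2[1]
      500000 blocks super 1.0 [2/2] [UU]

unused devices: <none>'

# Read mdstat text on stdin; print one line per degraded array name.
degraded_arrays() {
    awk '
        /^md[0-9]+ *:/ { name = $1; next }
        name != "" && match($0, /\[[0-9]+\/[0-9]+\]/) {
            split(substr($0, RSTART + 1, RLENGTH - 2), n, "/")
            # fewer active members than configured, or a "_" in the map
            if (n[1] + 0 != n[2] + 0 || $0 ~ /\[[U_]*_[U_]*\]/) print name
            name = ""
        }
    '
}

# Check an mdstat file (default /proc/mdstat). Returns 0 when every array is
# complete and 1 when at least one is degraded, listing the affected arrays.
check_mdstat() {
    degraded="$(degraded_arrays < "${1:-/proc/mdstat}")"
    if [ -n "$degraded" ]; then
        printf 'Degraded md arrays: %s\n' "$degraded"
        return 1
    fi
    printf 'All md arrays complete\n'
    return 0
}
```

Run `check_mdstat` with no argument on the booted system; a non-zero exit status means at least one array is still missing a member.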
