[pkg-cryptsetup-devel] Boot Debian Buster with encrypted root on degraded raid1 (md-raid)

Magnus Sandberg mem at datakon.se
Sat Jun 29 16:44:23 BST 2019


Dear Debian developers,

Sorry for crossposting, but the two parts of this are related to each other.


First for the cryptsetup developers. A comment for mdadm developers, see below.

I'm setting up a new Debian Buster computer with LVM on top of LUKS on top of MD 
raid1 with UEFI and GPT.

It was some manual disk setup to get even /boot/efi on raid (with metadata 
1.0), etc. The short version is: md0 as /boot/efi, md1 as /boot and md2 holds 
a LUKS container. Inside the LUKS container I use LVM to have all my other 
partitions including swap and root (/), /home, etc.

Everything works as expected until I disconnect one of the disks to verify 
that the system works even in degraded mode. Without the patch below I had to 
wait for the initramfs timeout and while in busybox I could do "mdadm --run 
md0", etc followed by exit and then enter the passphrase for the LUKS 
container.

After trying a number of things/scripts to put into 
/etc/initramfs-tools/scripts/..., I ended up with this short patch that does it 
all:

diff -u /usr/share/initramfs-tools/scripts/local-top/cryptroot 
/etc/initramfs-tools/scripts/local-top/cryptroot
--- /usr/share/initramfs-tools/scripts/local-top/cryptroot	2019-06-10 
14:51:15.000000000 +0200
+++ /etc/initramfs-tools/scripts/local-top/cryptroot	2019-06-29 
16:38:13.117078786 +0200
@@ -56,6 +56,11 @@
     while [ $slumber -gt 0 ]; do
         sleep 1
 
+	# Added by Mem, 2019-06-29
+	if [ -x /scripts/local-block/mdadm ] ; then
+	    /scripts/local-block/mdadm
+	fi
+
         if [ -x /scripts/local-block/lvm2 ]; then
             # activate any VG that might hold $CRYPTTAB_SOURCE
             /scripts/local-block/lvm2 "$CRYPTTAB_SOURCE"
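
Review bot: The added block calls /scripts/local-block/mdadm with no arguments on every pass of the `while [ $slumber -gt 0 ]` loop and ignores its exit status, whereas the lvm2 call just below it is at least scoped to "$CRYPTTAB_SOURCE". If the loop is waiting for $CRYPTTAB_SOURCE to appear, as the lvm2 comment suggests, guard the call so it only runs while that device is still missing, and replace the author/date line with a comment saying why the call is needed (for example "assemble any MD array that might hold $CRYPTTAB_SOURCE"). The new lines are also indented with tabs and use `] ; then`, where the surrounding context uses spaces and `]; then`.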


I hope the patch is useful to include in 'cryptsetup-initramfs' package. I am 
not a real developer and don't really know how to put it in the correct git 
repository or wherever to put it. You're fine to remove my comment line.


For the mdadm developers, the following patch is an idea of how to inform the 
user during boot that something is not as it should be.

diff -u /usr/share/initramfs-tools/scripts/local-block/mdadm 
/etc/initramfs-tools/scripts/local-block/mdadm
--- /usr/share/initramfs-tools/scripts/local-block/mdadm	2019-01-15 
19:23:53.000000000 +0100
+++ /etc/initramfs-tools/scripts/local-block/mdadm	2019-06-29 
16:52:25.584706119 +0200
@@ -50,6 +50,12 @@
 if [ "$COUNT" = "$MAX" ]
 then
     # Poor man's mdadm-last-resort at .service for incremental devices
+
+    # Added by Mem, 2019-06-29
+    echo "Doing poor man's last-resort for mdadm mount..."
+    echo "You probably have a degraded raid-set, PLEASE verify when system 
booted!!!"
+    echo
+
     mdadm -q --run /dev/md?*
 
     # And last try for all others
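
Review bot: The warning is printed before `mdadm -q --run /dev/md?*` and regardless of its outcome, so every time COUNT reaches MAX the user is told the array is probably degraded even if nothing was force-started. Printing it after the command, and only when the command actually started an array, would make the message trustworthy; it would also keep the existing "Poor man's mdadm-last-resort" comment next to the command it describes, which the new lines currently split apart. The author/date comment can be dropped, and the echo string that the mail has wrapped onto a second line needs to be a single line in the applied patch.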

I use 'echo' instead of some 'log_xxx_msg' as I prefer to have the printout 
even when booting with "quiet" as a kernel parameter.

Regards,

// Mem
(Debian sysadmin for some 20 odd years)




