Unlock two root drives (for ZFS mirror)?
Mike Klein
mike at kleinnet.com
Mon May 18 04:29:12 CEST 2020
In case it is of interest, here is the complete initramfs crypt related terminal I/O including the password prompts and ZFS module loading messages. Note that croot1’s password was prompted for twice, and croot2’s was not prompted at all. I inserted the added text based on a photo I took during boot. Maybe this helps illuminateÎ unexpected timing issues, if any.
mandos mk: starting cryptroot-unlock attempts
mandos mk: start a new plugin-runner to get a password
mandos mk: waiting for plugin-runner...
Reading all physical volumes. This may take a while...
IP-Config: eno1 hardware address xx:xx:xx:xx:xx:xx mtu 1500
/dev/sdi: open failed: No medium found
IP-Config: eno1 guessed broadcast address xxx.xxx.xxx.xxx
IP-Config: eno1 complete:
address: xxx.xxx.xxx.xxx broadcast: xxx.xxx.xxx.255 netmask: 255.255.255.0
gateway: 0.0.0.0 dns0 : 0.0.0.0 dns1 : 0.0.0.0
host : xxxxxxxxxx
rootserver: 0.0.0.0 rootpath:
filename :
Found volume group "tm" using metadata type lvm2
/dev/sdi: open failed: No medium found
5 logical volume(s) in volume group "tm" now active
Please unlock disk croot1:mandos mk: plugin-runner completed
mandos mk: trying cryptroot-unlock #1
Please unlock disk croot1: cryptroot-unlock #1 exited with 0
mandos mk: trying cryptroot-unlock #2
cryptroot-unlock #2 exited with 0
[ 20.708398] spl: loading out-of-tree module taints kernel.
[ 20.710746] znvpair: module license ‘CDDL’ taints kernel.
[ 20.710986] Disabling lock debugging due to kernel taint
mandos mk: trying cryptroot-unlock #3
/run/mandos-keep-running is gone; break
mandos mk: finished, or plugin-runner failed
-Mike
> On May 17, 2020, at 2:08 PM, Mike Klein <mike at kleinnet.com> wrote:
>
> Teddy, thank you — the change you suggested works. No problem now; both partitions are unlocked in quick succession with password from server.
>
> I added a number of echo commands into the loop in mandos-to-cryptroot-unlock to watch what was happening, as follows:
>
> echo "mandos mk: starting cryptroot-unlock attempts" >&2
> while command -v cryptroot-unlock >/dev/null 2>&1; do
> echo "mandos mk: start a new plugin-runner to get a password" >&2
> /lib/mandos/plugin-runner > "$passfile" &
> echo $! > /run/mandos-plugin-runner.pid
> echo "mandos mk: waiting for plugin-runner..." >&2
> wait %% || break
> echo "mandos mk: plugin-runner completed" >&2
>
> # Try this password ten times (or ten seconds)
> for loop in 1 2 3 4 5 6 7 8 9 10; do
> echo "mandos mk: trying cryptroot-unlock #$loop" >&2
> if [ -e /run/mandos-keep-running ]; then
> # Mike K 2020-05-17: On advice from Teddy Hogeborn, remove
> # the break since it stops providing password after a single successful attempt
> #cryptroot-unlock < "$passfile" >/dev/null 2>&1 && break 2
> cryptroot-unlock < "$passfile" >/dev/null 2>&1
> echo " cryptroot-unlock #$loop exited with $?" >&2
> sleep 1
> else
> echo " /run/mandos-keep-running is gone; break" >&2
> break 2
> fi
> done
> echo "mandos mk: finished" >&2
> done
> echo "mandos mk: finished, or plugin-runner failed" >&2
>
> /var/log/boot.log shows:
>
> mandos mk: starting cryptroot-unlock attempts
> mandos mk: start a new plugin-runner to get a password
> mandos mk: waiting for plugin-runner...
> Reading all physical volumes. This may take a while...
> IP-Config: eno1 hardware address xx:xx:xx:xx:xx:xx mtu 1500
> /dev/sdi: open failed: No medium found
> IP-Config: eno1 guessed broadcast address xxx.xxx.xxx.xxx
> IP-Config: eno1 complete:
> address: xxx.xxx.xxx.xxx broadcast: xxx.xxx.xxx.255 netmask: 255.255.255.0
> gateway: 0.0.0.0 dns0 : 0.0.0.0 dns1 : 0.0.0.0
> host : xxxxxxxxxx
> rootserver: 0.0.0.0 rootpath:
> filename :
> Found volume group "tm" using metadata type lvm2
> /dev/sdi: open failed: No medium found
> 5 logical volume(s) in volume group "tm" now active
> mandos mk: plugin-runner completed
> mandos mk: trying cryptroot-unlock #1
> cryptroot-unlock #1 exited with 0
> mandos mk: trying cryptroot-unlock #2
> cryptroot-unlock #2 exited with 0
> mandos mk: trying cryptroot-unlock #3
> /run/mandos-keep-running is gone; break
> mandos mk: finished, or plugin-runner failed
>
> Many thanks!
>
> -Mike
>
>> On May 17, 2020, at 6:33 AM, Teddy Hogeborn <teddy at recompile.se <mailto:teddy at recompile.se>> wrote:
>>
>> Mike Klein <mike at kleinnet.com <mailto:mike at kleinnet.com>> writes:
>>
>>>> In the case of an initramfs image created by initramfs-tools(7), the
>>>> Mandos client (actually the plugin-runner(8mandos) which in turn
>>>> runs the Mandos client) is started at boot and kept running
>>>> (re-started if it exits) until the root disk has been mounted.
>>>> Every time a password is recieved by the Mandos client, it is sent
>>>> as input to the "cryptroot-unlock" program (a part of the
>>>> "cryptsetup-initramfs" package, documented by
>>>> /usr/share/doc/cryptsetup-run/README.Debian.gz). That program, as
>>>> documented, keeps accepting passwords until all devices are
>>>> unlocked. Therefore, using the same password for multiple devices
>>>> should work, in theory.
>>>>
>>>> If you are having problems with this, debug by adding --debug and/or
>>>> --options-for=mandos-client:--debug to the
>>>> "/etc/mandos/plugin-runner.conf" file, rebuild the initramfs with
>>>> "update-initramfs -k all -u", and reboot.
>>>
>>> Thank you, Teddy. I finally got time to work on this again. I am
>>> replying to your email as I haven’t found a way to reply on the
>>> archive site. I’m going to attach a log file from setting --debug for
>>> mandos-client.
>>>
>>> The dual-drive automatic unlock is not working. From what I can gather:
>>>
>>> 1) plugin-runner runs early in the cryptsetup process and it actually
>>> contacts the server and gets the correct passphrase
>>> 2) However, it appears that cryptsetup ignores the output and asks for
>>> interactive entry of the passphrase for both file systems to be
>>> unlocked
>>
>> The initramfs-tools boot system always asks for passphrase on the
>> console; a password could still be provided by mandos-client in the
>> background even though a password prompt is visible and active.
>>
>>> 3) The debug log shows that mandos-client has exited and this is still
>>> on the screen when I see the prompt for the passphrase for the first
>>> file system
>>
>> This is probably normal. As seen in the script
>> /usr/lib/$ARCH/mandos/mandos-to-cryptroot-unlock, the Mandos
>> plugin-runner is run once, and the password obtained thereby is passed
>> to the cryptroot-unlock executable ten times in a row, after which the
>> password is discarded and new password is obtained. This continues
>> until the initramfs boot process has progressed far enough that the root
>> file system has been mounted.
>>
>> However, I now see that my initial description of this procedure was
>> incorrect; if the password is passed *successfully* to cryptroot-unlock,
>> the whole procedure stops, and will therefore not unlock more than one
>> device. If you want to keep using initramfs-tools, you could try
>> editing the mandos-to-cryptroot-unlock script to remove the "&& break 2"
>> at the end of line 72, and rebuild the initramfs image.
>>
>>> I’m attaching the debug output, with decrypted passphrase removed. The
>>> debug output scrolls by on the screen before I see the passphrase
>>> prompt, but it could be that the prompt occurs early and scrolls off
>>> the screen quickly and then is printed again.
>>
>> This debug output only tells us two useful things:
>>
>> 1. A password was successfully obtained.
>> 2. A password was only requested once.
>>
>>> I am using initramfs-tools.
>>
>> You could try using dracut; this, as I explained previously, uses
>> competely different password delivery mechanisms, both of which should,
>> theoretically, work with multiple encrypted devices.
>>
>>> I also agree that ZFS should be underneath and encryption on top, and
>>> this is the long term intent, but this is not available until ZFS
>>> implements native encryption, which also provides other features
>>> e.g. snapshots are encrypted so sending and saving snapshots offsite
>>> is encrypted throughout. If the dual-unlock does not work, I will
>>> probably go back to LUKS over software RAID1.
>>
>> /Teddy Hogeborn
>>
>> --
>> The Mandos Project
>> https://www.recompile.se/mandos <https://www.recompile.se/mandos>
>> _______________________________________________
>> Mandos-Dev mailing list
>> Mandos-Dev at recompile.se
>> https://mail.recompile.se/cgi-bin/mailman/listinfo/mandos-dev
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.recompile.se/pipermail/mandos-dev/attachments/20200517/2656b708/attachment-0001.htm>
More information about the Mandos-Dev
mailing list