cryptroot-unlock CRYPTTAB_NAME issue after debootstrap setup


Post by jostrn » 2018-04-03 15:15

Hi,

I reproducibly fail to install Debian with LUKS hard drive encryption via debootstrap. The same configuration installed with Debian installer works great. Unfortunately, I need to install the production systems via debootstrap.

My setup is:
sd{a,b}1 1049kB 538MB 537MB boot raid
sd{a,b}2 538MB 26.3GB 25.8GB
sd{a,b}3 26.3GB 2000GB 1974GB lvm raid
sd{a,b} 128 2000GB 2000GB 3219kB bios_grub

sd{a,b}1 are md0.
sd{a,b}3 are md1.

md1 is md1_crypto, which forms volume group vg0.

As written before, everything works great if the installation was done with Debian installer. If the installation was done with debootstrap, I struggle with some issues:
ssh host
To unlock root partition, and maybe others like swap, run `cryptroot-unlock`
~ # cryptroot-unlock
/bin/cryptroot-unlock: line 1: CRYPTTAB_NAME: parameter not set

The system installed via Debian installer has no issue with an unset CRYPTTAB_NAME parameter. It just mounts the encrypted root lv and starts init.

Server screen:
Please unlock disk cryptroot:
WARNING: Failed to connect to lvmetad. Falling back to device scanning.
Reading all physical volumes. This may take a while...
Found volume group "vg0" using metadata type lvm2
WARNING: Failed to connect to lvmetad. Falling back to device scanning.
2 logical volume(s) in volume group "vg0" now active
cryptsetup (cryptroot): set up successfully
Please unlock disk md1_crypt:
Cannot use device /dev/disk/by-uuid/965........ which is in use (already mapped or mounted),
cryptsetup (md1_crypt): cryptsetup failed, bad password or options?

WTF is "cryptroot"? I never set this name, it only appears if installed via debootstrap. The system installed with Debian installer only asks to unlock md1_crypt. The debootstrap-based system is locked in a loop because it can't unlock md1_crypt that it may have already unlocked as cryptroot.

/etc/crypttab in both cases is identical and only contains one line: md1_crypt UUID=... none luks

/conf/conf.d/cryptroot in both cases is identical too and only contains: target=md1_crypt,source=UUID=...,rootdev,lvm=vg0-root,key=none

I've been investigating this problem for three days and I don't get what goes wrong. In my lab I have a virtual machine installed via Debian installer and one installed via debootstrap. I tried to find configuration differences with md5sum checksum comparison, but all(?) relevant config files are identical.

Any ideas? Thx a lot
jostrn
 
Posts: 3
Joined: 2014-07-02 13:24

Re: cryptroot-unlock CRYPTTAB_NAME issue after debootstrap s

Post by jostrn » 2018-04-03 21:46

Please unlock disk cryptroot:
[...]
Please unlock disk md1_crypt:


It seems that both the name and the content of a config file in initramfs are used in the unlock process:
/conf/conf.d/cryptroot:
target=md1_crypt,source=UUID=...,rootdev,lvm=vg0-root,key=none


If I rename /conf/conf.d/cryptroot to /conf/conf.d/md1_crypt, the cryptroot-unlock-question is gone. I'm not completely sure about this finding yet so I'll investigate this tomorrow in depth. So far it seems a very strange way of combining filename and file content into a runtime configuration.
jostrn
 
Posts: 3
Joined: 2014-07-02 13:24
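
Added example, not part of the original posts: a POSIX sh check that parses the `target=...,source=...` line format quoted above (from a `conf/conf.d/cryptroot` file extracted from an initramfs) and compares each target and source with the name and device fields of a crypttab, which helps spot a stale or mismatched initramfs. The function names, argument order and the all-zero sample UUID are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; function names and sample values are hypothetical/constructed.

# Print the value of option $2 from one "k=v,k=v,flag" cryptroot line $1.
cryptroot_opt() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# Print the source device (field 2) that crypttab file $1 lists for name $2.
crypttab_source() {
    awk -v n="$2" '!/^[ \t]*(#|$)/ && $1 == n { print $2; exit }' "$1"
}

# Compare every line of cryptroot file $1 with crypttab $2; non-zero on mismatch.
check_cryptroot() {
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] || continue
        target=$(cryptroot_opt "$line" target)
        src=$(cryptroot_opt "$line" source)
        want=$(crypttab_source "$2" "$target")
        if [ -z "$target" ] || [ -z "$want" ]; then
            echo "MISSING  '$target' has no crypttab entry"; rc=1
        elif [ "$src" != "$want" ]; then
            echo "MISMATCH $target: initramfs=$src crypttab=$want"; rc=1
        else
            echo "OK       $target -> $src"
        fi
    done < "$1"
    return "$rc"
}

# Write constructed sample files into directory $1 (placeholder UUID).
make_sample() {
    u=UUID=00000000-0000-0000-0000-000000000000
    printf 'target=md1_crypt,source=%s,rootdev,lvm=vg0-root,key=none\n' "$u" > "$1/cryptroot"
    printf '# <name> <device> <keyfile> <options>\nmd1_crypt %s none luks\n' "$u" > "$1/crypttab"
}

if [ "$#" -eq 2 ]; then
    check_cryptroot "$1" "$2"          # real files: <cryptroot> <crypttab>
else
    d=$(mktemp -d) && make_sample "$d" && check_cryptroot "$d/cryptroot" "$d/crypttab"
    rm -rf "$d"
fi
```

Running it once per system (installer-built and debootstrap-built) with the extracted `cryptroot` file and that system's `/etc/crypttab` as arguments gives a line-by-line comparison instead of a checksum match only.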

