How can I exclude cryptsetup hook from initramfs?

#1 Post by maniacos »

Hello, this is the first time I try this on Debian. In Arch Linux I would exclude the encrypt hook from mkinitcpio.conf, but I can't find something similar on Debian.

I have in my server two nvme disks and three sd disks.

They are all in RAID1.

Code:

Personalities : [raid1] [linear] [multipath] [raid0] [raid6] [raid5] [raid4] [raid10] 
md3 : active (auto-read-only) raid1 sda1[0] sdb1[1] sdc1[2]
      5859242880 blocks super 1.2 [3/3] [UUU]
      bitmap: 0/44 pages [0KB], 65536KB chunk

md0 : active (auto-read-only) raid1 nvme1n1p1[1] nvme0n1p1[0]
      33521664 blocks super 1.2 [2/2] [UU]

md2 : active raid1 nvme1n1p3[1] nvme0n1p3[0]
      465895744 blocks super 1.2 [2/2] [UU]
      bitmap: 1/4 pages [4KB], 65536KB chunk

md1 : active raid1 nvme1n1p2[1] nvme0n1p2[0]
      523712 blocks super 1.2 [2/2] [UU]
unused devices: <none>

I now need md3 encrypted but NOT md2, where the operating system sits. md3 will get LVM devices (LVM on LUKS on MD) and is for backups and, in case of a server reboot, is supposed to be encrypted and mounted manually.

md3 is also NOT in fstab for that reason; I will mount it manually when I need to.

Code:

cat /etc/fstab 
proc /proc proc defaults 0 0
/dev/md/0 none swap sw 0 0
/dev/md/1 /boot ext3 defaults 0 0
/dev/md/2 / ext4 defaults 0 0

Now, to encrypt md3, I installed cryptsetup; however, since then my server fails to boot. I suppose that is because the initramfs gets messed up by cryptsetup, because as soon as I uninstall cryptsetup using the rescue system, the server boots fine again.

Code:

update-initramfs -u
update-initramfs: Generating /boot/initrd.img-4.9.0-6-amd64
cryptsetup: WARNING: failed to detect canonical device of /dev/md2
cryptsetup: WARNING: could not determine root device from /etc/fstab
I: The initramfs will attempt to resume from /dev/md0
I: (UUID=51ae4c27-5fb7-493d-87ae-b98b44b84f9c)
I: Set the RESUME variable to override this.

How can I make cryptsetup stop messing with my initramfs? I don't need any encryption module in there.

I already tried setting CRYPTSETUP=n in /etc/cryptsetup-initramfs/conf-hook but that doesn't change anything.

Thank you for your help


#2 Post by p.H »

A quick and easy workaround is to uninstall cryptsetup and keep only cryptsetup-bin, then rebuild the initramfs.
The cryptsetup package only provides the startup scripts.
The cryptsetup-bin package provides the cryptsetup program.

But I don't understand what your problem is with cryptsetup and the initramfs. What happens exactly?


#3 Post by maniacos »

Well I was just wildly guessing here, cryptsetup reported an error when running the initramfs hook

Code:

cryptsetup: WARNING: failed to detect canonical device of /dev/md2
cryptsetup: WARNING: could not determine root device from /etc/fstab

And my server was not booting right after that. I have no KVM on that machine, so I could not see what the actual issue was. But when I started the server in rescue mode, mounted the disk, uninstalled cryptsetup and ran update-initramfs -u again, the server was booting just fine, so I thought cryptsetup messed up my boot menu entry and so the bootloader couldn't find the root filesystem.

I didn't want to dig further into this as I don't need crypto in the initramfs, so I just wanted to exclude the hook from initramfs. And that's where I didn't find out how.


#4 Post by p.H »

maniacos wrote: cryptsetup reported an error when running the initramfs hook
It is a warning, not an error.
I must admit I cannot explain these warnings.

maniacos wrote: I thought cryptsetup messed my boot menu entry and so the bootloader couldn't find root filesystem.
cryptsetup did not mess the boot menu. It just rebuilt the initramfs to include the encryption tools and scripts.
Maybe the initramfs asked for a passphrase to open an encrypted device, and just sat there.
Do you have an /etc/crypttab file? If yes, what does it contain?

maniacos wrote: I just wanted to exclude the hook from initramfs. And that's where I didn't find out how.
As I wrote, uninstall cryptsetup and just keep cryptsetup-bin.


#5 Post by maniacos »

p.H wrote: I must admit I cannot explain these warnings.
Me neither. The partition complained about is formatted with ext4 and mounted as / in fstab. I don't get why cryptsetup complains about not finding root. It's also no LVM or similar, just plain RAID1 with 2 nvme partitions.
However, as I did not want to encrypt these anyhow, I also didn't bother to investigate further. It would just be nice to have no warnings on system upgrades, as this is a production server.

p.H wrote: cryptsetup did not mess the boot menu. It just rebuilt the initramfs to include the encryption tools and scripts.
Yeah, and it shouldn't, since I don't need the encryption at boot time. Unfortunately, everything I found on the web about that explains how to boot from encrypted drives. To have a separate hot-backup RAID encrypted that sensitive data seems to be out of scope for most...

p.H wrote: Maybe the initramfs asked for a passphrase to open an encrypted device, and just sat there.
If that was the case, then I certainly would have that removed, since that's exactly the reason why I don't want encryption there. All sensitive data is supposed to be in its own decrypted raid device that gets mounted manually in case of a reboot.

p.H wrote: Do you have an /etc/crypttab file? If yes, what does it contain?
Yes, I have, and it's empty.

p.H wrote: As I wrote, uninstall cryptsetup and just keep cryptsetup-bin.
I will try that, thanks.
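
A check for the state discussed in this thread, as an added example that is not part of any post: it reports whether a generated initramfs still contains the cryptsetup program, its library or the cryptroot scripts, and whether /etc/crypttab has active entries. The function names and verdict strings are assumptions of this example; `lsinitramfs` is the listing command shipped with initramfs-tools.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and verdict strings are
# assumptions of this example.

# Print the number of active entries in a crypttab file ($1).
# Blank lines and '#' comments do not count; a missing file counts as 0.
crypttab_active_entries() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -Evc '^[[:space:]]*(#|$)' "$1" || true
}

# Filter a file listing on stdin (one path per line, as lsinitramfs prints)
# down to the cryptsetup program, its library and the cryptroot scripts.
# Exit status is 0 only if at least one such path is present.
initramfs_crypt_files() {
    grep -E '(^|/)(cryptsetup|cryptroot|libcryptsetup)'
}

# $1: file holding an initramfs listing, $2: crypttab path.
# Prints: clean | tools-only | tools-and-entries
boot_crypt_verdict() {
    if initramfs_crypt_files < "$1" > /dev/null; then
        if [ "$(crypttab_active_entries "$2")" -gt 0 ]; then
            echo tools-and-entries
        else
            echo tools-only
        fi
    else
        echo clean
    fi
}

# Run against the live system only where initramfs-tools is installed.
img="/boot/initrd.img-$(uname -r)"
if command -v lsinitramfs > /dev/null 2>&1 && [ -r "$img" ]; then
    list=$(mktemp)
    lsinitramfs "$img" > "$list"
    echo "$img: $(boot_crypt_verdict "$list" /etc/crypttab)"
    rm -f "$list"
fi
```

`clean` is the outcome the workaround in post #2 is meant to produce once the initramfs has been rebuilt with only cryptsetup-bin installed.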
