cryptroot-unlock CRYPTTAB_NAME issue after debootstrap setup

jostrn
Posts: 3
Joined: 2014-07-02 13:24

cryptroot-unlock CRYPTTAB_NAME issue after debootstrap setup

#1 Post by jostrn »

Hi,

I reproducibly fail to install Debian with LUKS hard drive encryption via debootstrap. The same configuration installed with Debian installer works great. Unfortunately, I need to install the production systems via debootstrap.

My setup is:
sd{a,b}1 1049kB 538MB 537MB boot raid
sd{a,b}2 538MB 26.3GB 25.8GB
sd{a,b}3 26.3GB 2000GB 1974GB lvm raid
sd{a,b} 128 2000GB 2000GB 3219kB bios_grub

sd{a,b}1 are md0.
sd{a,b}3 are md1.

md1 is md1_crypto, which forms volume group vg0.

As written before, everything works great if the installation was done with Debian installer. If the installation was done with debootstrap, I struggle with some issues:
ssh host
To unlock root partition, and maybe others like swap, run `cryptroot-unlock`
~ # cryptroot-unlock
/bin/cryptroot-unlock: line 1: CRYPTTAB_NAME: parameter not set

The system installed via Debian installer has no issue with an unset CRYPTTAB_NAME parameter. It just mounts the encrypted root lv and starts init.

Server screen:
Please unlock disk cryptroot:
WARNING: Failed to connect to lvmetad. Falling back to device scanning.
Reading all physical volumes. This may take a while...
Found volume group "vg0" using metadata type lvm2
WARNING: Failed to connect to lvmetad. Falling back to device scanning.
2 logical volume(s) in volume group "vg0" now active
cryptsetup (cryptroot): set up successfully
Please unlock disk md1_crypt:
Cannot use device /dev/disk/by-uuid/965........ which is in use (already mapped or mounted),
cryptsetup (md1_crypt): cryptsetup failed, bad password or options?

WTF is "cryptroot"? I never set this name, it only appears if installed via debootstrap. The system installed with Debian installer only asks to unlock md1_crypt. The debootstrap based system is locked in a loop because it can't unlock md1_crypt that it may have already unlocked as cryptroot.

/etc/crypttab in both cases is identical and only contains one line: md1_crypt UUID=... none luks

/conf/conf.d/cryptroot in both cases is identical too and only contains: target=md1_crypt,source=UUID=...,rootdev,lvm=vg0-root,key=none

I've been investigating this problem for three days and I don't get what goes wrong. In my lab I have a virtual machine installed via Debian installer and one installed via debootstrap. I tried to find configuration differences with md5sum checksum comparison, but all(?) relevant config files are identical.

Any ideas? Thx a lot

jostrn
Posts: 3
Joined: 2014-07-02 13:24

Re: cryptroot-unlock CRYPTTAB_NAME issue after debootstrap s

#2 Post by jostrn »

Please unlock disk cryptroot:
[...]
Please unlock disk md1_crypt:

It seems that both the name and the content of a config file in initramfs are used in the unlock process:

Code:

/conf/conf.d/cryptroot:
target=md1_crypt,source=UUID=...,rootdev,lvm=vg0-root,key=none

If I rename /conf/conf.d/cryptroot to /conf/conf.d/md1_crypt, the cryptroot-unlock-question is gone. I'm not completely sure about this finding yet so I'll investigate this tomorrow in depth. So far it seems a very strange way of combining filename and file content into a runtime configuration.
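
Added example, not part of the posts above: a shell check for an unpacked initramfs that lists each source device reachable under more than one mapping name and each target= name missing from crypttab. The option-line format is the one quoted in the thread; counting the file name as a second candidate name follows the observation in post #2, and the function names and sample UUID are made up for illustration.

```shell
#!/bin/sh
# Added example. Option-line format as quoted in the thread; counting the file
# name as a second candidate mapping name is an assumption taken from post #2.

# Print the value of FIELD ($1) from a comma-separated option line ($2).
cryptroot_field() {
    printf '%s\n' "$2" | tr ',' '\n' | sed -n "s/^$1=//p" | head -n 1
}

# Print "source name" pairs for every candidate mapping name in CONFDIR ($1).
candidate_names() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        while IFS= read -r line || [ -n "$line" ]; do
            [ -n "$line" ] || continue
            src=$(cryptroot_field source "$line")
            printf '%s %s\n' "$src" "$(cryptroot_field target "$line")"
            printf '%s %s\n' "$src" "$(basename "$f")"
        done < "$f"
    done | LC_ALL=C sort -u
}

# Print each source that has more than one candidate name, with those names.
ambiguous_sources() {
    candidate_names "$1" | awk '
        { n[$1]++; names[$1] = names[$1] " " $2 }
        END { for (s in n) if (n[s] > 1) print s ":" names[s] }'
}

# Print target= names in CONFDIR ($2) that have no entry in CRYPTTAB ($1).
targets_missing_from_crypttab() {
    for f in "$2"/*; do
        [ -f "$f" ] || continue
        while IFS= read -r line || [ -n "$line" ]; do
            t=$(cryptroot_field target "$line")
            [ -n "$t" ] || continue
            awk -v t="$t" '$1 == t { found = 1 } END { exit !found }' "$1" ||
                printf '%s\n' "$t"
        done < "$f"
    done
}

# Constructed sample mirroring the two files quoted in the thread.
demo_dir=$(mktemp -d)
mkdir "$demo_dir/conf.d"
echo 'md1_crypt UUID=0000-constructed none luks' > "$demo_dir/crypttab"
echo 'target=md1_crypt,source=UUID=0000-constructed,rootdev,lvm=vg0-root,key=none' > "$demo_dir/conf.d/cryptroot"
ambiguous_sources "$demo_dir/conf.d"
targets_missing_from_crypttab "$demo_dir/crypttab" "$demo_dir/conf.d"
```

To run it against a real image, unpack the initramfs with `unmkinitramfs` into a scratch directory and pass that tree's `conf/conf.d` path.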
