dracutdevs / dracut

dracut the event driven initramfs infrastructure
https://github.com/dracutdevs/dracut/wiki
GNU General Public License v2.0

Dracut not recognizing device mapper name in /etc/crypttab inside initramfs #2512

Open phirince opened 11 months ago

phirince commented 11 months ago

Describe the bug
I have a system which has an encrypted root partition on an mdraid array.

$ sudo blkid /dev/md1
/dev/md1: UUID="c156b2c0-d516-48d7-805b-a78bac83d818" TYPE="crypto_LUKS"
$

In order to mount this during bootup, I have the following inside the crypttab file.

$ sudo lsinitrd /boot/initramfs-5.15.111.1-rolling-lts-linkedin.img --file /etc/crypttab
root_crypt /dev/md1 /etc/crypttab.headers/.key
$

Even though the key file is included in the crypttab file and contains the correct key to decrypt the partition, I get asked for the passphrase of device luks-c156b2c0-d516-48d7-805b-a78bac83d818. When I entered the initramfs shell with the rd.break option, I found this:

switch_root:/# cat /etc/crypttab
root_crypt /dev/md1 /etc/crypttab.headers/.key
luks-c156b2c0-d516-48d7-805b-a78bac83d818 /dev/md1 - timeout=0,-

Apparently, parse-crypt.sh is not recognizing that an entry for the root device is already present in /etc/crypttab and is adding that extra line. This issue goes away once I make the mapper name the same as the luks-UUID name.

I think this new entry is generated at this line: https://github.com/dracutdevs/dracut/blob/6acfecae572fb457115b276b5b64d9424ad5187b/modules.d/90crypt/crypt-run-generator.sh#L25

PS: Interestingly, this issue only happens when the rd.auto kernel parameter is set to 1.

Distribution used: CentOS Linux release 7.9.2009 (Core)

Dracut version: 033-572.el7

Init system: systemd

To Reproduce
An encrypted root partition needs to be created on top of a software RAID1 array. The encryption key, as well as the /etc/crypttab file shown above, should be added to the initramfs, and the host should be booted.

Expected behavior
Dracut should have recognized that an entry for the root partition is already present in /etc/crypttab and shouldn't have added additional entries.

Additional context
Kernel command line options:

BOOT_IMAGE=/vmlinuz-5.15.111.1-rolling-lts-linkedin root=UUID=77f76525-6fa8-472c-b33e-075c4def76be ro rhgb quiet crashkernel=256M spectre_v2=retpoline rd.auto=1 rd.md.uuid=f345b9a1:9108ad47:6aec1f96:b3305188 rd.md.uuid=5cc987c2:5a4e2f26:94f1d044:58121483 rd.md.uuid=fc60d2e2:e41e71d1:5ff3302d:2170d468 rd.md.uuid=3a44a932:11e2172b:b36a1610:9c069887 rd.md.uuid=966f8e8c:4ec324ab:2accc62d:a3993989 console=ttyS0 elevator=none debugfs=on iommu=p
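The lookup the report above describes as missing, written as an added example in POSIX sh rather than taken from dracut's crypt-run-generator.sh: it checks column 2 of /etc/crypttab for the source device (by path, by UUID= or by the by-uuid symlink) before appending a generator-style luks-<uuid> line, so a mapper name in column 1 that differs from the luks-<uuid> convention no longer produces a duplicate entry. The function names and the sample crypttab are constructed for this example.

```shell
#!/bin/sh
# Added example, not dracut's own code: check whether /etc/crypttab already
# covers a LUKS source device before appending a generated "luks-<uuid>" line.
# The generated-line format mirrors the extra line shown in the report above;
# function names and the sample crypttab are constructed for this example.

# crypttab_has_device FILE DEVICE UUID
# Succeeds when any non-comment entry in FILE names DEVICE in column 2, whether
# by path, by UUID=..., or by /dev/disk/by-uuid/..., regardless of the mapper
# name in column 1. This is the lookup the reporter found missing.
crypttab_has_device() {
    _file=$1 _dev=$2 _uuid=$3
    while read -r _name _src _rest; do
        case $_name in ''|\#*) continue ;; esac   # skip blanks and comments
        case $_src in
            "$_dev"|"UUID=$_uuid"|"/dev/disk/by-uuid/$_uuid") return 0 ;;
        esac
    done < "$_file"
    return 1
}

# add_generated_entry FILE DEVICE UUID
# Appends the generator-style line only when DEVICE has no entry yet, and
# prints which branch was taken.
add_generated_entry() {
    if crypttab_has_device "$1" "$2" "$3"; then
        echo kept
    else
        printf 'luks-%s %s - timeout=0,-\n' "$3" "$2" >> "$1"
        echo added
    fi
}

# Constructed sample: the reporter's crypttab, whose mapper name (root_crypt)
# does not follow the luks-<uuid> convention.
SAMPLE=$(mktemp)
printf '%s\n' '# constructed sample crypttab' \
    'root_crypt /dev/md1 /etc/crypttab.headers/.key' > "$SAMPLE"

add_generated_entry "$SAMPLE" /dev/md1 c156b2c0-d516-48d7-805b-a78bac83d818  # kept
add_generated_entry "$SAMPLE" /dev/md2 00000000-0000-0000-0000-000000000002  # added
cat "$SAMPLE"
rm -f "$SAMPLE"
```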

PaulCharlton commented 2 months ago
# /etc/crypttab
cryptroot /dev/mapper/cryptroot none luks,timeout=60

kernel command line args (must be provided to dracut via "kernel_commandline" or provided by GRUB -- Dracut concatenates, then parses those two sources)

# /etc/default/grub
GRUB_CMDLINE_LINUX="rd.auto=1 rd.driver.pre=btrfs rd.luks.allow-discards rd.luks.timeout=0 rd.luks.uuid=luks-<<uuid of encrypted volume>> root=/dev/mapper/cryptroot rootfstype=btrfs rootflags=rw,relatime,ssd,space_cache=v2,subvolid=5,subvol=/"

The dracut '90crypt' scripts will prompt you for the password of the volume that matches rd.luks.uuid.