Open kszczek opened 4 months ago
`/usr/local/bin/get-secret`

```bash
#!/bin/bash
# Placeholder key provider: writes the passphrase without a trailing newline
echo -n "secret"
```

`/etc/dracut.conf.d/get-secret.conf`

```
install_items+=" /usr/local/bin/get-secret "
```

`/etc/systemd/system/root-volume-key.socket`

```ini
[Unit]
Description=Root Volume Key Socket
DefaultDependencies=no
Conflicts=multi-user.target shutdown.target
Before=cryptsetup-pre.target multi-user.target shutdown.target
Wants=cryptsetup-pre.target

[Socket]
ListenStream=/run/cryptsetup-keys.d/luks-<UUID>.key
SocketUser=root
SocketGroup=root
SocketMode=0400
DirectoryMode=0750
Accept=yes
MaxConnections=1
RemoveOnStop=yes

[Install]
WantedBy=sockets.target
```

`/etc/systemd/system/root-volume-key@.service`

```ini
[Unit]
Description=Root Volume Key Service
DefaultDependencies=no
After=root-volume-key.socket
Requisite=root-volume-key.socket
RefuseManualStart=yes
RefuseManualStop=yes

[Service]
Type=exec
ExecStart=/bin/bash /usr/local/bin/get-secret
StandardOutput=socket
StandardError=kmsg+console
```

`/etc/crypttab`

```
luks-<UUID> UUID=<UUID> none discard
```
Also, make sure to enable the root-volume-key.socket
before regenerating the initramfs.
This issue is being marked as stale because it has not had any recent activity. It will be closed if no further activity occurs. If this is still an issue in the latest release of Dracut and you would like to keep it open please comment on this issue within the next 7 days. Thank you for your contributions.
Commenting to keep this open.
Also opened a PR in the fork: https://github.com/dracut-ng/dracut-ng/pull/257
Force pushed to fix the commit message and shell lint issues.
systemd v248 introduced support for using AF_UNIX sockets as key files in `/etc/crypttab`. This pull request enhances the 90crypt module to identify socket units with matching socket file paths. It includes the first matching socket unit along with its corresponding service unit. This correspondence is determined by checking the `Service=` option in the socket unit or, if that's not available, by replacing the `.socket` suffix with either `@.service` or `.service`, depending on the `Accept=` option (see man page for systemd.socket). Furthermore, this functionality handles sockets located under `/run/cryptsetup-keys.d/`, which are automatically discoverable by the systemd-cryptsetup utility when the key file field in `/etc/crypttab` is empty.

Checklist
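The resolution rules the PR describes, walked through in bash as an added example (this is not dracut's 90crypt code nor the PR's diff): a crypttab entry with an empty key field maps to `/run/cryptsetup-keys.d/<name>.key`, the first `.socket` unit whose `ListenStream=` equals that path is selected, and its service unit is taken from `Service=` or, failing that, derived by replacing `.socket` with `@.service` (when `Accept=yes`) or `.service`. The function names, the unit directory, the UUID `0000` and the two unit files are constructed for the example; the socket unit mirrors the `root-volume-key.socket` from the issue above.

```bash
#!/bin/bash
# Added example: resolve the key socket unit and its service unit for a
# crypttab entry, following the rules stated in the PR description.
# Real systemd/dracut parsing is more thorough; this illustrates the mapping.

# Key path systemd-cryptsetup uses: the 3rd crypttab field when it is an
# absolute path, else /run/cryptsetup-keys.d/<name>.key when the field is
# empty, "-" or "none".
crypttab_key_path() {
    local name="$1" keyfile="$2"
    case "$keyfile" in
        ""|-|none) printf '%s\n' "/run/cryptsetup-keys.d/${name}.key" ;;
        *)         printf '%s\n' "$keyfile" ;;
    esac
}

# Last value of "Key=" in a unit file (empty if absent).
unit_get() {
    local file="$1" key="$2"
    sed -n "s/^[[:space:]]*${key}=[[:space:]]*//p" "$file" | tail -n 1
}

# First *.socket unit under $1 with a ListenStream= equal to path $2.
# Prints the unit name; returns 1 when nothing matches.
find_socket_unit() {
    local unitdir="$1" keypath="$2" f
    for f in "$unitdir"/*.socket; do
        [ -e "$f" ] || continue
        if sed -n 's/^[[:space:]]*ListenStream=[[:space:]]*//p' "$f" \
            | grep -qxF -- "$keypath"; then
            printf '%s\n' "${f##*/}"
            return 0
        fi
    done
    return 1
}

# Service unit for socket unit $2 under $1: Service= wins; otherwise
# .socket -> @.service for Accept=yes, .socket -> .service otherwise.
socket_service_unit() {
    local unitdir="$1" socket="$2" svc accept
    svc=$(unit_get "$unitdir/$socket" Service)
    if [ -n "$svc" ]; then
        printf '%s\n' "$svc"
        return 0
    fi
    accept=$(unit_get "$unitdir/$socket" Accept)
    case "$accept" in
        yes|true|on|1) printf '%s\n' "${socket%.socket}@.service" ;;
        *)             printf '%s\n' "${socket%.socket}.service" ;;
    esac
}

# Full walk for one crypttab entry: prints "<socket unit> <service unit>".
resolve_crypttab_entry() {
    local unitdir="$1" name="$2" keyfile="$3" keypath sock
    keypath=$(crypttab_key_path "$name" "$keyfile")
    sock=$(find_socket_unit "$unitdir" "$keypath") || return 1
    printf '%s %s\n' "$sock" "$(socket_service_unit "$unitdir" "$sock")"
}

# Constructed sample unit directory (not a real system's units).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/root-volume-key.socket" <<'EOF'
[Socket]
ListenStream=/run/cryptsetup-keys.d/luks-0000.key
Accept=yes
EOF
cat > "$demo_dir/other.socket" <<'EOF'
[Socket]
ListenStream=/run/other.sock
Service=other-daemon.service
EOF

# Mirrors the issue's crypttab line: "luks-<UUID> UUID=<UUID> none discard".
resolve_crypttab_entry "$demo_dir" luks-0000 none
```

Running it prints `root-volume-key.socket root-volume-key@.service`, which is exactly the pair of units the issue's setup expects dracut to pull into the initramfs; an entry whose key path matches no socket unit makes `resolve_crypttab_entry` return non-zero so a caller can fall back to the key-file path.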