LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware
User Name
Password
Slackware This Forum is for the discussion of Slackware Linux.

Notices


Reply
  Search this Thread
Old 11-07-2019, 09:42 AM   #1
willkane
LQ Newbie
 
Registered: Nov 2019
Distribution: Slackware (x86_64) (current)
Posts: 3

Rep: Reputation: 0
slackware64-current: Close LUKS volumes not listed in /etc/crypttab on reboot/shutdown


LUKS volumes mounted and not listed in /etc/crypttab will be not properly closed after reboot/shutdown

So, I have this suggestion for the rc.6 script:

Code:
$ diff -u rc.6,orig rc.6
--- rc.6,orig	2019-08-28 20:25:14.000000000 +0200
+++ rc.6	2019-11-07 13:45:21.667164418 +0100
@@ -261,10 +261,7 @@
     LUKS=$(echo $line | tr '\t' ' ' | tr -s ' ' | cut -f1 -d' ')
     DEV=$(echo $line | tr '\t' ' ' | tr -s ' ' | cut -f2 -d' ')
     OPTS=$(echo $line | tr '\t' ' ' | tr -s ' ' | cut -f4 -d' ')
-    if /sbin/cryptsetup isLuks $DEV 2>/dev/null ; then
-      echo "Locking LUKS crypt volume '${LUKS}':"
-      /sbin/cryptsetup luksClose ${LUKS}
-    elif echo $OPTS | grep -wq swap ; then
+    if echo $OPTS | grep -wq swap ; then
       # If any of the volumes was used as encrypted swap,
       # then run mkswap on the underlying device -
       # in case other Linux installations on this computer should use it:
@@ -275,6 +272,20 @@
   done
 fi
 
+LSBLK_OUTPUT=`lsblk -fs --raw --paths | grep crypto_LUKS | cut -d" " -f 1`
+echo $LSBLK_OUTPUT | while read -a devices; do
+  for dev in ${devices[@]}
+  do
+    LUKS_NAME=`lsblk --raw $dev | grep crypt | cut -d" " -f 1`
+    if [ $LUKS_NAME ]; then
+      if /sbin/cryptsetup isLuks $dev 2>/dev/null ; then
+        echo "Locking LUKS crypt volume '${LUKS_NAME}':"
+        /sbin/cryptsetup luksClose ${LUKS_NAME}
+      fi
+    fi
+  done
+done
+
 # Deactivate LVM volume groups:
 if [ -r /etc/lvmtab -o -d /etc/lvm/backup ]; then
   echo "Deactivating LVM volume groups:"
Basically, what it does is to iterate over the list of devices and get only
those with FSTYPE == crypto_LUKS; then for each crypto_LUKS device found,
check if it have a name, because if it do have one, then it needs to be closed.

The former way of closing LUKS volumes was left to manage the swap device case.
 
Old 11-08-2019, 09:35 AM   #2
GazL
LQ Guru
 
Registered: May 2008
Posts: 5,250
Blog Entries: 18

Rep: Reputation: 2991Reputation: 2991Reputation: 2991Reputation: 2991Reputation: 2991Reputation: 2991Reputation: 2991Reputation: 2991Reputation: 2991Reputation: 2991Reputation: 2991
Welcome to LQ.

Unfortunately, you code has a number of issues.

Firstly, your for loop doesn't iterate over what you think it does. Secondly, and more importantly, the problem is more complicated than you think.

Here's my setup:
Code:
# lsblk --paths -o TYPE,FSTYPE,NAME,MOUNTPOINT
TYPE  FSTYPE      NAME                           MOUNTPOINT
disk              /dev/sda                       
part  vfat        ├─/dev/sda1                    /boot/efi
part              ├─/dev/sda2                    
part  ntfs        ├─/dev/sda3                    
part  LVM2_member ├─/dev/sda4                    
lvm   ext4        │ ├─/dev/mapper/rootvg-lvroot  /
lvm   ext4        │ ├─/dev/mapper/rootvg-lvsrc   /usr/src
lvm   ext4        │ ├─/dev/mapper/rootvg-lvsrv   /srv
lvm   crypto_LUKS │ ├─/dev/mapper/rootvg-lvcrypt 
crypt ext4        │ │ └─/dev/mapper/crypt        /srv/crypt
lvm   ext4        │ ├─/dev/mapper/rootvg-lvhome  /home
lvm   ext4        │ └─/dev/mapper/rootvg-lvvar   /var
part  ntfs        └─/dev/sda5                    
rom               /dev/sr0
Checking for fstype == crypto_LUKS is not the way to go.

There is also the case of lvm pv on luks, which will look different again.

Before LVM deactivation you would have to do something like:
Code:
lsblk --inverse --raw --paths --noheading -o TYPE,FSTYPE,NAME,MOUNTPOINT \
  | while read type fstype name mountpoint
    do
      if [ "$type" = 'crypt' ]  && [ "$fstype" != 'LVM2_member' ] && [ "$mountpoint" = '' ]; then
        cryptsetup luksClose "${name##*/}"
      fi
    done
that would prevent it hitting an in use lvm member or the rootfs.

Then after lvm deactivation one could deal with any TYPE == crypt, FSTYPE == LVM2_member devices in a similar fashion But even there, you'll be unable to close a device that is in the volume group containing the rootfs, so there's still additional checks to be made.

The existing code in rc.6 isn't perfect in this regard either.

Last edited by GazL; 11-08-2019 at 12:34 PM.
 
Old 11-08-2019, 01:54 PM   #3
willkane
LQ Newbie
 
Registered: Nov 2019
Distribution: Slackware (x86_64) (current)
Posts: 3

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by GazL View Post
Welcome to LQ.
Thanks.

Nice catch.

Could you paste the output of this command?:
lsblk --inverse --raw --paths --noheading -o TYPE,FSTYPE,NAME,MOUNTPOINT

I have several encrypted partitions and one of them is the rootfs itself,
and yes, even after / is remounted ro, cryptsetup will not close it because
it detects the partition as being still used.

I'm not sure but if the rootfs is encrypted, the only way to close it properly
is to change root to another partition with the basic tools to manage crypto
volumes and try to close the rootfs from there, and then come back and keep
going with the rc.6 flow.
 
Old 11-08-2019, 02:34 PM   #4
GazL
LQ Guru
 
Registered: May 2008
Posts: 5,250
Blog Entries: 18

Rep: Reputation: 2991Reputation: 2991Reputation: 2991Reputation: 2991Reputation: 2991Reputation: 2991Reputation: 2991Reputation: 2991Reputation: 2991Reputation: 2991Reputation: 2991
as requested:
Code:
# lsblk --inverse --raw --paths --noheading -o TYPE,FSTYPE,NAME,MOUNTPOINT
part vfat /dev/sda1 /boot/efi
part  /dev/sda2 
part ntfs /dev/sda3 
part ntfs /dev/sda5 
rom  /dev/sr0 
lvm ext4 /dev/mapper/rootvg-lvroot /
lvm ext4 /dev/mapper/rootvg-lvsrc /usr/src
part LVM2_member /dev/sda4 
disk  /dev/sda 
lvm ext4 /dev/mapper/rootvg-lvsrv /srv
lvm ext4 /dev/mapper/rootvg-lvhome /home
lvm ext4 /dev/mapper/rootvg-lvvar /var
crypt ext4 /dev/mapper/crypt /srv/crypt
lvm crypto_LUKS /dev/mapper/rootvg-lvcrypt

Quote:
Originally Posted by willkane View Post
I'm not sure but if the rootfs is encrypted, the only way to close it properly is to change root to another partition with the basic tools to manage crypto volumes and try to close the rootfs from there, and then come back and keep going with the rc.6 flow.
To be able to do that you'd probably need to revert back to an initrd some way but be very careful here: switch_root removes recursively all files and directories on the current root filesystem.. If you attempt that you're going to have a very bad day!

Probably best just to leave it ro and not close the luks containers. (closing them really doesn't matter all that much anyway).
 
Old 11-12-2019, 03:00 AM   #5
willkane
LQ Newbie
 
Registered: Nov 2019
Distribution: Slackware (x86_64) (current)
Posts: 3

Original Poster
Rep: Reputation: 0
Thanks for the lsblk's output.

This is why I really like Slackware, its default layout covers very well all of
the common and usual scenarios, but for the edges cases, it allows for an easy
hack to have it solved.

My free time is scarce currently, but definitely I'll give your hack a try.
For the moment, I'm more than happy using my hack in rc.6 for my edge case =)

Thanks for the advices.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Slackware-current patch for improved /etc/crypttab handling; RFC WLD Slackware 3 11-09-2019 02:01 PM
luks img crypttab mounts as read only. khronosschoty Slackware 1 09-05-2016 04:04 AM
[PATCH] rc.S: interactive password prompt for LUKS devices with options in /etc/crypttab .Lightning Slackware 7 04-29-2016 10:42 AM
crypttab: opening luks volumes with TRIM on SSDs during boot thegoofeedude Slackware 0 11-03-2013 11:45 PM
[SOLVED] Bug in cryptsetup and/or in rc.S in processing /etc/crypttab in slackware-current fdeak Slackware 2 01-23-2011 10:58 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware

All times are GMT -5. The time now is 08:10 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration