slackware64-current: Close LUKS volumes not listed in /etc/crypttab on reboot/shutdown
LUKS volumes mounted and not listed in /etc/crypttab will not be properly closed on reboot/shutdown.
So, I have this suggestion for the rc.6 script:
Code:
$ diff -u rc.6,orig rc.6
--- rc.6,orig 2019-08-28 20:25:14.000000000 +0200
+++ rc.6 2019-11-07 13:45:21.667164418 +0100
@@ -261,10 +261,7 @@
LUKS=$(echo $line | tr '\t' ' ' | tr -s ' ' | cut -f1 -d' ')
DEV=$(echo $line | tr '\t' ' ' | tr -s ' ' | cut -f2 -d' ')
OPTS=$(echo $line | tr '\t' ' ' | tr -s ' ' | cut -f4 -d' ')
- if /sbin/cryptsetup isLuks $DEV 2>/dev/null ; then
- echo "Locking LUKS crypt volume '${LUKS}':"
- /sbin/cryptsetup luksClose ${LUKS}
- elif echo $OPTS | grep -wq swap ; then
+ if echo $OPTS | grep -wq swap ; then
# If any of the volumes was used as encrypted swap,
# then run mkswap on the underlying device -
# in case other Linux installations on this computer should use it:
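Review bot: dropping the `isLuks` branch (the three `-` lines) means the /etc/crypttab loop no longer closes any non-swap entry at all, so every crypttab-listed LUKS volume now depends on the later lsblk scan finding it; a crypttab entry that the scan misses stays open where it used to be closed. Keeping the `isLuks`/`luksClose` branch here and having the new scan skip names that are already closed would be the safer split.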
@@ -275,6 +272,20 @@
done
fi
+LSBLK_OUTPUT=`lsblk -fs --raw --paths | grep crypto_LUKS | cut -d" " -f 1`
+echo $LSBLK_OUTPUT | while read -a devices; do
+ for dev in ${devices[@]}
+ do
+ LUKS_NAME=`lsblk --raw $dev | grep crypt | cut -d" " -f 1`
+ if [ $LUKS_NAME ]; then
+ if /sbin/cryptsetup isLuks $dev 2>/dev/null ; then
+ echo "Locking LUKS crypt volume '${LUKS_NAME}':"
+ /sbin/cryptsetup luksClose ${LUKS_NAME}
+ fi
+ fi
+ done
+done
+
# Deactivate LVM volume groups:
if [ -r /etc/lvmtab -o -d /etc/lvm/backup ]; then
echo "Deactivating LVM volume groups:"
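Review bot: `grep crypt` on the inner `lsblk --raw $dev` matches on substring rather than on the TYPE column, so a device whose NAME merely contains "crypt" (an LV named lvcrypt, say) is picked up together with the real crypt mapping; LUKS_NAME then holds two words and the unquoted `[ $LUKS_NAME ]` fails with "too many arguments" instead of closing anything. Selecting on the column is more robust: `lsblk --raw --noheadings -o NAME,TYPE "$dev" | awk '$2 == "crypt" {print $1}'`, and the expansions should be quoted (`"${devices[@]}"`, `"$dev"`, `[ -n "$LUKS_NAME" ]`). Two smaller points: the exit status of `luksClose` is ignored, so a mapping that is still busy (mounted, or holding an active LVM PV, which this loop runs before deactivating) fails silently; and `echo $LSBLK_OUTPUT | while read -a devices` collapses the whole list onto one line and relies on `read -a` re-splitting it, so a plain `for dev in $LSBLK_OUTPUT` would read more clearly.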
Basically, what it does is iterate over the list of devices and get only
those with FSTYPE == crypto_LUKS; then for each crypto_LUKS device found,
check if it has a name, because if it does have one, then it needs to be closed.
The former way of closing LUKS volumes was left to manage the swap device case.
Firstly, your for loop doesn't iterate over what you think it does. Secondly, and more importantly, the problem is more complicated than you think.
Here's my setup:
Code:
# lsblk --paths -o TYPE,FSTYPE,NAME,MOUNTPOINT
TYPE FSTYPE NAME MOUNTPOINT
disk /dev/sda
part vfat ├─/dev/sda1 /boot/efi
part ├─/dev/sda2
part ntfs ├─/dev/sda3
part LVM2_member ├─/dev/sda4
lvm ext4 │ ├─/dev/mapper/rootvg-lvroot /
lvm ext4 │ ├─/dev/mapper/rootvg-lvsrc /usr/src
lvm ext4 │ ├─/dev/mapper/rootvg-lvsrv /srv
lvm crypto_LUKS │ ├─/dev/mapper/rootvg-lvcrypt
crypt ext4 │ │ └─/dev/mapper/crypt /srv/crypt
lvm ext4 │ ├─/dev/mapper/rootvg-lvhome /home
lvm ext4 │ └─/dev/mapper/rootvg-lvvar /var
part ntfs └─/dev/sda5
rom /dev/sr0
Checking for fstype == crypto_LUKS is not the way to go.
There is also the case of lvm pv on luks, which will look different again.
Before LVM deactivation you would have to do something like:
Code:
# Walk the device tree bottom-up; --raw gives one space-separated record per line.
lsblk --inverse --raw --paths --noheading -o TYPE,FSTYPE,NAME,MOUNTPOINT \
| while read type fstype name mountpoint
do
    # Only dm-crypt mappings that are neither an LVM PV nor currently mounted.
    if [ "$type" = 'crypt' ] && [ "$fstype" != 'LVM2_member' ] && [ "$mountpoint" = '' ]; then
        cryptsetup luksClose "${name##*/}"
    fi
done
That would prevent it from hitting an in-use LVM member or the rootfs.
Then after LVM deactivation one could deal with any TYPE == crypt, FSTYPE == LVM2_member devices in a similar fashion. But even there, you'll be unable to close a device that is in the volume group containing the rootfs, so there are still additional checks to be made.
The existing code in rc.6 isn't perfect in this regard either.
Could you paste the output of this command?:
lsblk --inverse --raw --paths --noheading -o TYPE,FSTYPE,NAME,MOUNTPOINT
I have several encrypted partitions and one of them is the rootfs itself,
and yes, even after / is remounted ro, cryptsetup will not close it because
it detects the partition as being still used.
I'm not sure but if the rootfs is encrypted, the only way to close it properly
is to change root to another partition with the basic tools to manage crypto
volumes and try to close the rootfs from there, and then come back and keep
going with the rc.6 flow.
# lsblk --inverse --raw --paths --noheading -o TYPE,FSTYPE,NAME,MOUNTPOINT
part vfat /dev/sda1 /boot/efi
part /dev/sda2
part ntfs /dev/sda3
part ntfs /dev/sda5
rom /dev/sr0
lvm ext4 /dev/mapper/rootvg-lvroot /
lvm ext4 /dev/mapper/rootvg-lvsrc /usr/src
part LVM2_member /dev/sda4
disk /dev/sda
lvm ext4 /dev/mapper/rootvg-lvsrv /srv
lvm ext4 /dev/mapper/rootvg-lvhome /home
lvm ext4 /dev/mapper/rootvg-lvvar /var
crypt ext4 /dev/mapper/crypt /srv/crypt
lvm crypto_LUKS /dev/mapper/rootvg-lvcrypt
Quote:
Originally Posted by willkane
I'm not sure but if the rootfs is encrypted, the only way to close it properly is to change root to another partition with the basic tools to manage crypto volumes and try to close the rootfs from there, and then come back and keep going with the rc.6 flow.
To be able to do that you'd probably need to revert back to an initrd some way, but be very careful here: switch_root recursively removes all files and directories on the current root filesystem. If you attempt that you're going to have a very bad day!
Probably best just to leave it ro and not close the luks containers. (closing them really doesn't matter all that much anyway).
This is why I really like Slackware: its default layout covers all of
the common and usual scenarios very well, but for the edge cases it allows for an easy
hack to have it solved.
My free time is scarce currently, but definitely I'll give your hack a try.
For the moment, I'm more than happy using my hack in rc.6 for my edge case =)