dracut + systemd + LUKS + usbflash = automatic unlocking

The story began a long time ago, back when CentOS 7 (RHEL 7) was released. If you used drive encryption on CentOS 6, there was no problem with unlocking automatically when you plugged in a USB flash drive holding the required keys. But when 7 came out, suddenly nothing worked the way you were used to. Back then a workaround could be found in rolling dracut back to sysvinit with a single line of configuration: echo 'omit_dracutmodules+=" systemd "' > /etc/dracut.conf.d/luks-workaround.conf
This immediately deprived us of all the beauty of systemd: fast, parallel launching of services, which in turn shortens the system boot time.
Still relevant: 905683
Without waiting for a fix, I made one myself, and now I am presenting it to the public; whoever is interested, read on.
Introduction

When I first started working with CentOS 7, systemd did not make much of an impression, because apart from minor changes in service management I did not notice any striking differences at first. Later I came to like systemd, but the first impression was slightly spoiled, since the dracut developers had not spent much time on supporting the boot process with systemd together with disk encryption. In general it works, but typing the disk password every time the server boots is not the most exciting thing.
Having tried many recommendations and studied the manuals, I found that in systemd mode a configuration with a USB drive is possible, but only by manually binding each disk to a key on the USB disk, and the USB disk itself can only be referenced by its UUID; LABEL does not work. This is not very convenient to manage at home, so in the end I settled down to wait and, after waiting almost 7 years, realised that nobody was going to fix the problem.

The problem

Of course, almost anyone can write their own plugin for dracut, but making it work is harder. It turns out that, because of the parallel nature of the systemd boot, it is not easy to plug in your own code and change the boot order. The dracut documentation does not explain everything. Nevertheless, after long experimentation, I managed to solve the problem.

How it works

It is based on three units:

  1. luks-auto-key.service - searches for the drive holding the keys for LUKS
  2. luks-auto.target - acts as a dependency for the built-in systemd-cryptsetup units
  3. luks-auto-clean.service - removes the temporary files created by luks-auto-key.service

And luks-auto-generator.sh is a script that systemd launches to create units from the kernel command-line parameters; the same mechanism generates the fstab units and so on.

luks-auto-generator.sh

Using a drop-in.conf, the behaviour of the standard systemd-cryptsetup units is changed by adding luks-auto.target to their dependencies.

luks-auto-key.service and luks-auto-key.sh

This unit runs the script luks-auto-key.sh, which, guided by the rd.luks.* parameters, searches for media carrying the keys and copies them to a temporary directory for later use. Once the process has finished, the keys are deleted from the temporary directory by luks-auto-clean.service.
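As an added illustration (not part of the module's own sources), here is the filter syntax of rd.luks.key and the device-selection rule from luks-auto-key.sh, reduced to stand-alone shell functions run against constructed blkid output, so the matching can be checked without mounting anything. The device names, UUIDs and labels are made up.

```shell
#!/bin/sh
# Added example: the rd.luks.key filter and the candidate-device rule of
# luks-auto-key.sh as pure-shell functions over constructed blkid output.
# rd.luks.key has the form KEYFILE[:UUID=<uuid>|LABEL=<label>|/dev/<node>].

# Split e.g. 'keyfile:LABEL="KEYS"' into KEY, F_FIELD, F_VALUE (quotes stripped).
parse_rd_luks_key() {
    KEY=${1%%:*}
    _rest=${1#"$KEY"}; _rest=${_rest#:}
    F_FIELD=${_rest%%=*}
    F_VALUE=${_rest#*=}
    [ "$F_VALUE" = "$_rest" ] && F_VALUE=''   # no "=": FIELD is a device path
    F_VALUE=${F_VALUE%\"}; F_VALUE=${F_VALUE#\"}
}

# Constructed output of 'blkid -s TYPE -s UUID -s LABEL' (not from a real host).
BLKID_SAMPLE='/dev/sda1: UUID="1111-AAAA" TYPE="vfat" LABEL="EFI"
/dev/sda2: UUID="22222222-2222-2222-2222-222222222222" TYPE="crypto_LUKS"
/dev/sdb1: UUID="3333-BBBB" TYPE="vfat" LABEL="KEYS"
/dev/sdc1: UUID="44444444-4444-4444-4444-444444444444" TYPE="linux_raid_member"
/dev/sdd1: UUID="5555-CCCC" TYPE="swap"'

# Print the devices luks-auto-key.sh would mount and search for $KEY:
# everything except RAID/LVM members, LUKS containers and swap, then the filter.
select_key_devices() {
    printf '%s\n' "$BLKID_SAMPLE" |
    grep -v -E -e 'TYPE=".*_member"' -e 'TYPE="crypto_.*"' -e 'TYPE="swap"' |
    while IFS= read -r _line; do
        _dev=${_line%%:*}
        _uuid=$(printf '%s\n' "$_line" | sed -n 's/.*UUID="\([^"]*\)".*/\1/p')
        _label=$(printf '%s\n' "$_line" | sed -n 's/.*LABEL="\([^"]*\)".*/\1/p')
        case "$F_FIELD" in
            '')    ;;                                                      # no filter
            UUID)  [ -z "$F_VALUE" ] || [ "$_uuid" = "$F_VALUE" ] || continue ;;
            LABEL) [ -z "$F_VALUE" ] || [ "$_label" = "$F_VALUE" ] || continue ;;
            *)     [ "$_dev" = "$F_FIELD" ] || continue ;;                 # device path
        esac
        printf '%s\n' "$_dev"
    done
}

# Usage: the medium labelled KEYS is the only candidate for this argument.
parse_rd_luks_key 'keyfile:LABEL="KEYS"'
select_key_devices
```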

Sources:

/usr/lib/dracut/modules.d/99luks-auto/module-setup.sh

#!/bin/bash

check() {
    if ! dracut_module_included "systemd"; then
        derror "luks-auto needs systemd in the initramfs"
        return 1
    fi
    # 255: the module is available but only installed when requested explicitly
    return 255
}

depends() {
    echo "systemd"
    return 0
}

install() {
    inst "$systemdutildir/systemd-cryptsetup"
    inst_script "$moddir/luks-auto-generator.sh" "$systemdutildir/system-generators/luks-auto-generator.sh"
    inst_script "$moddir/luks-auto-key.sh" "/etc/systemd/system/luks-auto-key.sh"
    inst_script "$moddir/luks-auto.sh" "/etc/systemd/system/luks-auto.sh"
    inst "$moddir/luks-auto.target" "${systemdsystemunitdir}/luks-auto.target"
    inst "$moddir/luks-auto-key.service" "${systemdsystemunitdir}/luks-auto-key.service"
    inst "$moddir/luks-auto-clean.service" "${systemdsystemunitdir}/luks-auto-clean.service"
    # pull the units into the initrd boot via initrd.target.wants
    ln_r "${systemdsystemunitdir}/luks-auto.target" "${systemdsystemunitdir}/initrd.target.wants/luks-auto.target"
    ln_r "${systemdsystemunitdir}/luks-auto-key.service" "${systemdsystemunitdir}/initrd.target.wants/luks-auto-key.service"
    ln_r "${systemdsystemunitdir}/luks-auto-clean.service" "${systemdsystemunitdir}/initrd.target.wants/luks-auto-clean.service"
}

/usr/lib/dracut/modules.d/99luks-auto/luks-auto-generator.sh


#!/bin/sh
# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
# ex: ts=8 sw=4 sts=4 et filetype=sh

. /lib/dracut-lib.sh

SYSTEMD_RUN='/run/systemd/system'
CRYPTSETUP='/usr/lib/systemd/systemd-cryptsetup'
# rd.luks.key.tout=<seconds>: extra delay before the key search, for slow USB media
TOUT=$(getargs rd.luks.key.tout)
if [ -n "$TOUT" ]; then
    mkdir -p "${SYSTEMD_RUN}/luks-auto-key.service.d"
    cat > "${SYSTEMD_RUN}/luks-auto-key.service.d/drop-in.conf" <<EOF
[Service]
Type=oneshot
ExecStartPre=/usr/bin/sleep $TOUT

EOF
fi
mkdir -p "$SYSTEMD_RUN/luks-auto.target.wants"
# one luks-auto@<uuid>.service per rd.luks.uuid= (or legacy rd_LUKS_UUID=) entry
for argv in $(getargs rd.luks.uuid -d rd_LUKS_UUID); do
    _UUID=${argv#luks-}
    # systemd-escape turns the dashes of the UUID into \x2d, as in the stock unit names
    _UUID_ESC=$(systemd-escape -p "$_UUID")
    # make the stock unit wait for luks-auto.target and skip it when the volume is already attached
    mkdir -p "${SYSTEMD_RUN}/systemd-cryptsetup@luks\x2d${_UUID_ESC}.service.d"
    cat > "${SYSTEMD_RUN}/systemd-cryptsetup@luks\x2d${_UUID_ESC}.service.d/drop-in.conf" <<EOF
[Unit]
After=luks-auto.target
ConditionPathExists=!/dev/mapper/luks-${_UUID}

EOF
    cat > "${SYSTEMD_RUN}/luks-auto@${_UUID_ESC}.service" <<EOF
[Unit]
Description=luks-auto Cryptography Setup for %I
DefaultDependencies=no
Conflicts=umount.target
IgnoreOnIsolate=true
Before=luks-auto.target
BindsTo=dev-disk-by\x2duuid-${_UUID_ESC}.device
After=dev-disk-by\x2duuid-${_UUID_ESC}.device luks-auto-key.service
Before=umount.target

[Service]
Type=oneshot
RemainAfterExit=yes
TimeoutSec=0
ExecStart=/etc/systemd/system/luks-auto.sh ${_UUID}
ExecStop=$CRYPTSETUP detach 'luks-${_UUID}'
Environment=DRACUT_SYSTEMD=1
StandardInput=null
StandardOutput=syslog
StandardError=syslog+console

EOF
    ln -fs "${SYSTEMD_RUN}/luks-auto@${_UUID_ESC}.service" "$SYSTEMD_RUN/luks-auto.target.wants/luks-auto@${_UUID_ESC}.service"
done

/usr/lib/dracut/modules.d/99luks-auto/luks-auto-key.service


[Unit]
Description=LUKS AUTO key searcher
After=cryptsetup-pre.target
Before=luks-auto.target
DefaultDependencies=no

[Service]
Environment=DRACUT_SYSTEMD=1
Type=oneshot
ExecStartPre=/usr/bin/sleep 1
ExecStart=/etc/systemd/system/luks-auto-key.sh
RemainAfterExit=true
StandardInput=null
StandardOutput=syslog
StandardError=syslog+console

/usr/lib/dracut/modules.d/99luks-auto/luks-auto-key.sh


#!/bin/bash
# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
# ex: ts=8 sw=4 sts=4 et filetype=sh
# bash rather than sh: arrays and [[ ]] are used below
export DRACUT_SYSTEMD=1

. /lib/dracut-lib.sh
MNT_B="/tmp/luks-auto"
# rd.luks.key=KEYFILE[:UUID=<uuid>|LABEL=<label>|/dev/<node>]
# KEY is the file name looked for on each medium; the optional second part
# restricts the search to a single medium.
ARG=$(getargs rd.luks.key)
IFS=':' _t=(${ARG})
KEY=${_t[0]}
F_FIELD=''
F_VALUE=''
if [ -n "$KEY" ] && [ -n "${_t[1]}" ]; then
    IFS='=' _t=(${_t[1]})
    F_FIELD=${_t[0]}
    F_VALUE=${_t[1]}
    # strip surrounding double quotes, if any
    F_VALUE="${F_VALUE%\"}"
    F_VALUE="${F_VALUE#\"}"
fi
mkdir -p "$MNT_B"

finding_luks_keys(){
    local _DEVNAME=''
    local _UUID=''
    local _TYPE=''
    local _LABEL=''
    local _MNT=''
    local _KEY="$1"
    local _F_FIELD="$2"
    local _F_VALUE="$3"
    local _RET=0
    # candidate media: every filesystem except RAID/LVM members, LUKS containers and swap
    blkid -s TYPE -s UUID -s LABEL -u filesystem |
    grep -v -E -e 'TYPE=".*_member"' -e 'TYPE="crypto_.*"' -e 'TYPE="swap"' |
    while IFS= read -r _line; do
        # a line looks like: /dev/sdb1: UUID="3333-BBBB" TYPE="vfat" LABEL="KEYS"
        IFS=':' _t=($_line)
        _DEVNAME=${_t[0]}
        _UUID=''
        _TYPE=''
        _LABEL=''
        _MNT=''
        IFS=' ' _t=(${_t[1]})   # a LABEL containing spaces is not handled
        for _a in "${_t[@]}"; do
            IFS='=' _v=(${_a})
            temp="${_v[1]%\"}"
            temp="${temp#\"}"
            case ${_v[0]} in
                'UUID')
                    _UUID=$temp
                ;;
                'TYPE')
                    _TYPE=$temp
                ;;
                'LABEL')
                    _LABEL=$temp
                ;;
            esac
        done
        # apply the optional rd.luks.key filter
        if [ -n "$_F_FIELD" ]; then
            case $_F_FIELD in
                'UUID')
                    [ -n "$_F_VALUE" ] && [ "$_UUID" != "$_F_VALUE" ] && continue
                ;;
                'LABEL')
                    [ -n "$_F_VALUE" ] && [ "$_LABEL" != "$_F_VALUE" ] && continue
                ;;
                *)
                    [ "$_DEVNAME" != "$_F_FIELD" ] && continue
                ;;
            esac
        fi
        # reuse an existing mount point, otherwise mount read-only under MNT_B
        _MNT=$(findmnt -n -o TARGET "$_DEVNAME")
        if [ -z "$_MNT" ]; then
            _MNT=${MNT_B}/KEY-${_UUID}
            mkdir -p "$_MNT" && mount -o ro "$_DEVNAME" "$_MNT"
            _RET=$?
        else
            _RET=0
        fi
        if [ "${_RET}" -eq 0 ] && [ -f "${_MNT}/${_KEY}" ]; then
            cp "${_MNT}/${_KEY}" "$MNT_B/${_UUID}.key"
            info "Found ${_MNT}/${_KEY} on ${_UUID}"
        fi
        # only unmount what this script mounted itself
        if [[ "${_MNT}" == "${MNT_B}"/* ]]; then
            umount "$_MNT" && rm -rfd --one-file-system "$_MNT"
        fi
    done
    return 0
}
finding_luks_keys "$KEY" "$F_FIELD" "$F_VALUE"

/usr/lib/dracut/modules.d/99luks-auto/luks-auto.target


[Unit]
Description=LUKS AUTO target
After=systemd-readahead-collect.service systemd-readahead-replay.service
After=cryptsetup-pre.target luks-auto-key.service
Before=cryptsetup.target

/usr/lib/dracut/modules.d/99luks-auto/luks-auto.sh


#!/bin/sh
# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
# ex: ts=8 sw=4 sts=4 et filetype=sh
export DRACUT_SYSTEMD=1
. /lib/dracut-lib.sh

MNT_B="/tmp/luks-auto"
CRYPTSETUP='/usr/lib/systemd/systemd-cryptsetup'

# $1 is the LUKS UUID passed by luks-auto@.service: try every collected key
# file once; if none fits, the stock unit falls back to the passphrase prompt.
for i in "$MNT_B"/*; do
    [ -f "$i" ] || continue
    info "Trying $i on $1..."
    if $CRYPTSETUP attach "luks-$1" "/dev/disk/by-uuid/$1" "$i" 'tries=1'; then
        info "Found $i for $1"
        exit 0
    fi
done
warn "No key found for $1.  Fallback to passphrase mode."

/usr/lib/dracut/modules.d/99luks-auto/luks-auto-clean.service

[Unit]
Description=LUKS AUTO key cleaner
After=cryptsetup.target
DefaultDependencies=no

[Service]
Type=oneshot
ExecStart=/usr/bin/rm -rfd --one-file-system /tmp/luks-auto

/etc/dracut.conf.d/luks-auto.conf

add_dracutmodules+=" luks-auto "

Installation


mkdir -p /usr/lib/dracut/modules.d/99luks-auto/
# place almost all of the files here
chmod +x /usr/lib/dracut/modules.d/99luks-auto/*.sh
# create the file /etc/dracut.conf.d/luks-auto.conf
# and generate a new initramfs
dracut -f

Conclusion

For convenience, I kept compatibility with the kernel command-line options of the sysvinit mode, which makes it easier to use on older setups.

Source: www.hab.com
