Crita kasebut wiwit biyen, nalika Centos 7 (RHEL 7) dirilis. Yen sampeyan nggunakake enkripsi ing drive nganggo Centos 6, mula ora ana masalah karo mbukak kunci drive kanthi otomatis nalika nyambungake USB flash drive nganggo tombol sing dibutuhake. Nanging, nalika 7 dirilis, dumadakan kabeh ora bisa kaya biasane. Banjur iku bisa kanggo nemokake solusi ing bali dracut kanggo sysvinit nggunakake baris prasaja ing config: echo 'omit_dracutmodules+=" systemd "'> /etc/dracut.conf.d/luks-workaround.conf
Kang langsung sangsoro kita kabeh kaendahan systemd - Bukak cepet lan podo karo layanan sistem, kang Ngartekno suda wektu wiwitan sistem.
Perkara isih ana:
Tanpa ngenteni solusi, aku nggawe dhewe, lan saiki aku nuduhake karo masarakat, sing kasengsem, maca.
Pambuka
Systemd, nalika pisanan miwiti nggarap Centos 7, ora nyebabake emosi, amarga ora ana owah-owahan cilik ing sintaks manajemen layanan, mula aku ora ngrasakake bedane. Sabanjure, aku seneng systemd, nanging kesan pisanan rada rusak, amarga pangembang dracut ora nglampahi wektu akeh kanggo ndhukung proses boot nggunakake systemd bebarengan karo enkripsi disk. UmumΓ©, kerjane, nanging ngetik sandhi disk saben-saben server diwiwiti ora dadi sing paling menarik.
Sawise nyoba akeh rekomendasi lan sinau manual, aku ngerti manawa ing konfigurasi mode systemd karo USB bisa, nanging mung kanthi asosiasi manual saben disk kanthi kunci ing disk USB, lan disk USB dhewe mung bisa digandhengake karo piranti kasebut. UUID, LABEL ora bisa. Ora trep banget kanggo njaga iki ing omah, mula pungkasane aku ngenteni lan, sawise ngenteni meh 7 taun, aku ngerti yen ora ana sing bakal ngrampungake masalah kasebut.
Masalah
Mesthine, meh kabeh wong bisa nulis plugin dhewe kanggo dracut, nanging nggawe ora gampang maneh. Ternyata amarga sifat podo karo wiwitan systemd, ora gampang banget kanggo nyakup kode sampeyan lan ngganti kemajuan loading. Dokumentasi kanggo dracut ora nerangake kabeh. Nanging, sawise eksperimen sing dawa, aku bisa ngatasi masalah kasebut.
Cara kerjane
Iki adhedhasar telung unit:
- luks-auto-key.service - nggoleki drive karo tombol kanggo LUKS
- luks-auto.target - tumindak minangka katergantungan kanggo dibangun ing Unit systemd-cryptsetup
- luks-auto-clean.service - ngresiki file sementara sing digawe dening luks-auto-key.service
Lan luks-auto-generator.sh minangka skrip sing diluncurake dening systemd lan ngasilake unit adhedhasar paramèter kernel. Generator sing padha digawe dening unit fstab, lsp.
luks-auto-generator.sh
Nggunakake drop-in.conf, prilaku systemd-cryptsetup standar diganti kanthi nambahake luks-auto.target menyang dependensi.
luks-auto-key.service lan luks-auto-key.sh
Unit iki nganggo script luks-auto-key.sh, sing adhedhasar tombol rd.luks.*, nemokake media karo tombol lan nyalin menyang direktori sauntara kanggo nggunakake luwih. Sawise proses rampung, tombol dibusak saka direktori sauntara dening luks-auto-clean.service.
Sumber:
/usr/lib/dracut/modules.d/99luks-auto/module-setup.sh
#!/bin/bash
check () {
if ! dracut_module_included "systemd"; then
"luks-auto needs systemd in the initramfs"
return 1
fi
return 255
}
depends () {
echo "systemd"
return 0
}
install () {
inst "$systemdutildir/systemd-cryptsetup"
inst_script "$moddir/luks-auto-generator.sh" "$systemdutildir/system-generators/luks-auto-generator.sh"
inst_script "$moddir/luks-auto-key.sh" "/etc/systemd/system/luks-auto-key.sh"
inst_script "$moddir/luks-auto.sh" "/etc/systemd/system/luks-auto.sh"
inst "$moddir/luks-auto.target" "${systemdsystemunitdir}/luks-auto.target"
inst "$moddir/luks-auto-key.service" "${systemdsystemunitdir}/luks-auto-key.service"
inst "$moddir/luks-auto-clean.service" "${systemdsystemunitdir}/luks-auto-clean.service"
ln_r "${systemdsystemunitdir}/luks-auto.target" "${systemdsystemunitdir}/initrd.target.wants/luks-auto.target"
ln_r "${systemdsystemunitdir}/luks-auto-key.service" "${systemdsystemunitdir}/initrd.target.wants/luks-auto-key.service"
ln_r "${systemdsystemunitdir}/luks-auto-clean.service" "${systemdsystemunitdir}/initrd.target.wants/luks-auto-clean.service"
}
/usr/lib/dracut/modules.d/99luks-auto/luks-auto-generator.sh
#!/bin/sh
# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
# ex: ts=8 sw=4 sts=4 et filetype=sh
. /lib/dracut-lib.sh
SYSTEMD_RUN='/run/systemd/system'
CRYPTSETUP='/usr/lib/systemd/systemd-cryptsetup'
TOUT=$(getargs rd.luks.key.tout)
if [ ! -z "$TOUT" ]; then
mkdir -p "${SYSTEMD_RUN}/luks-auto-key.service.d"
cat > "${SYSTEMD_RUN}/luks-auto-key.service.d/drop-in.conf" <<EOF
[Service]
Type=oneshot
ExecStartPre=/usr/bin/sleep $TOUT
EOF
fi
mkdir -p "$SYSTEMD_RUN/luks-auto.target.wants"
for argv in $(getargs rd.luks.uuid -d rd_LUKS_UUID); do
_UUID=${argv#luks-}
_UUID_ESC=$(systemd-escape -p $_UUID)
mkdir -p "${SYSTEMD_RUN}/systemd-cryptsetup@luksx2d${_UUID_ESC}.service.d"
cat > "${SYSTEMD_RUN}/systemd-cryptsetup@luksx2d${_UUID_ESC}.service.d/drop-in.conf" <<EOF
[Unit]
After=luks-auto.target
ConditionPathExists=!/dev/mapper/luks-${_UUID}
EOF
cat > "${SYSTEMD_RUN}/luks-auto@${_UUID_ESC}.service" <<EOF
[Unit]
Description=luks-auto Cryptography Setup for %I
DefaultDependencies=no
Conflicts=umount.target
IgnoreOnIsolate=true
Before=luks-auto.target
BindsTo=dev-disk-byx2duuid-${_UUID_ESC}.device
After=dev-disk-byx2duuid-${_UUID_ESC}.device luks-auto-key.service
Before=umount.target
[Service]
Type=oneshot
RemainAfterExit=yes
TimeoutSec=0
ExecStart=/etc/systemd/system/luks-auto.sh ${_UUID}
ExecStop=$CRYPTSETUP detach 'luks-${_UUID}'
Environment=DRACUT_SYSTEMD=1
StandardInput=null
StandardOutput=syslog
StandardError=syslog+console
EOF
ln -fs ${SYSTEMD_RUN}/luks-auto@${_UUID_ESC}.service $SYSTEMD_RUN/luks-auto.target.wants/luks-auto@${_UUID_ESC}.service
done
/usr/lib/dracut/modules.d/99luks-auto/luks-auto-key.service
[Unit]
Description=LUKS AUTO key searcher
After=cryptsetup-pre.target
Before=luks-auto.target
DefaultDependencies=no
[Service]
Environment=DRACUT_SYSTEMD=1
Type=oneshot
ExecStartPre=/usr/bin/sleep 1
ExecStart=/etc/systemd/system/luks-auto-key.sh
RemainAfterExit=true
StandardInput=null
StandardOutput=syslog
StandardError=syslog+console
/usr/lib/dracut/modules.d/99luks-auto/luks-auto-key.sh
#!/bin/sh
# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
# ex: ts=8 sw=4 sts=4 et filetype=sh
export DRACUT_SYSTEMD=1
. /lib/dracut-lib.sh
MNT_B="/tmp/luks-auto"
ARG=$(getargs rd.luks.key)
IFS=$':' _t=(${ARG})
KEY=${_t[0]}
F_FIELD=''
F_VALUE=''
if [ ! -z $KEY ] && [ ! -z ${_t[1]} ];then
IFS=$'=' _t=(${_t[1]})
F_FIELD=${_t[0]}
F_VALUE=${_t[1]}
F_VALUE="${F_VALUE%"}"
F_VALUE="${F_VALUE#"}"
fi
mkdir -p $MNT_B
finding_luks_keys(){
local _DEVNAME=''
local _UUID=''
local _TYPE=''
local _LABEL=''
local _MNT=''
local _KEY="$1"
local _F_FIELD="$2"
local _F_VALUE="$3"
local _RET=0
blkid -s TYPE -s UUID -s LABEL -u filesystem | grep -v -E -e "TYPE=".*_member"" -e "TYPE="crypto_.*"" -e "TYPE="swap"" | while IFS=$'' read -r _line; do
IFS=$':' _t=($_line);
_DEVNAME=${_t[0]}
_UUID=''
_TYPE=''
_LABEL=''
_MNT=''
IFS=$' ' _t=(${_t[1]});
for _a in "${_t[@]}"; do
IFS=$'=' _v=(${_a});
temp="${_v[1]%"}"
temp="${temp#"}"
case ${_v[0]} in
'UUID')
_UUID=$temp
;;
'TYPE')
_TYPE=$temp
;;
'LABEL')
_LABEL=$temp
;;
esac
done
if [ ! -z "$_F_FIELD" ];then
case $_F_FIELD in
'UUID')
[ ! -z "$_F_VALUE" ] && [ "$_UUID" != "$_F_VALUE" ] && continue
;;
'LABEL')
[ ! -z "$_F_VALUE" ] && [ "$_LABEL" != "$_F_VALUE" ] && continue
;;
*)
[ "$_DEVNAME" != "$_F_FIELD" ] && continue
;;
esac
fi
_MNT=$(findmnt -n -o TARGET $_DEVNAME)
if [ -z "$_MNT" ]; then
_MNT=${MNT_B}/KEY-${_UUID}
mkdir -p "$_MNT" && mount -o ro "$_DEVNAME" "$_MNT"
_RET=$?
else
_RET=0
fi
if [ "${_RET}" -eq 0 ] && [ -f "${_MNT}/${_KEY}" ]; then
cp "${_MNT}/${_KEY}" "$MNT_B/${_UUID}.key"
info "Found ${_MNT}/${_KEY} on ${_UUID}"
fi
if [[ "${_MNT}" =~ "${MNT_B}" ]]; then
umount "$_MNT" && rm -rfd --one-file-system "$_MNT"
fi
done
return 0
}
finding_luks_keys $KEY $F_FIELD $F_VALUE
/usr/lib/dracut/modules.d/99luks-auto/luks-auto.target
[Unit]
Description=LUKS AUTO target
After=systemd-readahead-collect.service systemd-readahead-replay.service
After=cryptsetup-pre.target luks-auto-key.service
Before=cryptsetup.target
/usr/lib/dracut/modules.d/99luks-auto/luks-auto.sh
#!/bin/sh
# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
# ex: ts=8 sw=4 sts=4 et filetype=sh
export DRACUT_SYSTEMD=1
. /lib/dracut-lib.sh
MNT_B="/tmp/luks-auto"
CRYPTSETUP='/usr/lib/systemd/systemd-cryptsetup'
for i in $(ls -p $MNT_B | grep -v /);do
info "Trying $i on $1..."
$CRYPTSETUP attach "luks-$1" "/dev/disk/by-uuid/$1" $MNT_B/$i 'tries=1'
if [ "$?" -eq "0" ]; then
info "Found $i for $1"
exit 0
fi
done
warn "No key found for $1. Fallback to passphrase mode."
/usr/lib/dracut/modules.d/99luks-auto/luks-auto-clean.service
[Unit]
Description=LUKS AUTO key cleaner
After=cryptsetup.target
DefaultDependencies=no
[Service]
Type=oneshot
ExecStart=/usr/bin/rm -rfd --one-file-system /tmp/luks-auto
/etc/dracut.conf.d/luks-auto.conf
add_dracutmodules+=" luks-auto "Instalasi
mkdir -p /usr/lib/dracut/modules.d/99luks-auto/
# ΡΠ°Π·ΠΌΠ΅ΡΠ°Π΅ΠΌ ΡΡΡ ΠΏΠΎΡΡΠΈ Π²ΡΠ΅ ΡΠ°ΠΉΠ»Ρ
chmod +x /usr/lib/dracut/modules.d/99luks-auto/*.sh
# ΡΠΎΠ·Π΄Π°Π΅ΠΌ ΡΠ°ΠΉΠ» /etc/dracut.conf.d/luks-auto.conf
# Π Π³Π΅Π½Π΅ΡΠΈΡΡΠ΅ΠΌ Π½ΠΎΠ²ΡΠΉ initramfs
dracut -f
kesimpulan
Kanggo penak, aku wis maintained kompatibilitas karo opsi baris printah kernel minangka kanggo mode sysvinit, kang nggampangake kanggo nggunakake ing panginstalan lawas.
Source: www.habr.com