ααΏααααααΆαα
αΆααααααΎαααΆααααΈααΌαααΆαααΆααααα αΎα αααααααααα·ααα
αααααα Centos 7 (RHEL 7) ααααΌαααΆαα
ααααααΆαα ααααα·αααΎα’αααααΆαααααΎααΆαα’αα·αααααΈααα
ααΎααααΆαααΆαα½α Centos 6 ααααα·αααΆααααα αΆααΆαα½αααΉαααΆαααααααααααααααααααααα·ααααααΆααα
ααααααα’αααααααΆαα USB flash drive ααΆαα½αααΉαααα
αΆαααΆα
ααααααα αααααΆαααΆαααΆααααααα
αααααα 7 ααααΌαααΆαα
ααααααΆαααααΆααα’αααΈαααΆααα’αααα·αααααΎαααΆαααΌα
αααα’αααααααΆααααααΎαααααα αααααΆαααα ααα’αΆα
ααααααααααααααααΆααααα»αααΆααααα‘αα dracut αα
sysvinit αααααααΎαααααΆααααΆαααααααα»α configα echo 'omit_dracutmodules+=" systemd "' > /etc/dracut.conf.d/luks-workaround.conf
αααααααΎα±ααααΎαααΆαααααααΌαααΆααααααααα’αΆαααΆααα’αααα systemd ααααΆαα - ααΆαααΎαααααΎαααΆαααααΆααααααααααααααΏα αα·αααααααααΆ αααααΆααααααααααααααΆα
αΆααααααΎααααααααααααΆαααααΆααα
α’αααΈααα
ααααΆαα
αααβαα·αβαααα
αΆαβαααααααααΆα αααα»αβααΆαβαααααΎαβααΆβαααααΆααβαααα½αβαααα»α α αΎαβα₯α‘αΌαβαααβαααα»αβαααα»αβα
αααααααβααΆβαααβααΆααΆααααβαααβααΆαβα
αααΆααβα’αΆααααααβα’αΆαβααααα
ααα ααααΈααααΆα
Systemd αα
αααααααααα»αα
αΆααααααΎαααααΎααΆαααΆαα½α Centos 7 ααΆααΎαααααΌα αα·αααΆαααααα±ααααΆαα’αΆααααααααΆαα½αα‘αΎα α
αΆααααΆααααΈαααα
ααΈααΆαααααΆααααααΌαααααα·α
ααααα½α
αα
αααα»αααΆααααααααααααααααααααααααΆαααα αααα»ααα·αααΆαα’αΆαααααααα»αααααΆα
αααΎααααα
αααααααΌαα ααααααα αααα»αα
αΌαα
α·ααα systemd ααα»ααααα
αααΆααα’αΆααααααααααΌαααΊααΌα
ααααα·α
αααααΆαα’αααα’αα·αααααα dracut αα·αα
αααΆααααα
αααΎαααΎααΆαααΆααααααααΎαααΆαα
αΆααααααΎααααααααΎ systemd αααααααΆααααΆαα½αααΆαα’αα·αααααΈαααΆαα ααΆααΌαα
ααΆααααΎαααΆα ααα»ααααααΆααααα
αΌαααΆααααααααΆααααΆαααΆαααααααααααΆαααΈαααα
αΆααααααΎααα·ααααααΆααΏααα½αα±ααα
αΆααα’αΆαααααααααα»ααααααα
αααααΆαααΆαααααααΆαααααΆαααΆα
αααΎα αα·ααα·ααααΆααααα
αα αααα»αααΆαααΉαααΆαα
αααα»αααΆαααααααα
ααΆααααααααααααααααααααααΆαα½α USB ααΊα’αΆα
ααααΎαα
ααΆα ααα»ααααααΆαααααΆαααααΆαααααααααααΆαααΈαα½αααααααΆαααΌααααα
ααΎααΈα USB α αΎαααΆα USB αααα½αα―αα’αΆα
ααααΌαααΆαααααΆαααααααΆααααα»αααααα UUID, LABEL αα·αααααΎαααΆαααα ααΆαα·αααΆααααα½ααααααα»αααΆααααααααΆααΆαα
αααα»ααααααααααααα»α ααΌα
αααααα
ααΈαααα»ααααα»αααΆαααααΆααα
αΌααα
αααα»αααΆααααα
αΆα α αΎααααααΆααααΈαααα
αΆαα’αααααααααα·α 7 ααααΆα αααα»αααΆαααΉαααΆααααΆαααααΆααααΆααααΉααααααααΆααααα αΆαααααα
αααα αΆ
ααΆααΆααα·αααΆαα ααααΎααααααααααααΆα’αΆα ααααααααααα·ααΈαααα½αααααΆαααααα½ααααααα½ααααααααΆαα dracut ααα»ααααααΆαααααΎα±ααααΆααααΎαααΆαααΊαα·αααΆααααα½ααααααα ααΆααααααΆαααααΆαααααααααααααααααΆααααΆαα αΆααααααΎααααααααα ααΆαα·αααΆααααα½ααααααα»αααΆααααα αΌααααααΌαααααα’ααα αα·αααααΆααααααΌαααααΎαααΆααααα»αα α―αααΆααααααΆαα dracut αα·αααΆαααααααα’αααΈααΆααα’ααα αααΆαβααΆβααβααα αααααΆααβααΈβααΆαβαα·αααααβαααΆαβααΌα αααα»αβα’αΆα βαααβααααΆαβαααα αΆβααΆαα
ααΎβααΆβααααΎαααΆαβαααΆαβααΌα ααααα
ααΆααααΌαααΆαααα’ααααΎααΈα―αααΆα
- luks-auto-key.service - αααααααααααΆααααααΆααααααααΆαα LUKS
- luks-auto.target - ααΎααα½ααΆααΈααΆααΆαααΉαααα’αααααααΆααα―αααΆααα‘αΎα systemd-cryptsetup αααααααΆααααααΆαα½α
- luks-auto-clean.service - αααα’αΆαα―αααΆαααααααα’αΆααααααααααααΎαα‘αΎαααα luks-auto-key.service
α αΎα luks-auto-generator.sh ααΊααΆααααααΈααααααααΎαααΆαααα systemd αα·ααααααΎαα―αααΆαααααα’ααααΎαααΆαααΆααααααααΊαααα αααΆαααΈαααααΎαααααααααααΆααααΌαααΆααααααΎαα‘αΎααααα―αααΆ fstab ααα
luks-auto-generator.sh
αααααααΎ drop-in.conf α₯αα·ααΆαααααααααααΆα systemd-cryptsetup ααααΌαααΆαααααΆααααααΌαααααααααα luks-auto.target αα ααΆαα’αΆααααααααααα½αααα
luks-auto-key.service αα·α luks-auto-key.sh
α―αααΆαααααααΎαααΆαααααααΈα luks-auto-key.sh αααααα’ααααΎααααΆααα α»α rd.luks.* ααααααααααααααααααΎαα α αΎαα αααααα½αααΆαα ααααααααα’αΆαααααααααΆααααααΎααααΆααααααααα αααααΆααααΈααααΎαααΆαααααΌαααΆααααα αα ααααααΌαααΆααα»αα ααααΈααααααααα’αΆααααααα luks-auto-clean.service α
αααααα
/usr/lib/dracut/modules.d/99luks-auto/module-setup.sh
#!/bin/bash
check () {
if ! dracut_module_included "systemd"; then
"luks-auto needs systemd in the initramfs"
return 1
fi
return 255
}
depends () {
echo "systemd"
return 0
}
install () {
inst "$systemdutildir/systemd-cryptsetup"
inst_script "$moddir/luks-auto-generator.sh" "$systemdutildir/system-generators/luks-auto-generator.sh"
inst_script "$moddir/luks-auto-key.sh" "/etc/systemd/system/luks-auto-key.sh"
inst_script "$moddir/luks-auto.sh" "/etc/systemd/system/luks-auto.sh"
inst "$moddir/luks-auto.target" "${systemdsystemunitdir}/luks-auto.target"
inst "$moddir/luks-auto-key.service" "${systemdsystemunitdir}/luks-auto-key.service"
inst "$moddir/luks-auto-clean.service" "${systemdsystemunitdir}/luks-auto-clean.service"
ln_r "${systemdsystemunitdir}/luks-auto.target" "${systemdsystemunitdir}/initrd.target.wants/luks-auto.target"
ln_r "${systemdsystemunitdir}/luks-auto-key.service" "${systemdsystemunitdir}/initrd.target.wants/luks-auto-key.service"
ln_r "${systemdsystemunitdir}/luks-auto-clean.service" "${systemdsystemunitdir}/initrd.target.wants/luks-auto-clean.service"
}
/usr/lib/dracut/modules.d/99luks-auto/luks-auto-generator.sh
#!/bin/sh
# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
# ex: ts=8 sw=4 sts=4 et filetype=sh
. /lib/dracut-lib.sh
SYSTEMD_RUN='/run/systemd/system'
CRYPTSETUP='/usr/lib/systemd/systemd-cryptsetup'
TOUT=$(getargs rd.luks.key.tout)
if [ ! -z "$TOUT" ]; then
mkdir -p "${SYSTEMD_RUN}/luks-auto-key.service.d"
cat > "${SYSTEMD_RUN}/luks-auto-key.service.d/drop-in.conf" <<EOF
[Service]
Type=oneshot
ExecStartPre=/usr/bin/sleep $TOUT
EOF
fi
mkdir -p "$SYSTEMD_RUN/luks-auto.target.wants"
for argv in $(getargs rd.luks.uuid -d rd_LUKS_UUID); do
_UUID=${argv#luks-}
_UUID_ESC=$(systemd-escape -p $_UUID)
mkdir -p "${SYSTEMD_RUN}/systemd-cryptsetup@luksx2d${_UUID_ESC}.service.d"
cat > "${SYSTEMD_RUN}/systemd-cryptsetup@luksx2d${_UUID_ESC}.service.d/drop-in.conf" <<EOF
[Unit]
After=luks-auto.target
ConditionPathExists=!/dev/mapper/luks-${_UUID}
EOF
cat > "${SYSTEMD_RUN}/luks-auto@${_UUID_ESC}.service" <<EOF
[Unit]
Description=luks-auto Cryptography Setup for %I
DefaultDependencies=no
Conflicts=umount.target
IgnoreOnIsolate=true
Before=luks-auto.target
BindsTo=dev-disk-byx2duuid-${_UUID_ESC}.device
After=dev-disk-byx2duuid-${_UUID_ESC}.device luks-auto-key.service
Before=umount.target
[Service]
Type=oneshot
RemainAfterExit=yes
TimeoutSec=0
ExecStart=/etc/systemd/system/luks-auto.sh ${_UUID}
ExecStop=$CRYPTSETUP detach 'luks-${_UUID}'
Environment=DRACUT_SYSTEMD=1
StandardInput=null
StandardOutput=syslog
StandardError=syslog+console
EOF
ln -fs ${SYSTEMD_RUN}/luks-auto@${_UUID_ESC}.service $SYSTEMD_RUN/luks-auto.target.wants/luks-auto@${_UUID_ESC}.service
done
/usr/lib/dracut/modules.d/99luks-auto/luks-auto-key.service
[Unit]
Description=LUKS AUTO key searcher
After=cryptsetup-pre.target
Before=luks-auto.target
DefaultDependencies=no
[Service]
Environment=DRACUT_SYSTEMD=1
Type=oneshot
ExecStartPre=/usr/bin/sleep 1
ExecStart=/etc/systemd/system/luks-auto-key.sh
RemainAfterExit=true
StandardInput=null
StandardOutput=syslog
StandardError=syslog+console
/usr/lib/dracut/modules.d/99luks-auto/luks-auto-key.sh
#!/bin/sh
# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
# ex: ts=8 sw=4 sts=4 et filetype=sh
export DRACUT_SYSTEMD=1
. /lib/dracut-lib.sh
MNT_B="/tmp/luks-auto"
ARG=$(getargs rd.luks.key)
IFS=$':' _t=(${ARG})
KEY=${_t[0]}
F_FIELD=''
F_VALUE=''
if [ ! -z $KEY ] && [ ! -z ${_t[1]} ];then
IFS=$'=' _t=(${_t[1]})
F_FIELD=${_t[0]}
F_VALUE=${_t[1]}
F_VALUE="${F_VALUE%"}"
F_VALUE="${F_VALUE#"}"
fi
mkdir -p $MNT_B
finding_luks_keys(){
local _DEVNAME=''
local _UUID=''
local _TYPE=''
local _LABEL=''
local _MNT=''
local _KEY="$1"
local _F_FIELD="$2"
local _F_VALUE="$3"
local _RET=0
blkid -s TYPE -s UUID -s LABEL -u filesystem | grep -v -E -e "TYPE=".*_member"" -e "TYPE="crypto_.*"" -e "TYPE="swap"" | while IFS=$'' read -r _line; do
IFS=$':' _t=($_line);
_DEVNAME=${_t[0]}
_UUID=''
_TYPE=''
_LABEL=''
_MNT=''
IFS=$' ' _t=(${_t[1]});
for _a in "${_t[@]}"; do
IFS=$'=' _v=(${_a});
temp="${_v[1]%"}"
temp="${temp#"}"
case ${_v[0]} in
'UUID')
_UUID=$temp
;;
'TYPE')
_TYPE=$temp
;;
'LABEL')
_LABEL=$temp
;;
esac
done
if [ ! -z "$_F_FIELD" ];then
case $_F_FIELD in
'UUID')
[ ! -z "$_F_VALUE" ] && [ "$_UUID" != "$_F_VALUE" ] && continue
;;
'LABEL')
[ ! -z "$_F_VALUE" ] && [ "$_LABEL" != "$_F_VALUE" ] && continue
;;
*)
[ "$_DEVNAME" != "$_F_FIELD" ] && continue
;;
esac
fi
_MNT=$(findmnt -n -o TARGET $_DEVNAME)
if [ -z "$_MNT" ]; then
_MNT=${MNT_B}/KEY-${_UUID}
mkdir -p "$_MNT" && mount -o ro "$_DEVNAME" "$_MNT"
_RET=$?
else
_RET=0
fi
if [ "${_RET}" -eq 0 ] && [ -f "${_MNT}/${_KEY}" ]; then
cp "${_MNT}/${_KEY}" "$MNT_B/${_UUID}.key"
info "Found ${_MNT}/${_KEY} on ${_UUID}"
fi
if [[ "${_MNT}" =~ "${MNT_B}" ]]; then
umount "$_MNT" && rm -rfd --one-file-system "$_MNT"
fi
done
return 0
}
finding_luks_keys $KEY $F_FIELD $F_VALUE
/usr/lib/dracut/modules.d/99luks-auto/luks-auto.target
[Unit]
Description=LUKS AUTO target
After=systemd-readahead-collect.service systemd-readahead-replay.service
After=cryptsetup-pre.target luks-auto-key.service
Before=cryptsetup.target
/usr/lib/dracut/modules.d/99luks-auto/luks-auto.sh
#!/bin/sh
# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
# ex: ts=8 sw=4 sts=4 et filetype=sh
export DRACUT_SYSTEMD=1
. /lib/dracut-lib.sh
MNT_B="/tmp/luks-auto"
CRYPTSETUP='/usr/lib/systemd/systemd-cryptsetup'
for i in $(ls -p $MNT_B | grep -v /);do
info "Trying $i on $1..."
$CRYPTSETUP attach "luks-$1" "/dev/disk/by-uuid/$1" $MNT_B/$i 'tries=1'
if [ "$?" -eq "0" ]; then
info "Found $i for $1"
exit 0
fi
done
warn "No key found for $1. Fallback to passphrase mode."
/usr/lib/dracut/modules.d/99luks-auto/luks-auto-clean.service
[Unit]
Description=LUKS AUTO key cleaner
After=cryptsetup.target
DefaultDependencies=no
[Service]
Type=oneshot
ExecStart=/usr/bin/rm -rfd --one-file-system /tmp/luks-auto
/etc/dracut.conf.d/luks-auto.conf
add_dracutmodules+=" luks-auto "ααΆαααααα
mkdir -p /usr/lib/dracut/modules.d/99luks-auto/
# ΡΠ°Π·ΠΌΠ΅ΡΠ°Π΅ΠΌ ΡΡΡ ΠΏΠΎΡΡΠΈ Π²ΡΠ΅ ΡΠ°ΠΉΠ»Ρ
chmod +x /usr/lib/dracut/modules.d/99luks-auto/*.sh
# ΡΠΎΠ·Π΄Π°Π΅ΠΌ ΡΠ°ΠΉΠ» /etc/dracut.conf.d/luks-auto.conf
# Π Π³Π΅Π½Π΅ΡΠΈΡΡΠ΅ΠΌ Π½ΠΎΠ²ΡΠΉ initramfs
dracut -f
ααα ααααΈααααα·ααααΆα
ααΎααααΈααΆαααΆααααα½α αααα»αααΆααααααΆααΆαααααααΆααΆαα½ααααααΎααααααΆααααΆααααααααΆ ααΊααα αααααΆαααααα sysvinit αααααααΎα±ααααΆααΆααααααΆααααα½αααααΎαααα»αααΆαααα‘αΎαα
αΆαααα
ααααα: www.habr.com