This story began a long time ago, when CentOS 7 (RHEL 7) was released. If you used encryption on drives under CentOS 6, there were no problems with unlocking the drives automatically once a USB flash drive with the required keys was plugged in. With the release of 7, however, everything suddenly stopped working the way you were used to. Back then it was possible to work around this by switching dracut back to sysvinit with one simple line in the config:
echo 'omit_dracutmodules+=" systemd "' > /etc/dracut.conf.d/luks-workaround.conf
That immediately took away everything that makes systemd attractive: the fast, parallel startup of system services, which shortens boot time.
Things are still where they were:
Without waiting for a fix, I made one myself, and I am now sharing it with the public. If you are interested, read on.
Introduction
When I started working with CentOS 7, systemd did not stir any particular emotion in me: apart from a small change in how services are managed, I did not feel much difference at first. Later I came to like systemd, but the first impression was slightly spoiled, because the dracut developers did not spend much time on supporting a systemd-based boot process together with disk encryption. In general it worked, but entering the disk password every time the server starts is not the most enjoyable thing to do.
After trying a number of suggestions and reading the manual, I found that in systemd mode a USB setup is possible, but only by tying each disk explicitly to a key on the USB disk, and the USB disk itself can only be referenced by its UUID; LABEL did not work. Maintaining that at home was not very convenient, so in the end I settled for waiting and, after waiting for almost 7 years, realised that nobody was going to solve the problem.
Problems
Of course, almost anyone can write their own plugin for dracut, but getting it to work is not that simple. It turned out that, because systemd starts things in parallel, it is not easy to hook in your own code and change the boot sequence. The dracut documentation did not explain everything. Still, after a long period of experimenting, I managed to solve the problem.
How it works
It is built on three units:
- luks-auto-key.service - searches the drives for LUKS keys
- luks-auto.target - acts as a dependency for the systemd-cryptsetup units
- luks-auto-clean.service - cleans up the temporary files created by luks-auto-key.service
In addition, luks-auto-generator.sh is a script that systemd runs and that generates units from the kernel parameters. Similar generators create the fstab units, and so on.
luks-auto-generator.sh
Using drop-in.conf, the behaviour of the standard systemd-cryptsetup units is changed by adding luks-auto.target to their dependencies.
luks-auto-key.service and luks-auto-key.sh
This unit runs the luks-auto-key.sh script, which, based on the rd.luks.* parameters, finds the media holding the keys and copies the keys to a temporary directory for later use. Once the process has finished, luks-auto-clean.service removes the keys from the temporary directory.
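The parameter handling described above, as an added example that is not part of the original article: it derives the name of the systemd-cryptsetup unit that receives the drop-in for each rd.luks.uuid value, and splits rd.luks.key into the key file and the device filter. The function names, the UUID check and the sample kernel command line are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the article): parameter handling re-done in POSIX sh.
# Constructed sample kernel command line; the UUID and label are made up.
CMDLINE='ro rd.luks.uuid=luks-11111111-2222-3333-4444-555555555555 rd.luks.key=/keys/srv.key:LABEL="KEYS" rd.luks.key.tout=5'

# Print every value of parameter $1 found in command line $2, one per line.
cmdline_get() {
    for _w in $2; do
        case $_w in "$1="*) _v=${_w#"$1="}; printf '%s\n' "$_v" ;; esac
    done
}

# Accept only hex digits and dashes before a UUID is written into unit files.
valid_uuid() {
    case $1 in ''|*[!0-9A-Fa-f-]*) return 1 ;; esac
}

# Escape "-" as "\x2d", as systemd does inside unit names. Enough for UUIDs;
# this is not a full replacement for systemd-escape.
escape_uuid() {
    printf '%s\n' "$1" | sed 's/-/\\x2d/g'
}

# Name of the stock unit that receives the generator's drop-in.
cryptsetup_unit() {
    _u=${1#luks-}
    printf 'systemd-cryptsetup@luks\\x2d%s.service\n' "$(escape_uuid "$_u")"
}

# Split "keyfile[:FIELD=value|:/dev/node]" into "keyfile|field|value".
parse_key_arg() {
    _key=${1%%:*}; _rest=''; _field=''; _value=''
    case $1 in *:*) _rest=${1#*:} ;; esac
    case $_rest in
        *=*) _field=${_rest%%=*}; _value=${_rest#*=}
             _value=${_value#\"}; _value=${_value%\"} ;;
        *)   _field=$_rest ;;
    esac
    printf '%s|%s|%s\n' "$_key" "$_field" "$_value"
}

for _arg in $(cmdline_get rd.luks.uuid "$CMDLINE"); do
    _id=${_arg#luks-}
    if valid_uuid "$_id"; then cryptsetup_unit "$_id"; fi
done
parse_key_arg "$(cmdline_get rd.luks.key "$CMDLINE")"
```
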
Sources:
/usr/lib/dracut/modules.d/99luks-auto/module-setup.sh
#!/bin/bash

# The module is only usable when systemd is part of the initramfs.
check () {
    if ! dracut_module_included "systemd"; then
        derror "luks-auto needs systemd in the initramfs"
        return 1
    fi
    # 255: not included by default, only when requested explicitly.
    return 255
}

depends () {
    echo "systemd"
    return 0
}

install () {
    inst "$systemdutildir/systemd-cryptsetup"
    inst_script "$moddir/luks-auto-generator.sh" "$systemdutildir/system-generators/luks-auto-generator.sh"
    inst_script "$moddir/luks-auto-key.sh" "/etc/systemd/system/luks-auto-key.sh"
    inst_script "$moddir/luks-auto.sh" "/etc/systemd/system/luks-auto.sh"
    inst "$moddir/luks-auto.target" "${systemdsystemunitdir}/luks-auto.target"
    inst "$moddir/luks-auto-key.service" "${systemdsystemunitdir}/luks-auto-key.service"
    inst "$moddir/luks-auto-clean.service" "${systemdsystemunitdir}/luks-auto-clean.service"
    # Pull the units into initrd.target.
    ln_r "${systemdsystemunitdir}/luks-auto.target" "${systemdsystemunitdir}/initrd.target.wants/luks-auto.target"
    ln_r "${systemdsystemunitdir}/luks-auto-key.service" "${systemdsystemunitdir}/initrd.target.wants/luks-auto-key.service"
    ln_r "${systemdsystemunitdir}/luks-auto-clean.service" "${systemdsystemunitdir}/initrd.target.wants/luks-auto-clean.service"
}
/usr/lib/dracut/modules.d/99luks-auto/luks-auto-generator.sh
#!/bin/sh
# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
# ex: ts=8 sw=4 sts=4 et filetype=sh

. /lib/dracut-lib.sh

SYSTEMD_RUN='/run/systemd/system'
CRYPTSETUP='/usr/lib/systemd/systemd-cryptsetup'

# Optional delay (rd.luks.key.tout=<seconds>) before the key search starts.
TOUT=$(getargs rd.luks.key.tout)
if [ -n "$TOUT" ]; then
    mkdir -p "${SYSTEMD_RUN}/luks-auto-key.service.d"
    cat > "${SYSTEMD_RUN}/luks-auto-key.service.d/drop-in.conf" <<EOF
[Service]
Type=oneshot
ExecStartPre=/usr/bin/sleep $TOUT
EOF
fi

mkdir -p "$SYSTEMD_RUN/luks-auto.target.wants"
for argv in $(getargs rd.luks.uuid -d rd_LUKS_UUID); do
    _UUID=${argv#luks-}
    _UUID_ESC=$(systemd-escape -p "$_UUID")
    # Drop-in for the stock unit: run after luks-auto.target and skip the
    # passphrase prompt if the device has already been unlocked.
    mkdir -p "${SYSTEMD_RUN}/systemd-cryptsetup@luks\x2d${_UUID_ESC}.service.d"
    cat > "${SYSTEMD_RUN}/systemd-cryptsetup@luks\x2d${_UUID_ESC}.service.d/drop-in.conf" <<EOF
[Unit]
After=luks-auto.target
ConditionPathExists=!/dev/mapper/luks-${_UUID}
EOF
    # Per-device unit that tries the key files found by luks-auto-key.service.
    cat > "${SYSTEMD_RUN}/luks-auto@${_UUID_ESC}.service" <<EOF
[Unit]
Description=luks-auto Cryptography Setup for %I
DefaultDependencies=no
Conflicts=umount.target
IgnoreOnIsolate=true
Before=luks-auto.target
BindsTo=dev-disk-by\x2duuid-${_UUID_ESC}.device
After=dev-disk-by\x2duuid-${_UUID_ESC}.device luks-auto-key.service
Before=umount.target

[Service]
Type=oneshot
RemainAfterExit=yes
TimeoutSec=0
ExecStart=/etc/systemd/system/luks-auto.sh ${_UUID}
ExecStop=$CRYPTSETUP detach 'luks-${_UUID}'
Environment=DRACUT_SYSTEMD=1
StandardInput=null
StandardOutput=syslog
StandardError=syslog+console
EOF
    ln -fs "${SYSTEMD_RUN}/luks-auto@${_UUID_ESC}.service" "$SYSTEMD_RUN/luks-auto.target.wants/luks-auto@${_UUID_ESC}.service"
done
/usr/lib/dracut/modules.d/99luks-auto/luks-auto-key.service
[Unit]
Description=LUKS AUTO key searcher
After=cryptsetup-pre.target
Before=luks-auto.target
DefaultDependencies=no
[Service]
Environment=DRACUT_SYSTEMD=1
Type=oneshot
ExecStartPre=/usr/bin/sleep 1
ExecStart=/etc/systemd/system/luks-auto-key.sh
RemainAfterExit=true
StandardInput=null
StandardOutput=syslog
StandardError=syslog+console
/usr/lib/dracut/modules.d/99luks-auto/luks-auto-key.sh
#!/bin/sh
# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
# ex: ts=8 sw=4 sts=4 et filetype=sh
# Uses bash arrays and [[ ]]; relies on /bin/sh being bash, as on CentOS 7.

export DRACUT_SYSTEMD=1
. /lib/dracut-lib.sh

MNT_B="/tmp/luks-auto"

# rd.luks.key=<keyfile>[:UUID=<uuid> | :LABEL=<label> | :<device>]
ARG=$(getargs rd.luks.key)
IFS=$':' _t=(${ARG})
KEY=${_t[0]}
F_FIELD=''
F_VALUE=''
if [ -n "$KEY" ] && [ -n "${_t[1]}" ]; then
    IFS=$'=' _t=(${_t[1]})
    F_FIELD=${_t[0]}
    F_VALUE=${_t[1]}
    # Strip optional double quotes around the value.
    F_VALUE="${F_VALUE%\"}"
    F_VALUE="${F_VALUE#\"}"
fi

mkdir -p "$MNT_B"

finding_luks_keys(){
    local _DEVNAME=''
    local _UUID=''
    local _TYPE=''
    local _LABEL=''
    local _MNT=''
    local _KEY="$1"
    local _F_FIELD="$2"
    local _F_VALUE="$3"
    local _RET=0
    # Walk over every filesystem except RAID/LVM members, LUKS containers and swap.
    blkid -s TYPE -s UUID -s LABEL -u filesystem | grep -v -E -e "TYPE=\".*_member\"" -e "TYPE=\"crypto_.*\"" -e "TYPE=\"swap\"" | while IFS=$'' read -r _line; do
        IFS=$':' _t=($_line);
        _DEVNAME=${_t[0]}
        _UUID=''
        _TYPE=''
        _LABEL=''
        _MNT=''
        IFS=$' ' _t=(${_t[1]});
        for _a in "${_t[@]}"; do
            IFS=$'=' _v=(${_a});
            temp="${_v[1]%\"}"
            temp="${temp#\"}"
            case ${_v[0]} in
                'UUID')
                    _UUID=$temp
                ;;
                'TYPE')
                    _TYPE=$temp
                ;;
                'LABEL')
                    _LABEL=$temp
                ;;
            esac
        done
        # Apply the optional device filter from rd.luks.key.
        if [ -n "$_F_FIELD" ]; then
            case $_F_FIELD in
                'UUID')
                    [ -n "$_F_VALUE" ] && [ "$_UUID" != "$_F_VALUE" ] && continue
                ;;
                'LABEL')
                    [ -n "$_F_VALUE" ] && [ "$_LABEL" != "$_F_VALUE" ] && continue
                ;;
                *)
                    [ "$_DEVNAME" != "$_F_FIELD" ] && continue
                ;;
            esac
        fi
        # Mount read-only unless the filesystem is already mounted.
        _MNT=$(findmnt -n -o TARGET "$_DEVNAME")
        if [ -z "$_MNT" ]; then
            _MNT=${MNT_B}/KEY-${_UUID}
            mkdir -p "$_MNT" && mount -o ro "$_DEVNAME" "$_MNT"
            _RET=$?
        else
            _RET=0
        fi
        if [ "${_RET}" -eq 0 ] && [ -f "${_MNT}/${_KEY}" ]; then
            cp "${_MNT}/${_KEY}" "$MNT_B/${_UUID}.key"
            info "Found ${_MNT}/${_KEY} on ${_UUID}"
        fi
        # Unmount only what this script mounted itself.
        if [[ "${_MNT}" =~ "${MNT_B}" ]]; then
            umount "$_MNT" && rm -rfd --one-file-system "$_MNT"
        fi
    done
    return 0
}

finding_luks_keys "$KEY" "$F_FIELD" "$F_VALUE"
/usr/lib/dracut/modules.d/99luks-auto/luks-auto.target
[Unit]
Description=LUKS AUTO target
After=systemd-readahead-collect.service systemd-readahead-replay.service
After=cryptsetup-pre.target luks-auto-key.service
Before=cryptsetup.target
/usr/lib/dracut/modules.d/99luks-auto/luks-auto.sh
#!/bin/sh
# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
# ex: ts=8 sw=4 sts=4 et filetype=sh

export DRACUT_SYSTEMD=1
. /lib/dracut-lib.sh

MNT_B="/tmp/luks-auto"
CRYPTSETUP='/usr/lib/systemd/systemd-cryptsetup'

# Try every key file collected by luks-auto-key.sh against the device UUID in $1.
for i in $(ls -p "$MNT_B" | grep -v /); do
    info "Trying $i on $1..."
    $CRYPTSETUP attach "luks-$1" "/dev/disk/by-uuid/$1" "$MNT_B/$i" 'tries=1'
    if [ "$?" -eq "0" ]; then
        info "Found $i for $1"
        exit 0
    fi
done
warn "No key found for $1. Fallback to passphrase mode."
/usr/lib/dracut/modules.d/99luks-auto/luks-auto-clean.service
[Unit]
Description=LUKS AUTO key cleaner
After=cryptsetup.target
DefaultDependencies=no
[Service]
Type=oneshot
ExecStart=/usr/bin/rm -rfd --one-file-system /tmp/luks-auto
/etc/dracut.conf.d/luks-auto.conf
add_dracutmodules+=" luks-auto "
Installation
mkdir -p /usr/lib/dracut/modules.d/99luks-auto/
# place almost all of the files here
chmod +x /usr/lib/dracut/modules.d/99luks-auto/*.sh
# create the file /etc/dracut.conf.d/luks-auto.conf
# and generate a new initramfs
dracut -f
Conclusion
For convenience, I kept compatibility with the kernel command-line options used in sysvinit mode, which makes it easier to use on old installations.
Source: www.habr.com