dracut + systemd + LUKS + usbflash = auto unlock

The story began long ago, back when CentOS 7 (RHEL 7) was released. If you used disk encryption on CentOS 6, automatic unlocking of the drives worked without trouble: you plugged in a USB stick with the required keys and the drives were opened. With 7, however, everything suddenly stopped working the way you were used to. Back then a solution was to roll dracut back to sysvinit with a single line in the configuration: echo 'omit_dracutmodules+=" systemd "' > /etc/dracut.conf.d/luks-workaround.conf
That immediately took away all the beauty of systemd, the fast, parallel start of system services, and noticeably lengthened the boot time.
The problem still exists: 905683
Rather than wait for a fix, I got around to it myself, and I am now sharing the result; if you are interested, read on.

Introduction

When I first started working with CentOS 7, systemd did not stir any feelings in me: apart from a small change in how services are managed, at first I did not notice much difference. Later I came to like systemd, but the first impression was somewhat spoiled, since the developers had not spent much time on supporting the boot process with systemd together with disk encryption. On the whole it worked, but typing the disk passphrase every time the server starts is not the most exciting thing.
After trying a lot of advice and studying the manual, I found out that auto-unlocking from a USB stick with systemd was possible, but only by manually binding each disk to the USB key disk, and the USB disk itself could only be referenced by UUID; LABEL did not work. This was not very convenient to maintain at home, so in the end I settled into waiting, and after waiting almost 7 years I realized that nobody was going to solve the problem.

Problems

Of course, almost anyone can write their own plugin for dracut, but making it work is not simple these days. It turned out that because of the parallel nature of systemd's start-up it is not so easy to insert your own code and alter the course of the boot. The documentation does not explain everything. Nevertheless, after long experiments, I managed to solve the problem.

How it works

It is built from three parts:

  1. luks-auto-key.service - searches the drives for LUKS keys
  2. luks-auto.target - acts as a dependency of the built-in systemd-cryptsetup units
  3. luks-auto-clean.service - removes the temporary files created by luks-auto-key.service

luks-auto-generator.sh is a script started by systemd that generates units from the kernel parameters. Similar generators create units from fstab and so on.

luks-auto-generator.sh

Using a drop-in.conf, the behaviour of the systemd-cryptsetup units is changed by adding luks-auto.target to their dependencies.

luks-auto-key.service and luks-auto-key.sh

This unit runs the luks-auto-key.sh script, which, based on the rd.luks.* parameters, finds the media carrying the keys and copies them to a temporary directory for further use. After the process completes, the keys are deleted from the temporary directory by luks-auto-clean.service.

Sources:

/usr/lib/dracut/modules.d/99luks-auto/module-setup.sh

#!/bin/bash

# Include the module only when asked for explicitly (add_dracutmodules),
# and refuse to build without the systemd module it hooks into.
check () {
    if ! dracut_module_included "systemd"; then
        derror "luks-auto needs systemd in the initramfs"
        return 1
    fi
    return 255
}

depends () {
    echo "systemd"
    return 0
}

install () {
    inst "$systemdutildir/systemd-cryptsetup"
    inst_script "$moddir/luks-auto-generator.sh" "$systemdutildir/system-generators/luks-auto-generator.sh"
    inst_script "$moddir/luks-auto-key.sh" "/etc/systemd/system/luks-auto-key.sh"
    inst_script "$moddir/luks-auto.sh" "/etc/systemd/system/luks-auto.sh"
    inst "$moddir/luks-auto.target" "${systemdsystemunitdir}/luks-auto.target"
    inst "$moddir/luks-auto-key.service" "${systemdsystemunitdir}/luks-auto-key.service"
    inst "$moddir/luks-auto-clean.service" "${systemdsystemunitdir}/luks-auto-clean.service"
    # Pull the three units into the initrd boot transaction.
    ln_r "${systemdsystemunitdir}/luks-auto.target" "${systemdsystemunitdir}/initrd.target.wants/luks-auto.target"
    ln_r "${systemdsystemunitdir}/luks-auto-key.service" "${systemdsystemunitdir}/initrd.target.wants/luks-auto-key.service"
    ln_r "${systemdsystemunitdir}/luks-auto-clean.service" "${systemdsystemunitdir}/initrd.target.wants/luks-auto-clean.service"
}

/usr/lib/dracut/modules.d/99luks-auto/luks-auto-generator.sh


#!/bin/sh
# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
# ex: ts=8 sw=4 sts=4 et filetype=sh
#
# systemd generator: turns every rd.luks.uuid=... on the kernel command line
# into a luks-auto@<uuid>.service, and adds a drop-in to the stock
# systemd-cryptsetup@luks-<uuid>.service so that it waits for luks-auto.target
# and is skipped once the volume is already open.

. /lib/dracut-lib.sh

SYSTEMD_RUN='/run/systemd/system'
CRYPTSETUP='/usr/lib/systemd/systemd-cryptsetup'

# rd.luks.key.tout=<seconds>: extra delay before the key search, for USB
# sticks that need time to enumerate.
TOUT=$(getargs rd.luks.key.tout)
if [ -n "$TOUT" ]; then
    mkdir -p "${SYSTEMD_RUN}/luks-auto-key.service.d"
    cat > "${SYSTEMD_RUN}/luks-auto-key.service.d/drop-in.conf" <<EOF
[Service]
Type=oneshot
ExecStartPre=/usr/bin/sleep $TOUT

EOF
fi

mkdir -p "${SYSTEMD_RUN}/luks-auto.target.wants"
for argv in $(getargs rd.luks.uuid -d rd_LUKS_UUID); do
    _UUID=${argv#luks-}
    # Unit-name escaping: every '-' in the UUID becomes '\x2d'.
    _UUID_ESC=$(systemd-escape -p "$_UUID")
    mkdir -p "${SYSTEMD_RUN}/systemd-cryptsetup@luks\x2d${_UUID_ESC}.service.d"
    cat > "${SYSTEMD_RUN}/systemd-cryptsetup@luks\x2d${_UUID_ESC}.service.d/drop-in.conf" <<EOF
[Unit]
After=luks-auto.target
ConditionPathExists=!/dev/mapper/luks-${_UUID}

EOF
    cat > "${SYSTEMD_RUN}/luks-auto@${_UUID_ESC}.service" <<EOF
[Unit]
Description=luks-auto Cryptography Setup for %I
DefaultDependencies=no
Conflicts=umount.target
IgnoreOnIsolate=true
Before=luks-auto.target
BindsTo=dev-disk-by\x2duuid-${_UUID_ESC}.device
After=dev-disk-by\x2duuid-${_UUID_ESC}.device luks-auto-key.service
Before=umount.target

[Service]
Type=oneshot
RemainAfterExit=yes
TimeoutSec=0
ExecStart=/etc/systemd/system/luks-auto.sh ${_UUID}
ExecStop=$CRYPTSETUP detach 'luks-${_UUID}'
Environment=DRACUT_SYSTEMD=1
StandardInput=null
StandardOutput=syslog
StandardError=syslog+console

EOF
    ln -fs "${SYSTEMD_RUN}/luks-auto@${_UUID_ESC}.service" \
        "${SYSTEMD_RUN}/luks-auto.target.wants/luks-auto@${_UUID_ESC}.service"
done
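The generator above can only be exercised inside an initramfs. As an added example (not the module's own code), here is the same unit generation as plain POSIX sh that runs as an ordinary user: the kernel command line is passed in as a string instead of being read with getargs, the output directory stands in for /run/systemd/system, and the unit-name escaping is done inline for the characters that occur in UUIDs and device paths ('-' and '/') rather than by calling systemd-escape. The command line at the bottom is constructed.

```shell
#!/bin/sh
# Added illustration of luks-auto-generator.sh; assumptions as described in the lead-in.

# Minimal stand-in for 'systemd-escape -p' on names made of [A-Za-z0-9._/-]:
# drop the leading '/', turn '-' into '\x2d', then '/' into '-'.
unit_escape_path() {
    printf '%s' "${1#/}" | sed -e 's/-/\\x2d/g' -e 's#/#-#g'
}

# Print every value of KEY=... found on a kernel command line, one per line
# (getargs does this inside the initramfs).
cmdline_arg() {
    _key=$1
    set -- $2
    for _word in "$@"; do
        case $_word in
            "$_key"=*) printf '%s\n' "${_word#*=}" ;;
        esac
    done
}

# OUT plays the role of /run/systemd/system, CMDLINE of /proc/cmdline.
write_luks_auto_units() {
    _out=$1
    _cmdline=$2
    _cryptsetup='/usr/lib/systemd/systemd-cryptsetup'

    # rd.luks.key.tout=<seconds>: let slow USB sticks enumerate before the key search.
    _tout=$(cmdline_arg rd.luks.key.tout "$_cmdline")
    if [ -n "$_tout" ]; then
        mkdir -p "$_out/luks-auto-key.service.d"
        cat > "$_out/luks-auto-key.service.d/drop-in.conf" <<EOF
[Service]
ExecStartPre=/usr/bin/sleep $_tout
EOF
    fi

    mkdir -p "$_out/luks-auto.target.wants"
    for _arg in $(cmdline_arg rd.luks.uuid "$_cmdline"); do
        _uuid=${_arg#luks-}
        _esc=$(unit_escape_path "$_uuid")
        _stock="systemd-cryptsetup@$(unit_escape_path "luks-$_uuid").service"
        _dev="$(unit_escape_path "/dev/disk/by-uuid/$_uuid").device"

        # Drop-in for the stock unit: wait for luks-auto.target, and do nothing
        # (no passphrase prompt) if luks-auto@ has already opened the volume.
        mkdir -p "$_out/$_stock.d"
        cat > "$_out/$_stock.d/drop-in.conf" <<EOF
[Unit]
After=luks-auto.target
ConditionPathExists=!/dev/mapper/luks-$_uuid
EOF

        # Instance unit that tries the collected key files on this volume.
        cat > "$_out/luks-auto@$_esc.service" <<EOF
[Unit]
Description=luks-auto Cryptography Setup for %I
DefaultDependencies=no
Conflicts=umount.target
Before=luks-auto.target umount.target
BindsTo=$_dev
After=$_dev luks-auto-key.service

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/etc/systemd/system/luks-auto.sh $_uuid
ExecStop=$_cryptsetup detach 'luks-$_uuid'
EOF
        ln -fs "$_out/luks-auto@$_esc.service" \
            "$_out/luks-auto.target.wants/luks-auto@$_esc.service"
    done
}

# Stand-alone run on a constructed command line, into a scratch directory.
OUT=$(mktemp -d)
write_luks_auto_units "$OUT" \
    "root=/dev/mapper/luks-1234-abcd rd.luks.uuid=luks-1234-abcd rd.luks.key=server.key:LABEL=KEYS rd.luks.key.tout=3"
( cd "$OUT" && find . -type f -o -type l | sort )
rm -rf "$OUT"
```

Running it lists the generated tree, including the directory named systemd-cryptsetup@luks\x2d1234\x2dabcd.service.d; the backslash in that name is literal and is exactly what systemd expects for a '-' inside an instance name, which is why the real script needs systemd-escape.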

/usr/lib/dracut/modules.d/99luks-auto/luks-auto-key.service


[Unit]
Description=LUKS AUTO key searcher
After=cryptsetup-pre.target
Before=luks-auto.target
DefaultDependencies=no

[Service]
Environment=DRACUT_SYSTEMD=1
Type=oneshot
ExecStartPre=/usr/bin/sleep 1
ExecStart=/etc/systemd/system/luks-auto-key.sh
RemainAfterExit=true
StandardInput=null
StandardOutput=syslog
StandardError=syslog+console

/usr/lib/dracut/modules.d/99luks-auto/luks-auto-key.sh


#!/bin/bash
# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
# ex: ts=8 sw=4 sts=4 et filetype=sh
#
# Searches the attached file systems for the key file named by rd.luks.key
# and copies every copy found into MNT_B for luks-auto.sh to try.
# Accepted forms: rd.luks.key=<keyfile>[:UUID=<uuid>|LABEL=<label>|/dev/<node>]
# Bash is required for the arrays used below.
export DRACUT_SYSTEMD=1

. /lib/dracut-lib.sh
MNT_B="/tmp/luks-auto"
ARG=$(getargs rd.luks.key)
IFS=':' read -r -a _t <<< "$ARG"
KEY=${_t[0]}
F_FIELD=''
F_VALUE=''
if [ -n "$KEY" ] && [ -n "${_t[1]}" ]; then
    IFS='=' read -r -a _t <<< "${_t[1]}"
    F_FIELD=${_t[0]}
    F_VALUE=${_t[1]}
    # tolerate a quoted value, e.g. LABEL="KEYS"
    F_VALUE="${F_VALUE%\"}"
    F_VALUE="${F_VALUE#\"}"
fi
mkdir -p "$MNT_B"

finding_luks_keys(){
    local _DEVNAME=''
    local _UUID=''
    local _TYPE=''
    local _LABEL=''
    local _MNT=''
    local _KEY="$1"
    local _F_FIELD="$2"
    local _F_VALUE="$3"
    local _RET=0
    # Candidates are plain file systems only: RAID/LVM members, LUKS
    # containers and swap are dropped. Values containing spaces are not
    # supported by this simple word splitting.
    blkid -s TYPE -s UUID -s LABEL -u filesystem \
        | grep -v -E -e 'TYPE=".*_member"' -e 'TYPE="crypto_.*"' -e 'TYPE="swap"' \
        | while IFS= read -r _line; do
        _DEVNAME=${_line%%:*}
        _UUID=''
        _TYPE=''
        _LABEL=''
        _MNT=''
        read -r -a _t <<< "${_line#*:}"
        for _a in "${_t[@]}"; do
            IFS='=' read -r -a _v <<< "$_a"
            temp="${_v[1]%\"}"
            temp="${temp#\"}"
            case ${_v[0]} in
                'UUID')
                    _UUID=$temp
                ;;
                'TYPE')
                    _TYPE=$temp
                ;;
                'LABEL')
                    _LABEL=$temp
                ;;
            esac
        done
        # Optional filter from rd.luks.key: UUID=..., LABEL=... or a device node.
        if [ -n "$_F_FIELD" ]; then
            case $_F_FIELD in
                'UUID')
                    [ -n "$_F_VALUE" ] && [ "$_UUID" != "$_F_VALUE" ] && continue
                ;;
                'LABEL')
                    [ -n "$_F_VALUE" ] && [ "$_LABEL" != "$_F_VALUE" ] && continue
                ;;
                *)
                    [ "$_DEVNAME" != "$_F_FIELD" ] && continue
                ;;
            esac
        fi
        # Reuse an existing mount point, otherwise mount read-only under MNT_B.
        _MNT=$(findmnt -n -o TARGET "$_DEVNAME")
        if [ -z "$_MNT" ]; then
            _MNT=${MNT_B}/KEY-${_UUID}
            mkdir -p "$_MNT" && mount -o ro "$_DEVNAME" "$_MNT"
            _RET=$?
        else
            _RET=0
        fi
        if [ "${_RET}" -eq 0 ] && [ -f "${_MNT}/${_KEY}" ]; then
            cp "${_MNT}/${_KEY}" "$MNT_B/${_UUID}.key"
            info "Found ${_MNT}/${_KEY} on ${_UUID}"
        fi
        # Unmount only what this script mounted itself.
        if [[ "${_MNT}" == "${MNT_B}"/* ]]; then
            umount "$_MNT" && rm -rf --one-file-system "$_MNT"
        fi
    done
    return 0
}
finding_luks_keys "$KEY" "$F_FIELD" "$F_VALUE"
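The part of luks-auto-key.sh that decides which media to search is the part most worth checking before rebuilding the initramfs, since a wrong rd.luks.key filter simply falls back to the passphrase prompt with little to go on. As an added example (not the module's own code), the following POSIX sh reproduces that selection logic over constructed blkid output, so the filter forms the script accepts can be tried without root and without mounting anything. The blkid lines are made up; the key-spec grammar is the one the script above handles, and a third ":<luksdev>" element is ignored as it is there.

```shell
#!/bin/sh
# Added illustration of the device selection in luks-auto-key.sh; input is constructed.

# Set KEY, F_FIELD and F_VALUE from a key spec, like the top of luks-auto-key.sh:
#   <keyfile>[:UUID=<uuid>|LABEL=<label>|/dev/<node>[:<luksdev>]]
parse_key_spec() {
    KEY=${1%%:*}
    _rest=''
    case $1 in *:*) _rest=${1#*:} ;; esac
    _dev=${_rest%%:*}           # a third ':<luksdev>' element is ignored
    F_FIELD=''
    F_VALUE=''
    case $_dev in
        *=*) F_FIELD=${_dev%%=*}; F_VALUE=${_dev#*=} ;;
        ?*)  F_FIELD=$_dev ;;   # bare device node, matched against the name
    esac
    F_VALUE=${F_VALUE%\"}       # tolerate LABEL="KEYS" as well as LABEL=KEYS
    F_VALUE=${F_VALUE#\"}
}

# Read blkid(8)-style lines on stdin and print the device node of every line
# that is a plain file system (not a RAID/LVM member, LUKS container or swap)
# and passes the optional FIELD/VALUE filter. Like the real script, this splits
# attributes on whitespace, so a LABEL containing spaces is not supported.
select_key_devices() {
    _f_field=$1
    _f_value=$2
    while IFS= read -r _line; do
        _name=${_line%%:*}
        _attrs=${_line#*:}
        _uuid=''; _type=''; _label=''
        for _kv in $_attrs; do
            _k=${_kv%%=*}
            _v=${_kv#*=}
            _v=${_v%\"}; _v=${_v#\"}
            case $_k in
                UUID)  _uuid=$_v ;;
                TYPE)  _type=$_v ;;
                LABEL) _label=$_v ;;
            esac
        done
        case $_type in
            *_member|crypto_*|swap) continue ;;
        esac
        case $_f_field in
            '')    ;;
            UUID)  [ -z "$_f_value" ] || [ "$_uuid" = "$_f_value" ] || continue ;;
            LABEL) [ -z "$_f_value" ] || [ "$_label" = "$_f_value" ] || continue ;;
            *)     [ "$_name" = "$_f_field" ] || continue ;;
        esac
        printf '%s\n' "$_name"
    done
    return 0
}

# Constructed sample: what blkid might print on a box with one key stick.
SAMPLE_BLKID='/dev/sda1: UUID="aaaa-0001" TYPE="vfat"
/dev/sda2: UUID="2f1c7e2a-0000-0000-0000-000000000002" TYPE="crypto_LUKS"
/dev/sdb1: LABEL="KEYS" UUID="1234-ABCD" TYPE="vfat"
/dev/sdc1: UUID="3333-0003" TYPE="linux_raid_member"
/dev/sdd1: LABEL="swap0" UUID="4444-0004" TYPE="swap"'

# Stand-alone run: show which devices each spec form would be searched on.
for _spec in 'server.key:LABEL=KEYS' 'server.key:UUID=1234-ABCD' 'server.key:/dev/sda1' 'server.key'; do
    parse_key_spec "$_spec"
    printf '%-28s -> %s\n' "$_spec" \
        "$(printf '%s\n' "$SAMPLE_BLKID" | select_key_devices "$F_FIELD" "$F_VALUE" | tr '\n' ' ')"
done
```

Without a filter every plain file system is mounted and searched, which is convenient but means a key file with the right name on any attached volume is accepted; pinning the stick by LABEL or UUID narrows that to the intended medium.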

/usr/lib/dracut/modules.d/99luks-auto/luks-auto.target


[Unit]
Description=LUKS AUTO target
After=systemd-readahead-collect.service systemd-readahead-replay.service
After=cryptsetup-pre.target luks-auto-key.service
Before=cryptsetup.target

/usr/lib/dracut/modules.d/99luks-auto/luks-auto.sh


#!/bin/sh
# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
# ex: ts=8 sw=4 sts=4 et filetype=sh
#
# Started by luks-auto@<uuid>.service with the LUKS volume UUID as $1.
# Tries every key file collected by luks-auto-key.sh; if none opens the
# volume it only warns, and the stock systemd-cryptsetup unit (which its
# drop-in runs only while /dev/mapper/luks-<uuid> is absent) asks for the
# passphrase.
export DRACUT_SYSTEMD=1
. /lib/dracut-lib.sh

MNT_B="/tmp/luks-auto"
CRYPTSETUP='/usr/lib/systemd/systemd-cryptsetup'

for i in $(ls -p "$MNT_B" | grep -v /); do
    info "Trying $i on $1..."
    if $CRYPTSETUP attach "luks-$1" "/dev/disk/by-uuid/$1" "$MNT_B/$i" 'tries=1'; then
        info "Found $i for $1"
        exit 0
    fi
done
warn "No key found for $1.  Fallback to passphrase mode."

/usr/lib/dracut/modules.d/99luks-auto/luks-auto-clean.service

[Unit]
Description=LUKS AUTO key cleaner
After=cryptsetup.target
DefaultDependencies=no

[Service]
Type=oneshot
ExecStart=/usr/bin/rm -rfd --one-file-system /tmp/luks-auto

/etc/dracut.conf.d/luks-auto.conf

add_dracutmodules+=" luks-auto "

Installation


mkdir -p /usr/lib/dracut/modules.d/99luks-auto/
# place almost all the files listed above here
chmod +x /usr/lib/dracut/modules.d/99luks-auto/*.sh
# create the file /etc/dracut.conf.d/luks-auto.conf
# and generate a new initramfs
dracut -f

Conclusion

For convenience, I kept compatibility with the kernel command-line options of the sysvinit method, which makes it easy to use on existing installations.

Source: www.habr.com
