dracut + systemd + LUKS + usbflash = auto unlock

The story began long ago, shortly after CentOS 7 (RHEL 7) was released. If you used encryption on your drives with CentOS 6, there were no problems with unlocking the drives automatically by plugging in a USB flash drive holding the required keys. However, when 7 came out, suddenly nothing worked the way you were used to. A workaround was found: revert dracut from systemd to sysvinit with a single line in its config: echo 'omit_dracutmodules+=" systemd "' > /etc/dracut.conf.d/luks-workaround.conf
That immediately deprived us of all the charms of systemd: fast, parallel startup of system services, which had noticeably reduced boot time.
The bug is still open: 905683
Rather than wait for a fix, I made my own, and I am now sharing it with the community; those interested, read on.
Introduction

When I started working with CentOS 7, systemd did not stir any emotions in me: apart from a small change in the syntax for managing services, I did not feel much difference at first. Later I came to like systemd, but the first impression was slightly spoiled, because the dracut developers had not spent much time supporting a systemd-based boot together with disk encryption. On the whole it worked, but typing the disk passphrase every time the server starts is not the most interesting pastime.
After trying a series of recommendations and reading the manual, I realized that in systemd mode a USB key is possible, but only by binding each encrypted disk to the key on the USB disk, and the USB disk itself can only be referred to directly; UUID and LABEL did not work. Maintaining that at home was not convenient, so in the end I started waiting, and after waiting about 7 years I realized that nobody was going to solve the problem.

The problems

In principle, almost anyone can write their own dracut module, but making it actually work is not so simple. It turned out that because of the particular way systemd starts, it is not easy to hook your own code in and change the boot sequence. The dracut documentation does not explain everything either. Nevertheless, after long experiments I managed to solve the problem.

How it works

It is built on three units:

  1. luks-auto-key.service - searches the attached drives for LUKS key files
  2. luks-auto.target - acts as a dependency for the built-in systemd-cryptsetup units.
  3. luks-auto-clean.service - removes the temporary files created by luks-auto-key.service

And luks-auto-generator.sh is a script that systemd runs at boot; it generates units from the kernel parameters. Similar generators create the fstab units, etc.

luks-auto-generator.sh

Using a drop-in.conf, the behaviour of systemd-cryptsetup is changed by adding luks-auto.target to its dependencies.

luks-auto-key.service le luks-auto-key.sh

This unit runs the luks-auto-key.sh script, which, guided by the rd.luks.* kernel parameters, finds the media holding the keys and copies them to a temporary directory for later use. Once unlocking is finished, the keys are deleted from the temporary directory by luks-auto-clean.service.
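A dry run of that selection logic, added here as an example and not part of the module: it parses an rd.luks.key argument and applies the module's filter rules (skip LUKS containers, swap and RAID/LVM members; narrow by UUID=, LABEL= or a bare device path) to constructed blkid output, without mounting anything, so you can check which device the real script would search before rebooting with a new command line.

```shell
#!/bin/sh
# Added example: dry run of the device selection in luks-auto-key.sh.
# Nothing is mounted; the blkid output below is constructed sample data.
SAMPLE_BLKID='/dev/sda1: UUID="11111111-aaaa-4bbb-8ccc-000000000001" TYPE="xfs"
/dev/sda2: UUID="22222222-aaaa-4bbb-8ccc-000000000002" TYPE="crypto_LUKS"
/dev/sdb1: LABEL="KEYS" UUID="3333-4444" TYPE="vfat"
/dev/sdc1: LABEL="BACKUP" UUID="5555-6666" TYPE="ext4"
/dev/sdd1: UUID="7777-8888" TYPE="linux_raid_member"'

# parse_rd_luks_key 'file[:FIELD=value]' -> prints "file FIELD value"
# (surrounding double quotes on the value are stripped, as the module does).
parse_rd_luks_key() {
    key=${1%%:*}
    filter=${1#*:}
    [ "$filter" = "$1" ] && filter=''
    field=${filter%%=*}
    value=${filter#*=}
    [ "$value" = "$filter" ] && value=''
    value=${value%\"}
    value=${value#\"}
    printf '%s %s %s\n' "$key" "$field" "$value"
}

# select_key_devices FIELD VALUE -> prints the devices the module would mount
# read-only and search: every filesystem except LUKS containers, swap and
# RAID/LVM members, narrowed by UUID=, LABEL= or a bare device path.
select_key_devices() {
    field=$1 value=$2
    printf '%s\n' "$SAMPLE_BLKID" | while IFS= read -r line; do
        dev=${line%%:*}
        rest=${line#*: }
        uuid='' fstype='' label=''
        for tok in $rest; do
            case $tok in
                UUID=*)  uuid=${tok#UUID=};     uuid=${uuid%\"};     uuid=${uuid#\"} ;;
                TYPE=*)  fstype=${tok#TYPE=};   fstype=${fstype%\"}; fstype=${fstype#\"} ;;
                LABEL=*) label=${tok#LABEL=};   label=${label%\"};   label=${label#\"} ;;
            esac
        done
        case $fstype in crypto_*|swap|*_member) continue ;; esac
        case $field in
            '')    ;;
            UUID)  [ "$uuid" = "$value" ] || continue ;;
            LABEL) [ "$label" = "$value" ] || continue ;;
            *)     [ "$dev" = "$field" ] || continue ;;
        esac
        printf '%s\n' "$dev"
    done
}
```

Without a filter every plain filesystem is searched, which is why a LABEL= or UUID= filter on the key stick is the safer choice on a host with many disks.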

Sources:

/usr/lib/dracut/modules.d/99luks-auto/module-setup.sh

#!/bin/bash

# dracut module hooks for 99luks-auto.

check () {
    # The module only makes sense in a systemd-based initramfs.
    if ! dracut_module_included "systemd"; then
        derror "luks-auto needs systemd in the initramfs"
        return 1
    fi
    # 255: not included by default, only when requested via add_dracutmodules.
    return 255
}

depends () {
    echo "systemd"
    return 0
}

install () {
    inst "$systemdutildir/systemd-cryptsetup"
    # Generator that turns the rd.luks.* kernel arguments into units at boot.
    inst_script "$moddir/luks-auto-generator.sh" "$systemdutildir/system-generators/luks-auto-generator.sh"
    inst_script "$moddir/luks-auto-key.sh" "/etc/systemd/system/luks-auto-key.sh"
    inst_script "$moddir/luks-auto.sh" "/etc/systemd/system/luks-auto.sh"
    inst "$moddir/luks-auto.target" "${systemdsystemunitdir}/luks-auto.target"
    inst "$moddir/luks-auto-key.service" "${systemdsystemunitdir}/luks-auto-key.service"
    inst "$moddir/luks-auto-clean.service" "${systemdsystemunitdir}/luks-auto-clean.service"
    # Pull the units into the initrd boot transaction.
    ln_r "${systemdsystemunitdir}/luks-auto.target" "${systemdsystemunitdir}/initrd.target.wants/luks-auto.target"
    ln_r "${systemdsystemunitdir}/luks-auto-key.service" "${systemdsystemunitdir}/initrd.target.wants/luks-auto-key.service"
    ln_r "${systemdsystemunitdir}/luks-auto-clean.service" "${systemdsystemunitdir}/initrd.target.wants/luks-auto-clean.service"
}

/usr/lib/dracut/modules.d/99luks-auto/luks-auto-generator.sh


#!/bin/sh
# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
# ex: ts=8 sw=4 sts=4 et filetype=sh
#
# systemd generator: runs early at boot and turns the rd.luks.* kernel
# arguments into runtime units under /run/systemd/system.

. /lib/dracut-lib.sh

SYSTEMD_RUN='/run/systemd/system'
CRYPTSETUP='/usr/lib/systemd/systemd-cryptsetup'

# rd.luks.key.tout=<seconds>: optional delay before the key search, to give
# slow USB devices time to appear.
TOUT=$(getargs rd.luks.key.tout)
if [ -n "$TOUT" ]; then
    mkdir -p "${SYSTEMD_RUN}/luks-auto-key.service.d"
    cat > "${SYSTEMD_RUN}/luks-auto-key.service.d/drop-in.conf" <<EOF
[Service]
Type=oneshot
ExecStartPre=/usr/bin/sleep $TOUT

EOF
fi

mkdir -p "${SYSTEMD_RUN}/luks-auto.target.wants"

# One luks-auto@<uuid>.service per rd.luks.uuid= (or legacy rd_LUKS_UUID=) entry.
for argv in $(getargs rd.luks.uuid -d rd_LUKS_UUID); do
    _UUID=${argv#luks-}
    # Escape the UUID the way systemd does in unit names ("-" becomes "\x2d").
    _UUID_ESC=$(systemd-escape -p "$_UUID")

    # Drop-in for the built-in unit: wait for luks-auto.target and skip the
    # passphrase prompt when the volume has already been opened by us.
    mkdir -p "${SYSTEMD_RUN}/systemd-cryptsetup@luks\x2d${_UUID_ESC}.service.d"
    cat > "${SYSTEMD_RUN}/systemd-cryptsetup@luks\x2d${_UUID_ESC}.service.d/drop-in.conf" <<EOF
[Unit]
After=luks-auto.target
ConditionPathExists=!/dev/mapper/luks-${_UUID}

EOF
    # Our own unit: tries the collected key files once the device and the
    # key search are both available.
    cat > "${SYSTEMD_RUN}/luks-auto@${_UUID_ESC}.service" <<EOF
[Unit]
Description=luks-auto Cryptography Setup for %I
DefaultDependencies=no
Conflicts=umount.target
IgnoreOnIsolate=true
Before=luks-auto.target
BindsTo=dev-disk-by\x2duuid-${_UUID_ESC}.device
After=dev-disk-by\x2duuid-${_UUID_ESC}.device luks-auto-key.service
Before=umount.target

[Service]
Type=oneshot
RemainAfterExit=yes
TimeoutSec=0
ExecStart=/etc/systemd/system/luks-auto.sh ${_UUID}
ExecStop=$CRYPTSETUP detach 'luks-${_UUID}'
Environment=DRACUT_SYSTEMD=1
StandardInput=null
StandardOutput=syslog
StandardError=syslog+console

EOF
    ln -fs "${SYSTEMD_RUN}/luks-auto@${_UUID_ESC}.service" \
        "${SYSTEMD_RUN}/luks-auto.target.wants/luks-auto@${_UUID_ESC}.service"
done

/usr/lib/dracut/modules.d/99luks-auto/luks-auto-key.service


[Unit]
Description=LUKS AUTO key searcher
After=cryptsetup-pre.target
Before=luks-auto.target
DefaultDependencies=no

[Service]
Environment=DRACUT_SYSTEMD=1
Type=oneshot
ExecStartPre=/usr/bin/sleep 1
ExecStart=/etc/systemd/system/luks-auto-key.sh
RemainAfterExit=true
StandardInput=null
StandardOutput=syslog
StandardError=syslog+console

/usr/lib/dracut/modules.d/99luks-auto/luks-auto-key.sh


#!/bin/bash
# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
# ex: ts=8 sw=4 sts=4 et filetype=sh
#
# Searches every plain filesystem (not LUKS, swap or RAID/LVM members) for the
# key file named in rd.luks.key=<file>[:<FIELD>=<value>] and copies each key
# found into a temporary directory for luks-auto.sh to try.
# Uses bash arrays and [[ ]], so it is run with bash explicitly.
export DRACUT_SYSTEMD=1

. /lib/dracut-lib.sh
MNT_B="/tmp/luks-auto"

# rd.luks.key=keyfile:LABEL="KEYS" -> KEY=keyfile, F_FIELD=LABEL, F_VALUE=KEYS
# The filter may also be UUID=<uuid> or a bare device name such as /dev/sdb1.
ARG=$(getargs rd.luks.key)
IFS=':' _t=(${ARG})
KEY=${_t[0]}
F_FIELD=''
F_VALUE=''
if [ -n "$KEY" ] && [ -n "${_t[1]}" ]; then
    IFS='=' _t=(${_t[1]})
    F_FIELD=${_t[0]}
    F_VALUE=${_t[1]}
    # strip surrounding double quotes
    F_VALUE="${F_VALUE%\"}"
    F_VALUE="${F_VALUE#\"}"
fi
mkdir -p "$MNT_B"

finding_luks_keys(){
    local _DEVNAME=''
    local _UUID=''
    local _TYPE=''
    local _LABEL=''
    local _MNT=''
    local _KEY="$1"
    local _F_FIELD="$2"
    local _F_VALUE="$3"
    local _RET=0
    # blkid prints one line per device: /dev/sdb1: UUID="..." TYPE="vfat" LABEL="KEYS"
    blkid -s TYPE -s UUID -s LABEL -u filesystem \
        | grep -v -E -e "TYPE=\".*_member\"" -e "TYPE=\"crypto_.*\"" -e "TYPE=\"swap\"" \
        | while IFS=$'\n' read -r _line; do
        IFS=':' _t=($_line)
        _DEVNAME=${_t[0]}
        _UUID=''
        _TYPE=''
        _LABEL=''
        _MNT=''
        # split the remaining FIELD="value" pairs
        IFS=' ' _t=(${_t[1]})
        for _a in "${_t[@]}"; do
            IFS='=' _v=(${_a})
            temp="${_v[1]%\"}"
            temp="${temp#\"}"
            case ${_v[0]} in
                'UUID')
                    _UUID=$temp
                ;;
                'TYPE')
                    _TYPE=$temp
                ;;
                'LABEL')
                    _LABEL=$temp
                ;;
            esac
        done
        # apply the optional filter from rd.luks.key
        if [ -n "$_F_FIELD" ]; then
            case $_F_FIELD in
                'UUID')
                    [ -n "$_F_VALUE" ] && [ "$_UUID" != "$_F_VALUE" ] && continue
                ;;
                'LABEL')
                    [ -n "$_F_VALUE" ] && [ "$_LABEL" != "$_F_VALUE" ] && continue
                ;;
                *)
                    # anything else is taken as a device name
                    [ "$_DEVNAME" != "$_F_FIELD" ] && continue
                ;;
            esac
        fi
        # reuse an existing mount point, otherwise mount read-only under MNT_B
        _MNT=$(findmnt -n -o TARGET "$_DEVNAME")
        if [ -z "$_MNT" ]; then
            _MNT=${MNT_B}/KEY-${_UUID}
            mkdir -p "$_MNT" && mount -o ro "$_DEVNAME" "$_MNT"
            _RET=$?
        else
            _RET=0
        fi
        if [ "${_RET}" -eq 0 ] && [ -f "${_MNT}/${_KEY}" ]; then
            cp "${_MNT}/${_KEY}" "$MNT_B/${_UUID}.key"
            info "Found ${_MNT}/${_KEY} on ${_UUID}"
        fi
        # only unmount what we mounted ourselves
        if [[ "${_MNT}" =~ "${MNT_B}" ]]; then
            umount "$_MNT" && rm -rfd --one-file-system "$_MNT"
        fi
    done
    return 0
}
finding_luks_keys "$KEY" "$F_FIELD" "$F_VALUE"

/usr/lib/dracut/modules.d/99luks-auto/luks-auto.target


[Unit]
Description=LUKS AUTO target
After=systemd-readahead-collect.service systemd-readahead-replay.service
After=cryptsetup-pre.target luks-auto-key.service
Before=cryptsetup.target

/usr/lib/dracut/modules.d/99luks-auto/luks-auto.sh


#!/bin/sh
# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
# ex: ts=8 sw=4 sts=4 et filetype=sh
#
# Tries every key file collected by luks-auto-key.sh against the LUKS volume
# whose UUID is passed as $1. On success the volume appears as /dev/mapper/luks-<uuid>.
export DRACUT_SYSTEMD=1
. /lib/dracut-lib.sh

MNT_B="/tmp/luks-auto"
CRYPTSETUP='/usr/lib/systemd/systemd-cryptsetup'

for key in "$MNT_B"/*; do
    # skip the KEY-<uuid> mount directories, only regular files are keys
    [ -f "$key" ] || continue
    i=${key##*/}
    info "Trying $i on $1..."
    if "$CRYPTSETUP" attach "luks-$1" "/dev/disk/by-uuid/$1" "$key" 'tries=1'; then
        info "Found $i for $1"
        exit 0
    fi
done
# No key matched: the stock systemd-cryptsetup unit will ask for the passphrase.
warn "No key found for $1.  Fallback to passphrase mode."

/usr/lib/dracut/modules.d/99luks-auto/luks-auto-clean.service

[Unit]
Description=LUKS AUTO key cleaner
After=cryptsetup.target
DefaultDependencies=no

[Service]
Type=oneshot
ExecStart=/usr/bin/rm -rfd --one-file-system /tmp/luks-auto

/etc/dracut.conf.d/luks-auto.conf

add_dracutmodules+=" luks-auto "

Installation


mkdir -p /usr/lib/dracut/modules.d/99luks-auto/
# place almost all of the files above here
chmod +x /usr/lib/dracut/modules.d/99luks-auto/*.sh
# create the file /etc/dracut.conf.d/luks-auto.conf
# and generate a new initramfs
dracut -f

Conclusion

For convenience, I kept compatibility with the kernel command-line options used in sysvinit mode, which makes it easy to use on older systems.

Source: www.habr.com
