dracut + systemd + LUKS + usbflash = auto-unlock

The story began long ago, right after CentOS 7 (RHEL 7) was released. If you used drive encryption on CentOS 6, there was no problem with unlocking the drives automatically when a USB flash drive holding the required keys was plugged in. But when 7 came out, everything suddenly stopped working the way you were used to. Back then the solution was to roll dracut back to sysvinit with a single line of configuration: echo 'omit_dracutmodules+=" systemd "' > /etc/dracut.conf.d/luks-workaround.conf
That immediately took away all the benefits of systemd: the fast, parallel startup of system services, which greatly reduced the system boot time.
The bug is still open: 905683
Rather than wait for a fix, I made my own, and now I am sharing it with the community. Those who are interested, read on.
Introduction

When I first started working with CentOS 7, systemd did not stir any feelings in me: apart from small changes in the service management syntax, I did not notice much difference at first. Later I came to like systemd, but the first impression was somewhat spoiled, because the dracut developers had not spent much time on supporting a systemd-based boot combined with disk encryption. In general it worked, but typing the disk passphrase every time the server booted was not much fun.
After trying a number of tips and reading this manual, I understood that in systemd mode a USB setup is possible, but only by manually binding each disk to a key on the USB disk, and the USB disk itself can be bound in only one way; UUID and LABEL did not work. Maintaining that at home was not easy, so in the end I went into waiting mode and, after waiting almost 7 years, realised that nobody was going to solve this problem.

Problems

Of course, almost anyone can write their own dracut plugin, but getting it to work is no longer that simple. It turned out that because of the parallel nature of systemd startup, it is not easy to hook your own code in and change the order of the boot process. The dracut documentation did not describe everything. Still, after long experiments I managed to solve the problem.

How it works

It is built on three units:

  1. luks-auto-key.service - searches for the drives holding the LUKS keys
  2. luks-auto.target - acts as a dependency for the built-in systemd-cryptsetup unit
  3. luks-auto-clean.service - cleans up the temporary files created by luks-auto-key.service

luks-auto-generator.sh is a script run by systemd that generates the units from the kernel parameters. Similar generators create the units for fstab and so on.

luks-auto-generator.sh

With a drop-in.conf, the behaviour of the standard systemd-cryptsetup unit is changed by adding luks-auto.target to its dependencies.

luks-auto-key.service and luks-auto-key.sh

This unit runs the luks-auto-key.sh script, which, based on the rd.luks.* kernel arguments, finds the media holding the keys and copies them to temporary storage for later use. Once the process has finished, the keys are deleted from temporary storage by luks-auto-clean.service.

Sources:
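As an added example, not part of the luks-auto module itself, the following portable sh reproduces the media-matching rule that luks-auto-key.sh applies, over a constructed blkid listing: the rd.luks.key=KEYPATH[:FIELD=VALUE] argument is split, RAID/LVM members, LUKS containers and swap are excluded, and the remaining filesystems are compared against the filter. The device names, UUIDs and label in the sample are made up.

```shell
#!/bin/sh
# Added example: the device selection rule of luks-auto-key.sh in portable sh.
# Nothing is mounted here; the candidate devices are only printed.

# Constructed sample of `blkid -s TYPE -s UUID -s LABEL -u filesystem` output.
SAMPLE_BLKID='/dev/sda1: UUID="1111-AAAA" TYPE="vfat"
/dev/sda2: UUID="2222-bbbb" TYPE="crypto_LUKS"
/dev/sdb1: LABEL="KEYS" UUID="3333-cccc" TYPE="ext4"
/dev/sdc1: UUID="4444-dddd" TYPE="linux_raid_member"
/dev/sdd1: UUID="5555-eeee" TYPE="swap"'

# Split KEYPATH[:FIELD=VALUE]; prints PATH|FIELD|VALUE (field and value are
# empty when no filter was given; quotes around VALUE are stripped).
parse_key_spec() {
    _path=${1%%:*}
    _filter=''
    case $1 in *:*) _filter=${1#*:} ;; esac
    _field=${_filter%%=*}
    _value=''
    case $_filter in *=*) _value=${_filter#*=} ;; esac
    _value=${_value#\"}
    _value=${_value%\"}
    printf '%s|%s|%s\n' "$_path" "$_field" "$_value"
}

# Value of attribute $2 (UUID, LABEL, TYPE) on blkid line $1, without quotes.
blkid_attr() {
    case $1 in
        *" $2=\""*) _v=${1#*" $2=\""}; printf '%s\n' "${_v%%\"*}" ;;
        *) printf '\n' ;;
    esac
}

# Print the devices that would be mounted and searched for the key file,
# given filter FIELD ($1) and VALUE ($2). Any other FIELD is a device node.
select_key_devices() {
    printf '%s\n' "$SAMPLE_BLKID" | while IFS= read -r _line; do
        _dev=${_line%%:*}
        case $(blkid_attr "$_line" TYPE) in *_member|crypto_*|swap) continue ;; esac
        case $1 in
            '')    ;;
            UUID)  [ "$(blkid_attr "$_line" UUID)" = "$2" ] || continue ;;
            LABEL) [ "$(blkid_attr "$_line" LABEL)" = "$2" ] || continue ;;
            *)     [ "$_dev" = "$1" ] || continue ;;
        esac
        printf '%s\n' "$_dev"
    done
}
```

Note that a LUKS container is never a candidate even when its UUID is named in the filter, so the key search cannot end up mounting the volume it is meant to unlock.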

/usr/lib/dracut/modules.d/99luks-auto/module-setup.sh

#!/bin/bash

# Refuse to build without the systemd dracut module; 255 = include only on request.
check () {
    if ! dracut_module_included "systemd"; then
        derror "luks-auto needs systemd in the initramfs"
        return 1
    fi
    return 255
}

depends () {
    echo "systemd"
    return 0
}

# Copy the generator, scripts and units into the initramfs and hook the
# units into initrd.target.
install () {
    inst "$systemdutildir/systemd-cryptsetup"
    inst_script "$moddir/luks-auto-generator.sh" "$systemdutildir/system-generators/luks-auto-generator.sh"
    inst_script "$moddir/luks-auto-key.sh" "/etc/systemd/system/luks-auto-key.sh"
    inst_script "$moddir/luks-auto.sh" "/etc/systemd/system/luks-auto.sh"
    inst "$moddir/luks-auto.target" "${systemdsystemunitdir}/luks-auto.target"
    inst "$moddir/luks-auto-key.service" "${systemdsystemunitdir}/luks-auto-key.service"
    inst "$moddir/luks-auto-clean.service" "${systemdsystemunitdir}/luks-auto-clean.service"
    ln_r "${systemdsystemunitdir}/luks-auto.target" "${systemdsystemunitdir}/initrd.target.wants/luks-auto.target"
    ln_r "${systemdsystemunitdir}/luks-auto-key.service" "${systemdsystemunitdir}/initrd.target.wants/luks-auto-key.service"
    ln_r "${systemdsystemunitdir}/luks-auto-clean.service" "${systemdsystemunitdir}/initrd.target.wants/luks-auto-clean.service"
}

/usr/lib/dracut/modules.d/99luks-auto/luks-auto-generator.sh


#!/bin/sh
# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
# ex: ts=8 sw=4 sts=4 et filetype=sh

. /lib/dracut-lib.sh

SYSTEMD_RUN='/run/systemd/system'
CRYPTSETUP='/usr/lib/systemd/systemd-cryptsetup'

# rd.luks.key.tout=N delays the key search by N seconds so that slow USB
# media have time to be enumerated.
TOUT=$(getargs rd.luks.key.tout)
if [ -n "$TOUT" ]; then
    mkdir -p "${SYSTEMD_RUN}/luks-auto-key.service.d"
    cat > "${SYSTEMD_RUN}/luks-auto-key.service.d/drop-in.conf" <<EOF
[Service]
Type=oneshot
ExecStartPre=/usr/bin/sleep $TOUT

EOF
fi

mkdir -p "$SYSTEMD_RUN/luks-auto.target.wants"
# One luks-auto@ instance per rd.luks.uuid=luks-<UUID> kernel argument.
# "-" in the UUID becomes \x2d in unit names, as systemd-escape produces.
for argv in $(getargs rd.luks.uuid -d rd_LUKS_UUID); do
    _UUID=${argv#luks-}
    _UUID_ESC=$(systemd-escape -p "$_UUID")
    # Make the stock systemd-cryptsetup unit wait for luks-auto.target and
    # skip itself when the volume has already been opened with a key file.
    mkdir -p "${SYSTEMD_RUN}/systemd-cryptsetup@luks\x2d${_UUID_ESC}.service.d"
    cat > "${SYSTEMD_RUN}/systemd-cryptsetup@luks\x2d${_UUID_ESC}.service.d/drop-in.conf" <<EOF
[Unit]
After=luks-auto.target
ConditionPathExists=!/dev/mapper/luks-${_UUID}

EOF
    cat > "${SYSTEMD_RUN}/luks-auto@${_UUID_ESC}.service" <<EOF
[Unit]
Description=luks-auto Cryptography Setup for %I
DefaultDependencies=no
Conflicts=umount.target
IgnoreOnIsolate=true
Before=luks-auto.target
BindsTo=dev-disk-by\x2duuid-${_UUID_ESC}.device
After=dev-disk-by\x2duuid-${_UUID_ESC}.device luks-auto-key.service
Before=umount.target

[Service]
Type=oneshot
RemainAfterExit=yes
TimeoutSec=0
ExecStart=/etc/systemd/system/luks-auto.sh ${_UUID}
ExecStop=$CRYPTSETUP detach 'luks-${_UUID}'
Environment=DRACUT_SYSTEMD=1
StandardInput=null
StandardOutput=syslog
StandardError=syslog+console

EOF
    ln -fs "${SYSTEMD_RUN}/luks-auto@${_UUID_ESC}.service" "${SYSTEMD_RUN}/luks-auto.target.wants/luks-auto@${_UUID_ESC}.service"
done

/usr/lib/dracut/modules.d/99luks-auto/luks-auto-key.service


[Unit]
Description=LUKS AUTO key searcher
After=cryptsetup-pre.target
Before=luks-auto.target
DefaultDependencies=no

[Service]
Environment=DRACUT_SYSTEMD=1
Type=oneshot
ExecStartPre=/usr/bin/sleep 1
ExecStart=/etc/systemd/system/luks-auto-key.sh
RemainAfterExit=true
StandardInput=null
StandardOutput=syslog
StandardError=syslog+console

/usr/lib/dracut/modules.d/99luks-auto/luks-auto-key.sh


#!/bin/bash
# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
# ex: ts=8 sw=4 sts=4 et filetype=sh
# bash rather than sh: the script relies on arrays and [[ =~ ]].
export DRACUT_SYSTEMD=1

. /lib/dracut-lib.sh
MNT_B="/tmp/luks-auto"
# rd.luks.key=KEYPATH[:FIELD=VALUE]; FIELD is UUID, LABEL or a device node.
# Without the filter every filesystem is searched for KEYPATH.
ARG=$(getargs rd.luks.key)
IFS=$':' _t=(${ARG})
KEY=${_t[0]}
F_FIELD=''
F_VALUE=''
if [ -n "$KEY" ] && [ -n "${_t[1]}" ]; then
    IFS=$'=' _t=(${_t[1]})
    F_FIELD=${_t[0]}
    F_VALUE=${_t[1]}
    F_VALUE="${F_VALUE%\"}"
    F_VALUE="${F_VALUE#\"}"
fi
mkdir -p "$MNT_B"

finding_luks_keys(){
    local _DEVNAME=''
    local _UUID=''
    local _TYPE=''
    local _LABEL=''
    local _MNT=''
    local _KEY="$1"
    local _F_FIELD="$2"
    local _F_VALUE="$3"
    local _RET=0
    # Only real filesystems are candidates: RAID/LVM members, LUKS containers
    # and swap are filtered out before anything is mounted.
    blkid -s TYPE -s UUID -s LABEL -u filesystem \
    | grep -v -E -e "TYPE=\".*_member\"" -e "TYPE=\"crypto_.*\"" -e "TYPE=\"swap\"" \
    | while IFS=$'' read -r _line; do
        IFS=$':' _t=($_line);
        _DEVNAME=${_t[0]}
        _UUID=''
        _TYPE=''
        _LABEL=''
        _MNT=''
        # The rest of the line is a list of KEY="value" pairs.
        IFS=$' ' _t=(${_t[1]});
        for _a in "${_t[@]}"; do
            IFS=$'=' _v=(${_a});
            temp="${_v[1]%\"}"
            temp="${temp#\"}"
            case ${_v[0]} in
                'UUID')
                    _UUID=$temp
                ;;
                'TYPE')
                    _TYPE=$temp
                ;;
                'LABEL')
                    _LABEL=$temp
                ;;
            esac
        done
        # Apply the optional rd.luks.key filter.
        if [ -n "$_F_FIELD" ]; then
            case $_F_FIELD in
                'UUID')
                    [ -n "$_F_VALUE" ] && [ "$_UUID" != "$_F_VALUE" ] && continue
                ;;
                'LABEL')
                    [ -n "$_F_VALUE" ] && [ "$_LABEL" != "$_F_VALUE" ] && continue
                ;;
                *)
                    [ "$_DEVNAME" != "$_F_FIELD" ] && continue
                ;;
            esac
        fi
        # Reuse an existing mount point, otherwise mount read-only under MNT_B.
        _MNT=$(findmnt -n -o TARGET "$_DEVNAME")
        if [ -z "$_MNT" ]; then
            _MNT=${MNT_B}/KEY-${_UUID}
            mkdir -p "$_MNT" && mount -o ro "$_DEVNAME" "$_MNT"
            _RET=$?
        else
            _RET=0
        fi
        if [ "${_RET}" -eq 0 ] && [ -f "${_MNT}/${_KEY}" ]; then
            cp "${_MNT}/${_KEY}" "$MNT_B/${_UUID}.key"
            info "Found ${_MNT}/${_KEY} on ${_UUID}"
        fi
        # Unmount only what this script mounted itself.
        if [[ "${_MNT}" =~ "${MNT_B}" ]]; then
            umount "$_MNT" && rm -rfd --one-file-system "$_MNT"
        fi
    done
    return 0
}
finding_luks_keys "$KEY" "$F_FIELD" "$F_VALUE"

/usr/lib/dracut/modules.d/99luks-auto/luks-auto.target


[Unit]
Description=LUKS AUTO target
After=systemd-readahead-collect.service systemd-readahead-replay.service
After=cryptsetup-pre.target luks-auto-key.service
Before=cryptsetup.target

/usr/lib/dracut/modules.d/99luks-auto/luks-auto.sh


#!/bin/sh
# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
# ex: ts=8 sw=4 sts=4 et filetype=sh
export DRACUT_SYSTEMD=1
. /lib/dracut-lib.sh

MNT_B="/tmp/luks-auto"
CRYPTSETUP='/usr/lib/systemd/systemd-cryptsetup'

# $1 is the UUID of the LUKS volume. Try every key file collected by
# luks-auto-key.sh once; if none fits, the stock systemd-cryptsetup unit
# still runs and asks for the passphrase.
for i in $(ls -p "$MNT_B" | grep -v /); do
    info "Trying $i on $1..."
    if "$CRYPTSETUP" attach "luks-$1" "/dev/disk/by-uuid/$1" "$MNT_B/$i" 'tries=1'; then
        info "Found $i for $1"
        exit 0
    fi
done
warn "No key found for $1.  Fallback to passphrase mode."

/usr/lib/dracut/modules.d/99luks-auto/luks-auto-clean.service

[Unit]
Description=LUKS AUTO key cleaner
After=cryptsetup.target
DefaultDependencies=no

[Service]
Type=oneshot
ExecStart=/usr/bin/rm -rfd --one-file-system /tmp/luks-auto

/etc/dracut.conf.d/luks-auto.conf

add_dracutmodules+=" luks-auto "

Installation


mkdir -p /usr/lib/dracut/modules.d/99luks-auto/
# place almost all of the files listed above here
chmod +x /usr/lib/dracut/modules.d/99luks-auto/*.sh
# create the file /etc/dracut.conf.d/luks-auto.conf
# and generate a new initramfs
dracut -f

Conclusion

For simplicity, I kept compatibility with the kernel command-line options used in sysvinit mode, which makes it easy to use on old installations.

Source: www.habr.com
