dracut + systemd + LUKS + usbflash = automatic unlocking

The story began a long time ago, back when CentOS 7 (RHEL 7) was released. If you used disk encryption on CentOS 6, there were no problems with unlocking the drives automatically when a USB flash drive holding the needed keys was plugged in. But when 7 came out, suddenly nothing worked the way it used to. Back then the fix was to switch dracut back to sysvinit with a single line in the configuration: echo 'omit_dracutmodules+=" systemd "' > /etc/dracut.conf.d/luks-workaround.conf
Which immediately deprived us of all the beauty of systemd: fast, parallel start-up of system services, which noticeably shortens the boot time.
The bug is still there: 905683
Without waiting for a fix, I made one for myself, and now I am sharing it with everyone who is interested; read on.
Introduction

When I first started working with CentOS 7, systemd gave me nothing to complain about: apart from the small change in the service-management syntax, I did not feel much difference at first. Later I took a real interest in it, but the first impression was slightly spoiled, because the dracut developers had not spent much time on supporting a systemd boot combined with disk encryption. In general it works, but typing the disk passphrase every time the server boots is not the most interesting thing to do.
After trying many recommendations and studying the documentation, I found that a USB-key setup is possible in systemd mode, but only by manually tying each disk to a key on the USB stick, and the USB stick itself can only be referenced by its UUID; LABEL does not work. That is not very convenient to maintain at home, so in the end I settled into waiting, and after seven years of waiting I realised that nobody was going to fix the problem.

The problem

Of course, almost anyone can write their own dracut module, but getting it to actually work is no longer simple. It turns out that because of the way systemd start-up is organised, it is not that easy to add your own code and change the boot sequence. The dracut documentation does not explain everything. Still, after long experiments I managed to solve the problem.

How it works

It is based on three units:

  1. luks-auto-key.service - searches the attached drives for LUKS key files
  2. luks-auto.target - acts as a dependency for the built-in systemd-cryptsetup units
  3. luks-auto-clean.service - removes the temporary files created by luks-auto-key.service

And luks-auto-generator.sh is a script that systemd runs to generate units from the kernel parameters. Similar generators create units from fstab, and so on.

luks-auto-generator.sh

Using a drop-in.conf, the behaviour of the standard systemd-cryptsetup units is changed by adding luks-auto.target to their dependencies, so the stock unit (and its passphrase prompt) only runs after the key search has had its chance.
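As an added illustration (not part of the author's module), the following POSIX sh functions reproduce, on a constructed UUID and without systemd-escape or an initramfs, the naming the generator relies on: how an rd.luks.uuid= value becomes the .device unit, the stock systemd-cryptsetup@ instance that receives the drop-in, and the luks-auto@ instance, and what that drop-in contains. The sample UUID and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the article's code: derive the unit names and the drop-in
# text that luks-auto-generator.sh writes for one rd.luks.uuid= argument.

# systemd writes "-" inside a unit instance name as "\x2d" (what "systemd-escape -p"
# produces for a UUID, which contains no other special characters).
escape_uuid() {
	printf '%s' "$1" | sed 's/-/\\x2d/g'
}

# rd.luks.uuid= values may carry a "luks-" prefix; the generator strips it.
strip_luks_prefix() {
	printf '%s' "${1#luks-}"
}

# Print the three unit names the generator touches, one per line:
#   1. the .device unit the attach service binds to (BindsTo=/After=)
#   2. the stock systemd-cryptsetup@ instance that gets the drop-in
#   3. the luks-auto@ instance that tries the collected key files
unit_names_for() {
	uuid=$(strip_luks_prefix "$1")
	esc=$(escape_uuid "$uuid")
	printf 'dev-disk-by\\x2duuid-%s.device\n' "$esc"
	printf 'systemd-cryptsetup@luks\\x2d%s.service\n' "$esc"
	printf 'luks-auto@%s.service\n' "$esc"
}

# The drop-in placed in <stock unit>.d/drop-in.conf: order the stock unit after
# luks-auto.target and skip it entirely once /dev/mapper/luks-<uuid> exists.
cryptsetup_dropin_for() {
	uuid=$(strip_luks_prefix "$1")
	printf '[Unit]\nAfter=luks-auto.target\nConditionPathExists=!/dev/mapper/luks-%s\n' "$uuid"
}

# Constructed sample UUID (not from the article).
SAMPLE_UUID='luks-1a2b3c4d-0000-1111-2222-333344445555'
unit_names_for "$SAMPLE_UUID"
cryptsetup_dropin_for "$SAMPLE_UUID"
```

The escaped form is what ends up in the file names under /run/systemd/system, so a backslash really is part of those names; the unescaped UUID is only used in the /dev/mapper path and the script arguments.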

luks-auto-key.service and luks-auto-key.sh

This unit runs the luks-auto-key.sh script, which, driven by the rd.luks.* kernel parameters, looks for media containing key files and copies them into a temporary directory for later use. Once the process is complete, the keys are deleted from the temporary directory by luks-auto-clean.service.
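As an added example (not the author's luks-auto-key.sh), the functions below re-implement in plain POSIX sh the two decisions that script makes, so they can be run offline against a constructed blkid listing: parsing the sysvinit-style rd.luks.key=<keyfile>[:<UUID|LABEL|device>=<value>] argument, and selecting the block devices that will be mounted and searched. The blkid lines, device names, UUIDs and function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not the article's code: the filtering logic of luks-auto-key.sh
# in portable sh, exercised on a constructed blkid listing (no mounting, no copying).

# Split rd.luks.key=<keyfile>[:<UUID|LABEL|device>=<value>] into KEY, F_FIELD, F_VALUE.
parse_rd_luks_key() {
    KEY=${1%%:*}
    rest=${1#"$KEY"}
    rest=${rest#:}
    F_FIELD=''
    F_VALUE=''
    if [ -n "$KEY" ] && [ -n "$rest" ]; then
        F_FIELD=${rest%%=*}
        F_VALUE=${rest#"$F_FIELD"}
        F_VALUE=${F_VALUE#=}
        F_VALUE=${F_VALUE%\"}   # the kernel command line may carry quotes
        F_VALUE=${F_VALUE#\"}
    fi
}

# Print the value of one TAG="value" pair from a blkid line ($1 = line, $2 = tag).
# The leading whitespace anchor keeps PARTUUID= from matching UUID=.
blkid_tag() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p"
}

# Filesystems that cannot hold a key file: RAID/LVM members, LUKS containers, swap.
is_candidate() {
    case "$(blkid_tag "$1" TYPE)" in
        *_member|crypto_*|swap) return 1 ;;
        *) return 0 ;;
    esac
}

# Apply the rd.luks.key filter to one blkid line, mirroring luks-auto-key.sh:
# no filter matches everything, UUID=/LABEL= compare that tag, anything else is a device path.
device_matches() {
    line=$1
    case $F_FIELD in
        '')    return 0 ;;
        UUID)  have=$(blkid_tag "$line" UUID);  want=$F_VALUE ;;
        LABEL) have=$(blkid_tag "$line" LABEL); want=$F_VALUE ;;
        *)     have=${line%%:*};                want=$F_FIELD ;;
    esac
    # As in the original, an empty UUID=/LABEL= value matches every device.
    if [ -z "$want" ] || [ "$have" = "$want" ]; then
        return 0
    fi
    return 1
}

# Read blkid lines on stdin and print the devices that would be mounted and searched for $KEY.
select_devices() {
    parse_rd_luks_key "$1"
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        if is_candidate "$line" && device_matches "$line"; then
            printf '%s\n' "${line%%:*}"
        fi
    done
    return 0
}

# Constructed sample of "blkid -s TYPE -s UUID -s LABEL -u filesystem" output.
SAMPLE_BLKID='/dev/sda1: UUID="11111111-2222-3333-4444-555555555555" TYPE="xfs"
/dev/sda2: UUID="66666666-7777-8888-9999-000000000000" TYPE="crypto_LUKS"
/dev/sdb1: LABEL="KEYS" UUID="ABCD-1234" TYPE="vfat"
/dev/sdc1: UUID="aaaa-bbbb" TYPE="linux_raid_member"'

# Selected devices for one rd.luks.key value, space-separated on one line.
selected_for() {
    printf '%s\n' "$SAMPLE_BLKID" | select_devices "$1" | tr '\n' ' ' | sed 's/ $//'
}

selected_for "${1:-root.key:LABEL=KEYS}"   # prints /dev/sdb1 with no arguments
```

Note what the filter does not do: with a bare rd.luks.key=<keyfile> every mountable filesystem is searched and the first file of that name wins, so on a machine with several removable media the LABEL= or UUID= form is the one that keeps the key lookup deterministic.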

Sources:

/usr/lib/dracut/modules.d/99luks-auto/module-setup.sh

#!/bin/bash
# dracut module hooks: check() decides whether the module is usable, depends()
# names the modules it relies on, install() copies the files into the initramfs.

check () {
	if ! dracut_module_included "systemd"; then
		derror "luks-auto needs systemd in the initramfs"
		return 1
	fi
	# 255: never pulled in automatically, only via add_dracutmodules+=" luks-auto "
	return 255
}

depends () {
	echo "systemd"
	return 0
}

install () {
	inst "$systemdutildir/systemd-cryptsetup"
	# the generator runs from systemd's generator directory, the scripts from /etc/systemd/system
	inst_script "$moddir/luks-auto-generator.sh" "$systemdutildir/system-generators/luks-auto-generator.sh"
	inst_script "$moddir/luks-auto-key.sh" "/etc/systemd/system/luks-auto-key.sh"
	inst_script "$moddir/luks-auto.sh" "/etc/systemd/system/luks-auto.sh"
	inst "$moddir/luks-auto.target" "${systemdsystemunitdir}/luks-auto.target"
	inst "$moddir/luks-auto-key.service" "${systemdsystemunitdir}/luks-auto-key.service"
	inst "$moddir/luks-auto-clean.service" "${systemdsystemunitdir}/luks-auto-clean.service"
	# wire all three static units into initrd.target
	ln_r "${systemdsystemunitdir}/luks-auto.target" "${systemdsystemunitdir}/initrd.target.wants/luks-auto.target"
	ln_r "${systemdsystemunitdir}/luks-auto-key.service" "${systemdsystemunitdir}/initrd.target.wants/luks-auto-key.service"
	ln_r "${systemdsystemunitdir}/luks-auto-clean.service" "${systemdsystemunitdir}/initrd.target.wants/luks-auto-clean.service"
}

/usr/lib/dracut/modules.d/99luks-auto/luks-auto-generator.sh

#!/bin/sh
# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
# ex: ts=8 sw=4 sts=4 et filetype=sh
#
# systemd generator: runs early in the initramfs and writes transient units into
# /run/systemd/system from the rd.luks.* kernel command line arguments.

. /lib/dracut-lib.sh

SYSTEMD_RUN='/run/systemd/system'
CRYPTSETUP='/usr/lib/systemd/systemd-cryptsetup'

# rd.luks.key.tout=<seconds>: give slow USB media time to appear before the key search.
TOUT=$(getargs rd.luks.key.tout)
if [ -n "$TOUT" ]; then
	mkdir -p "${SYSTEMD_RUN}/luks-auto-key.service.d"
	cat > "${SYSTEMD_RUN}/luks-auto-key.service.d/drop-in.conf" <<EOF
[Service]
Type=oneshot
ExecStartPre=/usr/bin/sleep $TOUT

EOF
fi

mkdir -p "${SYSTEMD_RUN}/luks-auto.target.wants"
# One luks-auto@ instance per rd.luks.uuid= (or legacy rd_LUKS_UUID=) argument.
for argv in $(getargs rd.luks.uuid -d rd_LUKS_UUID); do
	_UUID=${argv#luks-}
	# systemd writes "-" in unit instance names as "\x2d"; the escaped form is used in file names.
	_UUID_ESC=$(systemd-escape -p "$_UUID")
	# Drop-in for the stock unit: wait for luks-auto.target, and skip the passphrase
	# prompt entirely if the volume has already been attached with a key file.
	mkdir -p "${SYSTEMD_RUN}/systemd-cryptsetup@luks\x2d${_UUID_ESC}.service.d"
	cat > "${SYSTEMD_RUN}/systemd-cryptsetup@luks\x2d${_UUID_ESC}.service.d/drop-in.conf" <<EOF
[Unit]
After=luks-auto.target
ConditionPathExists=!/dev/mapper/luks-${_UUID}

EOF
	cat > "${SYSTEMD_RUN}/luks-auto@${_UUID_ESC}.service" <<EOF
[Unit]
Description=luks-auto Cryptography Setup for %I
DefaultDependencies=no
Conflicts=umount.target
IgnoreOnIsolate=true
Before=luks-auto.target
BindsTo=dev-disk-by\x2duuid-${_UUID_ESC}.device
After=dev-disk-by\x2duuid-${_UUID_ESC}.device luks-auto-key.service
Before=umount.target

[Service]
Type=oneshot
RemainAfterExit=yes
TimeoutSec=0
ExecStart=/etc/systemd/system/luks-auto.sh ${_UUID}
ExecStop=$CRYPTSETUP detach 'luks-${_UUID}'
Environment=DRACUT_SYSTEMD=1
StandardInput=null
StandardOutput=syslog
StandardError=syslog+console

EOF
	ln -fs "${SYSTEMD_RUN}/luks-auto@${_UUID_ESC}.service" \
		"${SYSTEMD_RUN}/luks-auto.target.wants/luks-auto@${_UUID_ESC}.service"
done

/usr/lib/dracut/modules.d/99luks-auto/luks-auto-key.service


[Unit]
Description=LUKS AUTO key searcher
After=cryptsetup-pre.target
Before=luks-auto.target
DefaultDependencies=no

[Service]
Environment=DRACUT_SYSTEMD=1
Type=oneshot
ExecStartPre=/usr/bin/sleep 1
ExecStart=/etc/systemd/system/luks-auto-key.sh
RemainAfterExit=true
StandardInput=null
StandardOutput=syslog
StandardError=syslog+console

/usr/lib/dracut/modules.d/99luks-auto/luks-auto-key.sh

#!/bin/bash
# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
# ex: ts=8 sw=4 sts=4 et filetype=sh
# Uses bash arrays and [[ ]], so it needs bash rather than a plain POSIX sh.
export DRACUT_SYSTEMD=1

. /lib/dracut-lib.sh
MNT_B="/tmp/luks-auto"
# rd.luks.key=<keyfile>[:<UUID|LABEL|device>=<value>]  (sysvinit-compatible syntax)
ARG=$(getargs rd.luks.key)
IFS=$':' _t=(${ARG})
KEY=${_t[0]}
F_FIELD=''
F_VALUE=''
if [ -n "$KEY" ] && [ -n "${_t[1]}" ]; then
	IFS=$'=' _t=(${_t[1]})
	F_FIELD=${_t[0]}
	F_VALUE=${_t[1]}
	# strip surrounding double quotes from the filter value
	F_VALUE="${F_VALUE%\"}"
	F_VALUE="${F_VALUE#\"}"
fi
mkdir -p "$MNT_B"

# Walk every plain filesystem blkid knows about, mount the ones that pass the
# rd.luks.key filter read-only, and copy the key file to $MNT_B/<UUID>.key.
finding_luks_keys(){
	local _DEVNAME=''
	local _UUID=''
	local _TYPE=''
	local _LABEL=''
	local _MNT=''
	local _KEY="$1"
	local _F_FIELD="$2"
	local _F_VALUE="$3"
	local _RET=0
	# RAID/LVM members, LUKS containers and swap cannot hold a key file; skip them.
	blkid -s TYPE -s UUID -s LABEL -u filesystem | grep -v -E -e "TYPE=\".*_member\"" -e "TYPE=\"crypto_.*\"" -e "TYPE=\"swap\"" | while IFS=$'\n' read -r _line; do
		# "/dev/sdb1: UUID="..." TYPE="vfat" LABEL="KEYS"" -> device name, then TAG="value" pairs
		IFS=$':' _t=($_line);
		_DEVNAME=${_t[0]}
		_UUID=''
		_TYPE=''
		_LABEL=''
		_MNT=''
		IFS=$' ' _t=(${_t[1]});
		for _a in "${_t[@]}"; do
			IFS=$'=' _v=(${_a});
			temp="${_v[1]%\"}"
			temp="${temp#\"}"
			case ${_v[0]} in
				'UUID')
					_UUID=$temp
				;;
				'TYPE')
					_TYPE=$temp
				;;
				'LABEL')
					_LABEL=$temp
				;;
			esac
		done
		# Apply the optional filter: UUID=, LABEL=, or a bare device path.
		if [ -n "$_F_FIELD" ];then
			case $_F_FIELD in
				'UUID')
					[ -n "$_F_VALUE" ] && [ "$_UUID" != "$_F_VALUE" ] && continue
				;;
				'LABEL')
					[ -n "$_F_VALUE" ] && [ "$_LABEL" != "$_F_VALUE" ] && continue
				;;
				*)
					[ "$_DEVNAME" != "$_F_FIELD" ] && continue
				;;
			esac
		fi
		# Reuse an existing mount point, otherwise mount read-only under $MNT_B.
		_MNT=$(findmnt -n -o TARGET "$_DEVNAME")
		if [ -z "$_MNT" ]; then
			_MNT=${MNT_B}/KEY-${_UUID}
			mkdir -p "$_MNT" && mount -o ro "$_DEVNAME" "$_MNT"
			_RET=$?
		else
			_RET=0
		fi
		if [ "${_RET}" -eq 0 ] && [ -f "${_MNT}/${_KEY}" ]; then
			cp "${_MNT}/${_KEY}" "$MNT_B/${_UUID}.key"
			info "Found ${_MNT}/${_KEY} on ${_UUID}"
		fi
		# Only unmount what this script mounted itself.
		if [[ "${_MNT}" == "${MNT_B}"/* ]]; then
			umount "$_MNT" && rm -rfd --one-file-system "$_MNT"
		fi
	done
	return 0
}
finding_luks_keys "$KEY" "$F_FIELD" "$F_VALUE"

/usr/lib/dracut/modules.d/99luks-auto/luks-auto.target


[Unit]
Description=LUKS AUTO target
After=systemd-readahead-collect.service systemd-readahead-replay.service
After=cryptsetup-pre.target luks-auto-key.service
Before=cryptsetup.target

/usr/lib/dracut/modules.d/99luks-auto/luks-auto.sh

#!/bin/sh
# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
# ex: ts=8 sw=4 sts=4 et filetype=sh
export DRACUT_SYSTEMD=1
. /lib/dracut-lib.sh

MNT_B="/tmp/luks-auto"
CRYPTSETUP='/usr/lib/systemd/systemd-cryptsetup'

# $1 is the LUKS volume UUID; try every key file collected by luks-auto-key.sh.
for key in "$MNT_B"/*.key; do
	[ -f "$key" ] || continue
	info "Trying ${key##*/} on $1..."
	# tries=1: a wrong key fails immediately instead of falling into a passphrase prompt
	if "$CRYPTSETUP" attach "luks-$1" "/dev/disk/by-uuid/$1" "$key" 'tries=1'; then
		info "Found ${key##*/} for $1"
		exit 0
	fi
done
# Exit successfully anyway: the stock systemd-cryptsetup@ unit then asks for the passphrase.
warn "No key found for $1.  Fallback to passphrase mode."
exit 0

/usr/lib/dracut/modules.d/99luks-auto/luks-auto-clean.service

[Unit]
Description=LUKS AUTO key cleaner
After=cryptsetup.target
DefaultDependencies=no

[Service]
Type=oneshot
ExecStart=/usr/bin/rm -rfd --one-file-system /tmp/luks-auto

/etc/dracut.conf.d/luks-auto.conf

add_dracutmodules+=" luks-auto "

Setup


mkdir -p /usr/lib/dracut/modules.d/99luks-auto/
# put almost all of the files above in this directory
chmod +x /usr/lib/dracut/modules.d/99luks-auto/*.sh
# create the file /etc/dracut.conf.d/luks-auto.conf
# and generate a new initramfs
dracut -f

Conclusion

For convenience, I kept compatibility with the kernel command line options used in sysvinit mode, which makes this easy to use on older installations.

Source: www.habr.com