brendlefly62 Tux's lil' helper
Joined: 19 Dec 2009 Posts: 133
Posted: Sun Aug 24, 2014 4:02 am Post subject: [Solved] Trouble with static USE for cryptsetup and lvm2
On a stable system, I've been using a custom initramfs (root on lvm on an encrypted drive partition) since 2008. I've upgraded its parts a number of times. In December I upgraded to cryptsetup-1.6.2 and lvm2-2.02.103 (both with static USE). Today, I notice that if I try to re-emerge cryptsetup or lvm2, they want to disable the static USE flag.
I checked the ebuilds and saw that static is still a valid USE for both; I checked my package.use (both set static) and make.conf (nothing)... and I've tried to discover what is overriding the USE I have set in package.use... what changed since my last initramfs build...
How do I determine what it is that is forcing these packages to turn off the static USE flag?
Code: | # emerge -av lvm2
These are the packages that would be merged, in order:
Calculating dependencies... done!
[ebuild U ] sys-block/thin-provisioning-tools-0.3.2-r1 [0.2.8-r1] USE="{-test}" 171 kB
[ebuild U ] sys-fs/lvm2-2.02.109 [2.02.103] USE="readline static-libs thin udev (-clvm) (-cman) -device-mapper-only% -lvm1* -lvm2create_initrd (-selinux) (-static*) -systemd%" 1,448 kB
Total: 2 packages (2 upgrades), Size of downloads: 1,619 kB
|
Code: | # emerge -av cryptsetup
These are the packages that would be merged, in order:
Calculating dependencies... done!
[ebuild R ] sys-fs/cryptsetup-1.6.2 USE="gcrypt nls udev -kernel -nettle -openssl -python -reencrypt (-static*) -static-libs -urandom" PYTHON_SINGLE_TARGET="python2_7 (-python2_6%)" PYTHON_TARGETS="python2_7 (-python2_6%)" 0 kB
Total: 1 package (1 reinstall), Size of downloads: 0 kB
|
Last edited by brendlefly62 on Mon Sep 29, 2014 12:15 am; edited 1 time in total
russK l33t
Joined: 27 Jun 2006 Posts: 665
Posted: Sun Aug 24, 2014 5:10 am
I see the same thing here. It could be getting turned off by your profile. For instance, on one of my boxes, I am using default/linux/amd64/13.0/desktop/gnome/systemd. If you follow the parent file, there is a package.use.mask file in profiles/targets/systemd containing:
Code: | sys-fs/cryptsetup static static-libs
sys-fs/lvm2 static static-libs
|
Maybe you are using a systemd profile or another similar one?
I don't use cryptsetup, but I do use lvm and I have seen no ill-effects, but then again I use genkernel. I don't know if genkernel does anything special for lvm in the initrd.
HTH
brendlefly62 Tux's lil' helper
Joined: 19 Dec 2009 Posts: 133
Posted: Sun Aug 24, 2014 1:14 pm
Ok, I've looked at the profile and followed the parent file. I'm using kde desktop, and openrc with USE="... -systemd ..." in my own package.mask. In the profile parents, I see lots of profiled USEs, but I don't see any package.mask type file that would have turned the static USE off... what am I missing? (still confused)
I start in /etc/portage with make.profile -> ../../usr/portage/profiles/default/linux/amd64/13.0/desktop/kde
So I cd ../../usr/portage/profiles/default/linux/amd64/13.0/desktop/kde
Code: | # for i in $(ls); do [ ! -d $i ] && echo "---[ $i ]---------------" && cat $i | grep -v "#" ; done
---[ eapi ]---------------
5
---[ parent ]---------------
..
../../../../../../targets/desktop/kde |
So I cd ../../../../../../targets/desktop/kde
Code: | # for i in $(ls); do [ ! -d $i ] && echo "---[ $i ]---------------" && cat $i | grep -v "#" ; done
---[ eapi ]---------------
5
---[ make.defaults ]---------------
USE="consolekit declarative dri kde kipi phonon plasma policykit semantic-desktop xcomposite xinerama xscreensaver"
---[ package.use ]---------------
dev-python/PyQt4 script sql webkit
dev-qt/qtsql mysql
media-libs/gd fontconfig
sys-libs/zlib minizip
app-arch/unzip natspec
media-gfx/exiv2 xmp
dev-qt/qt-mobility multimedia
---[ package.use.force ]---------------
<kde-base/kdm-4.11.0 consolekit
---[ parent ]---------------
..
---[ use.force ]---------------
policykit
|
so I cd ..
Code: | # for i in $(ls); do [ ! -d $i ] && echo "---[ $i ]---------------" && cat $i | grep -v "#" ; done
---[ eapi ]---------------
5
---[ make.defaults ]---------------
USE="a52 aac acpi alsa bluetooth branding cairo cdda cdr consolekit cups dbus dri dts dvd dvdr emboss encode exif fam firefox flac gif gpm gtk jpeg lcms ldap libnotify mad mng mp3 mp4 mpeg ogg opengl pango pdf png policykit ppds qt3support qt4 sdl spell startup-notification svg tiff truetype vorbis udev udisks unicode upower usb wxwidgets X xcb x264 xml xv xvid"
---[ package.use ]---------------
net-libs/libpcap -bluetooth
<net-analyzer/wireshark-1.11.0 -qt4
app-emulation/emul-linux-x86-qtlibs -mng
x11-libs/libxcb xkb
x11-libs/cairo lto
media-video/mpv -sdl
<gnome-base/gvfs-1.14 gdu -udisks
dev-libs/libxml2 python
media-libs/libpng apng
sys-apps/systemd gudev introspection
sys-fs/eudev gudev introspection
sys-fs/udev gudev introspection
virtual/libgudev introspection
xfce-base/xfdesktop thunar
net-nds/openldap minimal
---[ package.use.force ]---------------
dev-libs/glib mime |
In my own package.use, I set static for both cryptsetup and lvm2 (and libraries not shown).
Code: | sys-fs/lvm2 static static-libs udev -dynamic
sys-apps/busybox mdev static -dynamic
sys-fs/cryptsetup static -dynamic
|
Here's the cryptsetup ebuild - don't see it here, either. I do see a comment about non-support for nss, but I don't think that applies because although I have nss on my system, I'm not using it as a cryptsetup backend (as far as I know).
Code: | # cat /usr/portage/sys-fs/cryptsetup/cryptsetup-1.6.2.ebuild
# Copyright 1999-2014 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: /var/cvsroot/gentoo-x86/sys-fs/cryptsetup/cryptsetup-1.6.2.ebuild,v 1.12 2014/07/25 19:59:09 ssuominen Exp $
EAPI=5
PYTHON_COMPAT=( python{2_6,2_7} )
inherit autotools python-single-r1 linux-info libtool eutils
DESCRIPTION="Tool to setup encrypted devices with dm-crypt"
HOMEPAGE="http://code.google.com/p/cryptsetup/"
SRC_URI="http://cryptsetup.googlecode.com/files/${P}.tar.bz2"
LICENSE="GPL-2+"
SLOT="0"
KEYWORDS="alpha amd64 arm hppa ia64 ~mips ppc ppc64 ~s390 ~sh sparc x86"
CRYPTO_BACKENDS="+gcrypt kernel nettle openssl"
# we don't support nss since it doesn't allow cryptsetup to be built statically
# and it's missing ripemd160 support so it can't provide full backward compatibility
IUSE="${CRYPTO_BACKENDS} nls python reencrypt static static-libs udev urandom"
REQUIRED_USE="^^ ( ${CRYPTO_BACKENDS//+/} )
python? ( ${PYTHON_REQUIRED_USE} )"
LIB_DEPEND="dev-libs/libgpg-error[static-libs(+)]
dev-libs/popt[static-libs(+)]
sys-apps/util-linux[static-libs(+)]
gcrypt? ( dev-libs/libgcrypt:0[static-libs(+)] )
nettle? ( >=dev-libs/nettle-2.4[static-libs(+)] )
openssl? ( dev-libs/openssl[static-libs(+)] )
sys-fs/lvm2[static-libs(+)]
sys-libs/e2fsprogs-libs[static-libs(+)]
udev? ( virtual/libudev[static-libs(+)] )"
# We have to always depend on ${LIB_DEPEND} rather than put behind
# !static? () because we provide a shared library which links against
# these other packages. #414665
RDEPEND="static-libs? ( ${LIB_DEPEND} )
${LIB_DEPEND//\[static-libs\(+\)\]}
python? ( ${PYTHON_DEPS} )"
DEPEND="${RDEPEND}
virtual/pkgconfig
static? ( ${LIB_DEPEND} )"
pkg_setup() {
local CONFIG_CHECK="~DM_CRYPT ~CRYPTO ~CRYPTO_CBC"
local WARNING_DM_CRYPT="CONFIG_DM_CRYPT:\tis not set (required for cryptsetup)\n"
local WARNING_CRYPTO_CBC="CONFIG_CRYPTO_CBC:\tis not set (required for kernel 2.6.19)\n"
local WARNING_CRYPTO="CONFIG_CRYPTO:\tis not set (required for cryptsetup)\n"
check_extra_config
use python && python-single-r1_pkg_setup
}
src_prepare() {
sed -i '/^LOOPDEV=/s:$: || exit 0:' tests/{compat,mode}-test || die
epatch "${FILESDIR}"/${PN}-1.6.1-openssl-static.patch
eautoreconf
}
src_configure() {
if use kernel ; then
ewarn "Note that kernel backend is very slow for this type of operation"
ewarn "and is provided mainly for embedded systems wanting to avoid"
ewarn "userspace crypto libraries."
fi
econf \
--sbindir=/sbin \
--enable-shared \
$(use_enable static static-cryptsetup) \
$(use_enable static-libs static) \
$(use_enable nls) \
$(use_enable python) \
$(use_enable reencrypt cryptsetup-reencrypt) \
$(use_enable udev) \
$(use_enable !urandom dev-random) \
--with-crypto_backend=$(for x in ${CRYPTO_BACKENDS//+/}; do use ${x} && echo ${x} ; done)
}
src_test() {
if [[ ! -e /dev/mapper/control ]] ; then
ewarn "No /dev/mapper/control found -- skipping tests"
return 0
fi
local p
for p in /dev/mapper /dev/loop* ; do
addwrite ${p}
done
default
}
src_install() {
default
if use static ; then
mv "${ED}"/sbin/cryptsetup{.static,} || die
mv "${ED}"/sbin/veritysetup{.static,} || die
use reencrypt && { mv "${ED}"/sbin/cryptsetup-reencrypt{.static,} || die ; }
fi
prune_libtool_files --modules
newconfd "${FILESDIR}"/1.0.6-dmcrypt.confd dmcrypt
newinitd "${FILESDIR}"/1.5.1-dmcrypt.rc dmcrypt
}
pkg_postinst() {
if [[ -z ${REPLACING_VERSIONS} ]] ; then
elog "Please see the example for configuring a LUKS mountpoint"
elog "in /etc/conf.d/dmcrypt"
elog
elog "If you are using baselayout-2 then please do:"
elog "rc-update add dmcrypt boot"
elog "This version introduces a command line arguement 'key_timeout'."
elog "If you want the search for the removable key device to timeout"
elog "after 10 seconds add the following to your bootloader config:"
elog "key_timeout=10"
elog "A timeout of 0 will mean it will wait indefinitely."
elog
elog "Users using cryptsetup-1.0.x (dm-crypt plain) volumes must use"
elog "a compatibility mode when using cryptsetup-1.1.x. This can be"
elog "done by specifying the cipher (-c), key size (-s) and hash (-h)."
elog "For more info, see http://code.google.com/p/cryptsetup/wiki/FrequentlyAskedQuestions#6._Issues_with_Specific_Versions_of_cryptsetup"
fi
}
|
This is what nss is doing on the system -
Code: | # equery d nss
* These packages depend on nss:
app-emulation/qemu-2.0.0 (smartcard ? dev-libs/nss)
app-office/libreoffice-bin-4.2.5.2 (>=dev-libs/nss-3.12.9)
mail-client/thunderbird-24.7.0 (>=dev-libs/nss-3.16.2)
net-misc/curl-7.36.0 (curl_ssl_nss ? dev-libs/nss)
net-misc/networkmanager-0.9.8.10-r1 (nss ? >=dev-libs/nss-3.11)
www-client/firefox-24.7.0 (>=dev-libs/nss-3.16.2)
www-plugins/adobe-flash-11.2.202.400 (abi_x86_64 ? dev-libs/nss)
(>=dev-libs/nss-3.15.4[abi_x86_32(-)])
(x86 ? dev-libs/nss)
|
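russK's suggestion above is to follow the parent file until a package.use.mask turns up, which is what the manual cd-and-cat walk in this post attempts. The script below is an added example, not code from the thread or from Portage: it walks the parent chain of a profile directory recursively and reports every profile file that mentions a given package, so a mask several levels up is found without visiting each directory by hand. On a real system the starting point is the target of the /etc/portage/make.profile symlink; here a small profile tree mimicking the layout quoted in the thread is constructed in a temporary directory. Only plain relative parent entries are handled (an assumption; the repo:path form in newer profiles is not covered).

```shell
#!/bin/sh
# Added example (not from the thread): walk a Portage profile's parent chain
# and report the profile files that mention a package. Profile tree below is
# constructed; on a real box start from /etc/portage/make.profile.

# Print the profile directories stacked for profile $1, one per line, in the
# order Portage applies them: every parent (recursively) before the profile
# itself. The body runs in a subshell so recursion keeps its own variables.
profile_chain() (
    cd "$1" 2>/dev/null || exit 1
    dir=$(pwd -P)
    if [ -f "$dir/parent" ]; then
        # each line of "parent" is a path relative to this profile directory
        while IFS= read -r p || [ -n "$p" ]; do
            case "$p" in ''|'#'*) continue ;; esac
            profile_chain "$dir/$p" || exit 1
        done < "$dir/parent"
    fi
    printf '%s\n' "$dir"
)

# For profile $1, print "FILE: LINE" for every line mentioning $2 in the
# USE-related package files of each stacked directory. Later output comes
# from profiles that override the earlier ones.
grep_profile_chain() {
    profile_chain "$1" | awk '!seen[$0]++' | while IFS= read -r d; do
        for f in package.use package.use.force package.use.mask \
                 package.use.stable.mask use.mask use.force; do
            if [ -f "$d/$f" ]; then
                grep -- "$2" "$d/$f" | sed "s|^|$d/$f: |"
            fi
        done
    done
}

# Constructed sample tree: a gnome/systemd profile that inherits
# targets/systemd, where the masks quoted in the thread live.
demo=$(mktemp -d)
prof="$demo/profiles"
mkdir -p "$prof/targets/systemd" "$prof/default/linux/amd64/13.0/desktop/gnome/systemd"
printf 'sys-fs/cryptsetup static static-libs\nsys-fs/lvm2 static static-libs\n' \
    > "$prof/targets/systemd/package.use.mask"
printf 'sys-fs/udev gudev introspection\n' \
    > "$prof/default/linux/amd64/13.0/desktop/package.use"
printf '..\n' > "$prof/default/linux/amd64/13.0/desktop/gnome/parent"
printf '..\n../../../../../../../targets/systemd\n' \
    > "$prof/default/linux/amd64/13.0/desktop/gnome/systemd/parent"

start="$prof/default/linux/amd64/13.0/desktop/gnome/systemd"
chain=$(profile_chain "$start")                        # 4 directories
lvm2_hits=$(grep_profile_chain "$start" 'sys-fs/lvm2') # the targets/systemd mask
udev_hits=$(grep_profile_chain "$start" 'sys-fs/udev') # the desktop package.use
rm -rf "$demo"
printf '%s\n' "$chain" "$lvm2_hits" "$udev_hits"
```

Run it against a real tree with `grep_profile_chain "$(readlink -f /etc/portage/make.profile)" sys-fs/lvm2`; the last matching line printed is the one that wins, and a hit in package.use.mask or package.use.stable.mask is what produces the `(-static*)` seen in the emerge output.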
Hu Moderator
Joined: 06 Mar 2007 Posts: 21489
Posted: Sun Aug 24, 2014 4:27 pm
brendlefly62 wrote: | So I cd ../../usr/portage/profiles/default/linux/amd64/13.0/desktop/kde
Code: | # for i in $(ls); do [ ! -d $i ] && echo "---[ $i ]---------------" && cat $i | grep -v "#" ; done |
|
This is bad practice for several reasons. Never use ls to feed other commands. Use [ -f "$i" ] to test if it is a file, since there are unreadable non-directories such as FIFOs and local domain sockets. Never engage in useless use of cat. Use grep -v "#" "$i" to read the file.
With regard to your actual problem, do you need static lvm/cryptsetup? You could instead put the required glibc libraries in the initramfs, then use regular non-static tools in the initramfs.
SamuliSuominen Retired Dev
Joined: 30 Sep 2005 Posts: 2133 Location: Finland
Posted: Sun Aug 24, 2014 5:17 pm
It's because USE="static" is broken:
https://bugs.gentoo.org/show_bug.cgi?id=496612
https://bugs.gentoo.org/show_bug.cgi?id=520450
Instead of using USE="static", the required dynamic libraries should be copied to the initramfs, like both dracut and genkernel do.
However, you can still unmask USE="static" by file in /etc/portage/profile/package.use.stable.mask
Code: |
# mkdir -p /etc/portage/profile
# echo 'sys-fs/cryptsetup -static' >> /etc/portage/profile/package.use.stable.mask
# echo 'sys-fs/lvm2 -static' >> /etc/portage/profile/package.use.stable.mask
|
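Both Hu and ssuominen recommend copying the dynamic libraries into the initramfs rather than fighting the static mask. The following is an added example, not code from the thread, from dracut or from genkernel: it parses ldd output into the list of shared objects a binary needs and stages the binary plus those objects under an initramfs root, keeping their absolute paths. The ldd output at the bottom is constructed for the demonstration (the library names are hypothetical); on a real system ldd_paths consumes `ldd /sbin/cryptsetup` directly.

```shell
#!/bin/sh
# Added example (not from the thread): stage a dynamically linked tool and
# its shared objects into an initramfs root instead of building USE="static".
# Uses only ldd, awk, mkdir and cp.

# Read ldd output on stdin, print one absolute path per line. ldd lines come
# in these shapes:
#   libc.so.6 => /lib64/libc.so.6 (0x...)   resolved library, path in field 3
#   /lib64/ld-linux-x86-64.so.2 (0x...)     the dynamic loader, path in field 1
#   linux-vdso.so.1 (0x...)                 kernel-provided, no file to copy
#   libfoo.so.1 => not found                unresolved, skipped here
ldd_paths() {
    awk '
        / => not found/ { next }
        / => \// { print $3; next }
        $1 ~ /^\// { print $1 }
    '
}

# Read ldd output on stdin, print the soname of each unresolved library.
ldd_missing() {
    awk '/ => not found/ { print $1 }'
}

# Copy binary $1 and every library ldd reports for it into staging root $2,
# keeping absolute paths, so /lib64/libc.so.6 lands at $2/lib64/libc.so.6 and
# the loader sits where the ELF interpreter path expects it. cp -L follows
# symlinks so the initramfs gets the real files. Refuses to stage a binary
# with unresolved libraries, which would otherwise only fail at boot.
install_with_libs() {
    bin=$1
    root=$2
    if [ -n "$(ldd "$bin" | ldd_missing)" ]; then
        echo "install_with_libs: $bin has unresolved libraries:" >&2
        ldd "$bin" | ldd_missing >&2
        return 1
    fi
    # read line by line so a path containing whitespace stays one path
    { printf '%s\n' "$bin"; ldd "$bin" | ldd_paths; } | while IFS= read -r f; do
        mkdir -p "$root$(dirname "$f")" && cp -L "$f" "$root$f" || exit 1
    done
}

# Constructed ldd output for a hypothetical cryptsetup binary.
sample_ldd='    linux-vdso.so.1 (0x00007ffd5a3f2000)
    libcryptsetup.so.4 => /usr/lib64/libcryptsetup.so.4 (0x00007f4c2e000000)
    libpopt.so.0 => /usr/lib64/libpopt.so.0 (0x00007f4c2dc00000)
    libexample-missing.so.1 => not found
    libc.so.6 => /lib64/libc.so.6 (0x00007f4c2d800000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f4c2e400000)'

paths=$(printf '%s\n' "$sample_ldd" | ldd_paths)     # 4 paths, vdso excluded
missing=$(printf '%s\n' "$sample_ldd" | ldd_missing) # libexample-missing.so.1
printf '%s\n' "$paths" "missing: $missing"
# Real usage (not run here): install_with_libs /sbin/cryptsetup /tmp/initramfs-root
```

Staging with the loader included is what makes the non-static binary usable before the real root is mounted; checking ldd_missing first turns a boot-time failure into a build-time one.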
russK l33t
Joined: 27 Jun 2006 Posts: 665
Posted: Sun Aug 24, 2014 5:32 pm
ssuominen wrote: | It's because USE="static" is broken: |
Bummer.
brendlefly62, maybe the size of the initramfs will be ok for you. Here is what mine have been over time:
Code: | # du -h /boot/initram*
3.9M /boot/initramfs-genkernel-x86_64-2.6.34-gentoo-r1
3.9M /boot/initramfs-genkernel-x86_64-2.6.36-gentoo-r5
3.9M /boot/initramfs-genkernel-x86_64-2.6.37-gentoo-r4
4.9M /boot/initramfs-genkernel-x86_64-2.6.38-gentoo-r6
4.9M /boot/initramfs-genkernel-x86_64-2.6.39-gentoo-r3
6.1M /boot/initramfs-genkernel-x86_64-3.10.17-gentoo
4.8M /boot/initramfs-genkernel-x86_64-3.10.7-gentoo
4.9M /boot/initramfs-genkernel-x86_64-3.10.7-gentoo-r1
6.1M /boot/initramfs-genkernel-x86_64-3.12.13-gentoo
6.2M /boot/initramfs-genkernel-x86_64-3.12.21-gentoo-r1
6.2M /boot/initramfs-genkernel-x86_64-3.14.14-gentoo
5.1M /boot/initramfs-genkernel-x86_64-3.1.6-gentoo
5.7M /boot/initramfs-genkernel-x86_64-3.2.1-gentoo-r2
6.2M /boot/initramfs-genkernel-x86_64-3.3.8-gentoo
4.0M /boot/initramfs-genkernel-x86_64-3.4.9-gentoo
4.0M /boot/initramfs-genkernel-x86_64-3.5.7-gentoo
4.1M /boot/initramfs-genkernel-x86_64-3.7.10-gentoo
4.1M /boot/initramfs-genkernel-x86_64-3.7.10-gentoo-r1
5.1M /boot/initramfs-genkernel-x86_64-3.7.9-gentoo
4.1M /boot/initramfs-genkernel-x86_64-3.8.13-gentoo
4.7M /boot/initramfs-genkernel-x86_64-3.9.9-gentoo
|
My boot partition is only 69% full
brendlefly62 Tux's lil' helper
Joined: 19 Dec 2009 Posts: 133
Posted: Sun Sep 07, 2014 1:39 pm
ssuominen and russK -- thanks for the guidance. I am working to include the necessary libs in my custom initramfs, and I'll post a "[solved]" update when I get it working ("never give up").
Hu -- Thanks for the lesson:
Quote: | brendlefly62 wrote:
So I cd ../../usr/portage/profiles/default/linux/amd64/13.0/desktop/kde
Code: | # for i in $(ls); do [ ! -d $i ] && echo "---[ $i ]---------------" && cat $i | grep -v "#" ; done |
This is bad practice for several reasons. Never use ls to feed other commands. Use [ -f "$i" ] to test if it is a file, since there are unreadable non-directories such as FIFOs and local domain sockets. Never engage in useless use of cat. Use grep -v "#" "$i" to read the file. |
Is this better?
Code: | # cd /usr/portage/profiles/targets/desktop/kde
# for i in $(find . -type f); do echo; echo "---[ file: $i ]-------"; grep -v "#" "$i"; done |
Output:
Code: |
---[ file: ./make.defaults ]-------
USE="consolekit declarative dri kde kipi phonon plasma policykit semantic-desktop xcomposite xinerama xscreensaver"
---[ file: ./use.force ]-------
policykit
---[ file: ./parent ]-------
..
---[ file: ./package.use ]-------
dev-python/PyQt4 script sql webkit
dev-qt/qtsql mysql
media-libs/gd fontconfig
sys-libs/zlib minizip
app-arch/unzip natspec
media-gfx/exiv2 xmp
dev-qt/qt-mobility multimedia
---[ file: ./package.use.force ]-------
<kde-base/kdm-4.11.0 consolekit
---[ file: ./eapi ]-------
5
|
Hu Moderator
Joined: 06 Mar 2007 Posts: 21489
Posted: Sun Sep 07, 2014 4:18 pm
brendlefly62 wrote: | Hu -- Thanks for the lesson:
Is this better?
Code: | # cd /usr/portage/profiles/targets/desktop/kde
# for i in $(find . -type f); do echo; echo "---[ file: $i" ]-------; grep -v "#" "$i"; done |
|
Better, but still not what I would recommend. Using find is preferred over ls, but your usage is still subject to being confused by embedded whitespace. To demonstrate:
Code: | touch './a b.x'
for i in $(find . -name \*.x -type f); do echo "$i"; cat "$i"; done |
To fix, use instead:
Code: | find . -name \*.x -type f -print0 | while read -d '' i; do echo "$i"; done |
However, this runs the loop in a subshell, so variables set inside the loop are not visible after the loop ends. If you need this, and can assume GNU bash (instead of POSIX-compatible sh), use:
Code: | while read -d '' i; do echo "$i"; done < <( find . -name \*.x -type f -print0) |
brendlefly62 Tux's lil' helper
Joined: 19 Dec 2009 Posts: 133
Posted: Mon Sep 29, 2014 12:46 am
Hu, russK, ssuominen,
Thanks for the help -- I've marked the original post [Solved].
Just to follow up, I did validate the procedure above by completing two separate builds of a successful initramfs without the static USE flag on cryptsetup or lvm2, by including all the necessary libraries.
For the first build, I did all that manually, and for the second, I wrote a script that does it all... For a luks encrypted disk with lvm vg/lv inside for at least / and /usr, my mkinitramfs.sh will create a complete initramfs structure, and my makeinitramfs.sh will compile and install it into /boot.
Unlike that produced by genkernel or dracut, my initramfs includes a custom init script that reads init.conf and a cryptab in the initramfs and can unlock and mount encrypted block devices (which can be identified by UUID or /dev/<name>) using either a passphrase supplied interactively during boot, or a keyfile supplied on a removable block device (e.g. SD card, USB drive, floppy, etc.), or both keyfile AND passphrase if you want two-factor authentication.
I don't expect it's worth anything for anyone else, but I enjoyed doing it, and I learned a lot in the process -- including more practice with Hu's point about handling whitespace.