How to shut down initramfs-activated dm-crypt volumes?

[Irom]

Hi,

my setup: I have 13 logical volumes: 3 are unencrypted (/boot/, /usr/, /usr/portage/), the rest are encrypted.
"/" is an encrypted volume too, so I made an initramfs.
I don't have to type 10 passwords during boot, the initramfs luksOpen's all volumes with the same password, that I only have to type once.

Gentoo isn't involved in bringing up the encrypted volumes, and therefore doesn't know about them. This works fine during boot, but on shutdown my problems begin:

• Where to luksClose?
  
  • the only possibility that I found to do my own luksClose was overwriting /lib/rcscripts/addons/dm-crypt-stop.sh. Not the best solution, because I would have to take care that the file never gets overwritten. Writing an init.d-script didn't work, because there is no way to run it after umount, but before lvm-stop.sh AFAICT.
    
  • /etc/conf.d/dmcrypt doesn't work, because I only need gentoo to *stop* the volumes
• Gentoo can't stop LVM/RAID
  • /lib/rcscripts/addons/lvm-stop.sh is not able to stop the volume group (can't deactivate volume group"), because the encrypted root ist still active.
    
  • the vgchange command (/sbin/lvchange --config "${config}" --sysinit -a ln ${VGS}) used in /lib/rcscripts/addons/lvm-stop.sh results in "node ... was not removed by udev. Falling back to direct node removal". udev ist still running at this point. The activation in initramfs works fine, without any error messages.
    

Can anybody nudge me in the right direction how to deactivate dm-crypt volumes during shutdown in baselayout1?

Or maybe there is a better way to do this? I don't want to do RAID -> fdisk -> dm-crypt -> lvm, because that seems very inflexible. I don't want to use genkernel or /etc/conf.d/dmcrypt, because (I guess) it doesn't allow me to decrypt all volumes with a single password prompt. I don't want to use key files, because I don't want to store the keys on disk.
_________________
http://ftp.fukt.bsnet.se/pub/movies/stallman/ (Please watch this before you form an opinion about GNU)
https://apfelboymchen.net/gnu/

[stelardactek]

I actually have a similar problem. I'm not using encryption, but I have the same issue with /lib/rcscripts/addons/lvm-stop.sh trying (and failing) to deactivate the volume group at shutdown because the root LV is still active (and cannot be deactivated because / is still mounted).
I'm thinking the way to properly unmount and deactivate the root LV is to have the system mount a RAM FS at shutdown and swap to that. But I don't know how to go about doing that, or how to get lvm-stop.sh to give an unsightly error message when it tries to do that too early...

[cach0rr0]

I'd be happy if I got an initramfs that actually worked for crypt-root. Every attempt I've made has failed. Got it working years ago, no idea how I did it =/


</unhelpful off-topic reply>

The only thing I could possibly suggest, which is likely an idea you've had already as you mention your BL version, is drawing inspiration from the init script used for this on BL2. No idea how it would handle root unfortunately.
_________________
Lost configuring your system?
dump lspci -n here | see Pappy's guide | Link Stash

[frostschutz]

You're seeing problems where there are none. luksClose and deactivating LVM do not actually write anything on disk, they just remove the kernel resources that allow access to the mapped devices. The same thing will happen anyway when you shutdown / reboot, so you can just skip that step entirely. What your system already should do is remount the root partition read-only during shutdown; once that's done, all physical write operations are done too, and it's safe to cut power at that point. Strictly speaking, you could remove lvm-stop.sh entirely since all it does is waste time. It's still good to have it though so it can show error messages if there is actually something really wrong with your setup (like when there's something still mounted that shouldn't be - can't be helped for the root partition).

If you really wanted to, you could put in some effort to work around this, like switching the root partition back to a memory file system (same way you switch from initramfs to the root partition). However getting that right is not easy (you have to obtain, and exec the init process itself, can't be done in an init subscript), and the effort is entirely pointless.

[Irom]

Thanks all for the answers.

I kind of worked around the dm-crypt problem: after configuring /etc/conf.d/dmcrypt I get informational messages that the encrypted volumes are already opened at boot, and gentoo takes care of them at shutdown. I can live with that.

[stelardactek]

Thank you, frostschutz. I do hope you're right about this.

[frostschutz]

[Irom]