Gentoo Forums
[Solved] Trouble with static USE for cryptsetup and lvm2
brendlefly62
Tux's lil' helper
Joined: 19 Dec 2009
Posts: 133

Posted: Sun Aug 24, 2014 4:02 am    Post subject: [Solved] Trouble with static USE for cryptsetup and lvm2

On a stable system, I've been using a custom initramfs (root on lvm on encrypted drive partition) since 2008. I've upgraded its parts a number of times. In December I upgraded to cryptsetup-1.6.2 and lvm2-2.02.103 (both with static USE). Today, I notice that if I try to re-emerge cryptsetup or lvm2, they want to disable the static USE flag.

I checked the ebuilds and saw that static is still a valid USE for both; I checked my package.use (both set static) and make.conf (nothing)... and I've tried to discover what is overriding the USE I have set in package.use... what changed since my last initramfs build...

How do I determine what it is that is forcing these packages to turn off the static USE flag? :?

Code:
# emerge -av lvm2

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild     U  ] sys-block/thin-provisioning-tools-0.3.2-r1 [0.2.8-r1] USE="{-test}" 171 kB
[ebuild     U  ] sys-fs/lvm2-2.02.109 [2.02.103] USE="readline static-libs thin udev (-clvm) (-cman) -device-mapper-only% -lvm1* -lvm2create_initrd (-selinux) (-static*) -systemd%" 1,448 kB

Total: 2 packages (2 upgrades), Size of downloads: 1,619 kB


Code:
# emerge -av cryptsetup

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild   R    ] sys-fs/cryptsetup-1.6.2  USE="gcrypt nls udev -kernel -nettle -openssl -python -reencrypt (-static*) -static-libs -urandom" PYTHON_SINGLE_TARGET="python2_7 (-python2_6%)" PYTHON_TARGETS="python2_7 (-python2_6%)" 0 kB

Total: 1 package (1 reinstall), Size of downloads: 0 kB


Last edited by brendlefly62 on Mon Sep 29, 2014 12:15 am; edited 1 time in total
russK
l33t
Joined: 27 Jun 2006
Posts: 665

Posted: Sun Aug 24, 2014 5:10 am

I see the same thing here. It could be getting turned off by your profile. For instance, on one of my boxes, I am using default/linux/amd64/13.0/desktop/gnome/systemd. If you follow the parent file, there is a package.use.mask file in profiles/targets/systemd containing:

Code:
sys-fs/cryptsetup static static-libs
sys-fs/lvm2 static static-libs



Maybe you are using a systemd profile or another similar?

I don't use cryptsetup, but I do use lvm and I have seen no ill-effects, but then again I use genkernel. I don't know if genkernel does anything special for lvm in the initrd.

HTH
brendlefly62
Tux's lil' helper
Joined: 19 Dec 2009
Posts: 133

Posted: Sun Aug 24, 2014 1:14 pm

Ok, I've looked at the profile and followed the parent file. I'm using kde desktop, and openrc with USE="... -systemd ..." in my own package.mask. In the profile parents, I see lots of profiled USEs, but I don't see any package.mask type file that would have turned the static USE off... what am I missing? (still confused :? )

I start in /etc/portage with make.profile -> ../../usr/portage/profiles/default/linux/amd64/13.0/desktop/kde

So I cd ../../usr/portage/profiles/default/linux/amd64/13.0/desktop/kde
Code:
# for i in $(ls); do [ ! -d $i ] && echo "---[ $i ]---------------" && cat $i | grep -v "#" ; done
---[ eapi ]---------------
5
---[ parent ]---------------
..
../../../../../../targets/desktop/kde

So I cd ../../../../../../targets/desktop/kde
Code:
# for i in $(ls); do [ ! -d $i ] && echo "---[ $i ]---------------" && cat $i | grep -v "#" ; done
---[ eapi ]---------------
5
---[ make.defaults ]---------------
USE="consolekit declarative dri kde kipi phonon plasma policykit semantic-desktop xcomposite xinerama xscreensaver"
---[ package.use ]---------------
dev-python/PyQt4 script sql webkit
dev-qt/qtsql mysql
media-libs/gd fontconfig
sys-libs/zlib minizip
app-arch/unzip natspec
media-gfx/exiv2 xmp
dev-qt/qt-mobility multimedia
---[ package.use.force ]---------------
<kde-base/kdm-4.11.0 consolekit
---[ parent ]---------------
..
---[ use.force ]---------------
policykit

so I cd ..
Code:
# for i in $(ls); do [ ! -d $i ] && echo "---[ $i ]---------------" && cat $i | grep -v "#" ; done
---[ eapi ]---------------
5
---[ make.defaults ]---------------
USE="a52 aac acpi alsa bluetooth branding cairo cdda cdr consolekit cups dbus dri dts dvd dvdr emboss encode exif fam firefox flac gif gpm gtk jpeg lcms ldap libnotify mad mng mp3 mp4 mpeg ogg opengl pango pdf png policykit ppds qt3support qt4 sdl spell startup-notification svg tiff truetype vorbis udev udisks unicode upower usb wxwidgets X xcb x264 xml xv xvid"
---[ package.use ]---------------
net-libs/libpcap -bluetooth
<net-analyzer/wireshark-1.11.0 -qt4
app-emulation/emul-linux-x86-qtlibs -mng
x11-libs/libxcb xkb
x11-libs/cairo lto
media-video/mpv -sdl
<gnome-base/gvfs-1.14 gdu -udisks
dev-libs/libxml2 python
media-libs/libpng apng
sys-apps/systemd gudev introspection
sys-fs/eudev gudev introspection
sys-fs/udev gudev introspection
virtual/libgudev introspection
xfce-base/xfdesktop thunar
net-nds/openldap minimal
---[ package.use.force ]---------------
dev-libs/glib mime

In my own package.use, I set static for both cryptsetup and lvm2 (and libraries not shown)
Code:
sys-fs/lvm2 static static-libs udev -dynamic
sys-apps/busybox mdev static -dynamic
sys-fs/cryptsetup static -dynamic


Here's the cryptsetup ebuild - don't see it here, either. I do see a comment about non-support for nss, but I don't think that applies because although I have nss on my system, I'm not using it as a cryptsetup backend (as far as I know).
Code:
# cat /usr/portage/sys-fs/cryptsetup/cryptsetup-1.6.2.ebuild
# Copyright 1999-2014 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: /var/cvsroot/gentoo-x86/sys-fs/cryptsetup/cryptsetup-1.6.2.ebuild,v 1.12 2014/07/25 19:59:09 ssuominen Exp $

EAPI=5
PYTHON_COMPAT=( python{2_6,2_7} )

inherit autotools python-single-r1 linux-info libtool eutils

DESCRIPTION="Tool to setup encrypted devices with dm-crypt"
HOMEPAGE="http://code.google.com/p/cryptsetup/"
SRC_URI="http://cryptsetup.googlecode.com/files/${P}.tar.bz2"

LICENSE="GPL-2+"
SLOT="0"
KEYWORDS="alpha amd64 arm hppa ia64 ~mips ppc ppc64 ~s390 ~sh sparc x86"
CRYPTO_BACKENDS="+gcrypt kernel nettle openssl"
# we don't support nss since it doesn't allow cryptsetup to be built statically
# and it's missing ripemd160 support so it can't provide full backward compatibility
IUSE="${CRYPTO_BACKENDS} nls python reencrypt static static-libs udev urandom"
REQUIRED_USE="^^ ( ${CRYPTO_BACKENDS//+/} )
   python? ( ${PYTHON_REQUIRED_USE} )"

LIB_DEPEND="dev-libs/libgpg-error[static-libs(+)]
   dev-libs/popt[static-libs(+)]
   sys-apps/util-linux[static-libs(+)]
   gcrypt? ( dev-libs/libgcrypt:0[static-libs(+)] )
   nettle? ( >=dev-libs/nettle-2.4[static-libs(+)] )
   openssl? ( dev-libs/openssl[static-libs(+)] )
   sys-fs/lvm2[static-libs(+)]
   sys-libs/e2fsprogs-libs[static-libs(+)]
   udev? ( virtual/libudev[static-libs(+)] )"
# We have to always depend on ${LIB_DEPEND} rather than put behind
# !static? () because we provide a shared library which links against
# these other packages. #414665
RDEPEND="static-libs? ( ${LIB_DEPEND} )
   ${LIB_DEPEND//\[static-libs\(+\)\]}
   python? ( ${PYTHON_DEPS} )"
DEPEND="${RDEPEND}
   virtual/pkgconfig
   static? ( ${LIB_DEPEND} )"

pkg_setup() {
   local CONFIG_CHECK="~DM_CRYPT ~CRYPTO ~CRYPTO_CBC"
   local WARNING_DM_CRYPT="CONFIG_DM_CRYPT:\tis not set (required for cryptsetup)\n"
   local WARNING_CRYPTO_CBC="CONFIG_CRYPTO_CBC:\tis not set (required for kernel 2.6.19)\n"
   local WARNING_CRYPTO="CONFIG_CRYPTO:\tis not set (required for cryptsetup)\n"
   check_extra_config

   use python && python-single-r1_pkg_setup
}

src_prepare() {
   sed -i '/^LOOPDEV=/s:$: || exit 0:' tests/{compat,mode}-test || die
   epatch "${FILESDIR}"/${PN}-1.6.1-openssl-static.patch
   eautoreconf
}

src_configure() {
   if use kernel ; then
      ewarn "Note that kernel backend is very slow for this type of operation"
      ewarn "and is provided mainly for embedded systems wanting to avoid"
      ewarn "userspace crypto libraries."
   fi

   econf \
      --sbindir=/sbin \
      --enable-shared \
      $(use_enable static static-cryptsetup) \
      $(use_enable static-libs static) \
      $(use_enable nls) \
      $(use_enable python) \
      $(use_enable reencrypt cryptsetup-reencrypt) \
      $(use_enable udev) \
      $(use_enable !urandom dev-random) \
      --with-crypto_backend=$(for x in ${CRYPTO_BACKENDS//+/}; do use ${x} && echo ${x} ; done)
}

src_test() {
   if [[ ! -e /dev/mapper/control ]] ; then
      ewarn "No /dev/mapper/control found -- skipping tests"
      return 0
   fi
   local p
   for p in /dev/mapper /dev/loop* ; do
      addwrite ${p}
   done
   default
}

src_install() {
   default
   if use static ; then
      mv "${ED}"/sbin/cryptsetup{.static,} || die
      mv "${ED}"/sbin/veritysetup{.static,} || die
      use reencrypt && { mv "${ED}"/sbin/cryptsetup-reencrypt{.static,} || die ; }
   fi
   prune_libtool_files --modules

   newconfd "${FILESDIR}"/1.0.6-dmcrypt.confd dmcrypt
   newinitd "${FILESDIR}"/1.5.1-dmcrypt.rc dmcrypt
}

pkg_postinst() {
   if [[ -z ${REPLACING_VERSIONS} ]] ; then
      elog "Please see the example for configuring a LUKS mountpoint"
      elog "in /etc/conf.d/dmcrypt"
      elog
      elog "If you are using baselayout-2 then please do:"
      elog "rc-update add dmcrypt boot"
      elog "This version introduces a command line arguement 'key_timeout'."
      elog "If you want the search for the removable key device to timeout"
      elog "after 10 seconds add the following to your bootloader config:"
      elog "key_timeout=10"
      elog "A timeout of 0 will mean it will wait indefinitely."
      elog
      elog "Users using cryptsetup-1.0.x (dm-crypt plain) volumes must use"
      elog "a compatibility mode when using cryptsetup-1.1.x. This can be"
      elog "done by specifying the cipher (-c), key size (-s) and hash (-h)."
      elog "For more info, see http://code.google.com/p/cryptsetup/wiki/FrequentlyAskedQuestions#6._Issues_with_Specific_Versions_of_cryptsetup"
   fi
}

This is what nss is doing on the system -
Code:
# equery d nss
 * These packages depend on nss:
app-emulation/qemu-2.0.0 (smartcard ? dev-libs/nss)
app-office/libreoffice-bin-4.2.5.2 (>=dev-libs/nss-3.12.9)
mail-client/thunderbird-24.7.0 (>=dev-libs/nss-3.16.2)
net-misc/curl-7.36.0 (curl_ssl_nss ? dev-libs/nss)
net-misc/networkmanager-0.9.8.10-r1 (nss ? >=dev-libs/nss-3.11)
www-client/firefox-24.7.0 (>=dev-libs/nss-3.16.2)
www-plugins/adobe-flash-11.2.202.400 (abi_x86_64 ? dev-libs/nss)
                                     (>=dev-libs/nss-3.15.4[abi_x86_32(-)])
                                     (x86 ? dev-libs/nss)
Hu
Moderator
Joined: 06 Mar 2007
Posts: 21489

Posted: Sun Aug 24, 2014 4:27 pm

brendlefly62 wrote:
So I cd ../../usr/portage/profiles/default/linux/amd64/13.0/desktop/kde
Code:
# for i in $(ls); do [ ! -d $i ] && echo "---[ $i ]---------------" && cat $i | grep -v "#" ; done
This is bad practice for several reasons. Never use ls to feed other commands. Use [ -f "$i" ] to test if it is a file, since there are unreadable non-directories such as FIFOs and local domain sockets. Never engage in useless use of cat. Use grep -v "#" "$i" to read the file.

With regard to your actual problem, do you need static lvm/cryptsetup? You could instead put the required glibc libraries in the initramfs, then use regular non-static tools in the initramfs.
SamuliSuominen
Retired Dev
Joined: 30 Sep 2005
Posts: 2133
Location: Finland

Posted: Sun Aug 24, 2014 5:17 pm

It's because USE="static" is broken:

https://bugs.gentoo.org/show_bug.cgi?id=496612
https://bugs.gentoo.org/show_bug.cgi?id=520450

Instead of using USE="static", the required dynamic libraries should be copied to the initramfs, like both dracut and genkernel do.

However, you can still unmask USE="static" with a file at /etc/portage/profile/package.use.stable.mask

Code:

# mkdir -p /etc/portage/profile
# echo 'sys-fs/cryptsetup -static' >> /etc/portage/profile/package.use.stable.mask
# echo 'sys-fs/lvm2 -static' >> /etc/portage/profile/package.use.stable.mask
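The question that opened the thread, which profile file is overriding `static`, can be answered mechanically by following every `parent` file and searching the per-package mask and force files, including the `package.use.stable.mask` named above. The script below is an added example, not code from any poster or from Portage; the function names are hypothetical and it assumes `parent` entries are plain relative paths.

```sh
#!/bin/sh
# Added example, not code from the thread. Assumes parent entries are relative
# directory paths; "repo:path" style entries are skipped.

# Per-package files through which a profile can mask or force a USE flag.
OVERRIDE_FILES="package.use.mask package.use.force package.use.stable.mask package.use.stable.force"

# walk_profile DIR: print every ancestor of DIR (parents first), then DIR.
# The ( ) body runs each call in a subshell, so recursion keeps its own vars.
walk_profile() (
    dir=$(cd "$1" 2>/dev/null && pwd -P) || exit 0
    if [ -f "$dir/parent" ]; then
        while IFS= read -r p || [ -n "$p" ]; do
            case $p in ''|'#'*) continue ;; esac
            walk_profile "$dir/$p"
        done < "$dir/parent"
    fi
    printf '%s\n' "$dir"
)

# find_use_overrides PROFILE_DIR CATEGORY/PACKAGE
# Print "file: entry" for each mask/force line whose atom names the package.
find_use_overrides() {
    walk_profile "$1" | awk '!seen[$0]++' | while IFS= read -r d; do
        for f in $OVERRIDE_FILES; do
            [ -f "$d/$f" ] || continue
            awk -v atom="$2" -v file="$d/$f" '
                /^[ \t]*#/ || NF == 0 { next }
                {
                    a = $1
                    if (a ~ /^[<>=~!]/) {          # versioned atom
                        gsub(/^[<>=~!]+/, "", a)   # drop the operator
                        sub(/-[0-9].*$/, "", a)    # drop the version
                    }
                    sub(/:.*$/, "", a)             # drop a slot suffix
                }
                a == atom { print file ": " $0 }' "$d/$f"
        done
    done
}

# Typical calls on a Gentoo box (paths as used in the thread):
#   find_use_overrides /etc/portage/make.profile sys-fs/cryptsetup
#   find_use_overrides /etc/portage/profile sys-fs/lvm2
```

The second call covers the user's own `/etc/portage/profile`, which is where the unmask entries from the post above end up.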
russK
l33t
Joined: 27 Jun 2006
Posts: 665

Posted: Sun Aug 24, 2014 5:32 pm

ssuominen wrote:
It's because USE="static" is broken:

Bummer.

brendlefly62, maybe the size of the initramfs will be ok for you. Here is what mine have been over time:

Code:
# du -h /boot/initram*
3.9M   /boot/initramfs-genkernel-x86_64-2.6.34-gentoo-r1
3.9M   /boot/initramfs-genkernel-x86_64-2.6.36-gentoo-r5
3.9M   /boot/initramfs-genkernel-x86_64-2.6.37-gentoo-r4
4.9M   /boot/initramfs-genkernel-x86_64-2.6.38-gentoo-r6
4.9M   /boot/initramfs-genkernel-x86_64-2.6.39-gentoo-r3
6.1M   /boot/initramfs-genkernel-x86_64-3.10.17-gentoo
4.8M   /boot/initramfs-genkernel-x86_64-3.10.7-gentoo
4.9M   /boot/initramfs-genkernel-x86_64-3.10.7-gentoo-r1
6.1M   /boot/initramfs-genkernel-x86_64-3.12.13-gentoo
6.2M   /boot/initramfs-genkernel-x86_64-3.12.21-gentoo-r1
6.2M   /boot/initramfs-genkernel-x86_64-3.14.14-gentoo
5.1M   /boot/initramfs-genkernel-x86_64-3.1.6-gentoo
5.7M   /boot/initramfs-genkernel-x86_64-3.2.1-gentoo-r2
6.2M   /boot/initramfs-genkernel-x86_64-3.3.8-gentoo
4.0M   /boot/initramfs-genkernel-x86_64-3.4.9-gentoo
4.0M   /boot/initramfs-genkernel-x86_64-3.5.7-gentoo
4.1M   /boot/initramfs-genkernel-x86_64-3.7.10-gentoo
4.1M   /boot/initramfs-genkernel-x86_64-3.7.10-gentoo-r1
5.1M   /boot/initramfs-genkernel-x86_64-3.7.9-gentoo
4.1M   /boot/initramfs-genkernel-x86_64-3.8.13-gentoo
4.7M   /boot/initramfs-genkernel-x86_64-3.9.9-gentoo


My boot partition is only 69% full :D
brendlefly62
Tux's lil' helper
Joined: 19 Dec 2009
Posts: 133

Posted: Sun Sep 07, 2014 1:39 pm

ssuominen and russK -- thanks for the guidance. I am working to include the necessary libs in my custom initramfs, and I'll post a "[solved]" update when I get it working ("never give up").

Hu -- Thanks for the lesson:
Quote:
brendlefly62 wrote:
So I cd ../../usr/portage/profiles/default/linux/amd64/13.0/desktop/kde
Code:
# for i in $(ls); do [ ! -d $i ] && echo "---[ $i ]---------------" && cat $i | grep -v "#" ; done
This is bad practice for several reasons. Never use ls to feed other commands. Use [ -f "$i" ] to test if it is a file, since there are unreadable non-directories such as FIFOs and local domain sockets. Never engage in useless use of cat. Use grep -v "#" "$i" to read the file.

Is this better?
Code:
# cd /usr/portage/profiles/targets/desktop/kde
# for i in $(find . -type f); do echo; echo "---[ file: $i" ]-------; grep -v "#" "$i"; done

Output:
Code:

---[ file: ./make.defaults ]-------

USE="consolekit declarative dri kde kipi phonon plasma policykit semantic-desktop xcomposite xinerama xscreensaver"

---[ file: ./use.force ]-------
policykit

---[ file: ./parent ]-------
..

---[ file: ./package.use ]-------

dev-python/PyQt4 script sql webkit

dev-qt/qtsql mysql

media-libs/gd fontconfig

sys-libs/zlib minizip

app-arch/unzip natspec

media-gfx/exiv2 xmp

dev-qt/qt-mobility multimedia

---[ file: ./package.use.force ]-------
<kde-base/kdm-4.11.0 consolekit

---[ file: ./eapi ]-------
5
Hu
Moderator
Joined: 06 Mar 2007
Posts: 21489

Posted: Sun Sep 07, 2014 4:18 pm

brendlefly62 wrote:
Hu -- Thanks for the lesson:
Is this better?
Code:
# cd /usr/portage/profiles/targets/desktop/kde
# for i in $(find . -type f); do echo; echo "---[ file: $i" ]-------; grep -v "#" "$i"; done
Better, but still not what I would recommend. Using find is preferred over ls, but your usage is still subject to being confused by embedded whitespace. To demonstrate:
Code:
touch './a b.x'
for i in $(find . -name \*.x -type f); do echo "$i"; cat "$i"; done
To fix, use instead:
Code:
find . -name \*.x -type f -print0 | while IFS= read -r -d '' i; do echo "$i"; done
However, this runs the loop in a subshell, so variables set inside the loop are not visible after the loop ends. If you need this, and can assume GNU bash (instead of POSIX-compatible sh), use:
Code:
while IFS= read -r -d '' i; do echo "$i"; done < <( find . -name \*.x -type f -print0)
brendlefly62
Tux's lil' helper
Joined: 19 Dec 2009
Posts: 133

Posted: Mon Sep 29, 2014 12:46 am

Hu, russK, ssuominen,

Thanks for the help -- I've marked the original post [Solved]. :)

Just to follow up, I did validate the procedure above by completing two separate builds of successful initramfs without the static USE flag on cryptsetup or lvm2, by including all the necessary libraries.

For the first build, I did all that manually, and for the second, I wrote a script that does it all... For a luks encrypted disk with lvm vg/lv inside for at least / and /usr, my mkinitramfs.sh will create a complete initramfs structure, and my makeinitramfs.sh will compile and install it into /boot.

Unlike that produced by genkernel or dracut, my initramfs includes a custom init script that reads init.conf and a cryptab in the initramfs and can unlock and mount encrypted block devices (which can be identified by UUID or /dev/<name>) using either a passphrase supplied interactively during boot, or a keyfile supplied on a removable block device (e.g. SD card, USB drive, floppy, etc.), or both keyfile AND passphrase if you want two-factor authentication.

I don't expect it's worth anything for anyone else, but I enjoyed doing it, and I learned a lot in the process -- including more practice with Hu's point about handling whitespace. :D
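The approach the thread settles on, copying the shared libraries that a dynamically linked `cryptsetup` or `lvm` needs into the initramfs tree, comes down to staging each binary together with what `ldd` reports for it. The following is an added example, not brendlefly62's mkinitramfs.sh; the function names and the overridable `LDD` variable are hypothetical, and it assumes library paths without whitespace.

```sh
#!/bin/sh
# Added example, not code from the thread.
# Run ldd only on trusted binaries: glibc's ldd may execute the program it
# inspects. LDD can be overridden to feed the parser constructed output.
LDD=${LDD:-ldd}

# ldd_paths: read ldd output on stdin, print the absolute library paths.
# Exits non-zero if ldd reported a library as "not found".
ldd_paths() {
    awk '
        /not found/              { print "missing: " $1 > "/dev/stderr"; bad = 1; next }
        $2 == "=>" && $3 ~ /^\// { print $3; next }   # libfoo.so.1 => /lib64/libfoo.so.1 (0x...)
        $1 ~ /^\//               { print $1 }          # /lib64/ld-linux-x86-64.so.2 (0x...)
        END                      { exit bad + 0 }'
}

# stage_file ROOT PATH: copy PATH to ROOT/PATH. cp -L follows symlinks, so the
# soname the loader asks for is a real file inside the image.
stage_file() {
    mkdir -p "$1$(dirname "$2")" && cp -L "$2" "$1$2"
}

# stage_binary ROOT BIN: copy BIN plus every library ldd lists for it.
# Fails without staging libraries if any dependency is unresolved.
stage_binary() {
    stage_file "$1" "$2" || return 1
    libs=$("$LDD" "$2" | ldd_paths) || return 1
    printf '%s\n' "$libs" | while IFS= read -r lib; do
        [ -n "$lib" ] || continue
        [ -e "$1$lib" ] || stage_file "$1" "$lib" || exit 1
    done
}

# Typical calls when building the image tree (paths are placeholders):
#   stage_binary /usr/src/initramfs /sbin/cryptsetup
#   stage_binary /usr/src/initramfs /sbin/lvm
```

Entries such as `linux-vdso.so.1` have no path on disk and are skipped by the parser.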