| View previous topic :: View next topic |
| Author |
Message |
Massimo B.
Veteran
Joined: 09 Feb 2005
Posts: 1768
Location: PB, Germany
|
 Posted: Wed Oct 25, 2017 12:48 pm Post subject: dracut with LUKS and OpenRC |
 |
|
dracut with LUKS and OpenRC
Hi,
dracut doesn't care much about Gentoo, and much less about OpenRC. That's what I learned from their IRC channel or upstream bug reports.
First of all, current prelink users on Gentoo need this patch: bug 585106#c3.
I switched from genkernel to dracut because I started to use things that genkernel initramfs don't support: bcache (topic 959542, topic 985174), and hibernated resuming from encrypted swap (topic 1069352)
I got my LUKS opened like this
| Code: | # grep "^GRUB_CMDLINE_LINUX_DEFAULT" /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="drm_kms_helper.edid_firmware=edid/1920x1080.bin rd.vconsole.font=ter-u12n rd.vconsole.keymap=de-latin1-nodeadkeys rd.locale.LANG=de_DE.UTF-8 rd.lvm=0 rd.md=0 rd.dm=0 rd.luks.uuid=cae6cb89-57c3-4837-91a1-e28b2e2f44e0 root=LABEL=gentoo rootflags=subvol=root" |
However with this setup I'm asked for 2 passwords, first is for the mentioned root fs uuid, and the second is for my encrypted swap that I did not mention in the CMDLINE. This should not happen as that partition is already opened by dmcrypt later:
/etc/conf.d/dmcrypt:
| Code: | target=swap_crypt_1
source='UUID=e58808c3-28c6-4d94-b55e-81f123a7d200'
key='/keyfile' |
Before I had randomized keys, but for later resuming from that I need a fixed key. For not entering multiple keys I usually open my root filesystem with a key and then all the other LUKS by keyfiles on that.
Next thing is, if trying to resume from that encrypted swap, so dracut must be able to open it. I thought I try to cascade the LUKS openings as dracut also supports opening from key, but that did not work at all as dracut tried to open the swap with a not-found key file, which I did not the thing I configured:
| Code: | # grep "^GRUB_CMDLINE_LINUX_DEFAULT" /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="drm_kms_helper.edid_firmware=edid/1920x1080.bin rd.vconsole.font=ter-u12n rd.vconsole.keymap=de-latin1-nodeadkeys rd.locale.LANG=de_DE.UTF-8 rd.lvm=0 rd.md=0 rd.dm=0 rd.luks.uuid=cae6cb89-57c3-4837-91a1-e28b2e2f44e0 root=LABEL=gentoo rootflags=subvol=root rd.luks.uuid=e58808c3-28c6-4d94-b55e-81f123a7d200 rd.luks.key=/keyfile:UUID=cae6cb89-57c3-4837-91a1-e28b2e2f44e0:UUID=e58808c3-28c6-4d94-b55e-81f123a7d200 resume=LABEL=swap_1" |
..at least from what I understand from current dracut.html which is from Revision 3.0 October 2013 HH and quite old but matching my /usr/share/doc/dracut-045-r2/dracut.html. Question if dracut is still actively maintened.
I was told here on #dracut, that I need to create my own OpenRC script doing that. But actually dracut could open both LUKS if the opening is done in 2 steps.
Links:
https://www.openhub.net/p/dracut
https://dracut.wiki.kernel.org
https://github.com/dracutdevs/dracut
https://www.kernel.org/pub/linux/utils/boot/dracut/
Here I found dracut-045.tar.xz is from 03-Apr-2017 08:40, but there already is dracut-046.tar.xz from 11-Aug-2017 11:48. So we could at least file a version bump here.
If dracut is the modern tool of today for creating initramfs then I'm willing to file upstream bug reports to make dracut also working with non-systemd and non-mainstream distributions.
At least asking people from distributions that are active lyusing dracut like OpenSuse, those people in general do know even less about it as they rarely ever need to configure it manually.
_________________
HP ZBook Power 15.6" G8 i7-11800H|HP EliteDesk 800G1 i7-4790|HP Compaq Pro 6300 i7-3770
Last edited by Massimo B. on Thu Oct 26, 2017 6:33 am; edited 1 time in total |
|
| Back to top |
|
 |
msst
Apprentice
Joined: 07 Jun 2011
Posts: 259
|
| Posted: Wed Oct 25, 2017 11:33 pm Post subject: |
|
|
I am also using a luks / initramfs setup. Dracut was one of the things I tried, but I did not even get as far as you - it simply didn't interoperate very well with gentoo. Was also obvious for me that it is not made for gentoo but instead for systemd and the automatic distributions.
better-initramfs is working much more hassle free than dracut for me. The real plus is it does not need updating the initramfs with each kernel update...
Not sure if it offers all the features you are looking for, but it works with luks and dmcrypt.
P.S.: The featurelist
| Quote: |
Support for BCACHE.
Support for LVM.
Support for dmcrypt LUKS
Support for software RAID
Rescue shell
Remote rescue shell, available over ssh.
UUID/LABEL support for root and enc_root
Support for resume from TuxOnIce, in-kernel suspend (swsusp) and Userspace Software Suspend (uswsusp).
|
seems to support bcache and also some suspend modes. To be seen whether that goea also for encrypted swap resume |
|
| Back to top |
|
|
Massimo B.
Veteran
Joined: 09 Feb 2005
Posts: 1768
Location: PB, Germany
|
| Posted: Thu Oct 26, 2017 5:02 am Post subject: |
|
|
Wow, never heard about better-initramfs, and we don't even have an ebuild for that.
With bcache it seems quite complete. Btw. one other thing I didn't mention was Plymouth, that was not supported by genkernel but with dracut. After first contact I did not really like Plymouth and more preferred the old splashutils that I'm going to try again some day (topic 1069124).
Looking at the #parameters features look quite equal like genkernel or dracut. However at first view I miss the option for a luks keyfile.
Anyway I don't see something that better-initramfs provides more than dracut. However this is even more rarely used than dracut, and a smaller userbase means even less support.
dracut script library is quite large, and if I understand how they work I could extend it. I did not understand why I got advised on #dracut that for resuming from encrypted swap I need a custom RC script doing that. If rd.luks.uuid would open the device that resume= requires then it could work.
However this here is really looking like a bug and I'm going to file that upstream: | Massimo B. wrote: | | Code: | # grep "^GRUB_CMDLINE_LINUX_DEFAULT" /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="drm_kms_helper.edid_firmware=edid/1920x1080.bin rd.vconsole.font=ter-u12n rd.vconsole.keymap=de-latin1-nodeadkeys rd.locale.LANG=de_DE.UTF-8 rd.lvm=0 rd.md=0 rd.dm=0 rd.luks.uuid=cae6cb89-57c3-4837-91a1-e28b2e2f44e0 root=LABEL=gentoo rootflags=subvol=root" |
..with this setup I'm asked for 2 passwords, first is for the mentioned root fs uuid, and the second is for my encrypted swap that I did not mention in the CMDLINE. This should not happen as that partition is already opened by dmcrypt later. |
_________________
HP ZBook Power 15.6" G8 i7-11800H|HP EliteDesk 800G1 i7-4790|HP Compaq Pro 6300 i7-3770 |
|
| Back to top |
|
|
Massimo B.
Veteran
Joined: 09 Feb 2005
Posts: 1768
Location: PB, Germany
|
| Posted: Thu Oct 26, 2017 6:32 am Post subject: Re: dracut with LUKS and OpenRC |
|
|
| Massimo B. wrote: | | Here I found dracut-045.tar.xz is from 03-Apr-2017 08:40, but there already is dracut-046.tar.xz from 11-Aug-2017 11:48. So we could at least file a version bump here. |
-> Already there: bug 627694
_________________
HP ZBook Power 15.6" G8 i7-11800H|HP EliteDesk 800G1 i7-4790|HP Compaq Pro 6300 i7-3770 |
|
| Back to top |
|
|
msst
Apprentice
Joined: 07 Jun 2011
Posts: 259
|
| Posted: Wed Nov 22, 2017 9:58 pm Post subject: |
|
|
| Quote: | Looking at the #parameters features look quite equal like genkernel or dracut. However at first view I miss the option for a luks keyfile.
|
Correct, that is an omission which requires manually editing the functions.sh.
| Quote: |
Anyway I don't see something that better-initramfs provides more than dracut. However this is even more rarely used than dracut, and a smaller userbase means even less support. |
The maintainer was quite responsive and seems to support his product. It is a more exotic initramfs solution, however for me it was the only one that worked flawlessly and was not a huge hassle to set up. dracut is 100x more complex. I believe the philosophy of better-initramfs was not to offer more features than dracut or genkernel, but instead
1) To be simpler and less complicated
2) To exactly not rely on including the relevant parts of the host system but be completely independant on kernel version etc. This initramfs does not require a rebuild for each new kernel version. |
|
| Back to top |
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
Kernel & Hardware
