


Zbigniew Jędrzejewski-Szmek 36f43076b9
Merge pull request #14235 from fbuihuu/cryptsetup-fixes
Cryptsetup fixes
2019-12-06 12:46:42 +01:00
Yu Watanabe 2c7b826ddf network: do not drop foreign config if interface is in initialized state
If the interface is in the initialized state, no network file is assigned to
the interface. Previously, if an interface was not managed by networkd,
the foreign configs of the interface were dropped.

Fixes #14250.
2019-12-06 12:27:47 +01:00
Franck Bui 362c378291 cryptsetup: umount encrypted devices before detaching it during shutdown
This is done by ordering local-fs-pre.target and remote-fs-pre.target after
cryptsetup.target and remote-cryptsetup.target respectively.

Fixes: #8472
2019-12-05 11:43:05 +01:00
Franck Bui 1dc85eff1d crypsetup: introduce x-initrd.attach option
This option is an indication for PID1 that the entry in crypttab is handled by
the initrd only and therefore it shouldn't interfere during the usual start-up and
shutdown process.

It should be primarily used with the encrypted device containing the root FS as
we want to keep it (and thus its encrypted device) until the very end of the
shutdown process, i.e. when initrd takes over.

This option is the counterpart of "x-initrd.mount" used in fstab.

Note that the slice containing the cryptsetup services also needs to drop the
usual shutdown dependencies as it's required by the cryptsetup services.

Fixes: #14224
2019-12-05 11:43:02 +01:00
9 changed files with 60 additions and 14 deletions


@ -92,17 +92,24 @@
<!-- note: do not use unicode ellipsis here, because docbook will replace that <!-- note: do not use unicode ellipsis here, because docbook will replace that
with three dots anyway, messing up alignment --> with three dots anyway, messing up alignment -->
<programlisting>local-fs-pre.target <programlisting>(various cryptsetup
devices...)
| |
v v
(various mounts and (various swap (various cryptsetup cryptsetup.target
fsck services...) devices...) devices...) (various low-level (various low-level |
| | | services: udevd, API VFS mounts: v
v v v tmpfiles, random mqueue, configfs, local-fs-pre.target
local-fs.target swap.target cryptsetup.target seed, sysctl, ...) debugfs, ...) |
| | | | | v
\__________________|_________________ | ___________________|____________________/ (various mounts and (various swap
\|/ fsck services...) devices...) (various low-level (various low-level
| | services: udevd, API VFS mounts:
v v tmpfiles, random mqueue, configfs,
local-fs.target swap.target seed, sysctl, ...) debugfs, ...)
| | | |
\__________________|_________________ _________________|______________________/
\ /
v v
sysinit.target sysinit.target
| |


@ -431,6 +431,25 @@
</para></listitem> </para></listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><option>x-initrd.attach</option></term>
<listitem><para>Setup this encrypted block device in the initramfs, similarly to
<citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry>
units marked with <option>x-initrd.mount</option>.</para>
<para>Although it's not necessary to mark the mount entry for the root file system with
<option>x-initrd.mount</option>, <option>x-initrd.attach</option> is still recommended with
the encrypted block device containing the root file system as otherwise systemd will
attempt to detach the device during the regular system shutdown while it's still in
use. With this option the device will still be detached but later after the root file
system is unmounted.</para>
<para>All other encrypted block devices that contain file systems mounted in the initramfs
should use this option.</para>
</listitem>
</varlistentry>
</variablelist> </variablelist>
<para>At early boot and when the system manager configuration is <para>At early boot and when the system manager configuration is


@ -227,7 +227,7 @@ static int create_disk(
*filtered = NULL, *u_escaped = NULL, *filtered_escaped = NULL, *name_escaped = NULL, *header_path = NULL; *filtered = NULL, *u_escaped = NULL, *filtered_escaped = NULL, *name_escaped = NULL, *header_path = NULL;
_cleanup_fclose_ FILE *f = NULL; _cleanup_fclose_ FILE *f = NULL;
const char *dmname; const char *dmname;
bool noauto, nofail, tmp, swap, netdev; bool noauto, nofail, tmp, swap, netdev, attach_in_initrd;
int r, detached_header, keyfile_can_timeout; int r, detached_header, keyfile_can_timeout;
assert(name); assert(name);
@ -238,6 +238,7 @@ static int create_disk(
tmp = fstab_test_option(options, "tmp\0"); tmp = fstab_test_option(options, "tmp\0");
swap = fstab_test_option(options, "swap\0"); swap = fstab_test_option(options, "swap\0");
netdev = fstab_test_option(options, "_netdev\0"); netdev = fstab_test_option(options, "_netdev\0");
attach_in_initrd = fstab_test_option(options, "x-initrd.attach\0");
keyfile_can_timeout = fstab_filter_options(options, "keyfile-timeout\0", NULL, &keyfile_timeout_value, NULL); keyfile_can_timeout = fstab_filter_options(options, "keyfile-timeout\0", NULL, &keyfile_timeout_value, NULL);
if (keyfile_can_timeout < 0) if (keyfile_can_timeout < 0)
@ -290,12 +291,15 @@ static int create_disk(
"Documentation=man:crypttab(5) man:systemd-cryptsetup-generator(8) man:systemd-cryptsetup@.service(8)\n" "Documentation=man:crypttab(5) man:systemd-cryptsetup-generator(8) man:systemd-cryptsetup@.service(8)\n"
"SourcePath=%s\n" "SourcePath=%s\n"
"DefaultDependencies=no\n" "DefaultDependencies=no\n"
"Conflicts=umount.target\n"
"IgnoreOnIsolate=true\n" "IgnoreOnIsolate=true\n"
"After=%s\n", "After=%s\n",
arg_crypttab, arg_crypttab,
netdev ? "remote-fs-pre.target" : "cryptsetup-pre.target"); netdev ? "remote-fs-pre.target" : "cryptsetup-pre.target");
/* If initrd takes care of attaching the disk then it should also detach it during shutdown. */
if (!attach_in_initrd)
fprintf(f, "Conflicts=umount.target\n");
if (password) { if (password) {
password_escaped = specifier_escape(password); password_escaped = specifier_escape(password);
if (!password_escaped) if (!password_escaped)
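Review bot: The comment above the new `if (!attach_in_initrd)` describes intent rather than effect; from this hunk the only thing the option changes is whether `Conflicts=umount.target` is written, so the generated unit for an x-initrd.attach entry is no longer stopped at umount.target and stays active into the final shutdown phase. I would say that explicitly, e.g. `/* x-initrd.attach: don't conflict with umount.target, so the mapping survives the regular shutdown and is torn down only once the initrd takes over (the root fs may still live on it). */`. The crypttab(5) text in this series promises the device is still detached later, after the root file system is unmounted; nothing in this generator arranges that, so it is presumably left to the initrd/shutdown teardown and worth cross-referencing here so the next reader does not look for it in create_disk. create_disk starts and ends outside the hunk.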


@ -228,7 +228,7 @@ static int parse_one_option(const char *option) {
if (r < 0) if (r < 0)
return log_error_errno(r, "Failed to parse %s: %m", option); return log_error_errno(r, "Failed to parse %s: %m", option);
} else } else if (!streq(option, "x-initrd.attach"))
log_warning("Encountered unknown /etc/crypttab option '%s', ignoring.", option); log_warning("Encountered unknown /etc/crypttab option '%s', ignoring.", option);
return 0; return 0;
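Review bot: The new `else if (!streq(option, "x-initrd.attach"))` on the tail of the chain expresses "accept this option" as an exception to the unknown-option warning, which is easy to misread and easy to break when the next silent option is added. An explicit branch reads better and documents who consumes the option: `} else if (streq(option, "x-initrd.attach")) { /* consumed by systemd-cryptsetup-generator, nothing to do here */ } else log_warning(...)`. parse_one_option starts outside the hunk, so I cannot see whether other generator-only options are already handled the same way; if they are, they belong in the same branch.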


@ -2924,7 +2924,7 @@ int link_reconfigure(Link *link, bool force) {
if (r < 0) if (r < 0)
return r; return r;
if (!IN_SET(link->state, LINK_STATE_UNMANAGED, LINK_STATE_PENDING)) { if (!IN_SET(link->state, LINK_STATE_UNMANAGED, LINK_STATE_PENDING, LINK_STATE_INITIALIZED)) {
log_link_debug(link, "State is %s, dropping config", link_state_to_string(link->state)); log_link_debug(link, "State is %s, dropping config", link_state_to_string(link->state));
r = link_drop_foreign_config(link); r = link_drop_foreign_config(link);
if (r < 0) if (r < 0)
@ -3419,7 +3419,7 @@ static int link_carrier_lost(Link *link) {
if (r < 0) if (r < 0)
return r; return r;
if (!IN_SET(link->state, LINK_STATE_UNMANAGED, LINK_STATE_PENDING)) { if (!IN_SET(link->state, LINK_STATE_UNMANAGED, LINK_STATE_PENDING, LINK_STATE_INITIALIZED)) {
log_link_debug(link, "State is %s, dropping config", link_state_to_string(link->state)); log_link_debug(link, "State is %s, dropping config", link_state_to_string(link->state));
r = link_drop_foreign_config(link); r = link_drop_foreign_config(link);
if (r < 0) if (r < 0)
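Review bot: The same three-state `IN_SET(link->state, LINK_STATE_UNMANAGED, LINK_STATE_PENDING, LINK_STATE_INITIALIZED)` check is now duplicated verbatim in link_reconfigure and link_carrier_lost (both hunks of this file), and this commit is itself evidence that the two copies drift: the rule "no network file assigned yet, so nothing of ours to drop" had to be fixed in two places. I would factor it into one helper next to the state enum, e.g. `static bool link_has_no_config_to_drop(Link *link) { return IN_SET(link->state, LINK_STATE_UNMANAGED, LINK_STATE_PENDING, LINK_STATE_INITIALIZED); }`, with a comment explaining that in these states no .network file has been matched, so any foreign config must be left alone. If other callers of link_drop_foreign_config exist outside these hunks (I cannot see them), they should use the same helper. Both enclosing functions start and end outside the hunks.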


@ -11,3 +11,4 @@
Description=Local File Systems (Pre) Description=Local File Systems (Pre)
Documentation=man:systemd.special(7) Documentation=man:systemd.special(7)
RefuseManualStart=yes RefuseManualStart=yes
After=cryptsetup.target
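Review bot: The added `After=cryptsetup.target` is there for shutdown ordering (stop the mounts ordered after local-fs-pre.target before the cryptsetup units are stopped), not for boot, and it also reverses the old bootup(7) ordering in which cryptsetup.target came after local-fs-pre.target; neither is obvious from a bare `After=` line. A one-line `#` comment above it would save the next reader a trip to the commit log, e.g. `# Ordering only: on shutdown, local file systems are unmounted before cryptsetup.target (and the encrypted devices behind it) is stopped.` The same applies to the `After=remote-cryptsetup.target` line added to remote-fs-pre.target in this series.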


@ -74,6 +74,7 @@ units = [
'sysinit.target.wants/'], 'sysinit.target.wants/'],
['sysinit.target', ''], ['sysinit.target', ''],
['syslog.socket', ''], ['syslog.socket', ''],
['system-systemd\\x2dcryptsetup.slice', 'HAVE_LIBCRYPTSETUP'],
['system-update.target', ''], ['system-update.target', ''],
['system-update-pre.target', ''], ['system-update-pre.target', ''],
['system-update-cleanup.service', ''], ['system-update-cleanup.service', ''],


@ -11,3 +11,4 @@
Description=Remote File Systems (Pre) Description=Remote File Systems (Pre)
Documentation=man:systemd.special(7) Documentation=man:systemd.special(7)
RefuseManualStart=yes RefuseManualStart=yes
After=remote-cryptsetup.target
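Review bot: This `After=remote-cryptsetup.target` may close an ordering cycle: the generator hunk earlier in this series still writes `After=remote-fs-pre.target` into every _netdev cryptsetup unit, so if those units are also ordered before remote-cryptsetup.target (which I cannot see here, but is how the non-netdev units relate to cryptsetup.target), the chain unit → remote-fs-pre.target → remote-cryptsetup.target → unit is circular and PID 1 will break it by dropping a job. Please confirm how the _netdev units are ordered relative to remote-cryptsetup.target before merging; if they are, either the generator must stop ordering them after remote-fs-pre.target or this line cannot be added. A `#` comment stating the shutdown-ordering intent of the line would also help, as suggested for local-fs-pre.target.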


@ -0,0 +1,13 @@
# SPDX-License-Identifier: LGPL-2.1+
#
# This file is part of systemd.
#
# systemd is free software; you can redistribute it and/or modify it
# under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation; either version 2.1 of the License, or
# (at your option) any later version.
[Unit]
Description=Cryptsetup Units Slice
Documentation=man:systemd.special(7)
DefaultDependencies=no
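Review bot: The new slice sets `DefaultDependencies=no` without saying why, and nothing in the file explains why this slice exists at all. The commit message gives both reasons (the slice must not pull in the usual shutdown dependencies because the cryptsetup services sit inside it and must outlive the regular shutdown), so I would put that in the file: `# The systemd-cryptsetup@.service instances live in this slice; it must not carry the default shutdown ordering, or it would be stopped underneath devices that x-initrd.attach keeps attached until the initrd takes over.` The escaped name suggests this is the slice the template instances land in by default rather than one the generator assigns explicitly; I cannot confirm that from this page, so stating which it is in the comment would help.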