cryptroot: updated due to changes in original.
This commit is contained in:
parent
b863712014
commit
2f968d3be4
3
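old mode 100644
new mode 100755
--- a/ubuntu-20.04/etc/rc.local
+++ b/ubuntu-20.04/etc/rc.local
@@ -5,4 +5,7 @@ echo z3fold > /sys/module/zswap/parameters/zpool
 echo 50 > /sys/module/zswap/parameters/max_pool_percent
 echo lz4 > /sys/module/zswap/parameters/compressor
 grep -R . /sys/kernel/debug/zswap/
+# Do not overcommit memory
 echo 2 > /proc/sys/vm/overcommit_memory
+# But allow to use all physical+swap
+echo 99 > /proc/sys/vm/overcommit_ratio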
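Review bot: The new comment `# But allow to use all physical+swap` does not match the value written on the next line: with vm.overcommit_memory=2 the commit limit is swap plus overcommit_ratio percent of RAM, so 99 leaves one percent of physical memory unavailable to allocations. Either write `echo 100 > /proc/sys/vm/overcommit_ratio` or reword the comment to say 99% of RAM plus swap. None of the writes to /sys and /proc in this hunk are checked, so a kernel without the zswap parameters or without debugfs mounted just prints an error and carries on; if that best-effort behaviour is intended, a one-line comment saying so would save the next reader from adding `set -e` here.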
@ -18,8 +18,9 @@
|
||||||
[Service]
|
[Service]
|
||||||
Type=forking
|
Type=forking
|
||||||
ExecStart=/etc/rc.local start
|
ExecStart=/etc/rc.local start
|
||||||
|
ExecStop=/etc/rc.local.shutdown start
|
||||||
TimeoutSec=0
|
TimeoutSec=0
|
||||||
StandardOutput=tty
|
StandardOutput=journal+console
|
||||||
RemainAfterExit=yes
|
RemainAfterExit=yes
|
||||||
SysVStartPriority=99
|
SysVStartPriority=99
|
||||||
|
|
||||||
|
|
|
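Review bot: The added `ExecStop=/etc/rc.local.shutdown start` passes the argument `start` to a script whose name suggests it handles shutdown; if this line was copied from ExecStart, the intended argument is probably `stop` or none at all, e.g. `ExecStop=/etc/rc.local.shutdown`. Whether /etc/rc.local.shutdown is itself added by this commit is not visible on this page, so it is worth confirming the script exists and accepts that argument. Switching StandardOutput from tty to journal+console also means everything rc.local prints is now persisted in the journal, so the script should not echo anything it would not want retained in logs.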
@ -8,7 +8,7 @@
|
||||||
# passwd ubuntu
|
# passwd ubuntu
|
||||||
#
|
#
|
||||||
# read secretpassword
|
# read secretpassword
|
||||||
# password=`cat /mount/cryptkeys.txt`
|
# password=`cat /mount/cryptkey.txt`
|
||||||
|
|
||||||
secretpassword=${secretpassword:-MyLUKSPassword}
|
secretpassword=${secretpassword:-MyLUKSPassword}
|
||||||
password=${password:-MyLUKSPassword}
|
password=${password:-MyLUKSPassword}
|
||||||
|
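Review bot: The commit corrects the file name in the commented-out `password=\`cat …\`` example but leaves the unchanged fallbacks `secretpassword=${secretpassword:-MyLUKSPassword}` and `password=${password:-MyLUKSPassword}` directly below it, so a run where the variable is not exported silently encrypts the volume with a publicly known default passphrase instead of failing. A fail-closed form such as `: "${password:?LUKS passphrase must be supplied via the environment}"` surfaces the omission at the point it happens. If the default is intended only for throwaway test images, a comment saying exactly that would keep it from being reused for real installs.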
@ -242,14 +242,7 @@ stage1() {
|
||||||
make_stage2
|
make_stage2
|
||||||
}
|
}
|
||||||
|
|
||||||
doall() {
|
umount_all() {
|
||||||
stage1
|
|
||||||
modprobe efivars
|
|
||||||
mount --rbind /dev /mnt/dev
|
|
||||||
mount --rbind /proc /mnt/proc
|
|
||||||
mount --rbind /sys /mnt/sys
|
|
||||||
chroot /mnt /usr/bin/env DISK=$DISK bash -x /stage2.sh
|
|
||||||
|
|
||||||
lazy_umount() {
|
lazy_umount() {
|
||||||
umount "$@" || umount -l "$@"
|
umount "$@" || umount -l "$@"
|
||||||
}
|
}
|
||||||
|
@ -264,3 +257,14 @@ doall() {
|
||||||
umount /mnt || umount -l /mnt
|
umount /mnt || umount -l /mnt
|
||||||
zpool export rpool || zpool export -f rpool
|
zpool export rpool || zpool export -f rpool
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
doall() {
|
||||||
|
stage1
|
||||||
|
modprobe efivars
|
||||||
|
mount --rbind /dev /mnt/dev
|
||||||
|
mount --rbind /proc /mnt/proc
|
||||||
|
mount --rbind /sys /mnt/sys
|
||||||
|
chroot /mnt /usr/bin/env DISK=$DISK bash -x /stage2.sh
|
||||||
|
umount_all
|
||||||
|
}
|
||||||
|
|
|
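Review bot: The relocated `chroot /mnt /usr/bin/env DISK=$DISK bash -x /stage2.sh` line in the new doall() still runs stage2 with `bash -x`, which echoes every expanded command to stderr; since this installer passes LUKS passphrases through environment variables (see the `password=` fallbacks elsewhere in this commit), the trace can put the passphrase into the console log or journal. It also leaves `$DISK` unquoted. A form such as `chroot /mnt /usr/bin/env DISK="$DISK" bash /stage2.sh` keeps the same behaviour minus the trace; if tracing is wanted for debugging, gate it behind a variable. Because umount_all runs unconditionally afterwards, doall's exit status reflects the unmount rather than whether stage2 succeeded. doall() is complete in this hunk, but umount_all() begins outside it.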
@ -76,6 +76,7 @@ lvm2
|
||||||
#xserver-xorg-input-synaptics
|
#xserver-xorg-input-synaptics
|
||||||
uswsusp
|
uswsusp
|
||||||
gddrescue
|
gddrescue
|
||||||
|
lm-sensors
|
||||||
zfsutils-linux
|
zfsutils-linux
|
||||||
zstd
|
zstd
|
||||||
pixz
|
pixz
|
||||||
|
|
|
@ -31,8 +31,8 @@ esac
|
||||||
|
|
||||||
|
|
||||||
# wait_for_source()
|
# wait_for_source()
|
||||||
# Wait for encrypted $CRYPTTAB_SOURCE for up to 180s. Set
|
# Wait for encrypted $CRYPTTAB_SOURCE . Set $CRYPTTAB_SOURCE
|
||||||
# $CRYPTTAB_SOURCE to its normalized device name when it shows up;
|
# to its normalized device name when it shows up;
|
||||||
# return 1 if timeout.
|
# return 1 if timeout.
|
||||||
wait_for_source() {
|
wait_for_source() {
|
||||||
wait_for_udev 10
|
wait_for_udev 10
|
||||||
|
@ -42,17 +42,27 @@ wait_for_source() {
|
||||||
return 0
|
return 0
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# The lines below has been taken from
|
|
||||||
# /usr/share/initramfs-tools/scripts/local's local_device_setup(),
|
|
||||||
# as suggested per https://launchpad.net/bugs/164044
|
|
||||||
|
|
||||||
# If the source device hasn't shown up yet, give it a little while
|
# If the source device hasn't shown up yet, give it a little while
|
||||||
# to allow for asynchronous device discovery (e.g. USB).
|
# to allow for asynchronous device discovery (e.g. USB).
|
||||||
|
#
|
||||||
|
# We also need to take into account RAID or other devices that may
|
||||||
|
# only be available on local-block stage. So, wait 5 seconds upfront,
|
||||||
|
# in local-top; if that fails, end execution relying on local-block
|
||||||
|
# invocations. Allow $ROOTDELAY/3 invocations with 1s sleep times (with
|
||||||
|
# a minimum of 30 invocations), and if after that we still fail, then it's
|
||||||
|
# really time to give-up. Variable $initrd_cnt tracks the re-invocations.
|
||||||
|
#
|
||||||
|
# Part of the lines below has been taken from initramfs-tools
|
||||||
|
# scripts/local's local_device_setup(), as suggested per
|
||||||
|
# https://launchpad.net/bugs/164044 .
|
||||||
|
|
||||||
|
local slumber=1
|
||||||
|
if [ ! -f "${CRYPTR_LOCAL_BLOCK}" ]; then # we are running on local-top
|
||||||
|
slumber=5
|
||||||
|
fi
|
||||||
|
|
||||||
cryptsetup_message "Waiting for encrypted source device $CRYPTTAB_SOURCE..."
|
cryptsetup_message "Waiting for encrypted source device $CRYPTTAB_SOURCE..."
|
||||||
|
|
||||||
# Default delay is 180s, cf. initramfs-tools(8)
|
|
||||||
local slumber="${ROOTDELAY:-180}"
|
|
||||||
while [ $slumber -gt 0 ]; do
|
while [ $slumber -gt 0 ]; do
|
||||||
sleep 1
|
sleep 1
|
||||||
|
|
||||||
|
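Review bot: The removed `# Default delay is 180s, cf. initramfs-tools(8)` and its `${ROOTDELAY:-180}` are replaced by a re-invocation counter in setup_mapping (next hunk) whose fallback is `${ROOTDELAY:-90}`, so when ROOTDELAY is unset the documented default no longer applies: 90/3 lands exactly on the 30-invocation floor, whereas 180 would allow 60. If 180 is still the initramfs-tools default, use it there too, `initrd_cnt=${ROOTDELAY:-180}`, or document in setup_mapping why 90 was chosen. The long comment added here describes bookkeeping that lives in setup_mapping rather than in wait_for_source; a pointer such as `# see setup_mapping() for the $initrd_cnt bookkeeping` after the paragraph would help the next reader. wait_for_source continues past the end of this hunk.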
@ -75,7 +85,23 @@ wait_for_source() {
|
||||||
# Set up a crypttab(5) mapping defined by $CRYPTTAB_NAME,
|
# Set up a crypttab(5) mapping defined by $CRYPTTAB_NAME,
|
||||||
# $CRYPTTAB_SOURCE, $CRYPTTAB_KEY, $CRYPTTAB_OPTIONS.
|
# $CRYPTTAB_SOURCE, $CRYPTTAB_KEY, $CRYPTTAB_OPTIONS.
|
||||||
setup_mapping() {
|
setup_mapping() {
|
||||||
local dev
|
local dev initrd_cnt
|
||||||
|
|
||||||
|
# We control here the number of re-invocations of this script from
|
||||||
|
# local-block - the heuristic is $ROOTDELAY/3, with a minimum of 30.
|
||||||
|
# This number is somewhat dictated by mdadm, we want to run more times
|
||||||
|
# than that script, to allow decrypting volumes on top of arrays.
|
||||||
|
|
||||||
|
if [ -f "${CRYPTR_CNT_FILE}" ]; then
|
||||||
|
initrd_cnt=$(cat ${CRYPTR_CNT_FILE})
|
||||||
|
else
|
||||||
|
initrd_cnt=${ROOTDELAY:-90}
|
||||||
|
initrd_cnt=$((initrd_cnt/3))
|
||||||
|
if [ "${initrd_cnt}" -lt 30 ]; then
|
||||||
|
initrd_cnt=30
|
||||||
|
fi
|
||||||
|
echo ${initrd_cnt} > "${CRYPTR_CNT_FILE}"
|
||||||
|
fi
|
||||||
|
|
||||||
# The same target can be specified multiple times
|
# The same target can be specified multiple times
|
||||||
# e.g. root and resume lvs-on-lvm-on-crypto
|
# e.g. root and resume lvs-on-lvm-on-crypto
|
||||||
|
@ -86,17 +112,23 @@ setup_mapping() {
|
||||||
crypttab_parse_options --export --missing-path=fail || return 1
|
crypttab_parse_options --export --missing-path=fail || return 1
|
||||||
|
|
||||||
if ! wait_for_source; then
|
if ! wait_for_source; then
|
||||||
# we've given up
|
if [ ${initrd_cnt} -le 0 ]; then
|
||||||
if [ -n "$panic" ]; then
|
# we've given up
|
||||||
panic "ALERT! encrypted source device $CRYPTTAB_SOURCE does not exist, can't unlock $CRYPTTAB_NAME."
|
if [ -n "$panic" ]; then
|
||||||
else
|
panic "ALERT! encrypted source device $CRYPTTAB_SOURCE does not exist, can't unlock $CRYPTTAB_NAME."
|
||||||
# let the user fix matters if they can
|
else
|
||||||
echo " ALERT! encrypted source device $CRYPTTAB_SOURCE does not exist, can't unlock $CRYPTTAB_NAME."
|
# let the user fix matters if they can
|
||||||
echo " Check cryptopts=source= bootarg: cat /proc/cmdline"
|
echo " ALERT! encrypted source device $CRYPTTAB_SOURCE does not exist, can't unlock $CRYPTTAB_NAME."
|
||||||
echo " or missing modules, devices: cat /proc/modules; ls /dev"
|
echo " Check cryptopts=source= bootarg: cat /proc/cmdline"
|
||||||
panic "Dropping to a shell."
|
echo " or missing modules, devices: cat /proc/modules; ls /dev"
|
||||||
fi
|
panic "Dropping to a shell."
|
||||||
return 1 # can't continue because environment is lost
|
fi
|
||||||
|
return 1 # can't continue because environment is lost
|
||||||
|
else
|
||||||
|
initrd_cnt=$((initrd_cnt - 1))
|
||||||
|
echo ${initrd_cnt} > "${CRYPTR_CNT_FILE}"
|
||||||
|
return 0 # allow some attempts on local-block stage
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# our `cryptroot-unlock` script searches for cryptsetup processes
|
# our `cryptroot-unlock` script searches for cryptsetup processes
|
||||||
|
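Review bot: `initrd_cnt=$(cat ${CRYPTR_CNT_FILE})` reads the counter back without quoting the path and without checking that the content is a number; if the file exists but is empty or truncated, `[ ${initrd_cnt} -le 0 ]` later in this hunk raises a test(1) error, the else branch writes `-1` back, and the give-up path is reached one invocation late with a shell error on the console. Quoting plus a guard that falls back to the same floor the else branch enforces keeps it deterministic: `initrd_cnt=$(cat "${CRYPTR_CNT_FILE}")` followed by `case "${initrd_cnt}" in ''|*[!0-9]*) initrd_cnt=30 ;; esac`. The two `echo ${initrd_cnt} > "${CRYPTR_CNT_FILE}"` writes would read more consistently quoted as well. setup_mapping() starts before this hunk and continues after it.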
@ -208,6 +240,10 @@ setup_mapping() {
|
||||||
done
|
done
|
||||||
|
|
||||||
cryptsetup_message "ERROR: $CRYPTTAB_NAME: maximum number of tries exceeded"
|
cryptsetup_message "ERROR: $CRYPTTAB_NAME: maximum number of tries exceeded"
|
||||||
|
|
||||||
|
if [ -f "${CRYPTR_CNT_FILE}" ]; then
|
||||||
|
echo 0 > "${CRYPTR_CNT_FILE}"
|
||||||
|
fi
|
||||||
exit 1
|
exit 1
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|