cryptroot: updated due to changes in original.

ubuntu-20.04/etc/rc.local

@@ -5,4 +5,7 @@ echo z3fold > /sys/module/zswap/parameters/zpool
 echo 50 > /sys/module/zswap/parameters/max_pool_percent
 echo lz4 > /sys/module/zswap/parameters/compressor
 grep -R . /sys/kernel/debug/zswap/
+# Do not overcommit memory
 echo 2 > /proc/sys/vm/overcommit_memory
+# But allow to use all physical+swap
+echo 99 > /proc/sys/vm/overcommit_ratio 

ubuntu-20.04/etc/systemd/system/rc-local.service

@@ -18,8 +18,9 @@
 [Service]
  Type=forking
  ExecStart=/etc/rc.local start
+ ExecStop=/etc/rc.local.shutdown start
  TimeoutSec=0
- StandardOutput=tty
+ StandardOutput=journal+console
  RemainAfterExit=yes
  SysVStartPriority=99
 

ubuntu-20.04/install-zfs-luks.sh

@@ -8,7 +8,7 @@
 # passwd ubuntu
 #
 # read secretpassword
-# password=`cat /mount/cryptkeys.txt`
+# password=`cat /mount/cryptkey.txt`
 
 secretpassword=${secretpassword:-MyLUKSPassword}
 password=${password:-MyLUKSPassword}
@@ -242,14 +242,7 @@ stage1() {
     make_stage2
 }
 
-doall() {
-    stage1    
-    modprobe efivars
-    mount --rbind /dev  /mnt/dev
-    mount --rbind /proc /mnt/proc
-    mount --rbind /sys  /mnt/sys
-    chroot /mnt /usr/bin/env DISK=$DISK bash -x /stage2.sh
-
+umount_all() {
     lazy_umount() {
 	umount "$@" || umount -l "$@"
     }
@@ -264,3 +257,14 @@ doall() {
     umount /mnt || umount -l /mnt
     zpool export rpool || zpool export -f rpool
 }
+
+
+doall() {
+    stage1    
+    modprobe efivars
+    mount --rbind /dev  /mnt/dev
+    mount --rbind /proc /mnt/proc
+    mount --rbind /sys  /mnt/sys
+    chroot /mnt /usr/bin/env DISK=$DISK bash -x /stage2.sh
+    umount_all
+}

ubuntu-20.04/packages

@@ -76,6 +76,7 @@ lvm2
 #xserver-xorg-input-synaptics
 uswsusp
 gddrescue
+lm-sensors
 zfsutils-linux
 zstd
 pixz

ubuntu-20.04/usr/share/initramfs-tools/scripts/local-top/cryptroot

@@ -31,8 +31,8 @@ esac
 
 
 # wait_for_source()
-#   Wait for encrypted $CRYPTTAB_SOURCE for up to 180s.  Set
-#   $CRYPTTAB_SOURCE to its normalized device name when it shows up;
+#   Wait for encrypted $CRYPTTAB_SOURCE . Set $CRYPTTAB_SOURCE
+#   to its normalized device name when it shows up;
 #   return 1 if timeout.
 wait_for_source() {
     wait_for_udev 10
@@ -42,17 +42,27 @@ wait_for_source() {
         return 0
     fi
 
-    # The lines below has been taken from
-    # /usr/share/initramfs-tools/scripts/local's local_device_setup(),
-    # as suggested per https://launchpad.net/bugs/164044
-
     # If the source device hasn't shown up yet, give it a little while
     # to allow for asynchronous device discovery (e.g. USB).
+    #
+    # We also need to take into account RAID or other devices that may
+    # only be available on local-block stage. So, wait 5 seconds upfront,
+    # in local-top; if that fails, end execution relying on local-block
+    # invocations. Allow $ROOTDELAY/3 invocations with 1s sleep times (with
+    # a minimum of 30 invocations), and if after that we still fail, then it's
+    # really time to give-up. Variable $initrd_cnt tracks the re-invocations.
+    #
+    # Part of the lines below has been taken from initramfs-tools
+    # scripts/local's local_device_setup(), as suggested per
+    # https://launchpad.net/bugs/164044 .
+
+    local slumber=1
+    if [ ! -f "${CRYPTR_LOCAL_BLOCK}" ]; then # we are running on local-top
+         slumber=5
+    fi
 
     cryptsetup_message "Waiting for encrypted source device $CRYPTTAB_SOURCE..."
 
-    # Default delay is 180s, cf. initramfs-tools(8)
-    local slumber="${ROOTDELAY:-180}"
     while [ $slumber -gt 0 ]; do
         sleep 1
 
@@ -75,7 +85,23 @@ wait_for_source() {
 #   Set up a crypttab(5) mapping defined by $CRYPTTAB_NAME,
 #   $CRYPTTAB_SOURCE, $CRYPTTAB_KEY, $CRYPTTAB_OPTIONS.
 setup_mapping() {
-    local dev
+    local dev initrd_cnt
+
+    # We control here the number of re-invocations of this script from
+    # local-block - the heuristic is $ROOTDELAY/3, with a minimum of 30.
+    # This number is somewhat dictated by mdadm, we want to run more times
+    # than that script, to allow decrypting volumes on top of arrays.
+
+    if [ -f "${CRYPTR_CNT_FILE}" ]; then
+	initrd_cnt=$(cat ${CRYPTR_CNT_FILE})
+    else
+	initrd_cnt=${ROOTDELAY:-90}
+	initrd_cnt=$((initrd_cnt/3))
+	if [ "${initrd_cnt}" -lt 30 ]; then
+		initrd_cnt=30
+	fi
+	echo ${initrd_cnt} > "${CRYPTR_CNT_FILE}"
+    fi
 
     # The same target can be specified multiple times
     # e.g. root and resume lvs-on-lvm-on-crypto
@@ -86,6 +112,7 @@ setup_mapping() {
     crypttab_parse_options --export --missing-path=fail || return 1
 
     if ! wait_for_source; then
+	if [ ${initrd_cnt} -le 0 ]; then
 		# we've given up
 		if [ -n "$panic" ]; then
 			panic "ALERT! encrypted source device $CRYPTTAB_SOURCE does not exist, can't unlock $CRYPTTAB_NAME."
@@ -97,6 +124,11 @@ setup_mapping() {
 			panic "Dropping to a shell."
 		fi
 		return 1 # can't continue because environment is lost
+	else
+		initrd_cnt=$((initrd_cnt - 1))
+		echo ${initrd_cnt} > "${CRYPTR_CNT_FILE}"
+		return 0 # allow some attempts on local-block stage
+	fi
     fi
 
     # our `cryptroot-unlock` script searches for cryptsetup processes
@@ -208,6 +240,10 @@ setup_mapping() {
     done
 
     cryptsetup_message "ERROR: $CRYPTTAB_NAME: maximum number of tries exceeded"
+
+    if [ -f "${CRYPTR_CNT_FILE}" ]; then
+	    echo 0 > "${CRYPTR_CNT_FILE}"
+    fi
     exit 1
 }