Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Bug#1029324: dracut: generic initrd does not work with encrypted root FS without further configuration
30 views
Skip to first unread message
David Härdeman
Jan 21, 2023, 6:30:03 AM1/21/23
to
Package: dracut
Version: 059-1
Severity: normal
Dear Maintainer,
since version 059-1, dracut defaults to building a generic initrd.
Unfortunately, the generic initrd means that it is not possible to
switch from initramfs-tools to dracut on a system which uses an
encrypted root FS without further configuration steps.
For example, installing Debian in a VM using a recent (testing) Debian
installer image, and opting for the guided partitioning, with an
encrypted root fs, the system will end up with a configuration which
looks something like this:
/etc/crypttab:
<dev>_crypt UUID=<some_uuid> none luks,discard
/etc/fstab:
/dev/mapper/<some_LVM_LV> / ext4 <options>
/boot/grub/grub.cfg:
linux /vmlinuz-6.0.0-6-amd64 root=/dev/mapper/<some_LVM_LV> ro quiet
Now, after switching to dracut, the new initrd which is built will not
contain the necessary configuration to actually setup the "<dev>_crypt"
device, since autoconfiguration (rd.auto) is disabled and a hostonly
initrd (which would include a custom /etc/crypttab in the initrd) is not
built.
The result is an initrd which will hang waiting for
/dev/mapper/<some_LVM_LV> to show up, and which will eventually time
out.
A workaround for now is to change /etc/default/grub:
GRUB_CMDLINE_LINUX_DEFAULT="quiet rd.auto=1"
And then run "update-grub".
This, however, means that the name of the crypt device will change from
"<dev>_crypt" (as specified in /etc/crypttab) to "luks-<some_uuid>",
which will result in ugly error messages during boot (that's mostly
cosmetic though) since systemd will fail to setup the device
"<dev>_crypt".
That, in turn, can be fixed by changing /etc/crypttab from:
<dev>_crypt UUID=<some_uuid> none luks,discard
so that it reads:
luks-<some_uuid> UUID=<some_uuid> none luks,discard
(I think that part might need changes to debian-installer, which might
anyway be a good idea, since the luks-<uuid> naming provides a stable
name).
A further problem with building the generic initrd is that custom crypt
addons (like the fido2 support) won't be included in the initrd even if
fido2 is defined in /usr/lib/dracut/modules.d/90crypt/module-setup.sh
("fido2-device=auto").
I'm not 100% sure what the best way to address this would be, but I
think (hope) it should be easier to switch from initramfs-tools to
dracut, even when using an encrypted root FS.
Cheers,
David Härdeman
Version: 059-1
Severity: normal
Dear Maintainer,
since version 059-1, dracut defaults to building a generic initrd.
Unfortunately, the generic initrd means that it is not possible to
switch from initramfs-tools to dracut on a system which uses an
encrypted root FS without further configuration steps.
For example, installing Debian in a VM using a recent (testing) Debian
installer image, and opting for the guided partitioning, with an
encrypted root fs, the system will end up with a configuration which
looks something like this:
/etc/crypttab:
<dev>_crypt UUID=<some_uuid> none luks,discard
/etc/fstab:
/dev/mapper/<some_LVM_LV> / ext4 <options>
/boot/grub/grub.cfg:
linux /vmlinuz-6.0.0-6-amd64 root=/dev/mapper/<some_LVM_LV> ro quiet
Now, after switching to dracut, the new initrd which is built will not
contain the necessary configuration to actually setup the "<dev>_crypt"
device, since autoconfiguration (rd.auto) is disabled and a hostonly
initrd (which would include a custom /etc/crypttab in the initrd) is not
built.
The result is an initrd which will hang waiting for
/dev/mapper/<some_LVM_LV> to show up, and which will eventually time
out.
A workaround for now is to change /etc/default/grub:
GRUB_CMDLINE_LINUX_DEFAULT="quiet rd.auto=1"
And then run "update-grub".
This, however, means that the name of the crypt device will change from
"<dev>_crypt" (as specified in /etc/crypttab) to "luks-<some_uuid>",
which will result in ugly error messages during boot (that's mostly
cosmetic though) since systemd will fail to setup the device
"<dev>_crypt".
That, in turn, can be fixed by changing /etc/crypttab from:
<dev>_crypt UUID=<some_uuid> none luks,discard
so that it reads:
luks-<some_uuid> UUID=<some_uuid> none luks,discard
(I think that part might need changes to debian-installer, which might
anyway be a good idea, since the luks-<uuid> naming provides a stable
name).
A further problem with building the generic initrd is that custom crypt
addons (like the fido2 support) won't be included in the initrd even if
fido2 is defined in /usr/lib/dracut/modules.d/90crypt/module-setup.sh
("fido2-device=auto").
I'm not 100% sure what the best way to address this would be, but I
think (hope) it should be easier to switch from initramfs-tools to
dracut, even when using an encrypted root FS.
Cheers,
David Härdeman
Patrick Schleizer
Jul 22, 2023, 9:20:05 AM7/22/23
to
Thanks to Laszlo Gombos, this has been reported upstream.
Generic initrd does not work with encrypted root FS without further
configuration
https://github.com/dracutdevs/dracut/issues/2437
Generic initrd does not work with encrypted root FS without further
configuration
https://github.com/dracutdevs/dracut/issues/2437
0 new messages