[pkg-cryptsetup-devel] Bug#842951: Bug#842951: Falsely identifies origin of a key file

martin f krafft madduck at debian.org
Wed Nov 16 14:40:25 UTC 2016


also sprach Jonas Meurer <jonas at freesources.org> [2016-11-14 19:01 +0100]:
> > I think the reason for the confusion is that the "crypt" device is
> > actually a PV for the fishbowl LVM VG, and the root filesystem is
> > just an LV there, so it's not encrypted per se, but it's part of an
> > encrypted volume group…
> 
> Can you give a bit more context here? In particular the shell script
> trace before and after the part that you parsed would be helpful. Could
> you send me the full shell script trace with 'set -x' enabled (and
> KEYFILE_PATTERN temporarily removed again)?

Here you go, hope this helps. More info below.

+ PREREQ=
+ prereqs
+ echo
+ exit 0
+ PREREQ=
+ . /usr/share/initramfs-tools/hook-functions
+ setup=no
+ rootdevs=
+ usrdevs=
+ resumedevs=
+ eval [ ${CRYPTSETUP+x} ]
+ [ ]
+ eval [ ${KEYFILE_PATTERN+x} ]
+ [ ]
+ [ -f /etc/cryptsetup-initramfs/conf-hook ]
+ . /etc/cryptsetup-initramfs/conf-hook
+ [ -n  ]
+ [  ]
+ [ -r /etc/crypttab ]
+ get_fs_devices /
+ local device mount type options dump pass
+ local wantmount=/
+ [ ! -r /etc/fstab ]
+ grep -s ^[^#] /etc/fstab
+ read device mount type options dump pass
+ [ swap = / ]
+ read device mount type options dump pass
+ [ / = / ]
+ local devices
+ [ ext4 = btrfs ]
+ canonical_device /dev/mapper/fishbowl-root
+ local dev altdev original
+ dev=/dev/mapper/fishbowl-root
+ opt=
+ [ /dev/mapper/fishbowl-root != /dev/mapper/fishbowl-root ]
+ [ /dev/mapper/fishbowl-root != /dev/mapper/fishbowl-root ]
+ original=/dev/mapper/fishbowl-root
+ [ -h /dev/mapper/fishbowl-root ]
+ readlink -e /dev/mapper/fishbowl-root
+ dev=/dev/dm-1
+ [  = --no-simplify ]
+ [ x = x ]
+ readlink -e /dev/mapper/control
+ [ /dev/mapper/control = /dev/dm-1 ]
+ readlink -e /dev/mapper/crypt
+ [ /dev/dm-0 = /dev/dm-1 ]
+ readlink -e /dev/mapper/fishbowl-root
+ [ /dev/dm-1 = /dev/dm-1 ]
+ dev=/dev/mapper/fishbowl-root
+ readlink -e /dev/mapper/fishbowl-srv
+ [ /dev/dm-5 = /dev/mapper/fishbowl-root ]
+ readlink -e /dev/mapper/fishbowl-swap
+ [ /dev/dm-2 = /dev/mapper/fishbowl-root ]
+ readlink -e /dev/mapper/fishbowl-usr
+ [ /dev/dm-3 = /dev/mapper/fishbowl-root ]
+ readlink -e /dev/mapper/fishbowl-var
+ [ /dev/dm-4 = /dev/mapper/fishbowl-root ]
+ readlink -e /dev/mapper/fishbowl-virt--BASE.virt
+ [ /dev/dm-11 = /dev/mapper/fishbowl-root ]
+ readlink -e /dev/mapper/fishbowl-win7--dupline
+ [ /dev/dm-7 = /dev/mapper/fishbowl-root ]
+ readlink -e /dev/mapper/fishbowl-win7--dupline--persistent
+ [ /dev/dm-10 = /dev/mapper/fishbowl-root ]
+ readlink -e /dev/mapper/fishbowl-win7--dupline--ss
+ [ /dev/dm-9 = /dev/mapper/fishbowl-root ]
+ readlink -e /dev/mapper/fishbowl-win7--dupline--ss-cow
+ [ /dev/dm-8 = /dev/mapper/fishbowl-root ]
+ readlink -e /dev/mapper/fishbowl-win7--dupline-real
+ [ /dev/dm-6 = /dev/mapper/fishbowl-root ]
+ altdev=fishbowl-root
+ [ fishbowl-root != /dev/mapper/fishbowl-root ]
+ printf %s fishbowl-root
+ return 0
+ devices=fishbowl-root
+ printf %s fishbowl-root
+ return
+ rootdevs=fishbowl-root
+ [ -z fishbowl-root ]
+ get_fs_devices /usr
+ local device mount type options dump pass
+ local wantmount=/usr
+ [ ! -r /etc/fstab ]
+ grep -s ^[^#] /etc/fstab
+ read device mount type options dump pass
+ [ swap = /usr ]
+ read device mount type options dump pass
+ [ / = /usr ]
+ read device mount type options dump pass
+ [ /boot/efi = /usr ]
+ read device mount type options dump pass
+ [ /srv = /usr ]
+ read device mount type options dump pass
+ [ /usr = /usr ]
+ local devices
+ [ ext4 = btrfs ]
+ canonical_device /dev/mapper/fishbowl-usr
+ local dev altdev original
+ dev=/dev/mapper/fishbowl-usr
+ opt=
+ [ /dev/mapper/fishbowl-usr != /dev/mapper/fishbowl-usr ]
+ [ /dev/mapper/fishbowl-usr != /dev/mapper/fishbowl-usr ]
+ original=/dev/mapper/fishbowl-usr
+ [ -h /dev/mapper/fishbowl-usr ]
+ readlink -e /dev/mapper/fishbowl-usr
+ dev=/dev/dm-3
+ [  = --no-simplify ]
+ [ x = x ]
+ readlink -e /dev/mapper/control
+ [ /dev/mapper/control = /dev/dm-3 ]
+ readlink -e /dev/mapper/crypt
+ [ /dev/dm-0 = /dev/dm-3 ]
+ readlink -e /dev/mapper/fishbowl-root
+ [ /dev/dm-1 = /dev/dm-3 ]
+ readlink -e /dev/mapper/fishbowl-srv
+ [ /dev/dm-5 = /dev/dm-3 ]
+ readlink -e /dev/mapper/fishbowl-swap
+ [ /dev/dm-2 = /dev/dm-3 ]
+ readlink -e /dev/mapper/fishbowl-usr
+ [ /dev/dm-3 = /dev/dm-3 ]
+ dev=/dev/mapper/fishbowl-usr
+ readlink -e /dev/mapper/fishbowl-var
+ [ /dev/dm-4 = /dev/mapper/fishbowl-usr ]
+ readlink -e /dev/mapper/fishbowl-virt--BASE.virt
+ [ /dev/dm-11 = /dev/mapper/fishbowl-usr ]
+ readlink -e /dev/mapper/fishbowl-win7--dupline
+ [ /dev/dm-7 = /dev/mapper/fishbowl-usr ]
+ readlink -e /dev/mapper/fishbowl-win7--dupline--persistent
+ [ /dev/dm-10 = /dev/mapper/fishbowl-usr ]
+ readlink -e /dev/mapper/fishbowl-win7--dupline--ss
+ [ /dev/dm-9 = /dev/mapper/fishbowl-usr ]
+ readlink -e /dev/mapper/fishbowl-win7--dupline--ss-cow
+ [ /dev/dm-8 = /dev/mapper/fishbowl-usr ]
+ readlink -e /dev/mapper/fishbowl-win7--dupline-real
+ [ /dev/dm-6 = /dev/mapper/fishbowl-usr ]
+ altdev=fishbowl-usr
+ [ fishbowl-usr != /dev/mapper/fishbowl-usr ]
+ printf %s fishbowl-usr
+ return 0
+ devices=fishbowl-usr
+ printf %s fishbowl-usr
+ return
+ usrdevs=fishbowl-usr
+ get_resume_devices
+ local device opt count dupe candidates devices derived
+ candidates=
+ [ -e /etc/uswsusp.conf ]
+ [ -e /etc/suspend.conf ]
+ cat /proc/cmdline
+ [ -e /etc/initramfs-tools/conf.d/resume ]
+ devices=
+ count=0
+ [ 0 -gt 1 ]
+ [ 0 -gt 0 ]
+ return 0
+ resumedevs=
+ get_initramfs_devices
+ local device opt count dupe target source key options candidates devices derived
+ grep -s ^[^#] /etc/crypttab
+ read target source key options
+ printf %s luks,discard
+ grep -Eq ^(.*,)?initramfs(,.*)?$
+ read target source key options
+ candidates=
+ devices=
+ count=0
+ [ 0 -gt 0 ]
+ return 0
+ initramfsdevs=
+ add_device fishbowl-root
+ local node nodes opts lastopts i count
+ nodes=fishbowl-root
+ opts=
+ lastopts=
+ [ -z fishbowl-root ]
+ printf %s fishbowl-root
+ tr   \n
+ grep -Fxq fishbowl-root
+ opts=rootdev
+ node_is_in_crypttab fishbowl-root
+ [ -f /etc/crypttab ]
+ [ 1 -gt 0 ]
+ sed -rn s/^\s*([^#]\S*)\s.*/\1/p /etc/crypttab
+ grep -Fxq fishbowl-root
+ return 1
+ get_lvm_deps fishbowl-root
+ local node deps maj min depnode
+ node=fishbowl-root
+ [ -z fishbowl-root ]
+ dmsetup --noheadings splitname fishbowl-root
+ cut -d: -f1
+ vgs --noheadings -o pv_name fishbowl
+ deps=  /dev/mapper/crypt
+ dmsetup info -c --noheadings -o name /dev/mapper/crypt
+ depnode=crypt
+ [ -z crypt ]
+ dmsetup table crypt
+ cut -d  -f3
+ [ crypt != crypt ]
+ printf %s\n crypt
+ return 0
+ lvmnodes=crypt
+ [ -z crypt ]
+ opts=rootdev,lvm=fishbowl-root
+ nodes=crypt
+ printf %s crypt
+ wc -w
+ count=1
+ i=1
+ [ 1 -eq 1 ]
+ [ -n  ]
+ get_device_opts crypt rootdev,lvm=fishbowl-root
+ local target source link extraopts rootopts opt key
+ target=crypt
+ extraopts=rootdev,lvm=fishbowl-root
+ KEYSCRIPT=
+ KEYFILE=
+ CRYPTHEADER=
+ OPTIONS=
+ [ -z crypt ]
+ awk -vtarget=crypt $1 == target {gsub(/[ \t]+/," "); print; exit} /etc/crypttab
+ opt=crypt UUID=40aa3e9a-dd83-4789-822f-da3ed51b18cc /boot/nvme0n1.luks luks,discard
+ printf %s crypt UUID=40aa3e9a-dd83-4789-822f-da3ed51b18cc /boot/nvme0n1.luks luks,discard
+ cut -d   -f2
+ source=UUID=40aa3e9a-dd83-4789-822f-da3ed51b18cc
+ printf %s crypt UUID=40aa3e9a-dd83-4789-822f-da3ed51b18cc /boot/nvme0n1.luks luks,discard
+ cut -d   -f3
+ key=/boot/nvme0n1.luks
+ printf %s crypt UUID=40aa3e9a-dd83-4789-822f-da3ed51b18cc /boot/nvme0n1.luks luks,discard
+ cut -d   -f4-
+ rootopts=luks,discard
+ [ -z crypt UUID=40aa3e9a-dd83-4789-822f-da3ed51b18cc /boot/nvme0n1.luks luks,discard ]
+ [ -z UUID=40aa3e9a-dd83-4789-822f-da3ed51b18cc ]
+ [ -z /boot/nvme0n1.luks ]
+ [ -z luks,discard ]
+ [ -h UUID=40aa3e9a-dd83-4789-822f-da3ed51b18cc ]
+ [ UUID=40aa3e9a-dd83-4789-822f-da3ed51b18cc = UUID=40aa3e9a-dd83-4789-822f-da3ed51b18cc -a ! -b /dev/disk/by-uuid/40aa3e9a-dd83-4789-822f-da3ed51b18cc ]
+ [ UUID=40aa3e9a-dd83-4789-822f-da3ed51b18cc != UUID=40aa3e9a-dd83-4789-822f-da3ed51b18cc -a ! -b UUID=40aa3e9a-dd83-4789-822f-da3ed51b18cc ]
+ [ /boot/nvme0n1.luks = /dev/random ]
+ [ /boot/nvme0n1.luks = /dev/urandom ]
+ [ -n rootdev,lvm=fishbowl-root ]
+ rootopts=rootdev,lvm=fishbowl-root,luks,discard
+ OPTIONS=target=crypt,source=UUID=40aa3e9a-dd83-4789-822f-da3ed51b18cc
+ local IFS=, 
+ unset HASH_FOUND
+ unset LUKS_FOUND
+ OPTIONS=target=crypt,source=UUID=40aa3e9a-dd83-4789-822f-da3ed51b18cc,rootdev
+ OPTIONS=target=crypt,source=UUID=40aa3e9a-dd83-4789-822f-da3ed51b18cc,rootdev,lvm=fishbowl-root
+ LUKS_FOUND=1
+ OPTIONS=target=crypt,source=UUID=40aa3e9a-dd83-4789-822f-da3ed51b18cc,rootdev,lvm=fishbowl-root,discard
+ [ -z  ]
+ [ -z 1 ]
+ [ -n  ]
+ [ /boot/nvme0n1.luks != none ]
+ [ -z  ]
+ readlink -e /boot/nvme0n1.luks
+ key=/boot/nvme0n1.luks
+ printf %s fishbowl-root
+ tr   \n
+ grep -Fxq crypt
+ stat -c %m -- /boot/nvme0n1.luks
+ [ / != / ]
+ node_is_in_crypttab fishbowl-root
+ [ -f /etc/crypttab ]
+ [ 1 -gt 0 ]
+ sed -rn s/^\s*([^#]\S*)\s.*/\1/p /etc/crypttab
+ grep -Fxq fishbowl-root
+ return 1
+ echo cryptsetup: WARNING: crypt's key file /boot/nvme0n1.luks is not on an encrypted root FS, skipped
cryptsetup: WARNING: crypt's key file /boot/nvme0n1.luks is not on an encrypted root FS, skipped
+ return 1
+ continue
+ return 0
+ modules=
+ [ -n  ]
+ [ no = no ]
+ continue
+ add_device fishbowl-usr
+ local node nodes opts lastopts i count
+ nodes=fishbowl-usr
+ opts=
+ lastopts=
+ [ -z fishbowl-usr ]
+ printf %s fishbowl-root
+ tr   \n
+ grep -Fxq fishbowl-usr
+ node_is_in_crypttab fishbowl-usr
+ [ -f /etc/crypttab ]
+ [ 1 -gt 0 ]
+ sed -rn s/^\s*([^#]\S*)\s.*/\1/p /etc/crypttab
+ grep -Fxq fishbowl-usr
+ return 1
+ get_lvm_deps fishbowl-usr
+ local node deps maj min depnode
+ node=fishbowl-usr
+ [ -z fishbowl-usr ]
+ dmsetup --noheadings splitname fishbowl-usr
+ cut -d: -f1
+ vgs --noheadings -o pv_name fishbowl
+ deps=  /dev/mapper/crypt
+ dmsetup info -c --noheadings -o name /dev/mapper/crypt
+ depnode=crypt
+ [ -z crypt ]
+ dmsetup table crypt
+ cut -d  -f3
+ [ crypt != crypt ]
+ printf %s\n crypt
+ return 0
+ lvmnodes=crypt
+ [ -z crypt ]
+ opts=lvm=fishbowl-usr
+ nodes=crypt
+ printf %s crypt
+ wc -w
+ count=1
+ i=1
+ [ 1 -eq 1 ]
+ [ -n  ]
+ get_device_opts crypt lvm=fishbowl-usr
+ local target source link extraopts rootopts opt key
+ target=crypt
+ extraopts=lvm=fishbowl-usr
+ KEYSCRIPT=
+ KEYFILE=
+ CRYPTHEADER=
+ OPTIONS=
+ [ -z crypt ]
+ awk -vtarget=crypt $1 == target {gsub(/[ \t]+/," "); print; exit} /etc/crypttab
+ opt=crypt UUID=40aa3e9a-dd83-4789-822f-da3ed51b18cc /boot/nvme0n1.luks luks,discard
+ printf %s crypt UUID=40aa3e9a-dd83-4789-822f-da3ed51b18cc /boot/nvme0n1.luks luks,discard
+ cut -d   -f2
+ source=UUID=40aa3e9a-dd83-4789-822f-da3ed51b18cc
+ printf %s crypt UUID=40aa3e9a-dd83-4789-822f-da3ed51b18cc /boot/nvme0n1.luks luks,discard
+ cut -d   -f3
+ key=/boot/nvme0n1.luks
+ printf %s crypt UUID=40aa3e9a-dd83-4789-822f-da3ed51b18cc /boot/nvme0n1.luks luks,discard
+ cut -d   -f4-
+ rootopts=luks,discard
+ [ -z crypt UUID=40aa3e9a-dd83-4789-822f-da3ed51b18cc /boot/nvme0n1.luks luks,discard ]
+ [ -z UUID=40aa3e9a-dd83-4789-822f-da3ed51b18cc ]
+ [ -z /boot/nvme0n1.luks ]
+ [ -z luks,discard ]
+ [ -h UUID=40aa3e9a-dd83-4789-822f-da3ed51b18cc ]
+ [ UUID=40aa3e9a-dd83-4789-822f-da3ed51b18cc = UUID=40aa3e9a-dd83-4789-822f-da3ed51b18cc -a ! -b /dev/disk/by-uuid/40aa3e9a-dd83-4789-822f-da3ed51b18cc ]
+ [ UUID=40aa3e9a-dd83-4789-822f-da3ed51b18cc != UUID=40aa3e9a-dd83-4789-822f-da3ed51b18cc -a ! -b UUID=40aa3e9a-dd83-4789-822f-da3ed51b18cc ]
+ [ /boot/nvme0n1.luks = /dev/random ]
+ [ /boot/nvme0n1.luks = /dev/urandom ]
+ [ -n lvm=fishbowl-usr ]
+ rootopts=lvm=fishbowl-usr,luks,discard
+ OPTIONS=target=crypt,source=UUID=40aa3e9a-dd83-4789-822f-da3ed51b18cc
+ local IFS=, 
+ unset HASH_FOUND
+ unset LUKS_FOUND
+ OPTIONS=target=crypt,source=UUID=40aa3e9a-dd83-4789-822f-da3ed51b18cc,lvm=fishbowl-usr
+ LUKS_FOUND=1
+ OPTIONS=target=crypt,source=UUID=40aa3e9a-dd83-4789-822f-da3ed51b18cc,lvm=fishbowl-usr,discard
+ [ -z  ]
+ [ -z 1 ]
+ [ -n  ]
+ [ /boot/nvme0n1.luks != none ]
+ [ -z  ]
+ readlink -e /boot/nvme0n1.luks
+ key=/boot/nvme0n1.luks
+ printf %s fishbowl-root
+ tr   \n
+ grep -Fxq crypt
+ stat -c %m -- /boot/nvme0n1.luks
+ [ / != / ]
+ node_is_in_crypttab fishbowl-root
+ [ -f /etc/crypttab ]
+ [ 1 -gt 0 ]
+ sed -rn s/^\s*([^#]\S*)\s.*/\1/p /etc/crypttab
+ grep -Fxq fishbowl-root
+ return 1
+ echo cryptsetup: WARNING: crypt's key file /boot/nvme0n1.luks is not on an encrypted root FS, skipped
cryptsetup: WARNING: crypt's key file /boot/nvme0n1.luks is not on an encrypted root FS, skipped
+ return 1
+ continue
+ return 0
+ modules=
+ [ -n  ]
+ [ no = no ]
+ continue
+ [ dep != dep ]
+ [ no = yes ]
+ exit 0

> For some reason, 'node_is_in_crypttab fishbowl-root' expands to
> false. Is 'fishbowl-root' the name of your unlocked dm-crypt
> device or the name of your LVM logical volume?

The setup is as follows:

  /boot is on LV /dev/mapper/fishbowl-root
  The fishbowl VG is on PV /dev/mapper/crypt
  /dev/mapper/crypt is a dm-crypt mapping on top of /dev/nvme0n1p3

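So to answer your question: 'fishbowl-root' is the LV 'root' in VG
'fishbowl', which sits on PV 'crypt', which is the unlocked dm-crypt
device corresponding to the SSD. /etc/crypttab lists 'crypt' rather
than 'fishbowl-root', which is why the lookup by LV name in the trace
above returns 1.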

-- 
 .''`.   martin f. krafft <madduck at d.o> @martinkrafft
: :'  :  proud Debian developer
`. `'`   http://people.debian.org/~madduck
  `-  Debian - when you have better things to do than fixing systems