Mailinglist Archive: opensuse (1108 mails)

Re: [opensuse] Booting with an encrypted home
07.08.2018 22:33, Andrei Borzenkov wrote:
07.08.2018 11:52, Carlos E. R. wrote:


Hi,

On one machine (Leap 42.3) with encrypted home, when it boots and I'm
not there it waits forever at the password prompt (not using plymouth).

By default, the systemd service that decrypts the container has no timeout. You
can change it in /etc/crypttab using the timeout= option.

As it acts as my home server, this is inconvenient:

/etc/crypttab:

cr_home /dev/disk/by-id/ata-KINGSTON... none none

/etc/fstab:

/dev/mapper/cr_home /home xfs lazytime,exec,nofail 1 2


On another machine (a laptop with 15.0) if I don't type the password fast
enough it goes into emergency mode, prompting me to repair or pressing
control-D. It doesn't even wait 3 minutes:

/etc/crypttab:

cr_sda8 /dev/sda8

/etc/fstab:

LABEL=Home /home xfs lazytime 0 1



The difference is that in the former case systemd actually knows the device
name (/dev/mapper/cr_home), and this device name has an explicit dependency
on the systemd-cryptsetup service, which means the job to mount the filesystem
is not even started. In the latter case there is no connection between
LABEL=Home and the encrypted container (you need to decrypt it first to know
the label), so the mount job is started in parallel with the decrypt job, times
out and triggers emergency mode. If you use the same configuration in both cases
they also behave identically (i.e. Leap 15 will wait indefinitely just as well).


It was not quite correct. The systemd cryptsetup generator explicitly
disables the start timeout for /dev/mapper/<device name>, so in the former
case it waits indefinitely for the device to appear. In the latter case it
times out waiting for the device with LABEL=Home because this device has no
connection to /dev/mapper/cr_sda8 (no way to scan for labels before it
is decrypted).

...>

I don't know how to control these timing decisions.


The timeout= option in /etc/crypttab. Sometimes I wonder why people even
bother to write manual pages if nobody reads them anyway ...

Note that it does not work with Plymouth. The passphrase query screen
remains stuck and neither the X11 GUI appears nor can I switch to text login
(I just get an empty terminal). I believe this is a plymouth bug - there is
a job to stop plymouth at the end of the boot sequence and it has an infinite
timeout and it probably fails to properly stop plymouth in this state.
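
The two conditions discussed in this thread can be checked from the files themselves. The following is an added example, not part of the original message: it flags crypttab volumes with no timeout= option and volumes that fstab never references as /dev/mapper/<name>. The sample file contents, the `ata-EXAMPLE` path, the `timeout=180` value and all function names are constructed for illustration.

```python
# Added example (not from the thread): audit crypttab/fstab text for the two
# conditions discussed above. All sample contents below are constructed.
MACHINE_A = ("cr_home /dev/disk/by-id/ata-EXAMPLE none none\n",   # placeholder path
             "/dev/mapper/cr_home /home xfs lazytime,exec,nofail 1 2\n")
MACHINE_B = ("cr_sda8 /dev/sda8\n",
             "LABEL=Home /home xfs lazytime 0 1\n")
# Constructed "after" variant: explicit timeout and a /dev/mapper reference.
MACHINE_B_FIXED = ("cr_sda8 /dev/sda8 none timeout=180\n",
                   "/dev/mapper/cr_sda8 /home xfs lazytime,nofail 0 2\n")

REASONS = {
    "no-timeout": "no timeout= in crypttab: passphrase prompt has no time limit",
    "no-mapper-ref": "fstab never names /dev/mapper/<name>: a LABEL=/UUID= mount "
                     "has no link to the decrypt job and can time out on its own",
}

def rows(text):
    """Yield the whitespace-split fields of each non-empty, non-comment line."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line.split()

def parse_crypttab(text):
    """Map volume name -> option list (4th field; 'none' counts as no option)."""
    volumes = {}
    for fields in rows(text):
        if len(fields) < 2:
            continue  # malformed line: a name without a device
        opts = fields[3].split(",") if len(fields) > 3 else []
        volumes[fields[0]] = [o for o in opts if o != "none"]
    return volumes

def audit(crypttab_text, fstab_text):
    """Return (volume, code) findings; codes are the keys of REASONS.
    Heuristic: a volume not mounted through fstab at all is also flagged."""
    specs = {fields[0] for fields in rows(fstab_text)}
    findings = []
    for name, opts in parse_crypttab(crypttab_text).items():
        if not any(o.startswith("timeout=") for o in opts):
            findings.append((name, "no-timeout"))
        if f"/dev/mapper/{name}" not in specs:
            findings.append((name, "no-mapper-ref"))
    return findings

if __name__ == "__main__":
    for label, (ct, ft) in [("A", MACHINE_A), ("B", MACHINE_B), ("B fixed", MACHINE_B_FIXED)]:
        for name, code in audit(ct, ft) or [("-", None)]:
            print(f"{label}: {name}: {REASONS.get(code, 'ok')}")
```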


