[Bug 568577] New: rccrypto fails after recent kernel update. Login to encrypted home fails, too.
http://bugzilla.novell.com/show_bug.cgi?id=568577
http://bugzilla.novell.com/show_bug.cgi?id=568577#c0

Summary: rccrypto fails after recent kernel update. Login to encrypted home fails, too.
Classification: openSUSE
Product: openSUSE 11.2
Version: Final
Platform: i686
OS/Version: openSUSE 11.2
Status: NEW
Severity: Major
Priority: P5 - None
Component: Security
AssignedTo: security-team@suse.de
ReportedBy: carlos.e.r@opensuse.org
QAContact: qa@suse.de
Found By: ---
Blocker: ---

Warning: this bug must not be restricted to Novell employees, contrary to what bugzilla states for security related bugs. Classified as "security" as encryption is a security feature.

After update to kernel 2.6.31.8-0.1-desktop, mounting encrypted partitions fails:

bombadillo:~ # dmsetup ls
No devices found
bombadillo:~ # rccrypto start crmm_dvd_f1r
Please enter passphrase for crmm_dvd_f1r:
Please enter passphrase for crmm_dvd_f1r:
key slot 0 unlocked.
Command successful.
[/sbin/fsck.reiserfs (1) -- /mnt/crypta.mm_dvd1.r] fsck.reiserfs -a /dev/mapper/crmm_dvd_f1r
Reiserfs super block in block 16 on 0xfd00 of format 3.6 with standard journal
Blocks (total/free): 1147200/4410 by 4096 bytes
Filesystem is clean
mount: /dev/mapper/crmm_dvd_f1r already mounted or /mnt/crypta.mm_dvd1.r busy
Command failed: Device busy
crmm_dvd_f1r... failed
bombadillo:~ # rccrypto status crmm_dvd_f1r
crmm_dvd_f1r [ loop0 mapped mounted ] running
bombadillo:~ # rccrypto status crmm_dvd_f3r
crmm_dvd_f3r unused
bombadillo:~ # rccrypto start crmm_dvd_f3r
Please enter passphrase for crmm_dvd_f3r:
Please enter passphrase for crmm_dvd_f3r:
key slot 0 unlocked.
Command successful.
[/sbin/fsck.reiserfs (1) -- /mnt/crypta.mm_dvd3.r] fsck.reiserfs -a /dev/mapper/crmm_dvd_f3r
Reiserfs super block in block 16 on 0xfd01 of format 3.6 with standard journal
Blocks (total/free): 1147200/2843 by 4096 bytes
Filesystem is clean
crmm_dvd_f3r... done

However, the partitions are in fact mounted and mapped, as rccrypto status correctly shows.

Log:

Jan 6 15:11:30 bombadillo kernel: [ 1947.804623] REISERFS (device dm-0): found reiserfs format "3.6" with standard journal
Jan 6 15:11:30 bombadillo kernel: [ 1947.804653] REISERFS (device dm-0): using ordered data mode
Jan 6 15:11:30 bombadillo kernel: [ 1947.804660] reiserfs: using flush barriers
Jan 6 15:11:30 bombadillo kernel: [ 1947.804835] REISERFS (device dm-0): journal params: device dm-0, size 8192, journal first block 18, max trans len 1024, max batch 900, max commit age 30, max trans age 30
Jan 6 15:11:30 bombadillo kernel: [ 1947.805029] REISERFS (device dm-0): checking transaction log (dm-0)
Jan 6 15:11:30 bombadillo kernel: [ 1947.831516] REISERFS (device dm-0): Using r5 hash to sort names
Jan 6 15:12:09 bombadillo kernel: [ 1986.890241] REISERFS (device dm-1): found reiserfs format "3.6" with standard journal
Jan 6 15:12:09 bombadillo kernel: [ 1986.890279] REISERFS (device dm-1): using ordered data mode
Jan 6 15:12:09 bombadillo kernel: [ 1986.890286] reiserfs: using flush barriers
Jan 6 15:12:09 bombadillo kernel: [ 1986.890422] REISERFS (device dm-1): journal params: device dm-1, size 8192, journal first block 18, max trans len 1024, max batch 900, max commit age 30, max trans age 30
Jan 6 15:12:09 bombadillo kernel: [ 1986.890576] REISERFS (device dm-1): checking transaction log (dm-1)
Jan 6 15:12:09 bombadillo kernel: [ 1986.954205] REISERFS (device dm-1): Using r5 hash to sort names
Jan 6 15:12:09 bombadillo udev.mountd: mount: /dev/mapper/crmm_dvd_f3r already mounted or /mnt/crypta.mm_dvd3.r busy
Jan 6 15:12:09 bombadillo udev.mountd: mount: according to mtab, /dev/mapper/crmm_dvd_f3r is already mounted on /mnt/crypta.mm_dvd3.r

This problem is affecting people with encrypted home partitions. Seen in the Spanish mail list.
-- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
http://bugzilla.novell.com/show_bug.cgi?id=568577#c1
Alfredo Amaya
http://bugzilla.novell.com/show_bug.cgi?id=568577#c2
Ludwig Nussel
http://bugzilla.novell.com/show_bug.cgi?id=568577#c
Ludwig Nussel
http://bugzilla.novell.com/show_bug.cgi?id=568577#c3
Carlos Robinson
http://bugzilla.novell.com/show_bug.cgi?id=568577#c4
Ludwig Nussel
> Jan 6 15:12:09 bombadillo udev.mountd: mount: /dev/mapper/crmm_dvd_f3r already mounted or /mnt/crypta.mm_dvd3.r busy
> Jan 6 15:12:09 bombadillo udev.mountd: mount: according to mtab, /dev/mapper/crmm_dvd_f3r is already mounted on /mnt/crypta.mm_dvd3.r

Looks like this mysterious udevmountd is getting in the way. No idea why this is triggered with the new kernel.

(In reply to comment #3)
> I also have the data for Alfredo, because he posted it on the Spanish mail list.
>
> crypttab:
>
> cr_sda1 /dev/disk/by-id/ata-ST3500830AS_9QG48Q9Z-part1 none swap
> cr_sda3 /dev/disk/by-id/ata-ST3500830AS_9QG48Q9Z-part3 none none
>
> fstab:
>
> /dev/mapper/cr_sda1 swap swap defaults 0 0
> /dev/mapper/cr_sda3 /home ext4 acl,users_xattr,noauto 0 0
>
> During boot he is prompted only once for the password (prior to the update he was prompted twice), and the script reports failure.

Maybe that udevmountd mounted the device while boot.crypto tried to run fsck? Need more debug output to find out.

reassigning to udevmountd author
http://bugzilla.novell.com/show_bug.cgi?id=568577#c5
--- Comment #5 from Carlos Robinson
http://bugzilla.novell.com/show_bug.cgi?id=568577#c6
--- Comment #6 from Carlos Robinson
http://bugzilla.novell.com/show_bug.cgi?id=568577#c7
Ludwig Nussel
http://bugzilla.novell.com/show_bug.cgi?id=568577#c8
Ludwig Nussel
http://bugzilla.novell.com/show_bug.cgi?id=568577#c9
Carlos Robinson
> to see what udevmountd does use this command and watch /var/log/messages:
> # udevadm control --log-priority=info

Ok, done. I then started the four filesystems of #3. First one reported failure (but in fact succeeded), and the rest reported success. (This time I have the password ready and paste it within 3 seconds on each).

bombadillo:~ # cryptodvds start
Please enter passphrase for crmm_dvd_f1r:
Please enter passphrase for crmm_dvd_f1r:
key slot 0 unlocked.
Command successful.
[/sbin/fsck.reiserfs (1) -- /mnt/crypta.mm_dvd1.r] fsck.reiserfs -a /dev/mapper/crmm_dvd_f1r
Reiserfs super block in block 16 on 0xfd00 of format 3.6 with standard journal
Blocks (total/free): 1147200/61678 by 4096 bytes
Filesystem is clean
mount: /dev/mapper/crmm_dvd_f1r already mounted or /mnt/crypta.mm_dvd1.r busy
Command failed: Device busy
crmm_dvd_f1r... failed
Please enter passphrase for crmm_dvd_f2r:
Please enter passphrase for crmm_dvd_f2r:
key slot 0 unlocked.
Command successful.
[/sbin/fsck.reiserfs (1) -- /mnt/crypta.mm_dvd2.r] fsck.reiserfs -a /dev/mapper/crmm_dvd_f2r
Reiserfs super block in block 16 on 0xfd01 of format 3.6 with standard journal
Blocks (total/free): 1147200/190750 by 4096 bytes
Filesystem is clean
crmm_dvd_f2r... done
..

I will add the message log in a minute. HTH.

> To disable udevmountd try adding the following line at the top of /etc/udev/rules.d/81-mount.rules:
> ACTION=="change", SUBSYSTEM=="block", KERNEL=="dm-*", ENV{DM_TARGET_TYPES}=="crypt", GOTO="skip_mount"

This part I don't have time to test tonight, it is late. Tomorrow, I hope.

> Does that resolve your problems?
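An added example, not part of the original thread: one way to confirm from the syslog that udev.mountd raced the crypto init script, by listing the crypttab volumes for which udev.mountd logged the "already mounted or ... busy" error. The function names, the image path and the `vg-data` line are constructed for illustration; the other log lines are taken from the report above.

```shell
#!/bin/sh
# Added example: list crypttab volumes that udev.mountd also tried to mount.
# usage: crypt_mount_conflicts SYSLOG CRYPTTAB
#   e.g. crypt_mount_conflicts /var/log/messages /etc/crypttab
crypt_mount_conflicts() {
    awk '
        # crypttab (first file): column 1 is the mapper name.
        FILENAME == ARGV[1] {
            if ($0 !~ /^[ \t]*(#|$)/) names[$1] = 1
            next
        }
        # syslog: keep only the mount failures logged by udev.mountd.
        / udev\.mountd: mount: \/dev\/mapper\// && /already mounted or/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^\/dev\/mapper\//) {
                    n = $i
                    sub(/^\/dev\/mapper\//, "", n)
                    # Report each crypttab volume once; ignore other dm devices.
                    if ((n in names) && !seen[n]++) print n
                }
        }
    ' "$2" "$1"
}

# Constructed sample: a crypttab entry (image path is made up) plus syslog
# lines, the last of which is a made-up non-crypto device-mapper volume.
sample_run() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/crypttab" <<'EOF'
# name        device (constructed path)  key   options
crmm_dvd_f3r  /srv/images/dvd_f3.img     none  noauto,loop
EOF
    cat > "$dir/messages" <<'EOF'
Jan 6 15:12:09 bombadillo kernel: [ 1986.954205] REISERFS (device dm-1): Using r5 hash to sort names
Jan 6 15:12:09 bombadillo udev.mountd: mount: /dev/mapper/crmm_dvd_f3r already mounted or /mnt/crypta.mm_dvd3.r busy
Jan 6 15:12:09 bombadillo udev.mountd: mount: according to mtab, /dev/mapper/crmm_dvd_f3r is already mounted on /mnt/crypta.mm_dvd3.r
Jan 6 15:12:10 bombadillo udev.mountd: mount: /dev/mapper/vg-data already mounted or /data busy
EOF
    crypt_mount_conflicts "$dir/messages" "$dir/crypttab"
    status=$?
    rm -rf "$dir"
    return $status
}

sample_run
```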
http://bugzilla.novell.com/show_bug.cgi?id=568577#c10
--- Comment #10 from Carlos Robinson
http://bugzilla.novell.com/show_bug.cgi?id=568577#c11
Ludwig Nussel
http://bugzilla.novell.com/show_bug.cgi?id=568577#c12
Carlos Robinson
> according to the log udevmountd does mount the device in the background so the udev rules I posted should help. If you could confirm that I'll request an update.

Ok, tested, it does work fine. Thanks :-) I will add the log in a moment. I wonder if something of the sort could be used so that gnome does not try to mount encrypted DVDs? I'll have to think about it.

> btw: you should set the last two columns in fstab to 0 for your dvd's. doesn't make sense to run fsck on a ro media...

Ah, but those are not DVDs, but DVD reiserfs images, which are loop mounted rw. After I burn them to a DVD, they are ro, and I use a different entry:

/etc/crypttab:
crmm_dvd.l /dev/dvd.l none noauto,loop

/etc/fstab:
/dev/mapper/crmm_dvd.l /mnt/dvd.crypta.l \
    auto ro,noauto,user,noatime,nodiratime 0 0
http://bugzilla.novell.com/show_bug.cgi?id=568577#c13
--- Comment #13 from Carlos Robinson
http://bugzilla.novell.com/show_bug.cgi?id=568577#c14
Ludwig Nussel
http://bugzilla.novell.com/show_bug.cgi?id=568577#c15
Marcus Meissner
http://bugzilla.novell.com/show_bug.cgi?id=568577#c16
Swamp Workflow Management
http://bugzilla.novell.com/show_bug.cgi?id=568577#c
Marcus Meissner
http://bugzilla.novell.com/show_bug.cgi?id=568577#c17
--- Comment #17 from Marius Tomaschewski
http://bugzilla.novell.com/show_bug.cgi?id=568577#c19
Marcus Meissner
http://bugzilla.novell.com/show_bug.cgi?id=568577#c20
--- Comment #20 from Carlos Robinson
> Submitted package with fix:
> Descr: 'fix for bnc#568577 to not handle crypto devices in udevmountd but in boot.crypto'

In case it is related: If I put an encrypted DVD with entries in crypttab, gnome wants to handle it and prompts for the password. I'm not sure where this should be avoided: here, or requesting the gnome people they add a setting to disable this behaviour?
http://bugzilla.novell.com/show_bug.cgi?id=568577#c21
--- Comment #21 from Ludwig Nussel
> If I put an encrypted DVD with entries in crypttab, gnome wants to handle it and prompts for the password. I'm not sure where this should be avoided: here, or requesting the gnome people they add a setting to disable this behaviour?

Well, you can try filing a separate bug but I somehow doubt it could be fixed in a general way. Your case is rather exotic. I don't know if gnome uses hal or devicekit on 11.2. For hal a rule that sets volume.ignore=TRUE should work. I guess devicekit has similar methods.
http://bugzilla.novell.com/show_bug.cgi?id=568577#c27
Marcus Meissner
http://bugzilla.novell.com/show_bug.cgi?id=568577#c
Ludwig Nussel
http://bugzilla.novell.com/show_bug.cgi?id=568577#c29
Marius Tomaschewski
http://bugzilla.novell.com/show_bug.cgi?id=568577#c30
Swamp Workflow Management
http://bugzilla.novell.com/show_bug.cgi?id=568577#c
Swamp Workflow Management
http://bugzilla.novell.com/show_bug.cgi?id=568577#c33
--- Comment #33 from Bernhard Wiedemann