nixos/fileystems: Fix boot fails with encrypted fs #29344

@Moredread Moredread commented Sep 14, 2017

Motivation for this change

Also see issue #29142.

Boot fails when a keyfile is configured for all encrypted filesystems
and no other luks devices are configured. This is because luks support is only
enabled in the initrd when boot.initrd.luks.devices has entries. When a
filesystem has a keyfile configured though, it is set up by a custom
command, not by boot.initrd.luks.

This commit adds an internal config flag to enable luks support in the
initrd file, even if there are no luks devices configured.

A test for this issue is available via PR #29269. Without this PR applied the test fails, with it it succeeds.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option build-use-sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • Linux
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Fits CONTRIBUTING.md.
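
A configuration of the kind the description refers to, as an added example that is not part of the PR or the NixOS code base. The device paths, the mapper label and the key file location are constructed:

```nix
{
  # Constructed example. The root filesystem is not encrypted, so nothing
  # is declared under boot.initrd.luks.devices and that attribute set stays empty.
  fileSystems."/" = {
    device = "/dev/disk/by-label/nixos";
    fsType = "ext4";
  };

  # The only encrypted filesystem is unlocked with a key file. It is opened
  # by the custom command generated from fileSystems.<name>.encrypted, not
  # by an entry in boot.initrd.luks.devices.
  fileSystems."/data" = {
    device = "/dev/mapper/data";       # mapper device created from `label`
    fsType = "ext4";
    encrypted = {
      enable = true;
      blkDev = "/dev/sdb1";            # underlying LUKS block device
      label = "data";                  # name of the mapped device
      keyFile = "/mnt-root/root/data.key";  # read after root is mounted at /mnt-root
    };
  };

  # Before this PR: the initrd is built without luks support because
  # boot.initrd.luks.devices is empty, and boot fails when the key file
  # command runs.
  # After this PR: the internal flag it adds is set automatically, so this
  # configuration needs no change.
}
```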

@Moredread Moredread force-pushed the fix/fileystem-encrypted-keyfile-missing-initrd-support branch from 31ea1bb to 2000fba Compare September 14, 2017 03:28
@Moredread Moredread changed the title Fix issue where boot fails when all encrypted fs have keyfiles config… nixos/fileystems: Fix boot fails with encrypted fs Sep 14, 2017
@joachifm joachifm added this to the 17.09 milestone Sep 17, 2017
Mic92 commented Sep 20, 2017

At first glance, we could also check if any device has the encrypted.keyFile property set, right?
This would require no extra configuration from the user.

@Moredread

That would also be possible, but would add a dependency from the initrd luks module to the fileSystems module. I personally find that less elegant, but it might still be the better solution.

The patch doesn't need additional configuration by the user; the flag is set internally in nixos/modules/system/boot/luksroot.nix.

Mic92 commented Sep 22, 2017

I had not noticed the line in nixos/modules/tasks/encrypted-devices.nix; then it is good to go.

@Mic92 Mic92 merged commit 42be8db into NixOS:master Sep 22, 2017
@Moredread Moredread deleted the fix/fileystem-encrypted-keyfile-missing-initrd-support branch September 22, 2017 18:29