luksroot: Wait for the header (device) to appear #24634
Conversation
|
|
||
| # Wait for luksRoot (and optionally keyFile and/or header) to appear, e.g. | ||
| # if on a USB drive. | ||
| wait_target "device" ${device} |
There was a problem hiding this comment.
mhm, I hope this can be replaced with systemd-cryptsetup in future with proper udev auto-detection.
There was a problem hiding this comment.
I don't know about systemd-cryptsetup but imho we should always have an alternative in case we want to replace systemd one day.
Edit: But I agree that this would most likely make sense when using systemd anyway.
There was a problem hiding this comment.
We have a waitDevice() in stage-1 using udev. Is this applicable here?
There was a problem hiding this comment.
Short answer: Yes (if we modify some stuff in stage-1-init.sh)
Long answer: It's a bit more complicated... Currently the commands from luksroot.nix are executed before waitDevice() is declared, i.e. we should move the code to the top (which would probably make sense for all/most functions in there). Then I would suggest that we extend the function so that we can keep the current output and the amount of seconds to wait should probably be a parameter as well (better an optional parameter, if possible). And then we would need to think about the LVM stuff (we have preLVMCommands and postDeviceCommands (post LVM) - running lvm vgchange -ay as pre LVM command would destroy that separation).
I thought about using waitDevice() but decided against it for the above reasons. Imho this commit/PR already does what it's supposed to do (imho) and improves the current situation - I hope you don't mind if I merge it 😄.
I agree that there are a lot of possible improvements for stage-1-init.sh but imho that should go into a separate commit/PR - actually I already thought about some (including using waitDevice()) but unfortunately that might have to wait for a while since I don't have enough time for that atm.
The LUKS header can be on another device (e.g. a USB stick). In my case it can take up to two seconds until the partition on my USB stick is available (i.e. the decryption fails without this patch). This will also remove some redundancy by providing the shell function `wait_target` and slightly improve the output (one "." per second and a success/failure indication after 10 seconds instead of always printing "ok").
The LUKS header can be on another device (e.g. a USB stick). In my case
it can take up to two seconds until the partition on my USB stick is
available (i.e. the decryption fails without this patch). This will also
remove some redundancy by providing the shell function
wait_targetandslightly improve the output (one "." per second and a success/failure
indication after 10 seconds instead of always printing "ok").
cc @Calrama @edolstra