[PATCH] mapped-devices/luks: Support extra options.

  • Open
Details
4 participants
  • 45mg
  • Ludovic Courtès
  • Maxim Cournoyer
  • Maxim Cournoyer
Owner
unassigned
Submitted by
45mg
Severity
normal

(address . guix-patches@gnu.org)
fb637872bd14abe305d810b9d32e0db290b26dd6.1743702237.git.45mg.writes@gmail.com
Allow passing extra options to the 'cryptsetup open' command.

* gnu/system/mapped-devices.scm (luks-device-mapping-with-options):
[#:extra-options]: New argument.
(open-luks-device): Use it.
* doc/guix.texi (Mapped Devices): Document it.
* gnu/tests/install.scm (%test-encrypted-root-extra-options-os): New
test for it, as well as the previously untested #:allow-discards?
option.
(%encrypted-root-extra-options-os): New os declaration for the test.

Change-Id: Ia9fd129d1c66cbf27abdd3064d59188083465247
---
CCing everyone who worked on the allow-discards option - this change is very
similar.

%encrypted-root-extra-options-os is copied from %encrypted-root-os; only
the mapped-devices field is changed. I wish I could avoid this code
duplication by having `(inherit %encrypted-root-os)` in the os
definition, but when I do that, the test fails with this error in the
build log:

/mnt/etc/config.scm:1:100: error: %encrypted-root-os: unbound variable

Any chance you Guile wizards know how to make this work?


doc/guix.texi | 20 ++++++++++-
gnu/system/mapped-devices.scm | 25 ++++++++-----
gnu/tests/install.scm | 68 +++++++++++++++++++++++++++++++++++
3 files changed, 104 insertions(+), 9 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index bcb1f9d9cf..9cd1304522 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -18461,7 +18461,7 @@ Mapped Devices
@code{dm-crypt} Linux kernel module.
@end defvar
-@deffn {Procedure} luks-device-mapping-with-options [#:key-file #:allow-discards?]
+@deffn {Procedure} luks-device-mapping-with-options [#:key-file #:allow-discards? #:extra-options]
Return a @code{luks-device-mapping} object, which defines LUKS block
device encryption using the @command{cryptsetup} command from the
package with the same name. It relies on the @code{dm-crypt} Linux
@@ -18492,6 +18492,24 @@ Mapped Devices
information, refer to the description of the @code{--allow-discards}
option in the @code{cryptsetup-open(8)} man page.
+@code{extra-options} may be used to specify a list of additional
+command-line options for the @code{cryptsetup open} command. See the
+@code{cryptsetup-open(8)} man page for a list of supported options.
+
+For example, here is how you could specify the
+@code{--perf-no_read_workqueue} and @code{--perf-no_write_workqueue}
+options, along with @code{--allow-discards}:
+
+@lisp
+(mapped-device
+ (source "/dev/sdb1)
+ (target "data)
+ (type (luks-device-mapping-with-options
+ #:allow-discards? #t
+ #:extra-options '("--perf-no_read_workqueue"
+ "--perf-no_write_workqueue"))))
+@end lisp
+
@end deffn
@defvar raid-device-mapping
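
Review bot: the two string literals in the added @lisp example are never closed: `(source "/dev/sdb1)` and `(target "data)` each lack the closing double quote, so the example cannot be pasted into a configuration as written. Close both strings, and consider marking up the three options in the paragraph above the example with @option rather than @code.
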
diff --git a/gnu/system/mapped-devices.scm b/gnu/system/mapped-devices.scm
index 667a495570..520ade9ef8 100644
--- a/gnu/system/mapped-devices.scm
+++ b/gnu/system/mapped-devices.scm
@@ -194,10 +194,12 @@ (define (check-device-initrd-modules device linux-modules location)
;;; Common device mappings.
;;;
-(define* (open-luks-device source targets #:key key-file allow-discards?)
+(define* (open-luks-device source targets
+ #:key key-file allow-discards? extra-options)
"Return a gexp that maps SOURCE to TARGET as a LUKS device, using
'cryptsetup'. When ALLOW-DISCARDS? is true, the use of discard (TRIM)
-requests is allowed for the underlying device."
+requests is allowed for the underlying device. EXTRA-OPTIONS is a list of
+additional options to be passed to the 'cryptsetup open' command."
(with-imported-modules (source-module-closure
'((gnu build file-systems)
(guix build utils))) ;; For mkdir-p
@@ -238,10 +240,15 @@ (define* (open-luks-device source targets #:key key-file allow-discards?)
(let ((cryptsetup #$(file-append cryptsetup-static
"/sbin/cryptsetup"))
(cryptsetup-flags (cons*
- "open" "--type" "luks" partition #$target
- (if #$allow-discards?
- '("--allow-discards")
- '()))))
+ "open" "--type" "luks"
+ (append
+ (if #$allow-discards?
+ '("--allow-discards")
+ '())
+ (if (pair? '#$extra-options)
+ '#$extra-options
+ '())
+ (list partition #$target)))))
;; We want to fallback to the password unlock if the keyfile
;; fails.
(or (and keyfile
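
Review bot: in the new `(append ...)` form, `(if (pair? '#$extra-options) '#$extra-options '())` silently drops any value that is not a non-empty list, so a mistake such as passing a single string for #:extra-options gives a device opened without the requested options and no error. Give `extra-options` a default of `'()` in the `define*` and reject non-list values when the configuration is evaluated, instead of filtering them out in the generated code.
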
@@ -290,7 +297,8 @@ (define luks-device-mapping
((gnu build file-systems)
#:select (find-partition-by-luks-uuid system*/tty))))))
-(define* (luks-device-mapping-with-options #:key key-file allow-discards?)
+(define* (luks-device-mapping-with-options
+ #:key key-file allow-discards? extra-options)
"Return a luks-device-mapping object with open modified to pass the arguments
into the open-luks-device procedure."
(mapped-device-kind
@@ -298,7 +306,8 @@ (define* (luks-device-mapping-with-options #:key key-file allow-discards?)
(open (λ (source targets)
(open-luks-device source targets
#:key-file key-file
- #:allow-discards? allow-discards?)))))
+ #:allow-discards? allow-discards?
+ #:extra-options extra-options)))))
(define (open-raid-device sources targets)
"Return a gexp that assembles SOURCES (a list of devices) to the RAID device
diff --git a/gnu/tests/install.scm b/gnu/tests/install.scm
index a837637b18..fd9f17eb4d 100644
--- a/gnu/tests/install.scm
+++ b/gnu/tests/install.scm
@@ -68,6 +68,7 @@ (define-module (gnu tests install)
%test-separate-home-os
%test-raid-root-os
%test-encrypted-root-os
+ %test-encrypted-root-extra-options-os
%test-encrypted-home-os
%test-encrypted-home-os-key-file
%test-encrypted-root-not-boot-os
@@ -843,6 +844,73 @@ (define %test-encrypted-root-os
(run-basic-test %encrypted-root-os command "encrypted-root-os"
#:initialization enter-luks-passphrase)))))
+
+;;;
+;;; LUKS-encrypted root with extra options: --allow-discards,
+;;; --perf-no_read_workqueue and --perf-no_write_workqueue
+;;;
+
+;; Except for the 'mapped-devices' field, this is exactly the same as
+;; %encrypted-root-os.
+(define-os-with-source (%encrypted-root-extra-options-os
+ %encrypted-root-extra-options-os-source)
+ ;; The OS we want to install.
+ (use-modules (gnu) (gnu tests) (srfi srfi-1))
+
+ (operating-system
+ (host-name "liberigilo")
+ (timezone "Europe/Paris")
+ (locale "en_US.UTF-8")
+
+ (bootloader (bootloader-configuration
+ (bootloader grub-bootloader)
+ (targets '("/dev/vdb"))))
+
+ ;; Note: Do not pass "console=ttyS0" so we can use our passphrase prompt
+ ;; detection logic in 'enter-luks-passphrase'.
+
+ (mapped-devices (list (mapped-device
+ (source (uuid "12345678-1234-1234-1234-123456789abc"))
+ (target "the-root-device")
+ (type (luks-device-mapping-with-options
+ #:allow-discards? #t
+ #:extra-options
+ '("--perf-no_read_workqueue"
+ "--perf-no_write_workqueue"))))))
+ (file-systems (cons (file-system
+ (device "/dev/mapper/the-root-device")
+ (mount-point "/")
+ (type "ext4"))
+ %base-file-systems))
+ (users (cons (user-account
+ (name "charlie")
+ (group "users")
+ (supplementary-groups '("wheel" "audio" "video")))
+ %base-user-accounts))
+ (services (cons (service marionette-service-type
+ (marionette-configuration
+ (imported-modules '((gnu services herd)
+ (guix combinators)))))
+ %base-services))))
+
+(define %test-encrypted-root-extra-options-os
+ (system-test
+ (name "encrypted-root-extra-options-os")
+ (description
+ "Test basic functionality of an OS installed like one would do by hand,
+with an LUKS-encrypted root partition opened with extra options
+(--allow-discards, --perf-no_read_workqueue and --perf-no_write_workqueue).
+This test is expensive in terms of CPU and storage usage since we need to
+build (current-guix) and then store a couple of full system images.")
+ (value
+ (mlet* %store-monad ((images (run-install %encrypted-root-extra-options-os
+ %encrypted-root-extra-options-os-source
+ #:script
+ %encrypted-root-installation-script))
+ (command (qemu-command* images)))
+ (run-basic-test %encrypted-root-os command "encrypted-root-extra-options-os"
+ #:initialization enter-luks-passphrase)))))
+
;;;
;;; Separate /home on LVM
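
Review bot: the last form of `%test-encrypted-root-extra-options-os` calls `(run-basic-test %encrypted-root-os command ...)`, so the basic test is given the original OS declaration while the images were installed from `%encrypted-root-extra-options-os`. The comment above says the two differ only in 'mapped-devices', so this may well pass, but pass `%encrypted-root-extra-options-os` here so the test describes the system it actually installed.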

base-commit: 4ea012fc6ddcb32574fbd4a854b11808c34fbca8
--
2.49.0
Maxim Cournoyer wrote on 26 Apr 06:16 -0700
(name . 45mg)(address . 45mg.writes@gmail.com)
87selvcbb8.fsf@gmail.com
Hi,

45mg <45mg.writes@gmail.com> writes:

> Allow passing extra options to the 'cryptsetup open' command.
>
> * gnu/system/mapped-devices.scm (luks-device-mapping-with-options):
> [#:extra-options]: New argument.
> (open-luks-device): Use it.
> * doc/guix.texi (Mapped Devices): Document it.
> * gnu/tests/install.scm (%test-encrypted-root-extra-options-os): New
> test for it, as well as the previously untested #:allow-discards?
> option.
> (%encrypted-root-extra-options-os): New os declaration for the test.

Sounds good.

> Change-Id: Ia9fd129d1c66cbf27abdd3064d59188083465247
> ---
> CCing everyone who worked on the allow-discards option - this change is very
> similar.
>
> %encrypted-root-extra-options-os is copied from %encrypted-root-os; only
> the mapped-devices field is changed. I wish I could avoid this code
> duplication by having `(inherit %encrypted-root-os)` in the os
> definition, but when I do that, the test fails with this error in the
> build log:
>
> /mnt/etc/config.scm:1:100: error: %encrypted-root-os: unbound variable
>
> Any chance you Guile wizards know how to make this work?

I think I've probably banged my head on this at some point but don't
have an immediate idea.

>
> doc/guix.texi | 20 ++++++++++-
> gnu/system/mapped-devices.scm | 25 ++++++++-----
> gnu/tests/install.scm | 68 +++++++++++++++++++++++++++++++++++
> 3 files changed, 104 insertions(+), 9 deletions(-)
>
> diff --git a/doc/guix.texi b/doc/guix.texi
> index bcb1f9d9cf..9cd1304522 100644
> --- a/doc/guix.texi
> +++ b/doc/guix.texi
> @@ -18461,7 +18461,7 @@ Mapped Devices
> @code{dm-crypt} Linux kernel module.
> @end defvar
>
> -@deffn {Procedure} luks-device-mapping-with-options [#:key-file #:allow-discards?]
> +@deffn {Procedure} luks-device-mapping-with-options [#:key-file #:allow-discards? #:extra-options]

Was there a way to break a line in Texinfo?

> Return a @code{luks-device-mapping} object, which defines LUKS block
> device encryption using the @command{cryptsetup} command from the
> package with the same name. It relies on the @code{dm-crypt} Linux
> @@ -18492,6 +18492,24 @@ Mapped Devices
> information, refer to the description of the @code{--allow-discards}
> option in the @code{cryptsetup-open(8)} man page.
>
> +@code{extra-options} may be used to specify a list of additional
> +command-line options for the @code{cryptsetup open} command. See the
> +@code{cryptsetup-open(8)} man page for a list of supported options.
> +
> +For example, here is how you could specify the
> +@code{--perf-no_read_workqueue} and @code{--perf-no_write_workqueue}
> +options, along with @code{--allow-discards}:

For the command-line options, you can use @option{...}
(see: (info "(texinfo) @option")).

> +
> +@lisp
> +(mapped-device
> + (source "/dev/sdb1)
> + (target "data)

Your strings are double quoted only on the left side.

> + (type (luks-device-mapping-with-options
> + #:allow-discards? #t
> + #:extra-options '("--perf-no_read_workqueue"
> + "--perf-no_write_workqueue"))))
> +@end lisp
> +
> @end deffn
>
> @defvar raid-device-mapping
> diff --git a/gnu/system/mapped-devices.scm b/gnu/system/mapped-devices.scm
> index 667a495570..520ade9ef8 100644
> --- a/gnu/system/mapped-devices.scm
> +++ b/gnu/system/mapped-devices.scm
> @@ -194,10 +194,12 @@ (define (check-device-initrd-modules device linux-modules location)
> ;;; Common device mappings.
> ;;;
>
> -(define* (open-luks-device source targets #:key key-file allow-discards?)
> +(define* (open-luks-device source targets
> + #:key key-file allow-discards? extra-options)
> "Return a gexp that maps SOURCE to TARGET as a LUKS device, using
> 'cryptsetup'. When ALLOW-DISCARDS? is true, the use of discard (TRIM)
> -requests is allowed for the underlying device."
> +requests is allowed for the underlying device. EXTRA-OPTIONS is a list of
> +additional options to be passed to the 'cryptsetup open' command."
> (with-imported-modules (source-module-closure
> '((gnu build file-systems)
> (guix build utils))) ;; For mkdir-p
> @@ -238,10 +240,15 @@ (define* (open-luks-device source targets #:key key-file allow-discards?)
> (let ((cryptsetup #$(file-append cryptsetup-static
> "/sbin/cryptsetup"))
> (cryptsetup-flags (cons*
> - "open" "--type" "luks" partition #$target
> - (if #$allow-discards?
> - '("--allow-discards")
> - '()))))
> + "open" "--type" "luks"
> + (append
> + (if #$allow-discards?
> + '("--allow-discards")
> + '())
> + (if (pair? '#$extra-options)
> + '#$extra-options
> + '())
> + (list partition #$target)))))
> ;; We want to fallback to the password unlock if the keyfile
> ;; fails.
> (or (and keyfile
> @@ -290,7 +297,8 @@ (define luks-device-mapping
> ((gnu build file-systems)
> #:select (find-partition-by-luks-uuid system*/tty))))))
>
> -(define* (luks-device-mapping-with-options #:key key-file allow-discards?)
> +(define* (luks-device-mapping-with-options
> + #:key key-file allow-discards? extra-options)
> "Return a luks-device-mapping object with open modified to pass the arguments
> into the open-luks-device procedure."
> (mapped-device-kind
> @@ -298,7 +306,8 @@ (define* (luks-device-mapping-with-options #:key key-file allow-discards?)
> (open (λ (source targets)
> (open-luks-device source targets
> #:key-file key-file
> - #:allow-discards? allow-discards?)))))
> + #:allow-discards? allow-discards?
> + #:extra-options extra-options)))))
>
> (define (open-raid-device sources targets)
> "Return a gexp that assembles SOURCES (a list of devices) to the RAID device
> diff --git a/gnu/tests/install.scm b/gnu/tests/install.scm
> index a837637b18..fd9f17eb4d 100644
> --- a/gnu/tests/install.scm
> +++ b/gnu/tests/install.scm
> @@ -68,6 +68,7 @@ (define-module (gnu tests install)
> %test-separate-home-os
> %test-raid-root-os
> %test-encrypted-root-os
> + %test-encrypted-root-extra-options-os
> %test-encrypted-home-os
> %test-encrypted-home-os-key-file
> %test-encrypted-root-not-boot-os
> @@ -843,6 +844,73 @@ (define %test-encrypted-root-os
> (run-basic-test %encrypted-root-os command "encrypted-root-os"
> #:initialization enter-luks-passphrase)))))
>
> +
> +;;;
> +;;; LUKS-encrypted root with extra options: --allow-discards,
> +;;; --perf-no_read_workqueue and --perf-no_write_workqueue
> +;;;
> +
> +;; Except for the 'mapped-devices' field, this is exactly the same as
> +;; %encrypted-root-os.
> +(define-os-with-source (%encrypted-root-extra-options-os
> + %encrypted-root-extra-options-os-source)
> + ;; The OS we want to install.
> + (use-modules (gnu) (gnu tests) (srfi srfi-1))
> +
> + (operating-system
> + (host-name "liberigilo")
> + (timezone "Europe/Paris")
> + (locale "en_US.UTF-8")
> +
> + (bootloader (bootloader-configuration
> + (bootloader grub-bootloader)
> + (targets '("/dev/vdb"))))
> +
> + ;; Note: Do not pass "console=ttyS0" so we can use our passphrase prompt
> + ;; detection logic in 'enter-luks-passphrase'.
> +
> + (mapped-devices (list (mapped-device
> + (source (uuid "12345678-1234-1234-1234-123456789abc"))
> + (target "the-root-device")
> + (type (luks-device-mapping-with-options
> + #:allow-discards? #t
> + #:extra-options
> + '("--perf-no_read_workqueue"
> + "--perf-no_write_workqueue"))))))
> + (file-systems (cons (file-system
> + (device "/dev/mapper/the-root-device")
> + (mount-point "/")
> + (type "ext4"))
> + %base-file-systems))
> + (users (cons (user-account
> + (name "charlie")
> + (group "users")
> + (supplementary-groups '("wheel" "audio" "video")))
> + %base-user-accounts))
> + (services (cons (service marionette-service-type
> + (marionette-configuration
> + (imported-modules '((gnu services herd)
> + (guix combinators)))))
> + %base-services))))
> +
> +(define %test-encrypted-root-extra-options-os
> + (system-test
> + (name "encrypted-root-extra-options-os")
> + (description
> + "Test basic functionality of an OS installed like one would do by hand,
> +with an LUKS-encrypted root partition opened with extra options
> +(--allow-discards, --perf-no_read_workqueue and --perf-no_write_workqueue).
> +This test is expensive in terms of CPU and storage usage since we need to
> +build (current-guix) and then store a couple of full system images.")
> + (value
> + (mlet* %store-monad ((images (run-install %encrypted-root-extra-options-os
> + %encrypted-root-extra-options-os-source
> + #:script
> + %encrypted-root-installation-script))
> + (command (qemu-command* images)))
> + (run-basic-test %encrypted-root-os command "encrypted-root-extra-options-os"
> + #:initialization enter-luks-passphrase)))))

Looks good to me. I haven't tried running it yet; if you send a v2 with
the small problem I've seen above I'll happily try it and if it passes
merge it.

--
Thanks,
Maxim
[PATCH] mapped-devices/luks: Support extra options.
85a028e86a47aec2ce943b1a81904d2916627893.1754741432.git.45mg.writes@gmail.com
Allow passing extra options to the 'cryptsetup open' command.

* gnu/system/mapped-devices.scm (open-luks-device)
[#:extra-options]: New argument.
* doc/guix.texi (Mapped Devices): Document it.
* gnu/tests/install.scm (%test-encrypted-root-extra-options-os): New
test for it, as well as the previously untested #:allow-discards?
option.
(%encrypted-root-extra-options-os): New os declaration for the test.

Change-Id: Ia9fd129d1c66cbf27abdd3064d59188083465247
---

Took into account Maxim's review. Also, luks-device-mapping-with-options is
now deprecated [1], so instead use the 'arguments' field of
luks-device-mapping.

[1] https://codeberg.org/guix/guix/pulls/1048

doc/guix.texi | 21 +++++++++++
gnu/system/mapped-devices.scm | 19 ++++++----
gnu/tests/install.scm | 68 +++++++++++++++++++++++++++++++++++
3 files changed, 102 insertions(+), 6 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index bffaeb5bbc..4bb4f50200 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -18731,6 +18731,27 @@ Mapped Devices
file system level operations visible on the physical device. For more
information, refer to the description of the @code{--allow-discards}
option in the @code{cryptsetup-open(8)} man page.
+
+@item #:extra-options
+@code{extra-options} may be used to specify a list of additional
+command-line options for the @code{cryptsetup open} command. See the
+@code{cryptsetup-open(8)} man page for a list of supported options.
+
+For example, here is how you could specify the
+@option{--perf-no_read_workqueue} and @option{--perf-no_write_workqueue}
+options, along with @option{--allow-discards}:
+
+@lisp
+(mapped-device
+(source "/dev/sdb1")
+(target "data")
+(type (type luks-device-mapping)
+ (arguments '(#:allow-discards? #t
+ #:extra-options
+ ("--perf-no_read_workqueue"
+ "--perf-no_write_workqueue")))))
+@end lisp
+
@end table
@end defvar
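
Review bot: the @lisp example has a doubled field name, `(type (type luks-device-mapping)`, which nests 'arguments' inside 'type' and is not a valid mapped-device form. The test added in this same patch writes `(type luks-device-mapping)` followed by a sibling `(arguments '(...))`; the example should match that, with the fields indented under `(mapped-device`.
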
diff --git a/gnu/system/mapped-devices.scm b/gnu/system/mapped-devices.scm
index b0a6beef28..034956c616 100644
--- a/gnu/system/mapped-devices.scm
+++ b/gnu/system/mapped-devices.scm
@@ -200,10 +200,12 @@ (define (check-device-initrd-modules device linux-modules location)
;;; Common device mappings.
;;;
-(define* (open-luks-device source targets #:key key-file allow-discards?)
+(define* (open-luks-device source targets
+ #:key key-file allow-discards? extra-options)
"Return a gexp that maps SOURCE to TARGET as a LUKS device, using
'cryptsetup'. When ALLOW-DISCARDS? is true, the use of discard (TRIM)
-requests is allowed for the underlying device."
+requests is allowed for the underlying device. EXTRA-OPTIONS is a list of
+additional options to be passed to the 'cryptsetup open' command."
(with-imported-modules (source-module-closure
'((gnu build file-systems)
(guix build utils))) ;; For mkdir-p
@@ -244,10 +246,15 @@ (define* (open-luks-device source targets #:key key-file allow-discards?)
(let ((cryptsetup #$(file-append cryptsetup-static
"/sbin/cryptsetup"))
(cryptsetup-flags (cons*
- "open" "--type" "luks" partition #$target
- (if #$allow-discards?
- '("--allow-discards")
- '()))))
+ "open" "--type" "luks"
+ (append
+ (if #$allow-discards?
+ '("--allow-discards")
+ '())
+ (if (pair? '#$extra-options)
+ '#$extra-options
+ '())
+ (list partition #$target)))))
;; We want to fallback to the password unlock if the keyfile
;; fails.
(or (and keyfile
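
Review bot: the elements of `'#$extra-options` are spliced into `cryptsetup-flags` unchecked, directly ahead of `(list partition #$target)`. Nothing in the patch checks that each element is a string, and a string that is not an option would be read by cryptsetup as a positional argument in place of the device or the mapping name. Since the values arrive from the 'arguments' field as quoted data, checking them when the configuration is evaluated (a list whose elements are all strings) would surface the mistake before the device is opened.
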
diff --git a/gnu/tests/install.scm b/gnu/tests/install.scm
index ec31cf2bdf..c6715484cf 100644
--- a/gnu/tests/install.scm
+++ b/gnu/tests/install.scm
@@ -68,6 +68,7 @@ (define-module (gnu tests install)
%test-separate-home-os
%test-raid-root-os
%test-encrypted-root-os
+ %test-encrypted-root-extra-options-os
%test-encrypted-home-os
%test-encrypted-home-os-key-file
%test-encrypted-root-not-boot-os
@@ -843,6 +844,73 @@ (define %test-encrypted-root-os
(run-basic-test %encrypted-root-os command "encrypted-root-os"
#:initialization enter-luks-passphrase)))))
+
+;;;
+;;; LUKS-encrypted root with extra options: --allow-discards,
+;;; --perf-no_read_workqueue and --perf-no_write_workqueue
+;;;
+
+;; Except for the 'mapped-devices' field, this is exactly the same as
+;; %encrypted-root-os.
+(define-os-with-source (%encrypted-root-extra-options-os
+ %encrypted-root-extra-options-os-source)
+ ;; The OS we want to install.
+ (use-modules (gnu) (gnu tests) (srfi srfi-1))
+
+ (operating-system
+ (host-name "liberigilo")
+ (timezone "Europe/Paris")
+ (locale "en_US.UTF-8")
+
+ (bootloader (bootloader-configuration
+ (bootloader grub-bootloader)
+ (targets '("/dev/vdb"))))
+
+ ;; Note: Do not pass "console=ttyS0" so we can use our passphrase prompt
+ ;; detection logic in 'enter-luks-passphrase'.
+
+ (mapped-devices (list (mapped-device
+ (source (uuid "12345678-1234-1234-1234-123456789abc"))
+ (target "the-root-device")
+ (type luks-device-mapping)
+ (arguments '(#:allow-discards? #t
+ #:extra-options
+ ("--perf-no_read_workqueue"
+ "--perf-no_write_workqueue"))))))
+ (file-systems (cons (file-system
+ (device "/dev/mapper/the-root-device")
+ (mount-point "/")
+ (type "ext4"))
+ %base-file-systems))
+ (users (cons (user-account
+ (name "charlie")
+ (group "users")
+ (supplementary-groups '("wheel" "audio" "video")))
+ %base-user-accounts))
+ (services (cons (service marionette-service-type
+ (marionette-configuration
+ (imported-modules '((gnu services herd)
+ (guix combinators)))))
+ %base-services))))
+
+(define %test-encrypted-root-extra-options-os
+ (system-test
+ (name "encrypted-root-extra-options-os")
+ (description
+ "Test basic functionality of an OS installed like one would do by hand,
+with an LUKS-encrypted root partition opened with extra options
+(--allow-discards, --perf-no_read_workqueue and --perf-no_write_workqueue).
+This test is expensive in terms of CPU and storage usage since we need to
+build (current-guix) and then store a couple of full system images.")
+ (value
+ (mlet* %store-monad ((images (run-install %encrypted-root-extra-options-os
+ %encrypted-root-extra-options-os-source
+ #:script
+ %encrypted-root-installation-script))
+ (command (qemu-command* images)))
+ (run-basic-test %encrypted-root-os command "encrypted-root-extra-options-os"
+ #:initialization enter-luks-passphrase)))))
+
;;;
;;; Separate /home on LVM
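
Review bot: the new test only runs the generic `run-basic-test` after the passphrase is entered; nothing in it checks that --allow-discards or the two --perf-* options reached the mapping, so it would still pass if `open-luks-device` dropped `extra-options` altogether. Add an assertion on the opened device from the marionette, for example on the optional parameters that `dmsetup table` reports for the-root-device, so that the commit message's claim of covering #:allow-discards? holds.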

base-commit: 0697809d64d525b5b9146a57f824641f6f9f81ca
--
2.50.1
Maxim Cournoyer wrote on 13 Aug 18:26 -0700
(name . 45mg)(address . 45mg.writes@gmail.com)
87cy8ypubs.fsf@guixotic.coop
Hi,

45mg <45mg.writes@gmail.com> writes:

> Allow passing extra options to the 'cryptsetup open' command.
>
> * gnu/system/mapped-devices.scm (open-luks-device)
> [#:extra-options]: New argument.
> * doc/guix.texi (Mapped Devices): Document it.
> * gnu/tests/install.scm (%test-encrypted-root-extra-options-os): New
> test for it, as well as the previously untested #:allow-discards?
> option.
> (%encrypted-root-extra-options-os): New os declaration for the test.
>
> Change-Id: Ia9fd129d1c66cbf27abdd3064d59188083465247
> ---
>
> Took into account Maxim's review. Also, luks-device-mapping-with-options is
> now deprecated [1], so instead use the 'arguments' field of
> luks-device-mapping.
>
> [1] https://codeberg.org/guix/guix/pulls/1048
>
> doc/guix.texi | 21 +++++++++++
> gnu/system/mapped-devices.scm | 19 ++++++----
> gnu/tests/install.scm | 68 +++++++++++++++++++++++++++++++++++
> 3 files changed, 102 insertions(+), 6 deletions(-)
>
> diff --git a/doc/guix.texi b/doc/guix.texi
> index bffaeb5bbc..4bb4f50200 100644
> --- a/doc/guix.texi
> +++ b/doc/guix.texi
> @@ -18731,6 +18731,27 @@ Mapped Devices
> file system level operations visible on the physical device. For more
> information, refer to the description of the @code{--allow-discards}
> option in the @code{cryptsetup-open(8)} man page.
> +
> +@item #:extra-options
> +@code{extra-options} may be used to specify a list of additional
> +command-line options for the @code{cryptsetup open} command. See the
> +@code{cryptsetup-open(8)} man page for a list of supported options.
> +
> +For example, here is how you could specify the
> +@option{--perf-no_read_workqueue} and @option{--perf-no_write_workqueue}
> +options, along with @option{--allow-discards}:
> +
> +@lisp
> +(mapped-device
> +(source "/dev/sdb1")
> +(target "data")
> +(type (type luks-device-mapping)
> + (arguments '(#:allow-discards? #t
> + #:extra-options
> + ("--perf-no_read_workqueue"
> + "--perf-no_write_workqueue")))))
> +@end lisp
> +
> @end table
> @end defvar
>
> diff --git a/gnu/system/mapped-devices.scm b/gnu/system/mapped-devices.scm
> index b0a6beef28..034956c616 100644
> --- a/gnu/system/mapped-devices.scm
> +++ b/gnu/system/mapped-devices.scm
> @@ -200,10 +200,12 @@ (define (check-device-initrd-modules device linux-modules location)
> ;;; Common device mappings.
> ;;;
>
> -(define* (open-luks-device source targets #:key key-file allow-discards?)
> +(define* (open-luks-device source targets
> + #:key key-file allow-discards? extra-options)

I guess it'd be nicer if the default was '() for extra-options, then you
don't need to check its value later (unless you want to validate the
inputs).

> "Return a gexp that maps SOURCE to TARGET as a LUKS device, using
> 'cryptsetup'. When ALLOW-DISCARDS? is true, the use of discard (TRIM)
> -requests is allowed for the underlying device."
> +requests is allowed for the underlying device. EXTRA-OPTIONS is a list of
> +additional options to be passed to the 'cryptsetup open' command."
> (with-imported-modules (source-module-closure
> '((gnu build file-systems)
> (guix build utils))) ;; For mkdir-p
> @@ -244,10 +246,15 @@ (define* (open-luks-device source targets #:key key-file allow-discards?)
> (let ((cryptsetup #$(file-append cryptsetup-static
> "/sbin/cryptsetup"))
> (cryptsetup-flags (cons*
> - "open" "--type" "luks" partition #$target
> - (if #$allow-discards?
> - '("--allow-discards")
> - '()))))
> + "open" "--type" "luks"
> + (append
> + (if #$allow-discards?
> + '("--allow-discards")
> + '())
> + (if (pair? '#$extra-options)
> + '#$extra-options
> + '())

Then the if can be removed, else turned into some input validation like:

(unless (pair? '#$extra-options)
(error "invalid value for #:extra-options argument of `open-luks-device'"))

I haven't reviewed where this gets used (I assume in the early boot);
perhaps it could be possible to use (guix diagnostics) as well if it's
already imported there to produce a nicer error message.

Could you send a revised version doing the above?

--
Thanks,
Maxim
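
One way to do the input validation suggested in the reply above, as an added example that is not code from Guix or from this patch series. The procedure names `option-string?`, `luks-extra-options` and `cryptsetup-open-arguments` are hypothetical, and the check assumes each element is a single `--option` or `--option=value` string.

```scheme
;; Added example: hypothetical helpers, not part of Guix or of the patch.
(use-modules (ice-9 optargs)            ;let-keywords
             (srfi srfi-1))             ;every, remove

(define (option-string? obj)
  "Return true if OBJ is a string that looks like a command-line option."
  (and (string? obj)
       (> (string-length obj) 1)
       (string-prefix? "-" obj)))

(define (luks-extra-options arguments)
  "Return the #:extra-options list found in ARGUMENTS, a keyword list like
the 'arguments' field used in the patch.  A missing #:extra-options yields
'().  Raise an error when the value is not a list of option strings."
  (let-keywords arguments #t            ;#t: tolerate #:key-file and friends
      ((extra-options '()))             ;explicit default; a bare name gives #f
    (cond ((not (list? extra-options))
           (error "#:extra-options must be a list:" extra-options))
          ((not (every option-string? extra-options))
           (error "#:extra-options contains non-option elements:"
                  (remove option-string? extra-options)))
          (else extra-options))))

(define (cryptsetup-open-arguments partition target arguments)
  "Build the argument list for 'cryptsetup': options first, then the two
positional arguments, in the order the patch uses."
  (let-keywords arguments #t
      ((allow-discards? #f))
    (append '("open" "--type" "luks")
            (if allow-discards? '("--allow-discards") '())
            (luks-extra-options arguments)
            (list partition target))))

;; Constructed sample 'arguments' values.
(define samples
  '((#:allow-discards? #t
     #:extra-options ("--perf-no_read_workqueue" "--perf-no_write_workqueue"))
    (#:allow-discards? #t)                        ;no extra options at all
    (#:extra-options "--perf-no_read_workqueue")  ;a string, not a list
    (#:extra-options ("--key-slot" 1))))          ;non-string element

(for-each
 (lambda (arguments)
   (catch #t
     (lambda ()
       (format #t "ok:       ~s~%"
               (cryptsetup-open-arguments "/dev/sdb1" "data" arguments)))
     (lambda (key . args)
       (format #t "rejected: ~s~%" arguments))))
 samples)
```

The first two samples produce an argument list ending in the device and mapping name; the last two are rejected before any command line is built.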
[PATCH v3] mapped-devices/luks: Support extra options.
b1b89a7997c492def17e26d874d90a6d78a25c06.1758024769.git.45mg.writes@gmail.com
Allow passing extra options to the 'cryptsetup open' command.

* gnu/system/mapped-devices.scm (luks-device-mapping-with-options):
[#:extra-options]: New argument.
(open-luks-device): Use it.
(check-luks-device): Validate it.
* doc/guix.texi (Mapped Devices): Document it.
* gnu/tests/install.scm (%test-encrypted-root-extra-options-os): New
test for it, as well as the previously untested #:allow-discards?
option.
(%encrypted-root-extra-options-os): New os declaration for the test.

Change-Id: Ibbc3cf4f2ee4d49099a3155a015f54d319515663
---

Add default value '() as suggested by Maxim. Also, add the suggested
validation in check-luks-device.

doc/guix.texi | 21 +++++++++++
gnu/system/mapped-devices.scm | 30 ++++++++++++----
gnu/tests/install.scm | 68 +++++++++++++++++++++++++++++++++++
3 files changed, 113 insertions(+), 6 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index 0924aebf4a..74a6367e43 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -18774,6 +18774,27 @@ Mapped Devices
file system level operations visible on the physical device. For more
information, refer to the description of the @code{--allow-discards}
option in the @code{cryptsetup-open(8)} man page.
+
+@item #:extra-options
+@code{extra-options} may be used to specify a list of additional
+command-line options for the @code{cryptsetup open} command. See the
+@code{cryptsetup-open(8)} man page for a list of supported options.
+
+For example, here is how you could specify the
+@option{--perf-no_read_workqueue} and @option{--perf-no_write_workqueue}
+options, along with @option{--allow-discards}:
+
+@lisp
+(mapped-device
+(source "/dev/sdb1")
+(target "data")
+(type (type luks-device-mapping)
+ (arguments '(#:allow-discards? #t
+ #:extra-options
+ ("--perf-no_read_workqueue"
+ "--perf-no_write_workqueue")))))
+@end lisp
+
@end table
@end defvar
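
Review bot: the @item text says "a list of additional command-line options" but not what form each element takes (one string per argument, as in the example), nor that check-luks-device now rejects some values; a sentence covering both belongs here. The example below it also still reads `(type (type luks-device-mapping)`, which does not match the `(type luks-device-mapping)` plus `(arguments ...)` form used in gnu/tests/install.scm.
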
diff --git a/gnu/system/mapped-devices.scm b/gnu/system/mapped-devices.scm
index b0a6beef28..a2d49c55a5 100644
--- a/gnu/system/mapped-devices.scm
+++ b/gnu/system/mapped-devices.scm
@@ -43,6 +43,7 @@ (define-module (gnu system mapped-devices)
#:use-module (srfi srfi-34)
#:use-module (srfi srfi-35)
#:use-module (ice-9 match)
+ #:use-module (ice-9 optargs)
#:use-module (ice-9 format)
#:export (%mapped-device
mapped-device
@@ -200,10 +201,12 @@ (define (check-device-initrd-modules device linux-modules location)
;;; Common device mappings.
;;;
-(define* (open-luks-device source targets #:key key-file allow-discards?)
+(define* (open-luks-device source targets
+ #:key key-file allow-discards? (extra-options '()))
"Return a gexp that maps SOURCE to TARGET as a LUKS device, using
'cryptsetup'. When ALLOW-DISCARDS? is true, the use of discard (TRIM)
-requests is allowed for the underlying device."
+requests is allowed for the underlying device. EXTRA-OPTIONS is a list of
+additional options to be passed to the 'cryptsetup open' command."
(with-imported-modules (source-module-closure
'((gnu build file-systems)
(guix build utils))) ;; For mkdir-p
@@ -244,10 +247,15 @@ (define* (open-luks-device source targets #:key key-file allow-discards?)
(let ((cryptsetup #$(file-append cryptsetup-static
"/sbin/cryptsetup"))
(cryptsetup-flags (cons*
- "open" "--type" "luks" partition #$target
- (if #$allow-discards?
- '("--allow-discards")
- '()))))
+ "open" "--type" "luks"
+ (append
+ (if #$allow-discards?
+ '("--allow-discards")
+ '())
+ (if (pair? '#$extra-options)
+ '#$extra-options
+ '())
+ (list partition #$target)))))
;; We want to fallback to the password unlock if the keyfile
;; fails.
(or (and keyfile
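
Review bot: with `(extra-options '())` now the default in the `define*` above, the `(if (pair? '#$extra-options) '#$extra-options '())` wrapper is redundant, since for any list it returns the list itself. Splice `'#$extra-options` directly into the `append` and leave type checking to check-luks-device.
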
@@ -271,6 +279,16 @@ (define* (check-luks-device md #:key
"Ensure the source of MD is valid."
(let ((source (mapped-device-source md))
(location (mapped-device-location md)))
+ (let-keywords (mapped-device-arguments md) #t
+ (key-file allow-discards extra-options)
+ (unless (pair? extra-options)
+ (raise (make-compound-condition
+ (formatted-message (G_ "invalid value ~s for #:extra-options \
+argument of `open-luks-device'")
+ extra-options)
+ (condition
+ (&error-location
+ (location (source-properties->location location))))))))
(or (not (zero? (getuid)))
(if (uuid? source)
(match (find-partition-by-luks-uuid (uuid-bytevector source))
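Review bot: `extra-options` has no default in the `let-keywords` binding list, so it is bound to #f whenever a mapped device omits #:extra-options, and `(unless (pair? extra-options) ...)` then raises for every LUKS configuration that does not use the new keyword. Bind it as `(extra-options '())`, matching the default in open-luks-device, and test with `list?` so that an explicit empty list is accepted as well.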
diff --git a/gnu/tests/install.scm b/gnu/tests/install.scm
index ec31cf2bdf..c6715484cf 100644
--- a/gnu/tests/install.scm
+++ b/gnu/tests/install.scm
@@ -68,6 +68,7 @@ (define-module (gnu tests install)
%test-separate-home-os
%test-raid-root-os
%test-encrypted-root-os
+ %test-encrypted-root-extra-options-os
%test-encrypted-home-os
%test-encrypted-home-os-key-file
%test-encrypted-root-not-boot-os
@@ -843,6 +844,73 @@ (define %test-encrypted-root-os
(run-basic-test %encrypted-root-os command "encrypted-root-os"
#:initialization enter-luks-passphrase)))))
+
+;;;
+;;; LUKS-encrypted root with extra options: --allow-discards,
+;;; --perf-no_read_workqueue and --perf-no_write_workqueue
+;;;
+
+;; Except for the 'mapped-devices' field, this is exactly the same as
+;; %encrypted-root-os.
+(define-os-with-source (%encrypted-root-extra-options-os
+ %encrypted-root-extra-options-os-source)
+ ;; The OS we want to install.
+ (use-modules (gnu) (gnu tests) (srfi srfi-1))
+
+ (operating-system
+ (host-name "liberigilo")
+ (timezone "Europe/Paris")
+ (locale "en_US.UTF-8")
+
+ (bootloader (bootloader-configuration
+ (bootloader grub-bootloader)
+ (targets '("/dev/vdb"))))
+
+ ;; Note: Do not pass "console=ttyS0" so we can use our passphrase prompt
+ ;; detection logic in 'enter-luks-passphrase'.
+
+ (mapped-devices (list (mapped-device
+ (source (uuid "12345678-1234-1234-1234-123456789abc"))
+ (target "the-root-device")
+ (type luks-device-mapping)
+ (arguments '(#:allow-discards? #t
+ #:extra-options
+ ("--perf-no_read_workqueue"
+ "--perf-no_write_workqueue"))))))
+ (file-systems (cons (file-system
+ (device "/dev/mapper/the-root-device")
+ (mount-point "/")
+ (type "ext4"))
+ %base-file-systems))
+ (users (cons (user-account
+ (name "charlie")
+ (group "users")
+ (supplementary-groups '("wheel" "audio" "video")))
+ %base-user-accounts))
+ (services (cons (service marionette-service-type
+ (marionette-configuration
+ (imported-modules '((gnu services herd)
+ (guix combinators)))))
+ %base-services))))
+
+(define %test-encrypted-root-extra-options-os
+ (system-test
+ (name "encrypted-root-extra-options-os")
+ (description
+ "Test basic functionality of an OS installed like one would do by hand,
+with an LUKS-encrypted root partition opened with extra options
+(--allow-discards, --perf-no_read_workqueue and --perf-no_write_workqueue).
+This test is expensive in terms of CPU and storage usage since we need to
+build (current-guix) and then store a couple of full system images.")
+ (value
+ (mlet* %store-monad ((images (run-install %encrypted-root-extra-options-os
+ %encrypted-root-extra-options-os-source
+ #:script
+ %encrypted-root-installation-script))
+ (command (qemu-command* images)))
+ (run-basic-test %encrypted-root-os command "encrypted-root-extra-options-os"
+ #:initialization enter-luks-passphrase)))))
+
;;;
;;; Separate /home on LVM
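Review bot: in %test-encrypted-root-extra-options-os the images are installed from %encrypted-root-extra-options-os, but `run-basic-test` is still given %encrypted-root-os. The two declarations differ only in the mapped-devices field, as the comment above the new declaration says; pass %encrypted-root-extra-options-os so that the test checks the OS it installed.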

base-commit: ea4a3af73940e3fd578326510eccb2d5747352b4
--
2.50.1
Ludovic Courtès wrote on 16 Sep 06:55 -0700
(name . 45mg)(address . 45mg.writes@gmail.com)
871po6biyr.fsf@gnu.org
Hello,

45mg <45mg.writes@gmail.com> writes:

> Allow passing extra options to the 'cryptsetup open' command.
>
> * gnu/system/mapped-devices.scm (luks-device-mapping-with-options):
> [#:extra-options]: New argument.
> (open-luks-device): Use it.
> (check-luks-device): Validate it.
> * doc/guix.texi (Mapped Devices): Document it.
> * gnu/tests/install.scm (%test-encrypted-root-extra-options-os): New
> test for it, as well as the previously untested #:allow-discards?
> option.
> (%encrypted-root-extra-options-os): New os declaration for the test.
>
> Change-Id: Ibbc3cf4f2ee4d49099a3155a015f54d319515663

[...]

> +@item #:extra-options
> +@code{extra-options} may be used to specify a list of additional
> +command-line options for the @code{cryptsetup open} command. See the

Instead of repeating the keyword name, maybe you can write:

List of additional command-line options for …

> +@lisp
> +(mapped-device
> +(source "/dev/sdb1")
> +(target "data")
> +(type (type luks-device-mapping)
> + (arguments '(#:allow-discards? #t
> + #:extra-options
> + ("--perf-no_read_workqueue"
> + "--perf-no_write_workqueue")))))

The indentation and syntax are incorrect, if I’m not mistaken.

Otherwise LGTM!

Could you send an updated version?

Thanks,
Ludo’.

PS: Use of guix-patches will be discontinued at the end of the year. I
would encourage you to try out the pull request workflow on Codeberg
and to report any questions or issues you may have.
87h5x25sbh.fsf@gmail.com
Hi,

Ludovic Courtès <ludo@gnu.org> writes:

> Hello,
>
> 45mg <45mg.writes@gmail.com> writes:
>
>> Allow passing extra options to the 'cryptsetup open' command.
>>

[...]

>> +@item #:extra-options
>> +@code{extra-options} may be used to specify a list of additional
>> +command-line options for the @code{cryptsetup open} command. See the
>
> Instead of repeating the keyword name, maybe you can write:
>
> List of additional command-line options for …
>

OK.

>> +@lisp
>> +(mapped-device
>> +(source "/dev/sdb1")
>> +(target "data")
>> +(type (type luks-device-mapping)
>> + (arguments '(#:allow-discards? #t
>> + #:extra-options
>> + ("--perf-no_read_workqueue"
>> + "--perf-no_write_workqueue")))))
>
> The indentation and syntax are incorrect, if I’m not mistaken.

Is it? `indent-region` in Emacs (C-M-\) leaves it unchanged. How should I
indent it instead?

As for the syntax,
guix shell -D guix --pure -- make check-system TESTS=encrypted-root-extra-options-os
passes.

> Otherwise LGTM!
>
> Could you send an updated version?
>
> Thanks,
> Ludo’.
>
> PS: Use of guix-patches will be discontinued at the end of the year. I
> would encourage you to try out the pull request workflow on Codeberg
> and to report any questions or issues you may have.
Maxim Cournoyer wrote 6 days ago
Re: bug#77499: [PATCH] mapped-devices/luks: Support extra options.
(name . 45mg)(address . 45mg.writes@gmail.com)
874isw8au0.fsf_-_@guixotic.coop
Hi,

45mg <45mg.writes@gmail.com> writes:

[...]

> Is it? `indent-region` in Emacs (C-M-\) leaves it unchanged. How should I
> indent it instead?
>
> As for the syntax,
> guix shell -D guix --pure -- make check-system TESTS=encrypted-root-extra-options-os
> passes.

Testing locally, it appears to hang at:

SeaBIOS (version 1.17.0/GNU Guix)


iPXE (https://ipxe.org) 00:03.0 CA00 PCI2.10 PnP PMM+0EFCAD30+0EF0AD30 CA00


Booting from Hard Disk...
GRUB loading..
Welcome to GRUB!

Enter passphrase for hd0,gpt2 (12345678-1234-1234-1234-123456789abc):
Attempting to decrypt master key...
Slot 0 opened

Perhaps something dirty in my tree; I'll have to retry from a clean
checkout later.

--
Thanks,
Maxim
45mg wrote 6 days ago
[PATCH v4] mapped-devices/luks: Support extra options.
aefbc039e28cd66a3f801a400dc803357e28d802.1758445667.git.45mg.writes@gmail.com
Allow passing extra options to the 'cryptsetup open' command.

* gnu/system/mapped-devices.scm (luks-device-mapping-with-options):
[#:extra-options]: New argument.
(open-luks-device): Use it.
(check-luks-device): Validate it.
* doc/guix.texi (Mapped Devices): Document it.
* gnu/tests/install.scm (%test-encrypted-root-extra-options-os): New
test for it, as well as the previously untested #:allow-discards?
option.
(%encrypted-root-extra-options-os): New os declaration for the test.

Change-Id: I1bd8d2dcdfc50f4790a9fe0629ac7c25cbbce83d
---
Changed wording in doc/guix.texi as per Ludo's suggestion.
Removed superfluous validation from open-luks-device; it was already done in
check-luks-device.

doc/guix.texi | 21 +++++++++++
gnu/system/mapped-devices.scm | 28 +++++++++++----
gnu/tests/install.scm | 68 +++++++++++++++++++++++++++++++++++
3 files changed, 111 insertions(+), 6 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index 0924aebf4a..066143a35a 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -18774,6 +18774,27 @@ Mapped Devices
file system level operations visible on the physical device. For more
information, refer to the description of the @code{--allow-discards}
option in the @code{cryptsetup-open(8)} man page.
+
+@item #:extra-options
+List of additional command-line options for the @code{cryptsetup open}
+command. See the @code{cryptsetup-open(8)} man page for a list of
+supported options.
+
+For example, here is how you could specify the
+@option{--perf-no_read_workqueue} and @option{--perf-no_write_workqueue}
+options, along with @option{--allow-discards}:
+
+@lisp
+(mapped-device
+(source "/dev/sdb1")
+(target "data")
+(type (type luks-device-mapping)
+ (arguments '(#:allow-discards? #t
+ #:extra-options
+ ("--perf-no_read_workqueue"
+ "--perf-no_write_workqueue")))))
+@end lisp
+
@end table
@end defvar
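Review bot: the @lisp example is not a valid mapped-device form: `(type (type luks-device-mapping)` nests `type` inside itself, and the `source`, `target` and `type` fields sit at column zero under `(mapped-device`. Write `(type luks-device-mapping)` and indent each field the way the declaration in gnu/tests/install.scm does, then recount the closing parentheses on the last line.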
diff --git a/gnu/system/mapped-devices.scm b/gnu/system/mapped-devices.scm
index b0a6beef28..a97bcc26b8 100644
--- a/gnu/system/mapped-devices.scm
+++ b/gnu/system/mapped-devices.scm
@@ -43,6 +43,7 @@ (define-module (gnu system mapped-devices)
#:use-module (srfi srfi-34)
#:use-module (srfi srfi-35)
#:use-module (ice-9 match)
+ #:use-module (ice-9 optargs)
#:use-module (ice-9 format)
#:export (%mapped-device
mapped-device
@@ -200,10 +201,12 @@ (define (check-device-initrd-modules device linux-modules location)
;;; Common device mappings.
;;;
-(define* (open-luks-device source targets #:key key-file allow-discards?)
+(define* (open-luks-device source targets
+ #:key key-file allow-discards? (extra-options '()))
"Return a gexp that maps SOURCE to TARGET as a LUKS device, using
'cryptsetup'. When ALLOW-DISCARDS? is true, the use of discard (TRIM)
-requests is allowed for the underlying device."
+requests is allowed for the underlying device. EXTRA-OPTIONS is a list of
+additional options to be passed to the 'cryptsetup open' command."
(with-imported-modules (source-module-closure
'((gnu build file-systems)
(guix build utils))) ;; For mkdir-p
@@ -244,10 +247,13 @@ (define* (open-luks-device source targets #:key key-file allow-discards?)
(let ((cryptsetup #$(file-append cryptsetup-static
"/sbin/cryptsetup"))
(cryptsetup-flags (cons*
- "open" "--type" "luks" partition #$target
- (if #$allow-discards?
- '("--allow-discards")
- '()))))
+ "open" "--type" "luks"
+ (append
+ (if #$allow-discards?
+ '("--allow-discards")
+ '())
+ '#$extra-options
+ (list partition #$target)))))
;; We want to fallback to the password unlock if the keyfile
;; fails.
(or (and keyfile
@@ -271,6 +277,16 @@ (define* (check-luks-device md #:key
"Ensure the source of MD is valid."
(let ((source (mapped-device-source md))
(location (mapped-device-location md)))
+ (let-keywords (mapped-device-arguments md) #t
+ (key-file allow-discards extra-options)
+ (unless (pair? extra-options)
+ (raise (make-compound-condition
+ (formatted-message (G_ "invalid value ~s for #:extra-options \
+argument of `open-luks-device'")
+ extra-options)
+ (condition
+ (&error-location
+ (location (source-properties->location location))))))))
(or (not (zero? (getuid)))
(if (uuid? source)
(match (find-partition-by-luks-uuid (uuid-bytevector source))
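Review bot: the validation added to check-luks-device disagrees with the default declared in open-luks-device. The signature in this patch has `(extra-options '())`, but `(unless (pair? extra-options) ...)` rejects the empty list, and because the `let-keywords` binding has no default an omitted keyword is #f and is rejected too. Give the binding the same `'()` default and use `list?` as the predicate.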
diff --git a/gnu/tests/install.scm b/gnu/tests/install.scm
index ec31cf2bdf..c6715484cf 100644
--- a/gnu/tests/install.scm
+++ b/gnu/tests/install.scm
@@ -68,6 +68,7 @@ (define-module (gnu tests install)
%test-separate-home-os
%test-raid-root-os
%test-encrypted-root-os
+ %test-encrypted-root-extra-options-os
%test-encrypted-home-os
%test-encrypted-home-os-key-file
%test-encrypted-root-not-boot-os
@@ -843,6 +844,73 @@ (define %test-encrypted-root-os
(run-basic-test %encrypted-root-os command "encrypted-root-os"
#:initialization enter-luks-passphrase)))))
+
+;;;
+;;; LUKS-encrypted root with extra options: --allow-discards,
+;;; --perf-no_read_workqueue and --perf-no_write_workqueue
+;;;
+
+;; Except for the 'mapped-devices' field, this is exactly the same as
+;; %encrypted-root-os.
+(define-os-with-source (%encrypted-root-extra-options-os
+ %encrypted-root-extra-options-os-source)
+ ;; The OS we want to install.
+ (use-modules (gnu) (gnu tests) (srfi srfi-1))
+
+ (operating-system
+ (host-name "liberigilo")
+ (timezone "Europe/Paris")
+ (locale "en_US.UTF-8")
+
+ (bootloader (bootloader-configuration
+ (bootloader grub-bootloader)
+ (targets '("/dev/vdb"))))
+
+ ;; Note: Do not pass "console=ttyS0" so we can use our passphrase prompt
+ ;; detection logic in 'enter-luks-passphrase'.
+
+ (mapped-devices (list (mapped-device
+ (source (uuid "12345678-1234-1234-1234-123456789abc"))
+ (target "the-root-device")
+ (type luks-device-mapping)
+ (arguments '(#:allow-discards? #t
+ #:extra-options
+ ("--perf-no_read_workqueue"
+ "--perf-no_write_workqueue"))))))
+ (file-systems (cons (file-system
+ (device "/dev/mapper/the-root-device")
+ (mount-point "/")
+ (type "ext4"))
+ %base-file-systems))
+ (users (cons (user-account
+ (name "charlie")
+ (group "users")
+ (supplementary-groups '("wheel" "audio" "video")))
+ %base-user-accounts))
+ (services (cons (service marionette-service-type
+ (marionette-configuration
+ (imported-modules '((gnu services herd)
+ (guix combinators)))))
+ %base-services))))
+
+(define %test-encrypted-root-extra-options-os
+ (system-test
+ (name "encrypted-root-extra-options-os")
+ (description
+ "Test basic functionality of an OS installed like one would do by hand,
+with an LUKS-encrypted root partition opened with extra options
+(--allow-discards, --perf-no_read_workqueue and --perf-no_write_workqueue).
+This test is expensive in terms of CPU and storage usage since we need to
+build (current-guix) and then store a couple of full system images.")
+ (value
+ (mlet* %store-monad ((images (run-install %encrypted-root-extra-options-os
+ %encrypted-root-extra-options-os-source
+ #:script
+ %encrypted-root-installation-script))
+ (command (qemu-command* images)))
+ (run-basic-test %encrypted-root-os command "encrypted-root-extra-options-os"
+ #:initialization enter-luks-passphrase)))))
+
;;;
;;; Separate /home on LVM
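Review bot: nothing in %test-encrypted-root-extra-options-os checks that the options reached cryptsetup; the `value` only calls `run-install` and `run-basic-test`, so the test cannot tell an applied option from an ignored one. Add a marionette check on the opened mapping, for instance that the device-mapper table for the-root-device reports the discard and workqueue flags, so the test fails when the flags are dropped.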

base-commit: ea4a3af73940e3fd578326510eccb2d5747352b4
--
2.50.1
Ludovic Courtès wrote 6 days ago
(name . 45mg)(address . 45mg.writes@gmail.com)
871pnzg103.fsf@gnu.org
45mg <45mg.writes@gmail.com> writes:

> +@lisp
> +(mapped-device
> +(source "/dev/sdb1")
> +(target "data")
> +(type (type luks-device-mapping)

Every field below ‘mapped-devices’ should be indented (two columns).

Also, it cannot be (type (type …)).

(Clarifying what I wrote earlier.)

Thanks,
Ludo’.
Maxim Cournoyer wrote 6 days ago
Re: bug#77499: [PATCH] mapped-devices/luks: Support extra options.
(name . 45mg)(address . 45mg.writes@gmail.com)
87zfan757b.fsf_-_@guixotic.coop
Hi,

45mg <45mg.writes@gmail.com> writes:

> Allow passing extra options to the 'cryptsetup open' command.
>
> * gnu/system/mapped-devices.scm (luks-device-mapping-with-options):
> [#:extra-options]: New argument.
> (open-luks-device): Use it.
> (check-luks-device): Validate it.
> * doc/guix.texi (Mapped Devices): Document it.
> * gnu/tests/install.scm (%test-encrypted-root-extra-options-os): New
> test for it, as well as the previously untested #:allow-discards?
> option.
> (%encrypted-root-extra-options-os): New os declaration for the test.

Tried this (v4) with:

make check-system TESTS=encrypted-root-os

Got:

/mnt/etc/config.scm:1:267: error: invalid value #f for #:extra-options argument of `open-luks-device'

Could you please check?

--
Thanks,
Maxim
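
The error reported above follows from how `let-keywords` binds a keyword that the caller did not pass. The Guile sketch below is an added example, not code from the patch or from Guix: the procedure names `valid-v4?`, `valid-v5?` and `valid-strict?` and the sample argument lists are constructed for illustration, and the strict variant is only a suggestion.

```scheme
;; Added example (not Guix code): validating an optional list-valued keyword
;; argument taken from a mapped-device 'arguments' list.
(use-modules (ice-9 optargs)   ;let-keywords
             (srfi srfi-1))    ;every

;; Same shape as the v4 check: the binding has no default, so an absent
;; keyword is bound to #f, and 'pair?' is false for both #f and '().
(define (valid-v4? arguments)
  (let-keywords arguments #t (extra-options)
    (pair? extra-options)))

;; Same shape as the v5 check: an explicit '() default and 'list?'.
(define (valid-v5? arguments)
  (let-keywords arguments #t ((extra-options '()))
    (list? extra-options)))

;; Hypothetical stricter variant: additionally require that every element
;; is a string, since each one becomes a command-line argument.
(define (valid-strict? arguments)
  (let-keywords arguments #t ((extra-options '()))
    (and (list? extra-options)
         (every string? extra-options))))

;; Constructed sample 'arguments' lists.
(define samples
  '(()                                              ;keyword omitted
    (#:extra-options ())                            ;explicit empty list
    (#:allow-discards? #t
     #:extra-options ("--perf-no_read_workqueue"
                      "--perf-no_write_workqueue")) ;as in the new test
    (#:extra-options "--perf-no_read_workqueue")    ;bare string, not a list
    (#:extra-options (42))))                        ;list of non-strings

;; Print the verdict of each validator for each sample.
(for-each (lambda (arguments)
            (format #t "~s~%  v4: ~a  v5: ~a  strict: ~a~%"
                    arguments
                    (valid-v4? arguments)
                    (valid-v5? arguments)
                    (valid-strict? arguments)))
          samples)
```

The first sample is the case every existing LUKS configuration falls into, which is why the v4 check affects `encrypted-root-os` even though that test never mentions the new keyword.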
45mg wrote 5 days ago
[PATCH v5] mapped-devices/luks: Support extra options.
bf443daa7f73a81cd9dc638d2506822ed9c08623.1758546248.git.45mg.writes@gmail.com
Allow passing extra options to the 'cryptsetup open' command.

* gnu/system/mapped-devices.scm (luks-device-mapping-with-options):
[#:extra-options]: New argument.
(open-luks-device): Use it.
(check-luks-device): Validate it.
* doc/guix.texi (Mapped Devices): Document it.
* gnu/tests/install.scm (%test-encrypted-root-extra-options-os): New
test for it, as well as the previously untested #:allow-discards?
option.
(%encrypted-root-extra-options-os): New os declaration for the test.

Change-Id: I265a431efb0c81ed7cfc984344c6b8a4cc2f1624
---
Specified default value of #:extra-options in check-luks-device; now system
tests should work again (ran encrypted-root-os,
encrypted-root-extra-options-os and encrypted-home-os-key-file successfully).

Fixed indentation of example in doc/guix.texi, per Ludo's input on v3.

doc/guix.texi | 21 +++++++++++
gnu/system/mapped-devices.scm | 29 +++++++++++----
gnu/tests/install.scm | 68 +++++++++++++++++++++++++++++++++++
3 files changed, 112 insertions(+), 6 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index 0924aebf4a..c3010119a1 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -18774,6 +18774,27 @@ Mapped Devices
file system level operations visible on the physical device. For more
information, refer to the description of the @code{--allow-discards}
option in the @code{cryptsetup-open(8)} man page.
+
+@item #:extra-options
+List of additional command-line options for the @code{cryptsetup open}
+command. See the @code{cryptsetup-open(8)} man page for a list of
+supported options.
+
+For example, here is how you could specify the
+@option{--perf-no_read_workqueue} and @option{--perf-no_write_workqueue}
+options, along with @option{--allow-discards}:
+
+@lisp
+(mapped-device
+ (source "/dev/sdb1")
+ (target "data")
+ (type luks-device-mapping)
+ (arguments '(#:allow-discards? #t
+ #:extra-options
+ ("--perf-no_read_workqueue"
+ "--perf-no_write_workqueue")))))
+@end lisp
+
@end table
@end defvar
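Review bot: the @lisp example has one closing parenthesis too many on its last line: the form opens four lists (`mapped-device`, `arguments`, the quoted argument list and the option list) but ends with five `)`. Drop one so the snippet can be pasted into a configuration as it stands.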
diff --git a/gnu/system/mapped-devices.scm b/gnu/system/mapped-devices.scm
index b0a6beef28..d568bddc4f 100644
--- a/gnu/system/mapped-devices.scm
+++ b/gnu/system/mapped-devices.scm
@@ -43,6 +43,7 @@ (define-module (gnu system mapped-devices)
#:use-module (srfi srfi-34)
#:use-module (srfi srfi-35)
#:use-module (ice-9 match)
+ #:use-module (ice-9 optargs)
#:use-module (ice-9 format)
#:export (%mapped-device
mapped-device
@@ -200,10 +201,12 @@ (define (check-device-initrd-modules device linux-modules location)
;;; Common device mappings.
;;;
-(define* (open-luks-device source targets #:key key-file allow-discards?)
+(define* (open-luks-device source targets
+ #:key key-file allow-discards? (extra-options '()))
"Return a gexp that maps SOURCE to TARGET as a LUKS device, using
'cryptsetup'. When ALLOW-DISCARDS? is true, the use of discard (TRIM)
-requests is allowed for the underlying device."
+requests is allowed for the underlying device. EXTRA-OPTIONS is a list of
+additional options to be passed to the 'cryptsetup open' command."
(with-imported-modules (source-module-closure
'((gnu build file-systems)
(guix build utils))) ;; For mkdir-p
@@ -244,10 +247,13 @@ (define* (open-luks-device source targets #:key key-file allow-discards?)
(let ((cryptsetup #$(file-append cryptsetup-static
"/sbin/cryptsetup"))
(cryptsetup-flags (cons*
- "open" "--type" "luks" partition #$target
- (if #$allow-discards?
- '("--allow-discards")
- '()))))
+ "open" "--type" "luks"
+ (append
+ (if #$allow-discards?
+ '("--allow-discards")
+ '())
+ '#$extra-options
+ (list partition #$target)))))
;; We want to fallback to the password unlock if the keyfile
;; fails.
(or (and keyfile
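Review bot: `'#$extra-options` is spliced verbatim after "--type" "luks" and the optional "--allow-discards", and nothing prevents the list from repeating or contradicting those options. State in the docstring and in the manual that callers must not pass options that open-luks-device already sets, or reject them in check-luks-device.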
@@ -271,6 +277,17 @@ (define* (check-luks-device md #:key
"Ensure the source of MD is valid."
(let ((source (mapped-device-source md))
(location (mapped-device-location md)))
+ (let-keywords (mapped-device-arguments md) #t
+ ((extra-options '())
+ key-file allow-discards)
+ (unless (list? extra-options)
+ (raise (make-compound-condition
+ (formatted-message (G_ "invalid value ~s for #:extra-options \
+argument of `open-luks-device'")
+ extra-options)
+ (condition
+ (&error-location
+ (location (source-properties->location location))))))))
(or (not (zero? (getuid)))
(if (uuid? source)
(match (find-partition-by-luks-uuid (uuid-bytevector source))
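Review bot: `(list? extra-options)` accepts any list, so a value such as `(#t 42)` passes this check and is embedded unchanged in the gexp that builds the cryptsetup command line. Check the elements too, for example `(and (list? extra-options) (every string? extra-options))` with `every` from SRFI-1. The `key-file` and `allow-discards` bindings are unused in the body, and `allow-discards` lacks the trailing `?` of the #:allow-discards? keyword, so both can be dropped from the `let-keywords` list.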
diff --git a/gnu/tests/install.scm b/gnu/tests/install.scm
index ec31cf2bdf..c6715484cf 100644
--- a/gnu/tests/install.scm
+++ b/gnu/tests/install.scm
@@ -68,6 +68,7 @@ (define-module (gnu tests install)
%test-separate-home-os
%test-raid-root-os
%test-encrypted-root-os
+ %test-encrypted-root-extra-options-os
%test-encrypted-home-os
%test-encrypted-home-os-key-file
%test-encrypted-root-not-boot-os
@@ -843,6 +844,73 @@ (define %test-encrypted-root-os
(run-basic-test %encrypted-root-os command "encrypted-root-os"
#:initialization enter-luks-passphrase)))))
+
+;;;
+;;; LUKS-encrypted root with extra options: --allow-discards,
+;;; --perf-no_read_workqueue and --perf-no_write_workqueue
+;;;
+
+;; Except for the 'mapped-devices' field, this is exactly the same as
+;; %encrypted-root-os.
+(define-os-with-source (%encrypted-root-extra-options-os
+ %encrypted-root-extra-options-os-source)
+ ;; The OS we want to install.
+ (use-modules (gnu) (gnu tests) (srfi srfi-1))
+
+ (operating-system
+ (host-name "liberigilo")
+ (timezone "Europe/Paris")
+ (locale "en_US.UTF-8")
+
+ (bootloader (bootloader-configuration
+ (bootloader grub-bootloader)
+ (targets '("/dev/vdb"))))
+
+ ;; Note: Do not pass "console=ttyS0" so we can use our passphrase prompt
+ ;; detection logic in 'enter-luks-passphrase'.
+
+ (mapped-devices (list (mapped-device
+ (source (uuid "12345678-1234-1234-1234-123456789abc"))
+ (target "the-root-device")
+ (type luks-device-mapping)
+ (arguments '(#:allow-discards? #t
+ #:extra-options
+ ("--perf-no_read_workqueue"
+ "--perf-no_write_workqueue"))))))
+ (file-systems (cons (file-system
+ (device "/dev/mapper/the-root-device")
+ (mount-point "/")
+ (type "ext4"))
+ %base-file-systems))
+ (users (cons (user-account
+ (name "charlie")
+ (group "users")
+ (supplementary-groups '("wheel" "audio" "video")))
+ %base-user-accounts))
+ (services (cons (service marionette-service-type
+ (marionette-configuration
+ (imported-modules '((gnu services herd)
+ (guix combinators)))))
+ %base-services))))
+
+(define %test-encrypted-root-extra-options-os
+ (system-test
+ (name "encrypted-root-extra-options-os")
+ (description
+ "Test basic functionality of an OS installed like one would do by hand,
+with an LUKS-encrypted root partition opened with extra options
+(--allow-discards, --perf-no_read_workqueue and --perf-no_write_workqueue).
+This test is expensive in terms of CPU and storage usage since we need to
+build (current-guix) and then store a couple of full system images.")
+ (value
+ (mlet* %store-monad ((images (run-install %encrypted-root-extra-options-os
+ %encrypted-root-extra-options-os-source
+ #:script
+ %encrypted-root-installation-script))
+ (command (qemu-command* images)))
+ (run-basic-test %encrypted-root-os command "encrypted-root-extra-options-os"
+ #:initialization enter-luks-passphrase)))))
+
;;;
;;; Separate /home on LVM

base-commit: ea4a3af73940e3fd578326510eccb2d5747352b4
--
2.50.1
45mg wrote 5 days ago
Re: [PATCH v4] mapped-devices/luks: Support extra options.
875xda39xb.fsf@gmail.com
Hi,

Ludovic Courtès <ludo@gnu.org> writes:

> 45mg <45mg.writes@gmail.com> writes:
>
>> +@lisp
>> +(mapped-device
>> +(source "/dev/sdb1")
>> +(target "data")
>> +(type (type luks-device-mapping)
>
> Every field below ‘mapped-devices’ should be indented (two columns).
>
> Also, it cannot be (type (type …)).

Got it; for some reason I got confused and thought you were referring to
the similar snippet in gnu/tests/install.scm, which was correctly
indented. Sorry about that. I fixed the bit you're referring to in v5.
Maxim Cournoyer wrote 4 days ago
Re: [PATCH v5] mapped-devices/luks: Support extra options.
(name . 45mg)(address . 45mg.writes@gmail.com)
87ms6lvavp.fsf@guixotic.coop
Hi,

The issue at the moment is that even the encrypted-root-os
hangs, unrelated to this test (but this prevents validating this test
works too).

--
Thanks,
Maxim