GNU bug report logs

#30922 LUKS-encrypted root fails using device numbering, needs luksUUID


Report forwarded to bug-guix@gnu.org:
bug#30922; Package guix. (Sat, 24 Mar 2018 08:23:02 GMT) (full text, mbox, link).


Acknowledgement sent to Jan Nieuwenhuizen <janneke@gnu.org>:
New bug report received and forwarded. Copy sent to bug-guix@gnu.org. (Sat, 24 Mar 2018 08:23:02 GMT) (full text, mbox, link).


Message #5 received at submit@debbugs.gnu.org (full text, mbox, reply):

From: Jan Nieuwenhuizen <janneke@gnu.org>
To: bug-guix@gnu.org
Subject: LUKS-encrypted root fails using device numbering, needs luksUUID
Date: Sat, 24 Mar 2018 09:22:29 +0100

Hi!

Following the example in 6.2.4 Mapped Devices

    (mapped-device
      (source "/dev/sda3")
      (target "home")
      (type luks-device-mapping))

I chose not to use the UUID alternative for encrypted root; I'm terrible
at memorizing and typing UUIDs.  So I used this snippet (full
bare-luks.scm below)

    (mapped-device
     ;; This does not work
     (source "/dev/nvme0n1p1")
     ;; This works (output of cryptsetup luksUUID /dev/nvme0n1p1)
     ;; (source (uuid "50d96f54-1dbb-48f8-bca5-2f1feb5ff144"))
     (target "guix")
     (type luks-device-mapping))

For disk partitioning, I did

     cryptsetup luksFormat /dev/nvme0n1p1
     cryptsetup open --type=luks /dev/nvme0n1p1 guix
     mkfs.ext4 -L guix /dev/mapper/guix

then install, something like

     mount /dev/mapper/guix /mnt
     herd start cow-store /mnt
     guix system init /mnt/root/bare-luks.scm /mnt

After booting I get

    Device /dev/nvme0n1p1 doesn't exist or access denied

Using the luksUUID, it works.  Except for this hurdle a pleasant and
straightforward fresh install :-)

Greetings,
janneke

--8<---------------cut here---------------start------------->8---
;; lsblk.out
;; NAME        MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINT
;; sda           8:0    1 14.5G  0 disk  
;; ├─sda1        8:1    1  1.4G  0 part  
;; └─sda2        8:2    1   40M  0 part  
;; nvme0n1     259:0    0  477G  0 disk  
;; └─nvme0n1p1 259:1    0  477G  0 part  
;;   └─guix    253:0    0  477G  0 crypt /mnt
--8<---------------cut here---------------end--------------->8---

--8<---------------cut here---------------start------------->8---
;; bare-luks.scm
(use-modules (gnu))
(use-service-modules networking ssh)
(use-package-modules screen ssh)

(define %supplementary-groups '("wheel" "netdev" "audio" "video" "lp" "kvm"))

(operating-system
  (host-name "dundal")
  (timezone "Europe/Amsterdam")
  (locale "en_US.utf8")

  (bootloader (bootloader-configuration
               (bootloader grub-bootloader)
               (target "/dev/nvme0n1")))
  (mapped-devices
   (list (mapped-device
          ;; This does not work
          (source "/dev/nvme0n1p1")
          ;; This works (output of cryptsetup luksUUID /dev/nvme0n1p1)
          ;; (source (uuid "50d96f54-1dbb-48f8-bca5-2f1feb5ff144"))
          (target "guix")
          (type luks-device-mapping))))
  (file-systems
   (cons* (file-system (title 'device)
                       (device "/dev/mapper/guix")
                       (mount-point "/")
                       (type "ext4")
                       (dependencies mapped-devices))
          %base-file-systems))
  (groups
   (cons* (user-group (name "janneke"))
          %base-groups))
  (users
   (cons* (user-account
           (name "janneke")
           (group "janneke")
           (uid 1000)
           (supplementary-groups %supplementary-groups)
           (home-directory "/home/janneke"))
          %base-user-accounts))

  (packages (cons* screen openssh wpa-supplicant-minimal %base-packages))

  (services (cons* (dhcp-client-service)
                   (console-keymap-service "dvorak" "ctrl")
                   (service openssh-service-type
                            (openssh-configuration
                             (port-number 2222)
                             (permit-root-login #t)
                             (allow-empty-passwords? #f)
                             (password-authentication? #t)))
                   %base-services)))
--8<---------------cut here---------------end--------------->8---

-- 
Jan Nieuwenhuizen <janneke@gnu.org> | GNU LilyPond http://lilypond.org
Freelance IT http://JoyofSource.com | Avatar® http://AvatarAcademy.com




Information forwarded to bug-guix@gnu.org:
bug#30922; Package guix. (Mon, 26 Mar 2018 13:38:02 GMT) (full text, mbox, link).


Message #8 received at 30922@debbugs.gnu.org (full text, mbox, reply):

From: ludo@gnu.org (Ludovic Courtès)
To: Jan Nieuwenhuizen <janneke@gnu.org>
Cc: 30922@debbugs.gnu.org, 30604@debbugs.gnu.org
Subject: Re: bug#30922: LUKS-encrypted root fails using device numbering, needs luksUUID
Date: Mon, 26 Mar 2018 15:37:01 +0200

Hello,

Jan Nieuwenhuizen <janneke@gnu.org> skribis:

> After booting I get
>
>     Device /dev/nvme0n1p1 doesn't exist or access denied

This message comes from ‘cryptsetup’.

The ‘init’ script for the config you posted does this:

--8<---------------cut here---------------start------------->8---
(boot-system #:mounts (map spec->file-system
                           (quote (("/dev/mapper/guix"
                                    device "/" "ext4" ()
                                    #f #t))))
             #:pre-mount (lambda ()
                           (and (let ((source "/dev/nvme0n1p1"))
                                  (use-modules (rnrs bytevectors)
                                               ((gnu build file-systems)
                                                #:select
                                                (find-partition-by-luks-uuid)))
                                  (zero? (system*
                                          "/gnu/store/v5r0dx5v08847rcy033kyish6m3b3621-cryptsetup-static-1.7.5/sbin/cryptsetup"
                                          "open" "--type" "luks"
                                          (if (bytevector? source)
                                              (or (let loop ((tries-left 10))
                                                    (and (positive? tries-left)
                                                         (or (find-partition-by-luks-uuid source)
                                                             (begin
                                                               (sleep 1)
                                                               (loop (- tries-left 1))))))
                                                  (error "LUKS partition not found" source))
                                              source)
                                          "guix")))))
             …
--8<---------------cut here---------------end--------------->8---

IOW, it does the right thing whether or not you’re using a UUID.

However, when using a UUID, it waits for the device to show up, whereas
otherwise it assumes the /dev node is already there and invokes
‘cryptsetup’ right away.

We should fix that and generalize the wait-for-device loop, which
already exists in a couple of instances.

There are connections with <https://bugs.gnu.org/30604>.

Ludo’.
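
The generalized wait-for-device loop proposed in the reply above, sketched as an added example in Guile (not Guix's code and not part of either message). The names `retry-until`, `resolve-luks-source`, `#:find-by-uuid`, `#:exists?` and `#:interval` are hypothetical; `#:find-by-uuid` stands in for `find-partition-by-luks-uuid`, which is only available inside Guix.

```scheme
;; Added example: hypothetical helpers, not Guix's implementation.
(use-modules (rnrs bytevectors))

(define* (retry-until thunk #:key (tries 10) (interval 1))
  ;; Call THUNK up to TRIES times, INTERVAL seconds apart; return its
  ;; first true value, or #f once every attempt has failed.
  (let loop ((tries-left tries))
    (and (positive? tries-left)
         (or (thunk)
             (begin
               (when (> tries-left 1) (sleep interval))
               (loop (- tries-left 1)))))))

(define* (resolve-luks-source source
                              #:key
                              (find-by-uuid (lambda (uuid) #f)) ;assumed stand-in
                              (exists? file-exists?)
                              (tries 10) (interval 1))
  ;; SOURCE is a bytevector (LUKS UUID) or a string (device node path).
  ;; Both kinds are polled, so a /dev node that has not shown up yet is
  ;; never handed to 'cryptsetup open' before it exists.
  (or (retry-until (if (bytevector? source)
                       (lambda () (find-by-uuid source))
                       (lambda () (and (exists? source) source)))
                   #:tries tries #:interval interval)
      (error "LUKS partition not found" source)))

;; Constructed demo: the device node "appears" on the third poll.
(define polls 0)
(define (appears-late file)
  (set! polls (+ polls 1))
  (>= polls 3))

(display (resolve-luks-source "/dev/nvme0n1p1"
                              #:exists? appears-late #:interval 0))
(newline)
```

With the path branch polled the same way as the UUID branch, a device that never appears fails with the same "LUKS partition not found" error instead of the `cryptsetup` message quoted in the report.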






debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Wed Apr 16 04:04:50 2025; Machine Name: wallace-server
