upstart hangs while starting cryptdisks

Bug #443980 reported by Christoph on 2009-10-05
30
This bug affects 4 people
Affects Status Importance Assigned to Milestone
cryptsetup (Ubuntu)
Medium
Unassigned
Karmic
Medium
Steve Langasek
Lucid
Medium
Unassigned

Bug Description

Binary package hint: upstart

Hi,
I am not sure if this bug is more cryptdisk releated, maybe you can decide when you read the provided solution.

My startup process needs both stages of the cryptdisk scripts. In the first step (stage early) a /dev/mapper/ entry is created for an USB Stick asking for a password. On this stick resides all keys for the second step.

The two step mechanism is not processed by the new upstart script in /etc/init/cryptdisks-enable.conf
Please change /etc/init/cryptdisks-enable.conf:
...
    esac

    INITSTATE="init"
    do_start
end script

to
...
    esac

    INITSTATE="early"
    do_start
    INITSTATE="init"
    do_start
end script

The second problem is a timing problem. If the Stick is not mounted fast enough the system fails to read some keys. When this happens the system hangs completly. I think this might be, because this partitions are marked as auto in /etc/fstab. If tey don't come up the upstart process waits endless.

To overcome this I changed /lib/cryptsetup/cryptdisks.functions.

Please change /lib/cryptsetup/cryptdisks.functions:
do_start () {
        local dst src key opts result

        modprobe -qb dm-mod || true
        modprobe -qb dm-crypt || true
        dmsetup mknodes > /dev/null 2>&1 || true
        log_action_begin_msg "Starting $INITSTATE crypto disks"
        mount_fs
        ...

to
do_start () {
        local dst src key opts result

        modprobe -qb dm-mod || true
        modprobe -qb dm-crypt || true
        dmsetup mknodes > /dev/null 2>&1 || true
        log_action_begin_msg "Starting $INITSTATE crypto disks"
        mount_fs
        sleep 1
        ...
Finally I deleted both symlinks /etc/rcS.d/S26cryptdisks-early and /etc/rcS.d/S28cryptdisks

Hope this helps cheers,
Christoph

ProblemType: Bug
Architecture: i386
Date: Mon Oct 5 21:51:47 2009
DistroRelease: Ubuntu 9.10
Package: upstart 0.6.3-7
ProcEnviron:
 SHELL=/bin/bash
 PATH=(custom, no user)
 LANG=de_DE.UTF-8
ProcVersionSignature: Ubuntu 2.6.31-11.38-generic
SourcePackage: upstart
Uname: Linux 2.6.31-11-generic i686
XsessionErrors:
 (nautilus:5989): Eel-CRITICAL **: eel_preferences_get_boolean: assertion `preferences_is_initialized ()' failed
 (polkit-gnome-authentication-agent-1:6001): GLib-CRITICAL **: g_once_init_leave: assertion `initialization_value != 0' failed

Christoph (christoph-thomas) wrote :
affects: upstart (Ubuntu) → cryptsetup (Ubuntu)
Christoph (christoph-thomas) wrote :

Hi,
since the startup scripts for mountall and cryptsetup are under heavy development, the proposed solution does not work anymore. A better solution for the first part is to create an additional init script (eg. cryptdisks-early.conf). The second part (timing problem) seems more related to mountall.
Thanks,
Christoph

papukaija (papukaija) wrote :

Please set the importance of this bug to wishlist.

Christoph (christoph-thomas) wrote :

Hi,
with my account I can't select 'wishlist', so I changed the status to 'fix released'.

The good news, now I know what happens and there is some fix for the timing problem. If I get it correct, this occurs because there is a dirty trick in libdevmapper. It seems, that in the first step /dev/dm-1 is created ant then moved to /dev/mapper/yourcryptdevicename. If you use UUID=xyz in your /etc/fstab, mountall sees UUID=XYZ connected to /dev/dm-1 and tries to fsck /dev/dm-1. Now fsck returns an error because /dev/dm-1 doesen't exist anymore.

The (dirty) fix is to use /dev/mapper/yourcryptdevicename instead of UUID=xyz in your /etc/fstab.

For the part with the two steps ('early' and 'init') I prefer actually my own script in /usr/share/initramfs-tools/scripts/local-bottom/<_usbkey>. Since this is part of the initrd.img it has some advantages (dont forget to recreate your initrd.img, after creating or changing this file). My script looks like:

#!/bin/sh

set -e

# Hook for mounting encrypted usb stic, change usbdev in ... and USBKEY to reflect your environment

for ask_passphrase in first second third last ; do

 for in usb-0000_Removable_Drive_20112824060840760045-0:0-part5 \
                usb-0000_Removable_Drive_20031424060835920030-0:0-part5 ; do

 if [ -L /dev/disk/by-id/$usbdev ]; then
  if [ -r /dev/mapper/USBKEY ]; then
   /sbin/blkid /dev/mapper/USBKEY && exit 0
   cryptsetup remove USBKEY
   echo "wrong passphrase $ask_passphrase try"
  fi
  cryptsetup create USBKEY /dev/disk/by-id/$usbdev --readonly --tries 1
  sleep 0.2
 fi

 done
done

Changed in cryptsetup (Ubuntu):
status: New → Fix Committed
Changed in cryptsetup (Ubuntu):
status: Fix Committed → Invalid
Changed in cryptsetup (Ubuntu):
status: Invalid → Fix Committed
Steve Langasek (vorlon) on 2009-12-15
Changed in cryptsetup (Ubuntu):
status: Fix Committed → Triaged
importance: Undecided → Medium
Steve Langasek (vorlon) on 2009-12-16
Changed in cryptsetup (Ubuntu Karmic):
assignee: nobody → Steve Langasek (vorlon)
importance: Undecided → Medium
milestone: none → karmic-updates
status: New → Triaged
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cryptsetup - 2:1.1.0~rc2-1ubuntu5

---------------
cryptsetup (2:1.1.0~rc2-1ubuntu5) lucid; urgency=low

  * Rename the upstart job introduced in the previous upload to
    cryptdisks-udev and restore the previous version of the job as
    cryptdisks-enable, to run at the end of udev coldplugging as before;
    this isn't entirely race-free, but should nevertheless give us the
    two passes needed to cover devices that are decrypted using keys stored
    on other encrypted disks. LP: #443980.
 -- Steve Langasek <email address hidden> Wed, 16 Dec 2009 06:41:30 +0000

Changed in cryptsetup (Ubuntu Lucid):
status: Triaged → Fix Released
Steve Langasek (vorlon) on 2009-12-16
Changed in cryptsetup (Ubuntu Karmic):
status: Triaged → In Progress

Accepted cryptsetup into karmic-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Changed in cryptsetup (Ubuntu Karmic):
status: In Progress → Fix Committed
tags: added: verification-needed
Christoph (christoph-thomas) wrote :

I have changed to lucid, so I have tested there (Version 2:1.1.0~rc2-1ubuntu8).
For me this Fix did not work. I see the request 'Enter Passphrase' but the console is not overtaken by cryptsetup, so I can't type my passphrase. This might be, because my external device (the device where I store all Keys for the remaining devices) has no special ID, but I don't get the meaning of 'start on block-device-added ID_FS_USAGE=crypto' in your script /etc/init/cryptdisks-udev.conf. Is it necessary to set /dev/disk/by-id/here_is_my_partition_with_the_remaining_keys to /dev/disk/by-id/crypto via e2label?
Thanks, Christoph

Steve Langasek (vorlon) wrote :

Christoph,

If the passphrase prompt is not responsive to your keypresses, you're seeing a separate bug - bug #434232, which will be fully fixed once plymouth is installed by default in lucid.

ID_FS_USAGE has nothing to do with disk labels.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cryptsetup - 2:1.0.6+20090405.svn49-1ubuntu7.2

---------------
cryptsetup (2:1.0.6+20090405.svn49-1ubuntu7.2) karmic-proposed; urgency=low

  * Depend on watershed.
  * cryptdisks.functions: do_tmp should mount under /var/run/cryptsetup for
    changing the permissions of the filesystem root, not directly on /tmp,
    since mounting on /tmp a) is racy, b) confuses mountall something fierce.
    LP: #475936.

cryptsetup (2:1.0.6+20090405.svn49-1ubuntu7.1) karmic-proposed; urgency=low

  * debian/cryptdisks.functions:
    - wrap the call to /lib/cryptsetup/askpass with watershed, to make sure
      we only ever have one of these running at a time; otherwise multiple
      invocations could steal each other's input and/or write over each
      other's output
    - new function, crypttab_start_one_disk, to look for the named source
      device in /etc/crypttab (by device name, UUID, or label) and start it
      if configured to do so
  * debian/cryptdisks-udev.upstart: new, additional upstart job run once for
    each block device, using the new crypttab_start_one_disk function,
    triggered by udev; this doesn't eliminate the possibility of a race with
    gdm when the decrypted volume isn't a 'bootwait' mount point (since gdm
    kills usplash), but it does eliminate the race between udev and
    cryptsetup. LP: #454898.
    The other cryptdisks-enable job is still needed as well, to give us the
    second pass needed to cover devices that are decrypted using keys stored
    on other encrypted disks. LP: #443980.
  * debian/cryptdisk.functions: initially create the device under a temporary
    name and rename it only at the end using 'dmsetup rename', to ensure that
    upstart/mountall doesn't see our device before it's ready to go.
    LP: #475936.
  * Make the 'start' action of the init script a no-op, this should be
    handled entirely by the upstart job now; ad remove any symlinks from
    /etc/rcS.d on upgrade. LP: #473615.
 -- Steve Langasek <email address hidden> Tue, 22 Dec 2009 23:29:32 +0000

Changed in cryptsetup (Ubuntu Karmic):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers