Comment 35 for bug 595648

Richard Hansen (rhansen) wrote:

The /scripts/local-top/cryptroot script in the initramfs only unlocks the root and resume filesystems. All other encrypted filesystems are unlocked by /etc/init/cryptdisks-udev.conf and /etc/init/cryptdisks.conf after the real / has been mounted.

This design is problematic for remote unlocking: If one of those non-root non-resume encrypted filesystems is essential to booting the system (it has the 'bootwait' option in /etc/fstab), then the initramfs will go away before the filesystem is unlocked (because the root filesystem is mounted), but sshd won't start because it's waiting for another essential filesystem to be unlocked. Thus, there's no way to remotely access the system and unlock the remaining filesystem(s).

Before this bug can be considered fixed, /usr/share/initramfs-tools/hooks/cryptroot will have to be edited to include all 'bootwait' filesystems in the /conf/conf.d/cryptroot config file it produces in the initramfs.

As a temporary workaround, users can add non-root non-resume 'bootwait' filesystems to /etc/initramfs-tools/conf.d/resume as if they were resume devices, though they must be listed BEFORE the real resume device. (/usr/share/initramfs-tools/hooks/cryptroot can handle multiple RESUME=* lines, and the initramfs init script ignores all RESUME=* lines but the last.)
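As an added illustration of the workaround above (my own script, not from the bug report or the cryptsetup package), this POSIX shell snippet reads fstab and crypttab text, picks out the non-root 'bootwait' mounts backed by dm-crypt mappings, and prints the RESUME= lines for /etc/initramfs-tools/conf.d/resume in the required order: the extra devices first, the real resume device last. The mapper names, UUIDs and the swap_crypt resume device are constructed sample values, not taken from the bug.

```shell
#!/bin/sh
# Added example: derive the conf.d/resume lines for the bootwait workaround.
# The real resume device must come LAST, because the initramfs init script
# only honours the last RESUME= assignment while the cryptroot hook reads all.

# Constructed sample /etc/fstab (hypothetical mapper names).
SAMPLE_FSTAB='
# <file system>        <mount point> <type> <options>           <dump> <pass>
/dev/mapper/root_crypt /             ext4   errors=remount-ro   0      1
/dev/mapper/srv_crypt  /srv          ext4   defaults,bootwait   0      2
/dev/mapper/home_crypt /home         ext4   defaults,nobootwait 0      2
/dev/mapper/swap_crypt none          swap   sw                  0      0
'

# Constructed sample /etc/crypttab (hypothetical UUIDs).
SAMPLE_CRYPTTAB='
root_crypt UUID=11111111-1111-1111-1111-111111111111 none luks
srv_crypt  UUID=22222222-2222-2222-2222-222222222222 none luks
home_crypt UUID=33333333-3333-3333-3333-333333333333 none luks
swap_crypt UUID=44444444-4444-4444-4444-444444444444 none luks
'

# Print mapper names of fstab entries that carry the bootwait option
# (not nobootwait), are not / (cryptroot already unlocks it), and are
# known to crypttab.
bootwait_crypt_names() {
    fstab=$1; crypttab=$2
    printf '%s\n' "$fstab" | awk '
        /^[[:space:]]*(#|$)/ { next }
        $2 != "/" && $4 ~ /(^|,)bootwait(,|$)/ && $1 ~ /^\/dev\/mapper\// {
            sub("^/dev/mapper/", "", $1); print $1
        }' | while read -r name; do
            printf '%s\n' "$crypttab" | awk -v n="$name" '$1 == n { print n }'
        done
}

# Emit the conf.d/resume content: one RESUME= line per bootwait mapping,
# then the real resume device ($3) on the final line.
resume_conf() {
    bootwait_crypt_names "$1" "$2" | sed 's|^|RESUME=/dev/mapper/|'
    printf 'RESUME=%s\n' "$3"
}

resume_conf "$SAMPLE_FSTAB" "$SAMPLE_CRYPTTAB" /dev/mapper/swap_crypt
```

The script only prints the lines; review them and then write them to /etc/initramfs-tools/conf.d/resume yourself before running update-initramfs.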