Encrypted swap won't load on 20.04 with zfs root
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
zfs-linux (Ubuntu) | Fix Released | Low | Colin Ian King |
Focal | Fix Released | Medium | Heitor Alves de Siqueira |
Bug Description
[Impact]
Encrypted swap partitions may not load correctly with ZFS root, due to an ordering cycle on zfs-mount.service.
[Test Plan]
1. Install Ubuntu 20.04 using ZFS-on-root
2. Add encrypted partition to /etc/crypttab:
swap /dev/nvme0n1p1 /dev/urandom swap,cipher=
3. Add swap partition to /etc/fstab:
/dev/mapper/swap none swap sw 0 0
4. Reboot and check whether swap has loaded correctly, and whether boot logs show an ordering cycle:
[ 6.638228] systemd[1]: systemd-
[ 6.639418] systemd[1]: systemd-
[ 6.640474] systemd[1]: systemd-
[ 6.641637] systemd[1]: systemd-
[ 6.642734] systemd[1]: systemd-
[ 6.643951] systemd[1]: systemd-
[ 6.645098] systemd[1]: systemd-
[ SKIP ] Ordering cycle found, skipping Mount ZFS filesystems
[Where problems could occur]
Since we're changing the zfs-mount-generator service, regressions could show up during mounting of ZFS partitions. We should thoroughly test different scenarios of ZFS such as ZFS-on-root, separate ZFS partitions and the presence of swap, to make sure all partitions are mounted correctly and no ordering cycles are present.
Below is a list of suggested test scenarios that we should check for regressions:
1. ZFS-on-root + encrypted swap (see "Test Plan" section above)
2. Encrypted root + separate ZFS partitions
3. ZFS on LUKS
4. ZFS on dm-raid
Although scenario 4 is usually advised against (ZFS itself should handle RAID), it's a good smoke test to validate that mount order is being handled correctly.
[Other Info]
This has been fixed upstream by the following commits:
* ec41cafee1da Fix a dependency loop [0]
* 62663fb7ec19 Fix another dependency loop [1]
The patches above have been introduced in version 2.1.0, with upstream backports to zfs-2.0. In Ubuntu, it's present in Groovy and later releases, so it's still needed in Focal.
$ rmadison -a source zfs-linux
zfs-linux | 0.8.3-1ubuntu12 | focal | source
zfs-linux | 0.8.3-1ubuntu12.9 | focal-security | source
zfs-linux | 0.8.3-1ubuntu12.10 | focal-updates | source
zfs-linux | 0.8.4-1ubuntu11 | groovy | source
zfs-linux | 0.8.4-1ubuntu11.2 | groovy-updates | source
zfs-linux | 2.0.2-1ubuntu5 | hirsute | source
zfs-linux | 2.0.3-8ubuntu5 | impish | source
[0] https:/
[1] https:/
ORIGINAL DESCRIPTION
=======
root@eu1:/var/log# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 20.04 LTS
Release: 20.04
Codename: focal
root@eu1:/var/log# apt-cache policy cryptsetup
cryptsetup:
Installed: (none)
Candidate: 2:2.2.2-3ubuntu2
Version table:
2:
500 http://
OTHER BACKGROUND INFO:
=======
1. Machine has 2 drives. Each drive is partitioned into 2 partitions, zfs and swap
2. Ubuntu 20.04 installed on ZFS root using debootstrap (debootstrap_
3. The ZFS root pool is a 2 partition mirror (the first partition of each disk)
4. /etc/crypttab is set up as follows:
swap /dev/disk/
swap /dev/disk/
WHAT I EXPECTED
===============
I expected the machine would reboot and have encrypted swap that used two devices under /dev/mapper
WHAT HAPPENED INSTEAD
=======
On reboot, swap setup fails with the following messages in /var/log/syslog:
Apr 28 17:13:01 eu1 kernel: [ 5.360793] systemd[1]: cryptsetup.target: Found ordering cycle on <email address hidden>/start
Apr 28 17:13:01 eu1 kernel: [ 5.360795] systemd[1]: cryptsetup.target: Found dependency on systemd-
Apr 28 17:13:01 eu1 kernel: [ 5.360796] systemd[1]: cryptsetup.target: Found dependency on zfs-mount.
Apr 28 17:13:01 eu1 kernel: [ 5.360797] systemd[1]: cryptsetup.target: Found dependency on zfs-load-
Apr 28 17:13:01 eu1 kernel: [ 5.360798] systemd[1]: cryptsetup.target: Found dependency on cryptsetup.
Apr 28 17:13:01 eu1 kernel: [ 5.360799] systemd[1]: cryptsetup.target: Job <email address hidden>/start deleted to break ordering cycle starting with cryptsetup.
. . . . . .
Apr 28 17:13:01 eu1 kernel: [ 5.361082] systemd[1]: Unnecessary job for /dev/disk/
Also, /dev/mapper does not contain any swap devices:
root@eu1:/var/log# ls -l /dev/mapper
total 0
crw------- 1 root root 10, 236 Apr 28 17:13 control
root@eu1:/var/log#
And top shows no swap:
MiB Swap: 0.0 total, 0.0 free, 0.0 used. 63153.6 avail Mem
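To check a boot log for the symptom reported above, the following added example (not part of the original report) summarises each systemd ordering cycle and the job that was deleted to break it. The function names and the sample log, including the `example-*.service` unit names, are constructed for illustration.

```shell
#!/bin/sh
# Added example. Summarise systemd ordering cycles found in a boot log
# (saved output of dmesg, journalctl -b, or /var/log/syslog).
# Output per cycle: "cycle: a -> b -> c | deleted: <job or none>"
ordering_cycles() {
    awk '
        function emit() {
            if (chain != "")
                print "cycle: " chain " | deleted: " (deleted != "" ? deleted : "none")
            chain = ""; deleted = ""
        }
        /Found ordering cycle on / {
            emit()                                   # close any previous cycle
            sub(/.*Found ordering cycle on /, ""); chain = $1
            next
        }
        /Found dependency on / && chain != "" {
            sub(/.*Found dependency on /, ""); chain = chain " -> " $1
            next
        }
        / deleted to break ordering cycle/ && chain != "" {
            sub(/.*: Job /, ""); deleted = $1        # the unit systemd dropped
            emit()
        }
        END { emit() }
    ' "$1"
}

# Succeeds (exit 0) if the log contains at least one ordering cycle.
has_ordering_cycle() {
    [ -n "$(ordering_cycles "$1")" ]
}

# Constructed sample log; unit names are placeholders, not the reporter's.
sample_log=$(mktemp)
trap 'rm -f "$sample_log"' EXIT
cat > "$sample_log" <<'EOF'
[    5.100000] systemd[1]: cryptsetup.target: Found ordering cycle on example-crypt.service/start
[    5.100001] systemd[1]: cryptsetup.target: Found dependency on example-mount.service/start
[    5.100002] systemd[1]: cryptsetup.target: Found dependency on cryptsetup.target/start
[    5.100003] systemd[1]: cryptsetup.target: Job example-crypt.service/start deleted to break ordering cycle starting with cryptsetup.target/start
[    5.200000] systemd[1]: Reached target Example.
EOF

ordering_cycles "$sample_log"
```

The "deleted" unit is the one that silently did not start, which on an affected system is the encrypted swap mapping.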
Changed in systemd (Ubuntu):
status: Incomplete → New
affects: systemd (Ubuntu) → zfs-linux (Ubuntu)
Changed in zfs-linux (Ubuntu Focal):
importance: Undecided → Medium
assignee: nobody → Heitor Alves de Siqueira (halves)
description: updated
I don't know exactly why this manifests as a dependency loop, but your /etc/crypttab is certainly wrong; the first column of /etc/crypttab is the target device name, and you cannot have two separate source encrypted devices map to the same decrypted device name.
If you give the two devices separate names (e.g. swap1, swap2), does this work for you?
If not, this should probably be reassigned to systemd, since those systemd units are created by a systemd generator and not by the cryptsetup package.
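The crypttab point raised in the comment above can be checked mechanically. This added example (not code from the bug report or from any package) flags target names defined more than once in a crypttab, and fstab swap entries that point at a /dev/mapper name with no crypttab target. The function names, device paths and file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example. Sample files below are constructed, not taken from the report.
# crypttab fields: <target name> <source device> <key file> <options>

# Print "<name> <count> <line numbers>" for every target defined more than once.
crypttab_duplicate_targets() {
    awk '
        /^[ \t]*(#|$)/ { next }                      # skip comments and blanks
        {
            count[$1]++
            lines[$1] = (count[$1] > 1 ? lines[$1] "," : "") NR
        }
        END {
            for (name in count)
                if (count[name] > 1) print name, count[name], lines[name]
        }
    ' "$1" | sort
}

# Print swap entries in fstab ($2) whose /dev/mapper/<name> has no crypttab ($1) target.
fstab_swap_without_target() {
    awk '
        /^[ \t]*(#|$)/ { next }
        FILENAME == ARGV[1] { target[$1] = 1; next } # first file: crypttab
        $3 == "swap" && $1 ~ /^\/dev\/mapper\// {
            name = $1
            sub(/^\/dev\/mapper\//, "", name)
            if (!(name in target)) print name
        }
    ' "$1" "$2"
}

sample_dir=$(mktemp -d)
trap 'rm -rf "$sample_dir"' EXIT
cat > "$sample_dir/crypttab" <<'EOF'
# constructed sample: two source devices mapped to one target name
swap /dev/disk/by-id/EXAMPLE-DISK-A-part2 /dev/urandom swap
swap /dev/disk/by-id/EXAMPLE-DISK-B-part2 /dev/urandom swap
EOF
cat > "$sample_dir/fstab" <<'EOF'
/dev/mapper/swap  none swap sw 0 0
/dev/mapper/swap2 none swap sw 0 0
EOF

crypttab_duplicate_targets "$sample_dir/crypttab"
fstab_swap_without_target "$sample_dir/crypttab" "$sample_dir/fstab"
```

On a real system, pass /etc/crypttab and /etc/fstab as the arguments; empty output from both functions means neither problem was found.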