systemd: build with cryptsetup support, add cryptsetup generators #66856
Conversation
@@ -831,6 +831,7 @@ in | |||
[Sleep] | |||
''; | |||
|
|||
"tmpfiles.d/lvm2.conf".source = "${pkgs.lvm2}/lib/tmpfiles.d/lvm2.conf"; |
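Review bot: the added `"tmpfiles.d/lvm2.conf".source = "${pkgs.lvm2}/lib/tmpfiles.d/lvm2.conf";` hardcodes `pkgs.lvm2` inside the systemd module, so a user who overrides their lvm2 package would still get the tmpfiles snippet from the default build; a short comment stating why systemd's cryptsetup support now needs lvm2's tmpfiles.d file would help, and, as the inline review comment suggests, it may be cleaner to have `systemd.packages` pick up `lib/tmpfiles.d` from its packages rather than wiring this one file by hand.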
It would be nice if systemd.packages could do this automatically.
We did some further debugging, and got things to work 🎉 Also, the new It's probably best to break this down into two PRs - one incorporating all the lvm fixes (including the possibilities to build a smaller variant of it), and then a second one using such a smaller lvm package to bootstrap systemd's libdevmapper for its cryptsetup support.
With #93024 merged, rebased this on latest staging.
For the scope of this PR, I don't intend to yet use this anywhere inside stage1/2 (which is more work), but it's a prerequisite for #72401. Even without systemd taking care of unlocking root volumes, we should add a test, relying on systemd to unlock a disk only described in a More advanced use cases could be also making use of the
status?
IIRC, the NixOS installer tests at least succeeded, but I'd like to see a small test being added, as commented in #66856 (comment). I'll see if I can get to that shortly, otherwise I'd appreciate if someone could come up with a small vm test.
There's a circular dependency to systemd via cryptsetup and lvm2 (systemd -> cryptsetup -> lvm2 -> udev=systemd). However, cryptsetup only really needs the devmapper component shipped with lvm2. So build `pkgs.cryptsetup` with an lvm2 that doesn't come with udev.
…yptsetup-generator.c)
This package previously did override the systemd package, and instructed ninja, systemd's previous build system, to only build the cryptsetup-specific systemd generators (plus some manual rpath massaging, as ninja install wasn't used). Afterwards, users were expected to add this package to their `systemd.generator-packages` (or since https://github.com/NixOS/nixpkgs/pull/65376/files `systemd.packages`) NixOS module options, so systemd will use these generators. As the previous commit added cryptsetup support directly to the systemd package (and pkgs.systemd now already ships the cryptsetup generators), we don't need another package shipping the same generators.
This creates and opens a luks volume, puts its passphrase into a keyfile and writes a /etc/crypttab. It then reboots the machine, and verifies systemd parsed /etc/crypttab properly, and was able to unlock the volume with the keyfile provided (as we try to mount it). The memorySize of the VM had to be bumped, as luksFormat would otherwise run out of memory.
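An added sketch of the VM test the commit message describes, written here as illustration and not taken from the PR itself: it formats a LUKS volume on a constructed second disk, stores the passphrase in a root-only keyfile, writes `/etc/crypttab`, reboots, and checks that `systemd-cryptsetup-generator` produced and started the unlock unit. The disk path `/dev/vdb`, the memory size and the passphrase are assumptions.

```nix
# Added example, not the PR's own nixos/tests file.
# Assumes the NixOS test driver API (make-test-python.nix, machine.succeed/
# wait_for_unit/shutdown/start); /dev/vdb and 1024 MiB are assumptions.
import ./make-test-python.nix ({ pkgs, ... }: {
  name = "systemd-cryptsetup-generator";

  nodes.machine = { pkgs, ... }: {
    # Second, empty disk that becomes /dev/vdb in the VM (constructed).
    virtualisation.emptyDiskImages = [ 512 ];
    # luksFormat's key derivation needs more RAM than the test default.
    virtualisation.memorySize = 1024;
    environment.systemPackages = [ pkgs.cryptsetup ];
  };

  testScript = ''
    machine.wait_for_unit("multi-user.target")

    # Constructed passphrase, kept in a keyfile only root can read.
    machine.succeed(
        "echo -n supersecret > /etc/luks.key",
        "chmod 0400 /etc/luks.key",
    )

    # Create the LUKS volume, put a filesystem inside, then close it again.
    machine.succeed(
        "cryptsetup luksFormat -q /dev/vdb /etc/luks.key",
        "cryptsetup open --key-file=/etc/luks.key /dev/vdb crypted",
        "mkfs.ext4 /dev/mapper/crypted",
        "cryptsetup close crypted",
    )

    # crypttab line that systemd-cryptsetup-generator turns into
    # systemd-cryptsetup@crypted.service at the next boot.
    machine.succeed("echo 'crypted /dev/vdb /etc/luks.key luks' > /etc/crypttab")

    machine.shutdown()
    machine.start()

    # The generator must have parsed /etc/crypttab and unlocked the volume
    # with the keyfile, without any interactive prompt.
    machine.wait_for_unit("systemd-cryptsetup@crypted.service")
    machine.succeed("mount /dev/mapper/crypted /mnt")
  '';
})
```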
I rebased this on top of latest staging, and added a test verifying the functionality we enable - PTAL.
The cyclic dependency of systemd → cryptsetup → lvm2 → udev=systemd needs to be broken somewhere. The previous strategy of building cryptsetup with an lvm2 built without udev (NixOS#66856) caused the installer.luksroot test to fail. Instead, build lvm2 with a udev built without cryptsetup. Fixes NixOS#96479. Signed-off-by: Anders Kaseorg <andersk@mit.edu>
Motivation for this change
This adds systemd cryptsetup generators, allowing systemd to translate /etc/crypttab into native systemd units early at boot and when configuration of the system manager is reloaded. It depends on #93024 for the cleanups, which were needed in first place to allow bootstrapping systemd.

Afterwards, we can also get rid of systemd-cryptsetup-generator (which is now integrated in systemd directly). I didn't do any manual testing yet, and we definitely should add some automated tests for it too :-)
Closes #75540.
Things done
- sandbox in `nix.conf` (on non-NixOS)
- `nix-shell -p nix-review --run "nix-review wip"`
- `./result/bin/`
- `nix path-info -S` (before and after)

Notify maintainers
cc @arianvp @7c6f434c (lvm2)