Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Mount RHCOS LUKS #826

Merged
merged 1 commit into from
Oct 9, 2019
Merged

Mount RHCOS LUKS #826

merged 1 commit into from
Oct 9, 2019

Conversation

cgwalters
Copy link
Member

We need the internal libguestfs bits to work; at least
buildextend-installer uses them.

@cgwalters
Copy link
Member Author

So I am still banging my head against this:

guestfsd: <= luks_open (0x101) request length 84 bytes
commandrvf: stdout=n stderr=y flags=0x0
commandrvf: udevadm --debug settle -E /dev/sda4
commandrvf: stdout=n stderr=y flags=0x0
commandrvf: cryptsetup -d /tmp/lukskwfgQY luksOpen /dev/sda4 crypt_root
guestfsd: error: 
guestfsd: => luks_open (0x101) took 0.04 secs
libguestfs: error: luks_open: 
libguestfs: closing guestfs handle 0x5599e70307e0 (state 2)

As best I can tell from reading the libguestfs source, that's saying that cryptsetup exited with nonzero, but emitted nothing to stderr. Or there's a bug in libguestfs.

@cgwalters
Copy link
Member Author

OK, built libguestfs from source and hacked in prefixing cryptsetup with strace and got:

uname({sysname="Linux", nodename="(none)", ...}) = 0
stat("/dev/mapper/control", {st_mode=S_IFCHR|0600, st_rdev=makedev(0xa, 0xec), ...}) = 0
openat(AT_FDCWD, "/dev/mapper/control", O_RDWR) = 6
openat(AT_FDCWD, "/proc/devices", O_RDONLY) = 7
fstat(7, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
read(7, "Character devices:\n  1 mem\n  4 /"..., 1024) = 563
close(7)                                = 0
ioctl(6, DM_VERSION, {version=4.0.0, data_size=16384, flags=DM_EXISTS_FLAG} => {version=4.40.0, data_size=16384, flags=DM_EXISTS_FLAG}) = 0
ioctl(6, DM_LIST_VERSIONS, {version=4.1.0, data_size=16384, data_start=312, flags=DM_EXISTS_FLAG} => {version=4.40.0, data_size=561, data_start=312, flags=DM_EXISTS_FLAG, ...}) = 0
semctl(0, 0, SEM_INFO, 0x7ffcbb59cf10)  = 0
access("/run/udev/control", F_OK)       = 0
ioctl(6, DM_TABLE_STATUS, {version=4.0.0, data_size=16384, data_start=312, name="luks-00000000-0000-4000-a000-000000000002", flags=DM_EXISTS_FLAG|DM_NOFLUSH_FLAG} => {version=4.40.0, data_size=16384, data_start=312, name="luks-00000000-0000-4000-a000-000000000002", flags=DM_EXISTS_FLAG|DM_NOFLUSH_FLAG}) = -1 ENXIO (N

Something about devmapper not being fully setup or something?

@cgwalters cgwalters marked this pull request as ready for review October 9, 2019 19:21
@cgwalters
Copy link
Member Author

So yeah, this took me a whole lot of time to debug because it was going OOM, but that was not at all obvious. See https://gitlab.com/cryptsetup/cryptsetup/issues/372

@cgwalters
guestfish: Support mounting RHCOS LUKS
dbf3e59 
We need the internal libguestfs bits to work; at least
`buildextend-installer` uses them.

First, the main mount code needs to detect this by looking for the
"luk_root"; if detected, use `luks-open` on it.

The thing that took me *FOREVER* to debug is that we need more
RAM for the libguestfs appliance, due to the new memory-hard argon2
KDF: https://gitlab.com/cryptsetup/cryptsetup/issues/372
@cgwalters cgwalters changed the title WIP: mount RHCOS luks Mount RHCOS LUKS Oct 9, 2019
@cgwalters
Copy link
Member Author

Lifting WIP on this, tested with both FCOS and RHCOS.

@cgwalters
Copy link
Member Author

Hm, actually this reveals that the memory we pass to qemu for create_disk.sh "leaks" into the default --pbkdf-memory - cryptsetup is (rationally) assuming that one is opening the LUKS device on the same machine as one created it.

I'm going to play with an explicit --pbkdf-memory 524288 or so too, although we almost certainly will still need to bump the libguestfs memory anyways.

@cgwalters cgwalters mentioned this pull request Oct 9, 2019
Merged
darkmuggle
darkmuggle approved these changes Oct 9, 2019
View reviewed changes
Copy link
Contributor

@darkmuggle darkmuggle left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, and very similar to what I fleshed out.

@darkmuggle
Copy link
Contributor

Merging, this is _very similar to #830. I'm merging and putting another PR for the other improvements.

@darkmuggle darkmuggle merged commit ad808fe into coreos:master Oct 9, 2019
@jlebon jlebon mentioned this pull request Nov 19, 2019
Closed
Prashanth684 added a commit to Prashanth684/mantle that referenced this pull request Nov 19, 2019
@Prashanth684
Support LUKS devices when using guestfish to inject ignition
5bbe94b 
Add support for recognizing LUKS filesystem when setting up ignition.
While not necessary for x86 because it uses fw_cfg, ppc64 and s390x use guestfish
and need this change for kola tests to run.

Introduced because of these changes: coreos/coreos-assembler#826
Prashanth684 added a commit to Prashanth684/mantle that referenced this pull request Nov 21, 2019
@Prashanth684
Do not mount root parition for injecting ignition
f0a47dd 
With the changes made recently: coreos/coreos-assembler#826, we need to add
support for detecting LUKS root partitions which is really unnecessary as we are just injecting ignition
in the boot partition.

Based on suggestions by @cgwalters and @tuan-hoang1 in coreos#1118
@Prashanth684 Prashanth684 mentioned this pull request Nov 21, 2019
Merged
@praveenkumar praveenkumar mentioned this pull request Nov 28, 2019
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@darkmuggle darkmuggle darkmuggle approved these changes

@miabbott miabbott Awaiting requested review from miabbott

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@cgwalters @darkmuggle