|
 |
ac49c72 |
From 3acb27df403c9e5772eb1d81aba1c65b6c7acc08 Mon Sep 17 00:00:00 2001
|
|
|
ac49c72 |
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
|
|
|
ac49c72 |
Date: Tue, 5 Sep 2017 09:14:51 +0200
|
|
|
ac49c72 |
Subject: [PATCH 1/3] units: order cryptsetup-pre.target before
|
|
|
ac49c72 |
cryptsetup.target
|
|
|
ac49c72 |
|
|
|
ac49c72 |
Normally this happens automatically, but if it happened that both targets were
|
|
|
ac49c72 |
pulled in, even though there were no cryptsetup units, they could be started
|
|
|
ac49c72 |
in reverse order, which would be somewhat confusing. Add an explicit ordering
|
|
|
ac49c72 |
to avoid this potential issue.
|
|
|
ac49c72 |
---
|
|
|
ac49c72 |
units/cryptsetup-pre.target | 1 +
|
|
|
ac49c72 |
1 file changed, 1 insertion(+)
|
|
|
ac49c72 |
|
|
|
ac49c72 |
diff --git a/units/cryptsetup-pre.target b/units/cryptsetup-pre.target
|
|
|
ac49c72 |
index 65353419f..42e35dd4e 100644
|
|
|
ac49c72 |
--- a/units/cryptsetup-pre.target
|
|
|
ac49c72 |
+++ b/units/cryptsetup-pre.target
|
|
|
ac49c72 |
@@ -9,3 +9,4 @@
|
|
|
ac49c72 |
Description=Encrypted Volumes (Pre)
|
|
|
ac49c72 |
Documentation=man:systemd.special(7)
|
|
|
ac49c72 |
RefuseManualStart=yes
|
|
|
ac49c72 |
+Before=cryptsetup.target
|
|
|
ac49c72 |
--
|
|
|
ac49c72 |
2.14.1
|
|
|
ac49c72 |
|
|
|
ac49c72 |
|
|
|
ac49c72 |
From 51a012da40e8d0d4d8df931b3bc56ea913c3856a Mon Sep 17 00:00:00 2001
|
|
|
ac49c72 |
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
|
|
|
ac49c72 |
Date: Tue, 5 Sep 2017 10:15:13 +0200
|
|
|
ac49c72 |
Subject: [PATCH 2/3] units: add remote-cryptsetup.target and
|
|
|
ac49c72 |
remote-cryptsetup-pre.target
|
|
|
ac49c72 |
|
|
|
ac49c72 |
The pair is similar to remote-fs.target and remote-fs-pre.target. Any
|
|
|
ac49c72 |
cryptsetup devices which require network shall be ordered after
|
|
|
ac49c72 |
remote-cryptsetup-pre.target and before remote-cryptsetup.target.
|
|
|
ac49c72 |
---
|
|
|
ac49c72 |
man/systemd.special.xml | 23 +++++++++++++++++++++++
|
|
|
ac49c72 |
units/cryptsetup-pre.target | 2 +-
|
|
|
ac49c72 |
units/cryptsetup.target | 2 +-
|
|
|
ac49c72 |
units/meson.build | 3 +++
|
|
|
ac49c72 |
units/remote-cryptsetup-pre.target | 15 +++++++++++++++
|
|
|
ac49c72 |
units/remote-cryptsetup.target | 10 ++++++++++
|
|
|
ac49c72 |
6 files changed, 53 insertions(+), 2 deletions(-)
|
|
|
ac49c72 |
create mode 100644 units/remote-cryptsetup-pre.target
|
|
|
ac49c72 |
create mode 100644 units/remote-cryptsetup.target
|
|
|
ac49c72 |
|
|
|
ac49c72 |
diff --git a/man/systemd.special.xml b/man/systemd.special.xml
|
|
|
ac49c72 |
index 66c45e39a..7107b8a92 100644
|
|
|
ac49c72 |
--- a/man/systemd.special.xml
|
|
|
ac49c72 |
+++ b/man/systemd.special.xml
|
|
|
ac49c72 |
@@ -81,6 +81,8 @@
|
|
|
ac49c72 |
<filename>poweroff.target</filename>,
|
|
|
ac49c72 |
<filename>printer.target</filename>,
|
|
|
ac49c72 |
<filename>reboot.target</filename>,
|
|
|
ac49c72 |
+ <filename>remote-cryptsetup-pre.target</filename>,
|
|
|
ac49c72 |
+ <filename>remote-cryptsetup.target</filename>,
|
|
|
ac49c72 |
<filename>remote-fs-pre.target</filename>,
|
|
|
ac49c72 |
<filename>remote-fs.target</filename>,
|
|
|
ac49c72 |
<filename>rescue.target</filename>,
|
|
|
ac49c72 |
@@ -450,6 +452,27 @@
|
|
|
ac49c72 |
this target unit, for compatibility with SysV.</para>
|
|
|
ac49c72 |
</listitem>
|
|
|
ac49c72 |
</varlistentry>
|
|
|
ac49c72 |
+ <varlistentry>
|
|
|
ac49c72 |
+ <term><filename>remote-cryptsetup-pre.target</filename></term>
|
|
|
ac49c72 |
+ <listitem>
|
|
|
ac49c72 |
+ <para>This target unit is automatically ordered before all cryptsetup devices
|
|
|
ac49c72 |
+ marked with the <option>_netdev</option>. It can be used to execute additional
|
|
|
ac49c72 |
+ units before such devices are set up.</para>
|
|
|
ac49c72 |
+
|
|
|
ac49c72 |
+ <para>It is ordered after <filename>network.target</filename> and
|
|
|
ac49c72 |
+ <filename>network-online.target</filename>, and also pulls the latter in as a
|
|
|
ac49c72 |
+ <varname>Wants=</varname> dependency.</para>
|
|
|
ac49c72 |
+ </listitem>
|
|
|
ac49c72 |
+ </varlistentry>
|
|
|
ac49c72 |
+ <varlistentry>
|
|
|
ac49c72 |
+ <term><filename>remote-cryptsetup.target</filename></term>
|
|
|
ac49c72 |
+ <listitem>
|
|
|
ac49c72 |
+ <para>Similar to <filename>cryptsetup.target</filename>, but for encrypted
|
|
|
ac49c72 |
+ devices which are accessed over the network. It is used for
|
|
|
ac49c72 |
+ <citerefentry><refentrytitle>crypttab</refentrytitle><manvolnum>8</manvolnum></citerefentry>
|
|
|
ac49c72 |
+ entries marked with <option>_netdev</option>.</para>
|
|
|
ac49c72 |
+ </listitem>
|
|
|
ac49c72 |
+ </varlistentry>
|
|
|
ac49c72 |
<varlistentry>
|
|
|
ac49c72 |
<term><filename>remote-fs.target</filename></term>
|
|
|
ac49c72 |
<listitem>
|
|
|
ac49c72 |
diff --git a/units/cryptsetup-pre.target b/units/cryptsetup-pre.target
|
|
|
ac49c72 |
index 42e35dd4e..6cb28a61a 100644
|
|
|
ac49c72 |
--- a/units/cryptsetup-pre.target
|
|
|
ac49c72 |
+++ b/units/cryptsetup-pre.target
|
|
|
ac49c72 |
@@ -6,7 +6,7 @@
|
|
|
ac49c72 |
# (at your option) any later version.
|
|
|
ac49c72 |
|
|
|
ac49c72 |
[Unit]
|
|
|
ac49c72 |
-Description=Encrypted Volumes (Pre)
|
|
|
ac49c72 |
+Description=Local Encrypted Volumes (Pre)
|
|
|
ac49c72 |
Documentation=man:systemd.special(7)
|
|
|
ac49c72 |
RefuseManualStart=yes
|
|
|
ac49c72 |
Before=cryptsetup.target
|
|
|
ac49c72 |
diff --git a/units/cryptsetup.target b/units/cryptsetup.target
|
|
|
ac49c72 |
index 25d3e33f6..10b17fd38 100644
|
|
|
ac49c72 |
--- a/units/cryptsetup.target
|
|
|
ac49c72 |
+++ b/units/cryptsetup.target
|
|
|
ac49c72 |
@@ -6,5 +6,5 @@
|
|
|
ac49c72 |
# (at your option) any later version.
|
|
|
ac49c72 |
|
|
|
ac49c72 |
[Unit]
|
|
|
ac49c72 |
-Description=Encrypted Volumes
|
|
|
ac49c72 |
+Description=Local Encrypted Volumes
|
|
|
ac49c72 |
Documentation=man:systemd.special(7)
|
|
|
ac49c72 |
diff --git a/units/meson.build b/units/meson.build
|
|
|
ac49c72 |
index e94add6a6..e6351c7a2 100644
|
|
|
ac49c72 |
--- a/units/meson.build
|
|
|
ac49c72 |
+++ b/units/meson.build
|
|
|
ac49c72 |
@@ -47,6 +47,9 @@ units = [
|
|
|
ac49c72 |
['proc-sys-fs-binfmt_misc.mount', 'ENABLE_BINFMT'],
|
|
|
ac49c72 |
['reboot.target', '',
|
|
|
ac49c72 |
'runlevel6.target ctrl-alt-del.target'],
|
|
|
ac49c72 |
+ ['remote-cryptsetup-pre.target', 'HAVE_LIBCRYPTSETUP'],
|
|
|
ac49c72 |
+ ['remote-cryptsetup.target', 'HAVE_LIBCRYPTSETUP',
|
|
|
ac49c72 |
+ join_paths(pkgsysconfdir, 'system/multi-user.target.wants/')],
|
|
|
ac49c72 |
['remote-fs-pre.target', ''],
|
|
|
ac49c72 |
['remote-fs.target', '',
|
|
|
ac49c72 |
join_paths(pkgsysconfdir, 'system/multi-user.target.wants/')],
|
|
|
ac49c72 |
diff --git a/units/remote-cryptsetup-pre.target b/units/remote-cryptsetup-pre.target
|
|
|
ac49c72 |
new file mode 100644
|
|
|
ac49c72 |
index 000000000..a375e6188
|
|
|
ac49c72 |
--- /dev/null
|
|
|
ac49c72 |
+++ b/units/remote-cryptsetup-pre.target
|
|
|
ac49c72 |
@@ -0,0 +1,15 @@
|
|
|
ac49c72 |
+# This file is part of systemd.
|
|
|
ac49c72 |
+#
|
|
|
ac49c72 |
+# systemd is free software; you can redistribute it and/or modify it
|
|
|
ac49c72 |
+# under the terms of the GNU Lesser General Public License as published by
|
|
|
ac49c72 |
+# the Free Software Foundation; either version 2.1 of the License, or
|
|
|
ac49c72 |
+# (at your option) any later version.
|
|
|
ac49c72 |
+
|
|
|
ac49c72 |
+[Unit]
|
|
|
ac49c72 |
+Description=Remote Encrypted Volumes (Pre)
|
|
|
ac49c72 |
+Documentation=man:systemd.special(7)
|
|
|
ac49c72 |
+RefuseManualStart=yes
|
|
|
ac49c72 |
+Before=remote-cryptsetup.target
|
|
|
ac49c72 |
+
|
|
|
ac49c72 |
+After=network.target network-online.target
|
|
|
ac49c72 |
+Wants=network-online.target
|
|
|
ac49c72 |
diff --git a/units/remote-cryptsetup.target b/units/remote-cryptsetup.target
|
|
|
ac49c72 |
new file mode 100644
|
|
|
ac49c72 |
index 000000000..60943bd1c
|
|
|
ac49c72 |
--- /dev/null
|
|
|
ac49c72 |
+++ b/units/remote-cryptsetup.target
|
|
|
ac49c72 |
@@ -0,0 +1,10 @@
|
|
|
ac49c72 |
+# This file is part of systemd.
|
|
|
ac49c72 |
+#
|
|
|
ac49c72 |
+# systemd is free software; you can redistribute it and/or modify it
|
|
|
ac49c72 |
+# under the terms of the GNU Lesser General Public License as published by
|
|
|
ac49c72 |
+# the Free Software Foundation; either version 2.1 of the License, or
|
|
|
ac49c72 |
+# (at your option) any later version.
|
|
|
ac49c72 |
+
|
|
|
ac49c72 |
+[Unit]
|
|
|
ac49c72 |
+Description=Remote Encrypted Volumes
|
|
|
ac49c72 |
+Documentation=man:systemd.special(7)
|
|
|
ac49c72 |
--
|
|
|
ac49c72 |
2.14.1
|
|
|
ac49c72 |
|
|
|
ac49c72 |
|
|
|
ac49c72 |
From 543a62336565c840bbda22df0eb2a1c19180a8d5 Mon Sep 17 00:00:00 2001
|
|
|
ac49c72 |
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
|
|
|
ac49c72 |
Date: Tue, 5 Sep 2017 11:30:33 +0200
|
|
|
ac49c72 |
Subject: [PATCH 3/3] cryptsetup-generator: use remote-cryptsetup.target when
|
|
|
ac49c72 |
_netdev is present
|
|
|
ac49c72 |
|
|
|
ac49c72 |
This allows such devices to depend on the network. Their startup will
|
|
|
ac49c72 |
be delayed similarly to network mount units.
|
|
|
ac49c72 |
|
|
|
ac49c72 |
Fixes #4642.
|
|
|
ac49c72 |
---
|
|
|
ac49c72 |
man/crypttab.xml | 13 +++++++++++++
|
|
|
ac49c72 |
src/cryptsetup/cryptsetup-generator.c | 36 ++++++++++++++++++-----------------
|
|
|
ac49c72 |
2 files changed, 32 insertions(+), 17 deletions(-)
|
|
|
ac49c72 |
|
|
|
ac49c72 |
diff --git a/man/crypttab.xml b/man/crypttab.xml
|
|
|
ac49c72 |
index 17976f370..162377ebc 100644
|
|
|
ac49c72 |
--- a/man/crypttab.xml
|
|
|
ac49c72 |
+++ b/man/crypttab.xml
|
|
|
ac49c72 |
@@ -213,6 +213,19 @@
|
|
|
ac49c72 |
<option>size=</option>.</para></listitem>
|
|
|
ac49c72 |
</varlistentry>
|
|
|
ac49c72 |
|
|
|
ac49c72 |
+ <varlistentry>
|
|
|
ac49c72 |
+ <term><option>_netdev</option></term>
|
|
|
ac49c72 |
+
|
|
|
ac49c72 |
+ <listitem><para>Marks this cryptsetup device as requiring network. It will be
|
|
|
ac49c72 |
+ started after the network is available, similarly to
|
|
|
ac49c72 |
+ <citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry>
|
|
|
ac49c72 |
+ units marked with <option>_netdev</option>. The service unit to set up this device
|
|
|
ac49c72 |
+ will be ordered between <filename>remote-cryptsetup-pre.target</filename> and
|
|
|
ac49c72 |
+ <filename>remote-cryptsetup.target</filename>, instead of
|
|
|
ac49c72 |
+ <filename>cryptsetup-pre.target</filename> and
|
|
|
ac49c72 |
+ <filename>cryptsetup.target</filename>.</para></listitem>
|
|
|
ac49c72 |
+ </varlistentry>
|
|
|
ac49c72 |
+
|
|
|
ac49c72 |
<varlistentry>
|
|
|
ac49c72 |
<term><option>noauto</option></term>
|
|
|
ac49c72 |
|
|
|
ac49c72 |
diff --git a/src/cryptsetup/cryptsetup-generator.c b/src/cryptsetup/cryptsetup-generator.c
|
|
|
ac49c72 |
index b58b6db7c..8571ab06e 100644
|
|
|
ac49c72 |
--- a/src/cryptsetup/cryptsetup-generator.c
|
|
|
ac49c72 |
+++ b/src/cryptsetup/cryptsetup-generator.c
|
|
|
ac49c72 |
@@ -61,7 +61,7 @@ static int create_disk(
|
|
|
ac49c72 |
_cleanup_free_ char *p = NULL, *n = NULL, *d = NULL, *u = NULL, *to = NULL, *e = NULL,
|
|
|
ac49c72 |
*filtered = NULL;
|
|
|
ac49c72 |
_cleanup_fclose_ FILE *f = NULL;
|
|
|
ac49c72 |
- bool noauto, nofail, tmp, swap;
|
|
|
ac49c72 |
+ bool noauto, nofail, tmp, swap, netdev;
|
|
|
ac49c72 |
char *from;
|
|
|
ac49c72 |
int r;
|
|
|
ac49c72 |
|
|
|
ac49c72 |
@@ -72,6 +72,7 @@ static int create_disk(
|
|
|
ac49c72 |
nofail = fstab_test_yes_no_option(options, "nofail\0" "fail\0");
|
|
|
ac49c72 |
tmp = fstab_test_option(options, "tmp\0");
|
|
|
ac49c72 |
swap = fstab_test_option(options, "swap\0");
|
|
|
ac49c72 |
+ netdev = fstab_test_option(options, "_netdev\0");
|
|
|
ac49c72 |
|
|
|
ac49c72 |
if (tmp && swap) {
|
|
|
ac49c72 |
log_error("Device '%s' cannot be both 'tmp' and 'swap'. Ignoring.", name);
|
|
|
ac49c72 |
@@ -102,21 +103,22 @@ static int create_disk(
|
|
|
ac49c72 |
if (!f)
|
|
|
ac49c72 |
return log_error_errno(errno, "Failed to create unit file %s: %m", p);
|
|
|
ac49c72 |
|
|
|
ac49c72 |
- fputs("# Automatically generated by systemd-cryptsetup-generator\n\n"
|
|
|
ac49c72 |
- "[Unit]\n"
|
|
|
ac49c72 |
- "Description=Cryptography Setup for %I\n"
|
|
|
ac49c72 |
- "Documentation=man:crypttab(5) man:systemd-cryptsetup-generator(8) man:systemd-cryptsetup@.service(8)\n"
|
|
|
ac49c72 |
- "SourcePath=/etc/crypttab\n"
|
|
|
ac49c72 |
- "DefaultDependencies=no\n"
|
|
|
ac49c72 |
- "Conflicts=umount.target\n"
|
|
|
ac49c72 |
- "BindsTo=dev-mapper-%i.device\n"
|
|
|
ac49c72 |
- "IgnoreOnIsolate=true\n"
|
|
|
ac49c72 |
- "After=cryptsetup-pre.target\n",
|
|
|
ac49c72 |
- f);
|
|
|
ac49c72 |
+ fprintf(f,
|
|
|
ac49c72 |
+ "# Automatically generated by systemd-cryptsetup-generator\n\n"
|
|
|
ac49c72 |
+ "[Unit]\n"
|
|
|
ac49c72 |
+ "Description=Cryptography Setup for %%I\n"
|
|
|
ac49c72 |
+ "Documentation=man:crypttab(5) man:systemd-cryptsetup-generator(8) man:systemd-cryptsetup@.service(8)\n"
|
|
|
ac49c72 |
+ "SourcePath=/etc/crypttab\n"
|
|
|
ac49c72 |
+ "DefaultDependencies=no\n"
|
|
|
ac49c72 |
+ "Conflicts=umount.target\n"
|
|
|
ac49c72 |
+ "IgnoreOnIsolate=true\n"
|
|
|
ac49c72 |
+ "After=%s\n",
|
|
|
ac49c72 |
+ netdev ? "remote-cryptsetup-pre.target" : "cryptsetup-pre.target");
|
|
|
ac49c72 |
|
|
|
ac49c72 |
if (!nofail)
|
|
|
ac49c72 |
fprintf(f,
|
|
|
ac49c72 |
- "Before=cryptsetup.target\n");
|
|
|
ac49c72 |
+ "Before=%s\n",
|
|
|
ac49c72 |
+ netdev ? "remote-cryptsetup.target" : "cryptsetup.target");
|
|
|
ac49c72 |
|
|
|
ac49c72 |
if (password) {
|
|
|
ac49c72 |
if (STR_IN_SET(password, "/dev/urandom", "/dev/random", "/dev/hw_random"))
|
|
|
ac49c72 |
@@ -200,10 +202,10 @@ static int create_disk(
|
|
|
ac49c72 |
return log_error_errno(errno, "Failed to create symlink %s: %m", to);
|
|
|
ac49c72 |
|
|
|
ac49c72 |
free(to);
|
|
|
ac49c72 |
- if (!nofail)
|
|
|
ac49c72 |
- to = strjoin(arg_dest, "/cryptsetup.target.requires/", n);
|
|
|
ac49c72 |
- else
|
|
|
ac49c72 |
- to = strjoin(arg_dest, "/cryptsetup.target.wants/", n);
|
|
|
ac49c72 |
+ to = strjoin(arg_dest,
|
|
|
ac49c72 |
+ netdev ? "/remote-cryptsetup" : "/cryptsetup",
|
|
|
ac49c72 |
+ ".target.",
|
|
|
ac49c72 |
+ nofail ? "wants/" : "requires/", n);
|
|
|
ac49c72 |
if (!to)
|
|
|
ac49c72 |
return log_oom();
|
|
|
ac49c72 |
|
|
|
ac49c72 |
--
|
|
|
ac49c72 |
2.14.1
|
|
|
ac49c72 |
|