From b3d7b8659143ebad71a7a6e3c622c943501c93af Mon Sep 17 00:00:00 2001
From: Ettore Di Giacinto
Date: Wed, 23 Nov 2022 08:34:22 +0000
Subject: [PATCH 1/8] Do not umount oem if we have found it out
Signed-off-by: Ettore Di Giacinto
---
 dracut/29kcrypt/mount-local.sh | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/dracut/29kcrypt/mount-local.sh b/dracut/29kcrypt/mount-local.sh
index 8a67533..85bece1 100755
--- a/dracut/29kcrypt/mount-local.sh
+++ b/dracut/29kcrypt/mount-local.sh
@@ -7,13 +7,10 @@ type getarg > /dev/null 2>&1 || . /lib/dracut-lib.sh
 PATH=/usr/sbin:/usr/bin:/sbin:/bin
 
 OEM=$(blkid -L COS_OEM)
+
 if [ "$OEM" != "" ]; then
 mkdir /oem
 mount $OEM /oem
 fi
 
-kcrypt unlock-all
-
-if [ "$OEM" != "" ]; then
-umount /oem
-fi
+kcrypt unlock-all
\ No newline at end of file
From 7f397a34595ec60162cd61fc8f5b9990b2b96c17 Mon Sep 17 00:00:00 2001
From: Ettore Di Giacinto
Date: Wed, 23 Nov 2022 09:44:39 +0000
Subject: [PATCH 2/8] Try to wait for oem mount instead
---
 dracut/29kcrypt/generator.sh | 46 +++++++++++++++++-------------------
 1 file changed, 22 insertions(+), 24 deletions(-)
diff --git a/dracut/29kcrypt/generator.sh b/dracut/29kcrypt/generator.sh
index 37cc0c3..485cfb4 100755
--- a/dracut/29kcrypt/generator.sh
+++ b/dracut/29kcrypt/generator.sh
@@ -7,31 +7,29 @@ GENERATOR_DIR="$2"
 [ -z "$GENERATOR_DIR" ] && exit 1
 [ -d "$GENERATOR_DIR" ] || mkdir "$GENERATOR_DIR"
 
-if getargbool 0 rd.neednet; then
- {
- echo "[Unit]"
- echo "DefaultDependencies=no"
- echo "Description=kcrypt online mount"
- echo "Before=cos-immutable-rootfs.service"
- echo "After=network-online.target"
+oem_label=$(getarg rd.cos.oemlabel=)
+neednet="rd.neednet"
+
+# See https://github.com/kairos-io/packages/blob/d12b12b043a71d8471454f7b4fc84c3181d2bf60/packages/system/dracut/immutable-rootfs/30cos-immutable-rootfs/cos-generator.sh#L29
+{
+ echo "[Unit]"
+ echo "DefaultDependencies=no"
+ echo "Description=kcrypt online mount"
+ echo "Before=cos-immutable-rootfs.service"
+ if getargbool 0 $neednet; then
 echo "Wants=network-online.target"
- echo "[Service]"
- echo "Type=oneshot"
- echo "RemainAfterExit=no"
- echo "ExecStart=/sbin/kcrypt-mount-local"
- } > "$GENERATOR_DIR"/kcrypt.service
-else
- {
- echo "[Unit]"
- echo "DefaultDependencies=no"
- echo "Description=kcrypt mount"
- echo "Before=cos-immutable-rootfs.service"
- echo "[Service]"
- echo "Type=oneshot"
- echo "RemainAfterExit=no"
- echo "ExecStart=/sbin/kcrypt-mount-local"
- } > "$GENERATOR_DIR"/kcrypt.service
-fi
+ echo "After=network-online.target"
+ fi
+ # OEM is special as kcrypt plugins might need that in order to unlock other partitions and plugins can reside in /oem as well and kcrypt needs to find them
+ if [ -n "${oem_label}" ]; then
+ echo "After=oem.mount"
+ fi
+ echo "[Service]"
+ echo "Type=oneshot"
+ echo "RemainAfterExit=no"
+ echo "ExecStart=/sbin/kcrypt-mount-local"
+} > "$GENERATOR_DIR"/kcrypt.service
+
 
 if [ ! -e "$GENERATOR_DIR/initrd-fs.target.requires/kcrypt.service" ]; then
 mkdir -p "$GENERATOR_DIR"/initrd-fs.target.requires
From 214ae513338fb5c2f1070259228d927e634aa92d Mon Sep 17 00:00:00 2001
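Review bot: `echo "After=oem.mount"` only orders kcrypt.service behind the OEM mount; an After= line does not pull the unit in, so if nothing else requests oem.mount the ordering is a no-op and kcrypt-mount-local runs without the /oem plugins that the comment right above says it may need. Unless oem.mount is guaranteed to be requested elsewhere (the cos-generator linked in the comment may do that, but it is not visible here), emit `echo "Wants=oem.mount"` next to the After= line so the dependency is explicit. The unquoted `$neednet` in `getargbool 0 $neednet` is harmless for this fixed value but would be consistent with `"${oem_label}"` if quoted.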
From: Ettore Di Giacinto
Date: Wed, 23 Nov 2022 09:59:55 +0000
Subject: [PATCH 3/8] Bind it to sysroot
---
 dracut/29kcrypt/generator.sh | 2 ++
 pkg/bus/bus.go | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/dracut/29kcrypt/generator.sh b/dracut/29kcrypt/generator.sh
index 485cfb4..c3443ff 100755
--- a/dracut/29kcrypt/generator.sh
+++ b/dracut/29kcrypt/generator.sh
@@ -16,6 +16,7 @@ neednet="rd.neednet"
 echo "DefaultDependencies=no"
 echo "Description=kcrypt online mount"
 echo "Before=cos-immutable-rootfs.service"
+ echo "Conflicts=initrd-switch-root.target"
 if getargbool 0 $neednet; then
 echo "Wants=network-online.target"
 echo "After=network-online.target"
@@ -24,6 +25,7 @@ neednet="rd.neednet"
 if [ -n "${oem_label}" ]; then
 echo "After=oem.mount"
 fi
+ echo "After=sysroot.mount"
 echo "[Service]"
 echo "Type=oneshot"
 echo "RemainAfterExit=no"
diff --git a/pkg/bus/bus.go b/pkg/bus/bus.go
index ce2348a..b3045a5 100644
--- a/pkg/bus/bus.go
+++ b/pkg/bus/bus.go
@@ -28,7 +28,7 @@ type Bus struct {
 
 func (b *Bus) LoadProviders() {
 wd, _ := os.Getwd()
- b.Manager.Autoload("kcrypt-discovery", "/system/discovery", "/oem/kcrypt", "/oem/system/discovery", wd).Register()
+ b.Manager.Autoload("kcrypt-discovery", "/sysroot/system/discovery", "/system/discovery", "/oem/kcrypt", "/oem/system/discovery", wd).Register()
 }
 
 func (b *Bus) Initialize() {
From 641fc6ffa7fe9ce019448f3478e25822a6921dfd Mon Sep 17 00:00:00 2001
From: Ettore Di Giacinto
Date: Wed, 23 Nov 2022 10:29:11 +0000
Subject: [PATCH 4/8] Try to run kcrypt directly
---
 dracut/29kcrypt/generator.sh | 2 +-
 dracut/29kcrypt/module-setup.sh | 3 +--
 dracut/29kcrypt/mount-local.sh | 16 ----------------
 3 files changed, 2 insertions(+), 19 deletions(-)
 delete mode 100755 dracut/29kcrypt/mount-local.sh
diff --git a/dracut/29kcrypt/generator.sh b/dracut/29kcrypt/generator.sh
index c3443ff..f0451a8 100755
--- a/dracut/29kcrypt/generator.sh
+++ b/dracut/29kcrypt/generator.sh
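Review bot: The new `/sysroot/system/discovery` entry in the `Autoload` call makes kcrypt execute discovery providers found on the target root filesystem while it is still running as root inside the initrd, and it is listed ahead of the initrd's own `/system/discovery`, so a same-named provider on /sysroot presumably takes precedence (how Autoload resolves duplicates is not visible here). That is acceptable only if /sysroot is the verified immutable root, and the reader should not have to guess; add a comment on the line such as `// Search order matters: providers on the (verified) root at /sysroot win over the initrd's own copies; /oem is included because plugins may ship there.` If the precedence is accidental, list the initrd path first. This path only works together with the `After=sysroot.mount` line added in the generator.sh hunk of the same patch, which is worth saying in the commit message.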
@@ -29,7 +29,7 @@ neednet="rd.neednet"
 echo "[Service]"
 echo "Type=oneshot"
 echo "RemainAfterExit=no"
- echo "ExecStart=/sbin/kcrypt-mount-local"
+ echo "ExecStart=/usr/bin/kcrypt unlock-all"
 } > "$GENERATOR_DIR"/kcrypt.service
 
 
diff --git a/dracut/29kcrypt/module-setup.sh b/dracut/29kcrypt/module-setup.sh
index 7ff7024..1b41f96 100644
--- a/dracut/29kcrypt/module-setup.sh
+++ b/dracut/29kcrypt/module-setup.sh
@@ -27,8 +27,7 @@ install() {
 inst_multiple \
 kcrypt
 
- inst_script "${moddir}/mount-local.sh" "/sbin/kcrypt-mount-local"
- #inst_hook pre-trigger 10 "$moddir/mount-local.sh"
+
 
 inst_script "${moddir}/generator.sh" \
 "${systemdutildir}/system-generators/dracut-kcrypt-generator"
diff --git a/dracut/29kcrypt/mount-local.sh b/dracut/29kcrypt/mount-local.sh
deleted file mode 100755
index 85bece1..0000000
--- a/dracut/29kcrypt/mount-local.sh
+++ /dev/null
@@ -1,16 +0,0 @@
-#!/bin/sh
-# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
-# ex: ts=8 sw=4 sts=4 et filetype=sh
-
-type getarg > /dev/null 2>&1 || . /lib/dracut-lib.sh
-
-PATH=/usr/sbin:/usr/bin:/sbin:/bin
-
-OEM=$(blkid -L COS_OEM)
-
-if [ "$OEM" != "" ]; then
- mkdir /oem
- mount $OEM /oem
-fi
-
-kcrypt unlock-all
\ No newline at end of file
From 1c3a3ac5104bc2eb2bb10323f418f198161f92ad Mon Sep 17 00:00:00 2001
From: Ettore Di Giacinto
Date: Wed, 23 Nov 2022 12:51:55 +0100
Subject: [PATCH 5/8] Do not fail if we can't find a partition file
---
 dracut/29kcrypt/generator.sh | 9 +++++----
 main.go | 8 +++++---
 2 files changed, 10 insertions(+), 7 deletions(-)
diff --git a/dracut/29kcrypt/generator.sh b/dracut/29kcrypt/generator.sh
index f0451a8..a449e82 100755
--- a/dracut/29kcrypt/generator.sh
+++ b/dracut/29kcrypt/generator.sh
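Review bot: Switching ExecStart to `/usr/bin/kcrypt unlock-all` and deleting mount-local.sh drops the unconditional `blkid -L COS_OEM` mount of /oem that the old script performed; /oem now reaches kcrypt only through the `After=oem.mount` ordering the generator emits when `rd.cos.oemlabel` is on the kernel command line, so a system that relied on the label probe without that argument will run unlock-all without its /oem plugins. If that is the intended contract, state it in the generator comment (`# /oem is expected to be mounted by oem.mount when rd.cos.oemlabel is set; no fallback probe is done here`); otherwise keep a fallback. The hard-coded `/usr/bin/kcrypt` also has to match wherever `inst_multiple kcrypt` in module-setup.sh ends up copying the binary from on the build host, which is worth a check or a fixed install target.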
@@ -8,18 +8,19 @@ GENERATOR_DIR="$2"
 [ -d "$GENERATOR_DIR" ] || mkdir "$GENERATOR_DIR"
 
 oem_label=$(getarg rd.cos.oemlabel=)
-neednet="rd.neednet"
 
 # See https://github.com/kairos-io/packages/blob/d12b12b043a71d8471454f7b4fc84c3181d2bf60/packages/system/dracut/immutable-rootfs/30cos-immutable-rootfs/cos-generator.sh#L29
 {
 echo "[Unit]"
 echo "DefaultDependencies=no"
- echo "Description=kcrypt online mount"
 echo "Before=cos-immutable-rootfs.service"
 echo "Conflicts=initrd-switch-root.target"
- if getargbool 0 $neednet; then
+ if getargbool 0 rd.neednet; then
 echo "Wants=network-online.target"
 echo "After=network-online.target"
+ echo "Description=kcrypt online mount"
+ else
+ echo "Description=kcrypt mount"
 fi
 # OEM is special as kcrypt plugins might need that in order to unlock other partitions and plugins can reside in /oem as well and kcrypt needs to find them
 if [ -n "${oem_label}" ]; then
@@ -37,4 +38,4 @@ if [ ! -e "$GENERATOR_DIR/initrd-fs.target.requires/kcrypt.service" ]; then
 mkdir -p "$GENERATOR_DIR"/initrd-fs.target.requires
 ln -s "$GENERATOR_DIR"/kcrypt.service \
 "$GENERATOR_DIR"/initrd-fs.target.requires/kcrypt.service
-fi
\ No newline at end of file
+fi
diff --git a/main.go b/main.go
index 522465e..1bb9e7a 100644
--- a/main.go
+++ b/main.go
@@ -283,7 +283,7 @@ func unlockAll() error {
 
 partitionInfo, _, err := pi.NewPartitionInfoFromFile(pi.DefaultPartitionInfoFile)
 if err != nil {
- return err
+ fmt.Printf("Partition file not found '%s' \n", pi.DefaultPartitionInfoFile)
 }
 
 block, err := ghw.Block()
@@ -291,7 +291,9 @@ func unlockAll() error {
 for _, disk := range block.Disks {
 for _, p := range disk.Partitions {
 if p.Type == "crypto_LUKS" {
- p.Label = partitionInfo.LookupLabelForUUID(p.UUID)
+ if partitionInfo != nil {
+ p.Label = partitionInfo.LookupLabelForUUID(p.UUID)
+ }
 fmt.Printf("Unmounted Luks found at '%s' LABEL '%s' \n", p.Name, p.Label)
 err = multierror.Append(err, unlockDisk(p))
 if err != nil {
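Review bot: The new branch in the first main.go hunk reports every failure of `pi.NewPartitionInfoFromFile` as `Partition file not found`, but a present-yet-unreadable or malformed file takes the same path and `err` itself is never shown, so an operator cannot tell the two cases apart; print the error, e.g. `fmt.Printf("Warning: could not read partition file '%s': %s\n", pi.DefaultPartitionInfoFile, err)`. Whether `partitionInfo` is nil on error depends on NewPartitionInfoFromFile, which is not visible here; the nil guard added in the second hunk covers either case, and a one-line comment saying `// partitionInfo may be nil when the file could not be read; labels are then left as reported by ghw` would make that intent explicit. unlockAll begins and ends outside both hunks.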
@@ -302,7 +304,7 @@ func unlockAll() error {
 }
 }
 }
- return err
+ return nil
 }
 
 func main() {
From e0316ade0a07ef1f1c88eb09c08201d797d06ddb Mon Sep 17 00:00:00 2001
From: Ettore Di Giacinto
Date: Wed, 23 Nov 2022 15:16:04 +0100
Subject: [PATCH 6/8] Add earthly.sh
---
 earthly.sh | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100755 earthly.sh
diff --git a/earthly.sh b/earthly.sh
new file mode 100755
index 0000000..12b82a9
--- /dev/null
+++ b/earthly.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+docker run --privileged -v /var/run/docker.sock:/var/run/docker.sock --rm -t -v $(pwd):/workspace -v earthly-tmp:/tmp/earthly:rw earthly/earthly:v0.6.21 --allow-privileged $@
\ No newline at end of file
From 193a7da9eedf93528db66cc387eaa6a57cd63749 Mon Sep 17 00:00:00 2001
From: Ettore Di Giacinto
Date: Wed, 23 Nov 2022 16:05:44 +0100
Subject: [PATCH 7/8] Update main.go
Co-authored-by: Dimitris Karakasilis
---
 main.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/main.go b/main.go
index 1bb9e7a..6c657b6 100644
--- a/main.go
+++ b/main.go
@@ -283,7 +283,7 @@ func unlockAll() error {
 
 partitionInfo, _, err := pi.NewPartitionInfoFromFile(pi.DefaultPartitionInfoFile)
 if err != nil {
- fmt.Printf("Partition file not found '%s' \n", pi.DefaultPartitionInfoFile)
+ fmt.Printf("Warning: Partition file not found '%s' \n", pi.DefaultPartitionInfoFile)
 }
 
 block, err := ghw.Block()
From 4234ae70341957761ae6b87e115664089a170cb7 Mon Sep 17 00:00:00 2001
From: Ettore Di Giacinto
Date: Wed, 23 Nov 2022 15:11:48 +0000
Subject: [PATCH 8/8] Incorporating feedback review
---
 main.go | 30 +++++++++++++++++------------
 1 file changed, 17 insertions(+), 13 deletions(-)
diff --git a/main.go b/main.go
index 6c657b6..ac1f8b8 100644
--- a/main.go
+++ b/main.go
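Review bot: `return nil` makes unlockAll report success to its caller no matter what happened in the loop above, so `kcrypt unlock-all` exits 0 even when every LUKS partition failed to unlock and the oneshot unit generated for it shows as succeeded; the only trace left is the `Unlocking failed` printf. A missing partition file is legitimately non-fatal, but an unlock failure is not: return the accumulated unlock error here (converted with `ErrorOrNil()` if it is a go-multierror value, so an empty list maps to nil), or at least document on the function that it is best-effort by design. The loop and the function signature are outside this hunk.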
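Review bot: `$(pwd)` and `$@` are unquoted in the docker run line of earthly.sh, so a working directory or an argument containing whitespace is split into several words; write `-v "$(pwd)":/workspace` and end the line with `"$@"`. The wrapper also runs the container `--privileged` with the host Docker socket mounted, which is host-root-equivalent; a one-line comment stating that (`# NOTE: --privileged plus the docker socket gives the container full control of the host`) helps the next reader decide where it is safe to run.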
@@ -287,20 +287,24 @@ func unlockAll() error {
 }
 
 block, err := ghw.Block()
- if err == nil {
- for _, disk := range block.Disks {
- for _, p := range disk.Partitions {
- if p.Type == "crypto_LUKS" {
- if partitionInfo != nil {
- p.Label = partitionInfo.LookupLabelForUUID(p.UUID)
- }
- fmt.Printf("Unmounted Luks found at '%s' LABEL '%s' \n", p.Name, p.Label)
- err = multierror.Append(err, unlockDisk(p))
- if err != nil {
- fmt.Printf("Unlocking failed: '%s'\n", err.Error())
- }
- time.Sleep(10 * time.Second)
+ if err != nil {
+ fmt.Printf("Warning: Error reading partitions '%s \n", err.Error())
+
+ return nil
+ }
+
+ for _, disk := range block.Disks {
+ for _, p := range disk.Partitions {
+ if p.Type == "crypto_LUKS" {
+ if partitionInfo != nil {
+ p.Label = partitionInfo.LookupLabelForUUID(p.UUID)
 }
+ fmt.Printf("Unmounted Luks found at '%s' LABEL '%s' \n", p.Name, p.Label)
+ err = multierror.Append(err, unlockDisk(p))
+ if err != nil {
+ fmt.Printf("Unlocking failed: '%s'\n", err.Error())
+ }
+ time.Sleep(10 * time.Second)
 }
 }
 }
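Review bot: The new warning `fmt.Printf("Warning: Error reading partitions '%s \n", err.Error())` is missing the closing quote after `%s`, and like the partition-file case it turns a hard failure into `return nil`, so the unit reports success when no disk could even be enumerated. The bigger problem is on the re-added lines `err = multierror.Append(err, unlockDisk(p))` / `if err != nil`: if this is hashicorp/go-multierror, as the identifier suggests, `Append` returns a `*multierror.Error` even when nothing was appended, and a typed non-nil pointer stored in the `error` interface compares non-nil, so `Unlocking failed` is printed for every partition, with an empty error list when the unlock actually succeeded. Test the per-partition result directly, `if uerr := unlockDisk(p); uerr != nil { fmt.Printf("Unlocking failed: '%s'\n", uerr.Error()) }`, and keep the accumulated value only for the function's return (via `.ErrorOrNil()`). unlockAll's signature and its final return lie outside this hunk.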