decrypt-root: Rework around a udev rule to fix slow PXE/ISO boots #98
Merged
krnowak approved these changes Aug 21, 2024
Asking only for a commit message update. Otherwise looks good. I assume that Jenkins job you mentioned was http://jenkins.infra.kinvolk.io:8080/job/container/job/packages_all_arches/4534/cldsv/, right?
PXE and ISO boots were taking over 1m30s because decrypt-root.service was waiting for the ROOT partition to appear just in case it needed to be decrypted.

Making this service conditional on non-PXE/ISO boots was considered, but users may well want an encrypted ROOT when booting using these methods. Adding conditions didn't avoid the delay caused by the `Wants` directive in any case.

This change makes decrypt-root.service more reactive by having it triggered by a udev rule matching a LUKS-encrypted partition named ROOT. systemd knows to wait for `/dev/mapper/rootencrypted` to appear before attempting to switch root, making `Before=dracut-initqueue.service` (which concerns finding the real root) redundant. There is no guarantee that the rule will trigger before this service starts anyway.

Removing `WantedBy=ignition-subsequent.target` is necessary because this directive would start the service unconditionally rather than only when triggered by the udev rule.

Adding `After=ignition-disks.service` ensures that the service does not try to decrypt ROOT before Ignition wipes it again due to `flatcar.first_boot=1` being given.

The service itself has been simplified. crypttab is just as happy with a block device path, so there is no need to determine the UUID. The udev rule only matches LUKS-encrypted partitions, so there is no need to check the header either. The rest is simple enough to include in the service unit directly, removing the need for a separate shell script. systemd-cryptsetup-generator can read the crypttab from stdin, avoiding the creation of a temporary file. It is also important to call daemon-reload before attempting to start the generated unit.

Closes: flatcar/Flatcar#1514
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
chewi force-pushed the chewi/decrypt-root-udev branch from 3692281 to 12f7ed5 (August 22, 2024 10:53)
chewi added a commit to flatcar/scripts that referenced this pull request Aug 22, 2024
Bug: flatcar/bootengine#98 Closes: flatcar/Flatcar#1514 Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
chewi added a commit to flatcar/scripts that referenced this pull request Aug 22, 2024
Bug: flatcar/bootengine#98 Closes: flatcar/Flatcar#1514 Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
chewi added a commit to flatcar/scripts that referenced this pull request Aug 22, 2024
See: flatcar/bootengine#98 See: flatcar/Flatcar#1514 Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
chewi added a commit to flatcar/scripts that referenced this pull request Aug 29, 2024
See: flatcar/bootengine#98 See: flatcar/Flatcar#1514 Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
tormath1 pushed a commit to flatcar/scripts that referenced this pull request Sep 16, 2024
See: flatcar/bootengine#98 See: flatcar/Flatcar#1514 Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
tormath1 added a commit to flatcar/scripts that referenced this pull request Sep 20, 2024
udev rule See: flatcar/bootengine#98 See: flatcar/Flatcar#1514 Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com> Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
decrypt-root: Rework around a udev rule to fix slow boots

PXE and ISO boots were taking over 1m30s because decrypt-root.service was waiting for the ROOT partition to appear just in case it needed to be decrypted.

Making this service conditional on non-PXE/ISO boots was considered, but users may well want an encrypted ROOT when booting using these methods. Adding conditions didn't avoid the delay caused by the `Wants` directive in any case.

This change makes decrypt-root.service more reactive by having it triggered by a udev rule matching a LUKS-encrypted partition named ROOT. systemd knows to wait for `/dev/mapper/rootencrypted` to appear before attempting to switch root.

Adding `After=ignition-disks.service` ensures that the service does not try to decrypt ROOT before Ignition wipes it again due to `flatcar.first_boot=1` being given.

The service itself has been simplified. crypttab is just as happy with a block device path, so there is no need to determine the UUID. The udev rule only matches LUKS-encrypted partitions, so there is no need to check the header either. The rest is simple enough to include in the service unit directly, removing the need for a separate shell script. systemd-cryptsetup-generator can read the crypttab from stdin, avoiding the creation of a temporary file. It is also important to call daemon-reload before attempting to start the generated unit.

Closes: flatcar/Flatcar#1514
How to use
Images are present on bincache. A regular ISO or PXE boot with QEMU should only take a few seconds. You can experiment with encryption using these:
You can use the regular QCOW2 image by removing the `disks` section so that it encrypts the existing ROOT partition.
Testing done
A lot of manual testing around the above. The Jenkins packages_all_arches job passed fine.
`changelog/` directory (user-facing change, bug fix, security fix, update) -- I'll add this to flatcar/scripts
`/boot` and `/usr` size, packages, list files for any missing binaries, kernel modules, config files, kernel modules, etc.
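The design described in this pull request, a udev rule that pulls in the decryption service only when a LUKS partition named ROOT appears, sketched as an added example (not the rule or unit from this project). The file names, the `by-partlabel` device path, the `luks` crypttab option and the use of `SYSTEMD_CRYPTTAB=/dev/stdin` to feed the generator are assumptions made for illustration.

```ini
# --- hypothetical file: 65-decrypt-root.rules (udev rule, one logical line) ---
# Match only a block device that blkid reports as a LUKS container AND whose
# GPT partition name is ROOT, then ask systemd to pull in the service.
# An unencrypted ROOT (or no ROOT at all, as on PXE/ISO) never matches,
# so nothing waits for a device that will not appear.
ACTION!="remove", SUBSYSTEM=="block", \
  ENV{ID_FS_TYPE}=="crypto_LUKS", ENV{ID_PART_ENTRY_NAME}=="ROOT", \
  TAG+="systemd", ENV{SYSTEMD_WANTS}+="decrypt-root.service"

# --- hypothetical file: decrypt-root.service (initrd unit) ---
[Unit]
Description=Unlock LUKS-encrypted ROOT (illustrative sketch)
DefaultDependencies=no
# On first boot Ignition may wipe and recreate ROOT; unlock only afterwards.
After=ignition-disks.service
# Deliberately absent:
#   Wants=<ROOT device unit>  -> would block until the device timeout
#   Before=dracut-initqueue.service -> redundant, switch-root already waits
#                                      for /dev/mapper/rootencrypted
#   [Install] WantedBy=...    -> would start the unit unconditionally

[Service]
Type=oneshot
RemainAfterExit=yes
# 1. Generate systemd-cryptsetup@rootencrypted.service from a one-line
#    crypttab passed on stdin (assumed mechanism: SYSTEMD_CRYPTTAB).
#    A block device path is used directly; no UUID lookup, no header check.
ExecStart=/bin/sh -c 'echo "rootencrypted /dev/disk/by-partlabel/ROOT none luks" | SYSTEMD_CRYPTTAB=/dev/stdin /usr/lib/systemd/system-generators/systemd-cryptsetup-generator /run/systemd/system /run/systemd/system /run/systemd/system'
# 2. The manager does not know about the generated unit until it reloads.
ExecStart=/usr/bin/systemctl daemon-reload
# 3. Start the generated unit, which creates /dev/mapper/rootencrypted.
ExecStart=/usr/bin/systemctl start systemd-cryptsetup@rootencrypted.service
```

On a booted system, `udevadm info --query=property` against the partition shows whether `ID_FS_TYPE` and `ID_PART_ENTRY_NAME` carry the values the rule expects.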