Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

decrypt-root: Rework around a udev rule to fix slow PXE/ISO boots #98

Merged
merged 1 commit into from
Aug 22, 2024

Conversation

chewi
Copy link
Contributor

@chewi chewi commented Aug 21, 2024

decrypt-root: Rework around a udev rule to fix slow boots

PXE and ISO boots were taking over 1m30s because decrypt-root.service was waiting for the ROOT partition to appear just in case it needed to be decrypted.

Making this service conditional on non-PXE/ISO boots was considered, but users may well want an encrypted ROOT when booting using these methods. Adding conditions didn't avoid the delay caused by the Wants directive in any case.

This change makes decrypt-root.service more reactive by having it triggered by a udev rule matching a LUKS-encrypted partition named ROOT. systemd knows to wait for /dev/mapper/rootencrypted to appear before attempting to switch root.

Adding After=ignition-disks.service ensures that the service does not try to decrypt ROOT before Ignition wipes it again due to flatcar.first_boot=1 being given.

The service itself has been simplified. crypttab is just as happy with a block device path, so there is no need to determine the UUID. The udev rule only matches LUKS-encrypted partitions, so there is no need to check the header either. The rest is simple enough to include in the service unit directly, removing the need for a separate shell script. systemd-cryptsetup-generator can read the crypttab from stdin, avoiding the creation of a temporary file. It is also important to call daemon-reload before attempting to start the generated unit.

Closes: flatcar/Flatcar#1514

How to use

Images are present on bincache. A regular ISO or PXE boot with QEMU should only take a few seconds. You can experiment with encryption using these:

variant: flatcar
version: 1.0.0
storage:
  disks:
  - device: /dev/vda
    wipe_table: true
    partitions:
    - label: ROOT
  luks:
    - name: rootencrypted
      wipe_volume: true
      device: "/dev/disk/by-partlabel/ROOT"
  filesystems:
    - device: /dev/mapper/rootencrypted
      format: ext4
      label: ROOT
systemd:
  units:
    - name: cryptenroll-helper.service
      enabled: true
      contents: |
        [Unit]
        ConditionFirstBoot=true
        OnFailure=emergency.target
        OnFailureJobMode=isolate
        [Service]
        Type=oneshot
        RemainAfterExit=yes
        ExecStart=systemd-cryptenroll --tpm2-device=auto --unlock-key-file=/etc/luks/rootencrypted --wipe-slot=0 --tpm2-pcrs= /dev/disk/by-partlabel/ROOT
        ExecStart=rm /etc/luks/rootencrypted
        [Install]
        WantedBy=multi-user.target
qemu-img create -f qcow2 disk.img 6g
./flatcar_production_pxe.sh -i ignition.json -I disk.img -T swtpm -- -append 'flatcar.autologin flatcar.first_boot=1 root=/dev/mapper/rootencrypted'

You can use the regular QCOW2 image by removing the disks section so that it encrypts the existing ROOT partition.

Testing done

A lot of manual testing around the above. The Jenkins packages_all_arches job passed fine.

  • Changelog entries added in the respective changelog/ directory (user-facing change, bug fix, security fix, update) -- I'll add this to flatcar/scripts
  • Inspected CI output for image differences: /boot and /usr size, packages, list files for any missing binaries, kernel modules, config files, kernel modules, etc.

@chewi chewi requested a review from a team August 21, 2024 12:55
@chewi chewi self-assigned this Aug 21, 2024
Copy link
Member

@krnowak krnowak left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Asking only for a commit message update. Otherwise looks good. I assume that Jenkins job you mentioned was http://jenkins.infra.kinvolk.io:8080/job/container/job/packages_all_arches/4534/cldsv/, right?

dracut/31decrypt-root/decrypt-root.service Show resolved Hide resolved
PXE and ISO boots were taking over 1m30s because decrypt-root.service
was waiting for the ROOT partition to appear just in case it needed to
be decrypted.

Making this service conditional on non-PXE/ISO boots was considered, but
users may well want an encrypted ROOT when booting using these methods.
Adding conditions didn't avoid the delay caused by the `Wants` directive
in any case.

This change makes decrypt-root.service more reactive by having it
triggered by a udev rule matching a LUKS-encrypted partition named ROOT.
systemd knows to wait for `/dev/mapper/rootencrypted` to appear before
attempting to switch root, making `Before=dracut-initqueue.service`
(which concerns finding the real root) redundant. There is no guarantee
that the rule will trigger before this service starts anyway.

Removing `WantedBy=ignition-subsequent.target` is necessary because this
directive would start the service unconditionally rather than only when
triggered by the udev rule.

Adding `After=ignition-disks.service` ensures that the service does not
try to decrypt ROOT before Ignition wipes it again due to
`flatcar.first_boot=1` being given.

The service itself has been simplified. crypttab is just as happy with a
block device path, so there is no need to determine the UUID. The udev
rule only matches LUKS-encrypted partitions, so there is no need to
check the header either. The rest is simple enough to include in the
service unit directly, removing the need for a separate shell script.
systemd-cryptsetup-generator can read the crypttab from stdin, avoiding
the creation of a temporary file. It is also important to call
daemon-reload before attempting to start the generated unit.

Closes: flatcar/Flatcar#1514
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
@chewi chewi merged commit d2e2212 into flatcar-master Aug 22, 2024
@chewi chewi deleted the chewi/decrypt-root-udev branch August 22, 2024 10:53
chewi added a commit to flatcar/scripts that referenced this pull request Aug 22, 2024
Bug: flatcar/bootengine#98
Closes: flatcar/Flatcar#1514
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
chewi added a commit to flatcar/scripts that referenced this pull request Aug 22, 2024
Bug: flatcar/bootengine#98
Closes: flatcar/Flatcar#1514
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
chewi added a commit to flatcar/scripts that referenced this pull request Aug 22, 2024
chewi added a commit to flatcar/scripts that referenced this pull request Aug 29, 2024
tormath1 pushed a commit to flatcar/scripts that referenced this pull request Sep 16, 2024
tormath1 added a commit to flatcar/scripts that referenced this pull request Sep 20, 2024
 udev rule

See: flatcar/bootengine#98
See: flatcar/Flatcar#1514
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Boot time for ISO image 3975.2.0 release has increased to ~1m30s
2 participants