mirror of https://github.com/systemd/systemd.git synced 2025-03-19 22:50:17 +03:00

Merge pull request #6747 from keszybz/cryptsetup-netdev

netdev option for crypttab
Lennart Poettering 2017-09-05 19:45:18 +02:00 committed by GitHub
commit 39e29b765f
9 changed files with 147 additions and 62 deletions


@ -69,8 +69,7 @@
<para>Empty lines and lines starting with the <literal>#</literal>
character are ignored. Each of the remaining lines describes one
encrypted block device, fields on the line are delimited by white
space.</para>
encrypted block device. Fields are delimited by white space.</para>
<para>Each line is in the form<programlisting><replaceable>name</replaceable> <replaceable>encrypted-device</replaceable> <replaceable>password</replaceable> <replaceable>options</replaceable></programlisting>
The first two fields are mandatory, the remaining two are
@ -108,14 +107,6 @@
<variablelist class='fstab-options'>
<varlistentry>
<term><option>discard</option></term>
<listitem><para>Allow discard requests to be passed through
the encrypted block device. This improves performance on SSD
storage but has security implications.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>cipher=</option></term>
@ -127,6 +118,14 @@
recommended.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>discard</option></term>
<listitem><para>Allow discard requests to be passed through the encrypted block
device. This improves performance on SSD storage but has security implications.
</para></listitem>
</varlistentry>
<varlistentry>
<term><option>hash=</option></term>
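Review bot: the `discard` entry removed from its position before `cipher=` in the previous hunk is re-added here after `cipher=` with only reflowed line breaks, and the same move happens to `offset=`, `skip=` and `x-systemd.device-timeout=` later in this file. Alphabetising the option list is worthwhile, but it is unrelated to the `_netdev` feature and roughly doubles the size of the doc diff; consider splitting the reordering into its own commit ahead of the functional change so the `_netdev` text can be reviewed on its own.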
@ -148,30 +147,6 @@
option.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>offset=</option></term>
<listitem><para>Start offset in the backend device, in 512-byte sectors.
This option is only relevant for plain devices.
</para></listitem>
</varlistentry>
<varlistentry>
<term><option>skip=</option></term>
<listitem><para>How many 512-byte sectors of the encrypted data to skip
at the beginning. This is different from the <option>--offset</option>
option with respect to the sector numbers used in initialization vector
(IV) calculation. Using <option>--offset</option> will shift the IV
calculation by the same negative amount. Hence, if <option>--offset n</option> is given,
sector n will get a sector number of 0 for the IV calculation.
Using <option>--skip</option> causes sector n to also be the first
sector of the mapped device, but with its number for IV generation being n.</para>
<para>This option is only relevant for plain devices.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>keyfile-offset=</option></term>
@ -216,6 +191,19 @@
<option>size=</option>.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>_netdev</option></term>
<listitem><para>Marks this cryptsetup device as requiring network. It will be
started after the network is available, similarly to
<citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry>
units marked with <option>_netdev</option>. The service unit to set up this device
will be ordered between <filename>remote-cryptsetup-pre.target</filename> and
<filename>remote-cryptsetup.target</filename>, instead of
<filename>cryptsetup-pre.target</filename> and
<filename>cryptsetup.target</filename>.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>noauto</option></term>
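Review bot: the new `_netdev` paragraph promises that the device "will be started after the network is available", but the only ordering it actually describes is After=remote-cryptsetup-pre.target. The parallel text added to systemd.mount(5) in this PR states that network mounts also pull in network-online.target and are ordered after it; nothing equivalent is stated for cryptsetup devices here, and remote-cryptsetup-pre.target as added in this PR is RefuseManualStart=yes with no unit wanting it. Either make the generator add Wants=network-online.target and After=network-online.target to the generated service and document that, or soften this sentence to say the ordering only takes effect when remote-cryptsetup-pre.target is pulled in by something else.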
@ -231,6 +219,13 @@
does not show up.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>offset=</option></term>
<listitem><para>Start offset in the backend device, in 512-byte sectors. This
option is only relevant for plain devices.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>plain</option></term>
@ -244,6 +239,23 @@
mode.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>skip=</option></term>
<listitem><para>How many 512-byte sectors of the encrypted data to skip at the
beginning. This is different from the <option>offset=</option> option with respect
to the sector numbers used in initialization vector (IV) calculation. Using
<option>offset=</option> will shift the IV calculation by the same negative
amount. Hence, if <option>offset=<replaceable>n</replaceable></option> is given,
sector <replaceable>n</replaceable> will get a sector number of 0 for the IV
calculation. Using <option>skip=</option> causes sector
<replaceable>n</replaceable> to also be the first sector of the mapped device, but
with its number for IV generation being <replaceable>n</replaceable>.</para>
<para>This option is only relevant for plain devices.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>size=</option></term>
@ -349,19 +361,6 @@
indefinitely (which is the default).</para></listitem>
</varlistentry>
<varlistentry>
<term><option>x-systemd.device-timeout=</option></term>
<listitem><para>Specifies how long systemd should wait for a
device to show up before giving up on the entry. The argument
is a time in seconds or explicitly specified units of
<literal>s</literal>,
<literal>min</literal>,
<literal>h</literal>,
<literal>ms</literal>.
</para></listitem>
</varlistentry>
<varlistentry>
<term><option>tmp</option></term>
@ -393,6 +392,19 @@
typos.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>x-systemd.device-timeout=</option></term>
<listitem><para>Specifies how long systemd should wait for a device to show up
before giving up on the entry. The argument is a time in seconds or explicitly
specified units of
<literal>s</literal>,
<literal>min</literal>,
<literal>h</literal>,
<literal>ms</literal>.
</para></listitem>
</varlistentry>
</variablelist>
<para>At early boot and when the system manager configuration is


@ -298,6 +298,23 @@
details.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>_netdev</option></term>
<listitem><para>Normally the file system type is used to determine if a
mount is a "network mount", i.e. if it should only be started after the
network is available. Using this option overrides this detection and
specifies that the mount requires network.</para>
<para>Network mount units are ordered between <filename>remote-fs-pre.target</filename>
and <filename>remote-fs.target</filename>, instead of
<filename>local-fs-pre.target</filename> and <filename>local-fs.target</filename>.
They also pull in <filename>network-online.target</filename> and are ordered after
it and <filename>network.target</filename>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>noauto</option></term>
<term><option>auto</option></term>


@ -82,6 +82,8 @@
<filename>poweroff.target</filename>,
<filename>printer.target</filename>,
<filename>reboot.target</filename>,
<filename>remote-cryptsetup-pre.target</filename>,
<filename>remote-cryptsetup.target</filename>,
<filename>remote-fs-pre.target</filename>,
<filename>remote-fs.target</filename>,
<filename>rescue.target</filename>,
@ -477,6 +479,27 @@
this target unit, for compatibility with SysV.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><filename>remote-cryptsetup-pre.target</filename></term>
<listitem>
<para>This target unit is automatically ordered before all cryptsetup devices
marked with the <option>_netdev</option>. It can be used to execute additional
units before such devices are set up.</para>
<para>It is ordered after <filename>network.target</filename> and
<filename>network-online.target</filename>, and also pulls the latter in as a
<varname>Wants=</varname> dependency.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><filename>remote-cryptsetup.target</filename></term>
<listitem>
<para>Similar to <filename>cryptsetup.target</filename>, but for encrypted
devices which are accessed over the network. It is used for
<citerefentry><refentrytitle>crypttab</refentrytitle><manvolnum>8</manvolnum></citerefentry>
entries marked with <option>_netdev</option>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><filename>remote-fs.target</filename></term>
<listitem>
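Review bot: a word is missing in the remote-cryptsetup-pre.target entry: "marked with the <option>_netdev</option>." should read "marked with the <option>_netdev</option> option.", matching the "entries marked with <option>_netdev</option>" phrasing in the remote-cryptsetup.target entry below. It would also help to say whether this target is pulled in automatically: as shipped in this PR it carries RefuseManualStart=yes and nothing Wants= it, so a unit that wants to run "before such devices are set up" needs Wants=remote-cryptsetup-pre.target in addition to Before=remote-cryptsetup-pre.target, and the text should say so.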


@ -62,7 +62,7 @@ static int create_disk(
*filtered = NULL;
_cleanup_fclose_ FILE *f = NULL;
const char *dmname;
bool noauto, nofail, tmp, swap;
bool noauto, nofail, tmp, swap, netdev;
int r;
assert(name);
@ -72,6 +72,7 @@ static int create_disk(
nofail = fstab_test_yes_no_option(options, "nofail\0" "fail\0");
tmp = fstab_test_option(options, "tmp\0");
swap = fstab_test_option(options, "swap\0");
netdev = fstab_test_option(options, "_netdev\0");
if (tmp && swap) {
log_error("Device '%s' cannot be both 'tmp' and 'swap'. Ignoring.", name);
@ -102,20 +103,22 @@ static int create_disk(
if (!f)
return log_error_errno(errno, "Failed to create unit file %s: %m", p);
fputs_unlocked("# Automatically generated by systemd-cryptsetup-generator\n\n"
"[Unit]\n"
"Description=Cryptography Setup for %I\n"
"Documentation=man:crypttab(5) man:systemd-cryptsetup-generator(8) man:systemd-cryptsetup@.service(8)\n"
"SourcePath=/etc/crypttab\n"
"DefaultDependencies=no\n"
"Conflicts=umount.target\n"
"IgnoreOnIsolate=true\n"
"After=cryptsetup-pre.target\n",
f);
fprintf(f,
"# Automatically generated by systemd-cryptsetup-generator\n\n"
"[Unit]\n"
"Description=Cryptography Setup for %%I\n"
"Documentation=man:crypttab(5) man:systemd-cryptsetup-generator(8) man:systemd-cryptsetup@.service(8)\n"
"SourcePath=/etc/crypttab\n"
"DefaultDependencies=no\n"
"Conflicts=umount.target\n"
"IgnoreOnIsolate=true\n"
"After=%s\n",
netdev ? "remote-cryptsetup-pre.target" : "cryptsetup-pre.target");
if (!nofail)
fprintf(f,
"Before=cryptsetup.target\n");
"Before=%s\n",
netdev ? "remote-cryptsetup.target" : "cryptsetup.target");
if (password) {
if (STR_IN_SET(password, "/dev/urandom", "/dev/random", "/dev/hw_random"))
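Review bot: for a netdev device the generated unit now gets After=remote-cryptsetup-pre.target in place of After=cryptsetup-pre.target and nothing else; since remote-cryptsetup-pre.target (added in this PR) is never wanted by any unit, that After= only takes effect if something else happens to pull the target in, so the generated service is not actually held back until the network is up. Consider emitting Wants=network-online.target and After=network-online.target here when netdev is set, as mount units do for _netdev. Separately, the switch from fputs_unlocked to fprintf correctly escapes the Description= specifier as %%I; that is easy to lose in a later edit, so a one-line comment on that line would be worthwhile.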
@ -191,7 +194,8 @@ static int create_disk(
if (r < 0)
return r;
r = generator_add_symlink(arg_dest, "cryptsetup.target",
r = generator_add_symlink(arg_dest,
netdev ? "remote-cryptsetup.target" : "cryptsetup.target",
nofail ? "wants" : "requires", n);
if (r < 0)
return r;
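Review bot: the `netdev ? "remote-cryptsetup.target" : "cryptsetup.target"` choice is now made twice, here and for the Before= line in the previous hunk, and the two can silently drift apart. Compute it once near where netdev is tested, e.g. `const char *target = netdev ? "remote-cryptsetup.target" : "cryptsetup.target";`, and use `target` in both the Before= line and this generator_add_symlink() call.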


@ -6,6 +6,7 @@
# (at your option) any later version.
[Unit]
Description=Encrypted Volumes (Pre)
Description=Local Encrypted Volumes (Pre)
Documentation=man:systemd.special(7)
RefuseManualStart=yes
Before=cryptsetup.target


@ -6,5 +6,5 @@
# (at your option) any later version.
[Unit]
Description=Encrypted Volumes
Description=Local Encrypted Volumes
Documentation=man:systemd.special(7)


@ -48,6 +48,9 @@ units = [
['proc-sys-fs-binfmt_misc.mount', 'ENABLE_BINFMT'],
['reboot.target', '',
'runlevel6.target ctrl-alt-del.target'],
['remote-cryptsetup-pre.target', 'HAVE_LIBCRYPTSETUP'],
['remote-cryptsetup.target', 'HAVE_LIBCRYPTSETUP',
join_paths(pkgsysconfdir, 'system/multi-user.target.wants/')],
['remote-fs-pre.target', ''],
['remote-fs.target', '',
join_paths(pkgsysconfdir, 'system/multi-user.target.wants/')],


@ -0,0 +1,15 @@
# This file is part of systemd.
#
# systemd is free software; you can redistribute it and/or modify it
# under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation; either version 2.1 of the License, or
# (at your option) any later version.
[Unit]
Description=Remote Encrypted Volumes (Pre)
Documentation=man:systemd.special(7)
RefuseManualStart=yes
Before=remote-cryptsetup.target
After=network.target network-online.target
Wants=network-online.target
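Review bot: After=network.target is redundant once After=network-online.target is present, because network-online.target is itself ordered after network.target; harmless, but either drop it or keep it deliberately for readability. Note also that, with RefuseManualStart=yes and no unit in this PR wanting this target, the Wants=network-online.target here only has an effect when some other unit pulls remote-cryptsetup-pre.target in.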


@ -0,0 +1,10 @@
# This file is part of systemd.
#
# systemd is free software; you can redistribute it and/or modify it
# under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation; either version 2.1 of the License, or
# (at your option) any later version.
[Unit]
Description=Remote Encrypted Volumes
Documentation=man:systemd.special(7)