Merge pull request #66856 from flokli/systemd-cryptsetup-lvm
systemd: build with cryptsetup support, add cryptsetup generators
commit
8e0b2b9177
|
@ -25,7 +25,7 @@ let
|
||||||
"nss-lookup.target"
|
"nss-lookup.target"
|
||||||
"nss-user-lookup.target"
|
"nss-user-lookup.target"
|
||||||
"time-sync.target"
|
"time-sync.target"
|
||||||
#"cryptsetup.target"
|
"cryptsetup.target"
|
||||||
"sigpwr.target"
|
"sigpwr.target"
|
||||||
"timers.target"
|
"timers.target"
|
||||||
"paths.target"
|
"paths.target"
|
||||||
|
|
|
@ -4,7 +4,10 @@ import ./make-test-python.nix ({ pkgs, ... }: {
|
||||||
machine = { lib, ... }: {
|
machine = { lib, ... }: {
|
||||||
imports = [ common/user-account.nix common/x11.nix ];
|
imports = [ common/user-account.nix common/x11.nix ];
|
||||||
|
|
||||||
virtualisation.emptyDiskImages = [ 512 ];
|
virtualisation.emptyDiskImages = [ 512 512 ];
|
||||||
|
virtualisation.memorySize = 1024;
|
||||||
|
|
||||||
|
environment.systemPackages = [ pkgs.cryptsetup ];
|
||||||
|
|
||||||
fileSystems = lib.mkVMOverride {
|
fileSystems = lib.mkVMOverride {
|
||||||
"/test-x-initrd-mount" = {
|
"/test-x-initrd-mount" = {
|
||||||
|
@ -144,5 +147,25 @@ import ./make-test-python.nix ({ pkgs, ... }: {
|
||||||
assert "RuntimeWatchdogUSec=30s" in output
|
assert "RuntimeWatchdogUSec=30s" in output
|
||||||
assert "RebootWatchdogUSec=10m" in output
|
assert "RebootWatchdogUSec=10m" in output
|
||||||
assert "KExecWatchdogUSec=5m" in output
|
assert "KExecWatchdogUSec=5m" in output
|
||||||
|
|
||||||
|
# Test systemd cryptsetup support
|
||||||
|
with subtest("systemd successfully reads /etc/crypttab and unlocks volumes"):
|
||||||
|
# create a luks volume and put a filesystem on it
|
||||||
|
machine.succeed(
|
||||||
|
"echo -n supersecret | cryptsetup luksFormat -q /dev/vdc -",
|
||||||
|
"echo -n supersecret | cryptsetup luksOpen --key-file - /dev/vdc foo",
|
||||||
|
"mkfs.ext3 /dev/mapper/foo",
|
||||||
|
)
|
||||||
|
|
||||||
|
# create a keyfile and /etc/crypttab
|
||||||
|
machine.succeed("echo -n supersecret > /var/lib/luks-keyfile")
|
||||||
|
machine.succeed("chmod 600 /var/lib/luks-keyfile")
|
||||||
|
machine.succeed("echo 'luks1 /dev/vdc /var/lib/luks-keyfile luks' > /etc/crypttab")
|
||||||
|
|
||||||
|
# after a reboot, systemd should unlock the volume and we should be able to mount it
|
||||||
|
machine.shutdown()
|
||||||
|
machine.succeed("systemctl status systemd-cryptsetup@luks1.service")
|
||||||
|
machine.succeed("mkdir -p /tmp/luks1")
|
||||||
|
machine.succeed("mount /dev/mapper/luks1 /tmp/luks1")
|
||||||
'';
|
'';
|
||||||
})
|
})
|
||||||
|
|
|
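Review bot: The keyfile is written by `echo -n supersecret > /var/lib/luks-keyfile` under the shell's default umask and only restricted afterwards by the separate `chmod 600`, so there is a short window in which the file is readable by other users; creating it with the mode already restricted closes that, e.g. `machine.succeed("(umask 077; echo -n supersecret > /var/lib/luks-keyfile)")` in place of the two calls. The reboot step relies on `machine.succeed` implicitly booting the VM again after `machine.shutdown()`; an explicit `machine.start()` between them would make that intent visible to readers of the test. The subtest also only checks the `systemd-cryptsetup@luks1.service` unit, not the `cryptsetup.target` that the module change enables; `machine.wait_for_unit("cryptsetup.target")` before the mount would pin that as well. The enclosing `testScript` string starts outside the hunk.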
@ -1,34 +0,0 @@
|
||||||
{ systemd, cryptsetup }:
|
|
||||||
|
|
||||||
systemd.overrideAttrs (p: {
|
|
||||||
version = p.version;
|
|
||||||
name = "systemd-cryptsetup-generator-${p.version}";
|
|
||||||
|
|
||||||
buildInputs = p.buildInputs ++ [ cryptsetup ];
|
|
||||||
outputs = [ "out" ];
|
|
||||||
|
|
||||||
buildPhase = ''
|
|
||||||
ninja systemd-cryptsetup systemd-cryptsetup-generator
|
|
||||||
'';
|
|
||||||
|
|
||||||
# As ninja install is not used here, the rpath needs to be manually fixed.
|
|
||||||
# Otherwise the resulting binary doesn't properly link against systemd-shared.so
|
|
||||||
postFixup = ''
|
|
||||||
for prog in `find $out -type f -executable`; do
|
|
||||||
(patchelf --print-needed $prog | grep 'libsystemd-shared-.*\.so' > /dev/null) && (
|
|
||||||
patchelf --set-rpath `patchelf --print-rpath $prog`:"$out/lib/systemd" $prog
|
|
||||||
) || true
|
|
||||||
done
|
|
||||||
# test it's OK
|
|
||||||
"$out"/lib/systemd/systemd-cryptsetup
|
|
||||||
'';
|
|
||||||
|
|
||||||
installPhase = ''
|
|
||||||
mkdir -p $out/lib/systemd/
|
|
||||||
cp systemd-cryptsetup $out/lib/systemd/systemd-cryptsetup
|
|
||||||
cp src/shared/*.so $out/lib/systemd/
|
|
||||||
|
|
||||||
mkdir -p $out/lib/systemd/system-generators/
|
|
||||||
cp systemd-cryptsetup-generator $out/lib/systemd/system-generators/systemd-cryptsetup-generator
|
|
||||||
'';
|
|
||||||
})
|
|
|
@ -1,5 +1,5 @@
|
||||||
{ stdenv, lib, fetchFromGitHub, fetchpatch, pkgconfig, intltool, gperf, libcap
|
{ stdenv, lib, fetchFromGitHub, pkgconfig, intltool, gperf, libcap
|
||||||
, curl, kmod, gnupg, gnutar, xz, pam, acl, libuuid, m4, utillinux, libffi
|
, curl, kmod, gnupg, gnutar, xz, pam, acl, libuuid, m4, e2fsprogs, utillinux, libffi
|
||||||
, glib, kbd, libxslt, coreutils, libgcrypt, libgpgerror, libidn2, libapparmor
|
, glib, kbd, libxslt, coreutils, libgcrypt, libgpgerror, libidn2, libapparmor
|
||||||
, audit, lz4, bzip2, pcre2
|
, audit, lz4, bzip2, pcre2
|
||||||
, linuxHeaders ? stdenv.cc.libc.linuxHeaders
|
, linuxHeaders ? stdenv.cc.libc.linuxHeaders
|
||||||
|
@ -9,6 +9,7 @@
|
||||||
, patchelf
|
, patchelf
|
||||||
, substituteAll
|
, substituteAll
|
||||||
, getent
|
, getent
|
||||||
|
, cryptsetup, lvm2
|
||||||
, buildPackages
|
, buildPackages
|
||||||
, perl
|
, perl
|
||||||
, withSelinux ? false, libselinux
|
, withSelinux ? false, libselinux
|
||||||
|
@ -30,6 +31,7 @@ let gnupg-minimal = gnupg.override {
|
||||||
zlib = null;
|
zlib = null;
|
||||||
bzip2 = null;
|
bzip2 = null;
|
||||||
};
|
};
|
||||||
|
|
||||||
in stdenv.mkDerivation {
|
in stdenv.mkDerivation {
|
||||||
version = "245.7";
|
version = "245.7";
|
||||||
pname = "systemd";
|
pname = "systemd";
|
||||||
|
@ -89,7 +91,7 @@ in stdenv.mkDerivation {
|
||||||
];
|
];
|
||||||
buildInputs =
|
buildInputs =
|
||||||
[ linuxHeaders libcap curl.dev kmod xz pam acl
|
[ linuxHeaders libcap curl.dev kmod xz pam acl
|
||||||
/* cryptsetup */ libuuid glib libgcrypt libgpgerror libidn2
|
cryptsetup libuuid glib libgcrypt libgpgerror libidn2
|
||||||
pcre2 ] ++
|
pcre2 ] ++
|
||||||
stdenv.lib.optional withKexectools kexectools ++
|
stdenv.lib.optional withKexectools kexectools ++
|
||||||
stdenv.lib.optional withLibseccomp libseccomp ++
|
stdenv.lib.optional withLibseccomp libseccomp ++
|
||||||
|
@ -176,12 +178,28 @@ in stdenv.mkDerivation {
|
||||||
export LC_ALL="en_US.UTF-8";
|
export LC_ALL="en_US.UTF-8";
|
||||||
# FIXME: patch this in systemd properly (and send upstream).
|
# FIXME: patch this in systemd properly (and send upstream).
|
||||||
# already fixed in f00929ad622c978f8ad83590a15a765b4beecac9: (u)mount
|
# already fixed in f00929ad622c978f8ad83590a15a765b4beecac9: (u)mount
|
||||||
for i in src/remount-fs/remount-fs.c src/core/mount.c src/core/swap.c src/fsck/fsck.c units/emergency.service.in units/rescue.service.in src/journal/cat.c src/shutdown/shutdown.c src/nspawn/nspawn.c src/shared/generator.c units/systemd-logind.service.in units/systemd-nspawn@.service.in; do
|
for i in \
|
||||||
|
src/core/mount.c \
|
||||||
|
src/core/swap.c \
|
||||||
|
src/cryptsetup/cryptsetup-generator.c \
|
||||||
|
src/fsck/fsck.c \
|
||||||
|
src/journal/cat.c \
|
||||||
|
src/nspawn/nspawn.c \
|
||||||
|
src/remount-fs/remount-fs.c \
|
||||||
|
src/shared/generator.c \
|
||||||
|
src/shutdown/shutdown.c \
|
||||||
|
units/emergency.service.in \
|
||||||
|
units/rescue.service.in \
|
||||||
|
units/systemd-logind.service.in \
|
||||||
|
units/systemd-nspawn@.service.in; \
|
||||||
|
do
|
||||||
test -e $i
|
test -e $i
|
||||||
substituteInPlace $i \
|
substituteInPlace $i \
|
||||||
--replace /usr/bin/getent ${getent}/bin/getent \
|
--replace /usr/bin/getent ${getent}/bin/getent \
|
||||||
|
--replace /sbin/mkswap ${lib.getBin utillinux}/sbin/mkswap \
|
||||||
--replace /sbin/swapon ${lib.getBin utillinux}/sbin/swapon \
|
--replace /sbin/swapon ${lib.getBin utillinux}/sbin/swapon \
|
||||||
--replace /sbin/swapoff ${lib.getBin utillinux}/sbin/swapoff \
|
--replace /sbin/swapoff ${lib.getBin utillinux}/sbin/swapoff \
|
||||||
|
--replace /sbin/mke2fs ${lib.getBin e2fsprogs}/sbin/mke2fs \
|
||||||
--replace /sbin/fsck ${lib.getBin utillinux}/sbin/fsck \
|
--replace /sbin/fsck ${lib.getBin utillinux}/sbin/fsck \
|
||||||
--replace /bin/echo ${coreutils}/bin/echo \
|
--replace /bin/echo ${coreutils}/bin/echo \
|
||||||
--replace /bin/cat ${coreutils}/bin/cat \
|
--replace /bin/cat ${coreutils}/bin/cat \
|
||||||
|
|
|
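Review bot: `cryptsetup` is added to `buildInputs` unconditionally on the `cryptsetup libuuid glib libgcrypt libgpgerror libidn2` line, while every other optional feature in this file is gated by a flag (`withSelinux`, `withKexectools`, `withLibseccomp`); since `udev = systemd` in all-packages.nix, this pulls cryptsetup and its lvm2 dependency into the closure of every udev consumer, so a `, withCryptsetup ? true` argument with `stdenv.lib.optional withCryptsetup cryptsetup` would keep the file's style and leave minimal builds an opt-out. `lvm2` is added to the function arguments (`, cryptsetup, lvm2`) but is not used in any visible hunk; if it is consumed further down the file that is fine, otherwise it is an unused argument. The new `/sbin/mkswap` and `/sbin/mke2fs` replacements presumably exist for `src/cryptsetup/cryptsetup-generator.c`, which is newly added to the `for i in \` list; a one-line comment above the list saying why that file is included would help whoever next prunes it. The loop sits inside a shell phase string that starts and ends outside the hunk.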
@ -546,6 +546,7 @@ mapAliases ({
|
||||||
surf-webkit2 = surf; # added 2017-04-02
|
surf-webkit2 = surf; # added 2017-04-02
|
||||||
sup = throw "deprecated in 2019-09-10: abandoned by upstream";
|
sup = throw "deprecated in 2019-09-10: abandoned by upstream";
|
||||||
system_config_printer = system-config-printer; # added 2016-01-03
|
system_config_printer = system-config-printer; # added 2016-01-03
|
||||||
|
systemd-cryptsetup-generator = throw "systemd-cryptsetup-generator is now included in the systemd package"; # added 2020-07-12
|
||||||
systemd_with_lvm2 = throw "obsolete, enabled by default via the lvm module"; # added 2020-07-12
|
systemd_with_lvm2 = throw "obsolete, enabled by default via the lvm module"; # added 2020-07-12
|
||||||
systool = sysfsutils; # added 2018-04-25
|
systool = sysfsutils; # added 2018-04-25
|
||||||
tahoelafs = tahoe-lafs; # added 2018-03-26
|
tahoelafs = tahoe-lafs; # added 2018-03-26
|
||||||
|
|
|
@ -16953,7 +16953,11 @@ in
|
||||||
|
|
||||||
criu = callPackage ../os-specific/linux/criu { };
|
criu = callPackage ../os-specific/linux/criu { };
|
||||||
|
|
||||||
cryptsetup = callPackage ../os-specific/linux/cryptsetup { };
|
cryptsetup = callPackage ../os-specific/linux/cryptsetup {
|
||||||
|
# cryptsetup only really needs the devmapper component of cryptsetup
|
||||||
|
# but itself is used as a library in systemd (=udev)
|
||||||
|
lvm2 = lvm2.override { udev = null; };
|
||||||
|
};
|
||||||
|
|
||||||
cramfsswap = callPackage ../os-specific/linux/cramfsswap { };
|
cramfsswap = callPackage ../os-specific/linux/cramfsswap { };
|
||||||
|
|
||||||
|
@ -18003,9 +18007,6 @@ in
|
||||||
};
|
};
|
||||||
udev = systemd; # TODO: move to aliases.nix
|
udev = systemd; # TODO: move to aliases.nix
|
||||||
|
|
||||||
# standalone cryptsetup generator for systemd
|
|
||||||
systemd-cryptsetup-generator = callPackage ../os-specific/linux/systemd/cryptsetup-generator.nix { };
|
|
||||||
|
|
||||||
systemd-wait = callPackage ../os-specific/linux/systemd-wait { };
|
systemd-wait = callPackage ../os-specific/linux/systemd-wait { };
|
||||||
|
|
||||||
sysvinit = callPackage ../os-specific/linux/sysvinit { };
|
sysvinit = callPackage ../os-specific/linux/sysvinit { };
|
||||||
|
|
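Review bot: The comment on the new `cryptsetup` override reads "the devmapper component of cryptsetup", but the override is on `lvm2`, so the sentence is self-referential and misleading; `# cryptsetup only needs the devmapper component of lvm2,` / `# but is itself used as a library by systemd (= udev, see below)` states it correctly. It is also worth naming the dependency cycle the `udev = null` override breaks (systemd → cryptsetup → lvm2 → udev, with `udev = systemd` a few hundred lines later in this file), since without that the override looks removable. The removal of the standalone `systemd-cryptsetup-generator` attribute is matched by the `throw` alias added in aliases.nix.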