Merge pull request #66856 from flokli/systemd-cryptsetup-lvm

systemd: build with cryptsetup support, add cryptsetup generators
This commit is contained in:
Florian Klink 2020-08-06 12:06:54 +02:00 committed by GitHub
commit 8e0b2b9177
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 53 additions and 44 deletions


@ -25,7 +25,7 @@ let
"nss-lookup.target" "nss-lookup.target"
"nss-user-lookup.target" "nss-user-lookup.target"
"time-sync.target" "time-sync.target"
#"cryptsetup.target" "cryptsetup.target"
"sigpwr.target" "sigpwr.target"
"timers.target" "timers.target"
"paths.target" "paths.target"


@ -4,7 +4,10 @@ import ./make-test-python.nix ({ pkgs, ... }: {
machine = { lib, ... }: { machine = { lib, ... }: {
imports = [ common/user-account.nix common/x11.nix ]; imports = [ common/user-account.nix common/x11.nix ];
virtualisation.emptyDiskImages = [ 512 ]; virtualisation.emptyDiskImages = [ 512 512 ];
virtualisation.memorySize = 1024;
environment.systemPackages = [ pkgs.cryptsetup ];
fileSystems = lib.mkVMOverride { fileSystems = lib.mkVMOverride {
"/test-x-initrd-mount" = { "/test-x-initrd-mount" = {
@ -144,5 +147,25 @@ import ./make-test-python.nix ({ pkgs, ... }: {
assert "RuntimeWatchdogUSec=30s" in output assert "RuntimeWatchdogUSec=30s" in output
assert "RebootWatchdogUSec=10m" in output assert "RebootWatchdogUSec=10m" in output
assert "KExecWatchdogUSec=5m" in output assert "KExecWatchdogUSec=5m" in output
# Test systemd cryptsetup support
with subtest("systemd successfully reads /etc/crypttab and unlocks volumes"):
# create a luks volume and put a filesystem on it
machine.succeed(
"echo -n supersecret | cryptsetup luksFormat -q /dev/vdc -",
"echo -n supersecret | cryptsetup luksOpen --key-file - /dev/vdc foo",
"mkfs.ext3 /dev/mapper/foo",
)
# create a keyfile and /etc/crypttab
machine.succeed("echo -n supersecret > /var/lib/luks-keyfile")
machine.succeed("chmod 600 /var/lib/luks-keyfile")
machine.succeed("echo 'luks1 /dev/vdc /var/lib/luks-keyfile luks' > /etc/crypttab")
# after a reboot, systemd should unlock the volume and we should be able to mount it
machine.shutdown()
machine.succeed("systemctl status systemd-cryptsetup@luks1.service")
machine.succeed("mkdir -p /tmp/luks1")
machine.succeed("mount /dev/mapper/luks1 /tmp/luks1")
''; '';
}) })
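Review bot: The `systemctl status systemd-cryptsetup@luks1.service` check runs straight after `machine.shutdown()` with no explicit start or wait, so it relies on `succeed` implicitly booting the VM and on the unit having already finished by the time the shell is reachable; if the mapping is still being set up the status call fails and the test is flaky rather than wrong. An explicit `machine.start()` followed by `machine.wait_for_unit("systemd-cryptsetup@luks1.service")` before the mount would pin that ordering. The subtest also only proves that something named `/dev/mapper/luks1` is mountable, not that it is the LUKS mapping described in `/etc/crypttab`; a follow-up such as `machine.succeed("cryptsetup status luks1 | grep -q LUKS")` would close that gap (exact output format to be confirmed against the cryptsetup version in the VM). The test script this subtest belongs to starts before the hunk.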


@ -1,34 +0,0 @@
{ systemd, cryptsetup }:
systemd.overrideAttrs (p: {
version = p.version;
name = "systemd-cryptsetup-generator-${p.version}";
buildInputs = p.buildInputs ++ [ cryptsetup ];
outputs = [ "out" ];
buildPhase = ''
ninja systemd-cryptsetup systemd-cryptsetup-generator
'';
# As ninja install is not used here, the rpath needs to be manually fixed.
# Otherwise the resulting binary doesn't properly link against systemd-shared.so
postFixup = ''
for prog in `find $out -type f -executable`; do
(patchelf --print-needed $prog | grep 'libsystemd-shared-.*\.so' > /dev/null) && (
patchelf --set-rpath `patchelf --print-rpath $prog`:"$out/lib/systemd" $prog
) || true
done
# test it's OK
"$out"/lib/systemd/systemd-cryptsetup
'';
installPhase = ''
mkdir -p $out/lib/systemd/
cp systemd-cryptsetup $out/lib/systemd/systemd-cryptsetup
cp src/shared/*.so $out/lib/systemd/
mkdir -p $out/lib/systemd/system-generators/
cp systemd-cryptsetup-generator $out/lib/systemd/system-generators/systemd-cryptsetup-generator
'';
})


@ -1,5 +1,5 @@
{ stdenv, lib, fetchFromGitHub, fetchpatch, pkgconfig, intltool, gperf, libcap { stdenv, lib, fetchFromGitHub, pkgconfig, intltool, gperf, libcap
, curl, kmod, gnupg, gnutar, xz, pam, acl, libuuid, m4, utillinux, libffi , curl, kmod, gnupg, gnutar, xz, pam, acl, libuuid, m4, e2fsprogs, utillinux, libffi
, glib, kbd, libxslt, coreutils, libgcrypt, libgpgerror, libidn2, libapparmor , glib, kbd, libxslt, coreutils, libgcrypt, libgpgerror, libidn2, libapparmor
, audit, lz4, bzip2, pcre2 , audit, lz4, bzip2, pcre2
, linuxHeaders ? stdenv.cc.libc.linuxHeaders , linuxHeaders ? stdenv.cc.libc.linuxHeaders
@ -9,6 +9,7 @@
, patchelf , patchelf
, substituteAll , substituteAll
, getent , getent
, cryptsetup, lvm2
, buildPackages , buildPackages
, perl , perl
, withSelinux ? false, libselinux , withSelinux ? false, libselinux
@ -30,6 +31,7 @@ let gnupg-minimal = gnupg.override {
zlib = null; zlib = null;
bzip2 = null; bzip2 = null;
}; };
in stdenv.mkDerivation { in stdenv.mkDerivation {
version = "245.7"; version = "245.7";
pname = "systemd"; pname = "systemd";
@ -89,7 +91,7 @@ in stdenv.mkDerivation {
]; ];
buildInputs = buildInputs =
[ linuxHeaders libcap curl.dev kmod xz pam acl [ linuxHeaders libcap curl.dev kmod xz pam acl
/* cryptsetup */ libuuid glib libgcrypt libgpgerror libidn2 cryptsetup libuuid glib libgcrypt libgpgerror libidn2
pcre2 ] ++ pcre2 ] ++
stdenv.lib.optional withKexectools kexectools ++ stdenv.lib.optional withKexectools kexectools ++
stdenv.lib.optional withLibseccomp libseccomp ++ stdenv.lib.optional withLibseccomp libseccomp ++
@ -176,12 +178,28 @@ in stdenv.mkDerivation {
export LC_ALL="en_US.UTF-8"; export LC_ALL="en_US.UTF-8";
# FIXME: patch this in systemd properly (and send upstream). # FIXME: patch this in systemd properly (and send upstream).
# already fixed in f00929ad622c978f8ad83590a15a765b4beecac9: (u)mount # already fixed in f00929ad622c978f8ad83590a15a765b4beecac9: (u)mount
for i in src/remount-fs/remount-fs.c src/core/mount.c src/core/swap.c src/fsck/fsck.c units/emergency.service.in units/rescue.service.in src/journal/cat.c src/shutdown/shutdown.c src/nspawn/nspawn.c src/shared/generator.c units/systemd-logind.service.in units/systemd-nspawn@.service.in; do for i in \
src/core/mount.c \
src/core/swap.c \
src/cryptsetup/cryptsetup-generator.c \
src/fsck/fsck.c \
src/journal/cat.c \
src/nspawn/nspawn.c \
src/remount-fs/remount-fs.c \
src/shared/generator.c \
src/shutdown/shutdown.c \
units/emergency.service.in \
units/rescue.service.in \
units/systemd-logind.service.in \
units/systemd-nspawn@.service.in; \
do
test -e $i test -e $i
substituteInPlace $i \ substituteInPlace $i \
--replace /usr/bin/getent ${getent}/bin/getent \ --replace /usr/bin/getent ${getent}/bin/getent \
--replace /sbin/mkswap ${lib.getBin utillinux}/sbin/mkswap \
--replace /sbin/swapon ${lib.getBin utillinux}/sbin/swapon \ --replace /sbin/swapon ${lib.getBin utillinux}/sbin/swapon \
--replace /sbin/swapoff ${lib.getBin utillinux}/sbin/swapoff \ --replace /sbin/swapoff ${lib.getBin utillinux}/sbin/swapoff \
--replace /sbin/mke2fs ${lib.getBin e2fsprogs}/sbin/mke2fs \
--replace /sbin/fsck ${lib.getBin utillinux}/sbin/fsck \ --replace /sbin/fsck ${lib.getBin utillinux}/sbin/fsck \
--replace /bin/echo ${coreutils}/bin/echo \ --replace /bin/echo ${coreutils}/bin/echo \
--replace /bin/cat ${coreutils}/bin/cat \ --replace /bin/cat ${coreutils}/bin/cat \
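Review bot: The new `/sbin/mkswap` and `/sbin/mke2fs` substitutions, and the newly listed `src/cryptsetup/cryptsetup-generator.c`, are never checked to actually match: `substituteInPlace --replace` in this nixpkgs era succeeds silently when the pattern is absent, so a systemd release that moves or renames these paths would leave the generated `systemd-cryptsetup@` units calling bare `/sbin/...` binaries that do not exist on NixOS. A cheap guard after the loop, e.g. `! grep -rnE '"/s?bin/(mkswap|mke2fs)' src/cryptsetup/cryptsetup-generator.c`, would turn that into a build failure (the exact string form in the C source should be confirmed first). Separately, `lvm2` is added to the function arguments at the top of the file but does not appear in the visible `buildInputs`; if it is not used in a part of the file outside this view it should be dropped. The shell phase this loop lives in starts before the hunk and continues after it.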


@ -546,6 +546,7 @@ mapAliases ({
surf-webkit2 = surf; # added 2017-04-02 surf-webkit2 = surf; # added 2017-04-02
sup = throw "deprecated in 2019-09-10: abandoned by upstream"; sup = throw "deprecated in 2019-09-10: abandoned by upstream";
system_config_printer = system-config-printer; # added 2016-01-03 system_config_printer = system-config-printer; # added 2016-01-03
systemd-cryptsetup-generator = throw "systemd-cryptsetup-generator is now included in the systemd package"; # added 2020-07-12
systemd_with_lvm2 = throw "obsolete, enabled by default via the lvm module"; # added 2020-07-12 systemd_with_lvm2 = throw "obsolete, enabled by default via the lvm module"; # added 2020-07-12
systool = sysfsutils; # added 2018-04-25 systool = sysfsutils; # added 2018-04-25
tahoelafs = tahoe-lafs; # added 2018-03-26 tahoelafs = tahoe-lafs; # added 2018-03-26


@ -16953,7 +16953,11 @@ in
criu = callPackage ../os-specific/linux/criu { }; criu = callPackage ../os-specific/linux/criu { };
cryptsetup = callPackage ../os-specific/linux/cryptsetup { }; cryptsetup = callPackage ../os-specific/linux/cryptsetup {
# cryptsetup only really needs the devmapper component of cryptsetup
# but itself is used as a library in systemd (=udev)
lvm2 = lvm2.override { udev = null; };
};
cramfsswap = callPackage ../os-specific/linux/cramfsswap { }; cramfsswap = callPackage ../os-specific/linux/cramfsswap { };
@ -18003,9 +18007,6 @@ in
}; };
udev = systemd; # TODO: move to aliases.nix udev = systemd; # TODO: move to aliases.nix
# standalone cryptsetup generator for systemd
systemd-cryptsetup-generator = callPackage ../os-specific/linux/systemd/cryptsetup-generator.nix { };
systemd-wait = callPackage ../os-specific/linux/systemd-wait { }; systemd-wait = callPackage ../os-specific/linux/systemd-wait { };
sysvinit = callPackage ../os-specific/linux/sysvinit { }; sysvinit = callPackage ../os-specific/linux/sysvinit { };
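Review bot: The comment on the new `cryptsetup` override reads "needs the devmapper component of cryptsetup", which is circular; from the override itself it appears to mean the device-mapper part of lvm2, and the reason for `udev = null` (lvm2 normally depends on udev, i.e. systemd, while systemd now links against cryptsetup) is only implied. Suggested wording: `# cryptsetup only needs the device-mapper component of lvm2; a full lvm2 depends on udev (= systemd), and systemd now links against cryptsetup, so use an lvm2 built without udev to break the cycle.` A reader hitting a future dependency cycle here will otherwise have to rediscover this from the build failure.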