systemd encryption key support WIP

Modify zfs-mount-generator to produce a dependency on a new
zfs-import-key-*.service, dynamically created to call zfs load-key for
the encryption root before attempting to mount any encrypted datasets.

This dynamically generated unit RequiresMountsFor on the keyfile
location, if present, or calls systemd-ask-password if a passphrase is
requested.

This patch includes suggestions from @Fabian-Gruenbichler, @rlaager, and
@ryanjaeb.

Closes: openzfs#8750

Signed-off-by: Antonio Russo <[email protected]>

cmd/zed/zed.d/history_event-zfs-list-cacher.sh.in

@@ -47,7 +47,7 @@ case "${ZEVENT_HISTORY_INTERNAL_NAME}" in
         # Only act if one of the tracked properties is altered.
         case "${ZEVENT_HISTORY_INTERNAL_STR%%=*}" in
             canmount|mountpoint|atime|relatime|devices|exec| \
-                readonly|setuid|nbmand) ;;
+                readonly|setuid|nbmand|encroot|keylocation) ;;
             *) exit 0 ;;
         esac
       ;;
@@ -62,7 +62,7 @@ zed_lock zfs-list
 trap abort_alter EXIT
 
 PROPS="name,mountpoint,canmount,atime,relatime,devices,exec,readonly"
-PROPS="${PROPS},setuid,nbmand"
+PROPS="${PROPS},setuid,nbmand,encroot,keylocation"
 
 "${ZFS}" list -H -t filesystem -o $PROPS -r "${ZEVENT_POOL}" > "${FSLIST_TMP}"
 

etc/systemd/system-generators/zfs-mount-generator.in

@@ -71,6 +71,8 @@ process_line() {
   p_readonly="${8}"
   p_setuid="${9}"
   p_nbmand="${10}"
+  p_encroot="${11}"
+  p_keyloc="${12}"
 
   # Check for canmount=off .
   if [ "${p_canmount}" = "off" ] ; then
@@ -168,6 +170,46 @@ process_line() {
       "${dataset}" >/dev/kmsg
   fi
 
+  # Minimal pre-requisites to mount a ZFS dataset
+  wants="zfs-import.target"
+  if [ -n "${p_encroot}" ] &&
+      [ "${p_encroot}" != "-" ] ; then
+    keyloadunit="zfs-load-key-$(systemd-escape "${p_encroot}").service"
+    if [ "${p_encroot}" = "${dataset}" ] ; then
+        pathdep=""
+      if [ "${p_keyloc%%://*}" = "file" ] ; then
+        pathdep="RequiresMountsFor=${p_keyloc#file://}"
+        keyloadcmd="@sbindir@/zfs load-key ${dataset}"
+      elif [ "${p_keyloc}" = "prompt" ] ; then
+  keyloadcmd="sh -c 'systemd-ask-password | @sbindir@/zfs load-key ${dataset}'"
+      else
+        printf 'zfs-mount-generator: (%s) invalid keylocation\n' \
+          "${dataset}" >/dev/kmsg
+      fi
+      cat > "${dest_norm}/${keyloadunit}" << EOF
+# Automatically generated by zfs-mount-generator
+
+[Unit]
+Description=Load ZFS key for ${dataset}
+SourcePath=${cachefile}
+Documentation=man:zfs-mount-generator(8)
+DefaultDependencies=no
+Wants=${wants}
+After=${wants}
+${pathdep}
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=${keyloadcmd}
+ExecStop=@sbindir@/zfs unload=key ${dataset}
+EOF
+    fi
+    # Update the dependencies for the mount file to require the
+    # key-loading unit.
+    wants="${wants},${keyloadunit}"
+  fi
+
   # If the mountpoint has already been created, give it precedence.
   if [ -e "${dest_norm}/${mountfile}" ] ; then
     printf 'zfs-mount-generator: %s already exists\n' "${mountfile}" \
@@ -183,8 +225,8 @@ process_line() {
 SourcePath=${cachefile}
 Documentation=man:zfs-mount-generator(8)
 Before=local-fs.target zfs-mount.service
-After=zfs-import.target
-Wants=zfs-import.target
+After=${wants}
+Wants=${wants}
 
 [Mount]
 Where=${p_mountpoint}

man/man8/zfs-mount-generator.8.in

@@ -26,7 +26,7 @@ information on ZFS mountpoints must be stored separately. The output
 of the command
 .PP
 .RS 4
-zfs list -H -o name,mountpoint,canmount,atime,relatime,devices,exec,readonly,setuid,nbmand
+zfs list -H -o name,mountpoint,canmount,atime,relatime,devices,exec,readonly,setuid,nbmand,encroot,keylocation
 .RE
 .PP
 for datasets that should be mounted by systemd, should be kept