-
Notifications
You must be signed in to change notification settings - Fork 1.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
systemd integration for encryption support #8848
Conversation
pathdep="RequiresMountsFor=${p_keyloc#file://}" | ||
keyloadcmd="@sbindir@/zfs load-key ${dataset}" | ||
elif [ "${p_keyloc}" = "prompt" ] ; then | ||
keyloadcmd="sh -c 'systemd-ask-password | @sbindir@/zfs load-key ${dataset}'" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is there a white space issue here? (I’m on mobile, so it may just be displaying weird.)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What happens if the passphrase is entered wrong? Does this need to be an sh loop of, say, up to 3 times?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I dropped the indentation back to let this fit on a single line, within the style guideline's length limitation. I'll change it to anything that's legible, though.
As for the passphrase issue, I think that should be considered a bug/feature request for systemd, where they can solve this issue for everyone, once and for all, instead of having everyone think about doing this, and maintaining it, themselves.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
systemd has no way of knowing if the passphrase entered was correct. I suppose the protocol could be changed from outputting the password to exec()ing something (in our case zfs load-key
) and checking its exit status. But for now, we need to work with what exists.
The sh code isn't particularly complicated, but it's probably too much for a one-liner in the unit. Here's a commit (on a systemd-integration branch on rlaager/zfs) which adds a systemd-load-key script and uses it: rlaager@a894797
I tested the script standalone. I tested that it gets installed to the right directory.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I looked into automatically restarting the unit up to three times on failure, but doing this for oneshot
services is not allowed, for some reason. A PR to get that changed stalled years ago, so I think we'll need to implement this functionality ourselves.
I adapted your script, and did include it as a one-liner in the service file, in the interest of making downstream maintainer's lives easier (i.e., to avoid needing to ensure another path is available at some point in the boot process).
I also added an error code return after three failed attempts.
0012450
to
5993bac
Compare
I'm not familiar with how I ask because I'll have datasets that I don't want unlocked on boot. |
Yes.
I believe all the units from the generator are enabled. (I'm not sure that it is even possible for a systemd generator to generate disabled units.)
If they aren't going to be unlocked on boot, then they cannot be mounted. I believe the consensus from #8750 was that you should mark those datasets as |
That's perfect for anything I can think of. Anything I don't want mounted on boot is going to end up underneath a single dataset, so I can set |
Reusing the mount generator seems like a good idea :) I am not convinced it can replace zfs-mount.service altogether (there are people that don't want to run ZED, there might be cases where the cache file is outdated for whatever reason, ...) so IMHO we still need some way to get prompting into I think I'd prefer a template unit for loading keys (parametrized by dataset/encroot). The Whether we ship a helper script that is used in the units that wraps systemd-ask-password and zfs-load-key together, or whether we add (./configure-able) systemd-ask-password support into zfs-load-key directly seems like not much of a difference, but the latter is more clean and enables proper prompting across the board (including easily skipping prompting in case the key has already been loaded some other way).. So I'd propose the following:
The generator would then just zfs-mount.service could then simply get a Final, semi-unrelated question: what about zvols? They might be referenced in non-ZFS .mount units, and would thus also benefit from a |
@Fabian-Gruenbichler I also would prefer compiling support for As for the compressed zvols, I think it makes sense to also have Another thing that's come up, if we're going to enable |
On Tue, Jun 04, 2019 at 08:58:45AM -0700, Antonio Russo wrote:
@Fabian-Gruenbichler I also would prefer compiling support for `systemd-ask-password` into `zfs load-key`, and I think it would probably make sense to push the same support into `zfs mount -l` in the same way. Then we directly solve the `zfs-mount.service` issue by just adding the `-l --systemd` options.
sounds good to me. the ask-passwork API is not exposed by systemd except
via systemd-ask-password unfortunately..
As for the compressed zvols, I think it makes sense to also have `zfs-mount-generator` produce the appropriate encryption root units as well, but let the user `systemctl enable` the templates if they're not explicitly required by another `canmount=auto` dataset.
the zvol support is only needed if you have another .mount unit for the
FS that is on top of the zvol, and only if that .mount unit is supposed
to get started on boot. I think involving the mount generator is
probably not needed, if I only need to do
```systemctl enable [email protected]``` and
optionally, add dependencies to this instance (for the keyfile) and to
the ```.mount``` unit (for ordering/dependency tracking).
Another thing that's come up, if we're going to enable `zfs-mount-generator` by default, is how do we manage automatically adding the `zfs-list.d` pool files? We already clear them on pool export, but what if we shut down a machine, with the pool imported, and then remove the pool hardware? This is something I'll often do, perhaps out of laziness. It will lead to lots of failed mount units in systemd, and could be a pain point for users.
Document that if you plan on doing that, you should either
- export the pool manually before shutting down (IIRC, dracut does an
export in the final stage of the shutdown?)
- set canmount appropriately for the to-be-removed pool to prune the
cachefile automatically via ZED
- edit the cache files manually to remove the problematic entries
we could also introduce an additional mechanism to ignore certain
pools/datasets/..., either via another (set of?) file(s), or via the
kernel command line (which is both available in systemd units via
"ConditionKernelCommandLine" directives, and in the generator via
"/proc/cmdline").
most of the above can also be done manually by the admin inside the
initrd or bootloader, in case the first hands-off boot attempt fails
because things fall apart too much.
|
If we move down this path, we need to decide how to modify the behavior of We shouldn't be hard-coding for a particular method of getting keys, so we probably want to send |
that would probably mean doing something like which then calls a helper script (in our case, wrapping systemd-ask-password) with
dataset/fsname, that would also allow opening up other storages (such as vault, pass, ...) to be easily used? OTOH, just writing the single |
d4e2e61
to
b690709
Compare
@aerusso @Fabian-Gruenbichler @rlaager and @ryanjaeb, how would you like to move forward with this? The proposed solution seems reasonable to me, but I'm unclear if there was a consensus reached. If you're happy with this approach can we get the PR rebased and the conflict resolved. |
I re-reviewed this and marked my review concerns as resolved. In re-reading the history here, it sounds like the remaining concerns relate to a combination of:
@aerusso What do you think of adding |
@behlendorf I have no preference. The originally proposed solution looks like it would work find for me, but my usage is pretty simple since I'm only unlocking volumes with a passphrase that's stored in a file. I don't know enough about everything involved to offer a well informed opinion on any of the interactive stuff. |
@rlaager I basically agree with everything here. I haven't had a chance to dig into |
b690709
to
0dc02e5
Compare
@rlaager summarized it quite nicely, and IMHO everything besides the decision on whether to use template unit instances or proper units can be done in a follow-up PR. I can volunteer for the zfs-load-key part starting at the end of next week. |
Codecov Report
@@ Coverage Diff @@
## master #8848 +/- ##
==========================================
+ Coverage 78.62% 78.62% +<.01%
==========================================
Files 401 401
Lines 120158 120158
==========================================
+ Hits 94476 94480 +4
+ Misses 25682 25678 -4
Continue to review full report at Codecov.
|
Thanks for the status feedback. Then I'll get this change integrated and we'll address the remaining work in a followup PR. |
It seems to me that the generator could be changed later to use the template units instead of writing out units. |
I changed my review from "Requested changes" to "Approved" to stop blocking this. I haven't actually run this, but the code looks reasonable to me. |
@aerusso can you confirm that you've tested this locally. |
Modify zfs-mount-generator to produce a dependency on new zfs-import-key-*.service units, dynamically created at boot to call zfs load-key for the encryption root, before attempting to mount any encrypted datasets. These units are created by zfs-mount-generator, and RequiresMountsFor on the keyfile, if present, or call systemd-ask-password if a passphrase is requested. This patch includes suggestions from @Fabian-Gruenbichler, @ryanjaeb and @rlaager, as well an adaptation of @rlaager's script to retry on incorrect password entry. Closes: openzfs#8750 Signed-off-by: Antonio Russo <[email protected]>
Signed-off-by: Antonio Russo <[email protected]>
0dc02e5
to
dfce298
Compare
@behlendorf I tested this more thoroughly a few weeks ago. I just compiled it again, and a cursory test has it working. I also rebased onto master and squashed down to just two commits. The second commit enables the zed script, but users will still need to Regarding templates:
Getting proper mount dependence information into the templates is tricky (read: I don't see how that is possible). I don't think that should block this PR, and we can add that simplification later if it can be done. |
The suggestion was that the generator write out drop-in files to add the dependencies to the units that need them:
|
@rlaager Yes, that's correct. I suppose what I mean is, I don't see how to do this without using a drop-in, and I'm not sure what value there is to using a template and a generated drop-in, compared to just a single generated unit. For instance, there are twice as many files used in the drop-in case. Does that affect performance? I think we'd need to do a benchmark if we wanted to target that performance enhancement. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for verifying this locally. Then I'm going to go ahead and integrate this and we'll followup as appropriate with additional PRs.
Reviewed-by: Richard Laager <[email protected]> Reviewed-by: Fabian Grünbichler <[email protected]> Reviewed-by: Brian Behlendorf <[email protected]> Signed-off-by: Antonio Russo <[email protected]> Closes openzfs#8750 Closes openzfs#8848
Modify zfs-mount-generator to produce a dependency on new zfs-import-key-*.service units, dynamically created at boot to call zfs load-key for the encryption root, before attempting to mount any encrypted datasets. These units are created by zfs-mount-generator, and RequiresMountsFor on the keyfile, if present, or call systemd-ask-password if a passphrase is requested. This patch includes suggestions from @Fabian-Gruenbichler, @ryanjaeb and @rlaager, as well an adaptation of @rlaager's script to retry on incorrect password entry. Reviewed-by: Richard Laager <[email protected]> Reviewed-by: Fabian Grünbichler <[email protected]> Reviewed-by: Brian Behlendorf <[email protected]> Signed-off-by: Antonio Russo <[email protected]> Closes openzfs#8750 Closes openzfs#8848
Reviewed-by: Richard Laager <[email protected]> Reviewed-by: Fabian Grünbichler <[email protected]> Reviewed-by: Brian Behlendorf <[email protected]> Signed-off-by: Antonio Russo <[email protected]> Closes openzfs#8750 Closes openzfs#8848
Modify zfs-mount-generator to produce a dependency on new zfs-import-key-*.service units, dynamically created at boot to call zfs load-key for the encryption root, before attempting to mount any encrypted datasets. These units are created by zfs-mount-generator, and RequiresMountsFor on the keyfile, if present, or call systemd-ask-password if a passphrase is requested. This patch includes suggestions from @Fabian-Gruenbichler, @ryanjaeb and @rlaager, as well an adaptation of @rlaager's script to retry on incorrect password entry. Reviewed-by: Richard Laager <[email protected]> Reviewed-by: Fabian Grünbichler <[email protected]> Reviewed-by: Brian Behlendorf <[email protected]> Signed-off-by: Antonio Russo <[email protected]> Closes openzfs#8750 Closes openzfs#8848
Reviewed-by: Richard Laager <[email protected]> Reviewed-by: Fabian Grünbichler <[email protected]> Reviewed-by: Brian Behlendorf <[email protected]> Signed-off-by: Antonio Russo <[email protected]> Closes openzfs#8750 Closes openzfs#8848
Modify zfs-mount-generator to produce a dependency on new zfs-import-key-*.service units, dynamically created at boot to call zfs load-key for the encryption root, before attempting to mount any encrypted datasets. These units are created by zfs-mount-generator, and RequiresMountsFor on the keyfile, if present, or call systemd-ask-password if a passphrase is requested. This patch includes suggestions from @Fabian-Gruenbichler, @ryanjaeb and @rlaager, as well an adaptation of @rlaager's script to retry on incorrect password entry. Reviewed-by: Richard Laager <[email protected]> Reviewed-by: Fabian Grünbichler <[email protected]> Reviewed-by: Brian Behlendorf <[email protected]> Signed-off-by: Antonio Russo <[email protected]> Closes openzfs#8750 Closes openzfs#8848
Modify zfs-mount-generator to produce a dependency on new zfs-import-key-*.service units, dynamically created at boot to call zfs load-key for the encryption root, before attempting to mount any encrypted datasets. These units are created by zfs-mount-generator, and RequiresMountsFor on the keyfile, if present, or call systemd-ask-password if a passphrase is requested. This patch includes suggestions from @Fabian-Gruenbichler, @ryanjaeb and @rlaager, as well an adaptation of @rlaager's script to retry on incorrect password entry. Reviewed-by: Richard Laager <[email protected]> Reviewed-by: Fabian Grünbichler <[email protected]> Reviewed-by: Brian Behlendorf <[email protected]> Signed-off-by: Antonio Russo <[email protected]> Closes openzfs#8750 Closes openzfs#8848
Modify zfs-mount-generator to produce a dependency on new zfs-import-key-*.service units, dynamically created at boot to call zfs load-key for the encryption root, before attempting to mount any encrypted datasets. These units are created by zfs-mount-generator, and RequiresMountsFor on the keyfile, if present, or call systemd-ask-password if a passphrase is requested. This patch includes suggestions from @Fabian-Gruenbichler, @ryanjaeb and @rlaager, as well an adaptation of @rlaager's script to retry on incorrect password entry. Reviewed-by: Richard Laager <[email protected]> Reviewed-by: Fabian Grünbichler <[email protected]> Reviewed-by: Brian Behlendorf <[email protected]> Signed-off-by: Antonio Russo <[email protected]> Closes openzfs#8750 Closes openzfs#8848
Modify zfs-mount-generator to produce a dependency on new zfs-import-key-*.service units, dynamically created at boot to call zfs load-key for the encryption root, before attempting to mount any encrypted datasets. These units are created by zfs-mount-generator, and RequiresMountsFor on the keyfile, if present, or call systemd-ask-password if a passphrase is requested. This patch includes suggestions from @Fabian-Gruenbichler, @ryanjaeb and @rlaager, as well an adaptation of @rlaager's script to retry on incorrect password entry. Reviewed-by: Richard Laager <[email protected]> Reviewed-by: Fabian Grünbichler <[email protected]> Reviewed-by: Brian Behlendorf <[email protected]> Signed-off-by: Antonio Russo <[email protected]> Closes openzfs#8750 Closes openzfs#8848
Modify zfs-mount-generator to produce a dependency on new zfs-import-key-*.service units, dynamically created at boot to call zfs load-key for the encryption root, before attempting to mount any encrypted datasets. These units are created by zfs-mount-generator, and RequiresMountsFor on the keyfile, if present, or call systemd-ask-password if a passphrase is requested. This patch includes suggestions from @Fabian-Gruenbichler, @ryanjaeb and @rlaager, as well an adaptation of @rlaager's script to retry on incorrect password entry. Reviewed-by: Richard Laager <[email protected]> Reviewed-by: Fabian Grünbichler <[email protected]> Reviewed-by: Brian Behlendorf <[email protected]> Signed-off-by: Antonio Russo <[email protected]> Closes openzfs#8750 Closes openzfs#8848
Modify zfs-mount-generator to produce a dependency on new zfs-import-key-*.service units, dynamically created at boot to call zfs load-key for the encryption root, before attempting to mount any encrypted datasets. These units are created by zfs-mount-generator, and RequiresMountsFor on the keyfile, if present, or call systemd-ask-password if a passphrase is requested. This patch includes suggestions from @Fabian-Gruenbichler, @ryanjaeb and @rlaager, as well an adaptation of @rlaager's script to retry on incorrect password entry. Reviewed-by: Richard Laager <[email protected]> Reviewed-by: Fabian Grünbichler <[email protected]> Reviewed-by: Brian Behlendorf <[email protected]> Signed-off-by: Antonio Russo <[email protected]> Closes openzfs#8750 Closes openzfs#8848
Modify zfs-mount-generator to produce a dependency on new zfs-import-key-*.service units, dynamically created at boot to call zfs load-key for the encryption root, before attempting to mount any encrypted datasets. These units are created by zfs-mount-generator, and RequiresMountsFor on the keyfile, if present, or call systemd-ask-password if a passphrase is requested. This patch includes suggestions from @Fabian-Gruenbichler, @ryanjaeb and @rlaager, as well an adaptation of @rlaager's script to retry on incorrect password entry. Reviewed-by: Richard Laager <[email protected]> Reviewed-by: Fabian Grünbichler <[email protected]> Reviewed-by: Brian Behlendorf <[email protected]> Signed-off-by: Antonio Russo <[email protected]> Closes openzfs#8750 Closes openzfs#8848
Modify zfs-mount-generator to produce a dependency on new zfs-import-key-*.service units, dynamically created at boot to call zfs load-key for the encryption root, before attempting to mount any encrypted datasets. These units are created by zfs-mount-generator, and RequiresMountsFor on the keyfile, if present, or call systemd-ask-password if a passphrase is requested. This patch includes suggestions from @Fabian-Gruenbichler, @ryanjaeb and @rlaager, as well an adaptation of @rlaager's script to retry on incorrect password entry. Reviewed-by: Richard Laager <[email protected]> Reviewed-by: Fabian Grünbichler <[email protected]> Reviewed-by: Brian Behlendorf <[email protected]> Signed-off-by: Antonio Russo <[email protected]> Closes #8750 Closes #8848
Motivation and Context
Per conversation in #8750, modifications should be made to the mounting framework used in systemd to allow for encrypted datasets keys to be loaded.
Description
Modify
zfs-mount-generator
to produce a dependency on a newzfs-import-key-*.service
, dynamically created to callzfs load-key
for the encryption root before attempting to mount any encrypted datasets.These dynamically generated units
RequiresMountsFor
on the keyfile, if present, or callssystemd-ask-password
if a passphrase is requested.This patch includes suggestions from @Fabian-Gruenbichler, @rlaager, and @ryanjaeb.
How Has This Been Tested?
I have NOT tested this.
Types of changes
Checklist:
Signed-off-by
.