X-Original-To: alpine-devel@lists.alpinelinux.org Delivered-To: alpine-devel@mail.alpinelinux.org Received: from apollo.thewebhostserver.com (apollomail.thewebhostserver.com [46.23.65.248]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.alpinelinux.org (Postfix) with ESMTPS id 054E9DC0158 for ; Thu, 13 Feb 2014 23:07:55 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=it-offshore.co.uk; s=default; h=Content-Type:In-Reply-To:References:Subject:CC:To:MIME-Version:Reply-To:From:Date:Message-ID; bh=6i0dcELZiCKNRm1zByJYkOss6grxBZovLZNz1/m5+hA=; b=JJRY+LZbR7K8HtxIlCEoNnwKWn8PAJ2FVG1rYzWSc8xcO4L0ZF3yUB2cbyrAdyQtsnW9YdVnpuX+qV3FLQHM7w2E4G5bQe+EMyFByXEiixk+wgTzILjNEtSngZVc/MnW; Received: from a95-93-2-88.cpe.netcabo.pt ([95.93.2.88]:56820 helo=[192.168.1.5]) by apollo.thewebhostserver.com with esmtpsa (TLSv1:DHE-RSA-CAMELLIA256-SHA:256) (Exim 4.82) (envelope-from ) id 1WE5Nl-001PGI-8x; Thu, 13 Feb 2014 23:07:50 +0000 Message-ID: <52FD5043.30509@it-offshore.co.uk> Date: Thu, 13 Feb 2014 23:07:47 +0000 From: IT Developer Reply-To: developer@it-offshore.co.uk Organization: IT Offshore User-Agent: Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20100101 Thunderbird/24.2.0 X-Mailinglist: alpine-devel Precedence: list List-Id: Alpine Development List-Unsubscribe: List-Post: List-Help: List-Subscribe: MIME-Version: 1.0 To: Timo Teras CC: alpine-devel@lists.alpinelinux.org Subject: Re: [alpine-devel] [PATCH] Main/mkinitfs - small Patch for LUKS / Cryptsetup References: <1392158622-21396-1-git-send-email-developer@it-offshore.co.uk> <20140212081021.24b9d693@vostro> <52FBCAD2.5070606@it-offshore.co.uk> <20140213105406.0b0c9eb6@vostro> In-Reply-To: <20140213105406.0b0c9eb6@vostro> X-Enigmail-Version: 1.5.2 Content-Type: multipart/alternative; boundary="------------070100010400060109070509" X-AntiAbuse: This header was added to track abuse, please include it with any abuse report X-AntiAbuse: Primary Hostname - apollo.thewebhostserver.com X-AntiAbuse: Original Domain - lists.alpinelinux.org X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12] X-AntiAbuse: Sender Address Domain - it-offshore.co.uk X-Get-Message-Sender-Via: apollo.thewebhostserver.com: authenticated_id: developer@it-offshore.co.uk X-Source: X-Source-Args: X-Source-Dir: This is a multi-part message in MIME format. --------------070100010400060109070509 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit I did a LUKS + LVM install today in a virtual machine & the "apk fix --root /mnt linux-grsec" still works on a CHROOT. EXTLINUX correctly finds the boot partition & writes the needed files to /boot (for some reason EXTLINUX exits with "cannot open /dev/sda1 - exit error 1" - but the system boots ok. It's only on kernel upgrades that mkinitfs is not being triggered to rebuild with cryptsetup included which causes a problem. I would be happy to do a page for the wiki on LUKS + LVM installations. Stuart. On 02/13/2014 08:54 AM, Timo Teras wrote: > On Wed, 12 Feb 2014 19:26:10 +0000 > IT Developer wrote: > >> When mkinitfs is run on it's own for example (as shown on the wiki): >> >> /*mkinitfs -c $MNT/etc/mkinitfs/mkinitfs.conf -b $MNT*/ > The differences are that when apk runs the trigger, it's executed in > chroot. And command is like 'mkinitfs -o /boot/$initfs $abi_release' > > This sounds like mkinitfs bug, or mismatch with running kernel and > installed kernel versions. The wiki should likely be updated or > mkinitfs fixed. > >> The initramfs does not contain cryptsetup >> >> Cryptsetup is included when apk is run with: >> >> /*apk fix --root $MNT linux-grsec*/ (or just /*apk fix linux-grsec*/ >> on a running system) > So the problem occurs only when doing chroot installs? > >> I don't know what extra "apk fix" does - but it does call mkinitfs >> correctly & generates an initramfs with cryptsetup included. At the >> moment upgrading a kernel on an encrypted system does not generate a >> new initramfs with cryptsetup included. >> >> I am using a system with LVM on top of LUKS - when I upgraded to the >> edge kernel a few days ago I did not see any initramfs regeneration - >> even for LVM. > Mkinitfs trigger is "$pkgname.trigger=/usr/share/kernel/*" and I > believe only kernel images touch those files. Sounds like kernel module > packages as well as userland packages that go to initramfs should also > trigger mkinitfs. > > ncopa, any idea how to do that properly? Perhaps we should have > some /usr/share/mkinitfs/components/ directory where each of these > package can install a file - and mkinitfs trigger monitors that > directory and in case something changes there it regens initfs for > all kernel flavors installed. > > - Timo > > --------------070100010400060109070509 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit
I did a LUKS + LVM install today in a virtual machine & the "apk fix --root /mnt linux-grsec" still works on a CHROOT. EXTLINUX correctly finds the boot partition & writes the needed files to /boot (for some reason EXTLINUX exits with "cannot open /dev/sda1 - exit error 1" - but the system boots ok. It's only on kernel upgrades that mkinitfs is not being triggered to rebuild with cryptsetup included which causes a problem.

I would be happy to do a page for the wiki on LUKS + LVM installations.

Stuart.
On 02/13/2014 08:54 AM, Timo Teras wrote:
On Wed, 12 Feb 2014 19:26:10 +0000
IT Developer <developer@it-offshore.co.uk> wrote:


When mkinitfs is run on it's own for example (as shown on the wiki):

/*mkinitfs -c $MNT/etc/mkinitfs/mkinitfs.conf -b $MNT*/

The differences are that when apk runs the trigger, it's executed in
chroot. And command is like 'mkinitfs -o /boot/$initfs $abi_release'

This sounds like mkinitfs bug, or mismatch with running kernel and
installed kernel versions. The wiki should likely be updated or
mkinitfs fixed.


The initramfs does not contain cryptsetup

Cryptsetup is included when apk is run with:

/*apk fix --root $MNT linux-grsec*/ (or just /*apk fix linux-grsec*/
on a running system)

So the problem occurs only when doing chroot installs?


I don't know what extra "apk fix" does - but it does call mkinitfs
correctly & generates an initramfs with cryptsetup included. At the
moment upgrading a kernel on an encrypted system does not generate a
new initramfs with cryptsetup included.

I am using a system with LVM on top of LUKS - when I upgraded to the
edge kernel a few days ago I did not see any initramfs regeneration -
even for LVM.

Mkinitfs trigger is "$pkgname.trigger=/usr/share/kernel/*" and I
believe only kernel images touch those files. Sounds like kernel module
packages as well as userland packages that go to initramfs should also
trigger mkinitfs.

ncopa, any idea how to do that properly? Perhaps we should have
some /usr/share/mkinitfs/components/ directory where each of these
package can install a file - and mkinitfs trigger monitors that
directory and in case something changes there it regens initfs for
all kernel flavors installed.

- Timo

--------------070100010400060109070509-- --- Unsubscribe: alpine-devel+unsubscribe@lists.alpinelinux.org Help: alpine-devel+help@lists.alpinelinux.org ---