group.of.nepali.translators team mailing list archive

[Bug 1634310] Re: crypt:dev=/dev/vdb parameter does not work with randomly generated passphrase

 

This bug was fixed in the package cloud-initramfs-tools - 0.30ubuntu1.1

---------------
cloud-initramfs-tools (0.30ubuntu1.1) yakkety; urgency=medium

  * sync with upstream at 0.32ubuntu1 (revno 129)
    * overlayroot: fix overlayroot=crypt with newer initramfs-tools
      (LP: #1634310)
    * overlayroot: support random seed from systemd
      systemd-random-seed.service
    * cloud-initramfs-dyn-netconf: Further adjustments to support
      IPV6 and the new DEVICE6 and net6-DEVICE.conf files.
      (LP: #1621615)

 -- Scott Moser <smoser@xxxxxxxxxx>  Mon, 28 Nov 2016 20:21:14 -0500

** Changed in: cloud-initramfs-tools (Ubuntu Yakkety)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1634310

Title:
  crypt:dev=/dev/vdb parameter does not work with randomly generated
  passphrase

Status in cloud-initramfs-tools package in Ubuntu:
  Fix Released
Status in cloud-initramfs-tools source package in Xenial:
  Fix Released
Status in cloud-initramfs-tools source package in Yakkety:
  Fix Released

Bug description:
  === Begin SRU Template ===
  [Impact]
  Using overlay to put overlay data onto an encrypted volume with a randomly
  generated password does not function as documented.

  [Test Case]
  The following should work, but currently does not.
  Note, to test the fix, between step 1 and 2, you'll need to enable
  proposed and install overlayroot.

  1. Start an instance of a cloud image with 2 disks.
     One disk is the root disk, one disk is the target.
     This can be done locally with qemu or within openstack or any other cloud.

  2. configure overlayroot to write to target disk, reboot

     # remove the entry in /etc/fstab for the device we're using
     $ sudo sed -i.dist '/comment=cloudconfig/d' /etc/fstab

     $ target=/dev/vdb
     $ echo "overlayroot=crypt:dev=$target" | sudo tee /etc/overlayroot.local.conf
     $ sudo reboot

  3. log back in and look around

     a.) check that 'overlayroot' is in /proc/mounts
         $ awk '$1 == "overlayroot" { print $0 }' /proc/mounts
         overlayroot / overlay rw,relatime,lowerdir=/media/root-ro,upperdir=/media/root-rw/overlay,workdir=/media/root-rw/overlay-workdir/_ 0 0

     b.) check that the upperdir listed (/media/root-rw) is encrypted
         $ df -h /media/root-rw/
         Filesystem          Size  Used Avail Use% Mounted on
         /dev/mapper/secure   40G   50M   38G   1% /media/root-rw

     c.) check /run/initramfs/overlayroot.log
         $ grep success /run/initramfs/overlayroot.log
         [success]: configured root with 'crypt:dev=/dev/vdb' using overlay per /dev/vda1/etc/overlayroot.local.conf

     d.) show password file.
         $ pf=$(echo /run/initramfs/overlayroot.??????);
         $ for f in $pf; do ls -l $f; sudo cat $f; done
         -rw------- 1 root root 128 Nov 29 20:22 /run/initramfs/overlayroot.4bHuqg
         8c420e20a49254.<snip>.659eb663e

  [Regression Potential]
  The most likely path for failure on this I would think is related to setting
  of PERSIST_DIR.  If PERSIST_DIR was not set correctly, then the logging
  would likely fail and the password file would not be created.
  That should be caught and logged with:
   log_fail "failed creation of password file";

  [Other Info]
  The full overlayroot/init-bottom/overlayroot can be seen at [1].  The
  specific change that fixed the issue is in revision 126 at [2].

  [1] http://bazaar.launchpad.net/~cloud-initramfs-tools/cloud-initramfs-tools/trunk/view/head:/overlayroot/scripts/init-bottom/overlayroot
  [2] http://bazaar.launchpad.net/~cloud-initramfs-tools/cloud-initramfs-tools/trunk/revision/126
  === End SRU Template ===

  For the life of me I cannot get the parameter crypt:dev=/dev/vdb to
  work in /etc/overlayroot.conf.

  I have tried the line

  overlayroot=crypt:dev=/dev/vdb,pass=somepass,mkfs=0

  Which works when I create the LUKS device ahead of time, and set the
  passphrase 'somepass'. But when I try

  overlayroot=crypt:dev=/dev/vdb,mkfs=1

  or just

  overlayroot=crypt:dev=/dev/vdb

  I get no overlay after reboot. I have also tried the "debug=1"
  parameter and I'm not getting any debug output either. Where are the
  logs and/or where should I be able to see the debug output?

  As Dustin has so eloquently documented, it defeats the privacy of your
  encryption if you have to specify the passphrase in clear text in your
  unencrypted read-only directory. So the only way I will be using this
  is if I can use the simple "overlayroot=crypt:dev=/dev/vdb" one-liner
  and have the passphrase generated automatically on boot.

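The checks in step 3 of the test case above, written as shell functions (an added example, not part of the bug report or of cloud-initramfs-tools). The function names and the sample files built by demo are constructed for illustration; the expected values (the overlayroot mount, a /dev/mapper backing device, the [success] log line, a mode 600 root-owned password file) are taken from the output quoted in the report.

```shell
# Added example: checks a.) to d.) of the test case as functions. File paths are
# arguments, so the same checks run on an instance or on constructed samples.
overlay_upperdir() {   # $1 = mounts file; prints upperdir of the overlayroot mount on /
    awk '$1 == "overlayroot" && $2 == "/" {
        n = split($4, o, ",")
        for (i = 1; i <= n; i++)
            if (o[i] ~ /^upperdir=/) { print substr(o[i], 10); exit }
    }' "$1"
}

backing_device() {     # $1 = mounts file, $2 = path; prints device of the covering mount
    awk -v p="$2" '{
        m = $2
        if ((m == "/" || p == m || index(p, m "/") == 1) && length(m) >= best) {
            best = length(m); dev = $1
        }
    } END { if (dev != "") print dev }' "$1"
}

log_reports_crypt() {  # $1 = overlayroot.log
    grep -q "^\[success\]: configured root with 'crypt:" "$1"
}

pwfile_is_private() {  # $1 = password file, $2 = expected owner uid (default 0, root)
    [ -f "$1" ] && [ "$(stat -c '%a %u' "$1")" = "600 ${2:-0}" ]
}

verify_overlayroot_crypt() {  # $1 mounts, $2 log, $3 password file, $4 expected uid
    up=$(overlay_upperdir "$1")
    [ -n "$up" ] || { echo "FAIL: no overlayroot mount on /"; return 1; }
    dev=$(backing_device "$1" "$up")
    case "$dev" in
        /dev/mapper/*) ;;   # device-mapper volume, as in the df output of step b.)
        *) echo "FAIL: $up is backed by '$dev', not /dev/mapper/*"; return 1 ;;
    esac
    log_reports_crypt "$2" || { echo "FAIL: no crypt success line in $2"; return 1; }
    pwfile_is_private "$3" "$4" || { echo "FAIL: $3 is not mode 600, uid ${4:-0}"; return 1; }
    echo "OK: upperdir $up on $dev"
}

demo() {  # constructed sample files modelled on the output quoted in the report
    d=$(mktemp -d)
    printf '%s\n' '/dev/mapper/secure /media/root-rw ext4 rw,relatime 0 0' \
        'overlayroot / overlay rw,lowerdir=/media/root-ro,upperdir=/media/root-rw/overlay 0 0' \
        > "$d/mounts"
    echo "[success]: configured root with 'crypt:dev=/dev/vdb' using overlay" > "$d/log"
    echo "constructed-placeholder" > "$d/pw" && chmod 600 "$d/pw"
    verify_overlayroot_crypt "$d/mounts" "$d/log" "$d/pw" "$(id -u)"
}
```

On an instance, run `verify_overlayroot_crypt /proc/mounts /run/initramfs/overlayroot.log` as root with the actual password file path as the third argument. `cryptsetup status secure` additionally confirms that the mapping is dm-crypt rather than another device-mapper target.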