guix-devel

Re: GuixSD encrypted root?


From: Ludovic Courtès
Subject: Re: GuixSD encrypted root?
Date: Mon, 25 Apr 2016 10:02:43 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux)

Danny Milosavljevic <address@hidden> wrote:

> Hi,
>
>> Or, as Leo suggests, it could be that shepherd starts the device-mapping
>> service, which runs “cryptsetup luksOpen”, which never completes because
>> you don’t know it’s waiting for you to enter a passphrase.
>
> I doubt that it's that. The only change I have to do for it to work just fine 
> is to add "(mount? #f)". So I suspect that the cryptsetup works. (The only 
> thing I have to type manually is "mount /x" later - and that works, too)
>
> But I didn't know that Guix would run fsck on guix reconfigure.

‘guix system reconfigure’ starts new services, and that is part of a
service.

> Maybe I just have to wait longer as it's a huge partition (with almost
> nothing on it, though). Also, I've checked gnu/services/base.scm and
> it seems to hard-code e2fsprogs. I use btrfs, though.

Only ext[234] are supported currently, indeed.  There’s
<https://debbugs.gnu.org/cgi/bugreport.cgi?bug=19280> and it’s been
discussed on the mailing list recently (I think Tobias made progress in
that direction).

> My config (which is working fine because of the "(mount #f)") is:
>
> (define dayas-sys (mapped-device
>                          (source (uuid "cedd378f-329c-44c4-ab40-f74f0c1701a2"))
>                          (target "dayas-sys")
>                          (type luks-device-mapping)))
>
> (operating-system
>   ;; ...
>   (mapped-devices (list dayas-sys))
>   (file-systems (cons* (file-system
>                         (device "/dev/sda1")
>                         (title 'dayas:/)
>                         (mount-point "/")
>                         (type "ext4")
>                         (needed-for-boot? #t))
>                        (file-system
>                         (device "/dev/mapper/dayas-sys")
>                         (mount-point "/x")
>                         (type "btrfs")
>                         (needed-for-boot? #f)
>                         (mount? #f) ; otherwise does not work.
>                         (dependencies (list dayas-sys)))
>                        %base-file-systems))
>   ;...
> )
>
> How come yours doesn't have a "dependencies" entry? Is it somehow computed by 
> examining the "device" (/dev/mapper/...) entry?

The ‘dependencies’ field can be omitted if you change the ‘title’ field
of the /x entry to 'device (info "(guix) File Systems"):

          However, when the source of a file system is a mapped device
          (*note Mapped Devices::), its ‘device’ field _must_ refer to
          the mapped device name—e.g., ‘/dev/mapper/root-partition’—and
          consequently ‘title’ must be set to ‘'device’.  This is
          required so that the system knows that mounting the file
          system depends on having the corresponding device mapping
          established.

I admit this is not ideal.  I’d rather allow the ‘device’ field of
<file-system> to contain directly the <mapped-device>.

HTH,
Ludo’.
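
The change described above, applied to the /x entry of the quoted configuration (an added example, not part of the original message; the variable name `x-file-system` is an assumption, and `(mount? #f)` is carried over unchanged from the quoted configuration):

```scheme
(use-modules (gnu))

;; LUKS mapping, exactly as in the quoted configuration.
(define dayas-sys
  (mapped-device
   (source (uuid "cedd378f-329c-44c4-ab40-f74f0c1701a2"))
   (target "dayas-sys")
   (type luks-device-mapping)))

;; /x entry with 'title' set to 'device.  Because 'device' names
;; /dev/mapper/<target> and 'title' is 'device, the system can tell that
;; mounting /x depends on the "dayas-sys" mapping, so the explicit
;; (dependencies (list dayas-sys)) field is dropped.
(define x-file-system
  (file-system
    (device "/dev/mapper/dayas-sys")   ; must match the mapped-device target
    (title 'device)
    (mount-point "/x")
    (type "btrfs")
    (needed-for-boot? #f)
    (mount? #f)))                      ; kept from the quoted configuration

;; In the operating-system declaration these are used as:
;;   (mapped-devices (list dayas-sys))
;;   (file-systems (cons* root-file-system x-file-system %base-file-systems))
;; where root-file-system stands for the "/" entry of the quoted configuration.
```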


