#1 2021-09-15 07:38:01

TJM
Member
Registered: 2016-09-18
Posts: 114

[Solved] Use x-systemd.makefs with swap

It's always good to encrypt the swap partition. So I purchased a small but fast SSD and inserted it into the M.2 slot, hoping it will help my 8GiB RAM laptop run multiple memory-intensive programs at once. To achieve this, I wrote the following configs:

[root@ArchLinux ~]# cat /etc/crypttab.initramfs
# Configuration for encrypted block devices.
# See crypttab(5) for details.

# NOTE: Do not list your root (/) partition here, it must be set up
#       beforehand by the initramfs (/etc/mkinitcpio.conf).

# <name>       <device>                                     <password>              <options>
# home         UUID=b8ad5c18-f445-495d-9095-c9ec4f9d2f37    /etc/mypassword1
# data1        /dev/sda3                                    /etc/mypassword2
# data2        /dev/sda5                                    /etc/cryptfs.key
# swap         /dev/sdx4                                    /dev/urandom            swap,cipher=aes-cbc-essiv:sha256,size=256
# vol          /dev/sdb7                                    none
cryptswap 	/dev/sdb				    /dev/urandom            swap,cipher=aes-xts-plain64,size=256
cryptssd	LABEL="cryptssd"
[root@ArchLinux ~]# cat /etc/fstab
#
# /etc/fstab: static file system information
#
# <file system>	<dir>	<type>	<options>	<dump>	<pass>

# /dev/sda1 LABEL=SYSTEM_DRV
LABEL=BOOT       	/boot     	vfat      	rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro	0 2

#/dev/mapper/cryptswap
/dev/mapper/cryptswap	none      	swap      	x-systemd.makefs  	0 0

[root@ArchLinux ~]# cat /boot/loader/entries/arch.conf
title Arch Linux
linux /vmlinuz-linux
initrd /intel-ucode.img
initrd /initramfs-linux.img
options rd.luks.crypttab=yes root="LABEL=ArchLinux" rw
[root@ArchLinux ~]#

It looks good, except that x-systemd.makefs does not seem to be working: the swap partition is not mounted, and a manual swapon yields "read swap header failed".

[root@ArchLinux ~]$ file /dev/mapper/cryptswap
/dev/mapper/cryptswap: symbolic link to ../dm-0
[root@ArchLinux ~]$ file /dev/dm-0
/dev/dm-0: block special (254/0)
[root@ArchLinux ~]$ parted /dev/mapper/cryptswap print
Error: /dev/mapper/cryptswap: unrecognised disk label
Model: Linux device-mapper (crypt) (dm)
Disk /dev/mapper/cryptswap: 32GB
Sector size (logical/physical): 512B/512B
Partition Table: unknown
Disk Flags:
[root@ArchLinux ~]$ swapon /dev/mapper/cryptswap
swapon: /dev/mapper/cryptswap: read swap header failed
[root@ArchLinux ~]$ mkswap /dev/mapper/cryptswap
Setting up swapspace version 1, size = 32 GiB (34359720776 bytes)
no label, UUID=b1d48de7-ee9b-4938-bff6-9c8214a5ccec
[root@ArchLinux ~]$ file /dev/mapper/cryptswap
/dev/mapper/cryptswap: symbolic link to ../dm-0
[root@ArchLinux ~]$ file /dev/dm-0
/dev/dm-0: block special (254/0)
[root@ArchLinux ~]$ parted /dev/mapper/cryptswap print
Model: Linux device-mapper (crypt) (dm)
Disk /dev/mapper/cryptswap: 32GB
Sector size (logical/physical): 512B/512B
Partition Table: loop
Disk Flags:

Number  Start  End    Size   File system     Flags
 1      0.00B  32GB  32GB  linux-swap(v1)

[root@ArchLinux ~]$ swapon /dev/mapper/cryptswap
[root@ArchLinux ~]$ echo $?
0
[root@ArchLinux ~]$

Any ideas on this?

Last edited by TJM (2021-09-22 20:06:02)

Offline

#2 2021-09-15 08:07:57

V1del
Forum Moderator
Registered: 2012-10-16
Posts: 21,742

Re: [Solved] Use x-systemd.makefs with swap

If I'm reading this correctly the point of declaring it in the cryptsetup like this is that cryptsetup will take care of creating the swap filesystem anyway, so you're potentially killing the properly set up swap partition by trying to format it AGAIN after it's already done by cryptsetup. What do you need the makefs for? And you really don't want to use /dev/sdb for this. See the warning in your wiki link.

Last edited by V1del (2021-09-15 08:13:32)

Offline

#3 2021-09-15 08:11:38

TJM
Member
Registered: 2016-09-18
Posts: 114

Re: [Solved] Use x-systemd.makefs with swap

I've tried 'defaults' instead of 'x-systemd.makefs', which ends up with a similar outcome. Probably cryptsetup (or the sd-encrypt hook in initramfs) didn't set up the swap filesystem correctly.

V1del wrote:

If I'm reading this correctly the point of declaring it in the cryptsetup like this is that cryptsetup will take care of creating the swap filesystem anyway, so you're potentially killing the properly set up swap partition by trying to format it AGAIN after it's already done by cryptsetup. What do you think you need the makefs for?

Last edited by TJM (2021-09-15 08:22:01)

Offline

#4 2021-09-17 03:26:52

TJM
Member
Registered: 2016-09-18
Posts: 114

Re: [Solved] Use x-systemd.makefs with swap

I double-checked whether cryptsetup (or the sd-encrypt hook in initramfs) correctly formatted the cryptswap into the swap filesystem by commenting out the swap entry in fstab. However, it appears that it did nothing like formatting:

[root@ArchLinux ~]$ cat /etc/crypttab.initramfs
# Configuration for encrypted block devices.
# See crypttab(5) for details.

# NOTE: Do not list your root (/) partition here, it must be set up
#       beforehand by the initramfs (/etc/mkinitcpio.conf).

# <name>       <device>                                     <password>              <options>
# home         UUID=b8ad5c18-f445-495d-9095-c9ec4f9d2f37    /etc/mypassword1
# data1        /dev/sda3                                    /etc/mypassword2
# data2        /dev/sda5                                    /etc/cryptfs.key
# swap         /dev/sdx4                                    /dev/urandom            swap,cipher=aes-cbc-essiv:sha256,size=256
# vol          /dev/sdb7                                    none
cryptswap 	/dev/sdb				    /dev/urandom            swap,cipher=aes-xts-plain64,size=256
cryptssd	LABEL="cryptssd"
[root@ArchLinux ~]$ cat /etc/fstab
#
# /etc/fstab: static file system information
#
# <file system>	<dir>	<type>	<options>	<dump>	<pass>
# /dev/mapper/cryptroot
#UUID=8766c97a-b762-4755-ba0a-05ba81d4e0c7	/         	xfs      	rw		0 1

# /dev/sda1 LABEL=SYSTEM_DRV
LABEL=BOOT       	/boot     	vfat      	rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro	0 2

# /dev/mapper/cryptswap
#/dev/mapper/cryptswap	none      	swap      	x-systemd.makefs  	0 0

[root@ArchLinux ~]$ cat /boot/loader/entries/arch.conf
title Arch Linux
linux /vmlinuz-linux
initrd /intel-ucode.img
initrd /initramfs-linux.img
options rd.luks.crypttab=yes root="LABEL=ArchLinux" rw
[root@ArchLinux ~]$ file /dev/mapper/cryptswap
/dev/mapper/cryptswap: symbolic link to ../dm-0
[root@ArchLinux ~]$ file /dev/dm-0
/dev/dm-0: block special (254/0)
[root@ArchLinux ~]$ parted /dev/mapper/cryptswap print
Error: /dev/mapper/cryptswap: unrecognised disk label
Model: Linux device-mapper (crypt) (dm)
Disk /dev/mapper/cryptswap: 32GB
Sector size (logical/physical): 512B/512B
Partition Table: unknown
Disk Flags:
[root@ArchLinux ~]$ swapon /dev/mapper/cryptswap
swapon: /dev/mapper/cryptswap: read swap header failed
[root@ArchLinux ~]$ mkswap /dev/mapper/cryptswap
Setting up swapspace version 1, size = 32 GiB (34359720776 bytes)
no label, UUID=f7eaea95-098e-4d90-b087-ee28000319dd
[root@ArchLinux ~]$ file /dev/mapper/cryptswap
/dev/mapper/cryptswap: symbolic link to ../dm-0
[root@ArchLinux ~]$ file /dev/dm-0
/dev/dm-0: block special (254/0)
[root@ArchLinux ~]$ parted /dev/mapper/cryptswap print
Model: Linux device-mapper (crypt) (dm)
Disk /dev/mapper/cryptswap: 32GB
Sector size (logical/physical): 512B/512B
Partition Table: loop
Disk Flags:

Number  Start  End    Size   File system     Flags
 1      0.00B  32GB  32GB  linux-swap(v1)

[root@ArchLinux ~]$ swapon /dev/mapper/cryptswap
[root@ArchLinux ~]$ echo $?
0
[root@ArchLinux ~]$

Offline

#5 2021-09-18 10:50:10

TJM
Member
Registered: 2016-09-18
Posts: 114

Re: [Solved] Use x-systemd.makefs with swap

I found something interesting: there is a systemd service called systemd-cryptsetup@cryptswap.service stating "Failed to locate executable /usr/lib/systemd/systemd-makefs: No such file or directory". However, the file exists.

[root@ArchLinux ~]$ systemctl --timestamp=utc --no-pager status -l systemd-cryptsetup@cryptswap.service
× systemd-cryptsetup@cryptswap.service
     Loaded: not-found (Reason: Unit systemd-cryptsetup@cryptswap.service not found.)
     Active: failed (Result: exit-code) since Fri 2021-09-17 02:55:00 UTC; 1 day 7h ago
   Main PID: 175 (code=exited, status=0/SUCCESS)
        CPU: 11ms

Sep 16 19:55:00 archlinux systemd[1]: Starting Cryptography Setup for cryptswap...
Sep 16 19:55:00 archlinux systemd-cryptsetup[175]: Set cipher aes, mode xts-plain64, key size 256 bits for device /dev/sdb.
Sep 16 19:55:00 archlinux systemd[208]: systemd-cryptsetup@cryptswap.service: Failed to locate executable /usr/lib/systemd/systemd-makefs: No such file or directory
Sep 16 19:55:00 archlinux systemd[208]: systemd-cryptsetup@cryptswap.service: Failed at step EXEC spawning /usr/lib/systemd/systemd-makefs: No such file or directory
Sep 16 19:55:00 archlinux systemd[1]: systemd-cryptsetup@cryptswap.service: Control process exited, code=exited, status=203/EXEC
Sep 16 19:55:00 archlinux systemd[1]: systemd-cryptsetup@cryptswap.service: Failed with result 'exit-code'.
Sep 16 19:55:00 archlinux systemd[1]: Failed to start Cryptography Setup for cryptswap.
[root@ArchLinux~]$ file /usr/lib/systemd/systemd-makefs
/usr/lib/systemd/systemd-makefs: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=184488e56a736d0885240254855fd6fb2398a753, for GNU/Linux 4.4.0, stripped
[root@ArchLinux ~]$

Offline

#6 2021-09-18 11:38:05

Raynman
Member
Registered: 2011-10-22
Posts: 1,539

Re: [Solved] Use x-systemd.makefs with swap

Probably because systemd-makefs is not in your initramfs. You could add it (BINARIES in mkinitcpio.conf), or you could move the cryptswap line from /etc/crypttab.initramfs to /etc/crypttab.

Offline

#7 2021-09-19 04:58:34

TJM
Member
Registered: 2016-09-18
Posts: 114

Re: [Solved] Use x-systemd.makefs with swap

Raynman wrote:

Probably because systemd-makefs is not in your initramfs. You could add it (BINARIES in mkinitcpio.conf), or you could move the cryptswap line from /etc/crypttab.initramfs to /etc/crypttab.

Thanks for your advice. I will probably try the former as I'm not sure whether /etc/crypttab will be picked up during the boot process given the employment of sd-encrypt hooks rather than the encrypt hook.

Offline

#8 2021-09-19 05:04:03

TJM
Member
Registered: 2016-09-18
Posts: 114

Re: [Solved] Use x-systemd.makefs with swap

I've changed the mkinitcpio.conf into the following:

# vim:set ft=sh
# MODULES
# The following modules are loaded before any boot hooks are
# run.  Advanced users may wish to specify all system modules
# in this array.  For instance:
#     MODULES=(piix ide_disk reiserfs)
MODULES=(xfs)

# BINARIES
# This setting includes any additional binaries a given user may
# wish into the CPIO image.  This is run last, so it may be used to
# override the actual binaries included by a given hook
# BINARIES are dependency parsed, so you may safely ignore libraries
BINARIES=(/usr/lib/systemd/systemd-makefs)

# FILES
# This setting is similar to BINARIES above, however, files are added
# as-is and are not parsed in any way.  This is useful for config files.
FILES=(/etc/shadow)

# HOOKS
# This is the most important setting in this file.  The HOOKS control the
# modules and scripts added to the image, and what happens at boot time.
# Order is important, and it is recommended that you do not change the
# order in which HOOKS are added.  Run 'mkinitcpio -H <hook name>' for
# help on a given hook.
# 'base' is _required_ unless you know precisely what you are doing.
# 'udev' is _required_ in order to automatically load modules
# 'filesystems' is _required_ unless you specify your fs modules in MODULES
# Examples:
##   This setup specifies all modules in the MODULES setting above.
##   No raid, lvm2, or encrypted root is needed.
#    HOOKS=(base)
#
##   This setup will autodetect all modules for your system and should
##   work as a sane default
#    HOOKS=(base udev autodetect block filesystems)
#
##   This setup will generate a 'full' image which supports most systems.
##   No autodetection is done.
#    HOOKS=(base udev block filesystems)
#
##   This setup assembles a pata mdadm array with an encrypted root FS.
##   Note: See 'mkinitcpio -H mdadm' for more information on raid devices.
#    HOOKS=(base udev block mdadm encrypt filesystems)
#
##   This setup loads an lvm2 volume group on a usb device.
#    HOOKS=(base udev block lvm2 filesystems)
#
##   NOTE: If you have /usr on a separate partition, you MUST include the
#    usr, fsck and shutdown hooks.
HOOKS=(base systemd autodetect modconf block keyboard sd-vconsole sd-encrypt lvm2 fsck filesystems)

# COMPRESSION
# Use this to compress the initramfs image. By default, zstd compression
# is used. Use 'cat' to create an uncompressed image.
#COMPRESSION="zstd"
#COMPRESSION="gzip"
#COMPRESSION="bzip2"
#COMPRESSION="lzma"
#COMPRESSION="xz"
#COMPRESSION="lzop"
#COMPRESSION="lz4"

# COMPRESSION_OPTIONS
# Additional options for the compressor
#COMPRESSION_OPTIONS=()

However, the mkinitcpio command didn't show whether the binaries have been picked up ¯\_(ツ)_/¯

[root@ArchLinux etc]# mkinitcpio -p linux
==> Building image from preset: /etc/mkinitcpio.d/linux.preset: 'default'
  -> -k /boot/vmlinuz-linux -c /etc/mkinitcpio.conf -g /boot/initramfs-linux.img
==> Starting build: 5.13.13-arch1-1
  -> Running build hook: [base]
  -> Running build hook: [systemd]
  -> Running build hook: [autodetect]
  -> Running build hook: [modconf]
  -> Running build hook: [block]
==> WARNING: Possibly missing firmware for module: xhci_pci
  -> Running build hook: [keyboard]
  -> Running build hook: [sd-vconsole]
  -> Running build hook: [sd-encrypt]
==> WARNING: Possibly missing firmware for module: qat_4xxx
  -> Running build hook: [lvm2]
  -> Running build hook: [fsck]
  -> Running build hook: [filesystems]
==> Generating module dependencies
==> Creating zstd-compressed initcpio image: /boot/initramfs-linux.img
==> Image generation successful
==> Building image from preset: /etc/mkinitcpio.d/linux.preset: 'fallback'
  -> -k /boot/vmlinuz-linux -c /etc/mkinitcpio.conf -g /boot/initramfs-linux-fallback.img -S autodetect
==> Starting build: 5.13.13-arch1-1
  -> Running build hook: [base]
  -> Running build hook: [systemd]
  -> Running build hook: [modconf]
  -> Running build hook: [block]
==> WARNING: Possibly missing firmware for module: xhci_pci
  -> Running build hook: [keyboard]
  -> Running build hook: [sd-vconsole]
  -> Running build hook: [sd-encrypt]
==> WARNING: Possibly missing firmware for module: qat_4xxx
  -> Running build hook: [lvm2]
  -> Running build hook: [fsck]
  -> Running build hook: [filesystems]
==> Generating module dependencies
==> Creating zstd-compressed initcpio image: /boot/initramfs-linux-fallback.img
==> Image generation successful
[root@ArchLinux etc]# 

Offline

#9 2021-09-19 11:07:01

nl6720
The Evil Wiki Admin
Registered: 2016-07-02
Posts: 596

Re: [Solved] Use x-systemd.makefs with swap

You can use lsinitcpio to inspect the initramfs image:

$ lsinitcpio /boot/initramfs-linux.img

TJM wrote:

I'm not sure whether /etc/crypttab will be picked up during the boot process given the employment of sd-encrypt hooks rather than the encrypt hook.

Why? Unless you explicitly disable /etc/crypttab parsing with luks.crypttab=no from the kernel command line, or if you use luks.* options (not rd.luks.*), there should be no issue.

Edit:
I opened FS#72174 about sd-encrypt not adding /usr/lib/systemd/systemd-makefs.

Last edited by nl6720 (2021-09-19 12:08:29)

Offline

#10 2021-09-20 02:05:57

TJM
Member
Registered: 2016-09-18
Posts: 114

Re: [Solved] Use x-systemd.makefs with swap

nl6720 wrote:

You can use lsinitcpio to inspect the initramfs image:

$ lsinitcpio /boot/initramfs-linux.img

TJM wrote:

I'm not sure whether /etc/crypttab will be picked up during the boot process given the employment of sd-encrypt hooks rather than the encrypt hook.

Why? Unless you explicitly disable /etc/crypttab parsing with luks.crypttab=no from the kernel command line, or if you use luks.* options (not rd.luks.*), there should be no issue.

Edit:
I opened FS#72174 about sd-encrypt not adding /usr/lib/systemd/systemd-makefs.

Thanks, it looks like the initramfs has the binary now.

[root@ArchLinux ~]# lsinitcpio /boot/initramfs-linux.img  | grep makefs
usr/lib/systemd/systemd-makefs
[root@ArchLinux ~]#

Offline
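
The failure diagnosed in this thread (a `swap` entry in crypttab.initramfs with no systemd-makefs in the image) and the /dev/sdb warning from post #2 can both be checked before rebooting. The script below is an added example, not code from any poster: the function name `audit_crypttab`, the temporary files and the abbreviated image listings are constructed for illustration, and on a real system the listing would be the output of `lsinitcpio /boot/initramfs-linux.img`.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: audit a crypttab that will be embedded in
# the initramfs against the file list that `lsinitcpio IMAGE` prints.

MAKEFS=usr/lib/systemd/systemd-makefs   # path as lsinitcpio lists it in the thread

# audit_crypttab CRYPTTAB LISTING -> one finding per line, exit status 1 if any
audit_crypttab() {
    local crypttab="$1" listing="$2" rc=0 name device key options
    while read -r name device key options; do
        case $name in ''|'#'*) continue ;; esac          # blank line or comment
        case ",$options," in *,swap,*) ;; *) continue ;; esac
        # A swap volume is formatted after unlock by systemd-makefs, so the
        # helper must exist wherever the unit runs (here: inside the initramfs).
        if ! grep -qxF "$MAKEFS" "$listing"; then
            echo "$name: $MAKEFS missing from image"; rc=1
        fi
        # The volume is re-keyed and reformatted on every boot; a kernel name
        # such as /dev/sdb may refer to a different disk on the next boot.
        case $device in
            /dev/sd[a-z]*|/dev/vd[a-z]*|/dev/nvme[0-9]*)
                echo "$name: $device is not a persistent device name"; rc=1 ;;
        esac
    done < "$crypttab"
    return "$rc"
}

# Constructed sample input: the thread's two active crypttab lines and two
# abbreviated image listings (before and after adding the BINARIES entry).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '%s\n' '# <name> <device> <password> <options>' \
    'cryptswap /dev/sdb /dev/urandom swap,cipher=aes-xts-plain64,size=256' \
    'cryptssd LABEL="cryptssd"' > "$demo_dir/crypttab.initramfs"
printf '%s\n' usr/lib/systemd/systemd-cryptsetup > "$demo_dir/before.lst"
printf '%s\n' usr/lib/systemd/systemd-cryptsetup "$MAKEFS" > "$demo_dir/after.lst"

audit_crypttab "$demo_dir/crypttab.initramfs" "$demo_dir/before.lst" || true
audit_crypttab "$demo_dir/crypttab.initramfs" "$demo_dir/after.lst" || true
```
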

#11 2021-09-22 20:05:47

TJM
Member
Registered: 2016-09-18
Posts: 114

Re: [Solved] Use x-systemd.makefs with swap

Confirmed with a recent reboot: the BINARIES in mkinitcpio.conf helps.

Offline
