#1 2016-03-14 20:12:18

jwhendy
Member
Registered: 2010-04-01
Posts: 621

Proper use of systemd mkinitcpio hook + encrypted root?

Greetings,


I've been trying to look into ways to speed up my boot time as I think it's somewhat long (~15s for kernel). In looking around, I ran into this post which stated that the systemd hook could be used instead of base and udev to split out the times of systemd-analyze into kernel, initrd, and userspace:

jonnsl wrote:

I assume that I need to change /etc/mkinitcpio.conf, from:
HOOKS="base udev autodetect modconf block lvm2 filesystems keyboard fsck"
to: HOOKS="systemd autodetect modconf block lvm2 filesystems keyboard fsck"
and then running `# mkinitcpio -p linux`. is this correct?

WonderWoofy wrote:

That is exactly what you need to do.

I've done this, but fail to get a root device at boot. It just hangs at "waiting for /dev/mapper/root". I'm running an encrypted system (plain dm-crypt/cryptsetup).

My partition was created like so:

# cryptsetup -v -c aes-xts-plain64 -s 512 -h sha512 -i 5000 --use-random -y luksFormat /dev/sda2
# cryptsetup open /dev/sda2 ssd
# mkfs.ext4 /dev/mapper/ssd

Relevant configs (using base/udev hooks)

### /etc/mkinitcpio.conf
MODULES="sd_mod ext4"
BINARIES="fsck fsck.ext4"
HOOKS="base udev autodetect modconf block encrypt filesystems keyboard fsck"

### /boot/syslinux/syslinux.cfg
LABEL arch
    MENU LABEL arch-ssd-uuid
    LINUX ../vmlinuz-linux
    APPEND root=/dev/mapper/root cryptdevice=UUID=7101e83b-31c0-4cdf-bc07-678e00e19c32:root:allow-discards crypto=sha512:aes-xts-plain64:512:: systemd.unit=multi-user.target rw
    INITRD ../intel-ucode.img,../initramfs-linux.img

Initially I just replaced base/udev with systemd, as that's what the quotes above sounded like. Further reading indicated I also needed sd-encrypt instead of encrypt, and based on finding this post, I understand that using the systemd hook requires different kernel options. After a lot of trial and error, I've succeeded in booting with this configuration:

### /etc/mkinitcpio.conf
MODULES="dm_crypt aes_x86_64 dm_mod sd_mod ext4 i915"
BINARIES="fsck fsck.ext4"
HOOKS="systemd autodetect modconf block sd-encrypt filesystems keyboard fsck"

### /boot/syslinux/syslinux.cfg
LABEL arch
    MENU LABEL arch-ssd-uuid
    LINUX ../vmlinuz-linux
    APPEND rd.luks.uuid=7101e83b-31c0-4cdf-bc07-678e00e19c32 root=UUID=eb20c219-0df8-4051-bad2-39d57aed7b59 crypto=sha512:aes-xts-plain64:512:: rd.luks.allow-discards rw
    INITRD ../intel-ucode.img,../initramfs-linux.img

Here's the crypt section from journalctl:

Mar 14 11:38:20 localhost systemd-cryptsetup[200]: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/disk/by-uuid/7101e83b-31c0-4cdf-bc07-678e00e19c32.
Mar 14 11:38:26 localhost systemd[1]: Found device /dev/mapper/luks-7101e83b-31c0-4cdf-bc07-678e00e19c32.
Mar 14 11:38:26 localhost systemd[1]: Found device /dev/disk/by-uuid/eb20c219-0df8-4051-bad2-39d57aed7b59.
Mar 14 11:38:26 localhost systemd[1]: Started Cryptography Setup for luks-7101e83b-31c0-4cdf-bc07-678e00e19c32.
Mar 14 11:38:26 localhost systemd[1]: Reached target Encrypted Volumes.
Mar 14 11:38:26 localhost systemd[1]: Reached target System Initialization.
Mar 14 11:38:26 localhost systemd[1]: Reached target Basic System.
Mar 14 11:38:26 localhost systemd[1]: Starting File System Check on /dev/disk/by-uuid/eb20c219-0df8-4051-bad2-39d57aed7b59...
Mar 14 11:38:26 localhost systemd-fsck[302]: /dev/mapper/luks-7101e83b-31c0-4cdf-bc07-678e00e19c32: clean, 201589/7290880 files, 2086964/29157752 blocks
Mar 14 11:38:26 localhost systemd[1]: Started File System Check on /dev/disk/by-uuid/eb20c219-0df8-4051-bad2-39d57aed7b59.
Mar 14 11:38:26 localhost systemd[1]: Mounting /sysroot...
Mar 14 11:38:26 localhost kernel: EXT4-fs (dm-0): mounted filesystem with ordered data mode. Opts: (null)
Mar 14 11:38:26 localhost systemd[1]: Mounted /sysroot.

Does that look reasonable? I'm on my first boot so my recollection isn't perfect, but I swear there was a line about waiting 10sec for some device. I'm also wondering about rd.luks.option vs. luks.option... the docs differentiate each (prefixed by rd. or not) like so: "rd.luks.uuid= is honored only by initial RAM disk (initrd) while luks.uuid= is honored by both the main system and the initrd." So, my questions:

- are my mkinitcpio.conf and syslinux.cfg looking correct?
- I'm not clear on whether I need these "honored by the initrd" or both the initrd and "the main system." What's the difference?
- I enabled this hook purely to diagnose my boot time (thinking it would be simple!); what general advantage is there of systemd vs. base/udev?
- do I need to do anything to /etc/fstab based on the above? I had:

/dev/mapper/root      	/         	ext4      	rw,noatime,data=ordered 0 0

That worked, though I'm now realizing systemd must be mounting things automatically vs. me specifying the name of the cryptdevice and then having fstab pick it up from /dev/mapper? Would I just delete that entry in fstab?

I think the documentation is lacking in this area and plan to add something to the wiki at least to point users in the right direction about the modified options. I get no hits for "luks.uuid" or "rd.luks" on the Arch wiki, for example.

Last edited by jwhendy (2016-03-14 21:13:44)
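
Added example (not part of any post in this thread, and not code from mkinitcpio or systemd): a small translator from the `encrypt`-hook kernel parameters in the first syslinux.cfg above to the parameters read by `sd-encrypt`. The function names are hypothetical. It assumes a LUKS container, as created with luksFormat in the post, and it uses rd.luks.name= instead of the rd.luks.uuid= the poster chose, so the mapper name stays "root" and the existing root= and fstab entries keep working.

```python
# Added example: rewrite an `encrypt`-hook kernel command line for `sd-encrypt`.
# Function names are hypothetical; the sample line is the APPEND line from the post.

# encrypt-hook cryptdevice options -> crypttab-style options for rd.luks.options=
OPTION_MAP = {"allow-discards": "discard"}

OLD_CMDLINE = (
    "root=/dev/mapper/root "
    "cryptdevice=UUID=7101e83b-31c0-4cdf-bc07-678e00e19c32:root:allow-discards "
    "crypto=sha512:aes-xts-plain64:512:: systemd.unit=multi-user.target rw"
)


def split_cryptdevice(value):
    """Split 'device:dmname[:opt1,opt2]' on ':' into device, mapper name, options."""
    parts = value.split(":", 2)
    if len(parts) < 2 or not parts[0] or not parts[1]:
        raise ValueError(f"malformed cryptdevice= value: {value!r}")
    opts = [o for o in parts[2].split(",") if o] if len(parts) == 3 else []
    return parts[0], parts[1], opts


def to_sd_encrypt(cmdline):
    """Return cmdline with cryptdevice=/crypto= replaced by rd.luks.* parameters."""
    out = []
    for token in cmdline.split():
        key, _, value = token.partition("=")
        if key == "crypto":
            continue  # plain dm-crypt only; a LUKS header already records the cipher
        if key != "cryptdevice":
            out.append(token)  # root=, rw, systemd.unit=... pass through unchanged
            continue
        device, name, opts = split_cryptdevice(value)
        if not device.startswith("UUID="):
            # rd.luks.name= is keyed on the LUKS UUID, so a path cannot be translated
            raise ValueError(f"look up the LUKS UUID of {device} first")
        unknown = [o for o in opts if o not in OPTION_MAP]
        if unknown:
            raise ValueError(f"no mapping known for cryptdevice options: {unknown}")
        uuid = device[len("UUID="):]
        # Keeping the mapper name means root=/dev/mapper/<name> and fstab stay valid.
        out.append(f"rd.luks.name={uuid}={name}")
        if opts:
            mapped = ",".join(OPTION_MAP[o] for o in opts)
            out.append(f"rd.luks.options={uuid}={mapped}")
    return " ".join(out)


if __name__ == "__main__":
    print(to_sd_encrypt(OLD_CMDLINE))
```

The discard option lets TRIM requests pass through the encrypted mapping, which reveals which blocks of the device are unused.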


#2 2016-03-14 20:52:20

Thorsten Reinbold
Member
From: Germany
Registered: 2011-12-06
Posts: 353

Re: Proper use of systemd mkinitcpio hook + encrypted root?

jwhendy wrote:
/dev/mapper/root      	/         	ext4      	rw,noatime,data=ordered0 0

Just one point, but shouldn't there be a space between "data=ordered" and "0 0"?


#3 2016-03-14 21:14:19

jwhendy
Member
Registered: 2010-04-01
Posts: 621

Re: Proper use of systemd mkinitcpio hook + encrypted root?

@Thorsten: Whoops! There is in the actual file... looks like it was a copy/paste error. Thanks for the catch.


#4 2016-03-15 05:37:37

jwhendy
Member
Registered: 2010-04-01
Posts: 621

Re: Proper use of systemd mkinitcpio hook + encrypted root?

So I think I'm mostly satisfied with my setup at this point. My curiosity now is related to the time after entering the cryptsetup password. It hangs for a bit with the message "a start job is running for luks-7101e83b-31c0-4cdf-bc07-678e00e19c32.device"

Here's my boot process, which looks like a long time to decrypt/mount root:

$ systemd-analyze 
Startup finished in 4.360s (kernel) + 11.526s (initrd) + 1.129s (userspace) = 17.016s

$ systemd-analyze blame
         10.059s systemd-cryptsetup@luks\x2d7101e83b\x2d31c0\x2d4cdf\x2dbc07\x2d678e00e19c32.service
          1.781s man-db.service
           166ms wicd.service
           112ms systemd-journald.service
            52ms systemd-rfkill.service
            41ms systemd-journal-flush.service
            31ms systemd-vconsole-setup.service
            30ms kmod-static-nodes.service
            29ms alsa-restore.service
            29ms systemd-udevd.service
            29ms polkit.service
            27ms dev-hugepages.mount
            24ms systemd-udev-trigger.service
            22ms systemd-logind.service
            22ms sys-kernel-debug.mount
            20ms dev-mqueue.mount
            19ms user@1000.service
            17ms systemd-sysctl.service
            17ms systemd-fsck-root.service
            13ms systemd-fsck@dev-sda1.service
            12ms systemd-tmpfiles-setup-dev.service
             9ms tmp.mount
             9ms systemd-tmpfiles-clean.service
             8ms shadow.service
             8ms systemd-remount-fs.service
             8ms systemd-user-sessions.service
             7ms logrotate.service
             7ms sys-kernel-config.mount
             5ms ntpd.service
             5ms systemd-tmpfiles-setup.service
             4ms systemd-update-utmp.service
             3ms systemd-random-seed.service
             3ms systemd-backlight@backlight:intel_backlight.service
             2ms rtkit-daemon.service
             1ms sys-fs-fuse-connections.mount

And just to clear up any confusion with the versions posted above, here's the setup I'm currently on with these results:

$ cat /etc/fstab
/dev/mapper/luks-7101e83b-31c0-4cdf-bc07-678e00e19c32	/ ext4	rw,noatime,data=ordered 0 0

# UUID=37441f68-9d76-45bc-b98c-996e68a3555c
/dev/sda1           	/boot     	ext2      	rw,relatime	0 2

$ grep HOOKS /etc/mkinitcpio.conf
HOOKS="systemd autodetect modconf block sd-encrypt filesystems keyboard fsck"

$ cat /boot/syslinux/syslinux.cfg
LABEL arch-ssd
    MENU LABEL arch-ssd-uuid
    LINUX ../vmlinuz-linux
    APPEND luks.uuid=7101e83b-31c0-4cdf-bc07-678e00e19c32 root=UUID=eb20c219-0df8-4051-bad2-39d57aed7b59 luks.allow-discards rw
    INITRD ../intel-ucode.img,../initramfs-linux.img

I removed the crypto options from my syslinux.cfg as I understand from the wiki that LUKS detects the crypto options automatically. I also dropped the rd. prefix from my device specifiers in case the "used only for initrd" vs. "used for initrd and system" made any difference.

My questions at this point:
- am I right to think the boot time is long given the high time for systemd-cryptsetup?
- do I have to add my root partition to /etc/crypttab for any reason? I've seen this mentioned, but am not sure if it's mandatory (I can boot, so thinking not!)
- should I have no root entry in /etc/fstab? 
- anything look out of the ordinary? 

Any input is appreciated!
