Hi,
first of all: I don't know if this question really fits in "Kernel & Hardware", but since I'm quite new here I couldn't post it in "System Administration".
I'm running my system on an encrypted partition that needs to be decrypted on boot. This is done using the following hooks in my /etc/initcpio.conf:
HOOKS="base systemd autodetect modconf block sd-vconsole sd-encrypt sd-lvm2 filesystems keyboard fsck"
Besides, my /etc/crypttab.initramfs contains the following:
luks-lvm UUID=************* - luks,discard
Decrypting works just fine; the problem I have is that the password query times out after 90s, and then I'm dropped into an emergency shell. But according to this page (search for "timeout=") that shouldn't happen and it should wait forever.
So I searched for similar problems and came across a post in the openSUSE forum where someone is experiencing the same problem with his home partition. He solves it by adding the option "initrd" to his crypttab; unfortunately, that didn't solve it for me.
He also mentions a "crypto-early.service", which has a TimeoutStartUSec value of 90s when I run "systemctl show crypto-early.service". But I couldn't find that service in my /boot/initramfs-linux.img.
In there I only found the following files containing the expression 'crypt' in their names:
usr/lib/libgcrypt.so.20
usr/lib/libcryptsetup.so.4
usr/lib/systemd/systemd-cryptsetup
usr/lib/systemd/system/cryptsetup.target
usr/lib/systemd/system/sysinit.target.wants/cryptsetup.target
usr/lib/systemd/system-generators/systemd-cryptsetup-generator
usr/lib/libcrypt.so.1
usr/lib/modules/4.13.4-1-ARCH/kernel/fscrypto.ko
usr/lib/modules/4.13.4-1-ARCH/kernel/pcrypt.ko
usr/lib/modules/4.13.4-1-ARCH/kernel/crypto_engine.ko
usr/lib/modules/4.13.4-1-ARCH/kernel/dm-crypt.ko
usr/lib/modules/4.13.4-1-ARCH/kernel/ccp-crypto.ko
usr/lib/modules/4.13.4-1-ARCH/kernel/virtio_crypto.ko
usr/lib/modules/4.13.4-1-ARCH/kernel/cryptd.ko
usr/lib/modules/4.13.4-1-ARCH/kernel/tcrypt.ko
usr/lib/modules/4.13.4-1-ARCH/kernel/fcrypt.ko
usr/lib/modules/4.13.4-1-ARCH/kernel/crypto_user.ko
usr/lib/modules/4.13.4-1-ARCH/kernel/mcryptd.ko
usr/lib/modules/4.13.4-1-ARCH/kernel/crypto_simd.ko
etc/crypttab
Now I'm clueless what to do in order to remove that timeout and I'm hoping for helpful answers!
Thanks in advance,
jkhsjdhjs
Last edited by jkhsjdhjs (2017-11-07 16:10:22)
Offline
Can you check the timeout on the unit when you are dropped to the rescue prompt? The unit should be in /run/systemd/generator/, probably called systemd-cryptsetup@root.service.
Offline
Of course:
systemctl show systemd-cryptsetup@root.service
[...]
TimeoutStartUSec=1min 30s
TimeoutStopUSec=1min 30s
RuntimeMaxUSec=infinity
[...]
cat run/systemd/generator/systemd-cryptsetup@luks\\x2dlvm.service
[...]
[Service]
Type=oneshot
RemainAfterExit=yes
TimeoutSec=0
[...]
systemctl show systemd-cryptsetup@luks\\x2dlvm.service
[...]
TimeoutStartUSec=infinity
TimeoutStopUSec=infinity
RuntimeMaxUSec=infinity
[...]
systemctl status systemd-cryptsetup@root.service
-> Unit could not be found.
systemctl status systemd-cryptsetup@luks\\x2dlvm.service
[...]
Oct 11 01:00:06 archlinux systemd[1]: Starting Cryptography Setup for luks-lvm...
Oct 11 01:01:39 archlinux systemd-cryptsetup[147]: Set cipher aes, mode xts-plain64, key size 256 bits for device /dev/disk/by-uuid/*************
Oct 11 01:01:41 archlinux systemd-cryptsetup[147]: Invalid passphrase.
[...]
I didn't enter any passphrase btw, just let it time out.
Offline
So where is the systemd-cryptsetup@root.service unit, or where are those values derived from?
Offline
I think the values for systemd-cryptsetup@root.service are derived from some default values, because it is non-existent and systemd-cryptsetup@luks\\x2dlvm.service is the unit that is actually used for decryption.
Offline
If you set the timeout in /etc/crypttab.initramfs to 60 seconds, does that reduce the timeout to 60 seconds, and does the error message change?
You could also try 120 seconds.
Offline
Yes, it does!
Output with no timeout specified:
[...]
[ OK ] Started Journal Service.
[ OK ] Found device ST95005620AS 3.
Starting Cryptography Setup for luks-lvm...
Please enter passphrase for disk ST95005620AS (luks-lvm)!
[...90s later...]
You are in emergency mode. After logging in, type "journalctl -xb" to view system logs, "systemctl reboot" to reboot, "systemctl default" or ^D to boot
into default mode.
Press Enter for maintenance
(or press Control-D to continue):
Output with a timeout of 60s:
[...]
[ OK ] Started Journal Service.
[ OK ] Found device ST95005620AS 3.
Starting Cryptography Setup for luks-lvm...
Please enter passphrase for disk ST95005620AS (luks-lvm)!
[...60s later...]
[FAILED] Failed to start Cryptography Setup for luks-lvm.
See 'systemctl status "systemd-cryptography@luks\\x2dlvm.service"' for details.
[DEPEND] Dependency failed for Local Encrypted Volumes.
[...30s later...]
[ TIME ] Timed out waiting for device dev-mapper-lvm\x2droot.device.
[DEPEND] Dependency failed for Initrd Root Device.
[DEPEND] Dependency failed for File System Check on /dev/mapper/lvm-root.
[DEPEND] Dependency failed for /sysroot.
[DEPEND] Dependency failed for Initrd Root File System.
[DEPEND] Dependency failed for Reload Configuration from the Real Root.
[ TIME ] Timed out waiting for device dev-mapper-lvm\x2dswap.device.
[DEPEND] Dependency failed for Resume from hibernation using device /dev/mapper/lvm-swap.
[ OK ] Reached target Local File Systems (Pre).
[ OK ] Reached target Initrd File Systems.
[ OK ] Reached target Local File Systems.
[ OK ] Started Emergency Shell.
[ OK ] Reached target Emergency Mode.
You are in emergency mode. After logging in, type "journalctl -xb" to view system logs, "systemctl reboot" to reboot, "systemctl default" or ^D to boot
into default mode.
Press Enter for maintenance
(or press Control-D to continue):
EDIT: So apparently the problem is caused by lvm2 which times out after 90s, right?
Last edited by jkhsjdhjs (2017-10-11 21:52:54)
Offline
Output with no timeout specified:
Did you try an explicit 0 timeout?
Offline
Yes, got the same error message as with no timeout specified.
EDIT: I also tried adding x-systemd.device-timeout=0 to all lvm partitions in /etc/fstab, but it didn't change anything.
EDIT2: Of course it didn't; the root fs is still encrypted at the point of failure...
Last edited by jkhsjdhjs (2017-10-12 15:34:39)
Offline
I just added my solution to the wiki.
To have an unlimited timeout and an unlimited number of attempts*, use the following kernel options:
rd.luks.uuid=... rd.luks.options=tries=0,timeout=0 root=UUID=... rootflags=x-systemd.device-timeout=0 rw
The trick is rootflags. Place everything that would normally go to fstab in that parameter in order to apply it to the root fs.
(*) Limiting to the default of three attempts is not really a security benefit because it can be overridden by editing the parameters from within the bootloader.
Last edited by Sebastian256 (2017-11-07 17:14:08)
Offline
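An added example, not part of any post in this thread: a POSIX shell check that audits a kernel command line for the three settings named in the solution post above (timeout=0 and tries=0 in rd.luks.options, x-systemd.device-timeout=0 in rootflags). The function names and sample command lines are constructed for illustration, and only the global rd.luks.options= form shown in the post is handled.

```sh
#!/bin/sh
# Added example: check a kernel command line for the settings from the post.

# Constructed sample inputs; the UUID values are placeholders.
SAMPLE_FIXED='rd.luks.uuid=LUKS-UUID rd.luks.options=tries=0,timeout=0 root=UUID=ROOT-UUID rootflags=x-systemd.device-timeout=0 rw'
SAMPLE_DEFAULT='rd.luks.uuid=LUKS-UUID root=UUID=ROOT-UUID rw'

# opt_has LIST ITEM: succeed if comma-separated LIST contains ITEM exactly.
opt_has() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# cmdline_value CMDLINE KEY: print the value of the last KEY=... word.
# (Taking the last occurrence is a simplification made for this example.)
cmdline_value() {
    val=""
    set -f                      # no globbing while splitting on whitespace
    for word in $1; do
        case "$word" in
            "$2="*) val=${word#"$2="} ;;
        esac
    done
    set +f
    printf '%s\n' "$val"
}

# audit_cmdline CMDLINE: print one line per missing setting;
# return 0 only when all three settings from the post are present.
audit_cmdline() {
    luks_opts=$(cmdline_value "$1" rd.luks.options)
    root_flags=$(cmdline_value "$1" rootflags)
    missing=0
    opt_has "$luks_opts" timeout=0 ||
        { echo "rd.luks.options lacks timeout=0 (passphrase prompt)"; missing=1; }
    opt_has "$luks_opts" tries=0 ||
        { echo "rd.luks.options lacks tries=0 (attempt limit)"; missing=1; }
    opt_has "$root_flags" x-systemd.device-timeout=0 ||
        { echo "rootflags lacks x-systemd.device-timeout=0 (root device wait)"; missing=1; }
    return "$missing"
}

audit_cmdline "$SAMPLE_DEFAULT" || echo "=> settings from the post are incomplete"
```

On a running system, `audit_cmdline "$(cat /proc/cmdline)"` applies the same check to the parameters the kernel was actually booted with.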
Thank you very much!!! It works like a charm!
Last edited by jkhsjdhjs (2017-11-07 16:11:04)
Offline