#1 2017-10-10 23:45:13

jkhsjdhjs
Member
Registered: 2017-09-05
Posts: 39

[SOLVED] systemd root fs decrypt password query times out after 90s

Hi,

first of all: I don't know if this question really fits in "Kernel & Hardware", but since I'm quite new here I couldn't post it in "System Administration".

I'm running my system on an encrypted partition that needs to be decrypted on boot. This is done using the following hooks in my /etc/initcpio.conf:

HOOKS="base systemd autodetect modconf block sd-vconsole sd-encrypt sd-lvm2 filesystems keyboard fsck"

Besides, my /etc/crypttab.initramfs contains the following:

luks-lvm        UUID=*************       -       luks,discard

Decrypting works just fine, the problem I have is that the password query times out after 90s, then I'm dropped into emergency shell. But according to this page (search for "timeout=") that shouldn't happen and it should wait forever.

So I searched for similar problems and came across a post in the openSUSE forum where someone is experiencing the same problem with his home partition. He solves it by adding the option "initrd" to his crypttab; unfortunately that didn't solve it for me.

He also mentions a "crypto-early.service", which has a TimeoutStartUSec value of 90s, when I run "systemctl show crypto-early.service". But I couldn't find that service in my /boot/initramfs-linux.img.
In there I only found the following files containing the expression 'crypt' in their names:

usr/lib/libgcrypt.so.20
usr/lib/libcryptsetup.so.4
usr/lib/systemd/systemd-cryptsetup
usr/lib/systemd/system/cryptsetup.target
usr/lib/systemd/system/sysinit.target.wants/cryptsetup.target
usr/lib/systemd/system-generators/systemd-cryptsetup-generator
usr/lib/libcrypt.so.1
usr/lib/modules/4.13.4-1-ARCH/kernel/fscrypto.ko
usr/lib/modules/4.13.4-1-ARCH/kernel/pcrypt.ko
usr/lib/modules/4.13.4-1-ARCH/kernel/crypto_engine.ko
usr/lib/modules/4.13.4-1-ARCH/kernel/dm-crypt.ko
usr/lib/modules/4.13.4-1-ARCH/kernel/ccp-crypto.ko
usr/lib/modules/4.13.4-1-ARCH/kernel/virtio_crypto.ko
usr/lib/modules/4.13.4-1-ARCH/kernel/cryptd.ko
usr/lib/modules/4.13.4-1-ARCH/kernel/tcrypt.ko
usr/lib/modules/4.13.4-1-ARCH/kernel/fcrypt.ko
usr/lib/modules/4.13.4-1-ARCH/kernel/crypto_user.ko
usr/lib/modules/4.13.4-1-ARCH/kernel/mcryptd.ko
usr/lib/modules/4.13.4-1-ARCH/kernel/crypto_simd.ko
etc/crypttab

Now I'm clueless what to do in order to remove that timeout and I'm hoping for helpful answers!

Thanks in advance,

jkhsjdhjs

Last edited by jkhsjdhjs (2017-11-07 16:10:22)

#2 2017-10-11 00:45:03

loqs
Member
Registered: 2014-03-06
Posts: 17,196

Re: [SOLVED] systemd root fs decrypt password query times out after 90s

Can you check the timeout on the unit when you are dropped to the rescue prompt? The unit should be in /run/systemd/generator/, probably called systemd-cryptsetup@root.service.

#3 2017-10-11 01:17:32

jkhsjdhjs
Member
Registered: 2017-09-05
Posts: 39

Re: [SOLVED] systemd root fs decrypt password query times out after 90s

Of course:

systemctl show systemd-cryptsetup@root.service

[...]
TimeoutStartUSec=1min 30s
TimeoutStopUSec=1min 30s
RuntimeMaxUSec=infinity
[...]

cat run/systemd/generator/systemd-cryptsetup@luks\\x2dlvm.service

[...]
[Service]
Type=oneshot
RemainAfterExit=yes
TimeoutSec=0
[...]

systemctl show systemd-cryptsetup@luks\\x2dlvm.service

[...]
TimeoutStartUSec=infinity
TimeoutStopUSec=infinity
RuntimeMaxUSec=infinity
[...]

systemctl status systemd-cryptsetup@root.service
-> Unit could not be found.

systemctl status systemd-cryptsetup@luks\\x2dlvm.service

[...]
Oct 11 01:00:06 archlinux systemd[1]: Starting Cryptography Setup for luks-lvm...
Oct 11 01:01:39 archlinux systemd-cryptsetup[147]: Set cipher aes, mode xts-plain64, key size 256 bits for device /dev/disk/by-uuid/*************
Oct 11 01:01:41 archlinux systemd-cryptsetup[147]: Invalid passphrase.
[...]

I didn't enter any passphrase btw, just let it time out.

#4 2017-10-11 02:09:26

loqs
Member
Registered: 2014-03-06
Posts: 17,196

Re: [SOLVED] systemd root fs decrypt password query times out after 90s

So where is the systemd-cryptsetup@root.service unit, or where are those values derived from?

#5 2017-10-11 15:18:14

jkhsjdhjs
Member
Registered: 2017-09-05
Posts: 39

Re: [SOLVED] systemd root fs decrypt password query times out after 90s

I think the values for systemd-cryptsetup@root.service are derived from some default values because it is non-existent and systemd-cryptsetup@luks\\x2dlvm.service is the unit that is actually used for decryption.

#6 2017-10-11 18:50:51

loqs
Member
Registered: 2014-03-06
Posts: 17,196

Re: [SOLVED] systemd root fs decrypt password query times out after 90s

If you set the timeout in /etc/crypttab.initramfs to 60 seconds does that reduce the timeout to 60 seconds and does the error message change?
You could also try 120 seconds.

#7 2017-10-11 21:08:07

jkhsjdhjs
Member
Registered: 2017-09-05
Posts: 39

Re: [SOLVED] systemd root fs decrypt password query times out after 90s

Yes, it does!

Output with no timeout specified:

[...]
[  OK  ] Started Journal Service.
[  OK  ] Found device ST95005620AS 3.
         Starting Cryptography Setup for luks-lvm...
Please enter passphrase for disk ST95005620AS (luks-lvm)!
[...90s later...]
You are in emergency mode. After logging in, type "journalctl -xb" to view system logs, "systemctl reboot" to reboot, "systemctl default" or ^D to boot
into default mode.
Press Enter for maintenance
(or press Control-D to continue):

Output with a timeout of 60s:

[...]
[  OK  ] Started Journal Service.
[  OK  ] Found device ST95005620AS 3.
         Starting Cryptography Setup for luks-lvm...
Please enter passphrase for disk ST95005620AS (luks-lvm)!
[...60s later...]
[FAILED] Failed to start Cryptography Setup for luks-lvm.
See 'systemctl status "systemd-cryptography@luks\\x2dlvm.service"' for details.
[DEPEND] Dependency failed for Local Encrypted Volumes.
[...30s later...]
[ TIME ] Timed out waiting for device dev-mapper-lvm\x2droot.device.
[DEPEND] Dependency failed for Initrd Root Device.
[DEPEND] Dependency failed for File System Check on /dev/mapper/lvm-root.
[DEPEND] Dependency failed for /sysroot.
[DEPEND] Dependency failed for Initrd Root File System.
[DEPEND] Dependency failed for Reload Configuration from the Real Root.
[ TIME ] Timed out waiting for device dev-mapper-lvm\x2dswap.device.
[DEPEND] Dependency failed for Resume from hibernation using device /dev/mapper/lvm-swap.
[  OK  ] Reached target Local File Systems (Pre).
[  OK  ] Reached target Initrd File Systems.
[  OK  ] Reached target Local File Systems.
[  OK  ] Started Emergency Shell.
[  OK  ] Reached target Emergency Mode.
You are in emergency mode. After logging in, type "journalctl -xb" to view system logs, "systemctl reboot" to reboot, "systemctl default" or ^D to boot
into default mode.
Press Enter for maintenance
(or press Control-D to continue):

EDIT: So apparently the problem is caused by lvm2 which times out after 90s, right?

Last edited by jkhsjdhjs (2017-10-11 21:52:54)

#8 2017-10-12 15:00:07

seth
Member
Registered: 2012-09-03
Posts: 49,992

Re: [SOLVED] systemd root fs decrypt password query times out after 90s

Output with no timeout specified:

Did you try an explicit 0 timeout?

#9 2017-10-12 15:02:12

jkhsjdhjs
Member
Registered: 2017-09-05
Posts: 39

Re: [SOLVED] systemd root fs decrypt password query times out after 90s

Yes, got the same error message as with no timeout specified.

EDIT: I also tried adding x-systemd.device-timeout=0 to all lvm partitions in /etc/fstab, but it didn't change anything.
EDIT2: Of course it didn't, the root fs is still crypted at the point of failure....

Last edited by jkhsjdhjs (2017-10-12 15:34:39)

#10 2017-11-07 13:28:18

Sebastian256
Member
Registered: 2017-11-06
Posts: 4

Re: [SOLVED] systemd root fs decrypt password query times out after 90s

I just added my solution to the wiki.
To have unlimited timeout and unlimited number of attempts*, use the following kernel options:

rd.luks.uuid=... rd.luks.options=tries=0,timeout=0 root=UUID=... rootflags=x-systemd.device-timeout=0 rw

The trick is rootflags. Place everything that would normally go to fstab in that parameter in order to apply it to the root fs.

(*) Limiting to the default of three attempts is not really a security benefit because it can be overridden by editing the parameters from within the bootloader.

Last edited by Sebastian256 (2017-11-07 17:14:08)
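
An added example, not part of any post in this thread: a POSIX shell check that reads a kernel command line and reports the two waits the thread identifies, the passphrase prompt (timeout= in rd.luks.options) and the root device wait (x-systemd.device-timeout= in rootflags). The function names, sample command lines and placeholder UUIDs are assumptions; only the global rd.luks.options= form is parsed and only a literal 0 counts as unlimited.

```shell
#!/bin/sh
# Added example (not from the thread): summarize the unlock-related waits
# that a kernel command line configures for the sd-encrypt hook.

# opt_value LIST KEY: print the last value of KEY in a comma-separated list.
opt_value() {
    printf '%s\n' "$1" | tr ',' '\n' |
        awk -F= -v k="$2" '$1 == k { v = $2 } END { print v }'
}

# audit_cmdline CMDLINE: print one summary line for the given command line.
# Assumption: only the global "rd.luks.options=opt,opt" form is parsed.
audit_cmdline() {
    luks_opts='' root_flags=''
    set -f                      # no globbing while splitting on whitespace
    for word in $1; do
        case $word in
            rd.luks.options=*) luks_opts=${word#rd.luks.options=} ;;
            rootflags=*)       root_flags=${word#rootflags=} ;;
        esac
    done
    set +f
    tries=$(opt_value "$luks_opts" tries)
    timeout=$(opt_value "$luks_opts" timeout)
    devto=$(opt_value "$root_flags" x-systemd.device-timeout)
    # An unset timeout= already means "wait forever" for the prompt (see the
    # first post); the root device wait must be set to 0 explicitly, otherwise
    # it expires (after 90s in this thread) and drops to the emergency shell.
    if [ "${timeout:-0}" = 0 ] && [ "$devto" = 0 ]; then
        verdict=unlimited
    else
        verdict=bounded
    fi
    printf 'tries=%s timeout=%s device-timeout=%s wait=%s\n' \
        "${tries:-unset}" "${timeout:-unset}" "${devto:-unset}" "$verdict"
}

# Constructed sample command lines (the UUIDs are placeholders).
FIXED='rd.luks.uuid=UUID-PLACEHOLDER rd.luks.options=tries=0,timeout=0 root=UUID=ROOT-PLACEHOLDER rootflags=x-systemd.device-timeout=0 rw'
PARTIAL='rd.luks.uuid=UUID-PLACEHOLDER rd.luks.options=timeout=0 root=UUID=ROOT-PLACEHOLDER rw'

audit_cmdline "$FIXED"
audit_cmdline "$PARTIAL"
```

On a running system, pass "$(cat /proc/cmdline)" as the argument instead of the sample strings.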

#11 2017-11-07 16:09:57

jkhsjdhjs
Member
Registered: 2017-09-05
Posts: 39

Re: [SOLVED] systemd root fs decrypt password query times out after 90s

Thank you very much!!! It works like a charm!

Last edited by jkhsjdhjs (2017-11-07 16:11:04)
