systemd fails to mount encrypted volume

Prune · November 18, 2011, 8:32am

I have an encrypted swap and encrypted volume stored in a container file. Things were fine in 11.4 (64-bit), but after upgrading to 12.1 only the encrypted swap works.

This is my /etc/crypttab:

cswap /dev/disk/by-id/ata-WDC_WD3000HLFS-01G6U0_WD-WXLX08104386-part1 /dev/urandom swap
#csvn /srv/svn.cr none luks

and the relevant portion of /etc/fstab:

/dev/mapper/cswap swap swap defaults 0 0
#/dev/mapper/csvn /srv/svn ext3 acl,user_xattr,nofail 0 0

With the 2nd lines commented out, things are fine, and the swap seems to be working as evidenced by typing free -m.

svn.cr did not get corrupted either as it was working fine before the upgrade, and also now I can still mount it manually:

losetup /dev/loop0 /srv/svn.cr
cryptsetup luksOpen /dev/loop0 csvn [asks for password here]
mount /dev/mapper/csvn /srv/svn

However, the automatic mount with crypttab and fstab for this volume doesn’t work. If I uncomment the commented lines in fstab/crypttab, after the boot reaches the point where it should be asking me to type in the password for the volume, there is a horrible 60 second wait, and afterwards /var/log/messages contains the following:

Nov 17 18:52:40 fatt kernel: 95.164493] systemd[1]: Job srv-svn.cr.device/start timed out.
Nov 17 18:52:40 fatt kernel: 95.189630] systemd[1]: Job cryptsetup.target/start failed with result ‘dependency’.
Nov 17 18:52:40 fatt kernel: 95.215291] systemd[1]: Job srv-svn.mount/start failed with result ‘dependency’.
Nov 17 18:52:40 fatt kernel: 95.228349] systemd[1]: Job dev-mapper-csvn.device/start failed with result ‘dependency’.
Nov 17 18:52:40 fatt kernel: 95.241511] systemd[1]: Job cryptsetup@csvn.service/start failed with result ‘dependency’.
Nov 17 18:52:40 fatt kernel: 95.254792] systemd[1]: Job srv-svn.cr.device/start failed with result ‘timeout’.
Nov 17 18:52:40 fatt kernel: 95.596147] systemd[1]: Job dev-mapper-cswap.device/start timed out.
Nov 17 18:52:40 fatt kernel: 95.623273] systemd[1]: Job cryptsetup@cswap.service/start failed with result ‘dependency’.
Nov 17 18:52:40 fatt kernel: 95.650315] systemd[1]: Job dev-mapper-cswap.swap/start failed with result ‘dependency’.
Nov 17 18:52:40 fatt kernel: 95.663900] systemd[1]: Job dev-mapper-cswap.device/start failed with result ‘timeout’.

Strangely enough it’s showing errors for both the file-cointained volume and the swap file, even though the encrypted swap gets mounted fine when it’s the only one of the two being mounted.

Afterwards, the swap does succeed anyway:

Nov 17 18:52:40 fatt kernel: 98.787861] systemd-cryptsetup[902]: Set cipher aes, mode cbc-essiv:sha256, key size 256 bits for device /dev/disk/by-id/ata-WDC_WD3000HLFS-01G6U0_WD-WXLX08104386-part1.

I would guess systemd is either having some problem with the interactive password prompt or with using a file container. Those are the only apparent differences from the encrypted swap which works.

How do I fix this?

Additionally, I see some other errors in the startup messages, but I don’t know if they matter (the first one is near the beginning of the log, and the other one after the encrypted swap gets mounted successfully):

modprobe: FATAL: Error inserting padlock_sha (/lib/modules/3.1.0-1.2-default/kernel/drivers/crypto/padlock-sha.ko): No such device
…
Nov 17 18:52:40 fatt kernel: 98.867181] padlock_sha: VIA PadLock Hash Engine not detected.

By the way, in order to avoid another thread: the other thing that the upgrade broke is that apache2 stopped working. I found the most unusual cause: in /etc/sysconfig/apache2 the line APACHE_MODULES=" … " had a newline in the middle of the list of modules, and so modules weren’t loading. How the hell did the upgrade do that?

robin_listas · November 18, 2011, 1:13pm

On 2011-11-18 08:36, Prune wrote:
> I have an encrypted swap and encrypted volume stored in a container
> file. Things were fine in 11.4 (64-bit), but after upgrading to 12.1
> only the encrypted swap works.

Try booting with initv. Grub menu at the bottom, F5 or thereabouts. If it
works, report bug in bugzilla.

–
Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)

nrickert · November 18, 2011, 2:08pm

It is probably the file container. If it were crypto in general, there would be more complaints. However, come to think of it, I never did test an encrypted partition other than swap. I should do that.

Originally, swap did not work either. See bug 721666 for details.

As Carlos suggested, you should report this as a bug. And then you will have to find a way of living with it until the bug is fixed.

That one is not a problem, and can be safely ignored. It only indicates a failure of the attempt to access crypto speed-ups in your processor, probably indicating that your processor does not have those features.

ab · November 18, 2011, 4:23pm

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

For what it’s worth I use 11.4 with LVM-based encryption (perfect
implementation, imo… just fantastic) leaving /boot as the only thing
not encrypted, and did the same with a fresh 12.1 install (same
hardware, different machine) but this time using btrfs as the FS
(there’s a checkbox for it), LVM for encrypting everything (again,
except /boot), and without a separate /home partition (irrelevant to
this discussion) and so far everything has worked exactly the same as
before. I’m guessing this is a slightly different implementation since
I do not believe that systemd (or initv) is overly interested in the
initial decryption of volumes but maybe that is all in initrd and I have
just been blissfully unaware of it. Either way, it worked on my fresh
setup doing things in a fairly default fashion. I’d post a crypttab but
the box is not near me right now.

Good luck.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.15 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJOxnf+AAoJEF+XTK08PnB5jAoP/0YsacFqgEMZMOUgV6Ma4UM8
3Et98Xq6wLECfBXKPm3/dBSjgIMjLcYhxhJYiW94u9kx9jidJjkAAlVyeApcmYG3
SLT0lZweYTwo9sfr/7pP2xC6cGio/X0aoOCihZkJ+Ii+o8y/SDkHalxZu8XSvqZI
XItYHnTO/B5wKTEaeMBUAnQs2XjlB1Jz5BRKIJoM34yZkAxuUJbdMwUsAHnkwIm3
mj2ARI5/SzY20IUcIHoXJI+b1+LAuZ9/pB4HuThOEO9rVmtHlN9CiCpRyvma2bT0
hX03Uq597ffqbqte5OZIyZzYkHXw0KGTCd7/koDOiSPmM/8Y467tm7TxEAwNIKus
ZQEhC7akC/XjmghcPqPCcn7IGlDILWPf8nUNBnoGuOZ7HdyiP6yzuysepv1AdB2/
WP7Amycasp18QISFez7SbmnY66g1Y7Y9xmhKEQmNE11/inxKtz3qyH6dHJClEcbB
EsKNMFS1t2ymQ/3XyVX5HDWgUNMUUJtgoueaF93t2vQ90Y7v+QZzahhr5QwPpm5J
hD9hemWMOXI+EXSyC7lvfAs7oju+42y0O+qfc22HmZzyUQaAr/veu3cFpCW+QjpT
cIvP4b16boKfZzgBq5aHV1RzVBITMqumqsxwcDOotWeze6RllwEOtjfoEjGX+wcR
gEEhQTBdlucHluNFNx5E
=RwPd
-----END PGP SIGNATURE-----

Prune · November 18, 2011, 8:16pm

I don’t understand. Can you please clarify?

robin_listas · November 18, 2011, 9:13pm

On 2011-11-18 20:26, Prune wrote:
>
> robin_listas;2405520 Wrote:
>>
>> Try booting with initv. Grub menu at the bottom, F5 or thereabouts. If
>> it works, report bug in bugzilla.
>>
> I don’t understand. Can you please clarify?

When you boot, there is a small menu at the bottom of the screen, to select
options with F1, F2, F3… one of them selects the new systemd (default)
and another the classic initv. Select that one and boot.

If that solves the problem, then report bug in Bugzilla against systemd.

–
Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)