Systemd fights to (un)Luks home

Hi there!

I have installed EOS 2024.09.22. Since I wanted a fully encrypted system and the installer seems to be a bit restrictive with this, I ended up installing EOS on a single partition, then I added two more encrypted partitions. Bootloader is systemd.

My setup is 4 partitions (in order): efi, root, home, and swap, the last three of which are LUKS2 encrypted (all with the same passphrase for the moment). The first encrypted partition, root, was added at install time to crypttab and fstab. I manually added home and swap to both crypttab and fstab.

$ lsblk
NAME                                          MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
nvme0n1                                       259:0    0 476,9G  0 disk  
├─nvme0n1p1                                   259:1    0     1G  0 part  /efi
├─nvme0n1p2                                   259:2    0    80G  0 part  
│ └─luks-edf905f4-2c57-4279-80f3-6061c918ebb1 254:0    0    80G  0 crypt /
├─nvme0n1p3                                   259:3    0   240G  0 part  
│ └─luks-e00e47f2-fda9-4c32-865f-d7d74501560d 254:1    0   240G  0 crypt /home
├─nvme0n1p4                                   259:4    0    18G  0 part  
│ └─luks-ee6cb58e-9c4e-4a7a-ac65-4e89c68c0354 254:2    0    18G  0 crypt [SWAP]
└─nvme0n1p5                                   259:5    0 137,9G  0 part 

Sometimes, the system boots just fine. I enter the passphrase once and all runs smoothly, but for the error message below. Other times (most of the time), the system hangs at a black screen after several job pauses (waiting for…).

Anyhow, I get an error message about a systemd fight:

oct 25 12:31:12 host systemd[1]: Starting Cryptography Setup for luks-edf905f4-2c57-4279-80f3-6061c918ebb1...
oct 25 12:31:16 host systemd-cryptsetup[556]: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/disk/by-uuid/edf905f4-2c57-4279-80f3-6061c918ebb1.
oct 25 12:31:17 host systemd[1]: Finished Cryptography Setup for luks-edf905f4-2c57-4279-80f3-6061c918ebb1.
oct 25 12:31:19 host systemd[1]: Starting Cryptography Setup for home...
oct 25 12:31:19 host systemd[1]: Starting Cryptography Setup for luks-e00e47f2-fda9-4c32-865f-d7d74501560d...
oct 25 12:31:19 host systemd[1]: Starting Cryptography Setup for luks-ee6cb58e-9c4e-4a7a-ac65-4e89c68c0354...
oct 25 12:31:19 host systemd-cryptsetup[946]: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/disk/by-uuid/ee6cb58e-9c4e-4a7a-ac65-4e89c68c0354.
oct 25 12:31:19 host systemd-cryptsetup[945]: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/disk/by-uuid/e00e47f2-fda9-4c32-865f-d7d74501560d.
oct 25 12:31:19 host systemd-cryptsetup[944]: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/disk/by-diskseq/1-part3.
oct 25 12:31:21 host systemd[1]: Finished Cryptography Setup for luks-e00e47f2-fda9-4c32-865f-d7d74501560d.
oct 25 12:31:22 host systemd-cryptsetup[944]: Cannot use device /dev/disk/by-diskseq/1-part3 which is in use (already mapped or mounted).
oct 25 12:31:22 host systemd-cryptsetup[944]: Failed to activate with specified passphrase: Device or resource busy
oct 25 12:31:22 host systemd[1]: systemd-cryptsetup@home.service: Main process exited, code=exited, status=1/FAILURE
oct 25 12:31:22 host systemd[1]: systemd-cryptsetup@home.service: Failed with result 'exit-code'.
oct 25 12:31:22 host systemd[1]: Failed to start Cryptography Setup for home.
oct 25 12:31:22 host systemd[1]: systemd-cryptsetup@home.service: Consumed 4.030s CPU time, 1G memory peak.
oct 25 12:31:23 host systemd[1]: Finished Cryptography Setup for luks-ee6cb58e-9c4e-4a7a-ac65-4e89c68c0354.

As you may see, systemd tries to open home as home and as luks-e00e47f2-fda9-4c32-865f-d7d74501560d, and fails since it can be opened only once. How can I prevent systemd-cryptsetup@home.service from running, or instruct systemd so that it does not run two processes to open home?

BTW, not sure if the booting failure is directly because of this or an indirect consequence (very new system here).

Can you also post the contents of your fstab?

Of course!

$ cat /etc/crypttab
# /etc/crypttab: mappings for encrypted partitions.
#
# Each mapped device will be created in /dev/mapper, so your /etc/fstab
# should use the /dev/mapper/<name> paths for encrypted devices.
#
# See crypttab(5) for the supported syntax.
#
# NOTE: You need not list your root (/) partition here, but it must be set up
#       beforehand by the initramfs (/etc/mkinitcpio.conf). The same applies
#       to encrypted swap, which should be set up with mkinitcpio-openswap
#       for resume support.
#
# <name>               <device>                         <password> <options>
luks-edf905f4-2c57-4279-80f3-6061c918ebb1 UUID=edf905f4-2c57-4279-80f3-6061c918ebb1     none luks
luks-e00e47f2-fda9-4c32-865f-d7d74501560d UUID=e00e47f2-fda9-4c32-865f-d7d74501560d     none luks
luks-ee6cb58e-9c4e-4a7a-ac65-4e89c68c0354 UUID=ee6cb58e-9c4e-4a7a-ac65-4e89c68c0354     none luks

$ cat /etc/fstab
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a device; this may
# be used with UUID= as a more robust way to name devices that works even if
# disks are added and removed. See fstab(5).
#
# <file system>             <mount point>  <type>  <options>  <dump>  <pass>
UUID=ABCE-55FB                            /efi           vfat    fmask=0137,dmask=0027 0 2
/dev/mapper/luks-edf905f4-2c57-4279-80f3-6061c918ebb1 /              ext4    noatime    0 1
/dev/mapper/luks-e00e47f2-fda9-4c32-865f-d7d74501560d /home          ext4    noatime    0 1
/dev/mapper/luks-ee6cb58e-9c4e-4a7a-ac65-4e89c68c0354 none           swap    defaults   0 0
tmpfs                                     /tmp           tmpfs   defaults,noatime,mode=1777 0 0

bump

Hey, and thanks. I was hoping it would be something I could spot; however, I can’t really tell what’s going on with it. I’m not sure why it’s trying to mount /dev/disk/by-diskseq/ after mounting it through UUID. Maybe someone can shine better light for you than I can.

I have dug deeper into the problem and found a partial solution, although I do not fully understand how it works.

I realized systemd-cryptsetup-generator generates the units based supposedly on the content of /etc/crypttab. First I deleted the references to swap in /etc/crypttab and /etc/fstab, then dracut-rebuild, and all works fine. Surprisingly, the swap partition is magically unlocked on /dev/mapper/swap. How does it know it is swap? Second, I did the same for home, and it worked. I am even more puzzled now, how does it know to map it to /dev/mapper/home? However, since there was no reference in ‘/etc/fstab’, I had to add it for proper mounting at boot. Finally, I tried to change the luks device name for root to /dev/mapper/root, but then the system won’t boot. Again, puzzled.

The current crypttab and fstab files are as follows.

$ cat /etc/crypttab
# /etc/crypttab: mappings for encrypted partitions.
#
# <name>      <device>                                     <password> <options>
luks-edf905f4-2c57-4279-80f3-6061c918ebb1 UUID=edf905f4-2c57-4279-80f3-6061c918ebb1     none luks

$ cat /etc/fstab 
# /etc/fstab: static file system information.
#
# <file system>          <mount point>  <type>  <options> <dump> <pass>
UUID=ABCE-55FB            /efi           vfat    fmask=0137,dmask=0027 0 2
/dev/mapper/luks-edf905f4-2c57-4279-80f3-6061c918ebb1 /              ext4    noatime    0 1
/dev/mapper/home          /home          ext4    noatime    0 1
tmpfs                     /tmp           tmpfs   defaults,noatime,mode=1777 0 0

$ lsblk 
NAME                                          MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
nvme0n1                                       259:0    0 476,9G  0 disk  
├─nvme0n1p1                                   259:1    0     1G  0 part  /efi
├─nvme0n1p2                                   259:2    0    80G  0 part  
│ └─luks-edf905f4-2c57-4279-80f3-6061c918ebb1 254:0    0    80G  0 crypt /
├─nvme0n1p3                                   259:3    0   240G  0 part  
│ └─home                                      254:1    0   240G  0 crypt /home
├─nvme0n1p4                                   259:4    0    18G  0 part  
│ └─swap                                      254:2    0    18G  0 crypt [SWAP]
└─nvme0n1p5                                   259:5    0 137,9G  0 part

The system boots now with no errors. I would like to understand how the units are generated from no information and mapped to the “correct” names and change the root one to root.

I forgot to mention, the initial problem occurred because two different units for home are generated, one simply named home, the other named luks-, and the system only boots when the one in fstab is unlocked first.
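
An added example, not part of any post in this thread: a small Python check that correlates the boot journal with /etc/crypttab to list cryptsetup units that were started without a crypttab entry and to flag the case where such a unit failed because its partition was already mapped. The sample journal and crypttab lines are abridged from the ones posted above; the function names `crypttab_names` and `audit` are hypothetical.

```python
import re

# Constructed sample input: lines abridged from the journal and crypttab in this thread.
JOURNAL = """\
oct 25 12:31:12 host systemd[1]: Starting Cryptography Setup for luks-edf905f4-2c57-4279-80f3-6061c918ebb1...
oct 25 12:31:19 host systemd[1]: Starting Cryptography Setup for home...
oct 25 12:31:19 host systemd[1]: Starting Cryptography Setup for luks-e00e47f2-fda9-4c32-865f-d7d74501560d...
oct 25 12:31:19 host systemd[1]: Starting Cryptography Setup for luks-ee6cb58e-9c4e-4a7a-ac65-4e89c68c0354...
oct 25 12:31:22 host systemd-cryptsetup[944]: Cannot use device /dev/disk/by-diskseq/1-part3 which is in use (already mapped or mounted).
oct 25 12:31:22 host systemd[1]: Failed to start Cryptography Setup for home.
"""
CRYPTTAB = """\
# <name>  <device>  <password> <options>
luks-edf905f4-2c57-4279-80f3-6061c918ebb1 UUID=edf905f4-2c57-4279-80f3-6061c918ebb1 none luks
luks-e00e47f2-fda9-4c32-865f-d7d74501560d UUID=e00e47f2-fda9-4c32-865f-d7d74501560d none luks
luks-ee6cb58e-9c4e-4a7a-ac65-4e89c68c0354 UUID=ee6cb58e-9c4e-4a7a-ac65-4e89c68c0354 none luks
"""

START = re.compile(r"Starting Cryptography Setup for (\S+?)\.\.\.$")
FAIL = re.compile(r"Failed to start Cryptography Setup for (\S+?)\.$")
BUSY = re.compile(r"Cannot use device (\S+) which is in use")

def crypttab_names(text):
    """Mapping names (first field) of every non-comment crypttab line."""
    rows = (line.split() for line in text.splitlines())
    return {f[0] for f in rows if f and not f[0].startswith("#")}

def audit(journal, crypttab):
    """Correlate cryptsetup units seen at boot with what crypttab declares."""
    declared = crypttab_names(crypttab)
    started, failed, busy = [], [], []
    for line in journal.splitlines():
        for rx, bucket in ((START, started), (FAIL, failed), (BUSY, busy)):
            m = rx.search(line)
            if m:
                bucket.append(m.group(1))
    return {
        # Units started without a crypttab entry: generated from another source.
        "undeclared": sorted(set(started) - declared),
        "failed": failed,
        "busy_devices": busy,
        # A failed, undeclared unit plus a busy device: two units raced for one partition.
        "duplicate_unlock": sorted(n for n in set(failed) - declared if busy),
    }

if __name__ == "__main__":
    for key, value in audit(JOURNAL, CRYPTTAB).items():
        print(f"{key}: {value}")
```

On a live system, the same functions can be fed the output of `journalctl -b` and the contents of `/etc/crypttab` in place of the embedded samples.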