Merge pull request #66856 from flokli/systemd-cryptsetup-lvm
systemd: build with cryptsetup support, add cryptsetup generators
This commit is contained in:
commit
8e0b2b9177
6 changed files with 53 additions and 44 deletions
|
@ -25,7 +25,7 @@ let
|
|||
"nss-lookup.target"
|
||||
"nss-user-lookup.target"
|
||||
"time-sync.target"
|
||||
#"cryptsetup.target"
|
||||
"cryptsetup.target"
|
||||
"sigpwr.target"
|
||||
"timers.target"
|
||||
"paths.target"
|
||||
|
|
|
@ -4,7 +4,10 @@ import ./make-test-python.nix ({ pkgs, ... }: {
|
|||
machine = { lib, ... }: {
|
||||
imports = [ common/user-account.nix common/x11.nix ];
|
||||
|
||||
virtualisation.emptyDiskImages = [ 512 ];
|
||||
virtualisation.emptyDiskImages = [ 512 512 ];
|
||||
virtualisation.memorySize = 1024;
|
||||
|
||||
environment.systemPackages = [ pkgs.cryptsetup ];
|
||||
|
||||
fileSystems = lib.mkVMOverride {
|
||||
"/test-x-initrd-mount" = {
|
||||
|
@ -144,5 +147,25 @@ import ./make-test-python.nix ({ pkgs, ... }: {
|
|||
assert "RuntimeWatchdogUSec=30s" in output
|
||||
assert "RebootWatchdogUSec=10m" in output
|
||||
assert "KExecWatchdogUSec=5m" in output
|
||||
|
||||
# Test systemd cryptsetup support
|
||||
with subtest("systemd successfully reads /etc/crypttab and unlocks volumes"):
|
||||
# create a luks volume and put a filesystem on it
|
||||
machine.succeed(
|
||||
"echo -n supersecret | cryptsetup luksFormat -q /dev/vdc -",
|
||||
"echo -n supersecret | cryptsetup luksOpen --key-file - /dev/vdc foo",
|
||||
"mkfs.ext3 /dev/mapper/foo",
|
||||
)
|
||||
|
||||
# create a keyfile and /etc/crypttab
|
||||
machine.succeed("echo -n supersecret > /var/lib/luks-keyfile")
|
||||
machine.succeed("chmod 600 /var/lib/luks-keyfile")
|
||||
machine.succeed("echo 'luks1 /dev/vdc /var/lib/luks-keyfile luks' > /etc/crypttab")
|
||||
|
||||
# after a reboot, systemd should unlock the volume and we should be able to mount it
|
||||
machine.shutdown()
|
||||
machine.succeed("systemctl status systemd-cryptsetup@luks1.service")
|
||||
machine.succeed("mkdir -p /tmp/luks1")
|
||||
machine.succeed("mount /dev/mapper/luks1 /tmp/luks1")
|
||||
'';
|
||||
})
|
||||
|
|
|
@ -1,34 +0,0 @@
|
|||
{ systemd, cryptsetup }:
|
||||
|
||||
systemd.overrideAttrs (p: {
|
||||
version = p.version;
|
||||
name = "systemd-cryptsetup-generator-${p.version}";
|
||||
|
||||
buildInputs = p.buildInputs ++ [ cryptsetup ];
|
||||
outputs = [ "out" ];
|
||||
|
||||
buildPhase = ''
|
||||
ninja systemd-cryptsetup systemd-cryptsetup-generator
|
||||
'';
|
||||
|
||||
# As ninja install is not used here, the rpath needs to be manually fixed.
|
||||
# Otherwise the resulting binary doesn't properly link against systemd-shared.so
|
||||
postFixup = ''
|
||||
for prog in `find $out -type f -executable`; do
|
||||
(patchelf --print-needed $prog | grep 'libsystemd-shared-.*\.so' > /dev/null) && (
|
||||
patchelf --set-rpath `patchelf --print-rpath $prog`:"$out/lib/systemd" $prog
|
||||
) || true
|
||||
done
|
||||
# test it's OK
|
||||
"$out"/lib/systemd/systemd-cryptsetup
|
||||
'';
|
||||
|
||||
installPhase = ''
|
||||
mkdir -p $out/lib/systemd/
|
||||
cp systemd-cryptsetup $out/lib/systemd/systemd-cryptsetup
|
||||
cp src/shared/*.so $out/lib/systemd/
|
||||
|
||||
mkdir -p $out/lib/systemd/system-generators/
|
||||
cp systemd-cryptsetup-generator $out/lib/systemd/system-generators/systemd-cryptsetup-generator
|
||||
'';
|
||||
})
|
|
@ -1,5 +1,5 @@
|
|||
{ stdenv, lib, fetchFromGitHub, fetchpatch, pkgconfig, intltool, gperf, libcap
|
||||
, curl, kmod, gnupg, gnutar, xz, pam, acl, libuuid, m4, utillinux, libffi
|
||||
{ stdenv, lib, fetchFromGitHub, pkgconfig, intltool, gperf, libcap
|
||||
, curl, kmod, gnupg, gnutar, xz, pam, acl, libuuid, m4, e2fsprogs, utillinux, libffi
|
||||
, glib, kbd, libxslt, coreutils, libgcrypt, libgpgerror, libidn2, libapparmor
|
||||
, audit, lz4, bzip2, pcre2
|
||||
, linuxHeaders ? stdenv.cc.libc.linuxHeaders
|
||||
|
@ -9,6 +9,7 @@
|
|||
, patchelf
|
||||
, substituteAll
|
||||
, getent
|
||||
, cryptsetup, lvm2
|
||||
, buildPackages
|
||||
, perl
|
||||
, withSelinux ? false, libselinux
|
||||
|
@ -30,6 +31,7 @@ let gnupg-minimal = gnupg.override {
|
|||
zlib = null;
|
||||
bzip2 = null;
|
||||
};
|
||||
|
||||
in stdenv.mkDerivation {
|
||||
version = "245.7";
|
||||
pname = "systemd";
|
||||
|
@ -89,7 +91,7 @@ in stdenv.mkDerivation {
|
|||
];
|
||||
buildInputs =
|
||||
[ linuxHeaders libcap curl.dev kmod xz pam acl
|
||||
/* cryptsetup */ libuuid glib libgcrypt libgpgerror libidn2
|
||||
cryptsetup libuuid glib libgcrypt libgpgerror libidn2
|
||||
pcre2 ] ++
|
||||
stdenv.lib.optional withKexectools kexectools ++
|
||||
stdenv.lib.optional withLibseccomp libseccomp ++
|
||||
|
@ -176,12 +178,28 @@ in stdenv.mkDerivation {
|
|||
export LC_ALL="en_US.UTF-8";
|
||||
# FIXME: patch this in systemd properly (and send upstream).
|
||||
# already fixed in f00929ad622c978f8ad83590a15a765b4beecac9: (u)mount
|
||||
for i in src/remount-fs/remount-fs.c src/core/mount.c src/core/swap.c src/fsck/fsck.c units/emergency.service.in units/rescue.service.in src/journal/cat.c src/shutdown/shutdown.c src/nspawn/nspawn.c src/shared/generator.c units/systemd-logind.service.in units/systemd-nspawn@.service.in; do
|
||||
for i in \
|
||||
src/core/mount.c \
|
||||
src/core/swap.c \
|
||||
src/cryptsetup/cryptsetup-generator.c \
|
||||
src/fsck/fsck.c \
|
||||
src/journal/cat.c \
|
||||
src/nspawn/nspawn.c \
|
||||
src/remount-fs/remount-fs.c \
|
||||
src/shared/generator.c \
|
||||
src/shutdown/shutdown.c \
|
||||
units/emergency.service.in \
|
||||
units/rescue.service.in \
|
||||
units/systemd-logind.service.in \
|
||||
units/systemd-nspawn@.service.in; \
|
||||
do
|
||||
test -e $i
|
||||
substituteInPlace $i \
|
||||
--replace /usr/bin/getent ${getent}/bin/getent \
|
||||
--replace /sbin/mkswap ${lib.getBin utillinux}/sbin/mkswap \
|
||||
--replace /sbin/swapon ${lib.getBin utillinux}/sbin/swapon \
|
||||
--replace /sbin/swapoff ${lib.getBin utillinux}/sbin/swapoff \
|
||||
--replace /sbin/mke2fs ${lib.getBin e2fsprogs}/sbin/mke2fs \
|
||||
--replace /sbin/fsck ${lib.getBin utillinux}/sbin/fsck \
|
||||
--replace /bin/echo ${coreutils}/bin/echo \
|
||||
--replace /bin/cat ${coreutils}/bin/cat \
|
||||
|
|
|
@ -546,6 +546,7 @@ mapAliases ({
|
|||
surf-webkit2 = surf; # added 2017-04-02
|
||||
sup = throw "deprecated in 2019-09-10: abandoned by upstream";
|
||||
system_config_printer = system-config-printer; # added 2016-01-03
|
||||
systemd-cryptsetup-generator = throw "systemd-cryptsetup-generator is now included in the systemd package"; # added 2020-07-12
|
||||
systemd_with_lvm2 = throw "obsolete, enabled by default via the lvm module"; # added 2020-07-12
|
||||
systool = sysfsutils; # added 2018-04-25
|
||||
tahoelafs = tahoe-lafs; # added 2018-03-26
|
||||
|
|
|
@ -16953,7 +16953,11 @@ in
|
|||
|
||||
criu = callPackage ../os-specific/linux/criu { };
|
||||
|
||||
cryptsetup = callPackage ../os-specific/linux/cryptsetup { };
|
||||
cryptsetup = callPackage ../os-specific/linux/cryptsetup {
|
||||
# cryptsetup only really needs the devmapper component of cryptsetup
|
||||
# but itself is used as a library in systemd (=udev)
|
||||
lvm2 = lvm2.override { udev = null; };
|
||||
};
|
||||
|
||||
cramfsswap = callPackage ../os-specific/linux/cramfsswap { };
|
||||
|
||||
|
@ -18003,9 +18007,6 @@ in
|
|||
};
|
||||
udev = systemd; # TODO: move to aliases.nix
|
||||
|
||||
# standalone cryptsetup generator for systemd
|
||||
systemd-cryptsetup-generator = callPackage ../os-specific/linux/systemd/cryptsetup-generator.nix { };
|
||||
|
||||
systemd-wait = callPackage ../os-specific/linux/systemd-wait { };
|
||||
|
||||
sysvinit = callPackage ../os-specific/linux/sysvinit { };
|
||||
|
|
Loading…
Reference in a new issue