Bug 588302 - RFE: support 'noauto' in crypttab
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: systemd
Version: rawhide
Hardware: All Linux
Priority: low
Severity: medium
Assigned To: Lennart Poettering
QA Contact: Fedora Extras Quality Assurance
Keywords: FutureFeature
Reported: 2010-05-03 08:49 EDT by Jelle Geerts
Modified: 2011-02-28 15:01 EST
Doc Type: Enhancement
Last Closed: 2011-02-28 15:01:47 EST
Description Jelle Geerts 2010-05-03 08:49:04 EDT
Description of problem:
Fedora 12 keeps asking me whether I want to mount my LUKS partition at boot-time.

Steps to Reproduce:
1. Create a LUKS partition.
2. Install Fedora 12.
3. Reboot, and you will be asked for the password to mount the LUKS partition.
(This happens to be the way I stumbled upon the problem. Perhaps it also happens on an already existing Fedora installation when you create a new LUKS partition.)

Expected behavior:
1) I think it ought to be possible to configure per LUKS partition whether Fedora will ask for a password for it at boot-time.
2) The Fedora installer should ask which LUKS partitions the user wants to mount at boot-time.
3) After installing Fedora, it should also be configurable (preferably without using the terminal?) which LUKS partitions to mount at boot-time.

Additional info:
In the #fedora channel on Freenode I got the advice to add a 'noauto' flag to '/etc/crypttab'. But as it turns out, my '/etc/crypttab' is empty. Perhaps it is empty because I answered 'No' at the point where the Fedora installer asked me if I wanted to supply a password for this partition at the "partition stage" of the setup.

If it helps, another user who I think would like the mentioned feature to be implemented: http://forums.fedoraforum.org/showthread.php?t=209288
Comment 1 Adam Williamson 2010-05-03 12:10:06 EDT
You can make this an Anaconda RFE if you like, but essentially this is already implemented. It's dracut, not anaconda, and there are kernel parameters you can use:

rd_NO_LUKS

Disable crypto LUKS detection

rd_LUKS_UUID=<luks uuid>

Only activate the LUKS partitions with the given UUID

see http://fedoraproject.org/wiki/Dracut/Options .



-- 
Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers
Comment 2 Jelle Geerts 2010-05-03 12:24:18 EDT
It isn't really implemented in the way requested in this report, though. Also, anaconda isn't the only component this feature request is for, since I pointed out / requested that this be configurable after the installation (I think a lot of users would for example like it to be configurable from a GUI).
Comment 3 d. johnson 2010-05-03 13:00:04 EDT
Example, test setup - F12:

##############################################################################
### file 1 of 4: blkid.txt
##############################################################################
/dev/sda1: UUID="dcc4648f-f242-4613-b199-c2c48997b1b7" TYPE="ext4" LABEL="/boot" 
/dev/sda2: UUID="NhSWGe-WwAd-4e9j-X05i-f1Wf-RCH9-h2hRKM" TYPE="LVM2_member" 
/dev/mapper/VolGroup-lv_root: UUID="26452833-9fb3-4d0d-b1ce-40e65b87ed86" TYPE="ext4" LABEL="/rootfs" 
/dev/mapper/VolGroup-lv_swap: UUID="f2e6d5fe-f6e4-47ad-ad66-b662cf18ad48" TYPE="swap" 
/dev/mapper/VolGroup-LogVol03: UUID="c97cd5b9-cecd-4db8-9551-52c475157e62" TYPE="crypto_LUKS" 
/dev/mapper/VolGroup-LogVol02: UUID="1df7aea9-8026-4d2e-b486-04d5ced33619" TYPE="crypto_LUKS" 
/dev/mapper/luks-c97cd5b9-cecd-4db8-9551-52c475157e62: UUID="f571a9d4-f2d6-48be-a386-146b9ff6b57e" TYPE="ext4" LABEL="/trash" 
/dev/mapper/luks-1df7aea9-8026-4d2e-b486-04d5ced33619: UUID="1fac30d4-f39a-4d72-8862-4594b32272d4" TYPE="ext4" LABEL="/home" 
##############################################################################
### file 2 of 4: crypttab.orig
##############################################################################
luks-c97cd5b9-cecd-4db8-9551-52c475157e62 UUID=c97cd5b9-cecd-4db8-9551-52c475157e62 none 
luks-1df7aea9-8026-4d2e-b486-04d5ced33619 UUID=1df7aea9-8026-4d2e-b486-04d5ced33619 none 
##############################################################################
### file 3 of 4: crypttab
##############################################################################
luks-1df7aea9-8026-4d2e-b486-04d5ced33619 UUID=1df7aea9-8026-4d2e-b486-04d5ced33619 none 
##############################################################################
### file 4 of 4: grub.conf
##############################################################################
# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE:  You have a /boot partition.  This means that
#          all kernel and initrd paths are relative to /boot/, eg.
#          root (hd0,0)
#          kernel /vmlinuz-version ro root=/dev/mapper/VolGroup-lv_root
#          initrd /initrd-[generic-]version.img
#boot=/dev/sda
default=0
timeout=0
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title Fedora (2.6.32.11-99.fc12.x86_64)
	root (hd0,0)
	kernel /vmlinuz-2.6.32.11-99.fc12.x86_64 ro root=/dev/mapper/VolGroup-lv_root  LANG=en_US.UTF-8 SYSFONT=latarcyrheb-sun16 KEYBOARDTYPE=pc KEYTABLE=us rhgb quiet rd_LUKS_UUID="1fac30d4-f39a-4d72-8862-4594b32272d4" rd_NO_LUKS
	initrd /initramfs-2.6.32.11-99.fc12.x86_64.img


By using /etc/crypttab.orig, it still asks for /trash's password.

Delete the line that matches /trash from crypttab, rerun dracut, and it boots, but fsck insists that a partition is dirty.

If you also remove that line (comment) from fstab, it boots.

Sadly, that means you need to edit /etc/{crypttab,fstab,grub.conf} to all match or it tries to mount both crypto filesystems.  You could add the entry to autofs so that it would be mountable by the user at will.

Debian's solution to this was to use 'noauto' as the 4th param in crypttab.  dracut/initrd would need to look for the 4th param to make this work.
Comment 4 Hans de Goede 2010-05-07 08:39:33 EDT
For F-13 and later, anaconda writes a dracut cmdline in such a way that dracut will only ask for LUKS passwords if they are needed to mount /. This puts this RFE out of anaconda's and dracut's hands.

I think that rc.sysinit will then still ask for LUKS passwords after / has been mounted. Making that configurable would fall upon rc.sysinit, changing component.
Comment 5 Bill Nottingham 2010-08-03 10:28:13 EDT
*** Bug 620589 has been marked as a duplicate of this bug. ***
Comment 6 Bill Nottingham 2011-02-28 15:01:47 EST
systemd in F-15 supports 'noauto' for crypttab handling; closing as fixed in rawhide.
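
Added example (not code from this bug report or from systemd): an audit of the crypttab/fstab agreement that Comment 3 ran into, using 'noauto' in the 4th crypttab field. Per current crypttab(5), a 'noauto' volume is still unlocked at boot when a mount that is not itself 'noauto' depends on it. Assumptions: fstab names the volume as /dev/mapper/<name>, and the file contents are constructed, reusing the mapping names from Comment 3.

```python
# Added example: audit crypttab 'noauto' entries against fstab.
# Both file bodies are constructed samples; mapping names reuse those in Comment 3.

CRYPTTAB = """\
luks-c97cd5b9-cecd-4db8-9551-52c475157e62 UUID=c97cd5b9-cecd-4db8-9551-52c475157e62 none noauto
luks-1df7aea9-8026-4d2e-b486-04d5ced33619 UUID=1df7aea9-8026-4d2e-b486-04d5ced33619 none
"""

FSTAB = """\
/dev/mapper/VolGroup-lv_root / ext4 defaults 1 1
/dev/mapper/luks-1df7aea9-8026-4d2e-b486-04d5ced33619 /home ext4 defaults 1 2
/dev/mapper/luks-c97cd5b9-cecd-4db8-9551-52c475157e62 /trash ext4 defaults 1 2
"""

def _rows(text):
    """Yield whitespace-split fields of each non-blank, non-comment line."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line.split()

def parse_crypttab(text):
    """Return {mapping name: set of options from the 4th field}."""
    vols = {}
    for f in _rows(text):
        if len(f) < 2:
            continue  # malformed: name and device are mandatory
        vols[f[0]] = set(f[3].split(",")) if len(f) > 3 else set()
    return vols

def audit(crypttab, fstab):
    """Split volumes into boot-time and deferred; flag mounts that defeat noauto."""
    vols = parse_crypttab(crypttab)
    mounts = {}  # mapping name -> (mount point, mount options)
    for f in _rows(fstab):
        if len(f) >= 4 and f[0].startswith("/dev/mapper/"):
            mounts[f[0][len("/dev/mapper/"):]] = (f[1], set(f[3].split(",")))
    at_boot = sorted(n for n, o in vols.items() if "noauto" not in o)
    deferred = sorted(n for n, o in vols.items() if "noauto" in o)
    conflicts = sorted(mounts[n][0] for n in deferred
                       if n in mounts and "noauto" not in mounts[n][1])
    return at_boot, deferred, conflicts

if __name__ == "__main__":
    at_boot, deferred, conflicts = audit(CRYPTTAB, FSTAB)
    print("unlocked at boot:", at_boot)
    print("deferred (noauto):", deferred)
    print("fstab mounts still pulling in a noauto volume:", conflicts)
```

With the sample input the /trash mount is reported as a conflict; marking that fstab line 'noauto' as well clears it.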
