initramfs creates empty /cryptroot/crypttab file -- is it a bug in Bullseye?
by libCognition from LinuxQuestions.org on (#5JCZ2)
What am I doing wrong? I have a /etc/crypttab file with one line, and update-initramfs is creating an empty /cryptroot/crypttab file inside the initrd image. These are all the steps I took:
Code:$ sgdisk --clear\
-a 1 --new=1:34:2047 -c 1:"BIOS boot" --typecode=1:$(sgdisk --list-types | sed -ne 's/.*\(....\).bios.*/\1/gip')\
-a 2048 --new=2:0:0 -c 2:"mygroup" --typecode=2:$(sgdisk --list-types | sed -ne 's/.*\(....\).Linux.LUKS.*/\1/gip')\
/dev/sdb
$ cryptsetup luksFormat --type luks1 /dev/sdb2; # GRUB supports luks1 not luks2
$ cryptsetup open /dev/sdb2 cryptlvm
$ aptitude install lvm2
$ pvcreate /dev/mapper/cryptlvm
$ vgcreate mygroup /dev/mapper/cryptlvm
$ lvcreate -L 6G mygroup -n swap
$ lvcreate -L 106G mygroup -n root
$ lvcreate -L 140G mygroup -n home
$ lvcreate -l 100%FREE mygroup -n var
$ mkswap --label swap /dev/mygroup/swap
$ mkfs.ext4 -L root /dev/mygroup/root
$ mkfs.ext4 -L home /dev/mygroup/home
$ mkfs.ext4 -L var /dev/mygroup/var
$ sync
$ swapon /dev/mygroup/swap
$ mkdir /mnt/debian_target
$ mount /dev/mygroup/root !$
$ for mp in /home /var; do mkdir /mnt/debian_target$mp; done
$ mount /dev/mygroup/home /mnt/debian_target/home
$ mount /dev/mygroup/var /mnt/debian_target/var
$ rsync -va --progress /images/debian-edu-bullseye-DI-rc1-amd64-BD-1.iso /mnt/debian_target/images/
$ mkdir -p /mnt/debian_target/media/debian_install_bd
$ mount -o loop /mnt/debian_target/images/debian-edu-bullseye-DI-rc1-amd64-BD-1.iso /mnt/debian_target/media/debian_install_bd
$ torsocks /usr/sbin/debootstrap --no-check-gpg --arch amd64 --include linux-image-amd64,grub-pc,locales,lvm2,cryptsetup,bash-completion,gdisk\
bullseye /mnt/debian_target file:///mnt/debian_target/media/debian_install_bd
$ mount --rbind /dev /mnt/debian_target/dev
$ cp /old_drive/etc/fstab /mnt/debian_target/etc/
$ blkid -l -t PARTLABEL=mygroup | awk '{gsub(/"/,""); print "cryptlvm " $2 " none luks,discard"}' > /mnt/debian_target/etc/crypttab

Indeed running "cat /mnt/debian_target/etc/crypttab" shows the correct line there in etc/.
Code:$ blkid
$ emacs /mnt/debian_target/etc/*tab; # replace the blkids with the correct ones
$ cp /old_drive/etc/adjtime /mnt/debian_target/etc/
$ cat /etc/network/interfaces >> /mnt/debian_target/etc/network/interfaces
$ emacs /mnt/debian_target/etc/network/interfaces; # make sure it's proper
$ cp /etc/hosts /mnt/debian_target/etc/
$ cp /etc/modules /mnt/debian_target/etc/
$ emacs /mnt/debian_target/etc/modules; # comment out modules for not-yet-installed pkgs
$ sed -e 's/^deb/#uncomment-me-later#deb/;s/stretch/bullseye/gi' /etc/apt/sources.list > /mnt/debian_target/etc/apt/sources.list
$ find /etc/apt/sources.list.d -type f ! -iname \*~ -exec bash -c 'for fn; do sed -e "s/^deb/#uncomment-me-later#deb/;s/stretch/bullseye/gi" "$fn" > /mnt/debian_target"$fn"; done' _ {} +
$ printf '\n\n%s\n' '/repository/images/debian-edu-bullseye-DI-rc1-amd64-BD-1.iso /media/debian_install_bd udf,iso9660 loop,ro,user,noauto 0 0' >> /mnt/debian_target/etc/fstab
$ chroot /mnt/debian_target apt-cdrom --no-auto-detect --no-mount -d=/media/debian_install_bd add

Side issue: normally `apt update` should work at this point, but it failed. Not sure where apt-cdrom goes wrong, but it's a red herring. I mention it here in case anyone knows more, but my workaround is to comment out "deb cdrom:..." from sources.list and treat it like local files as follows:
Code:$ printf '\n\n%s\n' 'deb [trusted=yes check-valid-until=no] file:/media/debian_install_bd/ bullseye main contrib' >> /mnt/debian_target/etc/apt/sources.list
$ chroot /mnt/debian_target apt update

This will overwrite lines that set GRUB_ENABLE_CRYPTODISK to ensure that it gets enabled. If that setting is not present, it will be added to the end. Also add the rd.luks.name=<UUID>=cryptlvm kernel option.
Code:$ buuid=$(blkid -l -t PARTLABEL=mygroup | awk '{gsub(/"/,""); print "rd.luks.name=" $2 "=cryptlvm"}')
$ sed -i -e '1{p;s/.*/GRUB_ENABLE_CRYPTODISK=y/;h;d};/^[[:blank:]]*GRUB_ENABLE_CRYPTODISK[[:blank:]]*=/I{s/.*//;x};/GRUB_CMDLINE_LINUX=/s/"/"'"$buuid"'/;$G' /mnt/debian_target/etc/default/grub; # "-i -e", not "-ie": GNU sed reads -ie as -i with backup suffix "e" and leaves a stray "grube" file behind

That results in these relevant lines in /mnt/debian_target/etc/default/grub:
Code:GRUB_CMDLINE_LINUX="rd.luks.name=UUID=(proper UUID redacted)=cryptlvm"
GRUB_ENABLE_CRYPTODISK=y

Code:$ chroot /mnt/debian_target grub-install --recheck /dev/sdb
$ chroot /mnt/debian_target update-grub; # side issue: this searches for boot loaders on all drives even though os-prober is not installed. So all other drives must be unplugged -- is there a better way?
$ chroot /mnt/debian_target dpkg-reconfigure locales
$ chroot /mnt/debian_target update-initramfs -u -t -k all
$ chroot /mnt/debian_target adduser me
$ chroot /mnt/debian_target usermod -aG sudo me

Rebooting at this point fails because (initrd):cryptroot/crypttab is an empty file. The fix is to replace the empty crypttab in the initrd with the one in /etc/, like this:
Code:$ mkdir /tmp/initrd-hack
$ cd /tmp/initrd-hack
$ gunzip -c /mnt/debian_target/boot/initrd.img-5.10.0-6-amd64 | cpio -i
$ cp /mnt/debian_target/etc/crypttab cryptroot/crypttab
$ find . | cpio -H newc -o | gzip -9 > /mnt/debian_target/boot/initrd.img-5.10.0-6-amd64

That hack should not be necessary. Is this a bug in Bullseye's update-initramfs or did I do something wrong?
Someone suggested looking at /etc/cryptsetup-initramfs/conf-hook but it doesn't seem relevant as it's for key files not passwords. OTOH, I wonder if creating a key file and using this mechanism might force crypttab to be populated.
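An added pre-reboot check, not part of the original post and not initramfs-tools code: rather than repacking the image by hand, inspect the initrd and confirm that cryptroot/crypttab inside it actually carries the entries from /etc/crypttab, then fix the build if it does not. Debian ships lsinitramfs and unmkinitramfs for looking inside an initrd; the script below parses the image itself (the concatenated newc cpio archives mkinitramfs writes, each optionally gzip or xz compressed, with an uncompressed early-microcode archive in front when one is present) so it runs from any rescue environment without cpio(1). The in-image paths cryptroot/crypttab and */sbin/cryptsetup are assumptions about the initramfs-tools layout; zstd-compressed images are reported rather than decoded because the standard library has no zstd. build_newc exists only to construct sample images for demonstration; it is not how mkinitramfs builds a real one.

```python
"""Verify that cryptroot/crypttab inside an initramfs-tools image matches /etc/crypttab.

Added example, not code from the original post or from initramfs-tools. It parses the
image as concatenated newc cpio archives, each optionally gzip or xz compressed as
mkinitramfs writes them, so it needs no cpio(1). The in-image paths cryptroot/crypttab
and */sbin/cryptsetup are assumptions about the initramfs-tools layout.
"""
import gzip
import lzma
import sys
import zlib

MAGIC = b"070701"  # newc cpio header magic

def _decompressor(blob):
    """Pick a stdlib decompressor object from the segment's magic bytes."""
    if blob[:2] == b"\x1f\x8b":
        return zlib.decompressobj(16 + zlib.MAX_WBITS)  # one gzip member
    if blob[:6] == b"\xfd7zXZ\x00":
        return lzma.LZMADecompressor()
    if blob[:4] == b"\x28\xb5\x2f\xfd":
        raise ValueError("zstd-compressed initrd: no stdlib decoder, use unmkinitramfs")
    raise ValueError("unrecognised data in initrd")

def _parse_newc(buf, pos, files):
    """Read one newc archive at absolute offset pos; return the offset past its trailer."""
    while True:
        if buf[pos:pos + 6] != MAGIC:
            raise ValueError(f"bad cpio header at offset {pos}")
        f = [int(buf[pos + 6 + i:pos + 14 + i], 16) for i in range(0, 104, 8)]
        filesize, namesize = f[6], f[11]
        name = buf[pos + 110:pos + 110 + namesize - 1].decode()
        start = (pos + 110 + namesize + 3) & ~3  # file data is 4-byte aligned
        pos = (start + filesize + 3) & ~3        # and so is the next header
        if name == "TRAILER!!!":
            return pos
        files[name] = bytes(buf[start:start + filesize])

def read_initrd(blob):
    """Return {path: data} for every file in an initramfs image."""
    files, pos = {}, 0
    while pos < len(blob):
        if blob[pos:pos + 6] == MAGIC:   # uncompressed archive (e.g. early microcode)
            pos = _parse_newc(blob, pos, files)
        elif blob[pos] == 0:             # zero padding between archives
            pos += 1
        else:                            # compressed archive, possibly followed by more
            dec = _decompressor(blob[pos:])
            files.update(read_initrd(dec.decompress(blob[pos:])))
            pos = len(blob) - len(dec.unused_data)
    return files

def parse_crypttab(text):
    """crypttab(5) lines -> {target: (source, keyfile, options)}; comments and blanks skipped."""
    entries = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields:
            while len(fields) < 4:       # keyfile defaults to "none", options to ""
                fields.append("none" if len(fields) == 2 else "")
            entries[fields[0]] = tuple(fields[1:4])
    return entries

def check_initrd_crypttab(initrd_blob, etc_crypttab_text):
    """Return a list of problems; empty means the initrd can unlock every /etc/crypttab entry."""
    files = read_initrd(initrd_blob)
    problems = []
    if not any(p.endswith("sbin/cryptsetup") for p in files):
        problems.append("no cryptsetup binary in initrd")
    if "cryptroot/crypttab" not in files:
        return problems + ["no cryptroot/crypttab in initrd"]
    inside = parse_crypttab(files["cryptroot/crypttab"].decode())
    if not inside:
        problems.append("cryptroot/crypttab in initrd is empty")
    for target, (src, _key, _opts) in parse_crypttab(etc_crypttab_text).items():
        if target not in inside:         # acceptable only for devices not needed at boot
            problems.append(f"{target}: in /etc/crypttab but not in initrd crypttab")
        elif inside[target][0] != src:
            problems.append(f"{target}: initrd maps {inside[target][0]}, /etc/crypttab says {src}")
    return problems

def build_newc(entries, compress=None):
    """Constructed samples only: pack {name: bytes} as a newc archive, optionally compressed."""
    out = bytearray()
    for ino, (name, data) in enumerate(list(entries.items()) + [("TRAILER!!!", b"")], 1):
        nm = name.encode() + b"\0"
        hdr = (ino, 0 if name == "TRAILER!!!" else 0o100644, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(nm), 0)
        out += MAGIC + "".join(f"{v:08x}" for v in hdr).encode() + nm
        out += b"\0" * (-len(out) % 4) + data   # name and data are both padded to 4 bytes
        out += b"\0" * (-len(out) % 4)
    return {None: bytes, "gzip": gzip.compress, "xz": lzma.compress}[compress](bytes(out))

if __name__ == "__main__":  # usage: check_initrd.py INITRD [CRYPTTAB]
    with open(sys.argv[1], "rb") as img, open(sys.argv[2] if len(sys.argv) > 2 else "/etc/crypttab") as ct:
        found = check_initrd_crypttab(img.read(), ct.read())
    print("\n".join(found) or "OK: initrd crypttab matches /etc/crypttab")
    sys.exit(1 if found else 0)
```

Run it from the host against the chroot's files before leaving the chroot, for example `python3 check_initrd.py /mnt/debian_target/boot/initrd.img-5.10.0-6-amd64 /mnt/debian_target/etc/crypttab`; a non-zero exit means the image as built will not prompt for the LUKS passphrase. One likely cause of the empty file in the setup above, stated as an assumption rather than a verified diagnosis: the cryptsetup-initramfs hook decides which crypttab entries belong in the image by following the root filesystem's device chain through /proc/mounts and /sys, and the chroot in the post only bind-mounts /dev. Mounting /proc and /sys into the chroot before `update-initramfs -u -t -k all` and re-running this check is the fix to try first; the hand-repacked image is overwritten by the next kernel or initramfs-tools update anyway.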