random-archer / mkinitcpio-systemd-tool

Provisioning tool for systemd in initramfs (systemd-tool)

Home Page: https://www.archlinux.org/packages/community/any/mkinitcpio-systemd-tool/

License: Other

Shell 47.24% Makefile 1.63% Python 51.13%
archlinux systemd cryptsetup dropbear ssh mkinitcpio-hook mkinitcpio systemd-service initrd provision

mkinitcpio-systemd-tool's Introduction

mkinitcpio-systemd-tool

Summary

Never write another mkinitcpio hook again: use systemd-tool.

Provisioning tool for systemd in initramfs (systemd-tool):

mkinitcpio hook name: systemd-tool

Core features provided by the hook:

  • unified systemd + mkinitcpio configuration
  • automatic provisioning of binary and config resources
  • on-demand invocation of mkinitcpio scripts and in-line functions

Features provided by the included service units:

  • initrd debugging
  • early network setup
  • interactive user shell
  • remote ssh access in initrd
  • cryptsetup + plymouth support
  • cryptsetup + custom password agent

Issues

Useful issues resolved in the past

Example

Basic usage steps:

  1. study and practice system recovery

  2. install the package:

     pacman -S mkinitcpio-systemd-tool

  3. activate required hooks in /etc/mkinitcpio.conf:

     HOOKS=(base ... systemd systemd-tool)

  4. configure, override and enable/disable provided units; for example, for remote unlocking of luks root with cryptsetup and tinysshd use:

     edit /etc/mkinitcpio-systemd-tool/config/crypttab
     edit /etc/mkinitcpio-systemd-tool/config/fstab
     systemctl enable initrd-cryptsetup.path
     systemctl enable initrd-tinysshd.service
     systemctl enable initrd-debug-progs.service
     systemctl enable initrd-sysroot-mount.service

  5. build image, review content and finally reboot:

     mkinitcpio -v -p linux > /tmp/initrd.log
     lsinitcpio -l /boot/initramfs-linux.img | grep initrd
     systemctl reboot

Install Details

pacman install actions:

  • take a look in arch repo and make file
  • provision user config and vendor systemd units into:
  • /etc/mkinitcpio-systemd-tool (with backup)
  • /usr/lib/systemd/system (with silent overwrite)

mkinitcpio install hook actions:

  • look for enabled units in the /etc/systemd/system
  • include in initrd units containing marker /etc/initrd-release
  • activate transitively in initrd any discovered systemd service units
  • auto provision into initramfs resources declared inside initrd service units

Provisioning Questions and Answers

what is the mkinitcpio hook entry provided by this package?

  • hook name: systemd-tool
  • required hooks are: base systemd systemd-tool
  • recommended hooks are: base autodetect modconf block filesystems keyboard fsck systemd systemd-tool

how can I customize installed service units?

  • follow regular approaches to editing provided units
  • create service unit override with systemctl edit $unit_name
  • enable/disable with systemctl enable $unit_name / systemctl disable $unit_name

how can I review generated /boot/initramfs-linux.img?

how does systemd unit transitive dependency provisioning work?

  • see mkinitcpio-install.sh/add_systemd_unit_X()
  • units found in [Unit]/Requires|OnFailure are recursively installed

what is the purpose of [X-SystemdTool] section in service unit files?

  • see systemd/systemd#3340
  • this section provides configuration interface for mkinitcpio provisioning actions
  • directives: InitrdPath InitrdLink InitrdBinary InitrdBuild InitrdCall InitrdUnit

how can I auto-provision my custom service unit binaries into initramfs?

  • use InitrdBinary=/path/target-exec to provision service binary
  • all Exec* entries such as ExecStart=/usr/bin/program are also provisioned

how can I auto-provision my custom service unit resources into initramfs?

  • use InitrdPath=/path/to/host/folder-or-file

how can I relocate folder during provisioning?

  • not implemented, source and target folder must use the same location

how can I relocate file and/or change file mode during provisioning?

  • use InitrdPath=/target-file source=/source-file mode=NNN

how can I filter directory content during provisioning?

  • use InitrdPath=/target-folder glob=*.example

how can I provision optional folder or file?

  • use InitrdPath=/target-file source=/source-file optional=yes

is there a way to create empty folder or file?

  • for empty dir, use InitrdPath=/path/target-dir/ create=yes (note trailing SLASH)
  • for empty file, use InitrdPath=/path/target-file create=yes (note NO trailing slash)

how can I provision a symbolic link?

  • use InitrdLink=/path-to-link/link-name target=/path-to-target/target-name
  • note that link target /path-to-target/target-name must be provisioned separately

can I invoke a provisioning script related to my service during mkinitcpio build time?

  • use InitrdBuild=/path-to/script.sh command=function_name

can I call a little provisioning script snippet during mkinitcpio build time?

  • check for available mkinitcpio functions in /usr/lib/initcpio/functions.sh
  • use InitrdCall=inline-bash-code-here to call these functions

how can I provide a custom interactive user shell for the ssh client?

  • change sample shell file located in /usr/lib/mkinitcpio-systemd-tool/initrd-shell.sh

which ssh user keys are used by initramfs sshd server(s)?

  • they come from host /etc/mkinitcpio-systemd-tool/config/authorized_keys
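
An added example, not code from the project: a small Python reader that lists what one unit file asks the hook to put into the initramfs, using only the directive forms shown in the answers above, and flags entries worth a second look before rebuilding the image. The sample unit, its paths and the handling of Exec prefix characters are assumptions; the hook's own parser in mkinitcpio-install.sh may behave differently.

```python
from dataclasses import dataclass, field

# Directive names listed in the README answer on [X-SystemdTool].
TOOL_DIRECTIVES = {"InitrdPath", "InitrdLink", "InitrdBinary",
                   "InitrdBuild", "InitrdCall", "InitrdUnit"}
# These two run a script or inline bash while the image is being built.
BUILD_TIME_CODE = {"InitrdBuild", "InitrdCall"}

# Constructed sample unit, not one of the units shipped by the package.
SAMPLE_UNIT = """\
[Unit]
Description=Constructed sample initrd service
ConditionPathExists=/etc/initrd-release
Requires=initrd-network.service
OnFailure=emergency.target

[Service]
ExecStart=/usr/bin/demo-agent --listen
ExecStop=-/usr/bin/demo-cleanup

[X-SystemdTool]
InitrdBinary=/usr/bin/demo-helper
InitrdPath=/etc/demo/ glob=*.conf
InitrdPath=/etc/demo/key source=/etc/mkinitcpio-systemd-tool/config/demo.key mode=644
InitrdPath=/var/empty/ create=yes
InitrdLink=/bin/demo target=/usr/bin/demo-missing
InitrdBuild=/usr/lib/demo/build.sh command=do_provision
InitrdCall=add_binary /usr/bin/true
"""


@dataclass
class Entry:
    directive: str                      # "InitrdPath", "ExecStart", "Requires", ...
    value: str                          # target path, unit name or inline code
    options: dict = field(default_factory=dict)


def parse_unit(text):
    """Return {section: [(key, value), ...]}; repeated keys are all kept."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], [])
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current.append((key.strip(), value.strip()))
    return sections


def is_initrd_unit(text):
    """The hook only includes units that contain the /etc/initrd-release marker."""
    return "/etc/initrd-release" in text


def manifest(text):
    """List everything this unit pulls into the image, per the README answers."""
    sections, entries = parse_unit(text), []
    for key, value in sections.get("X-SystemdTool", []):
        tokens = value.split()
        if key not in TOOL_DIRECTIVES or not tokens:
            continue
        if key == "InitrdCall":                      # inline bash, keep verbatim
            entries.append(Entry(key, value))
            continue
        opts = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        entries.append(Entry(key, tokens[0], opts))
    for key, value in sections.get("Service", []):   # Exec* binaries
        if key.startswith("Exec") and value:
            # Assumption: strip systemd's Exec prefix characters before the path.
            entries.append(Entry(key, value.lstrip("-@+!:").split()[0]))
    for key, value in sections.get("Unit", []):      # transitive units
        if key in ("Requires", "OnFailure"):
            entries.extend(Entry(key, unit) for unit in value.split())
    return entries


def review(entries):
    """Flag build-time code, loose file modes and links without a target here."""
    provisioned = {e.value for e in entries
                   if e.directive in ("InitrdPath", "InitrdBinary")}
    findings = []
    for e in entries:
        if e.directive in BUILD_TIME_CODE:
            findings.append(f"build-time code: {e.directive}={e.value}")
        if e.directive == "InitrdPath" and "mode" in e.options:
            try:
                if int(e.options["mode"], 8) & 0o077:
                    findings.append(f"group/other access: {e.value} mode={e.options['mode']}")
            except ValueError:
                findings.append(f"invalid mode: {e.value} mode={e.options['mode']}")
        if e.directive == "InitrdLink" and e.options.get("target") not in provisioned:
            findings.append(f"link target not provisioned in this unit: "
                            f"{e.value} -> {e.options.get('target')}")
    return findings


if __name__ == "__main__":
    for line in review(manifest(SAMPLE_UNIT)):
        print(line)
```

A link target reported here may still be provisioned by another enabled unit; the check only looks at the one file it is given.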

Shell Script Questions and Answers

there is an initrd-shell.sh script provided, what does it do?

  • it is used as both interactive login shell and as a systemd service
  • when crypto disks are present, it acts as password agent
  • when in ssh console, it offers simple interactive menu
  • when in systemd service mode, it acts as service

how can I review initrd-shell.sh actions during last boot?

  • use journalctl -b -t shell

what does CTRL-C do to initrd-shell.sh in different modes?

  • initrd-shell.sh provides appropriate reaction to interrupt, depending on the context
  • while in ssh terminal password agent prompt, it will start a menu from initrd-shell.sh
  • while in /dev/tty local debug console, it will exit from initrd-shell.sh
  • while in /dev/console password agent prompt, it will restart the initrd-shell.sh service

is there a silent or no-echo mode during password entry in initrd-shell.sh?

  • there are two ways to enter silent mode (see systemd-ask-password.c):
  • either by pressing BACKSPACE as first key or by pressing TAB at any time
  • then the prompt will show extra text: (no echo)

mkinitcpio-systemd-tool's People

Contributors

9r, andrei-pozolotin, archangegabriel, dvzrv, fandingo, fredleb, jlsalvador, kalehmann, keschercode, makuhama, mflorianw, pmbarrett314, thevoidnn


mkinitcpio-systemd-tool's Issues

Bridge creation in initramfs?

Hi,

It looks like the systemd-tool hook only reads the file initrd-network.network, but not the full *.netdev *.network, which makes it pretty hard to create a bridge device.

Is it possible to create bridges at initramfs? Or is there any special config grammar that I can put all the bridge setup into the same file?

Raspberry Pi kernel modules directory

Unhelpful error on systemd-cryptsetup "Failed to activate: Invalid argument"

I've been taking the last few hours trying to set this up so I can have a Full Disk Encryption on my Raspberry PI and be able to remotely decrypt. I now have this error and I don't know why. Attached is a photo of the logs from my raspberry pi 3b+
img_20180508_131700

ci: repo install

replace manual-setup.sh with better approximation to pacman -S

device stopped after timeout

I'm using systemd-tool to remotely unlock my disk crypto via SSH and it works fine so far. But after a timeout of 90 seconds with no password entered, dropbear and the whole network is stopped so I can't enter the password remotely if I miss this time frame.

My setup in detail: Two disks are in a MDADM RAID1, on top of which is a LUKS encrypted volume (to be unlocked at /dev/mapper/crypt_system) which contains the only volume for the LVM VG 'system' providing a LV 'root' with the actual rootfs. So in short: LVM in LUKS in MDADM.

Jan 21 00:47:35 localhost systemd[1]: systemd 232 running in system mode. (+PAM -AUDIT -SELINUX -IMA -APPARMOR +SMACK -SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BL
Jan 21 00:47:35 localhost systemd[1]: Detected architecture x86-64.
Jan 21 00:47:35 localhost systemd[1]: Running in initial RAM disk.
[...]
Jan 21 00:47:35 localhost systemd[1]: Started Initrd Dropbear Service.
Jan 21 00:47:35 localhost dropbear[139]: Not backgrounding
Jan 21 00:47:35 localhost systemd[1]: Started udev Kernel Device Manager.
[...]
Jan 21 00:47:35 localhost systemd[1]: Starting Network Service...
Jan 21 00:47:35 localhost systemd-networkd[187]: Enumeration completed
Jan 21 00:47:35 localhost systemd-networkd[187]: eth1: IPv6 enabled for interface: Success
Jan 21 00:47:35 localhost systemd[1]: Started Network Service.
Jan 21 00:47:36 localhost systemd-networkd[187]: eth0: IPv6 enabled for interface: Success
[...]
Jan 21 00:47:37 localhost systemd[1]: Found device /dev/disk/by-uuid/[...].
Jan 21 00:47:37 localhost systemd[1]: Starting Cryptography Setup for crypt_system...
Jan 21 00:47:37 localhost systemd[1]: Started Initrd Cryptsetup Service.
Jan 21 00:47:37 localhost systemd[1]: Started Dispatch Password Requests to Console.
Jan 21 00:47:37 localhost kernel: device-mapper: uevent: version 1.0.3
Jan 21 00:47:37 localhost kernel: device-mapper: ioctl: 4.35.0-ioctl (2016-06-23) initialised: [email protected]
Jan 21 00:47:37 localhost shell[223]: service/loc info : init
Jan 21 00:47:37 localhost shell[226]: service/loc info : cryptsetup service
Jan 21 00:47:37 localhost shell[230]: service/loc info : crypt jobs
Jan 21 00:47:37 localhost shell[233]: service/loc info : custom agent try #1
Jan 21 00:47:37 localhost kernel: tg3 0000:01:00.1 eth1: Link is up at 100 Mbps, full duplex
Jan 21 00:47:37 localhost kernel: tg3 0000:01:00.1 eth1: Flow control is on for TX and on for RX
Jan 21 00:47:37 localhost kernel: tg3 0000:01:00.1 eth1: EEE is disabled
Jan 21 00:47:37 localhost kernel: IPv6: ADDRCONF(NETDEV_CHANGE): eth1: link becomes ready
Jan 21 00:47:37 localhost systemd-networkd[187]: eth1: Gained carrier
Jan 21 00:47:37 localhost shell[242]: service/loc info : query start
Jan 21 00:47:38 localhost systemd-networkd[187]: eth1: Gained IPv6LL
Jan 21 00:47:39 localhost kernel: tg3 0000:01:00.0 eth0: Link is up at 1000 Mbps, full duplex
Jan 21 00:47:39 localhost kernel: tg3 0000:01:00.0 eth0: Flow control is off for TX and off for RX
Jan 21 00:47:39 localhost kernel: tg3 0000:01:00.0 eth0: EEE is enabled
Jan 21 00:47:39 localhost kernel: IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
Jan 21 00:47:39 localhost systemd-networkd[187]: eth0: Gained carrier
Jan 21 00:47:40 localhost systemd-networkd[187]: eth1: DHCPv4 address [...]/26
Jan 21 00:47:41 localhost systemd-networkd[187]: eth0: Gained IPv6LL
Jan 21 00:47:42 localhost systemd-networkd[187]: eth0: DHCPv4 address [...]/24 via [...]
Jan 21 00:47:42 localhost systemd-networkd[187]: eth0: Configured
Jan 21 00:47:51 localhost systemd-networkd[187]: eth1: Configured
Jan 21 00:49:05 localhost systemd[1]: dev-system-root.device: Job dev-system-root.device/start timed out.
Jan 21 00:49:05 localhost systemd[1]: Timed out waiting for device dev-system-root.device.
Jan 21 00:49:05 localhost systemd[1]: Dependency failed for Initrd Root Device.
Jan 21 00:49:05 localhost systemd[1]: initrd-root-device.target: Job initrd-root-device.target/start failed with result 'dependency'.
Jan 21 00:49:05 localhost systemd[1]: initrd-root-device.target: Triggering OnFailure= dependencies.
Jan 21 00:49:05 localhost systemd[1]: Dependency failed for /sysroot.
Jan 21 00:49:05 localhost systemd[1]: Dependency failed for Initrd Root File System.
Jan 21 00:49:05 localhost dropbear[139]: Early exit: Terminated by signal
Jan 21 00:49:05 localhost systemd[1]: Dependency failed for Reload Configuration from the Real Root.
Jan 21 00:49:05 localhost systemd[1]: initrd-parse-etc.service: Job initrd-parse-etc.service/start failed with result 'dependency'.
Jan 21 00:49:05 localhost systemd[1]: initrd-parse-etc.service: Triggering OnFailure= dependencies.
Jan 21 00:49:05 localhost systemd[1]: initrd-root-fs.target: Job initrd-root-fs.target/start failed with result 'dependency'.
Jan 21 00:49:05 localhost systemd[1]: initrd-root-fs.target: Triggering OnFailure= dependencies.
Jan 21 00:49:05 localhost systemd[1]: sysroot.mount: Job sysroot.mount/start failed with result 'dependency'.
Jan 21 00:49:05 localhost systemd[1]: Dependency failed for File System Check on /dev/system/root.
Jan 21 00:49:05 localhost systemd[1]: systemd-fsck-root.service: Job systemd-fsck-root.service/start failed with result 'dependency'.
Jan 21 00:49:05 localhost systemd[1]: dev-system-root.device: Job dev-system-root.device/start failed with result 'timeout'.
Jan 21 00:49:05 localhost systemd[1]: Reached target Initrd File Systems.
Jan 21 00:49:05 localhost systemd[1]: Started Emergency Shell.
Jan 21 00:49:05 localhost systemd[1]: Reached target Emergency Mode.
Jan 21 00:49:05 localhost sh[251]: initrd-network: disable network devices
Jan 21 00:49:05 localhost systemd[1]: Stopping Initrd Dropbear Service...
Jan 21 00:49:05 localhost systemd[1]: Stopped Initrd Dropbear Service.
Jan 21 00:49:05 localhost systemd[1]: Stopping Initrd Network Service...
Jan 21 00:49:05 localhost systemd-networkd[187]: eth0: Lost carrier
Jan 21 00:49:05 localhost systemd-networkd[187]: eth0: DHCP lease lost
Jan 21 00:49:05 localhost systemd[1]: Stopped Initrd Network Service.
Jan 21 00:49:05 localhost systemd-networkd[187]: eth1: Lost carrier
Jan 21 00:49:05 localhost systemd-networkd[187]: eth1: DHCP lease lost
Jan 21 00:49:05 localhost systemd-networkd[187]: lo: Lost carrier

firewall inside initramfs

I think it would be useful to add nftables support to initrd-network.service.
Just add the binary (if it's not already in) and /etc/nftables.conf to initrd. It can add full firewall functionality to initrd - like knock, filter rules, etc.
Any ideas what is needed to do that?

Is the encrypt-hook required when used for root partition?

Bit confused; is it needed to set the encrypt hook before filesystems to unlock a root filesystem?
I've got troubles in the past when not using the udev hook, is it required to remove this hook?

What does the a function do? Because now I had to use s, run cryptsetup luksOpen .. to get a working boot process. Or should the / be added to /etc/crypttab?

Thanks. :)

Raspberry Pi is missing /etc/initrd-release

It's not clear what to do if '/etc/initrd-release' is non-existent

Is '/etc/initrd-release' required? I'm trying to set this up on a Raspberry Pi so I can remotely decrypt my file systems. It seems like it's not really required but I just made a blank file anyways to satisfy the requirement. Is this correct? What should I be doing if '/etc/initrd-release' doesn't exist?

Can someone please update the README explaining the proper way to fix a missing '/etc/initrd-release' file and whether or not it's actually required.

Wi-fi interface doesn't exist

When using the systemd-tool hook my laptop does not detect its internal wi-fi card. There's no wi-fi interface in ip a at all, ethernet works.

Plugging in a USB wi-fi adapter works fine. FN+wifi button combo does nothing besides enabling/disabling bluetooth which is also present on the chip.

Only the first line exists in dmesg if initramfs is generated with systemd-tool included:

[   11.865321] iwlwifi 0000:08:00.0: loaded firmware version 17.3216344376.0 op_mode iwlmvm
[   12.023498] iwlwifi 0000:08:00.0: Detected Intel(R) Dual Band Wireless AC 3160, REV=0x164
[   12.042434] iwlwifi 0000:08:00.0: base HW address: 2c:6e:aa:aa:aa:aa
[   12.154954] ieee80211 phy0: Selected rate control algorithm 'iwl-mvm-rs'
[   12.157350] iwlwifi 0000:08:00.0 wlp8s0: renamed from wlan0

System info:

systemd 242.32-3
Linux test 5.2.0-arch2-1-ARCH #1 SMP PREEMPT Mon Jul 8 18:18:54 UTC 2019 x86_64 GNU/Linux
HOOKS=(base systemd autodetect keyboard sd-vconsole modconf block sd-encrypt sd-lvm2 filesystems fsck systemd-tool)
[0] # cat /proc/cmdline
initrd=\intel-ucode.img initrd=\initramfs-linux.img rd.luks.name=5054b30f-5441-4052-853b-3be38e4a9a33=cryptlvm root=/dev/ArchVol/root rw

Do not error out on disabled services

I do not use dropbear, yet mkinitcpio will try to look for it and end up throwing an error code, which means I have to work around error codes in my script.

Ideally if the dropbear(or tinyssh) service is disabled, mkinitcpio should not error out on the files not being available.

==> Building image from preset: /etc/mkinitcpio.d/linux.preset: 'default'
  -> -k /boot/vmlinuz-linux -c /etc/mkinitcpio.conf -g /boot/initramfs-linux.img
==> Starting build: 5.2.0-arch2-1-ARCH
  -> Running build hook: [base]
  -> Running build hook: [systemd]
  -> Running build hook: [autodetect]
  -> Running build hook: [keyboard]
  -> Running build hook: [sd-vconsole]
  -> Running build hook: [modconf]
  -> Running build hook: [block]
  -> Running build hook: [sd-encrypt]
  -> Running build hook: [sd-lvm2]
  -> Running build hook: [filesystems]
  -> Running build hook: [fsck]
  -> Running build hook: [systemd-tool]
==> ERROR: file not found: `/bin/dropbear'
==> ERROR: invalid source path /etc/dropbear
    convert openssh to tinysshd host key ed25519
==> Generating module dependencies
==> Creating gzip-compressed initcpio image: /boot/initramfs-linux.img
==> WARNING: errors were encountered during the build. The image may not be complete.
==> Building image from preset: /etc/mkinitcpio.d/linux.preset: 'fallback'
  -> -k /boot/vmlinuz-linux -c /etc/mkinitcpio.conf -g /boot/initramfs-linux-fallback.img -S autodetect
==> Starting build: 5.2.0-arch2-1-ARCH
  -> Running build hook: [base]
  -> Running build hook: [systemd]
  -> Running build hook: [keyboard]
  -> Running build hook: [sd-vconsole]
  -> Running build hook: [modconf]
  -> Running build hook: [block]
==> WARNING: Possibly missing firmware for module: wd719x
==> WARNING: Possibly missing firmware for module: aic94xx
  -> Running build hook: [sd-encrypt]
  -> Running build hook: [sd-lvm2]
  -> Running build hook: [filesystems]
  -> Running build hook: [fsck]
  -> Running build hook: [systemd-tool]
==> WARNING: Possibly missing firmware for module: ipw2200
==> WARNING: Possibly missing firmware for module: ipw2100
==> WARNING: Possibly missing firmware for module: rsi_sdio
==> WARNING: Possibly missing firmware for module: rsi_usb
==> WARNING: Possibly missing firmware for module: rtl8723ae
==> WARNING: Possibly missing firmware for module: b43
==> WARNING: Possibly missing firmware for module: b43legacy
==> WARNING: Possibly missing firmware for module: prism54
==> WARNING: Possibly missing firmware for module: p54spi
==> WARNING: Possibly missing firmware for module: p54usb
==> WARNING: Possibly missing firmware for module: p54pci
==> WARNING: Possibly missing firmware for module: orinoco_usb
==> WARNING: Possibly missing firmware for module: at76c50x_usb
==> WARNING: Possibly missing firmware for module: atmel
==> WARNING: Possibly missing firmware for module: zd1201
==> WARNING: Possibly missing firmware for module: zd1211rw
==> WARNING: Possibly missing firmware for module: mt7615e
==> WARNING: Possibly missing firmware for module: mt7603e
==> WARNING: Possibly missing firmware for module: wcn36xx
==> WARNING: Possibly missing firmware for module: lantiq_gswip
==> WARNING: Possibly missing firmware for module: softing_cs
==> ERROR: file not found: `/bin/dropbear'
==> ERROR: invalid source path /etc/dropbear
    convert openssh to tinysshd host key ed25519
==> Generating module dependencies
==> Creating gzip-compressed initcpio image: /boot/initramfs-linux-fallback.img
==> WARNING: errors were encountered during the build. The image may not be complete.

initrd-cryptsetup luks2 incompatible

If the disk has luks2 format, the hook asks for the password (secret> ... ), but exits with an error

libgcc_s.so.1 must be installed for pthread_cancel to work

Error described in this topic, but for another hook.

mysterious path resolution in initrd

If I do enable initrd-tinysshd.service, it boots up fine but complains "Error: No such file or directory" about 13-15 times in a row, then complains two more times later. The logs in journalctl don't seem to show any of this, though. I'm also booting with plymouth.
I have these initrd-* units enabled: (I didn't edit any of them)
initrd-plymouth.path
initrd-shell.service
initrd-sysroot-mount.service
initrd-tinysshd.service

I can post more info than this but I don't really know what you guys would need to see.

Arch Linux removed 'dss' and 'dsa' from Dropbear. Results in error generating keys.

When setting up mkinitcpio-systemd-tool on a new Arch Linux system I get the below error with generating keys. I see an error with dropbear when mkinitcpio triggers a new key generation. It would seem that the maintainer of the Dropbear ssh package in Arch Linux has removed the option for generating 'dss' and 'dsa' keys. You can see the change for 'dss' at https://git.archlinux.org/svntogit/community.git/commit/trunk?h=packages/dropbear&id=76850552f9eea2289d2c016fe574ededfa9222bf near the bottom. I'm not 100% sure where 'dsa' got disabled and if that was an upstream change or if Arch Linux maintainers did that.

[root@archiso /]# mkinitcpio -p linux
==> Building image from preset: /etc/mkinitcpio.d/linux.preset: 'default'
  -> -k /boot/vmlinuz-linux -c /etc/mkinitcpio.conf -g /boot/initramfs-linux.img
==> Starting build: 4.18.14-arch1-1-ARCH
  -> Running build hook: [base]
  -> Running build hook: [autodetect]
  -> Running build hook: [modconf]
  -> Running build hook: [block]
  -> Running build hook: [filesystems]
  -> Running build hook: [keyboard]
  -> Running build hook: [fsck]
  -> Running build hook: [systemd]
  -> Running build hook: [systemd-tool]
    generate brand new dropbear host key: /etc/dropbear/dropbear_dss_host_key
==> ERROR: command failure (1): dropbearkey -t dss -f /etc/dropbear/dropbear_dss_host_key 
Unknown key type 'dss'
Usage: dropbearkey -t <type> -f <filename> [-s bits]
-t type	Type of key to generate. One of:
		rsa
		ecdsa
-f filename    Use filename for the secret key.
               ~/.ssh/id_dropbear is recommended for client keys.
-s bits	Key size in bits, should be a multiple of 8 (optional)
           ECDSA has sizes 256 384 521 
-y		Just print the publickey and fingerprint for the
		private key in <filename>.

==> Generating module dependencies
==> Creating gzip-compressed initcpio image: /boot/initramfs-linux.img
==> Image generation successful
==> Building image from preset: /etc/mkinitcpio.d/linux.preset: 'fallback'
  -> -k /boot/vmlinuz-linux -c /etc/mkinitcpio.conf -g /boot/initramfs-linux-fallback.img -S autodetect
==> Starting build: 4.18.14-arch1-1-ARCH
  -> Running build hook: [base]
  -> Running build hook: [modconf]
  -> Running build hook: [block]
==> WARNING: Possibly missing firmware for module: aic94xx
==> WARNING: Possibly missing firmware for module: wd719x
  -> Running build hook: [filesystems]
  -> Running build hook: [keyboard]
  -> Running build hook: [fsck]
  -> Running build hook: [systemd]
  -> Running build hook: [systemd-tool]
==> WARNING: Possibly missing firmware for module: softing_cs
==> WARNING: Possibly missing firmware for module: wcn36xx
==> WARNING: Possibly missing firmware for module: at76c50x_usb
==> WARNING: Possibly missing firmware for module: atmel
==> WARNING: Possibly missing firmware for module: b43
==> WARNING: Possibly missing firmware for module: b43legacy
==> WARNING: Possibly missing firmware for module: ipw2100
==> WARNING: Possibly missing firmware for module: ipw2200
==> WARNING: Possibly missing firmware for module: orinoco_usb
==> WARNING: Possibly missing firmware for module: p54pci
==> WARNING: Possibly missing firmware for module: p54spi
==> WARNING: Possibly missing firmware for module: p54usb
==> WARNING: Possibly missing firmware for module: prism54
==> WARNING: Possibly missing firmware for module: rtl8723ae
==> WARNING: Possibly missing firmware for module: rsi_sdio
==> WARNING: Possibly missing firmware for module: rsi_usb
==> WARNING: Possibly missing firmware for module: zd1201
==> WARNING: Possibly missing firmware for module: zd1211rw
    generate brand new dropbear host key: /etc/dropbear/dropbear_dss_host_key
==> ERROR: command failure (1): dropbearkey -t dss -f /etc/dropbear/dropbear_dss_host_key 
Unknown key type 'dss'
Usage: dropbearkey -t <type> -f <filename> [-s bits]
-t type	Type of key to generate. One of:
		rsa
		ecdsa
-f filename    Use filename for the secret key.
               ~/.ssh/id_dropbear is recommended for client keys.
-s bits	Key size in bits, should be a multiple of 8 (optional)
           ECDSA has sizes 256 384 521 
-y		Just print the publickey and fingerprint for the
		private key in <filename>.

==> Generating module dependencies
==> Creating gzip-compressed initcpio image: /boot/initramfs-linux-fallback.img
==> Image generation successful
[root@archiso /]# 

How to disable timeout?

Hello, I just installed your tool to decrypt my root partition via SSH.
It works fine but only for 90 seconds. Then an emergency shell gets started and I can no longer connect via SSH.
Where can I disable this timeout?

Message:
A start job is running for dev-mapper-main\x2droot.device (10s / 1min 30s)

After Timeout:

[DEPEND] Dependency failed for Initrd Root Device.
[DEPEND] Dependency failed for File System Check on /dev/mapper/main-root.
[...]

then all services stop and the emergency shell gets started.

I enabled these services:

systemctl enable initrd-cryptsetup.path
systemctl enable initrd-network.service
systemctl enable initrd-dropbear.service
systemctl enable initrd-shell.service

$ lsblk
NAME            MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
sda               8:0    0 931,5G  0 disk  
├─sda1            8:1    0   500M  0 part  /boot
└─sda2            8:2    0   931G  0 part  
  └─main        254:0    0   931G  0 crypt 
    ├─main-swap 254:1    0     8G  0 lvm   [SWAP]
    └─main-root 254:2    0   923G  0 lvm   /

initrd-dropbear.service active in real-root

I tried to make cryptroot booting possible with this tool. Unfortunately I ran into the problem of a missing file.

This is the output:
image

hooks:
HOOKS=(base autodetect modconf block filesystems keyboard systemd systemd-tool)

I executed:

systemctl enable initrd-cryptsetup.path
systemctl enable initrd-tinysshd.service
systemctl enable initrd-debug-progs.service
systemctl enable initrd-sysroot-mount.service

/etc/mkinitcpio-systemd-tool/config/crypttab:

# This file is part of https://github.com/random-archer/mkinitcpio-systemd-tool

# crypttab: mappings for encrypted partitions in initramfs
# * file location in initramfs: /etc/crypttab
# * file location in real-root: /etc/mkinitcpio-systemd-tool/config/crypttab

# crypttab format:
# https://wiki.archlinux.org/index.php/Dm-crypt/System_configuration#crypttab

# how crypttab is used by systemd:
# https://www.freedesktop.org/software/systemd/man/systemd-cryptsetup-generator.html
# https://github.com/systemd/systemd/blob/master/src/cryptsetup/cryptsetup-generator.c

# note: 
# * provide here mapper partition UUID (instead of kernel command line)
# * use password/keyfile=none to force cryptsetup password agent prompt
# * ensure that mapper-path in fstab corresponds to mapper-name in crypttab
# * for x-mount options see: https://www.freedesktop.org/software/systemd/man/systemd.mount.html

# <mapper-name>   <block-device>       <password/keyfile>   <crypto-options>
root              UUID=fad4a476-832c-4f4d-ad87-32c6f5ed02d6       none                luks
#  swap           UUID={{UUID_SWAP}}       none                luks 

/etc/mkinitcpio-systemd-tool/config/fstab:

# This file is part of https://github.com/random-archer/mkinitcpio-systemd-tool

# fstab: mappings for direct partitions in initramfs:
# * file location in initramfs: /etc/fstab
# * file location in real-root: /etc/mkinitcpio-systemd-tool/config/fstab

# fstab format:
# https://wiki.archlinux.org/index.php/Fstab

# how fstab is used by systemd:
# https://www.freedesktop.org/software/systemd/man/systemd-fstab-generator.html
# https://github.com/systemd/systemd/blob/master/src/fstab-generator/fstab-generator.c

# note: 
# * ensure /sysroot mount folder inside initramfs disk image
# * remove "root=/dev/mapper/root" stanza from kernel command line
# * provide here root partition mapping (instead of kernel command line)
# * ensure that mapper-path in fstab corresponds to mapper-name in crypttab
# * for x-mount options see: https://www.freedesktop.org/software/systemd/man/systemd.mount.html

#  <block-device>       <mount-point>    <fs-type>    <mount-options>                   <dump>  <fsck>
  /dev/mapper/root      /sysroot         auto         x-systemd.device-timeout=9999h     0       1
#  /dev/mapper/swap      none             swap         x-systemd.device-timeout=9999h     0       0

Any help to resolve this issue will be welcomed!
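
The notes in the two config files quoted above (mapper-path in fstab must match mapper-name in crypttab, "none" forces the password agent prompt, x-systemd.device-timeout on the root entry) can be checked before rebuilding the image. The following Python check is an added example, not part of the post or of the project; both sample tables, the zero UUID and the {{UUID_ROOT}} placeholder are constructed.

```python
import re

# Constructed tables that follow the layout of the two config files.
GOOD_CRYPTTAB = "root  UUID=00000000-0000-0000-0000-000000000000  none  luks\n"
GOOD_FSTAB = "/dev/mapper/root  /sysroot  auto  x-systemd.device-timeout=9999h  0  1\n"

BAD_CRYPTTAB = "# <mapper-name> <block-device> <password/keyfile> <crypto-options>\n" \
               "cryptroot  UUID={{UUID_ROOT}}  none  luks\n"
BAD_FSTAB = "/dev/mapper/root  /sysroot  auto  defaults  0  1\n"


def parse_table(text):
    """Split a crypttab/fstab style table into rows of fields, skipping comments."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            rows.append(line.split())
    return rows


def check_initrd_tables(crypttab_text, fstab_text):
    """Return a list of findings; an empty list means the notes are satisfied."""
    findings, mappers = [], {}

    for row in parse_table(crypttab_text):
        if len(row) < 2:
            findings.append(f"crypttab: malformed row {row}")
            continue
        name, device = row[0], row[1]
        keyfile = row[2] if len(row) > 2 else "none"
        mappers[name] = keyfile
        if "{{" in device:
            findings.append(f"crypttab: {name} still has a template placeholder: {device}")
        if keyfile not in ("none", "-"):
            findings.append(f"crypttab: {name} reads its key from {keyfile} instead of prompting")

    root_seen = False
    for row in parse_table(fstab_text):
        if len(row) < 4:
            findings.append(f"fstab: malformed row {row}")
            continue
        device, mount_point, _fstype, options = row[:4]
        if mount_point == "/sysroot":
            root_seen = True
        match = re.fullmatch(r"/dev/mapper/(.+)", device)
        # A mapper path that is an LVM volume inside the LUKS container will
        # also be reported here, since it has no crypttab row of its own.
        if match and match.group(1) not in mappers:
            findings.append(f"fstab: {device} has no crypttab mapping named {match.group(1)}")
        if not any(o.startswith("x-systemd.device-timeout=") for o in options.split(",")):
            findings.append(f"fstab: {device} has no x-systemd.device-timeout, "
                            "so the default start-job timeout applies")
    if not root_seen:
        findings.append("fstab: no /sysroot entry")
    return findings


if __name__ == "__main__":
    for finding in check_initrd_tables(BAD_CRYPTTAB, BAD_FSTAB):
        print(finding)
```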

Systemd 247 support

Since updating to systemd 247.1-1, my mkinitcpio became completely unusable.

I'm running mkinitcpio-systemd-tool in a cloud server to remotely unlock the LUKS encrypted disk via a dropbear SSH server. Previously, with up to systemd 246.6-1, I was able to SSH into the mkinitcpio environment to provide my passphrase, and I could also interact with the environment through the web console of my server.

Since systemd 247.1-1, SSH connections became impossible, the server does not respond to connection attempts (both ssh and netcat just hangs when trying to connect). The web console is also unusable: while I am able to interact with the server when it's still in the GRUB menu, once the initramfs is loaded, it's not responding to key presses (hence it's impossible to provide the LUKS passphrase even over the web console). However, the server is not frozen: the cursor is still blinking, and after the password prompt times out, it tries to start the recovery shell (which fails, because root login is disabled).

Downgrading to systemd 246.6-1 solved the issue for now, but it would be better if mkinitcpio-systemd-tool could be fixed. However, debugging the problem is extremely hard (since I have no way to interact with the server in the failed state).

Can't unlock partition with LUKS2

I set up a new Arch Linux system with root disk encryption using an unencrypted boot partition and a root partition with LUKS2 encryption. After the successful installation of the base system, I started to setup remote unlocking using mkinitcpio-systemd-tool.
The problem is, that the device does not get unlocked and then the switch root fails. In the emergency console I was able to run the systemd-cryptsetup command manually, which aborted with the error:
libgcc_s.so.1 must be installed for pthread_cancel to work

I found a discussion about a similar problem on the Arch Linux bug tracker.
After adding "FILES=(/usr/lib/libgcc_s.so.1)" to /etc/mkinitcpio.conf, the unlocking works and the boot process finishes without errors.

Could you have a look, if this can be solved without the workaround?
Thank you for this cool and very handy tool!

Failed to start Switch Root

  1. systemd 237 changed mount behavior
     • now it will unmount the sysroot.mount before initrd-switch-root.target
  2. this produces boot error in journalctl -e:
Feb 27 10:22:32 work3 systemd[1]: Starting Switch Root...
Feb 27 10:22:32 work3 systemctl[974]: Failed to switch root: Specified switch root path '/sysroot' does not seem to be an OS tree. os-release file is missing.
Feb 27 10:22:32 work3 systemd[1]: initrd-switch-root.service: Main process exited, code=exited, status=1/FAILURE
Feb 27 10:22:32 work3 systemd[1]: initrd-switch-root.service: Failed with result 'exit-code'.
Feb 27 10:22:32 work3 systemd[1]: Failed to start Switch Root.
  3. the immediate work around is:
     • provide secret> as usual
     • observe boot error message
     • switch to debug console: CTRL+ALT+F8
     • provide manual mount via: mount /dev/mapper/root /sysroot
     • continue boot process via: systemctl start initrd-switch-root.service

TinySSH instead of (as an optional alternative to) Dropbear?

I'm using TinySSH instead of Dropbear because of its much more tiny codebase and support for Ed25519 keys. Could it be added as an optional replacement to Dropbear? The latter only supports RSA keys AFAIK and has a way bigger footprint.

initrd-tinysshd: what installs authorized_keys?

I am trying to get remote-unlocking working with my encrypted root. I ran the commands given in the README Example section (except the debugging tools one, as I don't have mc installed).

When I inspect the generated initramfs, my authorized_keys file is nowhere to be found. When I try to log in to the tinyssh server, I get an error because my key is not authorized. I cannot find any references to copying the authorized_keys file anywhere in this repo.

mkinitcpio-hook is broken after move to "community"

Hi!
Thanks for this cool project! It worked really great until last update.

mkinitcpio -p linux completes with the following error:

==> ERROR: Missing any units in /etc/systemd/system with entry ConditionPathExists=/etc/initrd-release

After reboot sshd is not reachable from initrd and I have to wait for the timeout to be able to access the rescue shell.
From there I can unencrypt my root partition and via systemctl default continue the boot process as usual.

Something else I noticed besides the missing ability to access via ssh is that I am also unable to use ctrl+alt+Fx keys to get another tty how I did before to be able to unlock the root partition during the timeout.

Do I need to change my config?
I could not see any *.pacnew config that would have pointed me to update my configs and also I could not see anything obvious in the last couple commits.

Regards!

Sysroot on Btrfs on LVM on LUKS

I'm trying to set up systemd-tool to be able to remotely unlock my headless system via ssh. I am trying to achieve the simplest solution possible, and wish to add it to the wiki as this project is amazing, but a bit hard to figure out how to use.

The setup is as such:

NAME                   FS      LABEL   TYPE
/dev/sdX1              FAT32   boot    ef00
/dev/sdX2              LUKS    crypt   8308
- /dev/mapper/crypt    LVM     lvm
  - /dev/lvm/root      BTRFS   root
  - /dev/lvm/swap      SWAP    swap

[initramfs]/etc/crypttab:

crypt UUID=<UUID of /dev/sdX2> none luks

[initramfs]/etc/fstab:

/dev/lvm/root /sysroot auto x-systemd.device-timeout=9999h 0 1
/dev/lvm/swap none swap x-systemd.device-timeout=9999h 0 0

/etc/mkinitcpio.conf:

HOOKS=(base keyboard autodetect modconf block filesystems fsck systemd systemd-tool)

Setup before mkinitcpio -P:

Install: mkinitcpio-systemd-tool, busybox, cryptsetup, openssh, tinyssh, tinyssh-convert, mc, lvm2, btrfs-progs
Run: ssh-keygen -A
Write ssh pubkey to /root/.ssh/authorized_keys

Enabled services:

initrd-cryptsetup.path
initrd-tinysshd
initrd-debug-progs
initrd-sysroot-mount

Bootloader: systemd-boot

title	Arch Linux
linux	/vmlinuz-linux
initrd	/intel-ucode.img
initrd	/initramfs-linux.img
options	resume=/dev/nodelvm/swap

I'm able to decrypt the disk via the console or via SSH without issues. However, below is the resulting log.

[    OK    ] Found device <MODEL> crypt
               Starting Cryptography setup for crypt...
secret> 
[    OK    ] Finished Cryptography Setup for crypt.
[    OK    ] Reached target Local Encrypted Volumes.
[  TIME  ] Timed out waiting for device /dev/gpt-auto-root.
[DEPEND] Dependency failed for Initrd Root Device.

Does anyone know why the lvm volumes are not being found/mounted successfully?

initrd-sysroot-mount.service doesn't mount /sysroot

Hi,

I got some problem with your workaround for the systemd update.

My initrd-sysroot-mount doesn't mount the /sysroot and throws an error.

Mär 19 12:18:41 archlinux kernel: BTRFS error (device dm-5): failed to read chunk tree: -22
Mär 19 12:18:41 archlinux kernel: BTRFS error (device dm-5): open_ctree failed
Mär 19 12:18:41 archlinux mount[422]: mount: /sysroot: wrong fs type, bad option, bad superblock on /dev/mapper/archroot-ROOT, missing codepage or helper program, or other err>
Mär 19 12:18:41 archlinux systemd[1]: initrd-sysroot-mount.service: Main process exited, code=exited, status=32/n/a
Mär 19 12:18:41 archlinux systemd[1]: initrd-sysroot-mount.service: Failed with result 'exit-code'.
Mär 19 12:18:41 archlinux systemd[1]: Failed to start Initrd SysRoot Mount.

Here is my /etc/mkinitcpio.d/fstab/crypttab

crypttab

#
# Each mapped device will be created in /dev/mapper, so your /etc/fstab
# should use the /dev/mapper/<name> paths for encrypted devices.
#
# The Arch specific syntax has been deprecated, see crypttab(5) for the
# new supported syntax.
#
# NOTE: Do not list your root (/) partition here, it must be set up
#       beforehand by the initramfs (/etc/mkinitcpio.conf).

# <name>       <device>                                     <password>              <options>
# home         UUID=b8ad5c18-f445-495d-9095-c9ec4f9d2f37    /etc/mypassword1
# data1        /dev/sda3                                    /etc/mypassword2
# data2        /dev/sda5                                    /etc/cryptfs.key
# swap         /dev/sdx4                                    /dev/urandom            swap,cipher=aes-cbc-essiv:sha256,size=256
# vol          /dev/sdb7                                    none
cryptlvm       UUID=c0bbc682-770d-4dff-a083-46557c2ef042    none
cryptdatastore UUID=99997e7e-e9dd-4f15-979e-57e9cb2ccbd0    none                    luks

fstab:


# fstab: mappings for direct partitions

# fstab format:
# https://wiki.archlinux.org/index.php/Fstab

# how fstab is used by systemd
# https://www.freedesktop.org/software/systemd/man/systemd-fstab-generator.html
# https://github.com/systemd/systemd/blob/master/src/fstab-generator/fstab-generator.c

# note: provide /sysroot/ folder inside initramfs disk image
# note: remove "root=/dev/mapper/root" stanza from kernel command line

# provide here root partition description (instead of kernel command line)

#  <file system>        <dir>      <type>    <option>                         <dump> <pass>
#  /dev/mapper/root     /sysroot    auto     x-systemd.device-timeout=9999h     0     1
/dev/mapper/archroot-ROOT     /sysroot    btrfs     x-systemd.device-timeout=30m     0     1

Interestingly... When I manually start the service file in the emergency console, it mounts, and can boot.

any hints? :/

sysroot on lvm+btrfs

I have the following setup:

/dev/sda2: ext4 on luks that contains key files to the sysXX partitions to be mapped to /dev/mapper/keys

/dev/sda3: luks sys00
/dev/sdb1: luks sys01
/dev/sdc1: luks sys02

I want the user to only give the password at bootup for the "keys" partition.

The cryptfstab looks like this:

keys              UUID=ed67ffb1-4bdb-434a-b011-4c9147f05ad7    none                         luks
sys00             UUID=ed5d6f31-8015-4904-8ca6-e4f0d952f025    /root/keys/luks00.keyfile    luks
sys01             UUID=f2a34e45-8bdd-433d-b73a-4dd3336be28a    /root/keys/luks01.keyfile    luks
sys02             UUID=5f81c88b-a5c7-471e-981e-3b5b5b406ee6    /root/keys/luks02.keyfile    luks

The fstab looks like this:

/dev/mapper/keys         /root/keys       auto         x-systemd.device-timeout=9999h 0 1

UUID=52a7433c-3914-422c-8d71-c016badb8c81     /sysroot    auto    x-systemd.device-timeout=9999h,noatime   0 2

I got that setup working before this project became FHS compliant with an ugly hack (a call to mount) in initrd-shell.sh.

That was evil.

Now I am trying to get it to work with systemv.

My idea is that I can achieve the same thing using a systemd service that looks like this:

[Unit]
Description=Initrd Key Mounter Service
ConditionPathExists=/etc/crypttab
ConditionPathExists=/etc/fstab
ConditionPathExists=/etc/initrd-release
DefaultDependencies=no
Before=initrd-sysroot-mount.service
Requires=dev-mapper-keys.device

[Service]
Type=oneshot
ExecStart=mount /dev/mapper/keys /root/keys

[Install]
WantedBy=sysinit.target

The problem however is that this fails to build with the following error

==> ERROR: unit not found: dev-mapper-keys.device

My question is:

  • is that a bug ?
  • or am I going in the wrong direction ?

Thanks

Raspberry Pi setup

Add support for multiple encrypted devices

I'm updating this issue. After messing around I can manually mount the extra drives using the shell mode but I'd like to see better support. I'm thinking any drives that need decrypting at boot could go into /etc/mkinitcpio.d/crypttab but let the system mount them later on in /etc/fstab since they are not the root drive which should be in /etc/mkinitcpio.d/fstab

Failed to switch root: os-release file is missing

So I'm noticing this error today. I get thrown into an emergency shell and the below is some output with errors. It's saying something about os-release missing but it is there. /etc/os-release which is a symlink to /usr/lib/os-release exists.

โ— initrd-switch-root.service - Switch Root                                     
   Loaded: loaded (/usr/local/lib/systemd/system/initrd-switch-root.service; static; vendor preset: enabled)
   Active: failed (Result: exit-code) since Thu 2018-07-05 20:20:11 UTC; 7min ago
  Process: 892 ExecStart=/usr/bin/systemctl --no-block switch-root /sysroot (code=exited, status=1/FAILURE)
 Main PID: 892 (code=exited, status=1/FAILURE)                                  
                                                                                
Jul 05 20:20:11 archlinux systemd[1]: Starting Switch Root...                   
Jul 05 20:20:11 archlinux systemctl[892]: Failed to switch root: Specified switch root path '/sysroot' does not seem to be an OS tree. os-release file is missing.
Jul 05 20:20:11 archlinux systemd[1]: initrd-switch-root.service: Main process exited, code=exited, status=1/FAILURE
Jul 05 20:20:11 archlinux systemd[1]: initrd-switch-root.service: Failed with result 'exit-code'.
Jul 05 20:20:11 archlinux systemd[1]: Failed to start Switch Root.              
Jul 05 20:20:11 archlinux systemd[1]: initrd-switch-root.service: Triggering OnFailure= dependencies.

And what my os-release file looks like below

NAME="Arch Linux ARM"
ID=archarm
ID_LIKE=arch
PRETTY_NAME="Arch Linux ARM"
ANSI_COLOR="0;36"
HOME_URL="http://archlinuxarm.org/"
SUPPORT_URL="https://archlinuxarm.org/forum"
BUG_REPORT_URL="https://github.com/archlinuxarm/PKGBUILDs/issues"

plymouth support

I'm trying to make mkinitcpio-systemd-tool work with plymouth.

I have confirmed that it can be unlocked locally and remotely without plymouth and remotely with plymouth, but not locally with plymouth.
When the plymouth splash screen appears, I am unable to enter my luks passphrase. Is there a good way?

lightdm with plymouth

systemctl enable lightdm-plymouth.service

/etc/mkinitcpio.conf

HOOKS=(base systemd sd-plymouth autodetect keyboard sd-vconsole modconf block sd-encrypt filesystems fsck btrfs systemd-tool)

/etc/mkinitcpio-systemd-tool/config/crypttab

cryptroot      UUID=e4e424bd-7a2a-49c6-9cdb-b79db1555c3a       none    luks,discard

/etc/mkinitcpio-systemd-tool/config/fstab is empty. All necessary mount information is in /etc/fstab.

Unit drop-in files are not honored (at least for dropbear)

I tried to make dropbear listen on a different port by placing a file with the following contents at /etc/systemd/system/initrd-dropbear.service.d/override.conf:

[Service]
ExecStart=/bin/dropbear -s -j -k -m -F -I ${IDLE_TIME} -p 1234

It is not even copied to the initramfs and thus dropbear will still listen on port 22.

Also, I would prefer to have a better way to configure the listening port.

systemd-resolved.service is active after initrd

In the network service, there is Requires=systemd-resolved.service and a lot of things around DNS resolution. This is an issue for me, as the service keeps running even after initrd.

I don't know a use case of having DNS resolution at that time, so I'm inclined to remove everything related to this. But at the very least can we make sure the service is stopped at the end of initrd?

initrds are much larger than usual

When using mkinitcpio-systemd-tool the initrd images are extremely large (~ 3x the size!) in comparison to when using mkinitcpio-netconf + mkinitcpio-dropbear.

When gzip compressing the images I still end up with 86Mb large initrds:

-rw-r--r--  1 root root  83M Jun 17 20:26 initramfs-linux-hardened.img

In comparison, the initrds created with mkinitcpio-netconf + mkinitcpio-dropbear are around 26Mb.

-rw-r--r--  1 root root  26M Jun 11 13:03 initramfs-linux-hardened.img

Are the mkinitcpio scripts somehow triggering a fallback style image being built?

This is way too big and really not ideal for systems where space matters and/or where the /boot partition size is constrained.

initrd-emergency.service doesn't seem to work correctly.

I tried enabling this service under the idea that this was supposed to allow me to continue to remotely access my system in the event that something went wrong. However if I enable this service and I fail to enter my encryption password quickly enough the ssh session dies. I am unable to access my system again until I manually reboot the system.

Does anyone have any ideas of what's going on here?

Improve README so it's clear how to add custom binaries or services

Hi,

Setting up systemd and systemd-tool hooks took quite some time already because of the lack of useful or understandable documentation (English!). Adding a custom service that uses systemd-tool is basically impossible due to very lacking documentation (README / wiki). This can be a great tool, but only if other devs actually understand how to use it.

In my case, I am looking to add bluetooth connectivity to initramfs.

Kind regards.

Systemd Assignment outside of section...

Hi there,

Problem

I noticed today while going through journalctl that there are these systemd warnings regarding not being able to parse some service/path/target files (most all are related to mkinitcpio-systemd-tool) in the initramfs.

At least that is what I thought... I looked through the initramfs image file, but could not find these. There is nothing located under /usr/local/lib/systemd on the initramfs image. Below are the warnings:

Jun 20 15:10:44 sys1 systemd[1]: /usr/local/lib/systemd/system/initrd-dropbear.service:1: Assignment outside of section. Ignoring.
Jun 20 15:10:44 sys1 systemd[1]: /usr/local/lib/systemd/system/cryptsetup-pre.target:1: Assignment outside of section. Ignoring.
Jun 20 15:10:44 sys1 systemd[1]: /usr/local/lib/systemd/system/initrd-network.service:1: Assignment outside of section. Ignoring.
Jun 20 15:10:44 sys1 systemd[1]: /usr/local/lib/systemd/system/systemd-resolved.service:1: Assignment outside of section. Ignoring.
Jun 20 15:10:44 sys1 systemd[1]: /usr/local/lib/systemd/system/systemd-networkd.service:1: Assignment outside of section. Ignoring.
Jun 20 15:10:44 sys1 systemd[1]: /usr/local/lib/systemd/system/initrd-shell.service:1: Assignment outside of section. Ignoring.
Jun 20 15:10:44 sys1 systemd[1]: /usr/local/lib/systemd/system/initrd-debug-progs.service:1: Assignment outside of section. Ignoring.
Jun 20 15:10:44 sys1 systemd[1]: /usr/local/lib/systemd/system/initrd-cryptsetup.path:1: Assignment outside of section. Ignoring.
Jun 20 15:10:44 sys1 systemd[1]: /usr/local/lib/systemd/system/initrd-cryptsetup.service:1: Assignment outside of section. Ignoring.
Jun 20 15:10:44 sys1 systemd[1]: /usr/local/lib/systemd/system/cryptsetup.target:1: Assignment outside of section. Ignoring.
Jun 20 15:10:44 sys1 systemd[1]: /usr/local/lib/systemd/system/initrd-sysroot-mount.service:1: Assignment outside of section. Ignoring.

System Information and mkinitcpio-systemd-tool Configuration

I use Arch Linux (linux-lts kernel). My boot drive has two partitions on it, one for boot (EFI vFat) and the other is the root partition, setup as LVM on LUKs. I use systemd-boot as my bootloader.

Versions

$ systemctl --version
systemd 245 (245.6-7-arch)
+PAM +AUDIT -SELINUX -IMA -APPARMOR +SMACK -SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=hybrid
$ uname -a
Linux sys1 5.4.47-1-lts #1 SMP Wed, 17 Jun 2020 19:42:02 +0000 x86_64 GNU/Linux

systemd services

I have the following mkinitcpio-systemd-tool services enabled:

$ find /etc/systemd/system -type l -iname 'initrd*'
/etc/systemd/system/initrd-debug-shell.service.wants/initrd-debug-progs.service
/etc/systemd/system/initrd-root-fs.target.wants/initrd-sysroot-mount.service
/etc/systemd/system/sysinit.target.wants/initrd-cryptsetup.path
/etc/systemd/system/sysinit.target.wants/initrd-debug-progs.service
/etc/systemd/system/sysinit.target.wants/initrd-dropbear.service

lsinitcpio output

See initramfs.img.txt.

Are these files being auto-generated on boot within the temporary initramfs? I read somewhere that using utf-16 encoding on the systemd service files can cause this warning to be issued.

Any suggestions on this would be great, thanks!

Networking does not work with New Arch Installation

I have got a problem with a new Arch installation.
The network does not start at boot.
The solution for me was to add these users to /etc/passwd:
systemd-journal-gateway:x:191:191:systemd-journal-gateway:/:/usr/bin/nologin
systemd-timesync:x:192:192:systemd-timesync:/:/usr/bin/nologin
systemd-network:x:193:193:systemd-network:/:/usr/bin/nologin
systemd-bus-proxy:x:194:194:systemd-bus-proxy:/:/usr/bin/nologin
systemd-resolve:x:195:195:systemd-resolve:/:/usr/bin/nologin

and the depending group also to /etc/group.

Before doing this, the users are dynamic users:
systemd-resolve::61662:61662:Dynamic User:/:/sbin/nologin
systemd-network::63822:63822:Dynamic User:/:/sbin/nologin

I don't know where these users are defined.
I think we need to include the file where the dynamic users are defined in the initial ramdisk.

protect sshd host keys

The main system's ssh keys should not be exposed (that's the whole point in encrypting the root partition). A way to accomplish this should at least be documented. Maybe it should even be the default behaviour.

To currently do this you need to:

  • uninstall tinyssh-convert if already installed
  • remove /etc/tinyssh/sshkeydir/ if already existing
  • run tinysshd-makekey /etc/tinyssh/sshkeydir/ to generate unique keys
  • change tinysshd ssh port so ssh doesn't complain about changed host key, so create /etc/systemd/system/initrd-tinysshd.service.d/override.conf containing:
[Service]
Environment=SSHD_PORT=1234
  • regenerate init image; mkinitcpio will complain about tinyssh-convert not existing, but that's exactly what we want here
  • to unlock now, remember to use the changed port: ssh -p 1234 root@server

The error message when generating the image should be removed or at least changed to a warning.

I think the most elegant solution would be to put the conversion into a separate service and maybe provide a file in config for the port.
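A way to verify the outcome this issue asks for, as an added example that is not part of the original post or of the project's code: it compares the Ed25519 host key that would be shipped in the initramfs with the main system's OpenSSH host key and reports whether they are the same key. It assumes the tinyssh key directory holds the public key as a raw 32-byte file named ed25519.pk; the function names and the sample keys are constructed for illustration.

```python
"""Detect an initramfs SSH host key that is identical to the main system's."""
import base64
import hashlib
import struct
from pathlib import Path

KEY_TYPE = b"ssh-ed25519"


def read_string(blob: bytes, offset: int):
    """Read one SSH wire-format string: 4-byte big-endian length, then data."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated string")
    return blob[offset + 4:end], end


def key_blob(raw: bytes) -> bytes:
    """Build the SSH wire-format public key blob for a raw Ed25519 key."""
    if len(raw) != 32:
        raise ValueError("Ed25519 public keys are 32 bytes")
    return (struct.pack(">I", len(KEY_TYPE)) + KEY_TYPE
            + struct.pack(">I", len(raw)) + raw)


def encode_openssh_line(raw: bytes, comment: str = "") -> str:
    """Render a raw key as an OpenSSH *.pub line (used for the sample data)."""
    return f"ssh-ed25519 {base64.b64encode(key_blob(raw)).decode()} {comment}".strip()


def openssh_ed25519_raw(pub_line: str) -> bytes:
    """Extract the raw 32-byte key from an OpenSSH ssh-ed25519 public key line."""
    fields = pub_line.split()
    if len(fields) < 2 or fields[0] != "ssh-ed25519":
        raise ValueError("not an ssh-ed25519 public key line")
    blob = base64.b64decode(fields[1], validate=True)
    key_type, offset = read_string(blob, 0)
    raw, offset = read_string(blob, offset)
    if key_type != KEY_TYPE or len(raw) != 32 or offset != len(blob):
        raise ValueError("malformed ssh-ed25519 key blob")
    return raw


def fingerprint(raw: bytes) -> str:
    """SHA256 fingerprint in the form ssh-keygen -l prints."""
    digest = hashlib.sha256(key_blob(raw)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def host_key_is_shared(openssh_pub_line: str, tinyssh_pk: bytes) -> bool:
    """True when the initramfs key and the system host key are the same key."""
    if len(tinyssh_pk) != 32:
        raise ValueError("ed25519.pk must be exactly 32 bytes")
    return openssh_ed25519_raw(openssh_pub_line) == tinyssh_pk


def audit_keydir(tinyssh_keydir, openssh_pub_file) -> dict:
    """Compare <keydir>/ed25519.pk (assumed layout) with an OpenSSH .pub file."""
    pk = (Path(tinyssh_keydir) / "ed25519.pk").read_bytes()
    line = Path(openssh_pub_file).read_text().strip()
    return {
        "initrd_fingerprint": fingerprint(pk),
        "system_fingerprint": fingerprint(openssh_ed25519_raw(line)),
        "shared": host_key_is_shared(line, pk),
    }


if __name__ == "__main__":
    # Constructed sample keys, not real host keys.
    system_raw = bytes(range(32))
    system_line = encode_openssh_line(system_raw, "root@constructed")
    converted_pk = system_raw            # key converted from the system key
    unique_pk = bytes(reversed(range(32)))  # key generated only for the initramfs
    for label, pk in (("converted", converted_pk), ("unique", unique_pk)):
        shared = host_key_is_shared(system_line, pk)
        print(f"{label}: {fingerprint(pk)} shared_with_system={shared}")
```

Run audit_keydir against the key directory that gets packed into the image and the system's ssh_host_ed25519_key.pub after each image rebuild; a result with shared set to True means the unencrypted boot partition carries the main system's host identity.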

systemd-gpt-auto-generator settings (Dependency failed for Initrd Root Device)

Hi there,

Problem:

I keep experiencing a delay on system startup due to systemd not being able to load the root device (see journalctl output below). To be clear, the system does boot and eventually I reach a TTY to login to. Funnily though, my /boot partition does not get mounted, I suspect this is due to the dependency on the root device.

Jun 20 15:12:14 sys1 systemd[1]: dev-gpt\x2dauto\x2droot.device: Job dev-gpt\x2dauto\x2droot.device/start timed out.
Jun 20 15:12:14 sys1 systemd[1]: Timed out waiting for device /dev/gpt-auto-root.
Jun 20 15:12:14 sys1 systemd[1]: Dependency failed for Initrd Root Device.
Jun 20 15:12:14 sys1 systemd[1]: initrd-root-device.target: Job initrd-root-device.target/start failed with result 'dependency'.
Jun 20 15:12:14 sys1 systemd[1]: dev-gpt\x2dauto\x2droot.device: Job dev-gpt\x2dauto\x2droot.device/start failed with result 'timeout'.

System Information and mkinitcpio-systemd-tool Configuration

I use Arch Linux (linux-lts kernel). My boot drive has two partitions on it, one for boot (EFI vFat) and the other is the root partition, setup as LVM on LUKs. The LVM partition has two volume groups (VGs), one for the root filesystem (called vg-root) and one for the home directory (called vg-home). I use systemd-boot with these kernel parameters:

ipv6.disable_ipv6=1 vsyscall=emulate intel_idle.max_cstate=1 quiet rw

(notice that I omit root=).

Versions

$ systemctl --version
systemd 245 (245.6-7-arch)
+PAM +AUDIT -SELINUX -IMA -APPARMOR +SMACK -SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=hybrid
$ uname -a
Linux sys1 5.4.47-1-lts #1 SMP Wed, 17 Jun 2020 19:42:02 +0000 x86_64 GNU/Linux

systemd services

I have the following mkinitcpio-systemd-tool services enabled:

$ find /etc/systemd/system -type l -iname 'initrd*'
/etc/systemd/system/initrd-debug-shell.service.wants/initrd-debug-progs.service
/etc/systemd/system/initrd-root-fs.target.wants/initrd-sysroot-mount.service
/etc/systemd/system/sysinit.target.wants/initrd-cryptsetup.path
/etc/systemd/system/sysinit.target.wants/initrd-debug-progs.service
/etc/systemd/system/sysinit.target.wants/initrd-dropbear.service

Files

mkinitcpio-systemd-tool/config/crypttab has only this:

cryptlvm	UUID=3cdf6a91-1a36-4cdc-8eb4-fbd2d799d8d9

mkinitcpio-systemd-tool/config/fstab has only this (where vg-root is the name of the LVM VG containing the root filesystem):

/dev/mapper/vg-root	/sysroot         auto	x-systemd.device-timeout=9999h	0	1

crypttab has:

cryptlvm	UUID=3cdf6a91-1a36-4cdc-8eb4-fbd2d799d8d9

fstab has:

# /dev/mapper/vg-root
UUID=30803547-45e3-4905-b601-ecb92522c40c	/         	ext4      	rw,relatime,data=ordered	0 1

# /dev/mapper/vg-home
UUID=76d8381f-fc87-4f22-b32a-6c1873b12ad1	/home     	ext4      	rw,relatime,data=ordered	0 2

UUID=E361-10AD      	/boot     	vfat      	rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro	0 2

Is my setup of mkinitcpio-systemd-tool wrong? I followed the 'instructions' as outlined in #62.

Any suggestions are welcome 😸 !

move code to /src

@dvzrv David:

Please let me know if "move code to /src" will interfere with
Makefile, packaging? I mean, things non-obvious? Any FHS guidelines for that? :-)

systemd-resolved fails to start

I'm currently trying to use this hook as mentioned in the wiki to get remote unlocking of my root drive. I added the appropriate hooks, and I've been running into issues with systemd-resolved.service. journalctl from the debug shell shows that the service is outputting the error Failed to run 'start' task: No such file or directory, and that it Failed with result 'resources'. It tries to start repeatedly with the same result.

I've done quite a bit of digging, but my understanding of systemd and the initramfs is still pretty superficial, so I probably just don't know where to look.

I have also just now realized that this particular service doesn't seem to be necessary for what I'm trying to do, however, it would be nice not to have the error showing up, so any insight you could provide would be helpful.

Where do I put my mount options?

It's a bit hard for me to follow the whole thing going on here. Should I be editing '/etc/mkinitcpio.d/fstab' and '/etc/mkinitcpio.d/crypttab' or will it pick up on edits to the normal '/etc/fstab' and '/etc/crypttab' locations?

Fail to boot after upgrading to systemd 242.0-1

Symptom

After upgrading to systemd 242.0-1 (Arch x86_64), I stopped getting a prompt for the disk encryption secret, and instead would only see the prompt menu:

a) secret agent
s) sys shell
r) reboot
q) quit

Digging a bit into the code, it seems like this is caused by has_crypt_jobs returning false. Selecting sys shell and running systemctl list-jobs indeed returns no results.

Setup

My encryption config is specified as a kernel flag in /etc/default/grub:

GRUB_CMDLINE_LINUX="rd.luks.name=xxxx=cryptroot"

I was wondering if this was no longer working for some reason, and tried adding a corresponding line to /etc/mkinitcpio.d/crypttab:

root UUID=xxx none luks

Rebuilding the initramfs from the initramfs:

/usr/lib/systemd/systemd-cryptsetup attach cryptroot /dev/disk/by-uuid/xxx
mkdir /mnt
mount -t ext4 /dev/mapper/cryptroot /mnt
mount -t ext4 /dev/xxx /mnt/boot
mount -o bind /proc /mnt/proc
mount -o bind /sys /mnt/sys
mount -o bind /dev /mnt/dev
chroot /mnt
mkinitcpio -p linux

This did not work either. After a reboot, I still got the prompt menu and systemctl list-jobs still returned no results.

Mitigation

I realized I could get the system to boot by decrypting the root partition quickly from the shell, before the root file system systemd unit times out (90s):

/usr/lib/systemd/systemd-cryptsetup attach cryptroot /dev/disk/by-uuid/xxx

After booting into the normal system, I downgraded back to systemd 241.7-2:

sudo pacman -U /var/cache/pacman/pkg/systemd-241.7-2-x86_64.pkg.tar.xz
sudo pacman -U /var/cache/pacman/pkg/systemd-libs-241.7-2-x86_64.pkg.tar.xz
sudo pacman -U /var/cache/pacman/pkg/systemd-sysvcompat-241.7-2-x86_64.pkg.tar.xz
mkinitcpio -p linux

After a reboot, I'm now again greeted by the secret> prompt and am able to unlock normally as usual.

Wireguard tunnel using initrd-network.service

Hello!

Thanks for the awesome project!

I have a small question:
Is it possible to setup a wireguard tunnel from initrd using initrd-network.service ?

If it is, then may I have some hints on how to achieve it?
If it's not, then I'd like to know what exactly is missing, maybe I can help with implementation.

Thank you!

sysroot on btrfs/zfs/lvm

Does this package replace the sd-encrypt hook, or does it still need it?

The suggested hooks list on the Arch Wiki suggests it replaces it, but without it, I was just getting stuck at some error like:
"Start Job running for /dev/disk/by-uuid/$ROOT_UUID"
where the UUID given was the UUID of the decrypted root partition (/dev/mapper/root when the system is running).

chroot: use explicit checks via systemd-detect-virt

Hello!

~ # systemctl list-unit-files --state=enabled
UNIT FILE                              STATE
initrd-cryptsetup.path                 enabled
initrd-dropbear.service                enabled
initrd-network.service                 enabled
initrd-nftables.service                enabled
initrd-shell.service                   enabled
initrd-util-usb-hcd.service            enabled

When I build mkinitcpio-systemd-tool from real root:
mkinitcpio -Pvvv:

  -> Running build hook: [/usr/lib/initcpio/install/systemd-tool]
    provisioning initrd systemd units
    processing systemd unit initrd-nftables.service
    resolved service unit path: /usr/lib/systemd/system/initrd-nftables.service
    producing initramfs unit file: /usr/lib/systemd/system/initrd-nftables.service
    provision new binary /usr/bin/nft
    adding file: /usr/bin/nft
    adding file: /usr/lib/libnftables.so.1
    adding file: /usr/lib/libreadline.so.8
    adding file: /usr/lib/libmnl.so.0
    adding file: /usr/lib/libnftnl.so.11
    adding file: /usr/lib/libjansson.so.4
    adding file: /usr/lib/libgmp.so.10
    adding file: /usr/lib/libncursesw.so.6
    reuse present binary /usr/bin/nft
    reuse present binary /usr/bin/nft
    call in-line [add_all_modules /netfilter/nft_*] in unit /usr/lib/systemd/system/initrd-nftables.service
    adding module: nft_meta_bridge
    adding module: nf_tables
    adding module: nfnetlink
    adding module: bridge
    adding module: stp
    adding module: llc
    adding module: nft_reject_bridge
    adding module: nft_reject
    adding module: nf_reject_ipv4
    adding module: nf_reject_ipv6
    adding module: nft_dup_ipv4
    adding module: nf_dup_ipv4
    adding module: nft_fib_ipv4
    adding module: nft_fib
    adding module: nft_reject_ipv4
    adding module: nft_dup_ipv6
    adding module: nf_dup_ipv6
    adding module: nft_fib_ipv6
    adding module: nft_reject_ipv6
    adding module: nft_chain_nat
    adding module: nf_nat
    adding module: nf_conntrack
    adding module: nf_defrag_ipv6
    adding module: libcrc32c
    adding module: crc32c-intel
    adding module: crc32c_generic
    adding module: nf_defrag_ipv4
    adding module: nft_compat
    adding module: x_tables
    adding module: nft_connlimit
    adding module: nf_conncount
    adding module: nft_counter
    adding module: nft_ct
    adding module: nft_dup_netdev
    adding module: nf_dup_netdev
    adding module: nft_fib_inet
    adding module: nft_fib_netdev
    adding module: nft_flow_offload
    adding module: nf_flow_table
    adding module: nft_fwd_netdev
    adding module: nft_hash
    adding module: nft_limit
    adding module: nft_log
    adding module: nft_masq
    adding module: nft_nat
    adding module: nft_numgen
    adding module: nft_objref
    adding module: nft_osf
    adding module: nfnetlink_osf
    adding module: nft_queue
    adding module: nft_quota
    adding module: nft_redir
    adding module: nft_reject_inet
    adding module: nft_socket
    adding module: nf_socket_ipv4
    adding module: nf_socket_ipv6
    adding module: nft_synproxy
    adding module: nf_synproxy_core
    adding module: nft_tproxy
    adding module: nf_tproxy_ipv6
    adding module: nf_tproxy_ipv4
    adding module: nft_tunnel
    adding module: nft_xfrm
    call in-line [add_all_modules /netfilter/nf_tables*] in unit /usr/lib/systemd/system/initrd-nftables.service
    adding module: nf_tables_set
    replace path /etc/nftables.conf
    provision new file /etc/mkinitcpio-systemd-tool/config/initrd-nftables.conf -> /etc/nftables.conf 
    adding file: /etc/nftables.conf
    adding dir: /etc/systemd/system/initrd-network.service.wants
    adding symlink: /etc/systemd/system/initrd-network.service.wants/initrd-nftables.service -> /usr/lib/systemd/system/initrd-nftables.service
    processing systemd unit initrd-network.service
    resolved service unit path: /usr/lib/systemd/system/initrd-network.service
    producing initramfs unit file: /usr/lib/systemd/system/initrd-network.service
    processing systemd unit systemd-networkd.service
    resolved service unit path: /usr/lib/systemd/system/systemd-networkd.service
    producing initramfs unit file: /usr/lib/systemd/system/systemd-networkd.service
    provision new binary /usr/lib/systemd/systemd-networkd
    adding file: /usr/lib/systemd/systemd-networkd
    adding dir: /etc/systemd/system/multi-user.target.wants
    adding symlink: /etc/systemd/system/multi-user.target.wants/systemd-networkd.service -> /usr/lib/systemd/system/systemd-networkd.service
    processing systemd unit systemd-resolved.service
    resolved service unit path: /usr/lib/systemd/system/systemd-resolved.service
    producing initramfs unit file: /usr/lib/systemd/system/systemd-resolved.service
    provision new binary /usr/lib/systemd/systemd-resolved
    adding file: /usr/lib/systemd/systemd-resolved
    adding file: /usr/lib/libgnutls.so.30
    adding file: /usr/lib/libtasn1.so.6
    adding file: /usr/lib/libnettle.so.7
    adding file: /usr/lib/libhogweed.so.5
    adding symlink: /etc/systemd/system/multi-user.target.wants/systemd-resolved.service -> /usr/lib/systemd/system/systemd-resolved.service
    reuse present binary /bin/true
    reuse present binary /bin/sh
    reuse present binary /bin/sh
    reuse present binary /bin/sh
    reuse present binary /bin/sh
    reuse present binary /bin/sh
    provision new file /etc/mkinitcpio-systemd-tool/network/initrd-network.network -> /etc/systemd/network/initrd-network.network 
    adding file: /etc/systemd/network/initrd-network.network
    call in-line [add_checked_modules /drivers/net/] in unit /usr/lib/systemd/system/initrd-network.service
    adding module: e1000e
    adding module: r8169
    adding module: realtek
    adding module: libphy
    adding file: /usr/lib/firmware/rtl_nic/rtl8125a-3.fw
    adding file: /usr/lib/firmware/rtl_nic/rtl8107e-2.fw
    adding file: /usr/lib/firmware/rtl_nic/rtl8107e-1.fw
    adding file: /usr/lib/firmware/rtl_nic/rtl8168fp-3.fw
    adding file: /usr/lib/firmware/rtl_nic/rtl8168h-2.fw
    adding file: /usr/lib/firmware/rtl_nic/rtl8168h-1.fw
    adding file: /usr/lib/firmware/rtl_nic/rtl8168g-3.fw
    adding file: /usr/lib/firmware/rtl_nic/rtl8168g-2.fw
    adding file: /usr/lib/firmware/rtl_nic/rtl8106e-2.fw
    adding file: /usr/lib/firmware/rtl_nic/rtl8106e-1.fw
    adding file: /usr/lib/firmware/rtl_nic/rtl8411-2.fw
    adding file: /usr/lib/firmware/rtl_nic/rtl8411-1.fw
    adding file: /usr/lib/firmware/rtl_nic/rtl8402-1.fw
    adding file: /usr/lib/firmware/rtl_nic/rtl8168f-2.fw
    adding file: /usr/lib/firmware/rtl_nic/rtl8168f-1.fw
    adding file: /usr/lib/firmware/rtl_nic/rtl8105e-1.fw
    adding file: /usr/lib/firmware/rtl_nic/rtl8168e-3.fw
    adding file: /usr/lib/firmware/rtl_nic/rtl8168e-2.fw
    adding file: /usr/lib/firmware/rtl_nic/rtl8168e-1.fw
    adding file: /usr/lib/firmware/rtl_nic/rtl8168d-2.fw
    adding file: /usr/lib/firmware/rtl_nic/rtl8168d-1.fw
    adding module: fjes
    make symbolic link /etc/resolv.conf -> /run/systemd/resolve/resolv.conf
    adding symlink: /etc/resolv.conf -> /run/systemd/resolve/resolv.conf
    replace path /etc/hostname
    provision new file /etc/hostname -> /etc/hostname 
    adding file: /etc/hostname
    provision new file /usr/lib/systemd/resolv.conf -> /usr/lib/systemd/resolv.conf 
    adding file: /usr/lib/systemd/resolv.conf
    provision new binary /usr/lib/libnss_dns.so.2
    adding file: /usr/lib/libnss_dns.so.2
    adding file: /usr/lib/libresolv.so.2
    create empty dir /var/tmp/ 
    adding dir: /var/tmp/
    adding dir: /etc/systemd/system/sysinit.target.wants
    adding symlink: /etc/systemd/system/sysinit.target.wants/initrd-network.service -> /usr/lib/systemd/system/initrd-network.service
    processing systemd unit initrd-shell.service
    resolved service unit path: /usr/lib/systemd/system/initrd-shell.service
    producing initramfs unit file: /usr/lib/systemd/system/initrd-shell.service
    reuse present binary /bin/true
    provision new file /usr/lib/mkinitcpio-systemd-tool/initrd-shell.sh -> /usr/lib/mkinitcpio-systemd-tool/initrd-shell.sh 700
    adding file: /usr/lib/mkinitcpio-systemd-tool/initrd-shell.sh
    reuse present binary /usr/bin/sulogin
    reuse present binary /usr/bin/systemctl
    provision new binary /usr/bin/systemd-cat
    adding file: /usr/bin/systemd-cat
    reuse present binary /usr/bin/journalctl
    make symbolic link /root/.profile -> /usr/lib/mkinitcpio-systemd-tool/initrd-shell.sh
    adding dir: /root
    adding symlink: /root/.profile -> /usr/lib/mkinitcpio-systemd-tool/initrd-shell.sh
    replace path /etc/group
    provision new file /etc/group -> /etc/group 
    adding file: /etc/group
    replace path /etc/passwd
    provision new file /etc/passwd -> /etc/passwd 
    adding file: /etc/passwd
    replace path /etc/shadow
    provision new file /etc/shadow -> /etc/shadow 
    adding file: /etc/shadow
    invoke command [do_root_shell] for script /usr/lib/mkinitcpio-systemd-tool/initrd-build.sh in unit /usr/lib/systemd/system/initrd-shell.service
    command success: sed -i -r -e s|(root):([^:]*):([^:]*):([^:]*):([^:]*):([^:]*):([^:]*)|::::::/bin/sh| /tmp/mkinitcpio.5Qf0NA/root/etc/passwd


    invoke command [do_secret_clean] for script /usr/lib/mkinitcpio-systemd-tool/initrd-build.sh in unit /usr/lib/systemd/system/initrd-shell.service
    command success: sed -i -r -e /^root:.*|^systemd-.*|^tty:.*|^uucp:.*|^kmem:.|^input:.*|^video:.*|^audio:.*|^lp:.*|^disk:.*|^optical:.*|^storage:.*/!d /tmp/mkinitcpio.5Qf0NA/root/etc/group


    command success: sed -i -r -e /^root:.*|^systemd-.*|^tty:.*|^uucp:.*|^kmem:.|^input:.*|^video:.*|^audio:.*|^lp:.*|^disk:.*|^optical:.*|^storage:.*/!d /tmp/mkinitcpio.5Qf0NA/root/etc/passwd


    command success: sed -i -r -e /^root:.*|^systemd-.*|^tty:.*|^uucp:.*|^kmem:.|^input:.*|^video:.*|^audio:.*|^lp:.*|^disk:.*|^optical:.*|^storage:.*/!d /tmp/mkinitcpio.5Qf0NA/root/etc/shadow


    provision new file /root/.ssh/authorized_keys -> /root/.ssh/authorized_keys 600
    adding file: /root/.ssh/authorized_keys
    make symbolic link /usr/bin/halt -> /usr/bin/systemctl
    overwriting symlink /usr/bin/halt -> /usr/bin/systemctl
    make symbolic link /usr/bin/reboot -> /usr/bin/systemctl
    overwriting symlink /usr/bin/reboot -> /usr/bin/systemctl
    make symbolic link /usr/bin/shutdown -> /usr/bin/systemctl
    adding symlink: /usr/bin/shutdown -> /usr/bin/systemctl
    provision new binary /usr/lib/libnss_compat.so
    adding file: /usr/lib/libnss_compat.so
    adding symlink: /etc/systemd/system/sysinit.target.wants/initrd-shell.service -> /usr/lib/systemd/system/initrd-shell.service
    processing systemd unit initrd-dropbear.service
    resolved service unit path: /usr/lib/systemd/system/initrd-dropbear.service
    producing initramfs unit file: /usr/lib/systemd/system/initrd-dropbear.service
    processing systemd unit initrd-shell.service
    resolved service unit path: /usr/lib/systemd/system/initrd-shell.service
    replacing initramfs unit file: /usr/lib/systemd/system/initrd-shell.service
    reuse present binary /bin/true
    reuse path /usr/lib/mkinitcpio-systemd-tool/initrd-shell.sh
    reuse present binary /usr/bin/sulogin
    reuse present binary /usr/bin/systemctl
    reuse present binary /usr/bin/systemd-cat
    reuse present binary /usr/bin/journalctl
    make symbolic link /root/.profile -> /usr/lib/mkinitcpio-systemd-tool/initrd-shell.sh
    overwriting symlink /root/.profile -> /usr/lib/mkinitcpio-systemd-tool/initrd-shell.sh
    replace path /etc/group
    provision new file /etc/group -> /etc/group 
    adding file: /etc/group
    replace path /etc/passwd
    provision new file /etc/passwd -> /etc/passwd 
    adding file: /etc/passwd
    replace path /etc/shadow
    provision new file /etc/shadow -> /etc/shadow 
    adding file: /etc/shadow
    invoke command [do_root_shell] for script /usr/lib/mkinitcpio-systemd-tool/initrd-build.sh in unit /usr/lib/systemd/system/initrd-shell.service
    command success: sed -i -r -e s|(root):([^:]*):([^:]*):([^:]*):([^:]*):([^:]*):([^:]*)|::::::/bin/sh| /tmp/mkinitcpio.5Qf0NA/root/etc/passwd


    invoke command [do_secret_clean] for script /usr/lib/mkinitcpio-systemd-tool/initrd-build.sh in unit /usr/lib/systemd/system/initrd-shell.service
    command success: sed -i -r -e /^root:.*|^systemd-.*|^tty:.*|^uucp:.*|^kmem:.|^input:.*|^video:.*|^audio:.*|^lp:.*|^disk:.*|^optical:.*|^storage:.*/!d /tmp/mkinitcpio.5Qf0NA/root/etc/group


    command success: sed -i -r -e /^root:.*|^systemd-.*|^tty:.*|^uucp:.*|^kmem:.|^input:.*|^video:.*|^audio:.*|^lp:.*|^disk:.*|^optical:.*|^storage:.*/!d /tmp/mkinitcpio.5Qf0NA/root/etc/passwd


    command success: sed -i -r -e /^root:.*|^systemd-.*|^tty:.*|^uucp:.*|^kmem:.|^input:.*|^video:.*|^audio:.*|^lp:.*|^disk:.*|^optical:.*|^storage:.*/!d /tmp/mkinitcpio.5Qf0NA/root/etc/shadow


    reuse path /root/.ssh/authorized_keys
    make symbolic link /usr/bin/halt -> /usr/bin/systemctl
    overwriting symlink /usr/bin/halt -> /usr/bin/systemctl
    make symbolic link /usr/bin/reboot -> /usr/bin/systemctl
    overwriting symlink /usr/bin/reboot -> /usr/bin/systemctl
    make symbolic link /usr/bin/shutdown -> /usr/bin/systemctl
    overwriting symlink /usr/bin/shutdown -> /usr/bin/systemctl
    reuse present binary /usr/lib/libnss_compat.so
    overwriting symlink /etc/systemd/system/sysinit.target.wants/initrd-shell.service -> /usr/lib/systemd/system/initrd-shell.service
    processing systemd unit initrd-network.service
    resolved service unit path: /usr/lib/systemd/system/initrd-network.service
    replacing initramfs unit file: /usr/lib/systemd/system/initrd-network.service
    processing systemd unit systemd-networkd.service
    resolved service unit path: /usr/lib/systemd/system/systemd-networkd.service
    replacing initramfs unit file: /usr/lib/systemd/system/systemd-networkd.service
    reuse present binary /usr/lib/systemd/systemd-networkd
    overwriting symlink /etc/systemd/system/multi-user.target.wants/systemd-networkd.service -> /usr/lib/systemd/system/systemd-networkd.service
    processing systemd unit systemd-resolved.service
    resolved service unit path: /usr/lib/systemd/system/systemd-resolved.service
    replacing initramfs unit file: /usr/lib/systemd/system/systemd-resolved.service
    reuse present binary /usr/lib/systemd/systemd-resolved
    overwriting symlink /etc/systemd/system/multi-user.target.wants/systemd-resolved.service -> /usr/lib/systemd/system/systemd-resolved.service
    reuse present binary /bin/true
    reuse present binary /bin/sh
    reuse present binary /bin/sh
    reuse present binary /bin/sh
    reuse present binary /bin/sh
    reuse present binary /bin/sh
    reuse path /etc/systemd/network/initrd-network.network
    call in-line [add_checked_modules /drivers/net/] in unit /usr/lib/systemd/system/initrd-network.service
    make symbolic link /etc/resolv.conf -> /run/systemd/resolve/resolv.conf
    overwriting symlink /etc/resolv.conf -> /run/systemd/resolve/resolv.conf
    replace path /etc/hostname
    provision new file /etc/hostname -> /etc/hostname 
    adding file: /etc/hostname
    reuse path /usr/lib/systemd/resolv.conf
    reuse present binary /usr/lib/libnss_dns.so.2
    reuse path /var/tmp/
    overwriting symlink /etc/systemd/system/sysinit.target.wants/initrd-network.service -> /usr/lib/systemd/system/initrd-network.service
    provision new binary /bin/dropbear
    adding file: /bin/dropbear
    adding file: /usr/lib/libutil.so.1
    reuse present binary /bin/kill
    invoke command [do_dropbear_keys] for script /usr/lib/mkinitcpio-systemd-tool/initrd-build.sh in unit /usr/lib/systemd/system/initrd-dropbear.service
    provide host server ssh keys
    use existing dropbear host key: /etc/dropbear/dropbear_rsa_host_key
    use existing dropbear host key: /etc/dropbear/dropbear_ecdsa_host_key
    provision new dir /etc/dropbear 
    adding dir: /etc/dropbear
    adding file: /etc/dropbear/dropbear_ecdsa_host_key
    adding file: /etc/dropbear/dropbear_rsa_host_key
    adding file: /etc/dropbear/root_key
    reuse path /var/run/
    reuse path /var/run/utmp
    create empty dir /var/log/ 
    adding dir: /var/log/
    create empty file /var/log/btmp 
    adding file: /var/log/btmp
    create empty file /var/log/wtmp 
    adding file: /var/log/wtmp
    create empty file /var/log/lastlog 
    adding file: /var/log/lastlog
    adding symlink: /etc/systemd/system/sysinit.target.wants/initrd-dropbear.service -> /usr/lib/systemd/system/initrd-dropbear.service
    processing systemd unit initrd-util-usb-hcd.service
    resolved service unit path: /usr/lib/systemd/system/initrd-util-usb-hcd.service
    producing initramfs unit file: /usr/lib/systemd/system/initrd-util-usb-hcd.service
    reuse present binary /bin/true
    call in-line [add_module xhci_hcd] in unit /usr/lib/systemd/system/initrd-util-usb-hcd.service
    call in-line [add_module xhci_pci] in unit /usr/lib/systemd/system/initrd-util-usb-hcd.service
    call in-line [add_module ehci_hcd] in unit /usr/lib/systemd/system/initrd-util-usb-hcd.service
    call in-line [add_module ehci_pci] in unit /usr/lib/systemd/system/initrd-util-usb-hcd.service
    call in-line [add_module hid_generic] in unit /usr/lib/systemd/system/initrd-util-usb-hcd.service
    provision new file /etc/mkinitcpio-systemd-tool/config/initrd-util-usb-hcd.conf -> /etc/modprobe.d/initrd-util-usb-hcd.conf 
    adding file: /etc/modprobe.d/initrd-util-usb-hcd.conf
    adding symlink: /etc/systemd/system/sysinit.target.wants/initrd-util-usb-hcd.service -> /usr/lib/systemd/system/initrd-util-usb-hcd.service
    processing systemd unit initrd-cryptsetup.path
    resolved service unit path: /usr/lib/systemd/system/initrd-cryptsetup.path
    producing initramfs unit file: /usr/lib/systemd/system/initrd-cryptsetup.path
    processing systemd unit initrd-cryptsetup.service
    resolved service unit path: /usr/lib/systemd/system/initrd-cryptsetup.service
    producing initramfs unit file: /usr/lib/systemd/system/initrd-cryptsetup.service
    processing systemd unit initrd-shell.service
    resolved service unit path: /usr/lib/systemd/system/initrd-shell.service
    replacing initramfs unit file: /usr/lib/systemd/system/initrd-shell.service
    reuse present binary /bin/true
    reuse path /usr/lib/mkinitcpio-systemd-tool/initrd-shell.sh
    reuse present binary /usr/bin/sulogin
    reuse present binary /usr/bin/systemctl
    reuse present binary /usr/bin/systemd-cat
    reuse present binary /usr/bin/journalctl
    make symbolic link /root/.profile -> /usr/lib/mkinitcpio-systemd-tool/initrd-shell.sh
    overwriting symlink /root/.profile -> /usr/lib/mkinitcpio-systemd-tool/initrd-shell.sh
    replace path /etc/group
    provision new file /etc/group -> /etc/group 
    adding file: /etc/group
    replace path /etc/passwd
    provision new file /etc/passwd -> /etc/passwd 
    adding file: /etc/passwd
    replace path /etc/shadow
    provision new file /etc/shadow -> /etc/shadow 
    adding file: /etc/shadow
    invoke command [do_root_shell] for script /usr/lib/mkinitcpio-systemd-tool/initrd-build.sh in unit /usr/lib/systemd/system/initrd-shell.service
    command success: sed -i -r -e s|(root):([^:]*):([^:]*):([^:]*):([^:]*):([^:]*):([^:]*)|::::::/bin/sh| /tmp/mkinitcpio.5Qf0NA/root/etc/passwd


    invoke command [do_secret_clean] for script /usr/lib/mkinitcpio-systemd-tool/initrd-build.sh in unit /usr/lib/systemd/system/initrd-shell.service
    command success: sed -i -r -e /^root:.*|^systemd-.*|^tty:.*|^uucp:.*|^kmem:.|^input:.*|^video:.*|^audio:.*|^lp:.*|^disk:.*|^optical:.*|^storage:.*/!d /tmp/mkinitcpio.5Qf0NA/root/etc/group


    command success: sed -i -r -e /^root:.*|^systemd-.*|^tty:.*|^uucp:.*|^kmem:.|^input:.*|^video:.*|^audio:.*|^lp:.*|^disk:.*|^optical:.*|^storage:.*/!d /tmp/mkinitcpio.5Qf0NA/root/etc/passwd


    command success: sed -i -r -e /^root:.*|^systemd-.*|^tty:.*|^uucp:.*|^kmem:.|^input:.*|^video:.*|^audio:.*|^lp:.*|^disk:.*|^optical:.*|^storage:.*/!d /tmp/mkinitcpio.5Qf0NA/root/etc/shadow


    reuse path /root/.ssh/authorized_keys
    make symbolic link /usr/bin/halt -> /usr/bin/systemctl
    overwriting symlink /usr/bin/halt -> /usr/bin/systemctl
    make symbolic link /usr/bin/reboot -> /usr/bin/systemctl
    overwriting symlink /usr/bin/reboot -> /usr/bin/systemctl
    make symbolic link /usr/bin/shutdown -> /usr/bin/systemctl
    overwriting symlink /usr/bin/shutdown -> /usr/bin/systemctl
    reuse present binary /usr/lib/libnss_compat.so
    overwriting symlink /etc/systemd/system/sysinit.target.wants/initrd-shell.service -> /usr/lib/systemd/system/initrd-shell.service
    reuse present binary /usr/lib/mkinitcpio-systemd-tool/initrd-shell.sh
    replace path /etc/crypttab
    provision new file /etc/mkinitcpio-systemd-tool/config/crypttab -> /etc/crypttab 
    adding file: /etc/crypttab
    replace path /etc/fstab
    provision new file /etc/mkinitcpio-systemd-tool/config/fstab -> /etc/fstab 
    adding file: /etc/fstab
    create empty dir /sysroot/ 
    adding dir: /sysroot/
    provision new binary /usr/bin/swapon
    adding file: /usr/bin/swapon
    adding file: /usr/lib/libsmartcols.so.1
    provision new binary /usr/bin/swapoff
    adding file: /usr/bin/swapoff
    provision new binary /usr/bin/dmsetup
    adding file: /usr/bin/dmsetup
    call in-line [add_module dm-crypt] in unit /usr/lib/systemd/system/initrd-cryptsetup.service
    adding module: dm-crypt
    adding module: dm-mod
    call in-line [add_all_modules /crypto/] in unit /usr/lib/systemd/system/initrd-cryptsetup.service
    adding module: aegis128-aesni
    adding module: crypto_simd
    adding module: cryptd
    adding module: aesni-intel
    adding module: glue_helper
    adding module: blake2s-x86_64
    adding module: libblake2s-generic
    adding module: blowfish-x86_64
    adding module: blowfish_common
    adding module: camellia-aesni-avx-x86_64
    adding module: camellia-x86_64
    adding module: camellia-aesni-avx2
    adding module: cast5-avx-x86_64
    adding module: cast_common
    adding module: cast5_generic
    adding module: cast6-avx-x86_64
    adding module: cast6_generic
    adding module: chacha-x86_64
    adding module: libchacha
    adding module: crc32-pclmul
    adding module: crct10dif-pclmul
    adding module: curve25519-x86_64
    adding module: libcurve25519-generic
    adding module: des3_ede-x86_64
    adding module: libdes
    adding module: ghash-clmulni-intel
    adding module: nhpoly1305-avx2
    adding module: nhpoly1305
    adding module: libpoly1305
    adding module: nhpoly1305-sse2
    adding module: poly1305-x86_64
    adding module: serpent-avx-x86_64
    adding module: serpent_generic
    adding module: serpent-avx2
    adding module: serpent-sse2-x86_64
    adding module: sha1-ssse3
    adding module: sha256-ssse3
    adding module: sha512-ssse3
    adding module: twofish-avx-x86_64
    adding module: twofish-x86_64
    adding module: twofish_common
    adding module: twofish-x86_64-3way
    adding module: 842
    adding module: 842_compress
    adding module: 842_decompress
    adding module: adiantum
    adding module: aegis128
    adding module: aes_ti
    adding module: af_alg
    adding module: algif_aead
    adding module: algif_hash
    adding module: algif_rng
    adding module: algif_skcipher
    adding module: ansi_cprng
    adding module: anubis
    adding module: arc4
    adding module: libarc4
    adding module: asym_tpm
    adding module: trusted
    adding module: tpm
    adding module: pkcs8_key_parser
    adding module: tpm_key_parser
    adding module: async_memcpy
    adding module: async_tx
    adding module: async_pq
    adding module: async_xor
    adding module: xor
    adding module: raid6_pq
    adding module: async_raid6_recov
    adding module: authenc
    adding module: authencesn
    adding module: blake2b_generic
    adding module: blake2s_generic
    adding module: blowfish_generic
    adding module: camellia_generic
    adding module: ccm
    adding module: cfb
    adding module: chacha20poly1305
    adding module: chacha_generic
    adding module: cmac
    adding module: crc32_generic
    adding module: crypto_engine
    adding module: crypto_user
    adding module: curve25519-generic
    adding module: deflate
    adding module: des_generic
    adding module: ecc
    adding module: ecdh_generic
    adding module: echainiv
    adding module: ecrdsa_generic
    adding module: essiv
    adding module: fcrypt
    adding module: keywrap
    adding module: khazad
    adding module: lrw
    adding module: lz4
    adding module: lz4hc
    adding module: lz4hc_compress
    adding module: md4
    adding module: michael_mic
    adding module: ofb
    adding module: pcbc
    adding module: pcrypt
    adding module: poly1305_generic
    adding module: rmd128
    adding module: rmd160
    adding module: rmd256
    adding module: rmd320
    adding module: salsa20_generic
    adding module: seed
    adding module: sha3_generic
    adding module: sm3_generic
    adding module: sm4_generic
    adding module: streebog_generic
    adding module: tcrypt
    adding module: tea
    adding module: tgr192
    adding module: twofish_generic
    adding module: vmac
    adding module: wp512
    adding module: xcbc
    adding module: xxhash_generic
    adding module: amlogic-gxl-crypto
    adding module: atmel-ecc
    adding module: atmel-i2c
    adding module: atmel-sha204a
    adding module: n5pf
    adding file: /usr/lib/firmware/cavium/cnn55xx_se.fw
    adding module: ccp-crypto
    adding module: ccp
    adding module: ccree
    adding module: chcr
    adding module: cxgb4
    adding file: /usr/lib/firmware/cxgb4/t6fw.bin
    adding file: /usr/lib/firmware/cxgb4/t5fw.bin
    adding file: /usr/lib/firmware/cxgb4/t4fw.bin
    adding module: crypto_safexcel
    adding module: padlock-aes
    adding module: padlock-sha
    adding module: qat_c3xxx
    adding module: intel_qat
    adding file: /usr/lib/firmware/qat_c3xxx_mmp.bin
    adding file: /usr/lib/firmware/qat_c3xxx.bin
    adding module: qat_c3xxxvf
    adding module: qat_c62x
    adding file: /usr/lib/firmware/qat_c62x_mmp.bin
    adding file: /usr/lib/firmware/qat_c62x.bin
    adding module: qat_c62xvf
    adding module: qat_dh895xcc
    adding file: /usr/lib/firmware/qat_895xcc_mmp.bin
    adding file: /usr/lib/firmware/qat_895xcc.bin
    adding module: qat_dh895xccvf
    adding module: virtio_crypto
    adding module: libblake2s
    adding module: libchacha20poly1305
    adding module: libcurve25519
    provision new file /usr/lib/udev/rules.d/10-dm.rules -> /usr/lib/udev/rules.d/10-dm.rules 
    adding file: /usr/lib/udev/rules.d/10-dm.rules
    provision new file /usr/lib/initcpio/udev/11-dm-initramfs.rules -> /usr/lib/udev/rules.d/11-dm-initramfs.rules 
    adding file: /usr/lib/udev/rules.d/11-dm-initramfs.rules
    provision new file /usr/lib/udev/rules.d/13-dm-disk.rules -> /usr/lib/udev/rules.d/13-dm-disk.rules 
    adding file: /usr/lib/udev/rules.d/13-dm-disk.rules
    provision new file /usr/lib/udev/rules.d/95-dm-notify.rules -> /usr/lib/udev/rules.d/95-dm-notify.rules 
    adding file: /usr/lib/udev/rules.d/95-dm-notify.rules
    provision new file /usr/lib/systemd/system/cryptsetup.target -> /usr/lib/systemd/system/cryptsetup.target 
    adding file: /usr/lib/systemd/system/cryptsetup.target
    provision new file /usr/lib/systemd/system/cryptsetup-pre.target -> /usr/lib/systemd/system/cryptsetup-pre.target 
    adding file: /usr/lib/systemd/system/cryptsetup-pre.target
    provision new binary /usr/lib/systemd/systemd-cryptsetup
    adding file: /usr/lib/systemd/systemd-cryptsetup
    provision new binary /usr/lib/systemd/system-generators/systemd-cryptsetup-generator
    adding file: /usr/lib/systemd/system-generators/systemd-cryptsetup-generator
    reuse present binary /usr/lib/systemd/system-generators/systemd-fstab-generator
    provision new binary /usr/bin/systemd-ask-password
    adding file: /usr/bin/systemd-ask-password
    provision new binary /usr/lib/systemd/systemd-reply-password
    adding file: /usr/lib/systemd/systemd-reply-password
    provision new binary /usr/bin/systemd-tty-ask-password-agent
    adding file: /usr/bin/systemd-tty-ask-password-agent
    provision new binary /usr/lib/libgcc_s.so.1
    adding file: /usr/lib/libgcc_s.so.1
    replace path /usr/lib/systemd/system/systemd-ask-password-console.path
    create empty file /usr/lib/systemd/system/systemd-ask-password-console.path 
    adding file: /usr/lib/systemd/system/systemd-ask-password-console.path
    replace path /usr/lib/systemd/system/systemd-ask-password-wall.path
    create empty file /usr/lib/systemd/system/systemd-ask-password-wall.path 
    adding file: /usr/lib/systemd/system/systemd-ask-password-wall.path
    adding symlink: /etc/systemd/system/sysinit.target.wants/initrd-cryptsetup.path -> /usr/lib/systemd/system/initrd-cryptsetup.path

When I try to build it from a chroot (arch-chroot), the log has only:


  -> Running build hook: [/usr/lib/initcpio/install/systemd-tool]
    provisioning initrd systemd units
    processing systemd unit initrd-network.service
    resolved service unit path: /usr/lib/systemd/system/initrd-network.service
    producing initramfs unit file: /usr/lib/systemd/system/initrd-network.service
    adding dir: /etc/systemd/system/sysinit.target.wants
    adding symlink: /etc/systemd/system/sysinit.target.wants/initrd-network.service -> /usr/lib/systemd/system/initrd-network.service
    processing systemd unit initrd-shell.service
    resolved service unit path: /usr/lib/systemd/system/initrd-shell.service
    producing initramfs unit file: /usr/lib/systemd/system/initrd-shell.service
    adding symlink: /etc/systemd/system/sysinit.target.wants/initrd-shell.service -> /usr/lib/systemd/system/initrd-shell.service
    processing systemd unit initrd-dropbear.service
    resolved service unit path: /usr/lib/systemd/system/initrd-dropbear.service
    producing initramfs unit file: /usr/lib/systemd/system/initrd-dropbear.service
    adding symlink: /etc/systemd/system/sysinit.target.wants/initrd-dropbear.service -> /usr/lib/systemd/system/initrd-dropbear.service
    processing systemd unit initrd-util-usb-hcd.service
    resolved service unit path: /usr/lib/systemd/system/initrd-util-usb-hcd.service
    producing initramfs unit file: /usr/lib/systemd/system/initrd-util-usb-hcd.service
    adding symlink: /etc/systemd/system/sysinit.target.wants/initrd-util-usb-hcd.service -> /usr/lib/systemd/system/initrd-util-usb-hcd.service
    processing systemd unit initrd-cryptsetup.path
    resolved service unit path: /usr/lib/systemd/system/initrd-cryptsetup.path
    producing initramfs unit file: /usr/lib/systemd/system/initrd-cryptsetup.path
    adding symlink: /etc/systemd/system/sysinit.target.wants/initrd-cryptsetup.path -> /usr/lib/systemd/system/initrd-cryptsetup.path

I have that problem on all machines, on a clean install too. In which direction should I look?
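A check that can be run over the `mkinitcpio -v` output to tell the two logs above apart, as an added example (not part of the issue or of the project's code): it reports when the hook processed units but performed no provisioning at all, and when `/etc/group`, `/etc/passwd` or `/etc/shadow` were copied into the image without a later `do_secret_clean` `sed`. The function name, the prefix list and the three sample logs are assumptions constructed from the lines quoted above.

```python
import re

# Line prefixes showing that the hook acted on a unit's directives.
# Assumption: the list is taken from the verbose log quoted in the issue.
PROVISION_PREFIXES = (
    "provision new", "reuse present", "reuse path", "replace path",
    "create empty", "make symbolic link", "call in-line", "invoke command",
)
# Account databases that the log shows being copied and then scrubbed.
SECRET_FILES = ("/etc/group", "/etc/passwd", "/etc/shadow")

UNIT_RE = re.compile(r"^processing systemd unit (\S+)$")
COPY_RE = re.compile(r"^provision new file (\S+) -> (\S+)")


def audit_build_log(text):
    """Summarise a `mkinitcpio -v` log produced with the systemd-tool hook."""
    units = []             # units seen, in order, without repeats
    provision_actions = 0  # lines matching PROVISION_PREFIXES
    pending = {}           # secret file -> line number of its unscrubbed copy
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        unit = UNIT_RE.match(line)
        if unit:
            if unit.group(1) not in units:
                units.append(unit.group(1))
            continue
        if line.startswith(PROVISION_PREFIXES):
            provision_actions += 1
        copy = COPY_RE.match(line)
        if copy and copy.group(2) in SECRET_FILES:
            pending[copy.group(2)] = number  # a fresh copy needs a new scrub
            continue
        # A scrub is a successful `sed ... /!d <build root>/etc/<file>`.
        if line.startswith("command success: sed") and "/!d " in line:
            target = line.split()[-1]
            for path in SECRET_FILES:
                if target.endswith(path):
                    pending.pop(path, None)
    return {
        "units": units,
        "provision_actions": provision_actions,
        "hook_skipped_provisioning": bool(units) and provision_actions == 0,
        "unscrubbed": sorted(pending),
    }


# Constructed samples, shortened from the log lines quoted in the issue.
# The temporary directory name is a placeholder.
HEALTHY_LOG = """
  -> Running build hook: [/usr/lib/initcpio/install/systemd-tool]
    processing systemd unit initrd-shell.service
    reuse present binary /usr/bin/sulogin
    replace path /etc/shadow
    provision new file /etc/shadow -> /etc/shadow
    adding file: /etc/shadow
    invoke command [do_secret_clean] for script /usr/lib/mkinitcpio-systemd-tool/initrd-build.sh in unit /usr/lib/systemd/system/initrd-shell.service
    command success: sed -i -r -e /^root:.*|^systemd-.*/!d /tmp/mkinitcpio.XXXXXX/root/etc/shadow
"""

CHROOT_LOG = """
  -> Running build hook: [/usr/lib/initcpio/install/systemd-tool]
    processing systemd unit initrd-shell.service
    resolved service unit path: /usr/lib/systemd/system/initrd-shell.service
    producing initramfs unit file: /usr/lib/systemd/system/initrd-shell.service
    processing systemd unit initrd-dropbear.service
    resolved service unit path: /usr/lib/systemd/system/initrd-dropbear.service
    producing initramfs unit file: /usr/lib/systemd/system/initrd-dropbear.service
"""

# Constructed failure case: the copy is logged but no scrub follows it.
NO_SCRUB_LOG = """
    processing systemd unit initrd-shell.service
    replace path /etc/shadow
    provision new file /etc/shadow -> /etc/shadow
    adding file: /etc/shadow
"""

if __name__ == "__main__":
    for name, log in (("healthy", HEALTHY_LOG), ("chroot", CHROOT_LOG),
                      ("no scrub", NO_SCRUB_LOG)):
        print(name, audit_build_log(log))
```

Run it against the real file with `audit_build_log(open("/tmp/initrd.log").read())`; a log like the chroot one gives `hook_skipped_provisioning` set to true, which means the image carries the unit files but none of the binaries, keys or configuration they need.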

Add openssh support

Tinyssh and dropbear are lightweight, but they don't have many of the needed preferences. Maybe it would be useful to add openssh support? With a service which copies the system's openssh configuration to the initramfs: ports, users, hostkeys (very important), ciphers, etc.
