[Bug 2031179] Re: systemd-cryptsetup-generator does not understand :timeout parameter used with "passdev"
Nick Rosbrook
2031179 at bugs.launchpad.net
Fri Aug 11 18:44:24 UTC 2023
systemd has its own crypttab format/implementation [1], and the
documentation you cite is Debian's implementation for sysv and initramfs
scripts[2].
But, you should be able to achieve the desired behavior by appending
keyfile-timeout=5s to the options. See [3][4] for more information and
examples.
[1] https://www.freedesktop.org/software/systemd/man/crypttab.html
[2] https://manpages.debian.org/unstable/cryptsetup/crypttab.5.en.html#ON_DIFFERENT_CRYPTTAB_FORMATS
[3] https://www.freedesktop.org/software/systemd/man/crypttab.html#keyfile-timeout=
[4] https://www.freedesktop.org/software/systemd/man/crypttab.html#Examples
** Changed in: systemd (Ubuntu)
Status: New => Invalid
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/2031179
Title:
systemd-cryptsetup-generator does not understand :timeout parameter
used with "passdev"
Status in systemd package in Ubuntu:
Invalid
Bug description:
I have the following line in my /etc/crypttab file (UUID & volume
names obfuscated):
sdxx_crypt UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx /dev/disk/by-label/XXXXXXX16GB:/desktop_Linux.key:5 luks,discard,noauto,keyscript=/lib/cryptsetup/scripts/passdev
This decrypts the LUKS volume containing my /, /home & swap
partitions, and is correctly handled by initramfs since my PC boots
fine.
But since upgrading from kernel 5.19.0-50-generic to 6.2.0-26-generic,
I've noticed a 90 second booting delay, with the following messages
(extracted from the journal) visible during the delay:
Aug 11 07:24:58 xxxx systemd[1]: dev-disk-by\x2dlabel-XXXXXXX16GB:-desktop_Linux.key:5.device: Job dev-disk-by\x2dlabel-XXXXXXX16GB:-desktop_Linux.key:5.device/start timed out.
Aug 11 07:24:58 xxxx systemd[1]: Timed out waiting for device /dev/disk/by-label/XXXXXXX16GB:/desktop_Linux.key:5.
Aug 11 07:24:58 xxxx systemd[1]: Dependency failed for Cryptography Setup for sdxx_crypt.
Aug 11 07:24:58 xxxx systemd[1]: systemd-cryptsetup@sdxx_crypt.service: Job systemd-cryptsetup@sdxx_crypt.service/start failed with result 'dependency'.
Aug 11 07:24:58 xxxx systemd[1]: dev-disk-by\x2dlabel-XXXXXXX16GB:-desktop_Linux.key:5.device: Job dev-disk-by\x2dlabel-XXXXXXX16GB:-desktop_Linux.key:5.device/start failed with result 'timeout'.
Aug 11 07:24:58 xxxx systemd[1]: Reached target Block Device Preparation for /dev/mapper/sdxx_crypt.
Aug 11 07:24:58 xxxx systemd[1]: Reached target Local Encrypted Volumes.
It turns out that I also had these messages before the upgrade, but until now they weren't causing SystemD to wait for 90 seconds before continuing.
My bug report is NOT about SystemD's sudden 90 second delay (which may be reasonable), but rather the underlying problem pointed to by these messages.
I have been able to get rid of these messages (and the 90 second delay)
by removing the optional ":5" timeout parameter after my keyfile path:
sdxx_crypt UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx /dev/disk/by-label/XXXXXXX16GB:/desktop_Linux.key luks,discard,noauto,keyscript=/lib/cryptsetup/scripts/passdev
I believe this indicates that "systemd-cryptsetup-generator" doesn't understand the optional timeout parameter, even though it is legal & documented:
https://cryptsetup-team.pages.debian.net/cryptsetup/README.initramfs.html#the-passdev-keyscript
When the timeout parameter is present, I think it misinterprets the device:volume:timeout as just a device name. (If it is treating the second colon as if it was the first/only one then the fix may be trivially easy.)
Here is what the problematic mount file (/run/systemd/generator/systemd-cryptsetup@sdxx_crypt.service) generated by it looks like:
# Automatically generated by systemd-cryptsetup-generator
[Unit]
Description=Cryptography Setup for %I
Documentation=man:crypttab(5) man:systemd-cryptsetup-generator(8) man:systemd-cryptsetup@.service(8)
SourcePath=/etc/crypttab
DefaultDependencies=no
IgnoreOnIsolate=true
After=cryptsetup-pre.target systemd-udevd-kernel.socket
Before=blockdev@dev-mapper-%i.target
Wants=blockdev@dev-mapper-%i.target
Conflicts=umount.target
Before=cryptsetup.target
After=dev-disk-by\x2dlabel-XXXXXXX16GB:-desktop_Linux.key:5.device
Requires=dev-disk-by\x2dlabel-XXXXXXX16GB:-desktop_Linux.key:5.device
BindsTo=dev-disk-by\x2duuid-xxxxxxxx\x2dxxxx\x2dxxxx\x2dxxxx\x2dxxxxxxxxxxxx.device
After=dev-disk-by\x2duuid-xxxxxxxx\x2dxxxx\x2dxxxx\x2dxxxx\x2dxxxxxxxxxxxx.device
Before=umount.target
[Service]
Type=oneshot
RemainAfterExit=yes
TimeoutSec=0
KeyringMode=shared
OOMScoreAdjust=500
ExecStart=/lib/systemd/systemd-cryptsetup attach 'sdxx_crypt' '/dev/disk/by-uuid/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' '/dev/disk/by-label/XXXXXXX16GB:/desktop_Linux.key:5' 'luks,discard,noauto,keyscript=/lib/cryptsetup/scripts/passdev'
ExecStop=/lib/systemd/systemd-cryptsetup detach 'sdxx_crypt'
And here is what the same file looks like after the :5 timeout has been removed:
# Automatically generated by systemd-cryptsetup-generator
[Unit]
Description=Cryptography Setup for %I
Documentation=man:crypttab(5) man:systemd-cryptsetup-generator(8) man:systemd-cryptsetup@.service(8)
SourcePath=/etc/crypttab
DefaultDependencies=no
IgnoreOnIsolate=true
After=cryptsetup-pre.target systemd-udevd-kernel.socket
Before=blockdev@dev-mapper-%i.target
Wants=blockdev@dev-mapper-%i.target
Conflicts=umount.target
After=run-systemd-cryptsetup-keydev\x2dsdxx_crypt.mount
Requires=run-systemd-cryptsetup-keydev\x2dsdxx_crypt.mount
Wants=keydev-sdxx_crypt-umount.service
Before=keydev-sdxx_crypt-umount.service
Before=cryptsetup.target
BindsTo=dev-disk-by\x2duuid-xxxxxxxx\x2dxxxx\x2dxxxx\x2dxxxx\x2dxxxxxxxxxxxx.device
After=dev-disk-by\x2duuid-xxxxxxxx\x2dxxxx\x2dxxxx\x2dxxxx\x2dxxxxxxxxxxxx.device
Before=umount.target
[Service]
Type=oneshot
RemainAfterExit=yes
TimeoutSec=0
KeyringMode=shared
OOMScoreAdjust=500
ExecStart=/lib/systemd/systemd-cryptsetup attach 'sdxx_crypt' '/dev/disk/by-uuid/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' '/run/systemd/cryptsetup/keydev-sdxx_crypt/dev/disk/by-label/XXXXXXX16GB' 'luks,discard,noauto,keyscript=/lib/cryptsetup/scripts/passdev'
ExecStop=/lib/systemd/systemd-cryptsetup detach 'sdxx_crypt'
I am using Ubuntu 22.04.3 LTS.
~$ apt-cache policy systemd
systemd:
Installed: 249.11-0ubuntu3.9
Candidate: 249.11-0ubuntu3.9
Version table:
*** 249.11-0ubuntu3.9 500
500 http://gb.archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
100 /var/lib/dpkg/status
249.11-0ubuntu3.7 500
500 http://security.ubuntu.com/ubuntu jammy-security/main amd64 Packages
249.11-0ubuntu3 500
500 http://gb.archive.ubuntu.com/ubuntu jammy/main amd64 Packages
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/2031179/+subscriptions
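An audit of crypttab entries for the mismatch discussed in this thread, as an added example that is not part of the original messages or of systemd or cryptsetup: it finds entries whose key field uses Debian's passdev form (device:path with an optional :timeout) and reports the systemd crypttab(5) equivalent, which puts the path first and carries the timeout in the keyfile-timeout= option. The function and field names are hypothetical, the sample file is constructed (its first entry mirrors the obfuscated line in the report), and the suggested form is for volumes that systemd unlocks, since the Debian initramfs scripts read the passdev form.

```python
import re
from typing import NamedTuple, Optional

# Constructed sample: the first entry mirrors the report's obfuscated line,
# the other two are made up for contrast.
SAMPLE_CRYPTTAB = """\
# <name> <source device> <key> <options>
sdxx_crypt UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx /dev/disk/by-label/XXXXXXX16GB:/desktop_Linux.key:5 luks,discard,noauto,keyscript=/lib/cryptsetup/scripts/passdev
data_crypt /dev/sdb1 none luks
ext_crypt /dev/sdc1 /key.bin:LABEL=keydev luks,keyfile-timeout=10s
"""

# Debian passdev key field: <device>:<path>[:<timeout in seconds>].
# Assumption: the device spec itself contains no colon.
PASSDEV_KEY = re.compile(r"^(?P<device>[^:]+):(?P<path>/[^:]+)(?::(?P<timeout>\d+))?$")

class Finding(NamedTuple):
    name: str
    device: str
    path: str
    timeout: Optional[int]
    systemd_key: str               # systemd crypttab(5) form: <path>:<device>
    systemd_option: Optional[str]  # keyfile-timeout=<n>s when a timeout was given

def audit_crypttab(text: str) -> list[Finding]:
    """Return one Finding per entry that pairs keyscript=.../passdev with a passdev-style key."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].startswith("#"):
            continue  # comment, blank line, or entry without an options field
        name, _source, key, options = fields[:4]
        uses_passdev = any(o.startswith("keyscript=") and o.endswith("/passdev")
                           for o in options.split(","))
        m = PASSDEV_KEY.match(key)
        if not (uses_passdev and m):
            continue
        timeout = int(m["timeout"]) if m["timeout"] else None
        findings.append(Finding(
            name, m["device"], m["path"], timeout,
            f"{m['path']}:{m['device']}",
            f"keyfile-timeout={timeout}s" if timeout is not None else None))
    return findings

if __name__ == "__main__":
    for f in audit_crypttab(SAMPLE_CRYPTTAB):
        print(f"{f.name}: passdev key on {f.device}, file {f.path}, timeout {f.timeout}")
        print(f"  systemd form: key field {f.systemd_key!r}, option {f.systemd_option!r}")
```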