Your message dated Sat, 3 Jun 2023 17:13:47 +0200
with message-id <[email protected]>
and subject line Bug#967921: dracut-core: cryptsetups tmpfile
has caused the Debian Bug report #967921,
regarding dracut-core: Missing tmpfiles.d/cryptsetup.conf triggers cryptsetup 
"WARNING: Locking directory /run/cryptsetup is missing!" warning
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
967921: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=967921
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: dracut-core
Version: 050+65-1
Severity: important
X-Debbugs-Cc: [email protected]

It seems like dracut is forgetting to include
/usr/lib/tmpfiles.d/cryptsetup.conf in the initrd image, which in turn
means that cryptsetup has to create its locking directory on the fly:

```
systemd[1]: Starting Cryptography Setup for sda5_crypt...
systemd[403]: systemd-cryptsetup@sda5_crypt.service: Executing: /lib/systemd/systemd-cryptsetup attach sda5_crypt /dev/dis
systemd-cryptsetup[403]: Allocating context for crypt device /dev/disk/by-uuid/abce6225-09ba-4b57-93b8-dda42635eafd.
systemd-cryptsetup[403]: Trying to open and read device /dev/disk/by-uuid/abce6225-09ba-4b57-93b8-dda42635eafd with direct
systemd-cryptsetup[403]: Initialising device-mapper backend library.
systemd-cryptsetup[403]: dm version   [ opencount flush ]   [16384] (*1)
systemd-cryptsetup[403]: dm versions   [ opencount flush ]   [16384] (*1)
systemd-cryptsetup[403]: Detected dm-ioctl version 4.42.0.
systemd-cryptsetup[403]: Device-mapper backend running with UDEV support enabled.
systemd-cryptsetup[403]: dm status sda5_crypt  [ opencount noflush ]   [16384] (*1)
systemd-cryptsetup[403]: Trying to load any crypt type from device /dev/disk/by-uuid/abce6225-09ba-4b57-93b8-dda42635eafd.
systemd-cryptsetup[403]: Crypto backend (OpenSSL 1.1.1g  21 Apr 2020) initialized in cryptsetup library version 2.3.3.
systemd-cryptsetup[403]: Detected kernel Linux 5.7.0-2-amd64 x86_64.
systemd-cryptsetup[403]: Loading LUKS2 header (repair disabled).
systemd-cryptsetup[403]: Acquiring read lock for device /dev/disk/by-uuid/abce6225-09ba-4b57-93b8-dda42635eafd.
systemd-cryptsetup[403]: WARNING: Locking directory /run/cryptsetup is missing!
systemd-cryptsetup[403]: Opening lock resource file /run/cryptsetup/L_8:5
systemd-cryptsetup[403]: Verifying lock handle for /dev/disk/by-uuid/abce6225-09ba-4b57-93b8-dda42635eafd.
systemd-cryptsetup[403]: Device /dev/disk/by-uuid/abce6225-09ba-4b57-93b8-dda42635eafd READ lock taken.
systemd-cryptsetup[403]: Trying to read primary LUKS2 header at offset 0x0.
systemd-cryptsetup[403]: Opening locked device /dev/disk/by-uuid/abce6225-09ba-4b57-93b8-dda42635eafd
systemd-cryptsetup[403]: Veryfing locked device handle (bdev)
systemd-cryptsetup[403]: LUKS2 header version 2 of size 16384 bytes, checksum sha256.
```

According to upstream, this should in fact be fatal, but as a
work-around they create the directory with default permissions anyway:
  https://gitlab.com/cryptsetup/cryptsetup/-/merge_requests/99#note_390506222

This does not happen with `initramfs-tools`, but apparently because they
just bite the bullet and manually create it (perhaps that should be a
bug too):

```
/usr/share/initramfs-tools/scripts/local-top/cryptroot:
    # Create locking directory before invoking cryptsetup(8) to avoid warnings
    mkdir -pm0700 /run/cryptsetup
```

`dracut` does something similar in its scripts, but apparently in my
system systemd takes over and said script is never run, or run too late?

```
/usr/lib/dracut/modules.d/90crypt/cryptroot-ask.sh:
    mkdir -p -m 0700 /run/cryptsetup
```

So, I believe perhaps the above directory might follow upstream
recommendation and be created in a tmpfiles.d configuration file.

Note that /usr/lib/tmpfiles.d/cryptsetup.conf is installed by
`cryptsetup-bin`.

I'll report a similar bug in initramfs-tools.

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.7.0-2-amd64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages dracut-core depends on:
ii  bash        5.0-6
ii  cpio        2.13+dfsg-2
ii  e2fsprogs   1.45.6-1
ii  kmod        27+20200310-2
ii  kpartx      0.8.4-3
ii  libc6       2.31-2
ii  libkmod2    27+20200310-2
ii  pkg-config  0.29.2-1
ii  udev        246-2
ii  util-linux  2.36-2

Versions of packages dracut-core recommends:
ii  binutils       2.35-1
ii  console-setup  1.196
ii  cryptsetup     2:2.3.3-1+b1
pn  dmraid         <none>
ii  dmsetup        2:1.02.171-2
ii  lvm2           2.03.09-2
pn  mdadm          <none>
ii  pigz           2.4-1+b1
ii  systemd        246-2

dracut-core suggests no packages.

-- no debconf information

--- End Message ---
--- Begin Message ---
Package: dracut-core
Version: 055-1

The fix was included in 055 upstream.

-- 

--- End Message ---
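
The check below is an added example, not part of the bug thread or of either package: it counts the warning in journal text, tests whether a tmpfiles.d file creates /run/cryptsetup with mode 0700, and reports the state of the directory itself. The function names are hypothetical, and the 0700 mode is the one used by the `mkdir` calls quoted in the report.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from dracut or cryptsetup.

LOCK_DIR=/run/cryptsetup   # locking directory named in the warning

# Read journal text on stdin; print how many times cryptsetup warned
# that its locking directory was missing.
count_lock_warnings() {
    grep -c 'WARNING: Locking directory .* is missing!' || true
}

# tmpfiles_creates_dir CONF [DIR]: succeed if CONF contains a tmpfiles.d
# "d" or "D" line that creates DIR with mode 0700.
tmpfiles_creates_dir() {
    [ -r "$1" ] || return 2
    awk -v dir="${2:-$LOCK_DIR}" '
        NF == 0 || $1 ~ /^#/ { next }
        ($1 == "d" || $1 == "D") && $2 == dir && $3 ~ /^0?700$/ { ok = 1 }
        END { exit !ok }' "$1"
}

# lock_dir_state [DIR]: print ok, missing, symlink or mode:<octal>;
# return 0 only for a real directory with mode 0700.
lock_dir_state() {
    d=${1:-$LOCK_DIR}
    if [ -L "$d" ]; then echo symlink; return 1; fi
    if [ ! -d "$d" ]; then echo missing; return 1; fi
    m=$(stat -c %a "$d") || return 2
    if [ "$m" = 700 ]; then echo ok; return 0; fi
    echo "mode:$m"; return 1
}

# Two lines excerpted from the log in the report, for an offline run.
sample_log() {
    cat <<'EOF'
systemd-cryptsetup[403]: WARNING: Locking directory /run/cryptsetup is missing!
systemd-cryptsetup[403]: Opening lock resource file /run/cryptsetup/L_8:5
EOF
}

# "sh thisfile --audit" checks the running system after boot.
if [ "${1:-}" = --audit ]; then
    journalctl -b | count_lock_warnings
    tmpfiles_creates_dir /usr/lib/tmpfiles.d/cryptsetup.conf || echo "no tmpfiles.d entry"
    lock_dir_state
fi
```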