How to set up services depending on encrypted filesystems with systemd (was Re: How to do this ?)
Jonathan Dowland:
> Next step, adjust the daemon to depend on this. In my example,
> transmission-daemon supplies a .service file in the package. Copy this to
> /etc/systemd/system, and add a line (the line prefixed +):
>
> > [Unit]
> > Description=Transmission BitTorrent Daemon
> > After=network.target
> > +Requires=torrents.mount
> >
> > [Service]
> > User=debian-transmission

That's certainly the case for Debian 7, but in Debian 8 I believe that the systemd package will have this later growth of the mechanism:

# the drop-in directory must exist before the file is written
mkdir -p /etc/systemd/system/transmission-daemon.service.d
cat > /etc/systemd/system/transmission-daemon.service.d/requires-mount.conf << EOT
[Unit]
Requires=torrents.mount
EOT
systemctl daemon-reload

Obvious intended advantage: If the transmission-daemon changes its service unit, you'll get the change in your next package upgrade without further explicit work updating your private local copy of the unit file.

* https://wiki.archlinux.org/index.php/systemd#Editing_provided_unit_files
* https://fedoraproject.org/wiki/Systemd#How_do_I_customize_a_unit_file.2F_add_a_custom_unit_file.3F
* ... and, of course, the (up-to-date) manual page for systemd.unit .

--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/CACF=bdvdowfghwv4z2l2iub5au9n9kxmfss76m-we52fdhr...@mail.gmail.com
How to set up services depending on encrypted filesystems with systemd (was Re: How to do this ?)
Hi Erwan,

Firstly I've changed the subject for this thread because the original was not terribly descriptive.

On Mon, Oct 13, 2014 at 07:57:00AM +0100, Jonathan Dowland wrote:
> On Sun, Oct 12, 2014 at 09:40:44PM +0200, Erwan David wrote:
> > And how to do this is a big problem. There are many mans but to use them
> > you must know what you are looking for.
>
> I plan to come back and fill this in with the specifics as I have a similar
> problem to solve. I'm confident it's not hard.

OK, I have 90% of the problem solved, here's the solution, first, let's ignore luks disks for the time being and instead outline the solution with a simple mount.

Imagine you have a simple mount at /torrents that you want to be there before the transmission-daemon service is started. You must write a systemd unit file of the "mount" type, named "torrents.mount"[1] containing something like the following. In this example, the source filesystem has a label "torrents", but you could use a hard path (/dev/mapper/cryptdisk_front) instead.

> [Mount]
> What=LABEL=torrents
> Where=/torrents

Drop that in /etc/systemd/system, possibly run "systemctl daemon-reload", and you can do "systemctl start /torrents", "systemctl stop /torrents".

Next step, adjust the daemon to depend on this. In my example, transmission-daemon supplies a .service file in the package. Copy this to /etc/systemd/system, and add a line (the line prefixed +):

> [Unit]
> Description=Transmission BitTorrent Daemon
> After=network.target
> +Requires=torrents.mount
>
> [Service]
> User=debian-transmission

After another "systemctl daemon-reload", you should find that starting that daemon with the filesystem unmounted will first mount it. Great.

So the other part of the puzzle for you was the LUKS filesystem. I got this working but there may be some improvements that can be made to the below.

I created a test luks filesystem using "luksformat", the backing device in my case is /dev/qusp_vg/cryptback, I wrote the following line into /etc/crypttab:

> front /dev/qusp_vg/cryptback none luks,noauto

I now ran (by hand)

/lib/systemd/system-generators/systemd-cryptsetup-generator

This is run by systemd in the early boot phase, and might possibly be run by "daemon-reload". It's supposed to generate systemd unit files corresponding to the entries in /etc/crypttab. And indeed, when run by hand like that, it has done so for me, into

/tmp/systemd-cryptsetup@front.service

If I drop that into /etc/systemd/system and use "systemctl status systemd-cryptsetup@front.service", I can see it is recognised, and a "systemctl start systemd-cryptsetup@front.service" results in /dev/mapper/front appearing, after prompting me for the password (and they have a fairly intelligent password prompt it would appear).

I'm going to stop here for tonight, but I don't think it will be much work to clean up this last service file (it looks like some of the stuff that has been included by systemd-cryptsetup-generator can be stripped out) and then set up the chain of dependencies so transmission-daemon -> /torrents -> /dev/mapper/front, and after that, starting transmission-daemon will cause the luks FS to be mounted after prompting for the password.

[1] the naming convention is to replace any slashes in the path with dashes, after removing any prefixed or suffixed slashes. So, /torrents -> torrents, but /home/jon would be home-jon.
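The dependency chain described above (transmission-daemon -> /torrents -> /dev/mapper/front), as an added example that is not part of the original post: a shell script that derives the mount unit name per footnote [1] and writes the mount unit and a service drop-in into a staging directory. It goes beyond the footnote by escaping a literal "-" as \x2d, as systemd does; the function names, the staging directory and the explicit Requires=/After= on systemd-cryptsetup@front.service are assumptions.

```sh
#!/bin/sh
# Added example, not code from the thread. Names (/torrents, front,
# transmission-daemon) are the thread's; function names are hypothetical.

# Unit name for a mount point, per footnote [1]: drop leading/trailing
# slashes, then "/" becomes "-". A literal "-" is escaped as \x2d, as
# systemd does. Other special characters are refused (simplification).
mount_unit_name() {
    p=$(printf '%s' "$1" | sed -e 's#//*#/#g' -e 's#^/##' -e 's#/$##')
    if [ -z "$p" ]; then
        printf '%s\n' '-.mount'    # the root file system
        return 0
    fi
    case $p in
        .*|*[!A-Za-z0-9:_./-]*) return 1 ;;
    esac
    printf '%s.mount\n' "$(printf '%s' "$p" | sed -e 's#-#\\x2d#g' -e 's#/#-#g')"
}

# Write the chain service -> mount -> LUKS mapping into staging dir $4.
# Assumption: /etc/crypttab has an entry named $2 (e.g. "front"), so that
# systemd-cryptsetup@$2.service exists. $2 must be a plain name here.
write_chain() {
    mnt=$1; mapper=$2; service=$3; out=$4
    unit=$(mount_unit_name "$mnt") || return 1
    mkdir -p "$out/$service.service.d" || return 1

    # No [Install] section: the mount is not part of the normal boot and
    # only starts on demand, after the passphrase has been entered.
    cat > "$out/$unit" <<EOF
[Unit]
Description=Encrypted filesystem on $mnt
# Requires= pulls the unit in, After= waits for it to finish starting.
Requires=systemd-cryptsetup@$mapper.service
After=systemd-cryptsetup@$mapper.service

[Mount]
What=/dev/mapper/$mapper
Where=$mnt
EOF

    # Drop-in instead of a private copy of the packaged unit file.
    cat > "$out/$service.service.d/requires-mount.conf" <<EOF
[Unit]
Requires=$unit
After=$unit
EOF
    printf '%s\n' "$unit"
}

# Stand-alone use: sh chain.sh /torrents front transmission-daemon ./staging
if [ $# -eq 4 ]; then
    write_chain "$@"
fi
```

Review the generated files, then copy them to /etc/systemd/system and run "systemctl daemon-reload".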
Re: How to do this ?
On 13/10/2014 21:21, Andrei POPESCU wrote:
> On Lu, 13 oct 14, 12:16:25, Erwan David wrote:
>> That's a server, and the daemons & mount must survive logout.
>
> Your ~/.profile could contain commands like
>
> sudo service my-daemon start
>
> (used 'service' on purpose, since it will work with both sysv-rc and
> systemd)
>
> How about that policy-rc.d I asked for?
>
> Kind regards,
> Andrei

Here it is

#!/bin/sh

# /usr/sbin/policy-rc.d [options] []
# /usr/sbin/policy-rc.d [options] --list [ ...]
# See /usr/share/doc/sysv-rc/README.policy-rc.d for documentation.

# Live example scraped from ps:
# /bin/sh /usr/sbin/policy-rc.d x11-common stop unknown

###

if [ ! -r /etc/secure_services ]; then
    # No secure service -> Ok for everything
    exit 0
fi

##
# Defines the secure mount point and the services which must be started after
. /etc/secure_services

# exit 0 = action allowed, exit 101 = action forbidden by policy
do_check(){
    for test in $SECURE_SERVICES;do
        if [ "$1" = "$test" ];then
            case $2 in
                *start*)
                    if mountpoint -q "$SECURE_MOUNTPOINT"; then
                        exit 0
                    else
                        exit 101
                    fi;;
                *rotate*)
                    if mountpoint -q "$SECURE_MOUNTPOINT"; then
                        exit 0
                    else
                        exit 101
                    fi;;
                *)
                    exit 0
            esac
        fi
    done
    exit 0
}

if [ "X$SECURE_MOUNTPOINT" = "X" -o "X$SECURE_SERVICES" = "X" ];then
    # no secure mount point or no secure service defined -> Ok for everything
    exit 0
fi

while [ $# -gt 0 ]; do
    case $1 in
        --list) exit 101 ;;
        --quiet) shift ;;
        -*) shift ;;
        *)
            service=$1
            actions=$2
            do_check "$service" "$actions"
    esac
done

###
# default
exit 101

And /etc/secure_services is

#
# Mount point of encrypted file system
SECURE_MOUNTPOINT=/secure

# Services which need the encrypted file system
# space separated, they will be started in the order of the variable
SECURE_SERVICES="postgresql dspam slapd dovecot postfix apache2"
Re: How to do this ?
On Lu, 13 oct 14, 12:16:25, Erwan David wrote:
> That's a server, and the daemons & mount must survive logout.

Your ~/.profile could contain commands like

sudo service my-daemon start

(used 'service' on purpose, since it will work with both sysv-rc and systemd)

How about that policy-rc.d I asked for?

Kind regards,
Andrei
--
http://wiki.debian.org/FAQsFromDebianUser
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic
http://nuvreauspam.ro/gpg-transition.txt
Re: How to do this ?
On 13/10/2014 12:12, Darac Marjal wrote:
> On Fri, Oct 10, 2014 at 07:51:50PM +0200, Erwan David wrote:
>> I want to have a system which boots, and starts a subset of daemons.
>>
>> Then afterward I ssh to it, do something which 1) mount an encrypted
>> disk, 2) start other daemons (which depends on the encrypted disk).
> Personally, I'd look at using libpam-mount to mount the encrypted disk
> upon login (it's typically used to do this for /home/$USER, but there's
> no reason it shouldn't work for an arbitrary mount point) and then use
> your shell's login scripting (.profile or similar) to launch the
> daemons.

That's a server, and the daemons & mount must survive logout.
Re: How to do this ?
On Fri, Oct 10, 2014 at 07:51:50PM +0200, Erwan David wrote:
> I want to have a system which boots, and starts a subset of daemons.
>
> Then afterward I ssh to it, do something which 1) mount an encrypted
> disk, 2) start other daemons (which depends on the encrypted disk).

Personally, I'd look at using libpam-mount to mount the encrypted disk upon login (it's typically used to do this for /home/$USER, but there's no reason it shouldn't work for an arbitrary mount point) and then use your shell's login scripting (.profile or similar) to launch the daemons.

> I know how to do this with policy-rc.d, how can I do this with systemd ?
>
> I know this list may not be the best place to ask, feel free to point me
> to another way to get help.
Re: How to do this ?
On Sun, Oct 12, 2014 at 09:40:44PM +0200, Erwan David wrote:
> The mount unit requires the device to mount. How to do this with a luks
> disk ? And how to mount then, with the password entered in the ssh
> session and not on the console ?

It would be something like 'sudo systemctl start my-mount-service'. Is your disk labelled with a unique name? Does it have a unique UUID?

> And how to do this is a big problem. There are many mans but to use them
> you must know what you are looking for.

I plan to come back and fill this in with the specifics as I have a similar problem to solve. I'm confident it's not hard.
Re: How to do this ?
On 11/10/2014 18:45, Steve Litt wrote:
> On Sat, 11 Oct 2014 13:38:05 +0300
> Andrei POPESCU wrote:
>
>> On Vi, 10 oct 14, 19:51:50, Erwan David wrote:
>>> I want to have a system which boots, and starts a subset of daemons.
>>>
>>> Then afterward I ssh to it, do something which 1) mount an encrypted
>>> disk, 2) start other daemons (which depends on the encrypted disk).
>>>
>>> I know how to do this with policy-rc.d, how can I do this with
>>> systemd ?
>> My first thought on doing this with sysv-rc would have been runlevels,
>> why do you even need policy-rc.d?
> LOL, when I read the original question, I didn't answer because I
> thought he was insisting on a policy-rc solution.
>
> If policy-rc.d weren't required, and if it were me, the solution would
> be totally obvious, because I'm a daemontools type of guy...
>
> I'd put all the services to be started secondarily under daemontools.
> I'd have a directory somewhere, with empty filenames corresponding to
> the services I want to bring up secondarily: /home/slitt/servicelist or
> whatever.
>
> Then I'd make these shellscripts:
>
> #
> #!/bin/sh
> # this is uppp.sh
>
> if bring_up_encrypted_filesystem.sh; then
>   # servicelist is a directory; loop over the file names inside it
>   for f in /home/slitt/servicelist/*; do
>     s=$(basename "$f")
>     rm -f "/service/$s/down"
>     svc -u "/service/$s"
>   done
> else
>   handle_encrypt_up_error.sh
> fi
> #
>
> #
> #!/bin/sh
> # this is downnn.sh
>
> # servicelist is a directory; loop over the file names inside it
> for f in /home/slitt/servicelist/*; do
>   s=$(basename "$f")
>   touch "/service/$s/down"
>   svc -d "/service/$s"
> done
> if bring_down_encrypted_filesystem.sh; then
>   poweroff
> else
>   handle_encrypt_down_error.sh
> fi
> #
>
> Obviously I haven't tech-edited these, and also obvious I left a lot of
> stuff for the encrypted disk as an exercise for the reader, but
> basically:
>
> To boot up, you boot up, ssh in, and run uppp.sh
>
> To shut down, you ssh in, run downnn.sh.
>
> If you sometimes need to reboot instead of powering off, you could
> remove the shutdown from downnn.sh and just do it manually while you're
> ssh'ed in.
>
> HTH,
>
> SteveT
>
> Steve Litt* http://www.troubleshooters.com/
> Troubleshooting Training * Human Performance

The problem is not today's setting, which may not be perfect, but is functional, but the solution for when systemd is not avoidable.

However I retain the daemontools solution.
Re: How to do this ?
On 11/10/2014 20:20, Jonathan Dowland wrote:
>> On 10 Oct 2014, at 18:51, Erwan David wrote:
>>
>> how can I do this with systemd ?
> You'd write a systemd unit for the mount operation (there's a mount type)
> which wasn't hooked into the default multiuser target.

The mount unit requires the device to mount. How to do this with a luks disk ? And how to mount then, with the password entered in the ssh session and not on the console ?

> You'd then make the depending daemons have service files which depended on
> that mount unit (as opposed to multilevel). Specifics left as an exercise for
> now (on phone not laptop)

And how to do this is a big problem. There are many mans but to use them you must know what you are looking for.
Re: How to do this ?
> On 10 Oct 2014, at 18:51, Erwan David wrote:
>
> how can I do this with systemd ?

You'd write a systemd unit for the mount operation (there's a mount type) which wasn't hooked into the default multiuser target.

You'd then make the depending daemons have service files which depended on that mount unit (as opposed to multilevel). Specifics left as an exercise for now (on phone not laptop)
Re: How to do this ?
On Sat, 11 Oct 2014 13:38:05 +0300 Andrei POPESCU wrote:
> On Vi, 10 oct 14, 19:51:50, Erwan David wrote:
> > I want to have a system which boots, and starts a subset of daemons.
> >
> > Then afterward I ssh to it, do something which 1) mount an encrypted
> > disk, 2) start other daemons (which depends on the encrypted disk).
> >
> > I know how to do this with policy-rc.d, how can I do this with
> > systemd ?
>
> My first thought on doing this with sysv-rc would have been runlevels,
> why do you even need policy-rc.d?

LOL, when I read the original question, I didn't answer because I thought he was insisting on a policy-rc solution.

If policy-rc.d weren't required, and if it were me, the solution would be totally obvious, because I'm a daemontools type of guy...

I'd put all the services to be started secondarily under daemontools. I'd have a directory somewhere, with empty filenames corresponding to the services I want to bring up secondarily: /home/slitt/servicelist or whatever.

Then I'd make these shellscripts:

#
#!/bin/sh
# this is uppp.sh

if bring_up_encrypted_filesystem.sh; then
  # servicelist is a directory; loop over the file names inside it
  for f in /home/slitt/servicelist/*; do
    s=$(basename "$f")
    rm -f "/service/$s/down"
    svc -u "/service/$s"
  done
else
  handle_encrypt_up_error.sh
fi
#

#
#!/bin/sh
# this is downnn.sh

# servicelist is a directory; loop over the file names inside it
for f in /home/slitt/servicelist/*; do
  s=$(basename "$f")
  touch "/service/$s/down"
  svc -d "/service/$s"
done
if bring_down_encrypted_filesystem.sh; then
  poweroff
else
  handle_encrypt_down_error.sh
fi
#

Obviously I haven't tech-edited these, and also obvious I left a lot of stuff for the encrypted disk as an exercise for the reader, but basically:

To boot up, you boot up, ssh in, and run uppp.sh

To shut down, you ssh in, run downnn.sh.

If you sometimes need to reboot instead of powering off, you could remove the shutdown from downnn.sh and just do it manually while you're ssh'ed in.

HTH,

SteveT

Steve Litt* http://www.troubleshooters.com/
Troubleshooting Training * Human Performance
Re: How to do this ?
On Vi, 10 oct 14, 19:51:50, Erwan David wrote:
> I want to have a system which boots, and starts a subset of daemons.
>
> Then afterward I ssh to it, do something which 1) mount an encrypted
> disk, 2) start other daemons (which depends on the encrypted disk).
>
> I know how to do this with policy-rc.d, how can I do this with systemd ?

My first thought on doing this with sysv-rc would have been runlevels, why do you even need policy-rc.d?

My first thought would be targets, but it would be better if you would show us your policy-rc.d, because you might have dismissed runlevels for reasons you are not telling us.

> I know this list may not be the best place to ask, feel free to point me
> to another way to get help.

This is definitely the correct list for such a question.

Kind regards,
Andrei
Re: How to do this, fold + split
>> On Fri, 30 Dec 2011 15:09:13 + (UTC),
>> T o n g said:

T> I want to split a file every ### of chars. Is it possible not to split
T> on the word but word boundaries?

Yup, for certain meanings of "split". GNU fmt is part of "coreutils". Here's sample.txt (rulers added for readability):

me% cat sample.txt
*1*2*3*4*5*6*7*
Here is what I normally do. Here is a skeleton script that creates a temporary file, redirects all output there, then if there is output it emails it off. There are many ways to do this and I tinker it as needed.

me% gfmt -65 sample.txt
*1*2*3*4*5*6*7*
Here is what I normally do. Here is a skeleton script that creates a temporary file, redirects all output there, then if there is output it emails it off. There are many ways to do this and I tinker it as needed.

me% gfmt -75 sample.txt
*1*2*3*4*5*6*7*
Here is what I normally do. Here is a skeleton script that creates a temporary file, redirects all output there, then if there is output it emails it off. There are many ways to do this and I tinker it as needed.

If you want one word per line, which can be very handy:

me% gfmt -1 sample.txt
Here
is
what
[...]
as
needed.

--
Karl Vogel    I don't speak for the USAF or my company

A map with a bullet hole in it is still a map.
A computer with a bullet hole in it is a paper-weight.
--why soldiers tend to like paper
Re: How to do this, fold + split
T o n g wrote:
> I want to split a file every ### of chars. Is it possible not to split on
> the word but word boundaries?

Use Awk or Sed.
--
John Hasler
Re: How to do this, fold + split
On Fri, 30 Dec 2011 15:09:13 +, T o n g wrote:
> I want to split a file every ### of chars. Is it possible not to split
> on the word but word boundaries?

I first thought of "awk" but Google suggested "fold":

sm01@stt008:~$ cat Desktop/text.txt
thisis a sample text file to seehow thescript work s...

sm01@stt008:~$ fold -s -w 10 Desktop/text.txt
thisis a sample text file to seehow thescript work s...

Greetings,

--
Camaleón
Re: How to do this, fold + split
On Fri, Dec 30, 2011 at 10:12 PM, Christofer C. Bell wrote:
> On Fri, Dec 30, 2011 at 12:03 PM, Kleber Fortaleza
> wrote:
>> On Friday 30 December 2011 13:09:13 T o n g wrote:
>>> Hi,
>>>
>>> I want to split a file every ### of chars. Is it possible not to split on
>>> the word but word boundaries?
>>>
>>> Thanks
>> this should be what you want
>>
>> split -b
>
> I can't say I know the answer to the question, but I think he's
> asking, "How can I split a file on the nearest whitespace every X
> number of characters?" I don't think split -b does this (and I'm not
> aware of any simple tool that can). I think this will require
> development of a script to accomplish. Maybe some regex magic with
> split -p can do it.

Ignore that split -b. I was looking at the wrong system's man page. That's a BSD option (in this case, the system was Mac OS X, i.e.; Darwin).

--
Chris
Re: How to do this, fold + split
On Fri, Dec 30, 2011 at 12:03 PM, Kleber Fortaleza wrote:
> On Friday 30 December 2011 13:09:13 T o n g wrote:
>> Hi,
>>
>> I want to split a file every ### of chars. Is it possible not to split on
>> the word but word boundaries?
>>
>> Thanks
> this should be what you want
>
> split -b

I can't say I know the answer to the question, but I think he's asking, "How can I split a file on the nearest whitespace every X number of characters?" I don't think split -b does this (and I'm not aware of any simple tool that can). I think this will require development of a script to accomplish. Maybe some regex magic with split -p can do it.

--
Chris
Re: How to do this, fold + split
On Friday 30 December 2011 13:09:13 T o n g wrote:
> Hi,
>
> I want to split a file every ### of chars. Is it possible not to split on
> the word but word boundaries?
>
> Thanks

this should be what you want

split -b