From 3acb27df403c9e5772eb1d81aba1c65b6c7acc08 Mon Sep 17 00:00:00 2001

From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>

Date: Tue, 5 Sep 2017 09:14:51 +0200

Subject: [PATCH 1/3] units: order cryptsetup-pre.target before

 cryptsetup.target

Normally this happens automatically, but if it happened that both targets were

pulled in, even though there were no cryptsetup units, they could be started

in reverse order, which would be somewhat confusing. Add an explicit ordering

to avoid this potential issue.

---

 units/cryptsetup-pre.target | 1 +

 1 file changed, 1 insertion(+)

diff --git a/units/cryptsetup-pre.target b/units/cryptsetup-pre.target

index 65353419f..42e35dd4e 100644

--- a/units/cryptsetup-pre.target

+++ b/units/cryptsetup-pre.target

@@ -9,3 +9,4 @@

 Description=Encrypted Volumes (Pre)

 Documentation=man:systemd.special(7)

 RefuseManualStart=yes

+Before=cryptsetup.target

-- 

2.14.1

From 51a012da40e8d0d4d8df931b3bc56ea913c3856a Mon Sep 17 00:00:00 2001

From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>

Date: Tue, 5 Sep 2017 10:15:13 +0200

Subject: [PATCH 2/3] units: add remote-cryptsetup.target and

 remote-cryptsetup-pre.target

The pair is similar to remote-fs.target and remote-fs-pre.target. Any

cryptsetup devices which require network shall be ordered after

remote-cryptsetup-pre.target and before remote-cryptsetup.target.

---

 man/systemd.special.xml            | 23 +++++++++++++++++++++++

 units/cryptsetup-pre.target        |  2 +-

 units/cryptsetup.target            |  2 +-

 units/meson.build                  |  3 +++

 units/remote-cryptsetup-pre.target | 15 +++++++++++++++

 units/remote-cryptsetup.target     | 10 ++++++++++

 6 files changed, 53 insertions(+), 2 deletions(-)

 create mode 100644 units/remote-cryptsetup-pre.target

 create mode 100644 units/remote-cryptsetup.target

diff --git a/man/systemd.special.xml b/man/systemd.special.xml

index 66c45e39a..7107b8a92 100644

--- a/man/systemd.special.xml

+++ b/man/systemd.special.xml

@@ -81,6 +81,8 @@

     <filename>poweroff.target</filename>,

     <filename>printer.target</filename>,

     <filename>reboot.target</filename>,

+    <filename>remote-cryptsetup-pre.target</filename>,

+    <filename>remote-cryptsetup.target</filename>,

     <filename>remote-fs-pre.target</filename>,

     <filename>remote-fs.target</filename>,

     <filename>rescue.target</filename>,

@@ -450,6 +452,27 @@

           this target unit, for compatibility with SysV.</para>

         </listitem>

       </varlistentry>

+      <varlistentry>

+        <term><filename>remote-cryptsetup-pre.target</filename></term>

+        <listitem>

+          <para>This target unit is automatically ordered before all cryptsetup devices

+          marked with the <option>_netdev</option>. It can be used to execute additional

+          units before such devices are set up.</para>

+

+          <para>It is ordered after <filename>network.target</filename> and

+          <filename>network-online.target</filename>, and also pulls the latter in as a

+          <varname>Wants=</varname> dependency.</para>

+        </listitem>

+      </varlistentry>

+      <varlistentry>

+        <term><filename>remote-cryptsetup.target</filename></term>

+        <listitem>

+          <para>Similar to <filename>cryptsetup.target</filename>, but for encrypted

+          devices which are accessed over the network. It is used for

+          <citerefentry><refentrytitle>crypttab</refentrytitle><manvolnum>8</manvolnum></citerefentry>

+          entries marked with <option>_netdev</option>.</para>

+        </listitem>

+      </varlistentry>

       <varlistentry>

         <term><filename>remote-fs.target</filename></term>

         <listitem>

diff --git a/units/cryptsetup-pre.target b/units/cryptsetup-pre.target

index 42e35dd4e..6cb28a61a 100644

--- a/units/cryptsetup-pre.target

+++ b/units/cryptsetup-pre.target

@@ -6,7 +6,7 @@

 #  (at your option) any later version.

 [Unit]

-Description=Encrypted Volumes (Pre)

+Description=Local Encrypted Volumes (Pre)

 Documentation=man:systemd.special(7)

 RefuseManualStart=yes

 Before=cryptsetup.target

diff --git a/units/cryptsetup.target b/units/cryptsetup.target

index 25d3e33f6..10b17fd38 100644

--- a/units/cryptsetup.target

+++ b/units/cryptsetup.target

@@ -6,5 +6,5 @@

 #  (at your option) any later version.

 [Unit]

-Description=Encrypted Volumes

+Description=Local Encrypted Volumes

 Documentation=man:systemd.special(7)

diff --git a/units/meson.build b/units/meson.build

index e94add6a6..e6351c7a2 100644

--- a/units/meson.build

+++ b/units/meson.build

@@ -47,6 +47,9 @@ units = [

         ['proc-sys-fs-binfmt_misc.mount',       'ENABLE_BINFMT'],

         ['reboot.target',                       '',

          'runlevel6.target ctrl-alt-del.target'],

+        ['remote-cryptsetup-pre.target',        'HAVE_LIBCRYPTSETUP'],

+        ['remote-cryptsetup.target',            'HAVE_LIBCRYPTSETUP',

+         join_paths(pkgsysconfdir, 'system/multi-user.target.wants/')],

         ['remote-fs-pre.target',                ''],

         ['remote-fs.target',                    '',

          join_paths(pkgsysconfdir, 'system/multi-user.target.wants/')],

diff --git a/units/remote-cryptsetup-pre.target b/units/remote-cryptsetup-pre.target

new file mode 100644

index 000000000..a375e6188

--- /dev/null

+++ b/units/remote-cryptsetup-pre.target

@@ -0,0 +1,15 @@

+#  This file is part of systemd.

+#

+#  systemd is free software; you can redistribute it and/or modify it

+#  under the terms of the GNU Lesser General Public License as published by

+#  the Free Software Foundation; either version 2.1 of the License, or

+#  (at your option) any later version.

+

+[Unit]

+Description=Remote Encrypted Volumes (Pre)

+Documentation=man:systemd.special(7)

+RefuseManualStart=yes

+Before=remote-cryptsetup.target

+

+After=network.target network-online.target

+Wants=network-online.target

diff --git a/units/remote-cryptsetup.target b/units/remote-cryptsetup.target

new file mode 100644

index 000000000..60943bd1c

--- /dev/null

+++ b/units/remote-cryptsetup.target

@@ -0,0 +1,10 @@

+#  This file is part of systemd.

+#

+#  systemd is free software; you can redistribute it and/or modify it

+#  under the terms of the GNU Lesser General Public License as published by

+#  the Free Software Foundation; either version 2.1 of the License, or

+#  (at your option) any later version.

+

+[Unit]

+Description=Remote Encrypted Volumes

+Documentation=man:systemd.special(7)

-- 

2.14.1

From 543a62336565c840bbda22df0eb2a1c19180a8d5 Mon Sep 17 00:00:00 2001

From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>

Date: Tue, 5 Sep 2017 11:30:33 +0200

Subject: [PATCH 3/3] cryptsetup-generator: use remote-cryptsetup.target when

 _netdev is present

This allows such devices to depend on the network. Their startup will

be delayed similarly to network mount units.

Fixes #4642.

---

 man/crypttab.xml                      | 13 +++++++++++++

 src/cryptsetup/cryptsetup-generator.c | 36 ++++++++++++++++++-----------------

 2 files changed, 32 insertions(+), 17 deletions(-)

diff --git a/man/crypttab.xml b/man/crypttab.xml

index 17976f370..162377ebc 100644

--- a/man/crypttab.xml

+++ b/man/crypttab.xml

@@ -213,6 +213,19 @@

         <option>size=</option>.</para></listitem>

       </varlistentry>

+      <varlistentry>

+        <term><option>_netdev</option></term>

+

+        <listitem><para>Marks this cryptsetup device as requiring network. It will be

+        started after the network is available, similarly to

+        <citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry>

+        units marked with <option>_netdev</option>. The service unit to set up this device

+        will be ordered between <filename>remote-cryptsetup-pre.target</filename> and

+        <filename>remote-cryptsetup.target</filename>, instead of

+        <filename>cryptsetup-pre.target</filename> and

+        <filename>cryptsetup.target</filename>.</para></listitem>

+      </varlistentry>

+

       <varlistentry>

         <term><option>noauto</option></term>

diff --git a/src/cryptsetup/cryptsetup-generator.c b/src/cryptsetup/cryptsetup-generator.c

index b58b6db7c..8571ab06e 100644

--- a/src/cryptsetup/cryptsetup-generator.c

+++ b/src/cryptsetup/cryptsetup-generator.c

@@ -61,7 +61,7 @@ static int create_disk(

         _cleanup_free_ char *p = NULL, *n = NULL, *d = NULL, *u = NULL, *to = NULL, *e = NULL,

                 *filtered = NULL;

         _cleanup_fclose_ FILE *f = NULL;

-        bool noauto, nofail, tmp, swap;

+        bool noauto, nofail, tmp, swap, netdev;

         char *from;

         int r;

@@ -72,6 +72,7 @@ static int create_disk(

         nofail = fstab_test_yes_no_option(options, "nofail\0" "fail\0");

         tmp = fstab_test_option(options, "tmp\0");

         swap = fstab_test_option(options, "swap\0");

+        netdev = fstab_test_option(options, "_netdev\0");

         if (tmp && swap) {

                 log_error("Device '%s' cannot be both 'tmp' and 'swap'. Ignoring.", name);

@@ -102,21 +103,22 @@ static int create_disk(

         if (!f)

                 return log_error_errno(errno, "Failed to create unit file %s: %m", p);

-        fputs("# Automatically generated by systemd-cryptsetup-generator\n\n"

-              "[Unit]\n"

-              "Description=Cryptography Setup for %I\n"

-              "Documentation=man:crypttab(5) man:systemd-cryptsetup-generator(8) man:systemd-cryptsetup@.service(8)\n"

-              "SourcePath=/etc/crypttab\n"

-              "DefaultDependencies=no\n"

-              "Conflicts=umount.target\n"

-              "BindsTo=dev-mapper-%i.device\n"

-              "IgnoreOnIsolate=true\n"

-              "After=cryptsetup-pre.target\n",

-              f);

+        fprintf(f,

+                "# Automatically generated by systemd-cryptsetup-generator\n\n"

+                "[Unit]\n"

+                "Description=Cryptography Setup for %%I\n"

+                "Documentation=man:crypttab(5) man:systemd-cryptsetup-generator(8) man:systemd-cryptsetup@.service(8)\n"

+                "SourcePath=/etc/crypttab\n"

+                "DefaultDependencies=no\n"

+                "Conflicts=umount.target\n"

+                "IgnoreOnIsolate=true\n"

+                "After=%s\n",

+                netdev ? "remote-cryptsetup-pre.target" : "cryptsetup-pre.target");

         if (!nofail)

                 fprintf(f,

-                        "Before=cryptsetup.target\n");

+                        "Before=%s\n",

+                        netdev ? "remote-cryptsetup.target" : "cryptsetup.target");

         if (password) {

                 if (STR_IN_SET(password, "/dev/urandom", "/dev/random", "/dev/hw_random"))

@@ -200,10 +202,10 @@ static int create_disk(

                         return log_error_errno(errno, "Failed to create symlink %s: %m", to);

                 free(to);

-                if (!nofail)

-                        to = strjoin(arg_dest, "/cryptsetup.target.requires/", n);

-                else

-                        to = strjoin(arg_dest, "/cryptsetup.target.wants/", n);

+                to = strjoin(arg_dest,

+                             netdev ? "/remote-cryptsetup" : "/cryptsetup",

+                             ".target.",

+                             nofail ? "wants/" : "requires/", n);

                 if (!to)

                         return log_oom();

-- 

2.14.1