diff -Nru cloud-initramfs-tools-0.31ubuntu1/debian/changelog cloud-initramfs-tools-0.32ubuntu1/debian/changelog
--- cloud-initramfs-tools-0.31ubuntu1/debian/changelog 2016-11-02 19:55:39.000000000 +0000
+++ cloud-initramfs-tools-0.32ubuntu1/debian/changelog 2016-11-14 17:25:10.000000000 +0000
@@ -1,3 +1,12 @@
+cloud-initramfs-tools (0.32ubuntu1) zesty; urgency=medium
+
+ * overlayroot: fix overlayroot=crypt with newer initramfs-tools
+ (LP: #1634310)
+ * overlayroot: support random seed from systemd
+ systemd-random-seed.service
+
+ -- Scott Moser Mon, 14 Nov 2016 12:25:10 -0500
+
 cloud-initramfs-tools (0.31ubuntu1) zesty; urgency=medium
 * cloud-initramfs-dyn-netconf: Further adjustments to support
diff -Nru cloud-initramfs-tools-0.31ubuntu1/overlayroot/scripts/init-bottom/overlayroot cloud-initramfs-tools-0.32ubuntu1/overlayroot/scripts/init-bottom/overlayroot
--- cloud-initramfs-tools-0.31ubuntu1/overlayroot/scripts/init-bottom/overlayroot 2016-09-23 21:00:21.000000000 +0000
+++ cloud-initramfs-tools-0.32ubuntu1/overlayroot/scripts/init-bottom/overlayroot 2016-11-14 17:23:43.000000000 +0000
@@ -46,6 +46,17 @@
 root_ro=/media/root-ro
 ROOTMNT=${rootmnt} # use global name to indicate created outside this
 OVERLAYROOT_DEBUG=0
+# PERSIST_DIR will persist after pivot-root. It is used for log file
+# and for the mktemp-made password file in crypt.
+PERSIST_DIR=/run/initramfs
+if [ ! -d "$PERSIST_DIR" -a -d /dev/.initramfs ]; then
+ PERSIST_DIR="/dev/.initramfs"
+fi
+if [ ! -d "$PERSIST_DIR" ]; then
+ mkdir -p "$PERSIST_DIR" ||
+ echo "WARNING: $MYTAG: failed to create ${PERSIST_DIR}" 1>&2
+fi
+LOG_FILE="${PERSIST_DIR}/${MYTAG}.log"
 log() {
 "log_${1}_msg" "$MYTAG: $2";
@@ -67,16 +78,8 @@
 echo "$MYTAG:" "$@"
 }
 _debug() {
- local d
- if [ -z "$DEBUG_DIR" ]; then
- for d in /run/initramfs /dev/.initramfs; do
- [ -d "$d" ] && DEBUG_DIR="$d" && break
- done
- [ -z "$DEBUG_DIR" ] && DEBUG_BUSTED=1 && DEBUG_DIR="busted" &&
- log_warn "debug is busted. no debug dir"
- fi
 if [ "${DEBUG_BUSTED:-0}" ]; then
- { echo "$@" >> "${DEBUG_DIR}/${MYTAG}.log"; } 2>/dev/null ||
+ { echo "$@" >> "$LOG_FILE"; } 2>/dev/null ||
 { DEBUG_BUSTED=1; log_warn "debug is busted"; }
 fi
 }
@@ -153,11 +156,16 @@
 local fstype="ext4" pass="" mapname="secure" mkfs="1" dev=""
 local timeout=0
 local entropy_sources="/proc/sys/kernel/random/boot_id /proc/sys/kernel/random/uuid /dev/urandom"
- local seed=
+ local seed="" rootseed="$ROOTMNT/var/lib/urandom/random-seed"
+ if [ ! -f "$rootseed" -a -f "$ROOTMNT/var/lib/systemd/random-seed" ]; then
+ rootseed="$ROOTMNT/var/lib/systemd/random-seed"
+ fi
 # Seed the psuedo random number generator with available seeds
- for seed in "/.random-seed" "${ROOTMNT}/var/lib/urandom/random-seed"; do
- [ -f "${seed}" ] && cat "${seed}" > /dev/urandom ||
- { debug "missing rng seed [${seed}]"; }
+ for seed in "/.random-seed" "$rootseed"; do
+ [ -f "${seed}" ] ||
+ { debug "missing rng seed [${seed}]"; continue; }
+ cat "${seed}" > /dev/urandom ||
+ debug "failed seeding /dev/urandom from $seed"
 done
 # this does necessary crypto setup and sets _RET
 # to the appropriate block device (ie /dev/mapper/secure)
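Review bot: The guard `if [ "${DEBUG_BUSTED:-0}" ]; then` that the new `>> "$LOG_FILE"` write sits under is a one-argument test, which is true for any non-empty string, so it passes for both the default `0` and for `1`; `_debug` therefore keeps retrying the write and re-emitting "debug is busted" on every call after the first failure, which is presumably the opposite of the intent. The old branch masked this with the `DEBUG_DIR="busted"` placeholder the commit removes, so it becomes visible now. A POSIX-safe fix is `if [ "${DEBUG_BUSTED:-0}" = "0" ]; then`, and a short comment on the `2>/dev/null ||` line saying the first failed append disables further debug logging would document the recovery path.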
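Review bot: The new `if [ ! -f "$rootseed" -a -f "$ROOTMNT/var/lib/systemd/random-seed" ]; then` uses the `-a` conjunction inside `[`, which POSIX marks obsolescent and which becomes ambiguous once an operand looks like an option (ShellCheck SC2166); the same form is added in the earlier hunk at `if [ ! -d "$PERSIST_DIR" -a -d /dev/.initramfs ]; then`. Both read more safely as two tests, e.g. `if [ ! -f "$rootseed" ] && [ -f "$ROOTMNT/var/lib/systemd/random-seed" ]; then`. Separately, the loop only reads the seed files; nothing in the hunk rewrites or removes them, and if nothing outside the hunk does so either (the lower root layer is typically read-only under an overlay), every boot mixes the same bytes into the pool — harmless, since a write to /dev/urandom is mixed in but never credited as entropy, but it also contributes nothing fresh, which a comment on the `for seed in` line should state so readers do not mistake it for an entropy source. The enclosing function starts before and ends after this hunk.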
@@ -214,16 +222,17 @@
 [ "$mkfs" = "0" ] && { log_fail "mkfs=0, but no password provided"; return 1; }
 entropy_sources="$entropy_sources $dev"
- local pass_file=$(mktemp /dev/.initramfs/${MYTAG}.XXXXXX) ||
+ local pass_file=""
+ pass_file=$(mktemp "${PERSIST_DIR}/${MYTAG}.XXXXXX") ||
 { log_fail "failed creation of password file"; return 1; }
- stat -L /dev/* /proc/* /sys/* >${pass_file} 2>&1 ||
+ stat -L /dev/* /proc/* /sys/* >"${pass_file}" 2>&1 ||
 { log_warn "could not seed with stat entropy [$entropy_sources]"; }
- head -c 4096 $entropy_sources >> ${pass_file} ||
+ head -c 4096 $entropy_sources >> "${pass_file}" ||
 { log_fail "failed reading entropy [$entropy_sources]"; return 1; }
- pass=$(sha512sum ${pass_file}) ||
+ pass=$(sha512sum "${pass_file}") ||
 { log_fail "failed generation of password"; return 1; }
 pass=${pass%% *}
- printf "%s" "${pass}" > ${pass_file}
+ printf "%s" "${pass}" > "${pass_file}"
 fi
 log_warn "setting up new luks device at $dev"
@@ -519,9 +528,9 @@
 # assumes that name in /proc/filesystems and module name are the same.
 local m="" driver="" tab=' '
 for m in "$@"; do
- grep -q "${tab}$m$" /proc/filesystems && driver="$m" &&
+ grep -q "${tab}$m$" /proc/filesystems && driver="$m" &&
 { debug "/proc/filesystems support for '$m'"; break; }
- done
+ done
 if [ -z "$driver" ]; then
 for m in "$@"; do
 if modprobe -qb "$m"; then
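Review bot: `pass_file=$(mktemp "${PERSIST_DIR}/${MYTAG}.XXXXXX")` now places the plaintext LUKS passphrase in a directory the earlier hunk's comment says persists after pivot-root, and nothing in this hunk removes the file once `pass` has been written back into it; the enclosing function continues past the hunk, so it may be cleaned up there, but if not, the key outlives the setup step for the whole uptime. A `rm -f -- "$pass_file"` once cryptsetup has consumed it, or a comment on the `printf "%s" "${pass}" > "${pass_file}"` line stating who deletes the file and when, would make the intended lifetime explicit. The unquoted `$entropy_sources` on the `head -c 4096` line is deliberate word-splitting of a space-separated list and deserves a `# shellcheck disable=SC2086 -- intentional list split` marker so the other quoting fixes in this hunk are not "completed" by a later cleanup.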