Support unlocking systems in dracut-sshd mode
The following code supports unlocking a system with multiple LUKS devices in dracut-sshd mode:
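host = "1.2.3.4"
user = "root"
# how to find out?
# $ blkid /dev/md/*
# gives you the luks uuids
#
# Keys are the LUKS mapping names (luks-<UUID>), values the passphrases.
# The original listing repeated the key 'luks-UUID-2', which silently dropped
# one passphrase (a Ruby hash keeps only the last value for a duplicate key),
# so the third entry is named luks-UUID-3 here. Names and passphrases are
# placeholders. Passphrases kept in a script end up in backups and shell
# history; reading them from a root-only file or a prompt is preferable.
pwds = {
  'luks-UUID-1' => 'meep',
  'luks-UUID-2' => 'moop',
  'luks-UUID-3' => 'maap',
}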
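class DracutSSHOpener
  # Mapping names that may be interpolated into a remote command line.
  # Restricting them to this character set means no quoting is needed on the
  # remote side and a stray name cannot inject shell syntax.
  LUKS_NAME = /\A[A-Za-z0-9._-]+\z/

  # Seconds to wait for systemd to start asking for a passphrase after
  # `systemctl start --no-block`.
  START_TIMEOUT = 10

  attr_reader :user, :host, :pwds

  # @param user [String] ssh login on the initramfs (dracut-sshd)
  # @param host [String] address of the initramfs ssh daemon
  # @param pwds [Hash{String => String}] LUKS mapping name => passphrase
  # @raise [ArgumentError] if a mapping name contains characters outside LUKS_NAME
  def initialize(user, host, pwds)
    @user = user
    @host = host
    @pwds = pwds
    bad = pwds.keys.reject { |name| name.to_s.match?(LUKS_NAME) }
    raise ArgumentError, "invalid luks mapping name(s): #{bad.inspect}" unless bad.empty?
  end

  # Stops every known cryptsetup unit, makes sure systemd has no other pending
  # password queries, then starts each unit and feeds it its passphrase.
  # Exits the process (status 1) when the system is already running or when
  # unknown password queries are pending.
  def unlock
    abort_if_running
    stop_all
    abort_if_pending
    unlock_luks!
  end

  private

  # Exits when the remote system reports it is already fully booted.
  def abort_if_running
    return unless remote_output('systemctl is-system-running').chomp == 'running'

    puts "System seems already running..."
    puts "Abort..."
    exit 1
  end

  # Best effort: a failing stop is reported but does not abort the run.
  def stop_all
    puts "Stopping all systemd-cryptsetup units"
    pwds.each_key do |luks|
      print "Stopping #{luks} "
      puts(remote_ok?("systemctl stop '#{unit_for(luks)}'") ? "DONE" : "FAILED (ignored)")
    end
  end

  # Exits when the password agent still lists queries this script did not cause.
  def abort_if_pending
    output = remote_output('systemd-tty-ask-password-agent --list')
    return if output.chomp.empty?

    puts "Systemd still waits for units we have no idea of..."
    puts output.inspect
    exit 1
  end

  # Starts each cryptsetup unit that is not opened yet and answers its prompt.
  def unlock_luks!
    pwds.each do |luks, pwd|
      # already opened: /dev/mapper/<name> exists as a block device
      next if remote_ok?("test -b /dev/mapper/#{luks}")

      puts "Starting #{luks}... "
      remote_ok?("systemctl start --no-block '#{unit_for(luks)}'")
      if wait_for_prompt(luks)
        send_passphrase(pwd)
      else
        puts "Error while starting luks #{luks}"
      end
    end
  end

  # Polls the password agent until its first pending query mentions +luks+.
  # @return [Boolean] false when START_TIMEOUT seconds pass without a match
  def wait_for_prompt(luks)
    pattern = /#{Regexp.escape(luks)}/
    (START_TIMEOUT + 1).times do |attempt|
      sleep 1 unless attempt.zero?
      first = remote_output('systemd-tty-ask-password-agent --list').lines.first
      return true if first&.match?(pattern)
    end
    false
  end

  # Writes the passphrase to ssh's stdin. It is never placed on a command line,
  # so it does not show up in the local process list or get parsed by a shell.
  def send_passphrase(pwd)
    IO.popen(ssh_cmd + ['-t', 'systemd-tty-ask-password-agent'], 'w') { |io| io.puts(pwd) }
  end

  # Runs +remote+ on the host and returns its stdout.
  def remote_output(remote)
    IO.popen(ssh_cmd + [remote], &:read)
  end

  # Runs +remote+ on the host; true iff it exited with status 0. Stdout is
  # discarded, stderr still reaches the terminal.
  def remote_ok?(remote)
    system(*ssh_cmd, remote, out: File::NULL)
  end

  # systemd escapes '-' in instance names as \x2d. The block form of gsub
  # keeps the backslash literal; the remote command single-quotes the name.
  def unit_for(luks)
    "systemd-cryptsetup@#{luks.gsub('-') { '\\x2d' }}"
  end

  # Argument vector for the local ssh client (no shell involved).
  def ssh_cmd
    @ssh_cmd ||= ['ssh', "#{user}@#{host}"]
  end
end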
# Entry point: build the opener from the values above and run the unlock sequence.
opener = DracutSSHOpener.new(user, host, pwds)
opener.unlock
- disks should be registered using the luks-UUID schema.
- no scripts should be run before or afterwards
- all regular options should still be available, so the luks devices can be managed
- it might be an idea to add a cli cmd like
--open-dracut-sshd
that then executes code like the above to unlock a system