| 1 |
On Sat, Sep 25, 2021 at 1:48 PM antlists <antlists@××××××××××××.uk> wrote: |
| 2 |
[...] |
| 3 |
|
| 4 |
> Bear in mind, integritysetup is not in my initrd, so ... |
| 5 |
> |
| 6 |
|
| 7 |
I think you would need to put it in your initrd. |
| 8 |
|
| 9 |
|
| 10 |
> It looks to me like grub switches to the real root partition read-only |
| 11 |
> before firing stuff off, so if I tell my integritysetup.service to run |
| 12 |
> before local-fs.target, does that mean everything should be working |
| 13 |
> before systemd runs fstab? |
| 14 |
> |
| 15 |
> Bear in mind dm-integrity is on my raw partitions, and I'm running lvm |
| 16 |
> and md-raid, I'm guessing they're part of local-fs-pre.target? So I |
| 17 |
> really need to run dm-integrity before that? Or preferably add |
| 18 |
> dm-integrity TO that - how do I do that? |
| 19 |
> |
| 20 |
> The problem is this isn't all that discoverable - even digging around |
| 21 |
> /etc/systemd, it's hard to find clues ... |
| 22 |
> |
| 23 |
|
| 24 |
As Rich already mentioned it, noauto != remove mount point from fstab. |
| 25 |
That's the first thing. |
| 26 |
|
| 27 |
Then you need to specify that home.mount should run *after* md/LVM, which |
| 28 |
in turn runs after your integrity setup service. The problem is: you have |
| 29 |
root (/) on md/LVM too; I know they are different RAIDs/volumes, but there |
| 30 |
is one *service* for RAID and LVM, at least out-of-the-box, in systemd. You |
| 31 |
could try to split different instances using templates (the units with @ in |
| 32 |
their names), but the simplest solution is to put your integrity logic in |
| 33 |
the initrd (with the added benefit that you can mount it in emergencies if |
| 34 |
something goes wrong with root). |
| 35 |
|
| 36 |
If you have the integrity logic in early boot, then your integrity setup |
| 37 |
service should have: |
| 38 |
|
| 39 |
Before=mdmonitor.service lvm2-lvmetad.service |
| 40 |
|
| 41 |
And I think that should be enough? The home.mount unit depends on the |
| 42 |
underlying device being available, and that will happen only after md and |
| 43 |
LVM have done it's thing. |
| 44 |
|
| 45 |
Regards. |
| 46 |
-- |
| 47 |
Dr. Canek Peláez Valdés |
| 48 |
Profesor de Carrera Asociado C |
| 49 |
Departamento de Matemáticas |
| 50 |
Facultad de Ciencias |
| 51 |
Universidad Nacional Autónoma de México |
Archives