Comments on RoosBertl's Blog: CentOS6 Disk encryption with remote password entering
(comment feed, last updated 2023-08-11; newest comment first)

Shaki, 2015-07-25:
same issue here

Anonymous, 2015-06-24 11:14:
Tried modifying installkernel to

    instmods eth0
    instmods e1000

Rebooted, still getting "Cannot find device eth0".

"ethtool -i eth0" returns:

    driver: e1000
    version: 7.3.21-k8-NAPI
    firmware-version:
    bus-info: 0000:00:09.0
    supports-statistics: yes
    supports-test: yes
    supports-eeprom-access: yes
    supports-register-dump: yes
    supports-priv-flags: no

Anonymous, 2015-06-24 10:47:
I'm getting the "Cannot find device 'eth0'" error on boot (immediately following dracut --force). As I know this points to a misconfiguration, could someone clarify where I am to add/edit the driver name as taken from this line?

> Use "ethtool -i eth0" to get the driver name

Assuming this goes in installkernel, but do I add a new line or change the existing line(s)?

    instmods eth0
    instmods vmxnet3

My output from "ethtool -i eth0" is "e0001".

Bertl, 2015-02-04 11:11:
I'm not the author. The original code is taken from the RH bug report at https://bugzilla.redhat.com/show_bug.cgi?id=524727, as stated in the article.

artem.sidorenko, 2015-02-04 10:40:
Hi Robert,

I couldn't find your email address. I want to take https://github.com/mdcurtis/dracut-earlyssh, clean it up a bit and create a merge request to the dracut upstream. There is one issue: there is no license so far (so it's public domain). The auth.c you have in this post is included there as well.
- are you the author of it?
- if yes, is it ok to license it with GPL-2 like dracut?
- if not, do you know the original author of this file?

Bertl, 2014-11-04:
Note: If you get a corrupt RAMDISK message during boot, it might be that your ramdisk img file gets too big to fit the max ramdisk size.

In this case, add "ramdisk_size=32768" to the kernel options (tab key in grub). When booting, add "ramdisk_size=32768" to the /boot/grub/grub.conf kernel options, like

    kernel /vmlinuz-2.6.32-504.el6.x86_64 ro root=/dev/mapper/vg_root rd_LVM_LV=vg_root/lv_root ... rd_LVM_LV=vg_root/lv_swap rd_NO_DM rhgb quiet ramdisk_size=32768

Bertl, 2014-10-20:
Updated main post:

Added the forgotten pkill, which is needed to kill ssh on the port to get the IP address freed after decryption.

Patrick R. Donahue, 2014-08-15 21:34:
Just to follow up, I figured out how to use DHCP and fixed-host, etc. The problem with relying on dhclient to call dhclient-script is that the latter has LOADS of dependencies (e.g., /etc/sysconfig/network-scripts/network-functions, /etc/init.d/functions, etc.). It also requires /bin/bash rather than /bin/sh, so you have to grow the install file quite a bit.

In case anyone also wants to use DHCP, here's my remote-ssh.sh:

    # bring the NIC up and run dhclient in the background, writing the lease to /tmp/leases
    # (-lf is given twice; the last one wins, so /tmp/leases is the lease file actually used)
    /sbin/modprobe eth0
    /sbin/ip link set dev eth0 up
    /sbin/dhclient -d -w eth0 -lf /dev/null -lf /tmp/leases &
    /bin/sleep 15

    mkdir -p /var/log
    > /var/log/lastlog

    # pull address, netmask and default router out of the lease file dhclient wrote
    IPADDR=`/bin/grep "fixed-address" /tmp/leases|awk '{print $2}'|sed -e 's/;//'`
    echo "ip address is $IPADDR"
    SUBNET=`/bin/grep "subnet-mask" /tmp/leases|/bin/awk '{print $3}'|/bin/sed -e 's/;//'`
    echo "subnet mask is $SUBNET"
    GATEWAY=`/bin/grep "option routers" /tmp/leases|/bin/awk '{print $3}'|/bin/sed -e 's/;//'`
    echo "gateway is $GATEWAY"

    # configure the interface statically from the values above
    /sbin/ip addr add $IPADDR/$SUBNET broadcast + dev eth0
    /sbin/ip link set dev eth0 up
    /sbin/ip route add default via $GATEWAY
    /bin/sleep 10

    # start dropbear on port 222 for the remote passphrase entry
    /usr/sbin/dropbear -E -m -s -p 222 -a -K 600

The sleeps were left over from debugging but I'm too lazy to remove them and check if it works without. Basically what this does is capture the inbound DHCP info to a file, grab the necessary info, and then call /sbin/ip as Robert did for a static setup.

The only other change I needed to make was to 'install'; here is my updated dracut_install line:

    dracut_install -o ps find lsof grep egrep sed less more cat tac head tail true false mkdir rmdir rm strace touch vi ip ping ping6 traceroute ssh scp dhclient sleep awk

Note the addition of dhclient, sleep, and awk.

Patrick R. Donahue, 2014-08-15 15:29:
Robert,

Absolutely terrific blog post! This is exactly what I was looking for. However, I'm trying to automate the deployment of this to all of my servers (using Kickstart) and thus have to use DHCP/dhclient instead of hardcoding the addresses in. My DHCP server gives out the appropriate IP via static leases, but for some reason the changes I made don't seem to fire up dhclient (I've packet captured on the dhcpd-hosted server and there's no DHCPDISCOVER from the machine running this setup).

I tried replacing:

    /sbin/ip link set dev lo up
    /sbin/modprobe eth0
    /sbin/ip addr add 192.168.3.10/24 broadcast + dev eth0
    /sbin/ip link set dev eth0 up
    /sbin/ip route add default via 192.168.3.1

with:

    /sbin/ip link set dev lo up
    /sbin/modprobe eth0
    /sbin/dhclient

Additionally, I added "dhclient" to the end of the long string in installkernel() (i.e., the one that begins "dracut_install -o ps find ..."). Note that upon running dracut --force there were no (additional) errors reported.

Any ideas what I'm missing? Thanks again!

oppa, 2014-06-30:
I have installed CentOS 6, which I want to be fully encrypted. I have /dev/sda1 as the /boot partition and /dev/sda2 as the LVM partition with root, home and swap. I created a full copy of /dev/sda1 on /dev/sdb1 and created an encrypted partition on /dev/sdb2, created LVM there with root, home and swap, then created the dracut module as you describe, but at boot the system goes into a kernel panic: it is looking for VolGroup, which is not activated yet because I cannot encrypt it quickly enough (I mean, dropbear is starting, but the system goes into the kernel panic too quickly).
Sorry, can you help me?

Anonymous, 2014-04-30:
Wow, I had not heard of earlyssh before. I'll have to try it. I have been using a password keyfile in /etc/crypttab, which already has its security issues, but at least it mounts automatically on reboot instead of waiting for a password. Trade-off, I suppose, of security vs. automated mount on reboot.

Great article!

Uhm, 2014-04-16:
I am stuck on the following dracut error when building the initramfs (last step really):

    E: Cannot install a hook (/remote-ssh.sh) that does not exist.
    E: Aborting initrd creation.

The permissions are

    -rwxr-xr-x 1 root root 388 Apr 14 00:36 remote-ssh.sh

and the file clearly exists. I checked the dracut function source and it seems to fail on a simple, bash-like [ -f FILE ], which makes even less sense. I am sure it is something very trivial that I am missing (or the error message is not reflecting the underlying problem).

Has anyone seen this error and can point me in the right direction?

tuxware, 2014-02-26:
If anyone is having the same problem: it's about the port. Just use different ports for the different services (dropbear and sshd). Although they aren't running in parallel, they still interfere somehow.
This fixed my issue.

tuxware, 2014-02-20:
edit: "sudo service sshd restart" is not working. Sorry for the mistake.

Is it possible that dropbear and sshd are interfering somehow?
Maybe it's important: dropbear and sshd listen on the same port but have different users being able to log in.

Any help greatly appreciated!

tuxware, 2014-02-19:
I managed to get dropbear working thanks to kabustalek's workaround! So entering my passphrase via ssh is no problem anymore. But now openssh (sshd) is not starting correctly anymore.
When I use the original initrd (with underscore), sshd works as expected (service running after boot), so I guess it isn't about the config files.
When using the modified initrd, there is no error shown during startup; it even says "sshd starting: [OK]".
But when I try to log in via ssh I get the following error messages:

    client: ssh -p 2345 user@host
    client: ssh_exchange_identification: Connection closed by remote host
    server: Early exit: Failure reading random device /dev/urandom

When I try again, the error changes:

    client: ssh: connect to host xpush port 2114: Connection refused
    server: (no output)

After logging in directly, "sudo service sshd status" tells me the daemon isn't running. After restarting manually with "sudo service sshd restart" it's working.
Any ideas?
Thanks for the great tutorial and the helpful comments above!

kabustalek, 2013-10-04:
Got it working after some time... the problem is that with KVM there are somehow problems with udev.

The "workaround" at the moment is:
in the file install:
- add somewhere:

    inst_simple "${moddir}/mysleep" "/bin/mysleep"

Now move the file "remote-ssh.sh" to "mysleep" and create a new "remote-ssh.sh" file with the content:

    #!/bin/sh
    /bin/mysleep &

Last but not least, add somewhere at the very beginning of /bin/mysleep the line:

    sleep 10 #should be enough

dracut --force && reboot, that's it.

The problem is somehow based on how udev and KVM work together. The device is not up and cannot be accessed when 01remote-ssh.sh gets executed.

Thanks for that great tutorial!

kabustalek, 2013-09-20:
Moving on.. for everybody who's nucking futs: add the parameter "rdshell" to the kernel params, hit ctrl+c when prompted for the password two times and et voila, you get an interactive dracut shell, just like busybox. Perfect for debugging. When I execute 01remote-ssh.sh in pre-trigger, I have network access and can authenticate against dropbear. When I find a solution I will post it here.

kabustalek, 2013-09-18:
That's what I know too, as it says "eth0 not found" on the screenshots. The question is: why?
Configuration is exactly as in the guide, except the drivers, which are replaced by virtio drivers.

Bertl, 2013-09-17 23:09:
Ethernet device was not loaded.
Please check your configuration.

kabustalek, 2013-09-17 21:49:
Short update: debugging is working with echo only.
Also, using output pipes in the scripts is probably not such a good idea, as the scripts get executed when dracut --force is executed.

http://www.imagebanana.com/view/w9o4jdm2/asdf2.png
http://www.imagebanana.com/view/u1omk2bs/asdf.png

Only virtio modules have been loaded; I don't know if something like any net driver from the kernel must be loaded in this stage too?

Also, there is no such dev like eth(n) nor em(n) - now I am stuck.

kabustalek, 2013-09-17 11:17:
Changed the device to netdev-eth0 but it's still not working. The message is gone. That's really nucking me futs :E

/boot/wtf.txt was somehow accidentally created by myself when I probably tested the .sh scripts; also output with echo does not work.

kabustalek, 2013-09-17 10:51:
Just got some new output:

    /pre-trigger/01remote-ssh.sh: 5: cannot create /boot/wtf.txt: Directory nonexistent
    udev: starting version 147
    Loading kernel module for a network device with CAP_SYS_MODULE (deprecated). Use CAP_NET_ADMIN and alias netdev-eth0 instead.
    Cannot find device "eth0"
    RTNETLINK: No such process

Any idea?

Bertl, 2013-09-16:
Maybe a firewall in front of the machine?