decrypt-root: Rework around a udev rule to fix slow PXE/ISO boots #98

Merged
merged 1 commit into from
Aug 22, 2024

Commits on Aug 22, 2024

  1. decrypt-root: Rework around a udev rule to fix slow PXE/ISO boots

    PXE and ISO boots were taking over 1m30s because decrypt-root.service
    was waiting for the ROOT partition to appear just in case it needed to
    be decrypted.
    
    Making this service conditional on non-PXE/ISO boots was considered, but
    users may well want an encrypted ROOT when booting using these methods.
    Adding conditions didn't avoid the delay caused by the `Wants` directive
    in any case.
    
    This change makes decrypt-root.service more reactive by having it
    triggered by a udev rule matching a LUKS-encrypted partition named ROOT.
    systemd knows to wait for `/dev/mapper/rootencrypted` to appear before
    attempting to switch root, making `Before=dracut-initqueue.service`
    (which concerns finding the real root) redundant. There is no guarantee
    that the rule will trigger before this service starts anyway.
    
    Removing `WantedBy=ignition-subsequent.target` is necessary because this
    directive would start the service unconditionally rather than only when
    triggered by the udev rule.
    
    Adding `After=ignition-disks.service` ensures that the service does not
    try to decrypt ROOT before Ignition wipes it again due to
    `flatcar.first_boot=1` being given.
    
    The service itself has been simplified. crypttab is just as happy with a
    block device path, so there is no need to determine the UUID. The udev
    rule only matches LUKS-encrypted partitions, so there is no need to
    check the header either. The rest is simple enough to include in the
    service unit directly, removing the need for a separate shell script.
    systemd-cryptsetup-generator can read the crypttab from stdin, avoiding
    the creation of a temporary file. It is also important to call
    daemon-reload before attempting to start the generated unit.
    
    Closes: flatcar/Flatcar#1514
    Signed-off-by: James Le Cuirot <[email protected]>
    chewi committed Aug 22, 2024
    12f7ed5
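
The arrangement the commit message describes, sketched as a udev rule and a oneshot unit. This is an added example, not the code from this commit: the file names, the `none` key field, the generator path and the `/run/systemd/system` output directory are assumptions. Piping the crypttab through `SYSTEMD_CRYPTTAB=/dev/stdin` is likewise assumed to be how the generator is made to read stdin.

```ini
# --- /usr/lib/udev/rules.d/65-decrypt-root.rules (hypothetical file name) ---
# Must sort after 60-persistent-storage.rules, which imports the blkid
# properties (ID_FS_TYPE, ID_PART_ENTRY_NAME) matched below.
# Only a LUKS-formatted partition whose GPT name is ROOT pulls the service in,
# so PXE/ISO boots without such a partition never wait for it.
ACTION!="remove", SUBSYSTEM=="block", ENV{ID_FS_TYPE}=="crypto_LUKS", ENV{ID_PART_ENTRY_NAME}=="ROOT", TAG+="systemd", ENV{SYSTEMD_WANTS}+="decrypt-root.service"

# --- /usr/lib/systemd/system/decrypt-root.service (sketch) ---
[Unit]
Description=Generate and start the cryptsetup unit for an encrypted ROOT
DefaultDependencies=no
# On first boot Ignition may wipe and recreate ROOT; do not unlock before that.
After=ignition-disks.service
# No Before=dracut-initqueue.service: systemd already waits for
# /dev/mapper/rootencrypted before switching root.

[Service]
Type=oneshot
# The crypttab line names the block device directly (no UUID lookup) and is
# fed to the generator on stdin, so no temporary file is written.
# The key field "none" is a placeholder for whatever unlock method is in use.
# Output goes to /run/systemd/system because daemon-reload re-runs generators
# and clears the generator directories.
ExecStart=/bin/sh -c 'echo "rootencrypted /dev/disk/by-partlabel/ROOT none" | SYSTEMD_CRYPTTAB=/dev/stdin /usr/lib/systemd/system-generators/systemd-cryptsetup-generator /run/systemd/system'
# systemd must re-read its unit files before the generated unit can be started.
ExecStart=/usr/bin/systemctl daemon-reload
ExecStart=/usr/bin/systemctl start systemd-cryptsetup@rootencrypted.service

# No [Install] section: with WantedBy=ignition-subsequent.target the unit would
# start on every boot instead of only when the udev rule matches.
```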