ExternalVendorCode/balena-supervisor
1
0
Fork 0
mirror of https://github.com/balena-os/balena-supervisor.git synced 2025-01-31 08:25:36 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

mount-partitions.sh: Add support for encrypted partitions

Browse Source 
After a recent change enforcing all the partitions to be on the same
block device, encrypted partitions are no longer being detected
correctly. This is because the assumption that the parent block device
is a substring of the actually mounted block device does not work
for LUKS devices - the mount will either be /dev/mapper/luks-XXX
or /dev/dm-X while the parent device is still e.g. /dev/sda.

The usual balenaOS boot partition is also split in two - boot and efi.
The boot partition (mounted under /mnt/boot) is encrypted and the efi
partition (mounted under /mnt/efi) is not.

This patch generalizes the detection of the parent device so that
it works with both encrypted and unencrypted partitions.

Change-type: patch
Signed-off-by: Michal Toman <michalt@balena.io>
This commit is contained in:
Michal Toman 2023-04-28 07:41:22 +02:00
parent c8d7b28a7e
commit 0045928944
1 changed files with 38 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

64
mount-partitions.sh
View File

@ -9,25 +9,42 @@ export ROOT_MOUNTPOINT="/mnt/root"
# Set DBus system bus address for getting the current boot block device # Set DBus system bus address for getting the current boot block device
export DBUS_SYSTEM_BUS_ADDRESS="${DBUS_SYSTEM_BUS_ADDRESS:-unix:path="${ROOT_MOUNTPOINT}"/run/dbus/system_bus_socket}" export DBUS_SYSTEM_BUS_ADDRESS="${DBUS_SYSTEM_BUS_ADDRESS:-unix:path="${ROOT_MOUNTPOINT}"/run/dbus/system_bus_socket}"
# Get the block device from systemd
# The dbus-send command below should return something like:
# ```
# method return time=1680132905.878117 sender=:1.0 -> destination=:1.20155 serial=245193 reply_serial=2
# variant string "/dev/sda1"
# ```
# Usage: dbus_get_mount PARTITION
# Partition is only the label, e.g. boot, state, data
dbus_get_mount() {
part="$1"
result=$(dbus-send --system --print-reply \
--dest=org.freedesktop.systemd1 /org/freedesktop/systemd1/unit/mnt_2d${part}_2emount org.freedesktop.DBus.Properties.Get \
string:"org.freedesktop.systemd1.Mount" string:"What" | grep "string" | cut -d'"' -f2 2>&1)
# If the output doesn't match the /dev/* device regex, exit with an error
if [ "$(echo "${result}" | grep -E '^/dev/')" = "" ]; then
echo "ERROR: Could not determine ${part} device from dbus. Please launch Supervisor as a privileged container with DBus socket access."
exit 1
fi
echo "${result}"
}
# Get the current boot block device in case there are duplicate partition labels # Get the current boot block device in case there are duplicate partition labels
# for `(balena|resin)-(boot|state|data)` found. # for `(balena|resin)-(boot|state|data)` found.
current_boot_block_device="" current_boot_block_device=""
if [ "${TEST}" != 1 ]; then if [ "${TEST}" != 1 ]; then
# Get the current boot block device from systemd mnt_boot_mount=$(dbus_get_mount "boot")
# The dbus-send command below should return something like: mnt_boot_type=$(lsblk -no type "${mnt_boot_mount}")
# ``` # If the (resin|balena)-boot partition is encrypted, we need to have a look at the efi partition
# method return time=1680132905.878117 sender=:1.0 -> destination=:1.20155 serial=245193 reply_serial=2 if [ "${mnt_boot_type}" = "crypt" ]; then
# variant string "/dev/sda1" boot_part=$(dbus_get_mount "efi")
# ``` else
mnt_boot_mount=$(dbus-send --system --print-reply \ boot_part="${mnt_boot_mount}"
--dest=org.freedesktop.systemd1 /org/freedesktop/systemd1/unit/mnt_2dboot_2emount org.freedesktop.DBus.Properties.Get \
string:"org.freedesktop.systemd1.Mount" string:"What" | grep "string" | cut -d'"' -f2 2>&1)
# If the output doesn't match the /dev/* device regex, exit with an error
if [ "$(echo "${mnt_boot_mount}" | grep -E '^/dev/')" = "" ]; then
echo "ERROR: Could not determine boot device from dbus. Please launch Supervisor as a privileged container with DBus socket access."
exit 1
fi fi
current_boot_block_device=$(lsblk -no pkname "${mnt_boot_mount}") current_boot_block_device=$(lsblk -no pkname "${boot_part}")
if [ "${current_boot_block_device}" = "" ]; then if [ "${current_boot_block_device}" = "" ]; then
echo "ERROR: Could not determine boot device from lsblk. Please launch Supervisor as a privileged container." echo "ERROR: Could not determine boot device from lsblk. Please launch Supervisor as a privileged container."
exit 1 exit 1
@ -63,18 +80,13 @@ setup_then_mount() {
partition_label=$1 partition_label=$1
target_path=$2 target_path=$2
# Get one or more devices matching label, accounting for legacy partition labels. # Try FS label first and partition label as a fallback
device=$(blkid | grep -E "(resin|balena)-${partition_label}" | awk -F':' '{print $1}') for arg in label partlabel; do
kname=$(lsblk "/dev/${current_boot_block_device}" -nlo "kname,${arg}" | grep -E "(resin|balena)-${partition_label}" | awk '{print $1}')
# If multiple devices with the partition label are found, mount to the device device="/dev/${kname}"
# that's part of the current boot device, as this indicates a duplicate if [ -b "${device}" ]; then
# label somewhere created by a user or an inconsistency in the system. echo "INFO: Found device $device on current boot device $current_boot_block_device, using as mount for '(resin|balena)-${partition_label}'."
# We've been able to identify the current boot device, so use that do_mount "${device}" "${target_path}"
# to find the device with the correct label amongst 2+ devices.
for d in ${device}; do
if [ "$(echo "$d" | grep "$current_boot_block_device")" != "" ]; then
echo "INFO: Found device $d on current boot device $current_boot_block_device, using as mount for '(resin|balena)-${partition_label}'."
do_mount "${d}" "${target_path}"
return 0 return 0
fi fi
done done