Package: guix-patches;
Reported by: 45mg <45mg.writes <at> gmail.com>
Date: Thu, 3 Apr 2025 17:48:01 UTC
Severity: normal
Tags: patch
To reply to this bug, email your comments to 77499 AT debbugs.gnu.org.
Toggle the display of automated, internal messages from the tracker.
View this report as an mbox folder, status mbox, maintainer mbox
ludo <at> gnu.org, maxim.cournoyer <at> gmail.com, guix-patches <at> gnu.org
:bug#77499
; Package guix-patches
.
(Thu, 03 Apr 2025 17:48:02 GMT) Full text and rfc822 format available.45mg <45mg.writes <at> gmail.com>
:ludo <at> gnu.org, maxim.cournoyer <at> gmail.com, guix-patches <at> gnu.org
.
(Thu, 03 Apr 2025 17:48:02 GMT) Full text and rfc822 format available.Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
From: 45mg <45mg.writes <at> gmail.com> To: guix-patches <at> gnu.org Cc: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>, soeren <at> soeren-tempel.net, Sisiutl <sisiutl <at> egregore.fun>, Ludovic Courtès <ludo <at> gnu.org>, 45mg <45mg.writes <at> gmail.com>, Hilton Chain <hako <at> ultrarare.space>, Tomas Volf <~@wolfsden.cz> Subject: [PATCH] mapped-devices/luks: Support extra options. Date: Thu, 3 Apr 2025 23:13:57 +0530
Allow passing extra options to the 'cryptsetup open' command. * gnu/system/mapped-devices.scm (luks-device-mapping-with-options): [#:extra-options]: New argument. (open-luks-device): Use it. * doc/guix.texi (Mapped Devices): Document it. * gnu/tests/install.scm (%test-encrypted-root-extra-options-os): New test for it, as well as the previously untested #:allow-discards? option. (%encrypted-root-extra-options-os): New os declaration for the test. Change-Id: Ia9fd129d1c66cbf27abdd3064d59188083465247 --- CCing everyone who worked on the allow-discards option - this change is very similar. %encrypted-root-extra-options-os is copied from %encrypted-root-os; only the mapped-devices field is changed. I wish I could avoid this code duplication by having `(inherit %encrypted-root-os)` in the os definition, but when I do that, the test fails with this error in the build log: /mnt/etc/config.scm:1:100: error: %encrypted-root-os: unbound variable Any chance you Guile wizards know how to make this work? doc/guix.texi | 20 ++++++++++- gnu/system/mapped-devices.scm | 25 ++++++++----- gnu/tests/install.scm | 68 +++++++++++++++++++++++++++++++++++ 3 files changed, 104 insertions(+), 9 deletions(-) diff --git a/doc/guix.texi b/doc/guix.texi index bcb1f9d9cf..9cd1304522 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -18461,7 +18461,7 @@ Mapped Devices @code{dm-crypt} Linux kernel module. @end defvar -@deffn {Procedure} luks-device-mapping-with-options [#:key-file #:allow-discards?] +@deffn {Procedure} luks-device-mapping-with-options [#:key-file #:allow-discards? #:extra-options] Return a @code{luks-device-mapping} object, which defines LUKS block device encryption using the @command{cryptsetup} command from the package with the same name. It relies on the @code{dm-crypt} Linux @@ -18492,6 +18492,24 @@ Mapped Devices information, refer to the description of the @code{--allow-discards} option in the @code{cryptsetup-open(8)} man page. +@code{extra-options} may be used to specify a list of additional +command-line options for the @code{cryptsetup open} command. See the +@code{cryptsetup-open(8)} man page for a list of supported options. + +For example, here is how you could specify the +@code{--perf-no_read_workqueue} and @code{--perf-no_write_workqueue} +options, along with @code{--allow-discards}: + +@lisp +(mapped-device + (source "/dev/sdb1) + (target "data) + (type (luks-device-mapping-with-options + #:allow-discards? #t + #:extra-options '("--perf-no_read_workqueue" + "--perf-no_write_workqueue")))) +@end lisp + @end deffn @defvar raid-device-mapping diff --git a/gnu/system/mapped-devices.scm b/gnu/system/mapped-devices.scm index 667a495570..520ade9ef8 100644 --- a/gnu/system/mapped-devices.scm +++ b/gnu/system/mapped-devices.scm @@ -194,10 +194,12 @@ (define (check-device-initrd-modules device linux-modules location) ;;; Common device mappings. ;;; -(define* (open-luks-device source targets #:key key-file allow-discards?) +(define* (open-luks-device source targets + #:key key-file allow-discards? extra-options) "Return a gexp that maps SOURCE to TARGET as a LUKS device, using 'cryptsetup'. When ALLOW-DISCARDS? is true, the use of discard (TRIM) -requests is allowed for the underlying device." +requests is allowed for the underlying device. EXTRA-OPTIONS is a list of +additional options to be passed to the 'cryptsetup open' command." (with-imported-modules (source-module-closure '((gnu build file-systems) (guix build utils))) ;; For mkdir-p @@ -238,10 +240,15 @@ (define* (open-luks-device source targets #:key key-file allow-discards?) (let ((cryptsetup #$(file-append cryptsetup-static "/sbin/cryptsetup")) (cryptsetup-flags (cons* - "open" "--type" "luks" partition #$target - (if #$allow-discards? - '("--allow-discards") - '())))) + "open" "--type" "luks" + (append + (if #$allow-discards? + '("--allow-discards") + '()) + (if (pair? '#$extra-options) + '#$extra-options + '()) + (list partition #$target))))) ;; We want to fallback to the password unlock if the keyfile ;; fails. (or (and keyfile @@ -290,7 +297,8 @@ (define luks-device-mapping ((gnu build file-systems) #:select (find-partition-by-luks-uuid system*/tty)))))) -(define* (luks-device-mapping-with-options #:key key-file allow-discards?) +(define* (luks-device-mapping-with-options + #:key key-file allow-discards? extra-options) "Return a luks-device-mapping object with open modified to pass the arguments into the open-luks-device procedure." (mapped-device-kind @@ -298,7 +306,8 @@ (define* (luks-device-mapping-with-options #:key key-file allow-discards?) (open (λ (source targets) (open-luks-device source targets #:key-file key-file - #:allow-discards? allow-discards?))))) + #:allow-discards? allow-discards? + #:extra-options extra-options))))) (define (open-raid-device sources targets) "Return a gexp that assembles SOURCES (a list of devices) to the RAID device diff --git a/gnu/tests/install.scm b/gnu/tests/install.scm index a837637b18..fd9f17eb4d 100644 --- a/gnu/tests/install.scm +++ b/gnu/tests/install.scm @@ -68,6 +68,7 @@ (define-module (gnu tests install) %test-separate-home-os %test-raid-root-os %test-encrypted-root-os + %test-encrypted-root-extra-options-os %test-encrypted-home-os %test-encrypted-home-os-key-file %test-encrypted-root-not-boot-os @@ -843,6 +844,73 @@ (define %test-encrypted-root-os (run-basic-test %encrypted-root-os command "encrypted-root-os" #:initialization enter-luks-passphrase))))) + +;;; +;;; LUKS-encrypted root with extra options: --allow-discards, +;;; --perf-no_read_workqueue and --perf-no_write_workqueue +;;; + +;; Except for the 'mapped-devices' field, this is exactly the same as +;; %encrypted-root-os. +(define-os-with-source (%encrypted-root-extra-options-os + %encrypted-root-extra-options-os-source) + ;; The OS we want to install. + (use-modules (gnu) (gnu tests) (srfi srfi-1)) + + (operating-system + (host-name "liberigilo") + (timezone "Europe/Paris") + (locale "en_US.UTF-8") + + (bootloader (bootloader-configuration + (bootloader grub-bootloader) + (targets '("/dev/vdb")))) + + ;; Note: Do not pass "console=ttyS0" so we can use our passphrase prompt + ;; detection logic in 'enter-luks-passphrase'. + + (mapped-devices (list (mapped-device + (source (uuid "12345678-1234-1234-1234-123456789abc")) + (target "the-root-device") + (type (luks-device-mapping-with-options + #:allow-discards? #t + #:extra-options + '("--perf-no_read_workqueue" + "--perf-no_write_workqueue")))))) + (file-systems (cons (file-system + (device "/dev/mapper/the-root-device") + (mount-point "/") + (type "ext4")) + %base-file-systems)) + (users (cons (user-account + (name "charlie") + (group "users") + (supplementary-groups '("wheel" "audio" "video"))) + %base-user-accounts)) + (services (cons (service marionette-service-type + (marionette-configuration + (imported-modules '((gnu services herd) + (guix combinators))))) + %base-services)))) + +(define %test-encrypted-root-extra-options-os + (system-test + (name "encrypted-root-extra-options-os") + (description + "Test basic functionality of an OS installed like one would do by hand, +with an LUKS-encrypted root partition opened with extra options +(--allow-discards, --perf-no_read_workqueue and --perf-no_write_workqueue). +This test is expensive in terms of CPU and storage usage since we need to +build (current-guix) and then store a couple of full system images.") + (value + (mlet* %store-monad ((images (run-install %encrypted-root-extra-options-os + %encrypted-root-extra-options-os-source + #:script + %encrypted-root-installation-script)) + (command (qemu-command* images))) + (run-basic-test %encrypted-root-os command "encrypted-root-extra-options-os" + #:initialization enter-luks-passphrase))))) + ;;; ;;; Separate /home on LVM base-commit: 4ea012fc6ddcb32574fbd4a854b11808c34fbca8 -- 2.49.0
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.