
I have an Arch Linux system running on a VPS. The rootfs is installed on an LVM partition. I would like to overlay an encrypted container on this partition, then reinstall the rootfs on it and enable ssh unlock at boot via ssh. I am happy to discard all content of the existing rootfs and create a new one from scratch.

I am proceeding as follows:

  1. create a new temporary rootfs in /tmp/newroot (I use the Arch Linux bootstrapping image from the Arch wiki)
  2. chroot to it and set up pacman, install a few things, define authorized_keys, and enable but do not start sshd
  3. exit back to the original root
  4. switch permanently to the new root: following the recommendations in this great post, I run the code below.
  5. At this point I would like to restart sshd and all other services still hanging on to the old root, which is on the LVM partition
  6. create an encrypted partition on the LVM partition
  7. install Arch Linux on it and modify the initramfs appropriately

Steps 6 and 7 are well documented (for instance here).

Here are the details of step 4, which works fine:

# we start after step 2, so that /tmp/newroot contains a minimal temporary root fs
# with network, sshd and pacman, and the command prompt is from the original root

# move the new root fs to a newly created tmpfs at /tmp/tmproot, as per the referenced post
# (perhaps this is redundant, I could have used newroot directly, but it should not harm)
mkdir /tmp/tmproot
mount -t tmpfs none /tmp/tmproot
mv /tmp/newroot/* /tmp/tmproot

# pivot_root needs the put_old directory to exist inside the new root
mkdir /tmp/tmproot/oldroot

# switch to new root
mount -a
mount --make-rprivate / # necessary for pivot_root to work: shared mounts cannot be pivoted
cd /tmp/tmproot
pivot_root /tmp/tmproot /tmp/tmproot/oldroot

# move the kernel/runtime filesystems from the old root into the new one
for i in dev proc sys run; do mount --move /oldroot/$i /$i; done

I am stuck at step 5. Using fuser -vm /oldroot I can see there are a lot of processes still hanging on to the old root partition. If I try to restart them from the new root using systemctl, I get an error:

# systemctl restart sshd
Failed to restart sshd service: Failed to activate service 'org.freedesktop.systemd1': timed out

I can kill them manually, but then I am left with just the init process, systemd, and there seems to be no way to kill that. systemctl daemon-reexec won't work.

Perhaps I forgot to configure something in my newroot filesystem? Perhaps I should use switch_root instead of pivot_root?

Any suggestions? Thanks

Fabio
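A safety check for the situation in step 5, added here as an example that is not part of Fabio's post: before the old LVM partition is overwritten in step 6, it lists every process whose root directory still points into the old tree (the function names old_root_procs and count_old_root_procs, and the /proc-like directory they are pointed at, are constructed for this example; on a live system you would call old_root_procs /proc /oldroot).

```shell
#!/bin/sh
# Enumerate processes whose root directory is still the old root tree.
# proc_dir: a /proc-like directory (parameterised so the check can run
#           against a constructed tree); old_root: path of the old root as
#           seen from the new root, e.g. /oldroot after pivot_root.
# Output: one "pid comm root" line per process still rooted in the old tree.
old_root_procs() {
    proc_dir=$1
    old_root=$2
    for pid_dir in "$proc_dir"/[0-9]*; do
        # No match leaves the literal pattern; it is not a directory, so skip.
        [ -d "$pid_dir" ] || continue
        # root is a symlink to the process's root directory; unreadable links
        # (other users' processes, or processes that already exited) are skipped.
        root=$(readlink "$pid_dir/root" 2>/dev/null) || continue
        case "$root" in
            "$old_root"|"$old_root"/*)
                pid=${pid_dir##*/}
                comm=$(cat "$pid_dir/comm" 2>/dev/null)
                printf '%s %s %s\n' "$pid" "${comm:-?}" "$root"
                ;;
        esac
    done
}

# Number of processes still rooted in the old tree; 0 means nothing is left
# holding the old partition through its root directory.
count_old_root_procs() {
    old_root_procs "$1" "$2" | wc -l | tr -d ' '
}
```

fuser -vm also reports processes holding open files or a cwd on the old partition, so treat a count of 0 here as necessary but not sufficient before reusing the partition.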

1 Answer


Take a look at https://wiki.archlinux.org/index.php/Dm-crypt/Specialties. You can switch the mkinitcpio encrypt hook for encryptssh and then add some things to your kernel bootline. I'm using the dropbear hook and it works pretty well.