Comment 15 for bug 431040

Luke (lukekuhn) wrote : Re: /var/tmp in fstab hangs boot

BIND MOUNTS OK - even on /var/tmp:

/var/tmp as a bind mount doesn't seem to cause a problem. I use directories in /home, mounted with -o bind, for these things to allow use of full home directory space (unlike a separate LUKS volume) while sealing leaks of encrypted data.

Some time back I worked up the "Bootcrypt" method of using bind mounts on an encrypted home partition to close data leaks in /tmp, /var/tmp, etc. Currently /home and swap are LUKS partitions; other "sensitive" directories are subdirectories on /home, bind mounted to the filesystem.

As of September 18 I have been able to use mountall with this, even with usplash, which I rolled back and pinned when the splash packages broke. I also use a custom splash theme based on ubuntustudio, with added armed penguins warning that all data is encrypted. In initramfs-tools/scripts/top, I had to substitute an older framebuffer script or usplash would freeze on usplash_write.

Can't use fsck yet (set to 0 in fstab), due to another reported bug causing mountall to refuse to deal properly with a failed fsck run.

The partitions are specified by UUID, the bind mounts by file names in /home. Here is my fstab:

# /etc/fstab: static file system information.
#
# Use 'vol_id --uuid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
proc /proc proc defaults 0 0
# / was on /dev/sda1 during installation
UUID=c6ecb774-1add-408f-95b2-16d263cadec1 / ext4 relatime,errors=remount-ro 0 0#TEMP
/dev/scd0 /media/cdrom0 udf,iso9660 user,noauto,exec,utf8 0 0
#
####### CHANGES ADDED BY BOOTCRYPT V 1.1 #######
#
UUID=8213ad0a-269b-492a-8d30-94b5bac12942 /home ext3 rw,relatime,nofail 0 0#TEMP
#
/home/TMP /tmp ext3 rw,bind,relatime,nofail 0 0
/home/VAR_TMP /var/tmp ext3 rw,bind,relatime,nofail 0 0
/home/VAR_SPOOL /var/spool ext3 rw,bind,relatime,nofail 0 0
/home/VAR_MAIL /var/mail ext3 rw,bind,relatime,nofail 0 0
/home/VAR_CACHE_CUPS /var/cache/cups ext3 rw,bind,relatime,nofail 0 0
UUID=5d09cd8b-61a7-4e86-94f8-c85a406217d7 none swap swap 0 0

Here is the crypttab that goes with it:

# <target name> <source device> <key file> <options>

vgbase UUID=5b9711af-64fa-4cda-89b1-ffc637e6359c none luks,tries=1000
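Added example, not part of Luke's comment or of the Bootcrypt method itself: a POSIX shell audit of the layout described above, checking that each leak-prone directory is bind-mounted from a subdirectory of the encrypted /home. The helper names and the sample fstab (modelled on the one in the comment, minus /var/mail) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the bug comment or of Bootcrypt: audit an fstab for
# the layout described above, where leak-prone directories are bind-mounted from
# subdirectories of the encrypted /home. Hypothetical helper names throughout.

# list_bind_mounts FSTAB: print "mountpoint source" for every bind entry.
# Inline "#..." text (like the "#TEMP" markers in the comment) is stripped first.
list_bind_mounts() {
    awk '{ sub(/#.*/, "") }
         NF >= 4 && ("," $4 ",") ~ /,bind,/ { print $2, $1 }' "$1"
}

# check_leak_dirs FSTAB PARENT DIR...: exit 0 if every DIR is bind-mounted from a
# source under PARENT (the encrypted volume); otherwise report and exit 1.
check_leak_dirs() {
    fstab=$1; parent=$2; shift 2
    rc=0
    for dir in "$@"; do
        src=$(list_bind_mounts "$fstab" | awk -v d="$dir" '$1 == d { print $2; exit }')
        case $src in
            "$parent"/*) echo "ok: $dir <- $src" ;;
            *) echo "UNCOVERED: $dir (source: ${src:-none})"; rc=1 ;;
        esac
    done
    return $rc
}

# sample_fstab: write a constructed fstab modelled on the one in the comment
# (deliberately without /var/mail) and print its path.
sample_fstab() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# <file system> <mount point> <type> <options> <dump> <pass>
proc /proc proc defaults 0 0
UUID=c6ecb774-1add-408f-95b2-16d263cadec1 / ext4 relatime,errors=remount-ro 0 0#TEMP
UUID=8213ad0a-269b-492a-8d30-94b5bac12942 /home ext3 rw,relatime,nofail 0 0#TEMP
/home/TMP /tmp ext3 rw,bind,relatime,nofail 0 0
/home/VAR_TMP /var/tmp ext3 rw,bind,relatime,nofail 0 0
/home/VAR_SPOOL /var/spool ext3 rw,bind,relatime,nofail 0 0
EOF
    echo "$f"
}

# Demo: /var/mail has no bind entry in the sample, so the check reports it.
demo=$(sample_fstab)
check_leak_dirs "$demo" /home /tmp /var/tmp /var/spool /var/mail || echo "leak check failed"
rm -f "$demo"
```

Run it against a live system with `check_leak_dirs /etc/fstab /home /tmp /var/tmp /var/spool /var/mail /var/cache/cups` to confirm every directory the comment lists is still backed by the encrypted volume after an fstab edit.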