initrd ssh: cp: cannot stat '/etc/secrets/initrd/ssh_host_ed25519_key': No such file or directory #84976
Comments
I see an error in the code:
https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/system/boot/stage-1.nix#L148 But even fixing it to:
won't make the error go away. Also the mismatch in the examples:
vs.
didn't fix the problem.
Thanks for the report, and sorry for the broken code; I'll take a look at this. Note that this code path is only triggered when you use a bootloader without native initrd secrets support (which also exposes your host keys to the global Nix store), so using systemd-boot would probably avoid it. This should definitely still work though, so I'll poke at it; the tests are meant to exercise this code path but I guess not well enough.
The ECDSA key with Dropbear worked just fine. I fail to see how systemd-boot could be integrated into the initrd to provide early ssh access, which is needed to remotely unlock an encrypted zfs root.
I meant that the SSH host key copying code that is breaking triggers only when the bootloader you're using doesn't support initrd secrets natively in NixOS, which systemd-boot does but GRUB doesn't. I'm looking into fixing this, but I suspect setting
So I commented out the hostKeys entries and tried to rebuild:

```nix
# Remote ZFS Unlock
boot.initrd.network = {
  enable = true;
  ssh = {
    enable = true;
    port = 2222;
    # hostECDSAKey = /root/initrd-ssh-key;
    # hostKeys = [
    #   "/etc/secrets/initrd/ssh_host_rsa_key"
    #   "/etc/secrets/initrd/ssh_host_ed_25519_key"
    #   "/root/initrd-openssh-key"
    # ];
    authorizedKeys = [ "${mySecrets.auth_ssh_key1}" "${mySecrets.auth_ssh_key2}" ];
  };
  postCommands = ''
    # the initrd shell reads /root/.profile (original had /root.profile)
    echo "zfs load-key -a; killall zfs" >> /root/.profile
  '';
};
```

Which ended up in:
Try
You were right about the quotes. Using:
and the above fix:
made it build successfully.
Can't reboot now because I'm in the middle of a resilver and then scrub process.
Okay, so there are two issues here: the typo and #85000. The former is easy to resolve, but I'm not sure about the latter; there's basically nothing that can be done with a bare path only accessible by root inside a sandboxed Nix build. So I think this would probably require a rework of the initrd secrets implementation to fix properly, and in the meantime the best thing that could be done would be to give a more useful error message at NixOS evaluation time if you use a string path when initrd secrets support is disabled; I'll work on the latter. Edit: there's actually no typo;
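The two situations described in the maintainer's comments above (a bootloader with native initrd secrets support versus GRUB, where the key has to be baked into the initrd inside the sandboxed build) side by side, as an added example that is not from this thread or from nixpkgs. The option names are real NixOS options; the key file paths, the GRUB device and the authorized key are placeholders, and the `assertions` entry is an illustration of the evaluation-time check the maintainer proposes, not the one nixpkgs ships.

```nix
{ lib, ... }:

let
  # Placeholder switch: true on a BIOS-only machine that must boot with GRUB.
  useGrub = false;

  hostKeys =
    if useGrub
    # Path literal: copied into the world-readable /nix/store at evaluation,
    # which is what lets the sandboxed build read it. Use a key dedicated to
    # the initrd, never the system's own host key, because every local user
    # can read it there.
    then [ ./initrd_ssh_host_ed25519_key ]          # placeholder file
    # String path: read from the running system when the bootloader entry is
    # installed and appended to the initrd then, so it never enters the store.
    # With GRUB this is the path that fails with "cp: cannot stat".
    else [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];
in
{
  boot.loader.systemd-boot.enable = !useGrub;
  boot.loader.efi.canTouchEfiVariables = !useGrub;
  boot.loader.grub.enable = useGrub;
  boot.loader.grub.device = lib.mkIf useGrub "/dev/sda";   # placeholder

  boot.initrd.network = {
    enable = true;
    ssh = {
      enable = true;
      port = 2222;
      inherit hostKeys;
      authorizedKeys = [ "ssh-ed25519 AAAAC3PLACEHOLDER admin@example" ];
    };
    postCommands = ''
      echo "zfs load-key -a; killall zfs" >> /root/.profile
    '';
  };

  # Fail at evaluation, with a readable message, instead of at build time with
  # "cp: cannot stat", when a string path is used without native secrets support.
  assertions = [{
    assertion = useGrub -> builtins.all builtins.isPath hostKeys;
    message = ''
      boot.initrd.network.ssh.hostKeys: with GRUB the initrd is built in the Nix
      sandbox, which cannot read a root-only string path; use a path literal
      (the key will then be copied into /nix/store) or a bootloader with native
      initrd secrets support such as systemd-boot.
    '';
  }];
}
```

After `nixos-rebuild switch`, the path-literal variant leaves a copy of the key under `/nix/store` (visible with `ls /nix/store | grep initrd_ssh_host`), while the string variant does not; that difference is the exposure the maintainer refers to.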
Thanks for your hard work. I'll give feedback about initrd ssh boot once resilver and scrub have completed.
Looks better now. Thanks :)
Fixes NixOS#84976. (cherry picked from commit 91c6809)
@sjau Could you explain how to work around that problem? I think I am missing something.

```nix
# I have to use a system without efi support
boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
boot.loader.grub.efiSupport = false;
...
boot.initrd.network = {
  enable = true;
  ssh = {
    enable = true;
    port = 2222;
    hostKeys = [
      ./boot_ssh_host_ed25519_key
      ./boot_ssh_host_rsa_key
    ];
    ...
};
```

when running
Edit: I installed 20.03 first, then updated to unstable and was able to build it, placing a copy of the keys everywhere it complained about, e.g.
I use:
and on non-EFI
This issue has been mentioned on NixOS Discourse. There might be relevant details there: https://discourse.nixos.org/t/early-boot-remote-decryption/16146/1
This does indeed seem to be important, according to numerous discussions. NixOS/nixpkgs#84976 https://discourse.nixos.org/t/early-boot-remote-decryption/16146
Describe the bug
NixOS changed from Dropbear to OpenSSH in the initrd. While doing so it requires new keys, and new options were added.
However, following the instructions still fails to build.
To Reproduce
Steps to reproduce the behavior:
/root/initrd-openssh-key
and added the following to the configuration.nix:
So I created the /etc/secrets/initrd folder and ran the two commands, which resulted in:
and rebuilt again. This time it failed:
Expected behavior
It should properly detect the file provided in the hostKeys.
Metadata
Please run `nix-shell -p nix-info --run "nix-info -m"` and paste the result.

```
"x86_64-linux"
Linux 5.5.13, NixOS, 20.09pre218613.ae6bdcc5358 (Nightingale)
yes
yes
nix-env (Nix) 2.3.3
"nixos-19.09pre185402.5eac339829b"
"nixos-20.09pre220429.9b0d2f3fd15"
/nix/var/nix/profiles/per-user/root/channels/nixos
```
Maintainer information: