Temporarily halt boot process to enter encryption keys?

Modulok modulok at gmail.com
Thu Dec 10 04:01:40 UTC 2009


Corey,

Umm...write a script perhaps?

Nobody else has taken a shot at this one yet, so I'll try. This is
just what I'd do. That said, it's probably not the best solution. It's
an idea. You may have to work out some bugs along the way.

In regards to interrupting the boot process, I don't think this is
what you're after, unless you have console access. In which case you'd
use geli to set the boot flag on your providers. The boot process will
stop, ask for a password and then continue. The problem is that this
occurs before daemons like sshd are started; Unless you have console
access, you're screwed. Thus, your problem...

You want the system to boot as usual, it's just you don't want it to
start any third party daemons such as samba ...yet!

(This is why runlevels on SysV style startups are useful. It would be
a matter of switching to a custom runlevel.)

You would first disable the various daemons by not having them in your
'rc.conf' file. You'd then write a wrapper script, in your language of
choice. The wrapper simply calls the various '/usr/local/etc/rc.d'
scripts to start all of your third party daemons as usual. ...and
whatever else you need to do. Remember to pass the 'onestart'
argument, because the rc scripts are no longer listed in /etc/rc.conf.
With all that in place you'd ssh in and execute the wrapper as the
root user.

(root)> engage

Poof done. You can put the wrapper script anywhere you want. Name it
anything you like. Just make sure it's executable by the root user.
(Thus be careful when writing it!) An example of a python wrapper
might look something like the one below. Change to fit your needs,
obviously. Admittedly it's not he most pythonic code ever written. It
also probably has bugs to work out, but again, it's an idea.

#!/usr/local/bin/python
""" Wrapper which executes a bunch of files."""

import os
import sys
import subprocess as sp

# Change this to suit your needs:
SCRIPTS_TO_CALL = [
    '/usr/local/etc/rc.d/apache22',
    '/usr/local/etc/rc.d/samba',
    '/etc/rc.d/ntpd'
    ]

if os.geteuid() != 0:
    sys.stderr.write("This script must be executed as the root user.
Aborting.\n")

for script in SCRIPTS_TO_CALL:
    if os.path.exists(script):
        command = script + " onestart"
        p = sp.Popen(command, shell=True, stdout=sp.PIPE, stderr=sp.PIPE)

        # Now write out any errors/output to their usual places:
        sys.stdout.write(p.stdout.read()+"\n")
        sys.stderr.write(p.stderr.read()+"\n")
    else:
        sys.stderr.write("File, '%s' does not exist. Skipping...\n" % script)


Hacky, perhaps buggy, but perhaps useful. Unless anyone has a better
idea? With a little more refinement you could probably even convert
your FreeBSD box into a sysV equivalent, making complex custom
startups easier in the future. Blasphemy, I know!

-Modulok-

On 12/9/09, Corey J. Bukolt <0.23 at mail.ru> wrote:
> Corey J. Bukolt wrote:
>> Hello list,
>>
>> I have a FreeNAS box with a CF card for root, and 3 drives (soon to
>> be 4) set up with encryption and raidz on top of them. A less than
>> excellent detailed report of what I did is here:
>> http://bit.ly/5BeZq8 This setup is a bit hackish as after the
>> system boots I need to attach each drive using geli, run "zpool
>> import -f primary", and then restart all my services (nfs, samba,
>> etc).
>>
>> It's become a bit of a chore (especially when doing it all from a
>> N810), so I'm looking for a way to temporary halt the boot process
>> so that I can ssh in, attach the drives, and then allow the system
>> to continue to boot.
>>
>> A few ideas come to mind, such as meddling with rc scripts, but I'd
>>  like to get some suggestions from the more experienced FreeBSD
>> hackers before I go off breaking my system.
>>
>> Thanks, ~Corey
>>
>> _______________________________________________
>> freebsd-questions at freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions To
>> unsubscribe, send any mail to
>> "freebsd-questions-unsubscribe at freebsd.org"
>>
>>
>
> Anybody at all?
>
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"
>


More information about the freebsd-questions mailing list