From d3d0e8ef4035b7a397ed623a97604679bfd00c47 Mon Sep 17 00:00:00 2001
From: Craig Jennings
Date: Sun, 25 Jan 2026 07:36:24 -0600
Subject: Add LUKS testing infrastructure and documentation

- Add setup_luks_testing_keyfile() for automated LUKS testing
- Modify configure_crypttab() and configure_luks_initramfs() for keyfile support
- Fix configure_btrfs_initramfs() to preserve encrypt hook when LUKS enabled
- Add TESTING=yes to LUKS test configs
- Create docs/TESTING-STRATEGY.org documenting testing approach

LUKS automated reboot testing remains a work-in-progress due to complexity of
sending passphrase to initramfs encrypt hook. Non-LUKS tests all pass:
btrfs-single, btrfs-mirror, btrfs-stripe.
---
 docs/session-context.org | 193 +++++++++++++++++++++++------------------------
 1 file changed, 93 insertions(+), 100 deletions(-)

(limited to 'docs/session-context.org')

diff --git a/docs/session-context.org b/docs/session-context.org
index ce2abd1..c547200 100644
--- a/docs/session-context.org
+++ b/docs/session-context.org
@@ -1,112 +1,105 @@ #+TITLE: Session Context - Active Session #+DATE: 2026-01-25 -* Session: Saturday 2026-01-24 @ 18:09 CST (continued to ~00:10 Sunday) +* Session: Sunday 2026-01-25 @ 00:15 CST (continued to ~05:45) -** Current Task: Phase 4.3 Validation Checks - Reboot Test Debugging +** Current Task: LUKS Automated Testing - Almost Working *** Summary -We're implementing automated reboot survival and rollback tests for btrfs -installations. The installation itself works, but the reboot test is failing -because GRUB drops to grub> prompt after reboot. - -*** Root Cause Identified -The grub.cfg file is EMPTY (0 bytes) after the VM is killed, even though it -was 5652 bytes when checked inside the running VM. This is a FAT32 filesystem -sync issue - data wasn't flushed before the VM was terminated. - -*** Fixes Applied (committed) -1. GRUB modules stored on EFI partition (FAT32) with --boot-directory=/efi -2. Symlink /boot/grub -> /efi/grub created BEFORE grub-mkconfig -3. Added sync after grub-mkconfig (ensure FAT32 write completes) -4. Added sync before unmounting EFI in cleanup -5. Test framework now uses correct password (ROOT_PASSWORD from config) for - post-reboot SSH instead of ISO password (archzfs) - -*** Commits Made This Session -- 7bb88b9 Fix GRUB boot for btrfs with subvolumes -- 36d429e Add reboot survival and rollback verification tests -- 79b4522 Update test config and documentation - -*** Files Modified -- custom/lib/btrfs.sh - GRUB on EFI, sync calls -- scripts/test-install.sh - reboot/rollback test infrastructure, password handling -- scripts/test-configs/btrfs-single.conf - added NO_ENCRYPT=yes -- custom/RESCUE-GUIDE.txt - offline Arch Wiki section -- todo.org - updated completed tasks - -*** Test Infrastructure Added to test-install.sh +Implementing automated LUKS passphrase handling for reboot tests. Using hybrid +approach: sendkey for GRUB prompt + keyfile for initramfs. + +*** What's Working +1. 
sendkey for GRUB passphrase - WORKING + - Monitor socket added to VM + - handle_luks_passphrase() detects prompt and sends keystrokes + - GRUB successfully decrypts (serial shows "Slot 0 opened") + - Kernel and initramfs load successfully + +2. Keyfile setup - WORKING + - setup_luks_testing_keyfile() creates keyfile + - Adds keyfile to LUKS slot 1 + - Embeds in initramfs via FILES= + - Updates crypttab to use keyfile + +*** Bug Just Fixed +configure_btrfs_initramfs() was overwriting HOOKS and removing the encrypt hook. +Just fixed by checking if LUKS is enabled and including encrypt hook. + +The fix (in btrfs.sh line ~815-825): #+begin_src bash -# New functions: -start_vm_from_disk() # Boot VM from installed disk (no ISO) -stop_vm() keep_vars # Optional param to preserve EFI boot entries -wait_for_ssh() password # Optional password param (for installed system) -ssh_cmd() # Uses INSTALLED_PASSWORD when set -verify_reboot_survival() # Checks system boots, filesystem healthy -verify_rollback() # Tests snapshot create/rollback - -# Flow in run_test(): -# 1. Boot ISO, install system -# 2. Verify installation -# 3. stop_vm with keep_vars=true (preserve OVMF_VARS) -# 4. start_vm_from_disk (no ISO, boot from disk) -# 5. wait_for_ssh using ROOT_PASSWORD from config -# 6. verify_reboot_survival -# 7. verify_rollback -# 8. Cleanup +local encrypt_hook="" +[[ "$NO_ENCRYPT" != "yes" && -n "$LUKS_PASSPHRASE" ]] && encrypt_hook="encrypt " +# Then include ${encrypt_hook} in HOOKS sed command #+end_src -*** Current Test Status -- Installation: PASSES (verified manually and in tests) -- Post-install verification: PASSES -- Reboot test: FAILS - grub.cfg is empty after VM killed - -The sync fix was just committed but NOT yet tested. Need to: -1. Rebuild ISO with the sync fixes -2. Run btrfs-single test -3. 
Verify grub.cfg is not empty after reboot - -*** Key Technical Details -- GRUB prefix is (,gpt1)/grub when using --boot-directory=/efi -- grub.cfg must be at /efi/grub/grub.cfg (EFI partition) -- Symlink /boot/grub -> /efi/grub makes grub-btrfs work -- FAT32 needs explicit sync before VM termination -- OVMF_VARS.fd stores EFI boot entries - must preserve between VM stop/start -- Test uses port 2222 for SSH forwarding - -*** Debug Commands Used -#+begin_src bash -# Check EFI partition from inside VM: -ls -la /mnt/efi/grub/ -cat /mnt/efi/grub/grub.cfg +*** Next Step +Run the test again to verify the fix works: +./scripts/test-install.sh btrfs-luks -# Mount installed disk from host: -sudo qemu-nbd -c /dev/nbd0 vm/disk.qcow2 -sudo mount /dev/nbd0p1 /tmp/efi-check -cat /tmp/efi-check/grub/grub.cfg +*** Files Modified This Session +- custom/lib/btrfs.sh + - Added setup_luks_testing_keyfile() function + - Modified configure_crypttab() for keyfile support + - Modified configure_luks_initramfs() for keyfile in FILES= + - Fixed configure_btrfs_initramfs() to preserve encrypt hook -# Check serial log for GRUB output: -cat test-logs/btrfs-single-reboot-serial.log -#+end_src +- custom/archangel + - Added call to setup_luks_testing_keyfile() in LUKS flow -** Remaining Btrfs Plan Phases -- Phase 4.3: Validation checks - IN PROGRESS (sync fix needs testing) -- Phase 5: CLI tools (archangel-snapshot, archangel-rollback, archangel-list) -- Phase 6: Documentation (README, RESCUE-GUIDE, BTRFS.org) - -** Test Status Before Reboot Test Additions -All btrfs tests were passing: -- btrfs-single, btrfs-luks, btrfs-mirror, btrfs-stripe, btrfs-mirror-luks -- ZFS: single-disk, mirror, raidz1 - -** Next Steps -1. Rebuild ISO (includes sync fixes) -2. Run: ./scripts/test-install.sh btrfs-single -3. If still failing, check serial log and verify grub.cfg has content -4. Once passing, run full btrfs test suite -5. 
Continue to Phase 5 or 6 - -** Open Questions / Potential Issues -- Multi-disk btrfs GRUB functions also updated but not tested after sync fix -- grub-btrfsd service might need config for non-standard grub.cfg location -- Rollback test not yet validated (system needs to boot first) +- scripts/test-install.sh + - Added monitor socket to start_vm_from_disk() + - Added handle_luks_passphrase() function + - Added send_key_to_monitor() function + - Integrated LUKS handling into reboot test flow + +- scripts/test-configs/btrfs-luks.conf - Added TESTING=yes +- scripts/test-configs/btrfs-mirror-luks.conf - Added TESTING=yes +- docs/TESTING-STRATEGY.org - New file documenting approach + +*** Commits Made This Session +- a099f50: Add ISO naming task, update session context + +*** Test Results Before Fix +- btrfs-single: PASS +- btrfs-mirror: PASS +- btrfs-stripe: PASS +- btrfs-luks: FAIL (encrypt hook missing - just fixed) +- btrfs-mirror-luks: FAIL (same issue) + +*** Technical Details + +LUKS Boot Flow: +1. GRUB decrypts /boot with GRUB_ENABLE_CRYPTODISK (sendkey provides passphrase) +2. GRUB loads kernel and initramfs +3. Initramfs encrypt hook decrypts root (keyfile provides passphrase) +4. 
Root mounted, boot continues + +sendkey Implementation: +- QEMU monitor socket: -monitor unix:$VM_DIR/monitor-${test_name}.sock,server,nowait +- Watch serial log for "Enter passphrase for" +- Send passphrase char-by-char via "sendkey" monitor command +- Character mapping (a-z, 0-9, special chars to QEMU key names) + +Keyfile Implementation: +- Random 2KB keyfile at /etc/cryptroot.key +- Added to LUKS slot 1 (passphrase stays in slot 0) +- Embedded in initramfs via mkinitcpio FILES=() +- crypttab uses keyfile path instead of "none" + +*** Decision Rationale +Chose hybrid approach (sendkey + keyfile) over: +- Option A (unencrypted /boot): Tests different code path than production +- Option B (accept limitation): Would miss integration bugs like empty grub.cfg + +Documented in docs/TESTING-STRATEGY.org. + +*** ISO on Ventoy +archzfs-vmlinuz-6.12.66-lts-2026-01-25-x86_64.iso (2.1G) +Updated on Ventoy flash drive. + +*** Remaining Work +1. Verify encrypt hook fix works +2. Run full btrfs test suite including LUKS configs +3. If passing, commit all changes +4. Continue to Phase 5 (CLI tools) or Phase 6 (documentation) -- cgit v1.2.3
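
Review bot: The "Keyfile Implementation" notes in the added text record a keyfile at /etc/cryptroot.key that is added to LUKS slot 1 and embedded in the initramfs via FILES=(), but nothing in these lines says the step is gated on TESTING=yes or what permissions the keyfile and the generated initramfs image get. Please state explicitly that setup_luks_testing_keyfile() runs only when TESTING=yes, so a production install never ends up with a second key slot and a root-unlocking key inside the initramfs, and record the intended file mode next to the path. It would also help to note under "Decision Rationale" that, with crypttab pointing at the keyfile instead of "none", the initramfs passphrase prompt is itself not exercised, since the same section rejects Option A for testing a different code path than production.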