On Fri, Nov 16, 2018 at 12:15 PM Andrew Udvare <audv...@gmail.com> wrote:
>
> I am not sure if there is a way to move the systemd-cryptsetup@home.service
> up the dependency tree once it's working, which would then remove the
> mnt-chuan.mount dependency.
>
Ok, I did a bit more reading. You're using the cryptsetup generator most likely. It sets up units to be oneshot+remainafterexit, which means they're "active" whenever the LUKS device is mounted (without any processes - but they show as active so that you can stop them and unmount the device). It sets the RequiresMountsFor parameter for the device the key file is contained on, which makes that mount service a Required dependency. That means that it can't be unmounted while the cryptsetup device is in use, and in theory attempting to unmount the key file should make systemd attempt to unmount the cryptsetup device (though busy filesystems could interfere with that).

I'm not sure if there is a cleaner solution for this without adding some kind of new dependency type to systemd. You really do want that mountpoint to be considered "Required" when the service starts as that file is essential, but you don't need it to stick around after the unit starts. Of course, you don't want it to automatically stop right away either (that would create a race condition between unmounting the key and reading it).

This is built-in systemd behavior. I wouldn't be surprised if the folks on the #systemd IRC channel would be interested in talking about this use case and ways to improve it. The fact that they anticipate the key being on a removable mount makes me think it is something they want to support, but it would clearly be more secure to not leave that file mounted all the time. I'd encourage you to ask about it on IRC. If that isn't something you want to do I might inquire about it myself, but I don't want to steal your thunder.

--
Rich
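Added example, not part of the original message and not systemd's own code: a small audit that reads crypttab entries and reports which mount unit each key file keeps as a required dependency, following the RequiresMountsFor behaviour described in the message above. The crypttab lines, device names, key path and mount list are constructed, and skipping key paths under `/dev` is an assumption.

```python
import os

# Constructed sample input, not taken from the thread: one entry whose key
# file lives on a separately mounted filesystem, plus a list of mount points.
SAMPLE_CRYPTTAB = """\
# name  device     keyfile              options
home    /dev/sdb2  /mnt/chuan/home.key  luks
swap    /dev/sdb3  /dev/urandom         swap
data    /dev/sdb4  none                 luks
"""
SAMPLE_MOUNTS = ["/", "/mnt/chuan", "/boot"]

def mount_unit_name(path):
    """Escape a mount point the way systemd names .mount units."""
    parts = [p for p in path.split("/") if p]
    if not parts:
        return "-.mount"  # the root filesystem
    out = []
    for i, byte in enumerate("/".join(parts).encode()):
        ch = chr(byte)
        if ch == "/":
            out.append("-")
        elif (ch.isascii() and ch.isalnum()) or ch in ":_" or (ch == "." and i > 0):
            out.append(ch)
        else:
            out.append("\\x%02x" % byte)  # e.g. a space becomes \x20
    return "".join(out) + ".mount"

def containing_mount(path, mounts):
    """Return the longest mount point that is a path prefix of `path`."""
    best = "/"
    for m in mounts:
        if os.path.commonpath([path, m]) == m and len(m) > len(best):
            best = m
    return best

def pinned_mounts(crypttab_text, mounts):
    """Map each cryptsetup unit to the mount unit its key file keeps required."""
    result = {}
    for line in crypttab_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue
        name, keyfile = fields[0], fields[2]
        # Assumption: "none"/"-" mean no key file, and /dev paths are not
        # files on an ordinary mount, so neither pins a mount unit.
        if not keyfile.startswith("/") or keyfile.startswith("/dev/"):
            continue
        unit = "systemd-cryptsetup@%s.service" % name  # simple names only
        result[unit] = mount_unit_name(containing_mount(keyfile, mounts))
    return result

if __name__ == "__main__":
    for unit, mount in pinned_mounts(SAMPLE_CRYPTTAB, SAMPLE_MOUNTS).items():
        print("%s holds %s as a required dependency" % (unit, mount))
```

On a live system, `systemctl show -p RequiresMountsFor systemd-cryptsetup@home.service` reports the value systemd actually recorded for the unit.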