oxy

I've been tinkering with the automatic unlock of encrypted zfs datasets on login (at the console) which works great but when the user logs out they get the following errors:

login[65695]: zfs_unmount failed for zroot/home/$homedir with: -1
login[65695]: unmount_dataset failed with: -1

2 questions:
- Where do I configure the unmounting of datasets on logout?
- Where do I look to figure out why its not unmounting? The user has the mount zfs permission (and they can mount fine)

What am I getting wrong?

#FreeBSD #OpenZFS

Mar 23 at 12:17pmWeb
Show thread♿ 🏳️‍🌈 La pantera roja6d ago
@oxyhyxo at first glance it seems that the unmounting is attempted after the user logged out.
Show threadanparker6d ago
@beckermatic @oxyhyxo Or before. And some processes, say login shell, are still running and fs is busy.
Show threadTim Chase6d ago

@anparker

this feels more accurate to me, like something is still holding file-descriptors open on the mount-point. If the unmount-script is in that home-directory, it might be the culprit (so you might try moving the script to something outside the /home mount-point like /opt/bin and run it from there. It might also be that something still has that mounted-location as its $CWD, so your script might need to do something like `cd /` at the top to move out of the directory.

You might be able to use something like lsof(1) or fstat(1) right before you unmount, dumping the open file-descriptors to some user-writable location like /tmp and see if there are any obvious culprits holding things open in $HOME

@beckermatic @oxyhyxo

Show threadoxy6d ago

@gumnos @anparker @beckermatic it seems to be a feature of the pam module

https://mastodon.bsd.cafe/@oxyhyxo/116281157760797989

Show threaddch  6d ago
@oxyhyxo try using umount -f and do a pslist-ilU $USER prior to see what’s still running?
Show threadoxy6d ago

@dch til about the existence of pslist 🧐

I havent implemented any scripts to fire on logout and yet **something** is calling unmount. All I did was update pam to add pam_zfs_key.

Show threaddch  6d ago
@oxyhyxo oh is it a thing already built into pam?
Show threadoxy6d ago
@dch I guess? I’ll continue digging
Show threadTom6d ago
@oxyhyxo @dch I'd be interested to know if you get it working. I have a similar setup on my laptop.
Show threadoxy6d ago

@pertho @dch hmmm

https://github.com/openzfs/zfs/issues/11222#issuecomment-756051810

pam_zfs_key failures lead to password prompts for root su · Issue #11222 · openzfs/zfs

System information Type Version/Name Distribution Name Debian Distribution Version unstable Linux Kernel 5.9 Architecture amd64 ZFS Version 2.0-release (813185d) Describe the problem you're observi...

GitHub
Show threadoxy6d ago

@pertho @dch okay so digging through pam_zfs_key.c tells me there is a "nounmount" flag.

updating /etc/pam.d/login as per https://codeberg.org/oxyhyxo/gists/src/branch/main/OpenZFS%20Encrypted%20Homedir%20Config.md mounts the dataset on login but does not attempt to unmount it on logout.

I tried passing the "force_unmount" option but I still get the error.

*shrugs* this is beyond my ken

gists/OpenZFS Encrypted Homedir Config.md at main

gists

Codeberg.org
Show threadoxy6d ago

@pertho @dch duh an update on the above

The option name is actually "forceunmount" and it seems to work - I'm not heaps keen on doing a zfs umount -f though 😔

Show threaddch  6d ago
@oxyhyxo aah I meant specifically umount -f it aeema to work with even the most stubborn of mount points that zfs unmount won’t and yes you want to know what processes are still running @pertho
Show threadoxy6d ago

@dch @pertho yeah I still dont know who or what is holding the mount open.

open a console as root, switch to a new virtual terminal, login as user.
Logout as user, unmount failed.
lsof as root - no open files in the users home directory
zfs unmount $home_dataset as root unmounts the dataset without issue

**scratches head**

its like login is tripping over itself