[How-To] Wait for LUKS unlock before start Docker containers

  • Problem

    I have my hard drives encrypted with LUKS. The passphrase to unlock the drives can only be typed in the OMV WebUI. I don't want to use auto unlock. The encrypted hard drives contain directories that are in use by some of my Docker containers (nextcloud, transmission). I don't want to let those containers start before the unlock. They would fail, produce some garbage on the filesystem, and then I would have to restart those containers manually.

    Fix

    We need a script that will wait for the unlock and only then start the Docker service.

    Script

    You can copy the code from my GitHub (wait-for-unlock.sh) and put it in /usr/local/bin/, or just download it directly on your device:

    Code
    sudo wget -P /usr/local/bin/ https://raw.githubusercontent.com/Virusmater/OdroidXU4-Cloudshell2-OMV/master/usr/local/bin/wait-for-unlock.sh
    sudo chmod a+x /usr/local/bin/wait-for-unlock.sh

    Docker Service

    Make an override of the existing unit configuration

    Code
    sudo systemctl edit docker

    and add the script execution before the start

    Code
    [Service]
    ExecStartPre=/usr/local/bin/wait-for-unlock.sh

    That will create the file /etc/systemd/system/docker.service.d/override.conf with that configuration. You can also check it on GitHub (override.conf).

    Final

    The wait-for-unlock.sh script is quite dumb and only checks for the "/dev/mapper/sda-crypt" device. Any other ideas and PRs are welcome!

    From now on the Docker service will wait for the unlock before starting any containers.

    Edited 2 times, last by DimaKompot () for the following reason: Add chmod +x from comment
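  • The following is an added example, not the wait-for-unlock.sh from the GitHub repository linked above: a generalised version of the same idea that takes the paths to wait for as arguments (device nodes under /dev/mapper and/or the mount points the containers use), polls until all of them exist, and logs to the journal while waiting. The device paths, the WAIT_TIMEOUT variable and the install path in the comments are assumptions; substitute your own.

```shell
#!/bin/sh
# Added example, not the author's script: block until every path given on the
# command line exists, so docker.service does not start before LUKS is unlocked.
#
# Example override (paths are assumptions, adjust to your setup):
#   [Service]
#   ExecStartPre=/usr/local/bin/wait-for-unlock.sh /dev/mapper/sda-crypt /srv/nextcloud
#
# WAIT_TIMEOUT (seconds) bounds the wait. The default 0 waits forever, which is
# what you want when a human has to type the passphrase in the OMV WebUI;
# a non-zero value makes the unit fail instead of hanging if nobody unlocks.

# wait_for_paths TIMEOUT PATH...
# Returns 0 as soon as all PATHs exist, 1 if TIMEOUT seconds pass first.
wait_for_paths() {
    timeout="$1"
    shift
    elapsed=0
    while :; do
        missing=""
        for p in "$@"; do
            [ -e "$p" ] || missing="$missing $p"
        done
        if [ -z "$missing" ]; then
            return 0
        fi
        if [ "$timeout" -gt 0 ] && [ "$elapsed" -ge "$timeout" ]; then
            echo "wait-for-unlock: timed out after ${elapsed}s, still missing:$missing" >&2
            return 1
        fi
        # Log once a minute so `journalctl -u docker` shows what is being waited for.
        if [ $((elapsed % 60)) -eq 0 ]; then
            echo "wait-for-unlock: waiting for:$missing" >&2
        fi
        sleep 1
        elapsed=$((elapsed + 1))
    done
}

# Command-line front end: with no paths given there is nothing to wait for and
# the script falls through, so the unit proceeds unchanged.
if [ "$#" -gt 0 ]; then
    wait_for_paths "${WAIT_TIMEOUT:-0}" "$@"
fi
```

    Two things to check after installing it: the file must be executable (otherwise systemd reports the ExecStartPre failure as status 203/EXEC and docker.service never starts), and the paths you pass must be the ones that only appear after the unlock, e.g. the /dev/mapper/*-crypt node rather than the underlying /dev/sdX device, which exists before the passphrase is entered.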

  • geaves

    Approved the thread.
  • Perhaps obvious to proficient Linux users - easy to miss when it's not mentioned, but don't forget to chmod a+x /usr/local/bin/wait-for-unlock.sh, or else the Docker service will lock up and refuse to start (if your service is in this state, run systemctl reset-failed docker followed by systemctl restart docker).

    And, thank you for the script :)

    Server: Codename Oven (ASRock J5040-ITX with 4-core Pentium Silver J5040, 2x 8TB Seagate IronWolf HDD, inside Coolermaster Elite 110 case, powered by OMV 6)

  • Just in case anyone is wondering, so far this works perfectly on OMV6 still.

    Not sure if this is just my device or an OMV6 change (as I didn't use this on OMV5), but I did need to edit the wait-for-unlock.sh script to change my device name to vda-crypt instead of sda-crypt.

    But Docker doesn't f*** itself up now by trying to boot before my LUKS drive is unlocked!

    ------
    Crowley:
    Xeon X5670
    22GB DDR3 RAM
    1x 16TB Exos 1x 240gb Kingston A400 SSD, 1x 480gb Kingston A400 SSD
    OMV6 on top of Proxmox 7.1


    Aziraphale:
    QNAP TS-431
    2x WD 3TB, 2x WD 2TB - basically a backup server for Odin

  • Do you guys run into a problem with mergerfs because of luks? I have to keep redefining my pool after I unlock the drives because I have shared folders that get mounted while the drives are still encrypted.
