Package: guix-patches
Reported by: 45mg <45mg.writes <at> gmail.com>
Date: Thu, 3 Apr 2025 17:48:01 UTC
Severity: normal
Tags: patch
To reply to this bug, email your comments to 77499 AT debbugs.gnu.org.
Message #5 received at submit <at> debbugs.gnu.org:
From: 45mg <45mg.writes <at> gmail.com>
To: guix-patches <at> gnu.org
Cc: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>, soeren <at> soeren-tempel.net, Sisiutl <sisiutl <at> egregore.fun>, Ludovic Courtès <ludo <at> gnu.org>, 45mg <45mg.writes <at> gmail.com>, Hilton Chain <hako <at> ultrarare.space>, Tomas Volf <~@wolfsden.cz>
Subject: [PATCH] mapped-devices/luks: Support extra options.
Date: Thu, 3 Apr 2025 23:13:57 +0530
Allow passing extra options to the 'cryptsetup open' command. * gnu/system/mapped-devices.scm (luks-device-mapping-with-options): [#:extra-options]: New argument. (open-luks-device): Use it. * doc/guix.texi (Mapped Devices): Document it. * gnu/tests/install.scm (%test-encrypted-root-extra-options-os): New test for it, as well as the previously untested #:allow-discards? option. (%encrypted-root-extra-options-os): New os declaration for the test. Change-Id: Ia9fd129d1c66cbf27abdd3064d59188083465247 --- CCing everyone who worked on the allow-discards option - this change is very similar. %encrypted-root-extra-options-os is copied from %encrypted-root-os; only the mapped-devices field is changed. I wish I could avoid this code duplication by having `(inherit %encrypted-root-os)` in the os definition, but when I do that, the test fails with this error in the build log: /mnt/etc/config.scm:1:100: error: %encrypted-root-os: unbound variable Any chance you Guile wizards know how to make this work? doc/guix.texi | 20 ++++++++++- gnu/system/mapped-devices.scm | 25 ++++++++----- gnu/tests/install.scm | 68 +++++++++++++++++++++++++++++++++++ 3 files changed, 104 insertions(+), 9 deletions(-) diff --git a/doc/guix.texi b/doc/guix.texi index bcb1f9d9cf..9cd1304522 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -18461,7 +18461,7 @@ Mapped Devices @code{dm-crypt} Linux kernel module. @end defvar -@deffn {Procedure} luks-device-mapping-with-options [#:key-file #:allow-discards?] +@deffn {Procedure} luks-device-mapping-with-options [#:key-file #:allow-discards? #:extra-options] Return a @code{luks-device-mapping} object, which defines LUKS block device encryption using the @command{cryptsetup} command from the package with the same name. It relies on the @code{dm-crypt} Linux 
@@ -18492,6 +18492,24 @@ Mapped Devices information, refer to the description of the @code{--allow-discards} option in the @code{cryptsetup-open(8)} man page. +@code{extra-options} may be used to specify a list of additional +command-line options for the @code{cryptsetup open} command. See the +@code{cryptsetup-open(8)} man page for a list of supported options. + +For example, here is how you could specify the +@code{--perf-no_read_workqueue} and @code{--perf-no_write_workqueue} +options, along with @code{--allow-discards}: + +@lisp +(mapped-device + (source "/dev/sdb1) + (target "data) + (type (luks-device-mapping-with-options + #:allow-discards? #t + #:extra-options '("--perf-no_read_workqueue" + "--perf-no_write_workqueue")))) +@end lisp + @end deffn @defvar raid-device-mapping diff --git a/gnu/system/mapped-devices.scm b/gnu/system/mapped-devices.scm index 667a495570..520ade9ef8 100644 --- a/gnu/system/mapped-devices.scm +++ b/gnu/system/mapped-devices.scm @@ -194,10 +194,12 @@ (define (check-device-initrd-modules device linux-modules location) ;;; Common device mappings. ;;; -(define* (open-luks-device source targets #:key key-file allow-discards?) +(define* (open-luks-device source targets + #:key key-file allow-discards? extra-options) "Return a gexp that maps SOURCE to TARGET as a LUKS device, using 'cryptsetup'. When ALLOW-DISCARDS? is true, the use of discard (TRIM) -requests is allowed for the underlying device." +requests is allowed for the underlying device. EXTRA-OPTIONS is a list of +additional options to be passed to the 'cryptsetup open' command." (with-imported-modules (source-module-closure '((gnu build file-systems) (guix build utils))) ;; For mkdir-p 
@@ -238,10 +240,15 @@ (define* (open-luks-device source targets #:key key-file allow-discards?) (let ((cryptsetup #$(file-append cryptsetup-static "/sbin/cryptsetup")) (cryptsetup-flags (cons* - "open" "--type" "luks" partition #$target - (if #$allow-discards? - '("--allow-discards") - '())))) + "open" "--type" "luks" + (append + (if #$allow-discards? + '("--allow-discards") + '()) + (if (pair? '#$extra-options) + '#$extra-options + '()) + (list partition #$target))))) ;; We want to fallback to the password unlock if the keyfile ;; fails. (or (and keyfile @@ -290,7 +297,8 @@ (define luks-device-mapping ((gnu build file-systems) #:select (find-partition-by-luks-uuid system*/tty)))))) -(define* (luks-device-mapping-with-options #:key key-file allow-discards?) +(define* (luks-device-mapping-with-options + #:key key-file allow-discards? extra-options) "Return a luks-device-mapping object with open modified to pass the arguments into the open-luks-device procedure." (mapped-device-kind @@ -298,7 +306,8 @@ (define* (luks-device-mapping-with-options #:key key-file allow-discards?) (open (λ (source targets) (open-luks-device source targets #:key-file key-file - #:allow-discards? allow-discards?))))) + #:allow-discards? allow-discards? + #:extra-options extra-options))))) (define (open-raid-device sources targets) "Return a gexp that assembles SOURCES (a list of devices) to the RAID device diff --git a/gnu/tests/install.scm b/gnu/tests/install.scm index a837637b18..fd9f17eb4d 100644 --- a/gnu/tests/install.scm +++ b/gnu/tests/install.scm @@ -68,6 +68,7 @@ (define-module (gnu tests install) %test-separate-home-os %test-raid-root-os %test-encrypted-root-os + %test-encrypted-root-extra-options-os %test-encrypted-home-os %test-encrypted-home-os-key-file %test-encrypted-root-not-boot-os 
@@ -843,6 +844,73 @@ (define %test-encrypted-root-os (run-basic-test %encrypted-root-os command "encrypted-root-os" #:initialization enter-luks-passphrase))))) + +;;; +;;; LUKS-encrypted root with extra options: --allow-discards, +;;; --perf-no_read_workqueue and --perf-no_write_workqueue +;;; + +;; Except for the 'mapped-devices' field, this is exactly the same as +;; %encrypted-root-os. +(define-os-with-source (%encrypted-root-extra-options-os + %encrypted-root-extra-options-os-source) + ;; The OS we want to install. + (use-modules (gnu) (gnu tests) (srfi srfi-1)) + + (operating-system + (host-name "liberigilo") + (timezone "Europe/Paris") + (locale "en_US.UTF-8") + + (bootloader (bootloader-configuration + (bootloader grub-bootloader) + (targets '("/dev/vdb")))) + + ;; Note: Do not pass "console=ttyS0" so we can use our passphrase prompt + ;; detection logic in 'enter-luks-passphrase'. + + (mapped-devices (list (mapped-device + (source (uuid "12345678-1234-1234-1234-123456789abc")) + (target "the-root-device") + (type (luks-device-mapping-with-options + #:allow-discards? #t + #:extra-options + '("--perf-no_read_workqueue" + "--perf-no_write_workqueue")))))) + (file-systems (cons (file-system + (device "/dev/mapper/the-root-device") + (mount-point "/") + (type "ext4")) + %base-file-systems)) + (users (cons (user-account + (name "charlie") + (group "users") + (supplementary-groups '("wheel" "audio" "video"))) + %base-user-accounts)) + (services (cons (service marionette-service-type + (marionette-configuration + (imported-modules '((gnu services herd) + (guix combinators))))) + %base-services)))) + +(define %test-encrypted-root-extra-options-os + (system-test + (name "encrypted-root-extra-options-os") + (description + "Test basic functionality of an OS installed like one would do by hand, +with an LUKS-encrypted root partition opened with extra options +(--allow-discards, --perf-no_read_workqueue and --perf-no_write_workqueue). 
+This test is expensive in terms of CPU and storage usage since we need to +build (current-guix) and then store a couple of full system images.") + (value + (mlet* %store-monad ((images (run-install %encrypted-root-extra-options-os + %encrypted-root-extra-options-os-source + #:script + %encrypted-root-installation-script)) + (command (qemu-command* images))) + (run-basic-test %encrypted-root-os command "encrypted-root-extra-options-os" + #:initialization enter-luks-passphrase))))) + ;;; ;;; Separate /home on LVM base-commit: 4ea012fc6ddcb32574fbd4a854b11808c34fbca8 -- 2.49.0
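Review bot: in the @lisp example of the doc/guix.texi hunk at @@ -18492,6 +18492,24, the strings in `(source "/dev/sdb1)` and `(target "data)` are missing their closing quotes, so the documented configuration is not valid Scheme when copied; close both strings. The three option names in the paragraph above the example are marked up with @code, where @option is the Texinfo command for command-line options.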
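Review bot: the `(if (pair? '#$extra-options) '#$extra-options '())` branch in the gnu/system/mapped-devices.scm hunk at @@ -238,10 +240,15 silently discards any #:extra-options value that is not a non-empty list, so a user who writes a single string instead of a list gets the device opened without the requested options and without any diagnostic. Because these flags change how an encrypted volume is opened, consider giving the keyword a '() default in the define* and raising an error for a non-list value instead of falling back to '().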
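Review bot: the closing `run-basic-test` call in the gnu/tests/install.scm hunk at @@ -843,6 +844,73 is given `%encrypted-root-os`, while the images are built from `%encrypted-root-extra-options-os`; pass the new OS definition so the test checks the system it installed. The visible test body only enters the passphrase and runs the basic test, so nothing in it asserts that --allow-discards or the two --perf options reached the mapping; a check on the opened device would make the test cover the new argument.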
Message #8 received at 77499 <at> debbugs.gnu.org:
From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: 45mg <45mg.writes <at> gmail.com>
Cc: soeren <at> soeren-tempel.net, Sisiutl <sisiutl <at> egregore.fun>, Ludovic Courtès <ludo <at> gnu.org>, 77499 <at> debbugs.gnu.org, Hilton Chain <hako <at> ultrarare.space>, Tomas Volf <~@wolfsden.cz>
Subject: Re: [bug#77499] [PATCH] mapped-devices/luks: Support extra options.
Date: Sat, 26 Apr 2025 22:16:43 +0900
Hi, 45mg <45mg.writes <at> gmail.com> writes: > Allow passing extra options to the 'cryptsetup open' command. > > * gnu/system/mapped-devices.scm (luks-device-mapping-with-options): > [#:extra-options]: New argument. > (open-luks-device): Use it. > * doc/guix.texi (Mapped Devices): Document it. > * gnu/tests/install.scm (%test-encrypted-root-extra-options-os): New > test for it, as well as the previously untested #:allow-discards? > option. > (%encrypted-root-extra-options-os): New os declaration for the test. Sounds good. > Change-Id: Ia9fd129d1c66cbf27abdd3064d59188083465247 > --- > CCing everyone who worked on the allow-discards option - this change is very > similar. > > %encrypted-root-extra-options-os is copied from %encrypted-root-os; only > the mapped-devices field is changed. I wish I could avoid this code > duplication by having `(inherit %encrypted-root-os)` in the os > definition, but when I do that, the test fails with this error in the > build log: > > /mnt/etc/config.scm:1:100: error: %encrypted-root-os: unbound variable > > Any chance you Guile wizards know how to make this work? I think I've probably banged my head on this at some point but don't have an immediate idea. > > doc/guix.texi | 20 ++++++++++- > gnu/system/mapped-devices.scm | 25 ++++++++----- > gnu/tests/install.scm | 68 +++++++++++++++++++++++++++++++++++ > 3 files changed, 104 insertions(+), 9 deletions(-) > > diff --git a/doc/guix.texi b/doc/guix.texi > index bcb1f9d9cf..9cd1304522 100644 > --- a/doc/guix.texi > +++ b/doc/guix.texi 
> @@ -18461,7 +18461,7 @@ Mapped Devices > @code{dm-crypt} Linux kernel module. > @end defvar > > -@deffn {Procedure} luks-device-mapping-with-options [#:key-file #:allow-discards?] > +@deffn {Procedure} luks-device-mapping-with-options [#:key-file #:allow-discards? #:extra-options] Was there a way to break a line in Texinfo? > Return a @code{luks-device-mapping} object, which defines LUKS block > device encryption using the @command{cryptsetup} command from the > package with the same name. It relies on the @code{dm-crypt} Linux > @@ -18492,6 +18492,24 @@ Mapped Devices > information, refer to the description of the @code{--allow-discards} > option in the @code{cryptsetup-open(8)} man page. > > +@code{extra-options} may be used to specify a list of additional > +command-line options for the @code{cryptsetup open} command. See the > +@code{cryptsetup-open(8)} man page for a list of supported options. > + > +For example, here is how you could specify the > +@code{--perf-no_read_workqueue} and @code{--perf-no_write_workqueue} > +options, along with @code{--allow-discards}: For the command-line options, you can use @option{...} (see: (info "(texinfo) @option")). > + > +@lisp > +(mapped-device > + (source "/dev/sdb1) > + (target "data) Your strings are double quoted only on the left side. > + (type (luks-device-mapping-with-options > + #:allow-discards? #t > + #:extra-options '("--perf-no_read_workqueue" > + "--perf-no_write_workqueue")))) > +@end lisp > + > @end deffn > > @defvar raid-device-mapping > diff --git a/gnu/system/mapped-devices.scm b/gnu/system/mapped-devices.scm > index 667a495570..520ade9ef8 100644 > --- a/gnu/system/mapped-devices.scm > +++ b/gnu/system/mapped-devices.scm 
> @@ -194,10 +194,12 @@ (define (check-device-initrd-modules device linux-modules location) > ;;; Common device mappings. > ;;; > > -(define* (open-luks-device source targets #:key key-file allow-discards?) > +(define* (open-luks-device source targets > + #:key key-file allow-discards? extra-options) > "Return a gexp that maps SOURCE to TARGET as a LUKS device, using > 'cryptsetup'. When ALLOW-DISCARDS? is true, the use of discard (TRIM) > -requests is allowed for the underlying device." > +requests is allowed for the underlying device. EXTRA-OPTIONS is a list of > +additional options to be passed to the 'cryptsetup open' command." > (with-imported-modules (source-module-closure > '((gnu build file-systems) > (guix build utils))) ;; For mkdir-p > @@ -238,10 +240,15 @@ (define* (open-luks-device source targets #:key key-file allow-discards?) > (let ((cryptsetup #$(file-append cryptsetup-static > "/sbin/cryptsetup")) > (cryptsetup-flags (cons* > - "open" "--type" "luks" partition #$target > - (if #$allow-discards? > - '("--allow-discards") > - '())))) > + "open" "--type" "luks" > + (append > + (if #$allow-discards? > + '("--allow-discards") > + '()) > + (if (pair? '#$extra-options) > + '#$extra-options > + '()) > + (list partition #$target))))) > ;; We want to fallback to the password unlock if the keyfile > ;; fails. > (or (and keyfile > @@ -290,7 +297,8 @@ (define luks-device-mapping > ((gnu build file-systems) > #:select (find-partition-by-luks-uuid system*/tty)))))) > > -(define* (luks-device-mapping-with-options #:key key-file allow-discards?) > +(define* (luks-device-mapping-with-options > + #:key key-file allow-discards? extra-options) > "Return a luks-device-mapping object with open modified to pass the arguments > into the open-luks-device procedure." > (mapped-device-kind 
> @@ -298,7 +306,8 @@ (define* (luks-device-mapping-with-options #:key key-file allow-discards?) > (open (λ (source targets) > (open-luks-device source targets > #:key-file key-file > - #:allow-discards? allow-discards?))))) > + #:allow-discards? allow-discards? > + #:extra-options extra-options))))) > > (define (open-raid-device sources targets) > "Return a gexp that assembles SOURCES (a list of devices) to the RAID device > diff --git a/gnu/tests/install.scm b/gnu/tests/install.scm > index a837637b18..fd9f17eb4d 100644 > --- a/gnu/tests/install.scm > +++ b/gnu/tests/install.scm > @@ -68,6 +68,7 @@ (define-module (gnu tests install) > %test-separate-home-os > %test-raid-root-os > %test-encrypted-root-os > + %test-encrypted-root-extra-options-os > %test-encrypted-home-os > %test-encrypted-home-os-key-file > %test-encrypted-root-not-boot-os 
> @@ -843,6 +844,73 @@ (define %test-encrypted-root-os > (run-basic-test %encrypted-root-os command "encrypted-root-os" > #:initialization enter-luks-passphrase))))) > > + > +;;; > +;;; LUKS-encrypted root with extra options: --allow-discards, > +;;; --perf-no_read_workqueue and --perf-no_write_workqueue > +;;; > + > +;; Except for the 'mapped-devices' field, this is exactly the same as > +;; %encrypted-root-os. > +(define-os-with-source (%encrypted-root-extra-options-os > + %encrypted-root-extra-options-os-source) > + ;; The OS we want to install. > + (use-modules (gnu) (gnu tests) (srfi srfi-1)) > + > + (operating-system > + (host-name "liberigilo") > + (timezone "Europe/Paris") > + (locale "en_US.UTF-8") > + > + (bootloader (bootloader-configuration > + (bootloader grub-bootloader) > + (targets '("/dev/vdb")))) > + > + ;; Note: Do not pass "console=ttyS0" so we can use our passphrase prompt > + ;; detection logic in 'enter-luks-passphrase'. > + > + (mapped-devices (list (mapped-device > + (source (uuid "12345678-1234-1234-1234-123456789abc")) > + (target "the-root-device") > + (type (luks-device-mapping-with-options > + #:allow-discards? 
#t > + #:extra-options > + '("--perf-no_read_workqueue" > + "--perf-no_write_workqueue")))))) > + (file-systems (cons (file-system > + (device "/dev/mapper/the-root-device") > + (mount-point "/") > + (type "ext4")) > + %base-file-systems)) > + (users (cons (user-account > + (name "charlie") > + (group "users") > + (supplementary-groups '("wheel" "audio" "video"))) > + %base-user-accounts)) > + (services (cons (service marionette-service-type > + (marionette-configuration > + (imported-modules '((gnu services herd) > + (guix combinators))))) > + %base-services)))) > + > +(define %test-encrypted-root-extra-options-os > + (system-test > + (name "encrypted-root-extra-options-os") > + (description > + "Test basic functionality of an OS installed like one would do by hand, > +with an LUKS-encrypted root partition opened with extra options > +(--allow-discards, --perf-no_read_workqueue and --perf-no_write_workqueue). > +This test is expensive in terms of CPU and storage usage since we need to > +build (current-guix) and then store a couple of full system images.") > + (value > + (mlet* %store-monad ((images (run-install %encrypted-root-extra-options-os > + %encrypted-root-extra-options-os-source > + #:script > + %encrypted-root-installation-script)) > + (command (qemu-command* images))) > + (run-basic-test %encrypted-root-os command "encrypted-root-extra-options-os" > + #:initialization enter-luks-passphrase))))) Looks good to me. I haven't tried running it yet; if you send a v2 with the small problem I've seen above I'll happily try it and if it passes merge it. -- Thanks, Maxim
Message #11 received at 77499 <at> debbugs.gnu.org:
From: 45mg <45mg.writes <at> gmail.com>
To: 70826 <at> debbugs.gnu.org, 45mg <45mg.writes <at> gmail.com>
Cc: soeren <at> soeren-tempel.net, Tadhg McDonald-Jensen <tadhgmister <at> gmail.com>, Ludovic Courtès <ludo <at> gnu.org>, 77499 <at> debbugs.gnu.org, Sisiutl <sisiutl <at> egregore.fun>, Hilton Chain <hako <at> ultrarare.space>, gmail.com, Tomas Volf <~@wolfsden.cz>
Subject: [PATCH] mapped-devices/luks: Support extra options.
Date: Sat, 9 Aug 2025 17:40:33 +0530
Allow passing extra options to the 'cryptsetup open' command. * gnu/system/mapped-devices.scm (open-luks-device) [#:extra-options]: New argument. * doc/guix.texi (Mapped Devices): Document it. * gnu/tests/install.scm (%test-encrypted-root-extra-options-os): New test for it, as well as the previously untested #:allow-discards? option. (%encrypted-root-extra-options-os): New os declaration for the test. Change-Id: Ia9fd129d1c66cbf27abdd3064d59188083465247 --- Took into account Maxim's review. Also, luks-device-mapping-with-options is now deprecated [1], so instead use the 'arguments' field of luks-device-mapping. [1] https://codeberg.org/guix/guix/pulls/1048 doc/guix.texi | 21 +++++++++++ gnu/system/mapped-devices.scm | 19 ++++++---- gnu/tests/install.scm | 68 +++++++++++++++++++++++++++++++++++ 3 files changed, 102 insertions(+), 6 deletions(-) diff --git a/doc/guix.texi b/doc/guix.texi index bffaeb5bbc..4bb4f50200 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -18731,6 +18731,27 @@ Mapped Devices file system level operations visible on the physical device. For more information, refer to the description of the @code{--allow-discards} option in the @code{cryptsetup-open(8)} man page. + +@item #:extra-options +@code{extra-options} may be used to specify a list of additional +command-line options for the @code{cryptsetup open} command. See the +@code{cryptsetup-open(8)} man page for a list of supported options. + +For example, here is how you could specify the +@option{--perf-no_read_workqueue} and @option{--perf-no_write_workqueue} +options, along with @option{--allow-discards}: + +@lisp +(mapped-device +(source "/dev/sdb1") +(target "data") +(type (type luks-device-mapping) + (arguments '(#:allow-discards? #t + #:extra-options + ("--perf-no_read_workqueue" + "--perf-no_write_workqueue"))))) +@end lisp + @end table @end defvar diff --git a/gnu/system/mapped-devices.scm b/gnu/system/mapped-devices.scm index b0a6beef28..034956c616 100644 
--- a/gnu/system/mapped-devices.scm +++ b/gnu/system/mapped-devices.scm @@ -200,10 +200,12 @@ (define (check-device-initrd-modules device linux-modules location) ;;; Common device mappings. ;;; -(define* (open-luks-device source targets #:key key-file allow-discards?) +(define* (open-luks-device source targets + #:key key-file allow-discards? extra-options) "Return a gexp that maps SOURCE to TARGET as a LUKS device, using 'cryptsetup'. When ALLOW-DISCARDS? is true, the use of discard (TRIM) -requests is allowed for the underlying device." +requests is allowed for the underlying device. EXTRA-OPTIONS is a list of +additional options to be passed to the 'cryptsetup open' command." (with-imported-modules (source-module-closure '((gnu build file-systems) (guix build utils))) ;; For mkdir-p @@ -244,10 +246,15 @@ (define* (open-luks-device source targets #:key key-file allow-discards?) (let ((cryptsetup #$(file-append cryptsetup-static "/sbin/cryptsetup")) (cryptsetup-flags (cons* - "open" "--type" "luks" partition #$target - (if #$allow-discards? - '("--allow-discards") - '())))) + "open" "--type" "luks" + (append + (if #$allow-discards? + '("--allow-discards") + '()) + (if (pair? '#$extra-options) + '#$extra-options + '()) + (list partition #$target))))) ;; We want to fallback to the password unlock if the keyfile ;; fails. (or (and keyfile diff --git a/gnu/tests/install.scm b/gnu/tests/install.scm index ec31cf2bdf..c6715484cf 100644 --- a/gnu/tests/install.scm +++ b/gnu/tests/install.scm @@ -68,6 +68,7 @@ (define-module (gnu tests install) %test-separate-home-os %test-raid-root-os %test-encrypted-root-os + %test-encrypted-root-extra-options-os %test-encrypted-home-os %test-encrypted-home-os-key-file %test-encrypted-root-not-boot-os 
@@ -843,6 +844,73 @@ (define %test-encrypted-root-os (run-basic-test %encrypted-root-os command "encrypted-root-os" #:initialization enter-luks-passphrase))))) + +;;; +;;; LUKS-encrypted root with extra options: --allow-discards, +;;; --perf-no_read_workqueue and --perf-no_write_workqueue +;;; + +;; Except for the 'mapped-devices' field, this is exactly the same as +;; %encrypted-root-os. +(define-os-with-source (%encrypted-root-extra-options-os + %encrypted-root-extra-options-os-source) + ;; The OS we want to install. + (use-modules (gnu) (gnu tests) (srfi srfi-1)) + + (operating-system + (host-name "liberigilo") + (timezone "Europe/Paris") + (locale "en_US.UTF-8") + + (bootloader (bootloader-configuration + (bootloader grub-bootloader) + (targets '("/dev/vdb")))) + + ;; Note: Do not pass "console=ttyS0" so we can use our passphrase prompt + ;; detection logic in 'enter-luks-passphrase'. + + (mapped-devices (list (mapped-device + (source (uuid "12345678-1234-1234-1234-123456789abc")) + (target "the-root-device") + (type luks-device-mapping) + (arguments '(#:allow-discards? #t + #:extra-options + ("--perf-no_read_workqueue" + "--perf-no_write_workqueue")))))) + (file-systems (cons (file-system + (device "/dev/mapper/the-root-device") + (mount-point "/") + (type "ext4")) + %base-file-systems)) + (users (cons (user-account + (name "charlie") + (group "users") + (supplementary-groups '("wheel" "audio" "video"))) + %base-user-accounts)) + (services (cons (service marionette-service-type + (marionette-configuration + (imported-modules '((gnu services herd) + (guix combinators))))) + %base-services)))) + +(define %test-encrypted-root-extra-options-os + (system-test + (name "encrypted-root-extra-options-os") + (description + "Test basic functionality of an OS installed like one would do by hand, +with an LUKS-encrypted root partition opened with extra options +(--allow-discards, --perf-no_read_workqueue and --perf-no_write_workqueue). 
+This test is expensive in terms of CPU and storage usage since we need to +build (current-guix) and then store a couple of full system images.") + (value + (mlet* %store-monad ((images (run-install %encrypted-root-extra-options-os + %encrypted-root-extra-options-os-source + #:script + %encrypted-root-installation-script)) + (command (qemu-command* images))) + (run-basic-test %encrypted-root-os command "encrypted-root-extra-options-os" + #:initialization enter-luks-passphrase))))) + ;;; ;;; Separate /home on LVM base-commit: 0697809d64d525b5b9146a57f824641f6f9f81ca -- 2.50.1
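Review bot: the @lisp example in the doc/guix.texi hunk at @@ -18731,6 +18731,27 is malformed: `(type (type luks-device-mapping)` nests a second `type` form and places `arguments` inside it, whereas the test added by this same patch writes `(type luks-device-mapping)` followed by a sibling `(arguments ...)` field. Align the documented example with the test, and restore the indentation of the `source` and `target` lines under `mapped-device`.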
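Review bot: in the gnu/system/mapped-devices.scm hunk at @@ -244,10 +246,15, the elements of `'#$extra-options` are spliced in front of `(list partition #$target)` without checking that each one is a string naming an option, so a stray word in the list would land ahead of the device and the mapping name in the argument list. Validate the list where it is received (a list, every element a string) and report an error rather than passing it through; the `pair?` test only tells a non-empty list from everything else.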
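Review bot: as in the first version of the patch, the `run-basic-test` call at the end of the gnu/tests/install.scm hunk at @@ -843,6 +844,73 receives `%encrypted-root-os` rather than `%encrypted-root-extra-options-os`, although `run-install` is given the new definition two lines earlier. Use the same OS in both calls.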
Message #14 received at 77499 <at> debbugs.gnu.org:
From: Maxim Cournoyer <maxim <at> guixotic.coop>
To: 45mg <45mg.writes <at> gmail.com>
Cc: Gabriel Wicki <gabriel <at> erlikon.ch>, soeren <at> soeren-tempel.net, Tadhg McDonald-Jensen <tadhgmister <at> gmail.com>, Ludovic Courtès <ludo <at> gnu.org>, 77499 <at> debbugs.gnu.org, gmail.com <at> debbugs.gnu.org, Sisiutl <sisiutl <at> egregore.fun>, 70826 <at> debbugs.gnu.org, Hilton Chain <hako <at> ultrarare.space>, Tomas Volf <~@wolfsden.cz>
Subject: Re: [bug#77499] [PATCH] mapped-devices/luks: Support extra options.
Date: Thu, 14 Aug 2025 10:26:15 +0900
Hi, 45mg <45mg.writes <at> gmail.com> writes: > Allow passing extra options to the 'cryptsetup open' command. > > * gnu/system/mapped-devices.scm (open-luks-device) > [#:extra-options]: New argument. > * doc/guix.texi (Mapped Devices): Document it. > * gnu/tests/install.scm (%test-encrypted-root-extra-options-os): New > test for it, as well as the previously untested #:allow-discards? > option. > (%encrypted-root-extra-options-os): New os declaration for the test. > > Change-Id: Ia9fd129d1c66cbf27abdd3064d59188083465247 > --- > > Took into account Maxim's review. Also, luks-device-mapping-with-options is > now deprecated [1], so instead use the 'arguments' field of > luks-device-mapping. > > [1] https://codeberg.org/guix/guix/pulls/1048 > > doc/guix.texi | 21 +++++++++++ > gnu/system/mapped-devices.scm | 19 ++++++---- > gnu/tests/install.scm | 68 +++++++++++++++++++++++++++++++++++ > 3 files changed, 102 insertions(+), 6 deletions(-) > > diff --git a/doc/guix.texi b/doc/guix.texi > index bffaeb5bbc..4bb4f50200 100644 > --- a/doc/guix.texi > +++ b/doc/guix.texi 
> @@ -18731,6 +18731,27 @@ Mapped Devices > file system level operations visible on the physical device. For more > information, refer to the description of the @code{--allow-discards} > option in the @code{cryptsetup-open(8)} man page. > + > +@item #:extra-options > +@code{extra-options} may be used to specify a list of additional > +command-line options for the @code{cryptsetup open} command. See the > +@code{cryptsetup-open(8)} man page for a list of supported options. > + > +For example, here is how you could specify the > +@option{--perf-no_read_workqueue} and @option{--perf-no_write_workqueue} > +options, along with @option{--allow-discards}: > + > +@lisp > +(mapped-device > +(source "/dev/sdb1") > +(target "data") > +(type (type luks-device-mapping) > + (arguments '(#:allow-discards? #t > + #:extra-options > + ("--perf-no_read_workqueue" > + "--perf-no_write_workqueue"))))) > +@end lisp > + > @end table > @end defvar > > diff --git a/gnu/system/mapped-devices.scm b/gnu/system/mapped-devices.scm > index b0a6beef28..034956c616 100644 > --- a/gnu/system/mapped-devices.scm > +++ b/gnu/system/mapped-devices.scm 
> @@ -200,10 +200,12 @@ (define (check-device-initrd-modules device linux-modules location) > ;;; Common device mappings. > ;;; > > -(define* (open-luks-device source targets #:key key-file allow-discards?) > +(define* (open-luks-device source targets > + #:key key-file allow-discards? extra-options) I guess it'd be nicer if the default was '() for extra-options, then you don't need to check its value later (unless if you want to validate the inputs). > "Return a gexp that maps SOURCE to TARGET as a LUKS device, using > 'cryptsetup'. When ALLOW-DISCARDS? is true, the use of discard (TRIM) > -requests is allowed for the underlying device." > +requests is allowed for the underlying device. EXTRA-OPTIONS is a list of > +additional options to be passed to the 'cryptsetup open' command." > (with-imported-modules (source-module-closure > '((gnu build file-systems) > (guix build utils))) ;; For mkdir-p > @@ -244,10 +246,15 @@ (define* (open-luks-device source targets #:key key-file allow-discards?) > (let ((cryptsetup #$(file-append cryptsetup-static > "/sbin/cryptsetup")) > (cryptsetup-flags (cons* > - "open" "--type" "luks" partition #$target > - (if #$allow-discards? > - '("--allow-discards") > - '())))) > + "open" "--type" "luks" > + (append > + (if #$allow-discards? > + '("--allow-discards") > + '()) > + (if (pair? '#$extra-options) > + '#$extra-options > + '()) Then the if can be removed, else turned into some input validation like: --8<---------------cut here---------------start------------->8--- (unless (pair? '#$extra-options) (error "invalid value for #:extra-options argument of `open-luks-device'")) --8<---------------cut here---------------end--------------->8--- I haven't reviewed where this gets used (I assume in the early boot); perhaps it could be possible to use (guix diagnostics) as well if it's already imported there to produce a nicer error message. Could you send a revised version doing the above? -- Thanks, Maxim
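The '() default and the input validation suggested in the review above, as an added example in plain Guile rather than the gexp from the patch; it is not Guix code, and `validate-extra-options`, `luks-open-arguments` and `attempt` are hypothetical names. It assumes option values are written as `--name=value`, so that every element of the list starts with a dash.

```scheme
;; Added example in plain Guile; not code from Guix or from the patch.
;; All procedure names below are hypothetical.

(define (validate-extra-options extra-options)
  "Return EXTRA-OPTIONS if it is a list of option strings, else raise an error."
  (unless (list? extra-options)
    (error "#:extra-options must be a list of strings, got:" extra-options))
  (for-each
   (lambda (option)
     ;; Assumption of this example: every element must start with "-", so
     ;; option values are written as "--name=value".  A bare word would
     ;; otherwise sit in front of the device and the mapping name.
     (unless (and (string? option) (string-prefix? "-" option))
       (error "#:extra-options element is not an option string:" option)))
   extra-options)
  extra-options)

(define* (luks-open-arguments partition target
                              #:key allow-discards? (extra-options '()))
  "Build the argument list in the order the patch uses: the fixed prefix, the
optional flags, then PARTITION and TARGET."
  (append '("open" "--type" "luks")
          (if allow-discards? '("--allow-discards") '())
          (validate-extra-options extra-options)
          (list partition target)))

(define (attempt thunk)
  "Call THUNK and return its value, or (rejected KEY) if it raises an error."
  (catch #t
    thunk
    (lambda (key . args)
      (list 'rejected key))))

;; Constructed sample inputs; the device and target names are the ones used
;; in the patch's documentation example.
(for-each
 (lambda (extra-options)
   (format #t "~s~%  => ~s~%" extra-options
           (attempt
            (lambda ()
              (luks-open-arguments "/dev/sdb1" "data"
                                   #:allow-discards? #t
                                   #:extra-options extra-options)))))
 (list '("--perf-no_read_workqueue" "--perf-no_write_workqueue") ;accepted
       '()                              ;accepted: no extra flags
       "--perf-no_read_workqueue"       ;bare string instead of a list
       #f                               ;value of an unset keyword in the patch
       '("--perf-no_read_workqueue" "other-name"))) ;stray positional word
```

With the `pair?` test from the patch, the third and fourth inputs would both produce an argument list without any extra flag; here they are reported as errors.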