Difference between revisions of "Linux/Services/Automount"

From Iveze
Revision as of 11:05, 24 June 2015

Automatically mount a partition when usage starts, and unmount it after it is not used for a while.

Use case

Every hard disk outside the machine itself can lose its connection for a while. External USB hard disks can be unplugged from the machine, and mappings to shares on other machines can be lost when that machine reboots. In these cases there is no clean unmount, and often no remount either.

Autofs

Autofs unmounts a mount point after it has not been used for a few minutes. So a disk that is barely used, like an external backup disk, can be unplugged safely at almost any time, and the disk will be mounted again automatically when the mount point starts being used.

Install

yum install autofs

Also start the service and make it start at reboot.

Configure

Configuration files are called /etc/auto.*. The leading file is auto.master; from there the files with the actual mount definitions are referenced.

auto.master

In auto.master several automounts are active after install (/misc and /net). We prefer our own automounts, so we disable those and add our own.

/mnt/data /etc/auto.data
/mnt/root/crypt /etc/auto.crypt

This creates the mount point directory /mnt/data; the mount points below it are defined in /etc/auto.data.

The backup disk should be protected against ordinary users, so an extra subdirectory root is inserted and given mode 700.

auto.data

Here are the mount specifications.

archive -fstype=ext4 :/dev/disk/by-label/Archive
server1 -fstype=cifs,noperm,username=user,password=passwd ://192.168.1.1/data

Archive is an external USB disk mounted by label rather than by a device name such as /dev/sdb1, because there is no guarantee it will get the same device name every time it is plugged in.

Server1 is another server on the network; its Samba share "data" is mounted here as "server1".

Initially /mnt/data is empty, but as soon as someone accesses /mnt/data/archive or /mnt/data/server1, these mount points come into existence.
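The server1 entry above carries the share password inline in the map file. As an added example (not part of the original page), the POSIX sh snippet below splits autofs map lines into their three fields (key, options, location) and warns about cifs entries with an inline password; mount.cifs can read username and password from a separate root-only file via credentials= instead, which keeps the secret out of the map. The sample map is constructed for this example; the server2 entry and its credentials path are assumptions.

```shell
#!/bin/sh
# Added example: parse autofs map entries and flag inline cifs passwords.
# Map entry layout (as in auto.data): key [-options] location

# Constructed sample map for this example (not a real auto.data)
SAMPLE_MAP='archive -fstype=ext4 :/dev/disk/by-label/Archive
server1 -fstype=cifs,noperm,username=user,password=passwd ://192.168.1.1/data
# comments and blank lines are skipped

server2 -fstype=cifs,credentials=/etc/auto.server2.cred ://192.168.1.2/data'

# Print "key|options|location" for one map line; options may be absent.
parse_map_entry() {
    set -- $1
    key=$1; shift
    case $1 in
        -*) opts=$1; shift ;;
        *)  opts="" ;;
    esac
    printf '%s|%s|%s\n' "$key" "$opts" "$1"
}

# Return 0 if the option string embeds a password (mount.cifs accepts
# both password= and its short form pass=), 1 otherwise.
has_inline_password() {
    case ",$1," in
        *,password=*|*,pass=*) return 0 ;;
        *) return 1 ;;
    esac
}

# Read a whole map on stdin, warn per offending entry on stderr,
# and print the number of entries with inline passwords.
audit_map() {
    count=0
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        entry=$(parse_map_entry "$line")
        opts=${entry#*|}; opts=${opts%|*}
        if has_inline_password "$opts"; then
            echo "WARN: ${entry%%|*}: move the password into a credentials= file (mode 600)" >&2
            count=$((count + 1))
        fi
    done
    echo "$count"
}

printf '%s\n' "$SAMPLE_MAP" | audit_map
```

On a live system the same check can be run over the real maps with `cat /etc/auto.data | audit_map`; the count is the number of entries that should be converted to a credentials= file.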

auto.crypt

Encrypted partitions need some extra treatment: a decrypted device has to be created first, so that autofs can mount it.

If a map file is made executable, autofs treats it as a program map: it runs the file as a normal shell script and uses the output string as the mount definition. The input parameter is the requested mount point, e.g. "backup".

If only encrypted backup disks are expected to be plugged in, the auto.crypt script can look like this. Assume someone starts using /mnt/root/crypt/backup; the script then:

  1. checks whether an encrypted disk is currently plugged in
  2. if so, creates the decrypted device /dev/mapper/backup with luksOpen
  3. returns the mount options for mounting /dev/mapper/backup to autofs
#!/bin/sh
# autofs program map: called with the requested key (e.g. "backup").
# It must print one map entry on stdout, or exit non-zero with no output.
KEY="/var/scripts/${1}key"        # LUKS key file for this disk
CRYPT="/dev/mapper/${1}"          # decrypted device that autofs will mount

# Find the (single) plugged-in LUKS container, e.g. /dev/sdb1
BYPATH=$(/sbin/blkid -s TYPE | grep 'TYPE="crypto_LUKS"' | head -n 1)
BYPATH="${BYPATH%%: TYPE=*}"

ACTION=1

# no key requested
if [ -z "${1}" ]; then
    ACTION=0
fi

# no encrypted disk present
if [ -z "${BYPATH}" ]; then
    ACTION=0
fi

# key file missing
if [ ! -f "${KEY}" ]; then
    ACTION=0
fi

# decrypted device already open
if [ -e "${CRYPT}" ]; then
    ACTION=0
fi

if [ "${ACTION}" = 1 ]; then
    cryptsetup -d "${KEY}" luksOpen "${BYPATH}" "${1}"
fi

# Only hand a mount entry to autofs if the decrypted device really exists
if [ ! -e "${CRYPT}" ]; then
    exit 1
fi

printf '%s\n' "-fstype=ext4,acl :${CRYPT}"

Incrontab

For the encrypted backup USB disk a decrypted device /dev/mapper/backup is created. This will not go away by itself when /mnt/root/crypt/backup is automatically unmounted. Therefore we need to detect when /mnt/root/crypt/backup disappears. This can be done with incrontab: it can watch any directory for changes and run a script to handle them.

We make an incrontab entry.

/mnt/root/crypt IN_DELETE /var/scripts/auto.incron $#

Watch /mnt/root/crypt for deletions and report what has been deleted to the script /var/scripts/auto.incron.

The script auto.incron checks whether a device with the same name exists in /dev/mapper/ and, if so, closes it with luksClose.

#!/bin/sh
# Called by incron with the name of the entry deleted from /mnt/root/crypt
# (e.g. "backup"); close the matching decrypted device if it is still open.
if [ -n "${1}" ] && [ -e "/dev/mapper/${1}" ]; then
    cryptsetup luksClose "${1}"
fi

Now the encrypted USB disk can be unplugged from the machine safely once it has been automatically unmounted.

Start autofs before incron

If autofs is not started yet, the directory to be watched does not exist yet. There will be only /mnt/root/. /mnt/root/crypt/ is created from the definition in auto.master.

To ensure this order at boot time, the startup unit for incrontab can be altered. In CentOS 7, in the file /usr/lib/systemd/system/incrond.service, add the following to the [Unit] section.

After=autofs.service
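Editing the unit file under /usr/lib/systemd/system works, but a package update of incron will overwrite it. As an added example (not from the original page), the snippet below puts the same After= line into a systemd drop-in under /etc/systemd/system/incrond.service.d/, which survives updates; the ROOT prefix and the drop-in file name order.conf are assumptions so the function can be exercised against a temporary directory.

```shell
#!/bin/sh
# Added example: order incrond after autofs with a systemd drop-in.
# ROOT is a hypothetical prefix ("" on a live system); it lets the
# function be tried out in a scratch directory without touching /etc.
write_dropin() {
    root=${1:-}
    dir="${root}/etc/systemd/system/incrond.service.d"
    mkdir -p "$dir"
    # Same content as the unit edit above, but kept outside the package's file
    printf '[Unit]\nAfter=autofs.service\n' > "$dir/order.conf"
    chmod 644 "$dir/order.conf"
    printf '%s\n' "$dir/order.conf"
}

# On a live CentOS 7 system, as root:
#   write_dropin "" && systemctl daemon-reload
#   systemctl show -p After incrond.service    # autofs.service must appear
scratch=$(mktemp -d)
write_dropin "$scratch"
```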

SELinux

SELinux may block some activities of autofs, specifically executing the scripts. It is always best to solve these issues properly. But if you think autofs is not a great liability to the system, you may make its domain permissive.

semanage permissive -a automount_t
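Before making automount_t permissive it is worth seeing exactly what is denied, since a denial on executing /etc/auto.crypt usually has a narrow fix (file context or a small local policy module from audit2allow). As an added example (not part of the original page), the POSIX sh function below condenses AVC denial lines, as produced by ausearch -m AVC -c automount, into "source target class { permissions }" triples with counts. The audit lines are constructed for this example, not real output.

```shell
#!/bin/sh
# Added example: summarise SELinux AVC denials for automount.
# Constructed audit records (not real output) in the shape of audit.log:
SAMPLE_AUDIT='type=AVC msg=audit(1435140000.101:301): avc:  denied  { execute } for  pid=1201 comm="automount" name="auto.crypt" dev="dm-0" ino=5001 scontext=system_u:system_r:automount_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1435140000.102:302): avc:  denied  { execute_no_trans } for  pid=1201 comm="automount" path="/etc/auto.crypt" dev="dm-0" ino=5001 scontext=system_u:system_r:automount_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1435140000.102:302): arch=c000003e syscall=59 success=no exit=-13'

# Pull the type part out of a full context "user:role:type:level"
ctx_type() {
    t=${1#*:*:}
    printf '%s\n' "${t%%:*}"
}

# Read audit lines on stdin; print "count source target class { perms }"
# for each distinct denial, most frequent first. Non-AVC lines are skipped.
summarise_avc() {
    while IFS= read -r line; do
        case $line in *'avc:  denied'*) ;; *) continue ;; esac
        perms=${line#*denied  \{ }; perms=${perms%% \}*}
        s=${line#*scontext=}; s=${s%% *}
        t=${line#*tcontext=}; t=${t%% *}
        c=${line#*tclass=};   c=${c%% *}
        printf '%s %s %s { %s }\n' "$(ctx_type "$s")" "$(ctx_type "$t")" "$c" "$perms"
    done | sort | uniq -c | sort -rn
}

# On a live system: ausearch -m AVC -c automount | summarise_avc
printf '%s\n' "$SAMPLE_AUDIT" | summarise_avc
```

Each output line names the domain, the target type and the class that was refused; that is the information a local policy module (audit2allow -M) or a file-context fix acts on, and it tells you whether permissive mode would be hiding one narrow denial or many.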