# [SOLVED] unbootable dracut initramfs w/ root btrfs+luks

## konoyo777

hey, i kind of need some help generating sane init ramdisks using dracut! i have an unencrypted /boot partition as vfat and my root is a btrfs filesystem w/ luks encryption:

```
NAME        MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
nvme0n1     259:0    0 238.5G  0 disk  
├─nvme0n1p1 259:1    0   300M  0 part  /boot
└─nvme0n1p2 259:2    0 238.2G  0 part  
  └─root    253:0    0 238.2G  0 crypt /home
                                       /.snapshots
                                       /
```

currently when attempting to boot an initramfs generated by dracut (no extra cli flags), the console just freezes/hangs and doesn't seem to give any useful output. i'm not sure if it's just missing some kernel modules or if something is somehow going wrong when handing off to the root partition. here's my current /etc/dracut.conf:

```
dracutmodules+=" crypt btrfs "
add_device+=" /dev/mapper/root "
```

kernel commandline:

```
GRUB_CMDLINE_LINUX="init=/lib/systemd/systemd crypt_root=/dev/nvme0n1p2 root=/dev/mapper/root rootflags=subvol=@ i915.enable_psr=0"
```

and /etc/crypttab:

```
root /dev/mapper/root none luks
```

ideally i would like for it to ask me for my luks passphrase then continue with the boot process; init ramdisks created using genkernel do this perfectly and i have no issues booting using them, so i'm not sure what i need to configure differently to get dracut ramdisks to work properly on my machine. advice would be greatly appreciated, thank you in advance!

Last edited by konoyo777 on Sun Oct 24, 2021 5:06 pm; edited 1 time in total

----------

## alamahant

 *Quote:*   

> crypt_root=/dev/nvme0n1p2

dracut does not understand this.

It DOES however understand

```
cryptdevice=/dev/nvme0n1p2:root
```

In the same file you also need

```
GRUB_ENABLE_CRYPTODISK=y
```

and

```
GRUB_PRELOAD_MODULES="luks"
```

and make sure that boot partition was encrypted with

```
luks1
```

NOT "luks".

Also let dracut load all modules except the

```
omit_dracutmodules+=" plymouth dmraid nfs iscsi cifs dracut-systemd "
```

for example.

Better to specify which modules to exclude than which modules to include.

I feel.

Ah and

Welcome to Gentoo Forums!

----------

## konoyo777

this all helped!! the console no longer seems to "hang" (i have a blinking cursor!) but the process seems to freeze after the dracut initqueue hook starts

re: luks1 v. just luks; my boot partition is entirely unencrypted but my root appears to be encrypted using luks2, is this problematic?

----------

## alamahant

Not at all

You already correctly mentioned it in the beginning of your post.

So probably you do NOT need

```
GRUB_ENABLE_CRYPTODISK=y
```

in /etc/default/grub

And yes luks1 is only intended for encrypted /boot partitions.

----------

## alamahant

Your crypttab is wrong

```
root </encrypted/luks/partition>
```

ie

```
root /dev/nvme0n1p2
```

(or preferably use PARTUUID)

would be correct.

NOT

the DE-crypted luks volume

FURTHERMORE

you need

```
rc-update add dmcrypt boot
```

After all this plz remember to rebuild dracut.

----------

## konoyo777

crypttab is now fixed, but that doesn't seem to help unfortunately

 *Quote:*   

> 
> 
> ```
> rc-update add dmcrypt boot
> ```
> ...

 

hmm, is there a parallel to this for systemd? should have specified that i was using it in the op, apologies!

----------

## alamahant

Apparently for systemd you don't need to enable any service for this to work.

In /etc/default/grub try

```
GRUB_CMDLINE_LINUX="cryptdevice=/dev/nvme0n1p2:root root=/dev/mapper/root rootfstype=btrfs i915.enable_psr=0"
GRUB_PRELOAD_MODULES="part_gpt part_msdos luks"
```

Your crypttab is now correct.

All that remains is

```
dracut --force --kver <kernel-version>
grub-mkconfig -o /boot/grub/grub.cfg
```

It should work.

You should be greeted by a prompt asking for the luks password.

----------

## konoyo777

hmm, i added that to my grub config, and while it also didn't seem to work, while i was googling things trying to figure out the problem the initqueue hook actually timed out and gave me some output and a log file!

```
Warning: /dev/mapper/root does not exist
Generating "/run/initramfs/rsdosreport.txt"
```

i uploaded the file in question here, it should be noted that i do still have the "crypt_root" kernel parameter in my commandline in this log so i can still boot using my genkernel initramfs if needed, booting without it still yields the same result w/ dracut

looking at dracut's output, it does still seem to include the btrfs and crypt modules so i'm not quite sure why it isn't prompting for a password..

----------

## alamahant

Try

```
USE="device-mapper" emerge -1av grub
```

also from chroot

```
systemctl list-unit-files | grep systemd-cryptsetup
```

and enable any service that will show up--if any. Maybe after all there IS a systemd service you have to enable for this to work.

You have a ton of these

```
Warning: dracut-initqueue: starting timeout scripts
[  153.717454] localhost dracut-initqueue[292]: Warning: dracut-initqueue: timeout, still waiting for following initqueue hooks:
[  153.722998] localhost dracut-initqueue[292]: Warning: /lib/dracut/hooks/initqueue/finished/devexists-\x2fdev\x2fmapper\x2froot.sh: "if ! grep -q After=remote-fs-pre.target /run/systemd/generator/systemd-cryptsetup@*.service 2>/dev/null; then
```

so specifically maybe try

```
systemctl enable systemd-cryptsetup@*.service
```

EDIT: i think this is it. plz see

https://www.freedesktop.org/software/systemd/man/systemd-cryptsetup@.service.html

You might also wish to try a different format for the linux cmd line like this

```
GRUB_CMDLINE_LINUX="rd.luks.name=<replace-with-UUID-of-/dev/nvme0n1p2>=root root=/dev/mapper/root rootfstype=btrfs i915.enable_psr=0"
```

This will ONLY work with dracut though.

 *Quote:*   

> while i was googling things trying to figure out the problem the initqueue hook actually timed out and gave me some output and a log file!

so you were in a dracut shell no?

What would happen if you manually unencrypted the device

```
cryptsetup luksOpen /dev/nvme0n1p2 root
# then CTRL+D or CTRL+X
```

?

maybe try it.

does it boot?

----------
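The two checks from the posts above (crypttab must name the encrypted partition, and the command line must use parameters that dracut parses), as an added example that is not part of the thread. Function names and the all-zero UUID are placeholders; `rd.luks.uuid=` is documented in dracut.cmdline(7) and `rd.luks.name=` in systemd-cryptsetup-generator(8), while `crypt_root=` (genkernel) and `cryptdevice=` (mkinitcpio) belong to other initramfs generators.

```sh
#!/bin/sh
# Added example (not from the thread): lint crypttab text and a kernel
# command line for a dracut initramfs. Function names are hypothetical.

# Field 2 of crypttab must be the encrypted partition, not the opened volume.
lint_crypttab() {
    printf '%s\n' "$1" | while read -r name src _rest; do
        case "$name" in ''|'#'*) continue ;; esac
        case "$src" in
            /dev/mapper/*) echo "crypttab: '$name' source $src is the opened volume, not the LUKS partition" ;;
        esac
    done
}

# Flag parameters meant for other initramfs generators and a root= mapping
# that nothing on the command line creates.
lint_cmdline() {
    has_luks='' luks_name='' root_dev=''
    set -f                                   # no globbing while word-splitting $1
    for arg in $1; do
        case "$arg" in
            crypt_root=*|cryptdevice=*) echo "cmdline: ${arg%%=*}= is not a dracut option" ;;
            rd.luks.name=*) has_luks=1; luks_name=${arg##*=} ;;  # <UUID>=<name>
            rd.luks.uuid=*) has_luks=1 ;;
            root=*)         root_dev=${arg#root=} ;;
        esac
    done
    set +f
    case "$root_dev" in
        /dev/mapper/*)
            if [ -z "$has_luks" ]; then
                echo "cmdline: root=$root_dev but no rd.luks.name=/rd.luks.uuid=; unlocking relies on the crypttab inside the initramfs"
            elif [ -n "$luks_name" ] && [ "/dev/mapper/$luks_name" != "$root_dev" ]; then
                echo "cmdline: rd.luks.name creates /dev/mapper/$luks_name but root=$root_dev"
            fi ;;
    esac
}

# Constructed samples: the settings first posted, then the corrected ones.
SAMPLE_UUID=00000000-0000-0000-0000-000000000000   # placeholder UUID
lint_crypttab 'root /dev/mapper/root none luks'
lint_cmdline  'init=/lib/systemd/systemd crypt_root=/dev/nvme0n1p2 root=/dev/mapper/root rootflags=subvol=@'
lint_crypttab 'root /dev/nvme0n1p2 none luks'
lint_cmdline  "rd.luks.name=$SAMPLE_UUID=root root=/dev/mapper/root rootfstype=btrfs"
```
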

## konoyo777

this worked!! i'll add device-mapper to my use flags for grub permanently and keep that parameter in my kernel cmdline, thank you so much!  is marking this thread as solved just accomplished by adding "[SOLVED]" to the title of the post?

----------

## Hu

 *konoyo777 wrote:*   

> is marking this thread as solved just accomplished by adding "[SOLVED]" to the title of the post?

 Yes.  Edit the opening post and modify its subject.  (It seems someone has already done that in this case, but I am responding to note that there is nothing further required, and to clarify that it must be done to the opening post, not to a response posted within the thread.)

----------

## cyberbrain

 *konoyo777 wrote:*   

> this worked!! i'll add device-mapper to my use flags for grub permanently and keep that parameter in my kernel cmdline, thank you so much!  is marking this thread as solved just accomplished by adding "[SOLVED]" to the title of the post?

 

Can you please post the used settings?

I'm having a hard time setting it up with systemd.

I'm missing something ... here. The method explained in this post https://blog.tapiocanation.xyz/post/gentoo-installation-encryption-btrfs-subvolume-multi-boot/ does not use the file /etc/crypttab.

So please just post a cat of your settings to understand the whole process... maybe I will write a wiki entry based on my and your installation.

Files needed:

 /etc/crypttab

 /etc/default/grub

 /etc/fstab

 /etc/dracut.conf

 And the output of blkid command

Thank you for your time.

----------

