Bug 1384014

Summary: RFE: Possibility to boot from encrypted non-iSCSI disks and mount encrypted iSCSI disks on the same machine
Product: Red Hat Enterprise Linux 7 Reporter: Ondrej Benes <obenes>
Component: systemdAssignee: Lukáš Nykrýn <lnykryn>
Status: CLOSED ERRATA QA Contact: Frantisek Sumsal <fsumsal>
Severity: unspecified Docs Contact: Marek Suchánek <msuchane>
Priority: unspecified    
Version: 7.4CC: agk, fsumsal, lnykryn, mbroz, msekleta, mthacker, okozina, prajnoha, systemd-maint-list, systemd-maint
Target Milestone: rcKeywords: FutureFeature
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Fixed In Version: systemd-219-45.el7 Doc Type: Enhancement
Doc Text:
The boot process can now unlock encrypted devices connected by network Previously, the boot process attempted to unlock block devices connected by network before starting network services. Because the network was not activated, it was not possible to connect and decrypt these devices. With this update, the `remote-cryptsetup.target` unit and other patches have been added to `systemd` packages. As a result, it is now possible to unlock encrypted block devices that are connected by network during system boot and to mount file systems on such block devices. To ensure correct ordering between services during system boot, you must mark the network device with the `_netdev` option in the `/etc/crypttab` configuration file. A common use case for this feature is together with network-bound disk encryption. For more information on network-bound disk encryption, see the following chapter in the Red Hat Enterprise Linux Security Guide: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-using_network-bound_disk_encryption
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-04-10 11:16:36 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 1298243, 1420851, 1466365    

Description Ondrej Benes 2016-10-12 11:21:39 UTC
Description of problem:
If we use an encrypted PV to boot from and at the same time want to mount an ecrypted iSCSI disk, we add both these entries to /etc/crypttab. Now while non-iSCSI disk is available for cryptsetup in very early booting stages, iSCSI is only available after network starts (later than /etc/crypttab is processed). This introduces a delay in boot. 

Is an option similar to fstab's _netdev available? This would tell cryptsetup to process this concrete line later, when iSCSI is ready

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. enter both boot disk / LV and an iSCSI disk in /etc/crypttab
2. boot

Actual results:
cryptsetup will start (and process /etc/crypttab) before iSCSI has established connection with the target (network is not ready). This introduces delay in boot and the volume is not mounted.

Expected results:
Have cryptsetup distinguish between items it needs to process in early stages of boot (rootfs) and those that will be mounted later via iSCSI. The desired effect is similar to _netdev parameter in fstab.

Comment 2 Ondrej Kozina 2016-10-12 11:37:41 UTC
Reassigning to more appropriate component. A crypttab file is managed and interpreted solely in systemd as of now. cryptsetup has currently no means to perform any auto-activation on device discovery

Comment 10 Lukáš Nykrýn 2017-09-13 08:08:16 UTC

Comment 14 Lukáš Nykrýn 2017-09-25 10:33:38 UTC
fix merged to upstream staging branch -> https://github.com/lnykryn/systemd-rhel/pull/141 -> post

Comment 22 errata-xmlrpc 2018-04-10 11:16:36 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.