Bug 1465208

Summary: Unlocking disk from dracut is broken
Product: [Fedora] Fedora
Reporter: Nathaniel McCallum <npmccallum>
Component: clevis
Assignee: Nathaniel McCallum <npmccallum>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: unspecified
Version: 26
CC: awilliam, mattdm, npmccallum
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: AcceptedFreezeException
Fixed In Version: clevis-6-1.fc26
Last Closed: 2017-07-06 22:50:09 UTC
Type: Bug
Bug Blocks: 1349189    

Description Nathaniel McCallum 2017-06-27 00:48:48 UTC
This is fixed in clevis v5. We need to rebase.

Comment 1 Fedora Blocker Bugs Application 2017-06-27 00:54:52 UTC
Proposed as a Freeze Exception for 26-final by Fedora user npmccallum using the blocker tracking app because:

 Currently, F26 will ship with Clevis v4. Clevis provides unlocking during early boot. However, we discovered an issue where Clevis doesn't work in dracut. This was fixed in v5. Additionally, in v5 we offload processing of untrusted data to an unprivileged user. These are the only two changes in this release.

Normally, I would be fine with being in the first batch of updates. However, if clevis-dracut is installed during initial installation an initramfs will be generated with the broken code and users will have to follow a manual process to fix this. However, if we land Clevis v5 in the initial release, the installer will generate a working initramfs.

An update already exists which fixes this problem (we just missed the cut off): https://bodhi.fedoraproject.org/updates/FEDORA-2017-eba47499b6

Comment 2 Fedora Update System 2017-06-27 12:03:05 UTC
clevis-6-1.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-eba47499b6

Comment 3 Fedora Update System 2017-06-27 12:03:13 UTC
clevis-6-1.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-eba47499b6

Comment 4 Nathaniel McCallum 2017-06-27 12:04:27 UTC
We discovered an unrelated security issue upstream and released v6. Everything else still applies.

Comment 5 Fedora Update System 2017-06-27 20:24:34 UTC
clevis-6-1.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-eba47499b6

Comment 6 Adam Williamson 2017-06-29 19:29:26 UTC
Discussed at 2017-06-29 freeze exception review meeting: https://meetbot-raw.fedoraproject.org/fedora-blocker-review/2017-06-29/f26-blocker-review.2017-06-29-16.00.html . We accepted this as a freeze exception; usually installs will include the stable 'updates' repository, so just shipping this as a regular update would be OK, but it's possible someone might use a kickstart without the updates repo enabled, and clevis isn't on any install media so far as we know, so pushing it stable should be quite safe.

Comment 7 Adam Williamson 2017-06-29 19:30:17 UTC
Note, the update still won't get into the final compose unless it is submitted for stable.

Comment 8 Matthew Miller 2017-07-02 15:00:37 UTC
> Normally, I would be fine with being in the first batch of updates. However,
> if clevis-dracut is installed during initial installation an initramfs will
> be generated with the broken code and users will have to follow a manual
> process to fix this. However, if we land Clevis v5 in the initial release,

Is this manual process documented somewhere? I don't see it in Common Bugs. I know the release notes are in a non-ideal state, but if this doesn't get in we should document it there. Or, actually, we should document it for anyone who installed during the beta period.

How does this affect people who are upgrading from older releases?

Comment 9 Nathaniel McCallum 2017-07-02 18:58:24 UTC
The manual step is dracut -f.

However, this should only be required if no new kernel or dracut was shipped after beta. Otherwise, the initramfs will be rebuilt anyway.

Comment 10 Nathaniel McCallum 2017-07-02 19:01:39 UTC
Beta shipped with kernel-4.11.0-2.fc26 and it appears the final release will ship with kernel-4.11.7-300.fc26. So the initramfs will be regenerated automatically during updates to the latest packages.

In short, no problem.
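
The condition discussed in Comments 9 and 10 (an initramfs built before the fixed clevis-dracut was installed still carries the old unlock code until it is regenerated) can be checked per image. The script below is an added example, not part of the original thread or of clevis; the /boot/initramfs-*.img layout, the rpm INSTALLTIME query and GNU stat are assumptions about a stock Fedora system.

```shell
#!/bin/sh
# Added example: flag initramfs images that predate the installed
# clevis-dracut package and so were built from the older module code.

# needs_rebuild IMAGE_MTIME PKG_INSTALLTIME  (both epoch seconds)
# True (0) when the image was written before the package was installed.
needs_rebuild() {
    [ "$1" -lt "$2" ]
}

# image_mtime FILE -> last-modification time in epoch seconds (GNU stat)
image_mtime() {
    stat -c %Y "$1"
}

# check_initramfs IMAGE PKG_INSTALLTIME
# Returns 0 if the image is newer than the package, 1 if stale, 2 if missing.
check_initramfs() {
    img=$1
    pkg_time=$2
    if [ ! -f "$img" ]; then
        echo "missing: $img"
        return 2
    fi
    if needs_rebuild "$(image_mtime "$img")" "$pkg_time"; then
        # dracut -f rebuilds the running kernel's image; other kernels
        # need the image path and kernel version given explicitly.
        echo "stale:   $img (regenerate with dracut -f)"
        return 1
    fi
    echo "current: $img"
}

# scan_boot: apply the check to every image under /boot (assumed layout).
scan_boot() {
    pkg_time=$(rpm -q --qf '%{INSTALLTIME}\n' clevis-dracut) || return 2
    status=0
    for img in /boot/initramfs-*.img; do
        check_initramfs "$img" "$pkg_time" || status=1
    done
    return "$status"
}

# Only touch the real system when asked to: ./check.sh --scan
if [ "${1:-}" = "--scan" ]; then
    scan_boot
fi
```

An image reported as stale for a kernel that is about to be replaced by an update needs no action, since installing the new kernel builds a fresh initramfs for it.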

Comment 11 Fedora Update System 2017-07-06 22:50:09 UTC
clevis-6-1.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.