Bug 1465208
Summary: | Unlocking disk from dracut is broken | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Nathaniel McCallum <npmccallum> |
Component: | clevis | Assignee: | Nathaniel McCallum <npmccallum> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | high | Docs Contact: | |
Priority: | unspecified | ||
Version: | 26 | CC: | awilliam, mattdm, npmccallum |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | AcceptedFreezeException | ||
Fixed In Version: | clevis-6-1.fc26 | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2017-07-06 22:50:09 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 1349189 |
Description
Nathaniel McCallum
2017-06-27 00:48:48 UTC
Proposed as a Freeze Exception for 26-final by Fedora user npmccallum using the blocker tracking app because:

Currently, F26 will ship with Clevis v4. Clevis provides unlocking during early boot. However, we discovered an issue where Clevis doesn't work in dracut. This was fixed in v5. Additionally, in v5 we offload processing of untrusted data to an unprivileged user. These are the only two changes in this release.

Normally, I would be fine with being in the first batch of updates. However, if clevis-dracut is installed during initial installation, an initramfs will be generated with the broken code and users will have to follow a manual process to fix this. However, if we land Clevis v5 in the initial release, the installer will generate a working initramfs.

An update already exists which fixes this problem (we just missed the cut off): https://bodhi.fedoraproject.org/updates/FEDORA-2017-eba47499b6

clevis-6-1.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-eba47499b6

We discovered an unrelated security issue upstream and released v6. Everything else still applies.

clevis-6-1.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-eba47499b6

Discussed at 2017-06-29 freeze exception review meeting: https://meetbot-raw.fedoraproject.org/fedora-blocker-review/2017-06-29/f26-blocker-review.2017-06-29-16.00.html

We accepted this as a freeze exception; usually installs will include the stable 'updates' repository so just shipping this as a regular update would be OK, but it's possible someone might use a kickstart without the updates repo enabled, and clevis isn't on any install media so far as we know, so pushing it stable should be quite safe.

Note, the update still won't get into the final compose unless it is submitted for stable.

> Normally, I would be fine with being in the first batch of updates. However,
> if clevis-dracut is installed during initial installation an initramfs will
> be generated with the broken code and users will have to follow a manual
> process to fix this. However, if we land Clevis v5 in the initial release,
Is this manual process documented somewhere? I don't see it in Common Bugs. I know the release notes are in non-ideal state, but if this doesn't get in we should document it there. Or, actually, we should document it for anyone who installed during the beta period.
How does this affect people who are upgrading from older releases?
The manual step is dracut -f. However, this should only be required if no new kernel or dracut was shipped after beta. Otherwise, the initramfs will be rebuilt anyway. Beta shipped with kernel-4.11.0-2.fc26 and it appears the final release will ship with kernel-4.11.7-300.fc26. So the initramfs will be regenerated automatically during updates to the latest packages. In short, no problem.

clevis-6-1.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.
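The manual step discussed in this thread can be turned into a check. The script below is an added example, not part of the bug report or of Clevis: it decides whether an initramfs that contains clevis was generated before the fixed package was installed and therefore still needs `dracut -f`. The function names, the verdict words, the Fedora image path and the comparison of image mtime against package install time are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the bug report): does this initramfs still carry
# the pre-fix clevis code, i.e. is the manual `dracut -f` step needed?

FIXED_MAJOR=6   # from "Fixed In Version: clevis-6-1.fc26" on this page

# Pure decision logic, so it can be exercised without rpm or dracut.
# Args: has_clevis(yes|no) installed_major image_mtime pkg_installtime
# (both times are epoch seconds). Prints one verdict word.
initramfs_verdict() {
    has_clevis=$1; major=$2; image_mtime=$3; pkg_time=$4
    if [ "$has_clevis" != yes ]; then
        echo not-affected          # clevis module is not in this image
    elif [ "$major" -lt "$FIXED_MAJOR" ]; then
        echo update-clevis         # a rebuild would bake in the broken code again
    elif [ "$image_mtime" -lt "$pkg_time" ]; then
        echo rebuild               # image predates the fixed package: run dracut -f
    else
        echo ok                    # image was generated after the fix landed
    fi
}

# Gather the inputs from a live system (assumed Fedora layout and tools).
check_image() {
    img=${1:-/boot/initramfs-$(uname -r).img}
    if lsinitrd "$img" 2>/dev/null | grep -q clevis; then has=yes; else has=no; fi
    major=$(rpm -q --qf '%{VERSION}\n' clevis-dracut 2>/dev/null | cut -d. -f1)
    pkg_time=$(rpm -q --qf '%{INSTALLTIME}\n' clevis-dracut 2>/dev/null)
    # rpm prints an error string when the package is missing: treat as unfixed.
    case $major in ''|*[!0-9]*) major=0; pkg_time=0 ;; esac
    initramfs_verdict "$has" "$major" "$(stat -c %Y "$img")" "$pkg_time"
}

# Run only when asked, e.g.:  sh check-clevis-initramfs.sh --check
if [ "${1:-}" = "--check" ]; then
    check_image "${2:-}"
fi
```

A `rebuild` verdict corresponds to the case described above where no new kernel or dracut arrived after the broken initramfs was generated.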