Bug 1644876

These issues were already reported in upstream clevis:

https://github.com/latchset/clevis/issues/73
https://github.com/latchset/clevis/issues/74

A pull-request was not proposed though, so I did it now:

https://github.com/latchset/clevis/pull/81

I'll coordinate with Nathaniel to get these fixes into Fedora 29.

I have this problem too, although I never configured Clevis to mess with the root disk. I have since uninstalled Clevis as it was just for a demo and the system still will not boot up ... complaining about:

/var/log/messages:

Nov  7 09:15:51 p50 dracut-initqueue[509]: Failed to start systemd-cryptsetup: Unit systemd-cryptsetup not found.
Nov  7 09:16:59 p50 systemd[1]: systemd-cryptsetup@luks\x2d810cedba\x2d4eab\x2d42d6\x2da266\x2d9da16726319d.service: Failed with result 'exit-code'.


/var/log/boot:

[    3.511920] dracut-initqueue[504]: Failed to start systemd-cryptsetup: Unit systemd-cryptsetup not found.


It prompts me to unlock with the password like always, but freezes at reach target stage. The rescue boots up fine. 

As a work-around, I've found that when plugged into a network connection and the NIC is *live* the system will boot into FC29.

At this point, Clevis/Tang are not installed on the system, however, it is still attempting to use Clevis to decrypt the LUKS volumes even though none of them are setup with Clevis and the /etc/crypttab doesn't have any of the volumes referenced which would have been LUKS with Clevis.

--- Travis

(In reply to Travis Michette from comment #2)
> 
> As a work-around, I've found that when plugged into a network connection and
> the NIC is *live* the system will boot into FC29.
>

This seems to be bug #1574413.
 
> At this point, Clevis/Tang are not installed on the system, however, it is
> still attempting to use Clevis to decrypt the LUKS volumes even though none
> of them are setup with Clevis and the /etc/crypttab doesn't have any of the
> volumes referenced which would have been LUKS with Clevis.
> 
> --- Travis

Did you re-generate your initramfs after uninstalling clevis?

*** Bug 1634063 has been marked as a duplicate of this bug. ***

clevis-11-2.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-cf82a4a9d9

(In reply to Javier Martinez Canillas from comment #3)
> (In reply to Travis Michette from comment #2)
> > 
> > As a work-around, I've found that when plugged into a network connection and
> > the NIC is *live* the system will boot into FC29.
> >
> 
> This seems to be bug #1574413.
>  

This is a very close description to the bug listed above. However, I never configured Clevis after it was installed. I mainly used it to build some documentation for a demo so I didn't need to fire up my VM. So I only used man pages and some of the features for the CLI to copy/paste output. At no point in time were Clevis or Tang even running on this laptop.

I have my entire disk encrypted, and the system *did* prompt me for a password to unlock it.

[root@p50 ~]# cat /etc/crypttab 
luks-810cedba-4eab-42d6-a266-9da16726319d UUID=810cedba-4eab-42d6-a266-9da16726319d none discard
VM_Crypt UUID=f9ea1ae5-c917-45c7-aefe-936467371415  /root/VM_Keyfile luks
VM_Crypt2 UUID=d6071dcd-63af-4b3a-89a7-a9728235030c     /root/VM_Keyfile2 luks

[root@p50 ~]# cat /etc/fstab

#
# /etc/fstab
# Created by anaconda on Mon Mar 26 16:54:34 2018
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
/dev/mapper/fedora_p50-root     /       xfs     defaults,x-systemd.device-timeout=0     0       0
UUID=a2dc36b0-eb8f-4261-9fa0-3e6d833c7c5a       /boot   ext4    defaults        1       2
/dev/mapper/fedora_p50-home     /home   xfs     defaults,x-systemd.device-timeout=0     0       0
/dev/mapper/fedora_p50-swap     swap    swap    defaults,x-systemd.device-timeout=0     0       0
/dev/mapper/VM_Crypt    /VirtualMachines        xfs     noatime,nodiratime      0       0
/dev/mapper/VM_Crypt2   /VirtualMachines2       xfs     noatime,nodiratime      0       0
/dev/nvme0n1p3  /VirtualMachines_Fast   xfs     noatime,nodiratime      0       0



> > At this point, Clevis/Tang are not installed on the system, however, it is
> > still attempting to use Clevis to decrypt the LUKS volumes even though none
> > of them are setup with Clevis and the /etc/crypttab doesn't have any of the
> > volumes referenced which would have been LUKS with Clevis.
> > 
> > --- Travis
> 
> Did you re-generate your initramfs after uninstalling clevis?

I did not regenerate initramfs after uninstalling clevis as I didn't generate the initramfs after installing Clevis. I saw no point in messing with the initramfs as I wasn't actually using Clevis.

(In reply to Travis Michette from comment #6)
> (In reply to Javier Martinez Canillas from comment #3)
> > (In reply to Travis Michette from comment #2)
> > > 
> > > As a work-around, I've found that when plugged into a network connection and
> > > the NIC is *live* the system will boot into FC29.
> > >
> > 
> > This seems to be bug #1574413.
> >  
> 
> This is a very close description to the bug listed above. However, I never
> configured Clevis after it was installed. I mainly used it to build some
> documentation for a demo so I didn't need to fire up my VM. So I only used
> man pages and some of the features for the CLI to copy/paste output. At no
> point in time were Clevis or Tang even running on this laptop.
> 
> I have my entire disk encrypted, and the system *did* prompt me for a
> password to unlock it.
> 
> [root@p50 ~]# cat /etc/crypttab 
> luks-810cedba-4eab-42d6-a266-9da16726319d
> UUID=810cedba-4eab-42d6-a266-9da16726319d none discard
> VM_Crypt UUID=f9ea1ae5-c917-45c7-aefe-936467371415  /root/VM_Keyfile luks
> VM_Crypt2 UUID=d6071dcd-63af-4b3a-89a7-a9728235030c     /root/VM_Keyfile2
> luks
> 
> [root@p50 ~]# cat /etc/fstab
> 
> #
> # /etc/fstab
> # Created by anaconda on Mon Mar 26 16:54:34 2018
> #
> # Accessible filesystems, by reference, are maintained under '/dev/disk'
> # See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
> #
> /dev/mapper/fedora_p50-root     /       xfs    
> defaults,x-systemd.device-timeout=0     0       0
> UUID=a2dc36b0-eb8f-4261-9fa0-3e6d833c7c5a       /boot   ext4    defaults    
> 1       2
> /dev/mapper/fedora_p50-home     /home   xfs    
> defaults,x-systemd.device-timeout=0     0       0
> /dev/mapper/fedora_p50-swap     swap    swap   
> defaults,x-systemd.device-timeout=0     0       0
> /dev/mapper/VM_Crypt    /VirtualMachines        xfs     noatime,nodiratime  
> 0       0
> /dev/mapper/VM_Crypt2   /VirtualMachines2       xfs     noatime,nodiratime  
> 0       0
> /dev/nvme0n1p3  /VirtualMachines_Fast   xfs     noatime,nodiratime      0   
> 0
> 
> 
> 
> > > At this point, Clevis/Tang are not installed on the system, however, it is
> > > still attempting to use Clevis to decrypt the LUKS volumes even though none
> > > of them are setup with Clevis and the /etc/crypttab doesn't have any of the
> > > volumes referenced which would have been LUKS with Clevis.
> > > 
> > > --- Travis
> > 
> > Did you re-generate your initramfs after uninstalling clevis?
> 
> I did not regenerate initramfs after uninstalling clevis as I didn't
> generate the initramfs after installing Clevis. I saw no point in messing
> with the initramfs as I wasn't actually using Clevis.

To note, the crypttab file and the fstab file are not waiting for network, and were never configured to, so not sure if the race condition would apply.

clevis-11-2.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-cf82a4a9d9

clevis-11-2.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.