Bug 1824416

Summary: NBDE cleanup playbook when run prematurely removes the keyslot on root disk
Product: [Red Hat Storage] Red Hat Gluster Storage Reporter: SATHEESARAN <sasundar>
Component: gluster-ansibleAssignee: Gobinda Das <godas>
Status: CLOSED ERRATA QA Contact: SATHEESARAN <sasundar>
Severity: high Docs Contact:
Priority: unspecified    
Version: rhgs-3.5CC: godas, pprakash, puebele, rhs-bugs, sabose, sasundar
Target Milestone: ---Keywords: ZStream
Target Release: RHGS 3.5.z Batch Update 2   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: gluster-ansible-roles-1.0.5-10.el8rhgs Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: 1824414 Environment:
rhhiv, rhel8
Last Closed: 2020-06-16 05:57:32 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1824414    

Description SATHEESARAN 2020-04-16 07:39:07 UTC 
+++ This bug was initially created as a clone of Bug #1824414 +++

Description
-------------
Before the NBDE playbook completes the binding to tang server procedure,
if any failures occurs, then users prefers to run cleanup to fix previously
created setup. But this procedure, also removes the keyslot 0, where the
initial passphrase is removed

Version
-------
RHHI-V 1.8
RHVH 4.4
gluster-ansible-infra-1.0.4-8

How reproducible
-----------------
Always

Steps to reproduce
-------------------
1. Update the ansible inventory file for NBDE
2. Run the playbook with incorrect disks
3. Run the cleanup playbook

Actual results
---------------
keyslot 0 is getting removed, as part of clevis-luks-unbind

Expected results
-----------------
clevis-luks-unbind should be used on root disk only when clevis-luks-list returns values

--- Additional comment from RHEL Program Management on 2020-04-16 07:35:47 UTC ---

This bug is automatically being proposed for RHHI-V 1.8 release at Red Hat Hyperconverged Infrastructure for Virtualization product, by setting the release flag 'rhiv‑1.8' to '?'.

If this bug should be proposed for a different release, please manually change the proposed release flag.
Comment 1 SATHEESARAN 2020-04-16 08:12:34 UTC 
Only the slots containing the Clevis needs to be removed.
This information can be obtained from clevis-luks-list command

[root@ ~]# clevis-luks-list -d /dev/sda2
2: tang '{"url":"http://dhcp35-220.lab.eng.blr.redhat.com:7500"}'
3: tang '{"url":"http://dhcp35-114.lab.eng.blr.redhat.com"}'

In this case, the values that needs to used are 2 and 3.

clevis-luks-unbind -d /dev/sda2 -s 2
clevis-luks-unbind -d /dev/sda2 -s 3

No other slots should be used, because, the other keyslots may have key information pertaining to 
other keys
Comment 3 SATHEESARAN 2020-06-08 15:22:23 UTC 
Tested with gluster-ansible-roles-1.0.5-12.el8rhgs

1. Start NBDE playbook with incorrect disks
2. When the NBDE setup fails, perform cleanup
3. Check for the keyslots on the root disk.

Root disk has that slot0 preserved.
Comment 5 errata-xmlrpc 2020-06-16 05:57:32 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2020:2575