Bug 1931847
| Summary: | [Regression] The RHEL8.3 is not capable of encryption with cipher aes-cbc-essiv:sha256 with DISA STIG or Non-DISA systems. | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Parikshit Khedekar <pkhedeka> | |
| Component: | libblockdev | Assignee: | Vojtech Trefny <vtrefny> | |
| Status: | CLOSED ERRATA | QA Contact: | guazhang <guazhang> | |
| Severity: | urgent | Docs Contact: | ||
| Priority: | unspecified | |||
| Version: | 8.3 | CC: | guazhang, jstodola, mvanderw, rmetrich, vtrefny | |
| Target Milestone: | rc | Keywords: | TestCaseNeeded | |
| Target Release: | --- | Flags: | pm-rhel: mirror+ | |
| Hardware: | All | |||
| OS: | All | |||
| Whiteboard: | ||||
| Fixed In Version: | libblockdev-2.24-6.el8 | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 1954005 (view as bug list) | Environment: | ||
| Last Closed: | 2021-11-09 18:13:48 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 1954005 | |||
upstream PR: https://github.com/storaged-project/libblockdev/pull/620

updates image for 8.4: https://vtrefny.fedorapeople.org/img/rhbz1931847.img

The provided updates image works fine.

Hi
Reproduced the bug with RHEL-8.5.0-20210421.n.1

    Creating disklabel on /dev/sda
    Creating luks on /dev/sda3
    An unknown error has occured, look at the /tmp/anaconda-tb* file(s) for more details
      File "/usr/lib64/python3.6/site-packages/pyanaconda/installation_tasks.py", line 490, in start
        self.run_task()
      File "/usr/lib64/python3.6/site-packages/pyanaconda/installation_tasks.py", line 311, in start
        item.start()
      File "/usr/lib64/python3.6/site-packages/pyanaconda/installation_tasks.py", line 311, in start
        item.start()
      File "/usr/lib64/python3.6/site-packages/pyanaconda/installation_tasks.py", line 311, in start
        item.start()
      File "/usr/lib64/python3.6/site-packages/pyanaconda/installation.py", line 403, in run_installation
        queue.start()
      File "/usr/lib64/python3.6/threading.py", line 864, in run
        self._target(*self._args, **self._kwargs)
      File "/usr/lib64/python3.6/site-packages/pyanaconda/threading.py", line 280, in run
        threading.Thread.run(self)
    dasbus.error.DBusError: Failed to format device: Invalid argument
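Hi
Test passes with the fixed package, so moving to verified.

    import blivet

    # b (a blivet.Blivet instance), vg (an existing volume group) and
    # LUKS_PASSPHRASE come from the test's setup, which the comment does not show.
    lv = b.new_lv(parents=[vg], size=blivet.size.Size("100 MiB"), grow=True, fmt_type="luks",
                  fmt_args={"passphrase": LUKS_PASSPHRASE,
                            "cipher": "aes-cbc-essiv:sha256",
                            "key_size": 256,
                            "luks_version": "luks2"})
    b.create_device(lv)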

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (libblockdev bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:4206

Description of problem:
The installation will fail with a traceback when we add the encryption type for cipher as "aes-cbc-essiv:sha256".

The traceback we get is:

------------------------------------
11:33:32,562 INF progress: Creating disklabel on /dev/vda
11:33:35,563 INF progress: Creating luks on /dev/vda2
11:33:36,595 INF threading: Thread Failed: AnaInstallThread (140194223806208)
11:33:36,595 DBG exception: running handleException
11:33:36,599 CRT exception: Traceback (most recent call last):
  File "/usr/lib64/python3.6/site-packages/pyanaconda/threading.py", line 280, in run
    threading.Thread.run(self)
  File "/usr/lib64/python3.6/threading.py", line 864, in run
    self._target(*self._args, **self._kwargs)
  File "/usr/lib64/python3.6/site-packages/pyanaconda/installation.py", line 394, in run_installation
    queue.start()
  File "/usr/lib64/python3.6/site-packages/pyanaconda/installation_tasks.py", line 311, in start
    item.start()
  File "/usr/lib64/python3.6/site-packages/pyanaconda/installation_tasks.py", line 311, in start
    item.start()
  File "/usr/lib64/python3.6/site-packages/pyanaconda/installation_tasks.py", line 311, in start
    item.start()
  File "/usr/lib64/python3.6/site-packages/pyanaconda/installation_tasks.py", line 490, in start
    self.run_task()
  File "/usr/lib64/python3.6/site-packages/pyanaconda/installation_tasks.py", line 521, in run_task
    sync_run_task(self._task_proxy)
  File "/usr/lib64/python3.6/site-packages/pyanaconda/modules/common/task/__init__.py", line 46, in sync_run_task
    task_proxy.Finish()
  File "/usr/lib/python3.6/site-packages/dasbus/client/handler.py", line 447, in _call_method
    **kwargs,
  File "/usr/lib/python3.6/site-packages/dasbus/client/handler.py", line 477, in _get_method_reply
    return self._handle_method_error(error)
  File "/usr/lib/python3.6/site-packages/dasbus/client/handler.py", line 497, in _handle_method_error
    raise exception from None
dasbus.error.DBusError: Failed to format device: Invalid argument
------------------------------------

It doesn't matter whether we choose the profiles or remove them, even with a simple installation I see this.

If I remove the cypher text and use the line as below then installation works fine.

~~~~~
part pv.01 --grow --size=1 --encrypted --passphrase="helloDolly@123456"
~~~~~

The older releases 8.2, 8.1 work fine with the above kickstart but again sometimes error while executing oscap to check the compliance in the post section, which I feel is resolved in 8.3, but the issue remains with use of cipher.

Version-Release number of selected component (if applicable):
8.3

How reproducible:
Every time installation of 8.3 for encryption with cipher.

Steps to Reproduce:
1. Create an installation env with 8.3 ISO and kickstart.
2. Use the following kickstart,

------------------------------------
install
cdrom
lang en_US.UTF-8
keyboard us
network --onboot yes --bootproto dhcp
text
#root password server
rootpw --iscrypted $6$0WWGZ1e6icT$1KiHZK.Nzp3HQerfiy8Ic3pOeCWeIzA.zkQ7mkvYT3bNC5UeGK2ceE5b6TkSg4D/kiSudkT04QlSKknsrNE220
#admin password is admin123
user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
firewall --enabled --ssh
authconfig --enableshadow --passalgo=sha512
selinux --enforcing
timezone --utc America/New_York
bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none"
#This partitioning is for 20GB or higher disk.
zerombr
clearpart --all --initlabel
part /boot --fstype=xfs --size=512
part pv.01 --grow --size=1 --encrypted --passphrase="helloDolly@123456" --cipher=aes-cbc-essiv:sha256
volgroup VolGroup --pesize=4096 pv.01
logvol / --fstype=xfs --name=root --vgname=VolGroup --size=11264 --grow
logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev"
logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=2048 --fsoptions="nodev"
logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
logvol /var/log/audit --fstype=xfs --name=audit --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid,noexec"
logvol swap --name=swap --vgname=VolGroup --size=2016
%packages
@Base
%end
%addon org_fedora_oscap
content-type = scap-security-guide
profile = xccdf_org.ssgproject.content_profile_stig
%end
------------------------------------

The addon is optional, reproducible without it as well.

3. Check the console to see tracebacks.

Actual results:
Results in a traceback

Expected results:
Shouldn't give a traceback and should add the cipher to encryption.

Additional info:
RHEL 8.1, 8.2 work fine with it, I don't see the issue as due to DISA, as even after removing it from the kickstart the issue occurs. I believe this is around the missed cipher for encryption with 8.3
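
An added example, not part of the original report and not code from anaconda or libblockdev: a small Python check that lists the storage lines in a kickstart that request encryption and shows any explicit `--cipher`, the option this report ties the failure to on 8.3. The sample kickstart is constructed from the report's partitioning lines, and the function names are illustrative.

```python
import shlex

# Kickstart storage commands that accept --encrypted and --cipher.
STORAGE_CMDS = {"part", "partition", "logvol", "raid", "autopart"}

# Constructed sample, modelled on the partitioning lines in the report.
SAMPLE = """\
part /boot --fstype=xfs --size=512
part pv.01 --grow --size=1 --encrypted --passphrase="example" --cipher=aes-cbc-essiv:sha256
part pv.02 --grow --size=1 --encrypted --passphrase="example"
%packages
@Base
%end
"""

def split_cipher(spec):
    """Split a dm-crypt spec 'cipher-chainmode-ivmode[:ivopts]' into fields."""
    cipher, _, rest = spec.partition("-")
    chain, _, iv = rest.partition("-")
    iv_mode, _, iv_opts = iv.partition(":")
    return {"cipher": cipher, "chain": chain, "iv": iv_mode, "iv_opts": iv_opts}

def option_value(tokens, name):
    """Return VALUE from '--name=VALUE' or '--name VALUE', else None."""
    for i, tok in enumerate(tokens):
        if tok.startswith(name + "="):
            return tok.split("=", 1)[1]
        if tok == name and i + 1 < len(tokens):
            return tokens[i + 1]
    return None

def encrypted_devices(kickstart_text):
    """List storage lines that request encryption, with any explicit cipher."""
    found, in_section = [], False
    for lineno, raw in enumerate(kickstart_text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("%"):  # %packages, %addon, %post ... up to %end
            in_section = line != "%end"
            continue
        if in_section or not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        if tokens[0] not in STORAGE_CMDS or "--encrypted" not in tokens:
            continue
        spec = option_value(tokens, "--cipher")
        # Heuristic: the mount point or name is the first argument, as in the report.
        target = tokens[1] if not tokens[1].startswith("--") else None
        found.append({"line": lineno, "command": tokens[0], "target": target,
                      "cipher": spec, "parsed": split_cipher(spec) if spec else None})
    return found
```

Records whose `cipher` is not `None` are the ones that set an explicit cipher and are worth testing against the fixed libblockdev build before rollout.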