Bug 1934557
| Summary: | RHCOS boot image bump for LUKS fixes | | |
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Micah Abbott <miabbott> |
| Component: | RHCOS | Assignee: | Micah Abbott <miabbott> |
| Status: | CLOSED ERRATA | QA Contact: | Michael Nguyen <mnguyen> |
| Severity: | medium | Docs Contact: | |
| Priority: | high | | |
| Version: | 4.7 | CC: | bbreard, bgilbert, imcleod, jlebon, jligon, keyoung, miabbott, nstielau, wking |
| Target Milestone: | --- | | |
| Target Release: | 4.8.0 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | No Doc Update |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| : | 1935174 | Environment: | |
| Last Closed: | 2021-07-27 22:49:27 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1934174, 1939661, 1940704 | | |
| Bug Blocks: | 1935174, 1942706, 1971038 | | |

Description
Micah Abbott
2021-03-03 13:39:10 UTC
The bump updated the AMI but the LUKS issue we needed the bump for still exists and is currently being investigated.

Per https://bugzilla.redhat.com/show_bug.cgi?id=1934174#c4, we will need another boot image bump to gain additional fixes for the LUKS problem. Setting back to ASSIGNED.

We'll need to fix https://bugzilla.redhat.com/show_bug.cgi?id=1940704 in 4.7 so let's make sure it's in 4.8 too. Will clone RHBZ.

Verified on 4.8.0-0.nightly-2021-03-25-063034. Boot image is updated and the fixes are working.

$ oc get clusterversion
NAME VERSION AVAILABLE PROGRESSING SINCE STATUS
version 4.8.0-0.nightly-2021-03-25-063034 True False 7m30s Cluster version is 4.8.0-0.nightly-2021-03-25-063034
$ oc -n openshift-machine-api get machineset
NAME DESIRED CURRENT READY AVAILABLE AGE
mnguyen48bootimage-z926b-worker-us-west-2a 1 1 1 1 40m
mnguyen48bootimage-z926b-worker-us-west-2b 1 1 1 1 40m
mnguyen48bootimage-z926b-worker-us-west-2c 1 1 1 1 40m
mnguyen48bootimage-z926b-worker-us-west-2d 0 0 40m
$ oc -n openshift-machine-api get machineset/mnguyen48bootimage-z926b-worker-us-west-2a -o yaml | grep ami
f:ami: {}
ami:
id: ami-0c6da162537298ad6
$ oc get nodes
NAME STATUS ROLES AGE VERSION
ip-10-0-134-208.us-west-2.compute.internal Ready worker 21m v1.20.0+39c0afe
ip-10-0-143-75.us-west-2.compute.internal Ready master 31m v1.20.0+39c0afe
ip-10-0-164-207.us-west-2.compute.internal Ready worker 21m v1.20.0+39c0afe
ip-10-0-184-86.us-west-2.compute.internal Ready master 32m v1.20.0+39c0afe
ip-10-0-205-239.us-west-2.compute.internal Ready master 32m v1.20.0+39c0afe
ip-10-0-214-4.us-west-2.compute.internal Ready worker 21m v1.20.0+39c0afe
$ oc debug node/ip-10-0-143-75.us-west-2.compute.internal
Starting pod/ip-10-0-143-75us-west-2computeinternal-debug ...
To use host binaries, run `chroot /host`
If you don't see a command prompt, try pressing enter.
sh-4.2# chroot /host
sh-4.4# lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
nvme0n1 259:0 0 120G 0 disk
|-nvme0n1p1 259:1 0 1M 0 part
|-nvme0n1p2 259:2 0 127M 0 part
|-nvme0n1p3 259:3 0 384M 0 part /boot
`-nvme0n1p4 259:4 0 119.5G 0 part
`-root 253:0 0 119.5G 0 crypt /sysroot
sh-4.4# clevis luks list -d /dev/disk/by-partlabel/root
1: sss '{"t":1,"pins":{"tang":[{"url":"http://18.237.82.232"}]}}'
sh-4.4# cryptsetup luksDump /dev/disk/by-partlabel/root
LUKS header information
Version: 2
Epoch: 6
Metadata area: 16384 [bytes]
Keyslots area: 16744448 [bytes]
UUID: 32631113-dd5e-4a69-8897-18f2fcb77199
Label: (no label)
Subsystem: (no subsystem)
Flags: (no flags)
Data segments:
0: crypt
offset: 16777216 [bytes]
length: (whole device)
cipher: aes-cbc-essiv:sha256
sector: 512 [bytes]
Keyslots:
1: luks2
Key: 256 bits
Priority: normal
Cipher: aes-cbc-essiv:sha256
Cipher key: 256 bits
PBKDF: argon2i
Time cost: 5
Memory: 1048576
Threads: 4
Salt: 91 16 15 e3 47 64 e0 81 61 e6 ca 56 f9 9f 5e c6
5b 76 83 a4 c1 25 0f c5 eb fb 82 ba f8 a2 5c b1
AF stripes: 4000
AF hash: sha256
Area offset:163840 [bytes]
Area length:131072 [bytes]
Digest ID: 0
Tokens:
0: clevis
Keyslot: 1
Digests:
0: pbkdf2
Hash: sha256
Iterations: 217366
Salt: 80 f3 5b 7d 00 0e 21 9e 11 8e aa 7c cf ca 95 d8
34 d1 c4 8c c1 36 6b a0 ae 99 6f 60 f2 34 d8 aa
Digest: 6e d5 24 0b 0c 5f 9a ae 21 76 10 af c7 b7 ca a2
56 a0 7c f3 a4 84 2a 05 7a d5 35 c5 84 05 25 25
sh-4.4# findmnt /var | more
TARGET SOURCE FSTYPE OPTIONS
/var /dev/mapper/root[/ostree/deploy/rhcos/var] xfs rw,relatime,seclabel,attr2,inode64,logbufs=8,log
bsize=32k,prjquota
sh-4.4# rpm-ostree status
State: idle
Deployments:
* pivot://quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:3f0c628ec5d669a574ad114c89f4af9e669e7da89e7a2705c95fe83e98eaf570
CustomOrigin: Managed by machine-config-operator
Version: 48.83.202103221318-0 (2021-03-22T13:22:02Z)
ostree://328a44d7c259ca1e3ed31ae020f09d922f460be998657a92f684f6760443077b
Version: 48.83.202103221318-0 (2021-03-22T13:22:02Z)
sh-4.4# exit
exit
sh-4.2# exit
exit
Removing debug pod ...
$ oc debug node/ip-10-0-134-208.us-west-2.compute.internal
Starting pod/ip-10-0-134-208us-west-2computeinternal-debug ...
To use host binaries, run `chroot /host`
If you don't see a command prompt, try pressing enter.
sh-4.2# chroot /host
sh-4.4# lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
nvme0n1 259:0 0 120G 0 disk
|-nvme0n1p1 259:1 0 1M 0 part
|-nvme0n1p2 259:2 0 127M 0 part
|-nvme0n1p3 259:3 0 384M 0 part /boot
`-nvme0n1p4 259:4 0 119.5G 0 part
`-root 253:0 0 119.5G 0 crypt /sysroot
sh-4.4# clevis luks list -d /dev/disk/by-partlabel/root
1: sss '{"t":1,"pins":{"tang":[{"url":"http://18.237.82.232"}]}}'
sh-4.4# cryptsetup luksDump /dev/disk/by-partlabel/root
LUKS header information
Version: 2
Epoch: 6
Metadata area: 16384 [bytes]
Keyslots area: 16744448 [bytes]
UUID: e83863d3-0e80-4bfd-a58f-4d26dace2d9c
Label: (no label)
Subsystem: (no subsystem)
Flags: (no flags)
Data segments:
0: crypt
offset: 16777216 [bytes]
length: (whole device)
cipher: aes-cbc-essiv:sha256
sector: 512 [bytes]
Keyslots:
1: luks2
Key: 256 bits
Priority: normal
Cipher: aes-cbc-essiv:sha256
Cipher key: 256 bits
PBKDF: argon2i
Time cost: 4
Memory: 849082
Threads: 2
Salt: 8d f9 a9 2b 0e 2b 48 37 06 b8 06 bf 6d 9f 28 0b
88 6c 9b b2 93 91 0d 72 b9 3a 71 71 fa 13 ec 7c
AF stripes: 4000
AF hash: sha256
Area offset:163840 [bytes]
Area length:131072 [bytes]
Digest ID: 0
Tokens:
0: clevis
Keyslot: 1
Digests:
0: pbkdf2
Hash: sha256
Iterations: 217366
Salt: 75 b6 39 b5 63 5b 17 87 ac 4a 19 e3 5c 47 e7 95
81 be 07 d0 df 0d d2 0e 67 fe cc 4f 62 73 52 4f
Digest: 73 75 23 80 e4 e4 99 82 4a 1f 4e cf 64 68 c0 b6
ba a7 3b b9 de fe e7 67 39 af 2d 54 3d 84 cb c0
sh-4.4# findmnt /var | more
TARGET SOURCE FSTYPE OPTIONS
/var /dev/mapper/root[/ostree/deploy/rhcos/var] xfs rw,relatime,seclabel,attr2,inode64,logbufs=8,logbsize=32k,prjquota
sh-4.4# exit
exit
sh-4.2# exit
exit
Removing debug pod ...

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2438