Bug 1976641

Summary: dbus-broker-29-1 update breaks automated unlocking of encrypted volumes at boot time via clevis
Product: [Fedora] Fedora Reporter: Lennert Buytenhek <buytenh>
Component: dracutAssignee: dracut-maint-list
Status: CLOSED DUPLICATE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 34CC: alex.j.kerzner, daherrma, dracut-maint-list, frank, gmbnomis, howard-redhat, johannbg, jonathan, klaas, mail, scorreia, tgunders, yaneti, zbyszek
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-08-17 13:46:04 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Workaround patch to remove offending line - not safe none

Description Lennert Buytenhek 2021-06-27 19:37:17 UTC 
With dbus-broker-28-3, a test VM configured to automatically unlock its LUKS-encrypted root volume over the network by way of clevis boots thusly:

[    2.493782] Console: switching to colour frame buffer device 128x48
[    2.623650] cirrus 0000:00:01.0: [drm] fb0: cirrusdrmfb frame buffer device
<info>  [1624821873.8459] NetworkManager (version 1.30.4-1.fc34) is starting... (for the first time)
<info>  [1624821873.8494] Read config: /etc/NetworkManager/NetworkManager.conf (lib: initrd-no-auto-default.conf)
<info>  [1624821873.8650] bus-manager: acquired D-Bus service "org.freedesktop.NetworkManager"
<info>  [1624821873.8691] manager[0x55627f74c0c0]: monitoring kernel firmware directory '/lib/firmware'.
<info>  [1624821873.8772] hostname: hostname: couldn't get property from hostnamed
<info>  [1624821873.8780] hostname: hostname changed from (none) to "test"
[...]

And everything proceeds as expected.  But with dbus-broker-29-1 instead of -28-3 in the initramfs, there is no output after "Read config: /etc/NetworkManager/NetworkManager.conf (lib: initrd-no-auto-default.conf)", and the root volume fails to automatically unlock.

Some digging identifies this change as causing the change in behavior:

diff -urN 1/usr/lib/systemd/system/dbus-broker.service 2/usr/lib/systemd/system/dbus-broker.service
--- 1/usr/lib/systemd/system/dbus-broker.service        2021-06-27 22:00:09.989634783 +0300
+++ 2/usr/lib/systemd/system/dbus-broker.service        2021-06-27 22:00:12.057650724 +0300
@@ -2,6 +2,7 @@
 Description=D-Bus System Message Bus
 Documentation=man:dbus-broker-launch(1)
 DefaultDependencies=false
+After=dbus.socket sysinit.target
 Before=basic.target shutdown.target
 Requires=dbus.socket
 Conflicts=shutdown.target

Specifically, the After dependency on sysinit.target is what seems to cause NetworkManager to not set up the network device anymore and clevis to not be able to do its thing, and reverting that part of the dependency makes remote unlocking work again.

Relevant bug seems to be https://bugzilla.redhat.com/show_bug.cgi?id=1948042
Comment 1 David Rheinsberg 2021-06-28 11:00:36 UTC 
(In reply to Lennert Buytenhek from comment #0)
> And everything proceeds as expected.  But with dbus-broker-29-1 instead of
> -28-3 in the initramfs, there is no output after "Read config:
> /etc/NetworkManager/NetworkManager.conf (lib: initrd-no-auto-default.conf)",
> and the root volume fails to automatically unlock.
> 
> Some digging identifies this change as causing the change in behavior:
> 
> diff -urN 1/usr/lib/systemd/system/dbus-broker.service
> 2/usr/lib/systemd/system/dbus-broker.service
> --- 1/usr/lib/systemd/system/dbus-broker.service        2021-06-27
> 22:00:09.989634783 +0300
> +++ 2/usr/lib/systemd/system/dbus-broker.service        2021-06-27
> 22:00:12.057650724 +0300
> @@ -2,6 +2,7 @@
>  Description=D-Bus System Message Bus
>  Documentation=man:dbus-broker-launch(1)
>  DefaultDependencies=false
> +After=dbus.socket sysinit.target
>  Before=basic.target shutdown.target
>  Requires=dbus.socket
>  Conflicts=shutdown.target

The service file we ship is not intended for the initrd. I wasn't even aware people put D-Bus in the initrd, I don't think this was ever really supported. Maybe I am wrong?

Can you just switch out the service file in your initrd with the desired one?
Comment 2 Lennert Buytenhek 2021-06-28 12:02:28 UTC 
> I wasn't even aware people put D-Bus in the initrd, I don't think this was ever really supported. Maybe I am wrong?

This seems to have been added in February:

    https://github.com/dracutdevs/dracut/commit/38cd8125f63e7f8d6ca7287bee0b2497f5f753db

> Can you just switch out the service file in your initrd with the desired one?

Cc'ing johannbg@ and setting Component to dracut.
Comment 3 alex.j.kerzner 2021-07-05 14:36:11 UTC 
Created attachment 1798195 [details]
Workaround patch to remove offending line - not safe

(In reply to David Rheinsberg from comment #1)
> *snip*
> Can you just switch out the service file in your initrd with the desired one?

Made a patch to remove the offending line from one of the files, dbus-broker.service (introduced in commit 28af5ac, dracut upstream). It's definitely workaround-material only - I wouldn't want it merged in (very easy to break if upstream changes the line, doesn't actually fix the real issue, etc.), but it's a start at least.

This works in my environment (clevis with tang bind on root partition). I won't guarantee anything beyond that.
Comment 4 Klaas Demter 2021-07-14 14:26:43 UTC 
*** Bug 1979051 has been marked as a duplicate of this bug. ***
Comment 5 Marius Hoch 2021-07-22 13:38:47 UTC 
This seems to be a duplicate of bug#1976653.
Comment 6 Klaas Demter 2021-08-16 08:09:35 UTC 
This is fixed in 
Upstream: https://github.com/bus1/dbus-broker/pull/271
F34: dbus-broker-29-2.fc34.x86_64 https://src.fedoraproject.org/rpms/dbus-broker/c/ee7c2a1777a227c61ee7c2fa0ec7932a4a9b1360?branch=rawhide
Comment 7 Lennert Buytenhek 2021-08-17 13:46:04 UTC 
Somewhat reluctantly (since I found it and debugged it first! :P) marking this as a duplicate of bug#1976653 as per Marius's comment #5.

*** This bug has been marked as a duplicate of bug 1976653 ***