Bug 2159446

Summary: systemd-cryptsetup@ instances depend on systemd-udevd, hence must start AFTER systemd-udevd
Product: Red Hat Enterprise Linux 8 Reporter: Renaud Métrich <rmetrich>
Component: systemdAssignee: systemd maint <systemd-maint>
Status: CLOSED MIGRATED QA Contact: Frantisek Sumsal <fsumsal>
Severity: medium Docs Contact:
Priority: medium    
Version: 8.7CC: dtardon, herbert.van.den.bergh, lherbolt, scorreia, systemd-maint-list
Target Milestone: rcKeywords: Bugfix, MigratedToJIRA, Triaged
Target Release: ---Flags: pm-rhel: mirror+
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-09-21 12:19:59 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Renaud Métrich 2023-01-09 15:56:18 UTC 
Description of problem:

/usr/lib/systemd/systemd-cryptsetup relies on the libcryptsetup.so library, which itself makes use of the libdevmapper.so library.

Inside libdevmapper, there is code to detect the presence/usage of *udev*.
In such case, the code makes sure to rely on udev to create the symlinks /dev/mapper/luks-XXX back to "../dm-Y" devices.

It appears that during a small window, the code can believe udev is not in use, because /run/udev/control is not present "yet".
This causes the libdevmapper library to create the /dev/mapper/luks-XXX node, causing systemd-udevd rule in charge of creating the symlink to fail, e.g.:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
systemd-udevd[XXX]: conflicting device node '/dev/mapper/luks-7b4618b9-6a49-4ee1-838a-7691839dde78' found, link to '/dev/dm-13' will not be created
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

The reason for not detecting udev is systemd-udevd and systemd-cryptsetup@ instances start concurrently, systemd-cryptsetup@ can even start a few clock ticks before systemd-udevd (column 22 is start time in clock ticks):
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
# cat /proc/$(pgrep systemd-udevd)/stat | awk '{ print $22 }'
795

# ps -eaf | grep cryptsetup
root        1576       1  4 15:40 ?        00:00:01 /usr/lib/systemd/systemd-cryptsetup attach luksvdb8 /dev/disk/by-uuid/7b4618b9-6a49-4ee1-838a-7691839dde78 none discard
...

# cat /proc/1576/stat | awk '{ print $22 }'
763
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

To close this window, we need to generate a "After=systemd-udevd" stanza in systemd-cryptsetup@ excerpts.

Version-Release number of selected component (if applicable):

systemd-239

How reproducible:

Often

Steps to Reproduce:
1. Install a system, then add a disk with 8 Luks devices, no need to create a file system on those
2. Make sure to unlock them automatically (using a key file or Clevis) and add those to /etc/crypttab for automatic decryption

    Adding _netdev facilitates troubleshooting because we can then log in using sshd while unlocking happens.
    In such case, don't forget to enable "remote-cryptsetup.target"...

3. Boot until the issue occurs or delay startup of systemd-udevd as a hack

    -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
    # mkdir -p /etc/systemd/system/systemd-udevd.service.d
    # cat > /etc/systemd/system/systemd-udevd.service.d/delay.conf << EOF
    [Service]
    ExecStartPre=/bin/sleep 30
    -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Actual results:

Journal shows "conflicting device node" and some /dev/mapper/luks-XXX devices are not symlinks:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
# ll /dev/mapper/
total 0
...
lrwxrwxrwx 1 root root        8 Jan  9 16:53 luksvdb1 -> ../dm-10
lrwxrwxrwx 1 root root        7 Jan  9 16:53 luksvdb2 -> ../dm-7
brw-rw---- 1 root disk 253,   6 Jan  9 16:52 luksvdb3
lrwxrwxrwx 1 root root        7 Jan  9 16:53 luksvdb5 -> ../dm-3
lrwxrwxrwx 1 root root        7 Jan  9 16:53 luksvdb6 -> ../dm-8
brw-rw---- 1 root disk 253,   4 Jan  9 16:52 luksvdb7
lrwxrwxrwx 1 root root        7 Jan  9 16:53 luksvdb8 -> ../dm-5
...

# systemctl status systemd-udevd
...
Jan 09 16:53:06 vm-clevis86 systemd-udevd[6542]: conflicting device node '/dev/mapper/luksvdb3' found, link to '/dev/>
Jan 09 16:53:06 vm-clevis86 systemd-udevd[6530]: conflicting device node '/dev/mapper/luksvdb7' found, link to '/dev/>
...
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Expected results:

Always getting symlinks created by udevd
Comment 1 David Tardon 2023-01-10 13:46:28 UTC 
Interesting... I assume you're using kernel disk names (like /dev/sd*) in your reproducer, right? Because if symlinks (like /dev/disk/by-uuid/*) are used, the dependency on systemd-udevd is implicit: systemd-cryptsetup@.service does have BindsTo= and After= to the underlying device, which only becames active after udevd has created the symlink. That may be the reason nobody has noticed this earlier...
Comment 2 Renaud Métrich 2023-02-01 13:06:11 UTC 
*** Bug 2162676 has been marked as a duplicate of this bug. ***
Comment 3 Renaud Métrich 2023-02-01 13:14:23 UTC 
Hi David,

As explained, there is a race for creating the /dev/mapper/<node> path between libdevmapper and systemd-udevd.
If libdevmapper executes before systemd-udevd is there, it will create the node as a device.

Apparently the BindTo on the "by-uuid" path doesn't work somehow, if it's systemd-udevd that creates this link.
Comment 6 RHEL Program Management 2023-09-21 12:16:31 UTC 
Issue migration from Bugzilla to Jira is in process at this time. This will be the last message in Jira copied from the Bugzilla bug.
Comment 7 RHEL Program Management 2023-09-21 12:19:59 UTC 
This BZ has been automatically migrated to the issues.redhat.com Red Hat Issue Tracker. All future work related to this report will be managed there.

Due to differences in account names between systems, some fields were not replicated.  Be sure to add yourself to Jira issue's "Watchers" field to continue receiving updates and add others to the "Need Info From" field to continue requesting information.

To find the migrated issue, look in the "Links" section for a direct link to the new issue location. The issue key will have an icon of 2 footprints next to it, and begin with "RHEL-" followed by an integer.  You can also find this issue by visiting https://issues.redhat.com/issues/?jql= and searching the "Bugzilla Bug" field for this BZ's number, e.g. a search like:

"Bugzilla Bug" = 1234567

In the event you have trouble locating or viewing this issue, you can file an issue by sending mail to rh-issues. You can also visit https://access.redhat.com/articles/7032570 for general account information.