Red Hat Bugzilla – Bug 1029790
dracut cannot handle encrypted partitions with a key file on the root file system
Last modified: 2014-11-10 07:27:53 EST
Created attachment 823292 [details]
Description of problem:
I have upgraded a system with fedup from F19 to F20 and I cannot boot with the generated initramfs.
I have a ext4 /boot, a unencrypted btrfs root partition, and the rest of partitions including swap are on Luks and LVM. In F19 it booted perfectly without asking for a Luks password (I have the keyfiles in /etc), but now, it reaches the target basic system and hangs for about 5 minutes and after that I get the dracut emergency shell. If I choose in grub a F19 kernel to boot, it boots ok.
In the emergency shell it says it cannot find my LVM volume group (it is inside a luks partition, which is closed).
dracut-initqueue: Warning: Could not boot.
dracut-initqueue: Warning: /dev/mapper/vg_raid0-swap does not exist
I have extracted the initramfs and compared them with the ones generated by F19. In F20, the initramfs has this /etc/crypttab:
luks-0f938c6d-4be4-486d-9f09-d04898e90e88 /dev/disk/by-uuid/0f938c6d-4be4-486d-9f09-d04898e90e88 /etc/luks_keys/keyfile
In F19, the initramfs has no /etc/crypttab file
In the real root partition I have this:
luks-e959dcb0-4bff-4d4b-9efc-2f729e7e2a1e UUID=e959dcb0-4bff-4d4b-9efc-2f729e7e2a1e /etc/luks_keys/keyfile
luks-24562ce1-cac4-44aa-a3ab-52d2c46d6925 UUID=24562ce1-cac4-44aa-a3ab-52d2c46d6925 /etc/luks_keys/keyfile
luks-0f938c6d-4be4-486d-9f09-d04898e90e88 UUID=0f938c6d-4be4-486d-9f09-d04898e90e88 /etc/luks_keys/keyfile
The kernel commandline is:
root=UUID=5094ab56-5ea8-40c3-8e2c-d3a09a6fd537 ro rootflags=subvol=root rd.md=0 rd.lvm=0 rd.dm=0 vconsole.keymap=es rd.luks=0 vconsole.font=latarcyrheb-sun16 crashkernel=128M radeon.audio=1 rhgb quiet
Version-Release number of selected component (if applicable):
Proposed as a Blocker for 20-final by Fedora user jorti using the blocker tracking app because:
After upgrading a perfectly working F19 system with "fedup --network 20", I get an unbootable system because dracut cannot figure out how to mount my Luks partitions.
dracut wants to open all swap devices, to be able to resume from suspend.
If the swap partition is decrypted with a key file, the boot fails, because dracut does not copy the key file to the initramfs.
After removing the swap partition and rebuilding the dracut image, it boots fine.
Something has changed in the dracut logic, because this setup worked in F19.
Discussed at 2013-11-13 blocker review meeting - http://meetbot.fedoraproject.org/fedora-blocker-review/2013-11-13/f20-final-blocker-review-1.2013-11-13-17.01.log.txt . Agreed to delay determination while we ask Harald for clarification as to whether he considers this intended behaviour or a bug, and if it's a bug, how serious it is. Harald?
Well, it would affect everybody with a keyfile for /usr or swap devices and that are not very many.
But I will do the following:
a) do not wait for crypt devices, which cannot be decrypted
b) relax the conditions in the initramfs to continue, even if a swap device could not be found
Discussed in 2013-11-14 Blocker Review Meeting . This was voted as a RejectedBlocker as this does not affect a large enough user base to guarantee a blocker. We still would like to see this fixed before release. If the fix is ready during freeze period, please propose for a freeze exception.
dracut-037-10.git20140402.fc20 has been submitted as an update for Fedora 20.
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing dracut-037-10.git20140402.fc20'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).
dracut-037-10.git20140402.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
Status: ON_QA → CLOSED