Bug 1270335 - Anaconda offers encrypted root, but target Atomic Host content set doesn't include cryptsetup
Product: Fedora
Classification: Fedora
Component: anaconda
Assigned To: Anaconda Maintenance Team
QA Contact: Fedora Extras Quality Assurance
Reported: 2015-10-09 12:42 EDT by David
Modified: 2016-02-02 09:02 EST
Doc Type: Bug Fix
Type: Bug
Last Closed: 2016-02-02 09:02:32 EST

Description David 2015-10-09 12:42:10 EDT
Description of problem:
Fedora 23 Atomic ISO used to install. After install, boot is normal, and dracut asks for the passphrase. However, once you do an rpm-ostree update (23.30 specifically), it will no longer prompt for the passphrase. Editing grub to remove the "rhgb quiet" options does not have any effect. Bare metal and VirtualBox both fail.

Version-Release number of selected component (if applicable):
Beta 23 - update ostree to 23.30

How reproducible:
Install Beta 23 from ISO, make a LUKS-encrypted disk, perform an rpm-ostree upgrade.

Steps to Reproduce:
1. Install Beta 23 Atomic from ISO
2. Choose to have LUKS-encrypted disks
3. After install, perform rpm-ostree update

Actual results:
No passphrase prompt. Dracut times out (the mapper partition does not exist).

Expected results:
Prompt for passphrase as the base install does.

Additional info:
Workaround: after the dracut timeout, manually open and map the disk with cryptsetup.
Comment 1 David 2015-10-09 12:46:27 EDT
Actually, never mind on the workaround, cryptsetup isn't installed in dracut. Perhaps dracut needs to be updated to include that by default (I will try to manually build a dracut after booting into the 23.1 (default) branch). The 23.1 continues to prompt for the passphrase.
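Given the failure mode in the description and comment 1 (the initramfs of the upgraded tree lacks cryptsetup, so the LUKS root is never opened), here is a pre-reboot check an administrator can run against the pending deployment's initramfs. This is an added example, not code from the thread or from rpm-ostree/dracut; it assumes `lsinitrd` is available on the host and that its output has a "dracut modules:" section (one module per line) followed by a "====" rule and a cpio-style file listing.

```shell
# Added example (not from the bug thread): verify that an initramfs carries
# LUKS support before rebooting into an rpm-ostree deployment.  It inspects
# the text printed by `lsinitrd <image>`, assumed to contain a
# "dracut modules:" section, one module per line, then a "====" rule and a
# cpio-style file listing.

# Reads an lsinitrd listing on stdin; returns 0 only if both the "crypt"
# dracut module and the cryptsetup binary are present, 1 otherwise.
initrd_listing_has_luks_support() {
    listing=$(cat)
    status=0
    # Module names sit between the "dracut modules:" header and the next rule.
    if ! printf '%s\n' "$listing" | sed -n '/^dracut modules:/,/^====/p' | grep -qx 'crypt'; then
        echo "missing dracut module: crypt" >&2
        status=1
    fi
    # The binary that actually opens the LUKS container at boot.
    if ! printf '%s\n' "$listing" | grep -q 'usr/sbin/cryptsetup$'; then
        echo "missing binary: usr/sbin/cryptsetup" >&2
        status=1
    fi
    return $status
}

# On a live host: check one image (assumes lsinitrd is installed; on an ostree
# system the images live under /boot/ostree/<stateroot>-<checksum>/).
check_initramfs_image() {
    lsinitrd "$1" | initrd_listing_has_luks_support
}

# Constructed sample listings so the script runs stand-alone.
GOOD_LISTING='dracut modules:
bash
systemd
dm
crypt
========================================================================
-rwxr-xr-x   1 root     root      1234 Jan  1  1970 usr/sbin/cryptsetup
-rwxr-xr-x   1 root     root      5678 Jan  1  1970 usr/sbin/dmsetup'

BAD_LISTING='dracut modules:
bash
systemd
dm
========================================================================
-rwxr-xr-x   1 root     root      5678 Jan  1  1970 usr/sbin/dmsetup'

printf '%s\n' "$GOOD_LISTING" | initrd_listing_has_luks_support && echo "good image: ok"
printf '%s\n' "$BAD_LISTING"  | initrd_listing_has_luks_support || echo "bad image: root would not unlock"
```

Run `check_initramfs_image /boot/ostree/<stateroot>-<checksum>/initramfs-*.img` after `rpm-ostree upgrade` and before rebooting; a non-zero exit means the new deployment would hit the same timeout described above.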
Comment 2 Colin Walters 2016-01-20 09:24:00 EST
This is still impacting people.  Let's make this the Fedora version of bug 1267905.
Comment 3 Colin Walters 2016-01-20 09:27:04 EST
This is tricky to make generic, as one could create custom trees.  We can't know what's included in the remote tree without fetching from it. 

(Note, it is possible with ostree to just fetch /usr/share/rpm from the remote tree, then we could introspect it).

That all said, I think the simplest and lowest risk  change here would be a way to disable partitioning options inside fedora-productimg-atomic.

Doesn't help people using the generic install ISO with a custom tree, but that's something to address later I'd say.
Comment 4 Colin Walters 2016-01-20 09:27:53 EST
...which, now that I look at what https://bugzilla.redhat.com/attachment.cgi?id=1082613&action=diff does, is good =)
Comment 5 David 2016-01-20 17:19:42 EST
I can't view the bug linked, access denied. However, while I agree removing the option from an ISO install will prevent issues, on the commercial side we have new requirements in the health care industry mandating encryption at rest (whether something like LUKS/dm-crypt, or hardware level). While we use only the RHEL side commercially, Fedora is the upstream, and they would then have to do all the hard work.

How does the rpm-ostree method generate the initramfs with dracut? It doesn't seem like adding that one module to a default dracut would be a huge deal; it's very tiny, and used more and more commercially and for home use.
Comment 6 charles.paul 2016-01-21 07:08:36 EST
I ran into this bug the other day, and am going down the rpm-ostree-toolbox route to get around it.  If there is some rationale for Atomic Host not supporting LUKS on bare-metal, however, I would like to know about it before experimenting further.

David touched on industry requirements for disk crypto (PCI-DSS, HIPAA, etc.). Disk crypto is also important for people who operate labs in shared environments (or homes without rottweilers).