Red Hat Bugzilla – Bug 1270335
Anaconda offers encrypted root, but target Atomic Host content set doesn't include cryptsetup
Last modified: 2016-02-02 09:02:32 EST
Description of problem:
Fedora 23 atomic iso used to install. After install, boot is normal, and dracut asks for passphrase. However, once you do an rpm-ostree update (23.30 specifically), it will no longer prompt for passphrase. Editing grub to remove "rhgb quiet" options does not have any effect. Bare metal or virtualbox both fail.
Version-Release number of selected component (if applicable):
Beta 23 - update ostree to 23.30
Install Beta 23 from iso. make luks encrypted disk. perform an rpm-ostree upgrade.
Steps to Reproduce:
1.Install Beta 23 Atomic from iso
2.Choose to have luks encrypted disks
3.After install, perform rpm-ostree update
No passphrase promp. Dracut times out (the mapper partition does not exist)
Prompt for passphrase as base install does.
Workaround: after dracut timeout, manually open and map disk with cryptsetup
Actually nevermind on the workarou, cryptsetup isnt installed in dracut. Perhaps dracut needs to be updated to include that by default (I will try to manually build a dracut after booting into the 23.1 (default) branch). The 23.1 continues to prompt for passphrase.
This is still impacting people. Let's make this the Fedora version of bug 1267905.
This is tricky to make generic, as one could create custom trees. We can't know what's included in the remote tree without fetching from it.
(Note, it is possible with ostree to just fetch /usr/share/rpm from the remote tree, then we could introspect it).
That all said, I think the simplest and lowest risk change here would be a way to disable partitioning options inside fedora-productimg-atomic.
Doesn't help people using the generic install ISO with a custom tree, but that's something to address later I'd say.
...which now that I look what https://bugzilla.redhat.com/attachment.cgi?id=1082613&action=diff does, so that's good =)
I can't view the bug linked, access denied. However, while I agree removing the option from an iso install will prevent issues, on the commercial side we have new requirements in the health care industry mandating encryption at rest (whether something like Luks/dmcrypt, or hardware level). While we use only the rhel side commercially, fedora is the upstream, and they would then have to do all the hard work.
How's does the rpmostree method generate the initrams with dracut? It doesn't seem like adding that one module to a default dracut would be a huge deal, its very tiny, and used more and more commercially, and home use.
I ran into this bug the other day, and am going down the rpm-ostree-toolbox route to get around it. If there is some rationale for Atomic Host not supporting LUKS on bare-metal, however, I would like to know about it before experimenting further.
David touched on industry requirements for disk crypto (PCI-DSS, HIPAA, etc.). Disk crypto is also important for people who operate labs in shared environments (or homes without rottweilers).