Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
First Last Prev Next    This bug is not in your last search results.
Bug 1384014 - RFE: Possibility to boot from encrypted non-iSCSI disks and mount encrypted iSCSI disks on the same machine
RFE: Possibility to boot from encrypted non-iSCSI disks and mount encrypted i...
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: systemd (Show other bugs)
7.4
Unspecified Unspecified
unspecified Severity unspecified
: rc
: ---
Assigned To: Lukáš Nykrýn
Frantisek Sumsal
Marek Suchanek
: FutureFeature
Depends On:
Blocks: 1298243 1420851 1466365
  Show dependency treegraph
 
Reported: 2016-10-12 07:21 EDT by Ondrej Benes
Modified: 2018-04-10 07:18 EDT (History)
10 users (show)

See Also:
Fixed In Version: systemd-219-45.el7
Doc Type: Enhancement
Doc Text:
The boot process can now unlock encrypted devices connected by network Previously, the boot process attempted to unlock block devices connected by network before starting network services. Because the network was not activated, it was not possible to connect and decrypt these devices. With this update, the `remote-cryptsetup.target` unit and other patches have been added to `systemd` packages. As a result, it is now possible to unlock encrypted block devices that are connected by network during system boot and to mount file systems on such block devices. To ensure correct ordering between services during system boot, you must mark the network device with the `_netdev` option in the `/etc/crypttab` configuration file. A common use case for this feature is together with network-bound disk encryption. For more information on network-bound disk encryption, see the following chapter in the Red Hat Enterprise Linux Security Guide: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-using_network-bound_disk_encryption
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-04-10 07:16:36 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:0711 None None None 2018-04-10 07:18 EDT

  None (edit)
Description Ondrej Benes 2016-10-12 07:21:39 EDT 
Description of problem:
If we use an encrypted PV to boot from and at the same time want to mount an ecrypted iSCSI disk, we add both these entries to /etc/crypttab. Now while non-iSCSI disk is available for cryptsetup in very early booting stages, iSCSI is only available after network starts (later than /etc/crypttab is processed). This introduces a delay in boot. 

Is an option similar to fstab's _netdev available? This would tell cryptsetup to process this concrete line later, when iSCSI is ready

Version-Release number of selected component (if applicable):


How reproducible:
always

Steps to Reproduce:
1. enter both boot disk / LV and an iSCSI disk in /etc/crypttab
2. boot

Actual results:
cryptsetup will start (and process /etc/crypttab) before iSCSI has established connection with the target (network is not ready). This introduces delay in boot and the volume is not mounted.


Expected results:
Have cryptsetup distinguish between items it needs to process in early stages of boot (rootfs) and those that will be mounted later via iSCSI. The desired effect is similar to _netdev parameter in fstab.
Comment 2 Ondrej Kozina 2016-10-12 07:37:41 EDT 
Reassigning to more appropriate component. A crypttab file is managed and interpreted solely in systemd as of now. cryptsetup has currently no means to perform any auto-activation on device discovery
Comment 10 Lukáš Nykrýn 2017-09-13 04:08:16 EDT 
https://github.com/systemd/systemd/pull/6747
Comment 14 Lukáš Nykrýn 2017-09-25 06:33:38 EDT 
fix merged to upstream staging branch -> https://github.com/lnykryn/systemd-rhel/pull/141 -> post
Comment 22 errata-xmlrpc 2018-04-10 07:16:36 EDT 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0711
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.