1384014 – RFE: Possibility to boot from encrypted non-iSCSI disks and mount encrypted iSCSI disks on the same machine

Bug 1384014 - RFE: Possibility to boot from encrypted non-iSCSI disks and mount encrypted iSCSI disks on the same machine

Summary: RFE: Possibility to boot from encrypted non-iSCSI disks and mount encrypted i...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	systemd
Sub Component:
Version:	7.4
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Lukáš Nykrýn
QA Contact:	Frantisek Sumsal
Docs Contact:	Marek Suchánek
URL:
Whiteboard:
Depends On:
Blocks:	1298243 1420851 1466365
TreeView+	depends on / blocked

Reported:	2016-10-12 11:21 UTC by Ondrej Benes
Modified:	2021-06-10 11:35 UTC (History)
CC List:	10 users (show)
Fixed In Version:	systemd-219-45.el7
Doc Type:	Enhancement
Doc Text:	The boot process can now unlock encrypted devices connected by network Previously, the boot process attempted to unlock block devices connected by network before starting network services. Because the network was not activated, it was not possible to connect and decrypt these devices. With this update, the `remote-cryptsetup.target` unit and other patches have been added to `systemd` packages. As a result, it is now possible to unlock encrypted block devices that are connected by network during system boot and to mount file systems on such block devices. To ensure correct ordering between services during system boot, you must mark the network device with the `_netdev` option in the `/etc/crypttab` configuration file. A common use case for this feature is together with network-bound disk encryption. For more information on network-bound disk encryption, see the following chapter in the Red Hat Enterprise Linux Security Guide: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-using_network-bound_disk_encryption
Clone Of:
Environment:
Last Closed:	2018-04-10 11:16:36 UTC
Target Upstream Version:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Bugzilla	1477757	0	unspecified	CLOSED	[RFE] allow cryptsetup block device units to appear after networking comes up	2021-02-22 00:41:40 UTC
Red Hat Product Errata	RHBA-2018:0711	0	None	None	None	2018-04-10 11:18:53 UTC

Internal Links: 1477757

Description Ondrej Benes 2016-10-12 11:21:39 UTC

Description of problem:
If we use an encrypted PV to boot from and at the same time want to mount an ecrypted iSCSI disk, we add both these entries to /etc/crypttab. Now while non-iSCSI disk is available for cryptsetup in very early booting stages, iSCSI is only available after network starts (later than /etc/crypttab is processed). This introduces a delay in boot. 

Is an option similar to fstab's _netdev available? This would tell cryptsetup to process this concrete line later, when iSCSI is ready

Version-Release number of selected component (if applicable):


How reproducible:
always

Steps to Reproduce:
1. enter both boot disk / LV and an iSCSI disk in /etc/crypttab
2. boot

Actual results:
cryptsetup will start (and process /etc/crypttab) before iSCSI has established connection with the target (network is not ready). This introduces delay in boot and the volume is not mounted.


Expected results:
Have cryptsetup distinguish between items it needs to process in early stages of boot (rootfs) and those that will be mounted later via iSCSI. The desired effect is similar to _netdev parameter in fstab.

Comment 2 Ondrej Kozina 2016-10-12 11:37:41 UTC

Reassigning to more appropriate component. A crypttab file is managed and interpreted solely in systemd as of now. cryptsetup has currently no means to perform any auto-activation on device discovery

Comment 10 Lukáš Nykrýn 2017-09-13 08:08:16 UTC

https://github.com/systemd/systemd/pull/6747

Comment 14 Lukáš Nykrýn 2017-09-25 10:33:38 UTC

fix merged to upstream staging branch -> https://github.com/lnykryn/systemd-rhel/pull/141 -> post

Comment 22 errata-xmlrpc 2018-04-10 11:16:36 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0711

Note You need to log in before you can comment on or make changes to this bug.