Bug 1419222 - tmp option of crypttab unusable
Summary: tmp option of crypttab unusable
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: initscripts
Version: 6.8
Hardware: All
OS: Linux
Target Milestone: rc
Assignee: David Kaspar // Dee'Kej
QA Contact: qe-baseos-daemons
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-02-04 00:23 UTC by Leon Fauster
Modified: 2017-02-13 10:47 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-02-13 10:47:15 UTC
Target Upstream Version:
Embargoed:



Description Leon Fauster 2017-02-04 00:23:25 UTC
Description of problem:

I have successfully used the swap option of crypttab (# man crypttab)
to encrypt the swap partition dynamically. rc.sysinit enables that 
swap partition successfully at the right point (after encryption). 

The same doesn't work for the tmp option of crypttab (# man crypttab).
The encrypted partition is present after booting the system. Manually   
mounting it works but adding "/dev/mapper/luks-tmp" into fstab shows that 
the boot process tries to mount it too early (not encrypted yet). 

This is confusing because other encrypted volumes (not dynamically) 
in fstab are successfully mounted. 

Okay, I see (line 842 /etc/rc.d/init.d/functions). It seems that 
volumes with random keys are skipped at that stage.


Version-Release number of selected component (if applicable):

initscripts-9.03.53-1.el6.1


How reproducible:

echo "luks-tmp /dev/device /dev/urandom tmp" >> /etc/crypttab
echo "/dev/mapper/luks-tmp /tmp	ext4	defaults 1 2" >> /etc/fstab  


Actual results:
Failure while booting respectively while mounting general fstab entries
 

Expected results:
mounting /tmp after encryption


Solution info:
rc.sysinit should skip volumes and memorize them that have key_is_random() 
while in the general mounting loop.

after mounting / rw and feeding random device, the line 563 in rc.sysinit will
generate the tmp enc fs. Therefore after this the mount loop must be called 
again but just for the memorized (skipped) volumes.
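
A check for the ordering problem described in this report, as an added example that is not part of the bug report or of initscripts: it lists fstab entries that mount a crypttab mapping keyed from a random device. The function names, the set of random key devices and the sample device names are assumptions of the example.

```shell
#!/bin/bash
# Added example (not initscripts code): list fstab entries that the general
# mount loop would try before their random-key crypttab mapping exists.

# Hypothetical helper. Treating these three nodes as random-key sources is an
# assumption of this example; the report itself only shows /dev/urandom.
is_random_key() {
    case "$1" in
        /dev/urandom|/dev/random|/dev/hw_random) return 0 ;;
        *) return 1 ;;
    esac
}

# crypttab fields: <name> <device> <key> <options>. Print random-key names.
random_key_mappings() {
    local name device key opts
    while read -r name device key opts || [ -n "$name" ]; do
        case "$name" in ''|'#'*) continue ;; esac
        if is_random_key "$key"; then printf '%s\n' "$name"; fi
    done < "$1"
}

# usage: early_mounts CRYPTTAB FSTAB
# Prints "<mount point> <mapper device>" for each affected fstab entry.
early_mounts() {
    local names spec mnt fstype opts rest
    names=$(random_key_mappings "$1")
    while read -r spec mnt fstype opts rest || [ -n "$spec" ]; do
        case "$spec" in /dev/mapper/*) ;; *) continue ;; esac
        # Swap is enabled after encryption (works, per the report); noauto
        # entries are not mounted by the boot-time loop at all.
        [ "$fstype" = swap ] && continue
        case ",$opts," in *,noauto,*) continue ;; esac
        if printf '%s\n' "$names" | grep -qxF -- "${spec#/dev/mapper/}"; then
            printf '%s %s\n' "$mnt" "$spec"
        fi
    done < "$2"
}

# Constructed sample files; device names are placeholders.
demo=$(mktemp -d)
printf '%s\n' 'luks-tmp /dev/device /dev/urandom tmp' \
    'luks-swap /dev/device2 /dev/urandom swap' \
    'luks-home /dev/device3 none' > "$demo/crypttab"
printf '%s\n' '/dev/mapper/luks-tmp /tmp ext4 defaults 1 2' \
    '/dev/mapper/luks-swap swap swap defaults 0 0' \
    '/dev/mapper/luks-home /home ext4 defaults 1 2' > "$demo/fstab"
early_mounts "$demo/crypttab" "$demo/fstab"
rm -rf "$demo"
```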

Comment 2 David Kaspar // Dee'Kej 2017-02-13 10:47:15 UTC
Hello Leon,

thank you for your bug report.

Unfortunately, making changes to encryption might potentially negatively affect many other customers, who require stability of RHEL-6, because we are in phase 2 of its lifecycle. For more info, please visit:

https://access.redhat.com/support/policy/updates/errata

I would suggest that you upgrade to RHEL-7, if possible. As far as I know, the encryption process for partitions has been changed there, and initscripts no longer take care of that.

Best regards,

David

