Bug 1465208 - Unlocking disk from dracut is broken
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: clevis
Version: 26
Severity: high
Assigned To: Nathaniel McCallum
QA Contact: Fedora Extras Quality Assurance
Whiteboard: AcceptedFreezeException
Blocks: F26FinalFreezeException

Reported: 2017-06-26 20:48 EDT by Nathaniel McCallum
Modified: 2017-07-06 18:50 EDT
Fixed In Version: clevis-6-1.fc26
Last Closed: 2017-07-06 18:50:09 EDT
Type: Bug
Description Nathaniel McCallum 2017-06-26 20:48:48 EDT
This is fixed in clevis v5. We need to rebase.
Comment 1 Fedora Blocker Bugs Application 2017-06-26 20:54:52 EDT
Proposed as a Freeze Exception for 26-final by Fedora user npmccallum using the blocker tracking app because:

 Currently, F26 will ship with Clevis v4. Clevis provides unlocking during early boot. However, we discovered an issue where Clevis doesn't work in dracut. This was fixed in v5. Additionally, in v5 we offload processing of untrusted data to an unprivileged user. These are the only two changes in this release.

Normally, I would be fine with being in the first batch of updates. However, if clevis-dracut is installed during initial installation an initramfs will be generated with the broken code and users will have to follow a manual process to fix this. However, if we land Clevis v5 in the initial release, the installer will generate a working initramfs.

An update already exists which fixes this problem (we just missed the cut off): https://bodhi.fedoraproject.org/updates/FEDORA-2017-eba47499b6
Comment 2 Fedora Update System 2017-06-27 08:03:05 EDT
clevis-6-1.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-eba47499b6
Comment 3 Fedora Update System 2017-06-27 08:03:13 EDT
clevis-6-1.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-eba47499b6
Comment 4 Nathaniel McCallum 2017-06-27 08:04:27 EDT
We discovered an unrelated security issue upstream and released v6. Everything else still applies.
Comment 5 Fedora Update System 2017-06-27 16:24:34 EDT
clevis-6-1.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-eba47499b6
Comment 6 Adam Williamson 2017-06-29 15:29:26 EDT
Discussed at 2017-06-29 freeze exception review meeting: https://meetbot-raw.fedoraproject.org/fedora-blocker-review/2017-06-29/f26-blocker-review.2017-06-29-16.00.html . We accepted this as a freeze exception; usually installs will include the stable 'updates' repository so just shipping this as a regular update would be OK, but it's possible someone might use a kickstart without the updates repo enabled, and clevis isn't on any install media so far as we know so pushing it stable should be quite safe.
Comment 7 Adam Williamson 2017-06-29 15:30:17 EDT
Note, the update still won't get into the final compose unless it is submitted for stable.
Comment 8 Matthew Miller 2017-07-02 11:00:37 EDT
> Normally, I would be fine with being in the first batch of updates. However,
> if clevis-dracut is installed during initial installation an initramfs will
> be generated with the broken code and users will have to follow a manual
> process to fix this. However, if we land Clevis v5 in the initial release,

Is this manual process documented somewhere? I don't see it in Common Bugs. I know the release notes are in non-ideal state, but if this doesn't get in we should document it there. Or, actually, we should document it for anyone who installed during the beta period.

How does this affect people who are upgrading from older releases?
Comment 9 Nathaniel McCallum 2017-07-02 14:58:24 EDT
The manual step is dracut -f.

However, this should only be required if no new kernel or dracut was shipped after beta. Otherwise, the initramfs will be rebuilt anyway.
Comment 10 Nathaniel McCallum 2017-07-02 15:01:39 EDT
Beta shipped with kernel-4.11.0-2.fc26 and it appears the final release will ship with kernel-4.11.7-300.fc26. So the initramfs will be regenerated automatically during updates to the latest packages.

In short, no problem.
Comment 11 Fedora Update System 2017-07-06 18:50:09 EDT
clevis-6-1.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.
