Red Hat Bugzilla – Bug 1465208
Unlocking disk from dracut is broken
Last modified: 2017-07-06 18:50:09 EDT
This is fixed in clevis v5. We need to rebase.
Proposed as a Freeze Exception for 26-final by Fedora user npmccallum using the blocker tracking app because:
Currently, F26 will ship with Clevis v4. Clevis provides unlocking during early boot. However, we discovered an issue where Clevis doesn't work in dracut. This was fixed in v5. Additionally, in v5 we offload processing of untrusted data to an unprivileged user. These are the only two changes in this release.
Normally, I would be fine with being in the first batch of updates. However, if clevis-dracut is installed during initial installation, an initramfs will be generated with the broken code and users will have to follow a manual process to fix this. However, if we land Clevis v5 in the initial release, the installer will generate a working initramfs.
An update already exists which fixes this problem (we just missed the cut off): https://bodhi.fedoraproject.org/updates/FEDORA-2017-eba47499b6
clevis-6-1.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-eba47499b6
We discovered an unrelated security issue upstream and released v6. Everything else still applies.
clevis-6-1.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-eba47499b6
Discussed at 2017-06-29 freeze exception review meeting: https://meetbot-raw.fedoraproject.org/fedora-blocker-review/2017-06-29/f26-blocker-review.2017-06-29-16.00.html. We accepted this as a freeze exception; usually installs will include the stable 'updates' repository so just shipping this as a regular update would be OK, but it's possible someone might use a kickstart without the updates repo enabled, and clevis isn't on any install media so far as we know so pushing it stable should be quite safe.
Note, the update still won't get into the final compose unless it is submitted for stable.
> Normally, I would be fine with being in the first batch of updates. However,
> if clevis-dracut is installed during initial installation an initramfs will
> be generated with the broken code and users will have to follow a manual
> process to fix this. However, if we land Clevis v5 in the initial release,
Is this manual process documented somewhere? I don't see it in Common Bugs. I know the release notes are in non-ideal state, but if this doesn't get in we should document it there. Or, actually, we should document it for anyone who installed during the beta period.
How does this affect people who are upgrading from older releases?
The manual step is dracut -f.
However, this should only be required if no new kernel or dracut was shipped after beta. Otherwise, the initramfs will be rebuilt anyway.
Beta shipped with kernel-4.11.0-2.fc26 and it appears the final release will ship with kernel-4.11.7-300.fc26. So the initramfs will be regenerated automatically during updates to the latest packages.
In short, no problem.
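The comment above reduces the fix to "run dracut -f, but only if the initramfs was not rebuilt anyway by a newer kernel or dracut". The following shell script is an added example, not code from the bug report or from the clevis project, that turns that reasoning into a check an administrator can run on a system that was installed from the beta media: an initramfs still needs regenerating when it contains the clevis dracut module and was written before the fixed clevis-dracut package (v5 or later, per the report) was installed. It assumes that dracut's lsinitrd lists the module under the name "clevis" with the `--mod` option, that rpm's `INSTALLTIME` tag gives the package install time as a Unix timestamp, and that the image lives at /boot/initramfs-KVER.img; the sample module list at the end is constructed so the decision logic can run offline.

```shell
#!/bin/sh
# Added example (not from the bug report or the clevis project): decide whether
# an initramfs still carries the broken clevis-dracut v4 code and needs "dracut -f".
#
# Assumptions (labelled, see lead-in): the clevis dracut module is listed by
# "lsinitrd --mod" as "clevis"; rpm's %{INSTALLTIME} is a Unix timestamp;
# the initramfs for kernel KVER is /boot/initramfs-KVER.img.

# needs_rebuild INITRD_MTIME PKG_INSTALLTIME MODULE_LIST
#   INITRD_MTIME     Unix mtime of the initramfs file
#   PKG_INSTALLTIME  Unix time the (fixed) clevis-dracut package was installed
#   MODULE_LIST      newline-separated dracut module names found in the image
# Prints "rebuild" and returns 0 when dracut -f is needed, prints "ok" and
# returns 1 otherwise.
needs_rebuild() {
    initrd_mtime=$1
    pkg_time=$2
    modules=$3

    # No clevis module in the image at all: nothing to fix.
    # grep -x matches whole lines, so "clevis-foo" would not count.
    if ! printf '%s\n' "$modules" | grep -qx 'clevis'; then
        echo ok
        return 1
    fi

    # Module present and the image predates the fixed package: the image was
    # generated with the broken code, exactly the case the report describes.
    if [ "$initrd_mtime" -lt "$pkg_time" ]; then
        echo rebuild
        return 0
    fi

    # Module present but the image was built after the fix landed
    # (e.g. a newer kernel pulled in a rebuild): nothing to do.
    echo ok
    return 1
}

# check_kernel [KVER]: gather the live values for one installed kernel
# (default: the running one) and report. This function only reports; the
# remedy, as the report says, is "dracut -f", e.g.
#   dracut -f /boot/initramfs-KVER.img KVER
check_kernel() {
    kver=${1:-$(uname -r)}
    img=/boot/initramfs-$kver.img
    [ -f "$img" ] || { echo "no initramfs at $img" >&2; return 2; }

    mtime=$(stat -c %Y "$img")
    # tail -n1 copes with more than one installed version of the package.
    pkg_time=$(rpm -q --qf '%{INSTALLTIME}\n' clevis-dracut 2>/dev/null | tail -n1)
    [ -n "$pkg_time" ] || { echo "clevis-dracut is not installed" >&2; return 2; }

    # lsinitrd --mod prints a "dracut modules:" header, then one module per line.
    mods=$(lsinitrd --mod "$img" | grep -v 'dracut modules:')
    needs_rebuild "$mtime" "$pkg_time" "$mods"
}

# Constructed sample module list (not taken from a real system) so the
# decision logic can be exercised without lsinitrd or rpm present.
SAMPLE_MODULES='bash
systemd
clevis
kernel-modules'

# Example offline use: an image written at t=1000, fixed package installed at
# t=2000, clevis module present -> "rebuild".
needs_rebuild 1000 2000 "$SAMPLE_MODULES" >/dev/null || true
```

Run `check_kernel` as root on the installed system; it exits 0 and prints "rebuild" only for the case the report calls out (clevis module in an image older than the fixed package), so it can be dropped into a post-update script that then runs `dracut -f` only when necessary.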
clevis-6-1.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.