Red Hat Bugzilla – Bug 1477757
[RFE] allow cryptsetup block device units to appear after networking comes up
Last modified: 2017-12-06 09:20:36 EST
Currently, systemd generates cryptsetup unit files directly from /etc/crypttab. Due to dependencies, these unit files are always started before networking comes up.
In some cases, clevis can answer the systemd-ask-password prompts for these block devices automatically. But in most of those cases, network access is required. In attempting to properly order this setup, a circular dependency arises.
We have a few options.
First, we could try to auto-detect the clevis policy dependencies from the disk. This is doable via udev. The problem is that units are generated from /etc/crypttab whether the disks are present or not. This creates a race condition when devices aren't connected to the system before the generation of unit files. This solution would be more comprehensive, but would also be more work.
Second, we could implement a _netdev-like option in /etc/crypttab. This would be less featureful and less dynamic, but would also help iSCSI people. For an existing RFE, see: https://github.com/systemd/systemd/issues/4642
This is also related: https://github.com/systemd/systemd/issues/5182
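The circular dependency described in the report above, as an added illustration that is not part of the bug report or of systemd's code: a small cycle check over unit ordering edges, run once for the default crypttab ordering and once for a _netdev-like ordering. The ordering edges are a simplified model assumed here, and `network.service` and the crypttab entry name `data` are hypothetical.

```python
# Simplified ordering model (assumed for illustration): an edge (a, b) means
# "a must be started before b". Target names follow common systemd defaults.
BASE_ORDERING = [
    ("cryptsetup.target", "sysinit.target"),
    ("sysinit.target", "basic.target"),
    ("basic.target", "network.service"),          # hypothetical network service
    ("network.service", "network-online.target"),
]
UNIT = "systemd-cryptsetup@data.service"           # hypothetical crypttab entry "data"

def find_cycle(edges):
    """Return one ordering cycle as a list of units, or None if there is none."""
    graph = {}
    for before, after in edges:
        graph.setdefault(before, []).append(after)
        graph.setdefault(after, [])
    state = {}  # 1 = on the current DFS path, 2 = fully explored
    path = []

    def visit(node):
        state[node] = 1
        path.append(node)
        for nxt in graph[node]:
            if state.get(nxt) == 1:                # back edge closes a cycle
                return path[path.index(nxt):] + [nxt]
            if nxt not in state:
                found = visit(nxt)
                if found:
                    return found
        path.pop()
        state[node] = 2
        return None

    for node in graph:
        if node not in state:
            found = visit(node)
            if found:
                return found
    return None

def ordering_for(netdev):
    """Edges for a crypttab unit whose unlock (via clevis) needs the network."""
    edges = list(BASE_ORDERING)
    edges.append(("network-online.target", UNIT))  # unlock needs network access
    if not netdev:
        edges.append((UNIT, "cryptsetup.target"))   # default: part of early boot
    return edges

if __name__ == "__main__":
    print("default:", find_cycle(ordering_for(netdev=False)))
    print("_netdev-like:", find_cycle(ordering_for(netdev=True)))
```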
fix merged to upstream staging branch -> https://github.com/lnykryn/systemd-rhel/pull/141 -> post
This is apparently an incomplete fix. See this for more detail:
fix merged to staging branch -> https://github.com/lnykryn/systemd-rhel/pull/166 -> post
fix merged to staging branch -> https://github.com/lnykryn/systemd-rhel/pull/167 -> post