Bug 1644876 - Automatic unlock of LUKS device with clevis fails on boot
Summary: Automatic unlock of LUKS device with clevis fails on boot
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: clevis
Version: 29
Hardware: x86_64
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Nathaniel McCallum
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
: 1634063 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-10-31 19:14 UTC by Martin Welk
Modified: 2018-11-18 03:55 UTC (History)
6 users (show)

Fixed In Version: clevis-11-2.fc29
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-11-18 03:55:36 UTC
Type: Bug
Embargoed:


Attachments (Terms of Use)

Description Martin Welk 2018-10-31 19:14:08 UTC
Description of problem:
I had a running server with Fedora 28. I configured clevis to unlock an encrypted root disk via network, tested it. Afterwards, I ran an upgrade to Fedora 29.
Automatic unlock of the disk didn't work anymore after the upgrade

BTW, thank you for publishing F29 on my birthday, nice present.
And, again, so far two flawless upgrades, one mostly flawless :)

Version-Release number of selected component (if applicable):
29, "as of today" ;)

How reproducible:
Configure clevis to unlock a LUKS device

Steps to Reproduce:
1. Reboot server, wait for the automatic unlock
2. Rebuild initial RAM disk using dracut -f 

Actual results:
1. Automatic unlock fails with an error that clevis-decrypt-http and cryptsetup were not found.
2. dracut -f complains dracut-install: ERROR: installing 'clevis-decrypt-http'

Expected results:
1. System starts with automatic unlock of LUKS root disk
2. dracut runs without errors

Additional info:
I was able to fix it in /usr/lib/dracut/modules.d/60clevis/module-setup.sh: in the install shell function, add cryptsetup, remove clevis-decrypt-http.

Here's the place:

    inst_hook initqueue/online 60 "$moddir/clevis-hook.sh"
    inst_hook initqueue/settled 60 "$moddir/clevis-hook.sh"

    inst_multiple /etc/services \
        cryptsetup \
        clevis-decrypt-tang \
        clevis-decrypt-sss \
        /usr/libexec/clevis-luks-askpass \
        clevis-decrypt \
        luksmeta \
        clevis \
        mktemp \
        curl \
        jose \
        nc

    for cmd in clevis-decrypt-tpm2 \

Comment 1 Javier Martinez Canillas 2018-11-07 16:11:29 UTC
These issues were already reported in upstream clevis:

https://github.com/latchset/clevis/issues/73
https://github.com/latchset/clevis/issues/74

A pull-request was not proposed though, so I did it now:

https://github.com/latchset/clevis/pull/81

I'll coordinate with Nathaniel to get these fixes into Fedora 29.

Comment 2 Travis Michette 2018-11-08 00:25:14 UTC
I have this problem too, although I never configured Clevis to mess with the root disk. I have since uninstalled Clevis as it was just for a demo and the system still will not boot up ... complaining about:

/var/log/messages:

Nov  7 09:15:51 p50 dracut-initqueue[509]: Failed to start systemd-cryptsetup: Unit systemd-cryptsetup not found.
Nov  7 09:16:59 p50 systemd[1]: systemd-cryptsetup@luks\x2d810cedba\x2d4eab\x2d42d6\x2da266\x2d9da16726319d.service: Failed with result 'exit-code'.


/var/log/boot:

[    3.511920] dracut-initqueue[504]: Failed to start systemd-cryptsetup: Unit systemd-cryptsetup not found.


It prompts me to unlock with the password like always, but freezes at reach target stage. The rescue boots up fine. 

As a work-around, I've found that when plugged into a network connection and the NIC is *live* the system will boot into FC29.

At this point, Clevis/Tang are not installed on the system, however, it is still attempting to use Clevis to decrypt the LUKS volumes even though none of them are setup with Clevis and the /etc/crypttab doesn't have any of the volumes referenced which would have been LUKS with Clevis.

--- Travis

Comment 3 Javier Martinez Canillas 2018-11-08 17:29:23 UTC
(In reply to Travis Michette from comment #2)
> 
> As a work-around, I've found that when plugged into a network connection and
> the NIC is *live* the system will boot into FC29.
>

This seems to be bug #1574413.
 
> At this point, Clevis/Tang are not installed on the system, however, it is
> still attempting to use Clevis to decrypt the LUKS volumes even though none
> of them are setup with Clevis and the /etc/crypttab doesn't have any of the
> volumes referenced which would have been LUKS with Clevis.
> 
> --- Travis

Did you re-generate your initramfs after uninstalling clevis?

Comment 4 Javier Martinez Canillas 2018-11-09 11:57:27 UTC
*** Bug 1634063 has been marked as a duplicate of this bug. ***

Comment 5 Fedora Update System 2018-11-09 12:32:15 UTC
clevis-11-2.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-cf82a4a9d9

Comment 6 Travis Michette 2018-11-09 14:22:25 UTC
(In reply to Javier Martinez Canillas from comment #3)
> (In reply to Travis Michette from comment #2)
> > 
> > As a work-around, I've found that when plugged into a network connection and
> > the NIC is *live* the system will boot into FC29.
> >
> 
> This seems to be bug #1574413.
>  

This is a very close description to the bug listed above. However, I never configured Clevis after it was installed. I mainly used it to build some documentation for a demo so I didn't need to fire up my VM. So I only used man pages and some of the features for the CLI to copy/paste output. At no point in time were Clevis or Tang even running on this laptop.

I have my entire disk encrypted, and the system *did* prompt me for a password to unlock it.

[root@p50 ~]# cat /etc/crypttab 
luks-810cedba-4eab-42d6-a266-9da16726319d UUID=810cedba-4eab-42d6-a266-9da16726319d none discard
VM_Crypt UUID=f9ea1ae5-c917-45c7-aefe-936467371415  /root/VM_Keyfile luks
VM_Crypt2 UUID=d6071dcd-63af-4b3a-89a7-a9728235030c     /root/VM_Keyfile2 luks

[root@p50 ~]# cat /etc/fstab

#
# /etc/fstab
# Created by anaconda on Mon Mar 26 16:54:34 2018
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
/dev/mapper/fedora_p50-root     /       xfs     defaults,x-systemd.device-timeout=0     0       0
UUID=a2dc36b0-eb8f-4261-9fa0-3e6d833c7c5a       /boot   ext4    defaults        1       2
/dev/mapper/fedora_p50-home     /home   xfs     defaults,x-systemd.device-timeout=0     0       0
/dev/mapper/fedora_p50-swap     swap    swap    defaults,x-systemd.device-timeout=0     0       0
/dev/mapper/VM_Crypt    /VirtualMachines        xfs     noatime,nodiratime      0       0
/dev/mapper/VM_Crypt2   /VirtualMachines2       xfs     noatime,nodiratime      0       0
/dev/nvme0n1p3  /VirtualMachines_Fast   xfs     noatime,nodiratime      0       0



> > At this point, Clevis/Tang are not installed on the system, however, it is
> > still attempting to use Clevis to decrypt the LUKS volumes even though none
> > of them are setup with Clevis and the /etc/crypttab doesn't have any of the
> > volumes referenced which would have been LUKS with Clevis.
> > 
> > --- Travis
> 
> Did you re-generate your initramfs after uninstalling clevis?

I did not regenerate initramfs after uninstalling clevis as I didn't generate the initramfs after installing Clevis. I saw no point in messing with the initramfs as I wasn't actually using Clevis.

Comment 7 Travis Michette 2018-11-09 14:26:13 UTC
(In reply to Travis Michette from comment #6)
> (In reply to Javier Martinez Canillas from comment #3)
> > (In reply to Travis Michette from comment #2)
> > > 
> > > As a work-around, I've found that when plugged into a network connection and
> > > the NIC is *live* the system will boot into FC29.
> > >
> > 
> > This seems to be bug #1574413.
> >  
> 
> This is a very close description to the bug listed above. However, I never
> configured Clevis after it was installed. I mainly used it to build some
> documentation for a demo so I didn't need to fire up my VM. So I only used
> man pages and some of the features for the CLI to copy/paste output. At no
> point in time were Clevis or Tang even running on this laptop.
> 
> I have my entire disk encrypted, and the system *did* prompt me for a
> password to unlock it.
> 
> [root@p50 ~]# cat /etc/crypttab 
> luks-810cedba-4eab-42d6-a266-9da16726319d
> UUID=810cedba-4eab-42d6-a266-9da16726319d none discard
> VM_Crypt UUID=f9ea1ae5-c917-45c7-aefe-936467371415  /root/VM_Keyfile luks
> VM_Crypt2 UUID=d6071dcd-63af-4b3a-89a7-a9728235030c     /root/VM_Keyfile2
> luks
> 
> [root@p50 ~]# cat /etc/fstab
> 
> #
> # /etc/fstab
> # Created by anaconda on Mon Mar 26 16:54:34 2018
> #
> # Accessible filesystems, by reference, are maintained under '/dev/disk'
> # See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
> #
> /dev/mapper/fedora_p50-root     /       xfs    
> defaults,x-systemd.device-timeout=0     0       0
> UUID=a2dc36b0-eb8f-4261-9fa0-3e6d833c7c5a       /boot   ext4    defaults    
> 1       2
> /dev/mapper/fedora_p50-home     /home   xfs    
> defaults,x-systemd.device-timeout=0     0       0
> /dev/mapper/fedora_p50-swap     swap    swap   
> defaults,x-systemd.device-timeout=0     0       0
> /dev/mapper/VM_Crypt    /VirtualMachines        xfs     noatime,nodiratime  
> 0       0
> /dev/mapper/VM_Crypt2   /VirtualMachines2       xfs     noatime,nodiratime  
> 0       0
> /dev/nvme0n1p3  /VirtualMachines_Fast   xfs     noatime,nodiratime      0   
> 0
> 
> 
> 
> > > At this point, Clevis/Tang are not installed on the system, however, it is
> > > still attempting to use Clevis to decrypt the LUKS volumes even though none
> > > of them are setup with Clevis and the /etc/crypttab doesn't have any of the
> > > volumes referenced which would have been LUKS with Clevis.
> > > 
> > > --- Travis
> > 
> > Did you re-generate your initramfs after uninstalling clevis?
> 
> I did not regenerate initramfs after uninstalling clevis as I didn't
> generate the initramfs after installing Clevis. I saw no point in messing
> with the initramfs as I wasn't actually using Clevis.

To note, the crypttab file and the fstab file are not waiting for network, and were never configured to, so not sure if the race condition would apply.

Comment 8 Fedora Update System 2018-11-10 05:00:50 UTC
clevis-11-2.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-cf82a4a9d9

Comment 9 Fedora Update System 2018-11-18 03:55:36 UTC
clevis-11-2.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.