Created attachment 1594384
Patch to remove network dependency from clevis-dracut

Description of problem:

Cannot use clevis-dracut to automatically decrypt the root volume without enabling network in the initrd generated by dracut/clevis-dracut. When using the TPM2 encryptor, there is no need for networking features, DHCP or otherwise.

Not a duplicate of 1497566, since that relates to the configuration of early boot networking, while this is related to the removal of networking as a dracut dependency of clevis-dracut.

Although most other use cases of clevis require network, the tpm2 encryptor does not, thus, the early-boot networking dependency should/could/in some fashion be removed from clevis-dracut.

Attempted solutions:

Creating a dracut conf file containing "omit_dracutmodules+="ifcfg network"" disables early boot network by removing it from the initrd. However, it also prevents the root volume from automatically unlocking.

If /usr/lib/dracut/modules.d/60clevis/module-setup.sh (built from clevis-7-8.el7.src.rpm) is patched as attached and the aforementioned dracut conf file is created, the system works as expected. That is, the network is not configured during early-boot, and the system automatically unlocks the root volume. This is not a satisfactory solution, as later updates to clevis-dracut will overwrite this file and hang on start, since the automatic unlocking feature will cease to work.

--- Technical Details ---

Version-Release number of selected component (if applicable):

clevis, clevis-dracut, clevis-luks, clevis-systemd 7-8.el7
tpm2-tools 3.0.4-2.el7
tpm2-tss, tpm2-tss-devel 1.4.0-2.el7
tpm2-abrmd 1.1.0-10.el7
Red Hat 7.7Beta
Red Hat 7.6

How reproducible:

Always

Steps to Reproduce:

1. Encrypt Hard Drive
2. Use clevis-luks-bind with TPM2 chip binding "clevis luks bind -d <device> tpm2"
3. Install clevis-dracut to automatically decrypt hard drive
4. Run "dracut -fv --regenerate-all" to update initrd
5. Reboot and watch the system automatically decrypt/mount the LUKS-encrypted volume using clevis
6. Use "ip addr" to see that system has DHCP-assigned IP addresses

Actual results:

1 - System boots and decrypts the root volume automatically, successfully during early boot.
2a - System configures networking and receives DHCP lease during early boot.
2b - Alternatively, clevis/dracut/clevis-dracut cannot be configured to not configure kernel networking.

Expected results:

1 - System boots and decrypts the root volume automatically, successfully, during early boot.
2a - System does not configure kernel networking during early boot.
2b - Alternatively, clevis/dracut/clevis-dracut can be configured to not configure kernel networking during early boot.

Additional info:
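An added example, not part of the original report and not code from clevis or dracut: a shell check that reads an initramfs module listing and tells apart the three states described above (clevis dropped, clevis with early-boot networking, clevis without it). It assumes the listing has the shape printed by `lsinitrd -m <image>`, with names one per line after a "dracut modules:" line; the function names, result strings and sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the dracut module list of an initramfs.
# Assumed input: `lsinitrd -m <image>` output, with module names listed one
# per line after a "dracut modules:" line.

NET_MODULES="network ifcfg"   # the two modules the report omits

# Constructed sample listings (not taken from a real system).
SAMPLE_WITH_NET='Image: /boot/initramfs-example.img: 30M
========================================================================
dracut modules:
bash
network
ifcfg
crypt
clevis
========================================================================'
SAMPLE_NO_NET='dracut modules:
bash
crypt
clevis'
SAMPLE_NO_CLEVIS='dracut modules:
bash
crypt'

# Print only the module names from the listing on stdin.
list_modules() {
    awk '/^dracut modules:/ { in_list = 1; next }
         in_list && (/^=/ || /^[[:space:]]*$/) { in_list = 0 }
         in_list { print $1 }'
}

# Classify the listing on stdin.
audit_modules() {
    has_clevis=no
    found_net=""
    for m in $(list_modules); do
        if [ "$m" = "clevis" ]; then has_clevis=yes; fi
        for n in $NET_MODULES; do
            if [ "$m" = "$n" ]; then found_net="$found_net $m"; fi
        done
    done
    if [ "$has_clevis" = no ]; then
        echo "clevis-missing"        # clevis cannot auto-unlock the root volume
    elif [ -n "$found_net" ]; then
        echo "network-present:$found_net"
    else
        echo "no-network"            # clevis present, no early-boot networking
    fi
}

printf '%s\n' "$SAMPLE_WITH_NET" | audit_modules
```

On a real system the listing would come from `lsinitrd -m` run against the regenerated image, checked before rebooting.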
Development Management has reviewed and declined this request. You may appeal this decision by reopening this request.