Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1741792

Summary: Add clevis RPMs to RHV-H image / repo
Product: Red Hat Enterprise Virtualization Manager Reporter: John Call <jcall>
Component: ovirt-hostAssignee: Yuval Turgeman <yturgema>
Status: CLOSED ERRATA QA Contact: Wei Wang <weiwang>
Severity: high Docs Contact:
Priority: high    
Version: 4.3.6CC: bkunal, cshao, dholler, dwhitley, godas, lsurette, lsvaty, mavital, mburman, mflanner, michal.skrivanek, nlevy, pelauter, qiyuan, sbonazzo, weiwang, yaniwang, ycui, yturgema
Target Milestone: ovirt-4.4.0Keywords: ZStream
Target Release: 4.4.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ovirt-host-4.4.0-0.2.alpha Doc Type: Bug Fix
Doc Text:
Previously, using LUKS alone was a problem because the RHV Manager could reboot a node using Power Management commands. However, the node would not reboot because it was waiting for the user to enter a decrypt/open/unlock passphrase. This release fixes the issue by adding clevis RPMs to the Red Hat Virtualization Host (RHVH) image. As a result, a Manager can automatically unlock/decrypt/open an RHVH using TPM or NBDE.
 Story Points: ---
Clone Of:
: 1759015 (view as bug list) Environment:
Last Closed: 2020-08-04 13:27:17 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Node RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1781184    
Bug Blocks: 1759015, 1760262    
Attachments:
Description Flags
kickstart to deploy RHV-H via PXE (including cleanup from previous installs) none

Description John Call 2019-08-16 06:36:33 UTC 
###Description of problem:###
The rhel-7-server-rhvh-4-rpms repo should have the clevis RPMs and dependencies available (or pre-installed in the image.)  Customers are requesting at-rest encryption for their RHHI and RHV deployments.  Using LUKS alone is a problem because RHVM can use Power Management commands to reboot a node.  The node will never reboot because it is waiting forever for the user to type in the decrypt/open/unlock passphrase.  The clevis RPMs will allow for automatic unlock/decrypt/open via TPM or NBDE.


###Additional info:###
Using LUKS - https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/security_guide/index#sec-Using_LUKS_Disk_Encryption

Auto-unlock via Network (or TPM) - https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/security_guide/index#sec-Policy-Based_Decryption

The required RPMs (and their dependencies) are available in the rhel-7-server-rpms repo like this:

# yum history info clevis
Return-Code    : Success
Command Line   : install clevis*
Transaction performed with:
    Installed     rpm-4.11.3-40.el7.x86_64                    installed
    Installed     subscription-manager-1.24.13-1.el7.x86_64   installed
    Installed     yum-3.4.3-163.el7.noarch                    installed
    Installed     yum-plugin-versionlock-1.1.31-52.el7.noarch installed
Packages Altered:
    Install     clevis-7-8.el7.x86_64          @rhel-7-server-rpms
    Install     clevis-dracut-7-8.el7.x86_64   @rhel-7-server-rpms
    Install     clevis-luks-7-8.el7.x86_64     @rhel-7-server-rpms
    Install     clevis-systemd-7-8.el7.x86_64  @rhel-7-server-rpms
    Dep-Install jose-10-1.el7.x86_64           @rhel-7-server-rpms
    Dep-Install libjose-10-1.el7.x86_64        @rhel-7-server-rpms
    Dep-Install libluksmeta-8-2.el7.x86_64     @rhel-7-server-rpms
    Dep-Install luksmeta-8-2.el7.x86_64        @rhel-7-server-rpms
    Dep-Install tpm2-abrmd-1.1.0-11.el7.x86_64 @rhel-7-server-rpms
    Dep-Install tpm2-tools-3.0.4-3.el7.x86_64  @rhel-7-server-rpms
    Dep-Install tpm2-tss-1.4.0-3.el7.x86_64    @rhel-7-server-rpms


I can provide kickstart examples and simplified luks/clevis/tang instructions if that would help...
Comment 1 John Call 2019-08-16 06:50:51 UTC 
Here is my simplified steps to test Clevis.

1. Install the Tang server...
[root@tang-srv ~]# yum -y install tang
[root@tang-srv ~]# systemctl enable tangd.socket --now
[root@tang-srv ~]# firewall-cmd --add-port 80/tcp --permanent
[root@tang-srv ~]# firewall-cmd --reload

2. Install RHV-H with encryption.  See attached kickstart file, or check the encryption box via the Anaconda GUI)

3. Configure the Clevis client, and rebuild the initramfs.
   (change /dev/sda3 to whatever is appropriate)
# curl -o /etc/yum.repos.d/clevis.repo http://people.redhat.com/jcall/clevis.repo
# yum -y install 'clevis*'

# lsblk -o +VENDOR,MODEL
# clevis bind luks -d /dev/sda3 tang '{"url":"http://192.168.0.99:300"}'

# echo 'kernel_cmdline="ip=dhcp"' > /etc/dracut.conf.d/clevis-nbde.conf
# dracut -fv

# systemctl enable clevis-luks-askpass.path
# reboot
Comment 2 John Call 2019-08-16 06:52:51 UTC 
Created attachment 1604298 [details]
kickstart to deploy RHV-H via PXE (including cleanup from previous installs)

kickstart to deploy RHV-H via PXE (including cleanup from previous installs)
Comment 3 John Call 2019-08-16 06:56:05 UTC 
(In reply to John Call from comment #1)
> # clevis bind luks -d /dev/sda3 tang '{"url":"http://192.168.0.99:300"}'

Oops, I co-located Tang on a server of mine that was already using port 80, so I changed it to use port 300 (with some systemd and SElinux foo)

The line above should be simplified to just this...
# clevis bind luks -d /dev/sda3 tang '{"url":"http://192.168.0.99"}'
Comment 24 John Call 2019-10-29 14:42:11 UTC 
(In reply to John Call from comment #1)
> Here is my simplified steps to test Clevis.
> # echo 'kernel_cmdline="ip=dhcp"' > /etc/dracut.conf.d/clevis-nbde.conf
> # dracut -fv

I realized at some point that I also had to ask dracut to omit the creation of ifcfg files.  Add one more line to the dracut drop-in configuration file like this...
# cat /etc/dracut.conf.d/clevis-nbde.conf
### Use DHCP on a specific interface, and don't create /etc/sysconfig/network-scripts/ifcfg-* files during boot
kernel_cmdline="ip=eno1:dhcp"
omit_dracutmodules+="ifcfg"
Comment 32 shiyi lei 2019-12-02 03:46:19 UTC 
Test Version:
redhat-release-virtualization-host-4.4.0-9.el8ev.x86_64
ovirt-host-4.4.0-0.2.alpha.el8ev.x86_64

Steps:
1. install rhvh-4.4.0.9-0.20191201.0
2. check clevis packages:
   #rpm -qa | grep clevis
3. the query result is:
clevis-systemd-11-2.el8.x86_64
clevis-11-2.el8.x86_64
clevis-luks-11-2.el8.x86_64
clevis-dracut-11-2.el8.x86_64

Test result:
the clevis packages were pre-installed in rhvh image without subscription to RHSM.
This bug has been fixed in the latest version of RHVH-4.4.0, move the status to "VERIFIED".
Comment 36 errata-xmlrpc 2020-08-04 13:27:17 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (RHV RHEL Host (ovirt-host) 4.4), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2020:3246
Comment 37 Red Hat Bugzilla 2023-09-15 00:18:12 UTC 
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days