###Description of problem:### The rhel-7-server-rhvh-4-rpms repo should have the clevis RPMs and dependencies available (or pre-installed in the image.) Customers are requesting at-rest encryption for their RHHI and RHV deployments. Using LUKS alone is a problem because RHVM can use Power Management commands to reboot a node. The node will never reboot because it is waiting forever for the user to type in the decrypt/open/unlock passphrase. The clevis RPMs will allow for automatic unlock/decrypt/open via TPM or NBDE. ###Additional info:### Using LUKS - https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/security_guide/index#sec-Using_LUKS_Disk_Encryption Auto-unlock via Network (or TPM) - https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/security_guide/index#sec-Policy-Based_Decryption The required RPMs (and their dependencies) are available in the rhel-7-server-rpms repo like this: # yum history info clevis Return-Code : Success Command Line : install clevis* Transaction performed with: Installed rpm-4.11.3-40.el7.x86_64 installed Installed subscription-manager-1.24.13-1.el7.x86_64 installed Installed yum-3.4.3-163.el7.noarch installed Installed yum-plugin-versionlock-1.1.31-52.el7.noarch installed Packages Altered: Install clevis-7-8.el7.x86_64 @rhel-7-server-rpms Install clevis-dracut-7-8.el7.x86_64 @rhel-7-server-rpms Install clevis-luks-7-8.el7.x86_64 @rhel-7-server-rpms Install clevis-systemd-7-8.el7.x86_64 @rhel-7-server-rpms Dep-Install jose-10-1.el7.x86_64 @rhel-7-server-rpms Dep-Install libjose-10-1.el7.x86_64 @rhel-7-server-rpms Dep-Install libluksmeta-8-2.el7.x86_64 @rhel-7-server-rpms Dep-Install luksmeta-8-2.el7.x86_64 @rhel-7-server-rpms Dep-Install tpm2-abrmd-1.1.0-11.el7.x86_64 @rhel-7-server-rpms Dep-Install tpm2-tools-3.0.4-3.el7.x86_64 @rhel-7-server-rpms Dep-Install tpm2-tss-1.4.0-3.el7.x86_64 @rhel-7-server-rpms I can provide kickstart examples and simplified luks/clevis/tang instructions if that would help...
Here is my simplified steps to test Clevis. 1. Install the Tang server... [root@tang-srv ~]# yum -y install tang [root@tang-srv ~]# systemctl enable tangd.socket --now [root@tang-srv ~]# firewall-cmd --add-port 80/tcp --permanent [root@tang-srv ~]# firewall-cmd --reload 2. Install RHV-H with encryption. See attached kickstart file, or check the encryption box via the Anaconda GUI) 3. Configure the Clevis client, and rebuild the initramfs. (change /dev/sda3 to whatever is appropriate) # curl -o /etc/yum.repos.d/clevis.repo http://people.redhat.com/jcall/clevis.repo # yum -y install 'clevis*' # lsblk -o +VENDOR,MODEL # clevis bind luks -d /dev/sda3 tang '{"url":"http://192.168.0.99:300"}' # echo 'kernel_cmdline="ip=dhcp"' > /etc/dracut.conf.d/clevis-nbde.conf # dracut -fv # systemctl enable clevis-luks-askpass.path # reboot
Created attachment 1604298 [details] kickstart to deploy RHV-H via PXE (including cleanup from previous installs) kickstart to deploy RHV-H via PXE (including cleanup from previous installs)
(In reply to John Call from comment #1) > # clevis bind luks -d /dev/sda3 tang '{"url":"http://192.168.0.99:300"}' Oops, I co-located Tang on a server of mine that was already using port 80, so I changed it to use port 300 (with some systemd and SElinux foo) The line above should be simplified to just this... # clevis bind luks -d /dev/sda3 tang '{"url":"http://192.168.0.99"}'
(In reply to John Call from comment #1) > Here is my simplified steps to test Clevis. > # echo 'kernel_cmdline="ip=dhcp"' > /etc/dracut.conf.d/clevis-nbde.conf > # dracut -fv I realized at some point that I also had to ask dracut to omit the creation of ifcfg files. Add one more line to the dracut drop-in configuration file like this... # cat /etc/dracut.conf.d/clevis-nbde.conf ### Use DHCP on a specific interface, and don't create /etc/sysconfig/network-scripts/ifcfg-* files during boot kernel_cmdline="ip=eno1:dhcp" omit_dracutmodules+="ifcfg"
Test Version: redhat-release-virtualization-host-4.4.0-9.el8ev.x86_64 ovirt-host-4.4.0-0.2.alpha.el8ev.x86_64 Steps: 1. install rhvh-4.4.0.9-0.20191201.0 2. check clevis packages: #rpm -qa | grep clevis 3. the query result is: clevis-systemd-11-2.el8.x86_64 clevis-11-2.el8.x86_64 clevis-luks-11-2.el8.x86_64 clevis-dracut-11-2.el8.x86_64 Test result: the clevis packages were pre-installed in rhvh image without subscription to RHSM. This bug has been fixed in the latest version of RHVH-4.4.0, move the status to "VERIFIED".
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (RHV RHEL Host (ovirt-host) 4.4), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2020:3246
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days