Bug 1759015 - [downstream clone - 4.3.7] Add clevis RPMs to RHV-H image / repo
Summary: [downstream clone - 4.3.7] Add clevis RPMs to RHV-H image / repo
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-host
Version: 4.3.6
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ovirt-4.3.7
Target Release: 4.3.7
Assignee: Yuval Turgeman
QA Contact: shiyi lei
URL:
Whiteboard:
Depends On: 1741792
Blocks: 1750302
Reported: 2019-10-07 08:04 UTC by RHV bug bot
Modified: 2023-09-14 05:44 UTC (History)

Fixed In Version: ovirt-host-4.3.5-1.el7ev
Doc Type: Bug Fix
Doc Text:
Previously, using LUKS alone was a problem because the Red Hat Virtualization Manager could reboot a node using Power Management commands. However, the node would not reboot because it was waiting for the user to enter a decrypt/open/unlock passphrase. This release fixes the issue by adding clevis RPMs to the Red Hat Virtualization Host (RHVH) image. As a result, a Manager can automatically unlock/decrypt/open an RHVH using TPM or NBDE.
Clone Of: 1741792
Environment:
Last Closed: 2019-12-12 10:36:52 UTC
oVirt Team: Node
Target Upstream Version:
Embargoed:




Links
System                  ID              Private  Priority  Status  Summary                                      Last Updated
Red Hat Product Errata  RHBA-2019:4230  0        None      None    None                                         2019-12-12 10:37:13 UTC
oVirt gerrit            103764          0        'None'    MERGED  spec: require clevis-dracut for ovirt-host   2021-01-14 15:02:17 UTC

Description RHV bug bot 2019-10-07 08:04:23 UTC
+++ This bug is a downstream clone. The original bug is: +++
+++   bug 1741792 +++
======================================================================

###Description of problem:###
The rhel-7-server-rhvh-4-rpms repo should have the clevis RPMs and dependencies available (or pre-installed in the image.)  Customers are requesting at-rest encryption for their RHHI and RHV deployments.  Using LUKS alone is a problem because RHVM can use Power Management commands to reboot a node.  The node will never reboot because it is waiting forever for the user to type in the decrypt/open/unlock passphrase.  The clevis RPMs will allow for automatic unlock/decrypt/open via TPM or NBDE.


###Additional info:###
Using LUKS - https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/security_guide/index#sec-Using_LUKS_Disk_Encryption

Auto-unlock via Network (or TPM) - https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/security_guide/index#sec-Policy-Based_Decryption

The required RPMs (and their dependencies) are available in the rhel-7-server-rpms repo like this:

# yum history info clevis
Return-Code    : Success
Command Line   : install clevis*
Transaction performed with:
    Installed     rpm-4.11.3-40.el7.x86_64                    installed
    Installed     subscription-manager-1.24.13-1.el7.x86_64   installed
    Installed     yum-3.4.3-163.el7.noarch                    installed
    Installed     yum-plugin-versionlock-1.1.31-52.el7.noarch installed
Packages Altered:
    Install     clevis-7-8.el7.x86_64          @rhel-7-server-rpms
    Install     clevis-dracut-7-8.el7.x86_64   @rhel-7-server-rpms
    Install     clevis-luks-7-8.el7.x86_64     @rhel-7-server-rpms
    Install     clevis-systemd-7-8.el7.x86_64  @rhel-7-server-rpms
    Dep-Install jose-10-1.el7.x86_64           @rhel-7-server-rpms
    Dep-Install libjose-10-1.el7.x86_64        @rhel-7-server-rpms
    Dep-Install libluksmeta-8-2.el7.x86_64     @rhel-7-server-rpms
    Dep-Install luksmeta-8-2.el7.x86_64        @rhel-7-server-rpms
    Dep-Install tpm2-abrmd-1.1.0-11.el7.x86_64 @rhel-7-server-rpms
    Dep-Install tpm2-tools-3.0.4-3.el7.x86_64  @rhel-7-server-rpms
    Dep-Install tpm2-tss-1.4.0-3.el7.x86_64    @rhel-7-server-rpms


I can provide kickstart examples and simplified luks/clevis/tang instructions if that would help...

(Originally by John Call)

Comment 1 RHV bug bot 2019-10-07 08:04:26 UTC
Here are my simplified steps to test Clevis.

1. Install the Tang server...
[root@tang-srv ~]# yum -y install tang
[root@tang-srv ~]# systemctl enable tangd.socket --now
[root@tang-srv ~]# firewall-cmd --add-port 80/tcp --permanent
[root@tang-srv ~]# firewall-cmd --reload

2. Install RHV-H with encryption.  (See attached kickstart file, or check the encryption box via the Anaconda GUI.)

3. Configure the Clevis client, and rebuild the initramfs.
   (change /dev/sda3 to whatever is appropriate)
# curl -o /etc/yum.repos.d/clevis.repo http://people.redhat.com/jcall/clevis.repo
# yum -y install 'clevis*'

# lsblk -o +VENDOR,MODEL
# clevis bind luks -d /dev/sda3 tang '{"url":"http://192.168.0.99:300"}'

# echo 'kernel_cmdline="ip=dhcp"' > /etc/dracut.conf.d/clevis-nbde.conf
# dracut -fv

# systemctl enable clevis-luks-askpass.path
# reboot

(Originally by John Call)

Comment 2 RHV bug bot 2019-10-07 08:04:27 UTC
Created attachment 1604298 [details]
kickstart to deploy RHV-H via PXE (including cleanup from previous installs)

kickstart to deploy RHV-H via PXE (including cleanup from previous installs)

(Originally by John Call)

Comment 3 RHV bug bot 2019-10-07 08:04:29 UTC
(In reply to John Call from comment #1)
> # clevis bind luks -d /dev/sda3 tang '{"url":"http://192.168.0.99:300"}'

Oops, I co-located Tang on a server of mine that was already using port 80, so I changed it to use port 300 (with some systemd and SELinux foo)

The line above should be simplified to just this...
# clevis bind luks -d /dev/sda3 tang '{"url":"http://192.168.0.99"}'

(Originally by John Call)
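The bind-and-rebuild procedure in comment 1, with the port correction from comment 3, leaves a host whose automatic unlock depends on three things being right: a Clevis token in a LUKS slot, a Tang URL the initramfs can actually use, and networking enabled in the initramfs. The script below is an added example, not part of this bug or of the clevis project, that checks those three conditions offline against constructed sample text (a stand-in for `luksmeta show` output, the dracut drop-in from comment 1, and the pin config). The device path, the token UUID in the sample and the file names are assumptions; on a real host the same functions would be fed the live command output and file contents before the node is handed to the Manager, where a power-management reboot would otherwise hang at the passphrase prompt.

```shell
#!/bin/sh
# Added example, not from the bug report or the clevis project: an offline
# readiness check for the NBDE setup from comments 1 and 3. Sample text,
# device names and file paths below are constructed for illustration.

# Constructed stand-in for `luksmeta show -d /dev/sda3` after a successful
# `clevis bind luks`: slot 0 is the install-time passphrase (no metadata),
# slot 1 carries the Clevis token (the UUID is part of the constructed sample).
SAMPLE_LUKSMETA='0   active empty
1   active cb6e8904-81ff-40da-a84a-07ab9ab5715e
2 inactive empty
3 inactive empty
4 inactive empty
5 inactive empty
6 inactive empty
7 inactive empty'

# Constructed content of /etc/dracut.conf.d/clevis-nbde.conf (see comment 1).
SAMPLE_DRACUT_CONF='kernel_cmdline="ip=dhcp"'

# Count active slots that hold a token: anything "active" with a non-empty
# UUID is a clevis-bound slot. Prints the count on stdout.
count_bound_slots() {
    printf '%s\n' "$1" | awk '$2 == "active" && $3 != "empty" { n++ } END { print n+0 }'
}

# Pull the url field out of a tang pin config such as
# '{"url":"http://192.168.0.99"}' (minimal sed parse, no jq dependency).
tang_url() {
    printf '%s\n' "$1" | sed -n 's/.*"url"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Return 0 when the Tang URL is http(s) on the default port. An explicit
# port (the ":300" from comment 1, corrected in comment 3) returns 1 so the
# operator notices before the host is handed to the Manager. IPv6 literals
# and URLs with a path are not handled by this simple pattern.
tang_url_is_default_port() {
    url=$(tang_url "$1")
    case "$url" in
        http://*:[0-9]*|https://*:[0-9]*) return 1 ;;
        http://*|https://*) return 0 ;;
        *) return 1 ;;
    esac
}

# The initramfs can only reach Tang if dracut was told to bring up
# networking (the ip= kernel argument from comment 1).
dracut_conf_has_network() {
    printf '%s\n' "$1" | grep -q 'kernel_cmdline=.*ip='
}

# Combined verdict: returns 0 only when all three conditions hold, so a
# power-management reboot will not stall at the passphrase prompt.
nbde_ready() {
    slots=$(count_bound_slots "$1")
    [ "$slots" -ge 1 ] || { echo "FAIL: no clevis-bound LUKS slot"; return 1; }
    tang_url_is_default_port "$2" \
        || { echo "FAIL: tang URL uses non-default port: $(tang_url "$2")"; return 1; }
    dracut_conf_has_network "$3" \
        || { echo "FAIL: dracut conf lacks ip= on kernel_cmdline"; return 1; }
    echo "OK: $slots bound slot(s), tang at $(tang_url "$2"), network in initramfs"
    return 0
}

# Run against the constructed samples with the corrected URL from comment 3.
nbde_ready "$SAMPLE_LUKSMETA" '{"url":"http://192.168.0.99"}' "$SAMPLE_DRACUT_CONF"
```

On a live host the three inputs would come from `luksmeta show -d <device>`, the JSON passed to `clevis bind`, and the drop-in file under /etc/dracut.conf.d; the check is deliberately read-only so it can run before every `dracut -f` and reboot without touching the LUKS header.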

Comment 12 Marina Kalinin 2019-10-24 19:03:59 UTC
To clarify, this BZ is here to include clevis rpms in RHVH image only. This bz does not imply any testing on RHV side of clevis-tang functionality on RHV.
The test of this functionality in RHHI-V is covered in this bz#1750302.

John, fyi and correct me if I am wrong.

Comment 13 John Call 2019-10-24 23:10:31 UTC
(In reply to Marina Kalinin from comment #12)
> To clarify, this BZ is here to include clevis rpms in RHVH image only. This
> bz does not imply any testing on RHV side of clevis-tang functionality on
> RHV.
> The test of this functionality in RHHI-V is covered in this bz#1750302.
> 
> John, fyi and correct me if I am wrong.

Yes, you are correct.

Comment 21 errata-xmlrpc 2019-12-12 10:36:52 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:4230

Comment 22 Red Hat Bugzilla 2023-09-14 05:44:10 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days

