Bug 1824416 - NBDE cleanup playbook when run prematurely removes the keyslot on root disk
Summary: NBDE cleanup playbook when run prematurely removes the keyslot on root disk
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Gluster Storage
Classification: Red Hat Storage
Component: gluster-ansible
Version: rhgs-3.5
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: ---
Target Release: RHGS 3.5.z Batch Update 2
Assignee: Gobinda Das
QA Contact: SATHEESARAN
URL:
Whiteboard:
Depends On:
Blocks: 1824414
Reported: 2020-04-16 07:39 UTC by SATHEESARAN
Modified: 2020-06-16 05:57 UTC (History)

Fixed In Version: gluster-ansible-roles-1.0.5-10.el8rhgs
Doc Type: No Doc Update
Doc Text:
Clone Of: 1824414
Environment:
rhhiv, rhel8
Last Closed: 2020-06-16 05:57:32 UTC
Embargoed:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | gluster gluster-ansible pull 104 | 0 | None | closed | Unbind tang server with proper key slots | 2020-07-09 12:07:41 UTC
Red Hat Product Errata | RHEA-2020:2575 | 0 | None | None | None | 2020-06-16 05:57:50 UTC

Description SATHEESARAN 2020-04-16 07:39:07 UTC
+++ This bug was initially created as a clone of Bug #1824414 +++

Description
-------------
Before the NBDE playbook completes the procedure of binding to the tang server,
if any failure occurs, users prefer to run cleanup to fix the previously
created setup. But this procedure also removes keyslot 0, where the
initial passphrase is removed

Version
-------
RHHI-V 1.8
RHVH 4.4
gluster-ansible-infra-1.0.4-8

How reproducible
-----------------
Always

Steps to reproduce
-------------------
1. Update the ansible inventory file for NBDE
2. Run the playbook with incorrect disks
3. Run the cleanup playbook

Actual results
---------------
keyslot 0 is getting removed, as part of clevis-luks-unbind

Expected results
-----------------
clevis-luks-unbind should be used on root disk only when clevis-luks-list returns values

--- Additional comment from RHEL Program Management on 2020-04-16 07:35:47 UTC ---

This bug is automatically being proposed for RHHI-V 1.8 release at Red Hat Hyperconverged Infrastructure for Virtualization product, by setting the release flag 'rhiv‑1.8' to '?'.

If this bug should be proposed for a different release, please manually change the proposed release flag.

Comment 1 SATHEESARAN 2020-04-16 08:12:34 UTC
Only the slots containing the Clevis need to be removed.
This information can be obtained from the clevis-luks-list command

[root@ ~]# clevis-luks-list -d /dev/sda2
2: tang '{"url":"http://dhcp35-220.lab.eng.blr.redhat.com:7500"}'
3: tang '{"url":"http://dhcp35-114.lab.eng.blr.redhat.com"}'

In this case, the values that need to be used are 2 and 3.

clevis-luks-unbind -d /dev/sda2 -s 2
clevis-luks-unbind -d /dev/sda2 -s 3

No other slots should be used, because the other keyslots may have key information pertaining to
other keys
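
The rule from comment 1 (unbind only the slots that clevis-luks-list reports, and nothing when it reports none) as a shell sketch. This is an added example, not part of the bug report and not the gluster-ansible change from pull 104; the function names and the tang URLs in the sample are constructed, and -f is used so that the unbind does not prompt.

```shell
#!/bin/sh
# Constructed sample in the same format as the clevis-luks-list output above.
sample_list() {
    cat <<'EOF'
2: tang '{"url":"http://tang1.example.com:7500"}'
3: tang '{"url":"http://tang2.example.com"}'
EOF
}

# Read clevis-luks-list output on stdin and print one slot number per line.
# Only lines shaped like "<digits>: <pin> <config>" are accepted; blank
# lines and error text are ignored, so empty output yields no slots.
clevis_slots() {
    sed -n 's/^\([0-9][0-9]*\): [a-z0-9][a-z0-9]* .*$/\1/p'
}

# Dry run: print the unbind commands for a device, given list output on stdin.
# Prints nothing when there is no Clevis binding, so keyslot 0 (the initial
# passphrase) is never selected by default.
plan_unbind() {
    dev=$1
    clevis_slots | while read -r slot; do
        printf 'clevis-luks-unbind -d %s -s %s -f\n' "$dev" "$slot"
    done
}

# Live cleanup (hypothetical wrapper): if clevis-luks-list fails or returns
# nothing, the loop body never runs and no keyslot is removed.
cleanup_device() {
    dev=$1
    clevis-luks-list -d "$dev" 2>/dev/null | clevis_slots | while read -r slot; do
        # </dev/null keeps the command from consuming the remaining slot list.
        clevis-luks-unbind -d "$dev" -s "$slot" -f </dev/null
    done
}

# Show the plan for the constructed sample; nothing is executed here.
sample_list | plan_unbind /dev/sda2
```

Checking the keyslots with `cryptsetup luksDump` on the device before and after the cleanup confirms that only the Clevis slots changed.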

Comment 3 SATHEESARAN 2020-06-08 15:22:23 UTC
Tested with gluster-ansible-roles-1.0.5-12.el8rhgs

1. Start NBDE playbook with incorrect disks
2. When the NBDE setup fails, perform cleanup
3. Check for the keyslots on the root disk.

Root disk has that slot0 preserved.

Comment 5 errata-xmlrpc 2020-06-16 05:57:32 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2020:2575

