Description of problem:
We need to enable clevis so that RHEL-H can reboot unattended (local disk encryption configured)

Version-Release number of selected component (if applicable):
RHV 4.4.3

How reproducible:
Always

Steps to Reproduce:
1. Configure a RHEL8 host to be used for RHV, with local disk encryption
2. Install and configure tang/clevis, ensure that system can reboot without intervention
3. add to RHV
4. reboot

Actual results:
Host does not attempt to talk to tang server during reboot, so user must type passphrase at the console

Expected results:
Host to reboot successfully without intervention (automatic decryption of local disk via tang server)

Additional info:
From what I understand, vdsm adds the following file:

# cat /lib/dracut/dracut.conf.d/99-vdsm_protect_ifcfg.conf
omit_dracutmodules+="ifcfg clevis"

This removes clevis and ifcfg from initrd file, which prevents NBDE (clevis/tang) from working

The omit_dracutmodules+="ifcfg clevis" has been added in 4.4 as a part of BZ1760262. The solution is suggested in https://access.redhat.com/solutions/3017441 So we probably can't revert the fix from BZ1760262, but we should write a KCS specific for RHV when local storage with luks encryption is used. What do you think?
Hi, just to confirm that I understand it right: marking it as a config file in the rpm would be sufficient, right? That would prevent dnf/rpm from overwriting the file on every upgrade if it has been changed.
Files in '/usr/lib/dracut.conf.d' should not be edited. From 'man dracut.conf':

    *.conf files are read from /usr/lib/dracut/dracut.conf.d and /etc/dracut.conf.d. Files with the same name in /etc/dracut.conf.d will replace files in /usr/lib/dracut/dracut.conf.d.

Please copy the file to '/etc/dracut.conf.d' and strip the contents.
I agree with Marcin, this bug should be closed as not a bug.
I did some tests locally:

1) Check current initramfs (does not contain clevis and ifcfg modules)

[root@localhost ~]# lsinitrd -m /boot/initramfs-$(uname -r).img
Image: initramfs-4.18.0-277.el8.x86_64.img: 26M
========================================================================
Early CPIO image
========================================================================
drwxr-xr-x 3 root root 0 Jan 15 04:01 .
-rw-r--r-- 1 root root 2 Jan 15 04:01 early_cpio
drwxr-xr-x 3 root root 0 Jan 15 04:01 kernel
drwxr-xr-x 3 root root 0 Jan 15 04:01 kernel/x86
drwxr-xr-x 2 root root 0 Jan 15 04:01 kernel/x86/microcode
-rw-r--r-- 1 root root 101376 Jan 15 04:01 kernel/x86/microcode/GenuineIntel.bin
========================================================================
Version: dracut-049-133.git20210112.el8
dracut modules:
bash
systemd
systemd-initrd
nss-softokn
rngd
i18n
drm
plymouth
prefixdevname
dm
kernel-modules
kernel-modules-extra
lvm
qemu
qemu-net
resume
rootfs-block
terminfo
udev-rules
biosdevname
dracut-systemd
usrmount
base
fs-lib
memstrack
microcode_ctl-fw_dir_override
shutdown
========================================================================

2) Copy the original config into /etc/dracut.conf.d and remove content so the file in /etc/dracut.conf.d remains empty.

3) Generate new initramfs:

dracut --force /boot/initramfs-$(uname -r).img

4) Check the new image

[root@localhost ~]# lsinitrd -m initramfs-$(uname -r).img
Image: initramfs-4.18.0-277.el8.x86_64.img: 34M
========================================================================
Early CPIO image
========================================================================
drwxr-xr-x 3 root root 0 Jan 15 04:01 .
-rw-r--r-- 1 root root 2 Jan 15 04:01 early_cpio
drwxr-xr-x 3 root root 0 Jan 15 04:01 kernel
drwxr-xr-x 3 root root 0 Jan 15 04:01 kernel/x86
drwxr-xr-x 2 root root 0 Jan 15 04:01 kernel/x86/microcode
-rw-r--r-- 1 root root 101376 Jan 15 04:01 kernel/x86/microcode/GenuineIntel.bin
========================================================================
Version: dracut-049-133.git20210112.el8
dracut modules:
bash
systemd
systemd-initrd
nss-softokn
rngd
i18n
network-manager
network
ifcfg <-----------------------
drm
plymouth
clevis <---------------------
clevis-pin-sss
clevis-pin-tang
clevis-pin-tpm2
prefixdevname
crypt
dm
kernel-modules
kernel-modules-extra
kernel-network-modules
lvm
qemu
qemu-net
resume
rootfs-block
terminfo
udev-rules
biosdevname
dracut-systemd
usrmount
base
fs-lib
memstrack
microcode_ctl-fw_dir_override
shutdown
========================================================================

Both modules are here, so the proposed solution should work with some extra steps.

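
The override discussed in the comments above, as an added example that is not part of the original bug report and is not vdsm or dracut code: a shell script that resolves which drop-in files take effect (a file in the etc directory replaces the same-named file in the lib directory) and lists the modules they omit. The function names and the temporary sample directories are assumptions, and the parse is simplified to literal omit_dracutmodules assignments.

```shell
#!/bin/sh
# Added example (not vdsm or dracut code): which drop-ins win, and what they omit.

# Print the effective *.conf files, sorted by name. A file in ETC_DIR
# replaces the file of the same name in LIB_DIR.
effective_confs() {
    lib_dir=$1; etc_dir=$2
    for f in "$lib_dir"/*.conf "$etc_dir"/*.conf; do
        if [ -e "$f" ]; then basename "$f"; fi
    done | sort -u | while read -r name; do
        if [ -e "$etc_dir/$name" ]; then
            echo "$etc_dir/$name"
        else
            echo "$lib_dir/$name"
        fi
    done
}

# Print the omitted modules, one per line. Simplified parse (assumption):
# only literal omit_dracutmodules="..." / +="..." lines are recognised,
# and both forms are treated as additive.
omitted_modules() {
    effective_confs "$1" "$2" | while read -r conf; do
        sed -n 's/^[[:space:]]*omit_dracutmodules+\{0,1\}=//p' "$conf"
    done | tr -d "\"'" | tr -s ' \t' '\n\n' | sed '/^$/d' | sort -u
}

# Exit 0 when MODULE ($1) is omitted by the effective configuration.
module_omitted() {
    omitted_modules "$2" "$3" | grep -qxF -- "$1"
}

# Constructed sample: the drop-in quoted in the report, before and after an
# empty file of the same name is placed in the (temporary) etc directory.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/lib" "$root/etc"
    dropin=99-vdsm_protect_ifcfg.conf
    echo 'omit_dracutmodules+="ifcfg clevis"' > "$root/lib/$dropin"
    module_omitted clevis "$root/lib" "$root/etc" && echo "lib only: clevis omitted"
    : > "$root/etc/$dropin"
    module_omitted clevis "$root/lib" "$root/etc" || echo "etc override: clevis kept"
    rm -rf "$root"
}
demo
```

On a host, pass /usr/lib/dracut/dracut.conf.d and /etc/dracut.conf.d as the two directories, then confirm the rebuilt image with lsinitrd -m as in the test above.
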
Closing this bug as WONTFIX, proper solution with steps is in c#12.