Bug 1976641 - dbus-broker-29-1 update breaks automated unlocking of encrypted volumes at boot time via clevis
Status: CLOSED DUPLICATE of bug 1976653
Alias: None
Product: Fedora
Classification: Fedora
Component: dracut
Version: 34
Hardware: x86_64
OS: Unspecified
Assignee: dracut-maint-list
QA Contact: Fedora Extras Quality Assurance
Duplicates: 1979051
Reported: 2021-06-27 19:37 UTC by Lennert Buytenhek
Modified: 2021-08-17 13:46 UTC

Last Closed: 2021-08-17 13:46:04 UTC
Type: Bug


Attachments
Workaround patch to remove offending line - not safe (993 bytes, patch)
2021-07-05 14:36 UTC, alex.j.kerzner

Description Lennert Buytenhek 2021-06-27 19:37:17 UTC
With dbus-broker-28-3, a test VM configured to automatically unlock its LUKS-encrypted root volume over the network by way of clevis boots thusly:

[    2.493782] Console: switching to colour frame buffer device 128x48
[    2.623650] cirrus 0000:00:01.0: [drm] fb0: cirrusdrmfb frame buffer device
<info>  [1624821873.8459] NetworkManager (version 1.30.4-1.fc34) is starting... (for the first time)
<info>  [1624821873.8494] Read config: /etc/NetworkManager/NetworkManager.conf (lib: initrd-no-auto-default.conf)
<info>  [1624821873.8650] bus-manager: acquired D-Bus service "org.freedesktop.NetworkManager"
<info>  [1624821873.8691] manager[0x55627f74c0c0]: monitoring kernel firmware directory '/lib/firmware'.
<info>  [1624821873.8772] hostname: hostname: couldn't get property from hostnamed
<info>  [1624821873.8780] hostname: hostname changed from (none) to "test"
[...]

And everything proceeds as expected.  But with dbus-broker-29-1 instead of -28-3 in the initramfs, there is no output after "Read config: /etc/NetworkManager/NetworkManager.conf (lib: initrd-no-auto-default.conf)", and the root volume fails to automatically unlock.

Some digging identifies this change as causing the change in behavior:

diff -urN 1/usr/lib/systemd/system/dbus-broker.service 2/usr/lib/systemd/system/dbus-broker.service
--- 1/usr/lib/systemd/system/dbus-broker.service        2021-06-27 22:00:09.989634783 +0300
+++ 2/usr/lib/systemd/system/dbus-broker.service        2021-06-27 22:00:12.057650724 +0300
@@ -2,6 +2,7 @@
 Description=D-Bus System Message Bus
 Documentation=man:dbus-broker-launch(1)
 DefaultDependencies=false
+After=dbus.socket sysinit.target
 Before=basic.target shutdown.target
 Requires=dbus.socket
 Conflicts=shutdown.target
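
Review bot: `sysinit.target` in the added `After=` line is a new ordering constraint on a unit that sets `DefaultDependencies=false`, so before this change nothing held the broker back until sysinit.target was reached. Any bus client that is started before sysinit.target and waits for the broker will now wait for the whole target, which matches the stall reported here. Check the early-boot consumers of this unit before shipping the ordering, or limit the change to `After=dbus.socket`.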

Specifically, the After dependency on sysinit.target is what seems to cause NetworkManager to not set up the network device anymore and clevis to not be able to do its thing, and reverting that part of the dependency makes remote unlocking work again.

Relevant bug seems to be https://bugzilla.redhat.com/show_bug.cgi?id=1948042
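
A pre-reboot check for the condition described in comment 0, as an added example that is not part of the original bug report: it reads a unit file on stdin and reports whether its `[Unit]` section orders the unit after a given target. The function names, the `[Unit]` header line and the two sample units are constructed for illustration from the lines shown in the diff above.

```shell
#!/bin/sh
# Added example (not from the bug report or from dracut/dbus-broker).
# unit_orders_after TARGET: exit 0 if the unit on stdin lists TARGET in an
# After= line of its [Unit] section, exit 1 otherwise. After= lines
# accumulate in systemd, so every one of them is inspected.
# On a real system the unit can be read from the initramfs with dracut's
# lsinitrd, e.g.:
#   lsinitrd -f usr/lib/systemd/system/dbus-broker.service | unit_orders_after sysinit.target
unit_orders_after() {
    awk -v want="$1" '
        /^[ \t]*[#;]/ { next }                        # skip comment lines
        /^\[/ { in_unit = ($0 ~ /^\[Unit\]/); next }  # track current section
        in_unit && /^After[ \t]*=/ {
            sub(/^After[ \t]*=[ \t]*/, "")            # keep only the value
            n = split($0, names)                      # whitespace-separated units
            for (i = 1; i <= n; i++) if (names[i] == want) found = 1
        }
        END { exit found ? 0 : 1 }
    '
}

# Constructed sample input: the unit as shown on the "-" side of the diff.
unit_28() { cat <<'EOF'
[Unit]
Description=D-Bus System Message Bus
DefaultDependencies=false
Before=basic.target shutdown.target
Requires=dbus.socket
EOF
}

# Constructed sample input: the unit as shown on the "+" side of the diff.
unit_29() { cat <<'EOF'
[Unit]
Description=D-Bus System Message Bus
DefaultDependencies=false
After=dbus.socket sysinit.target
Before=basic.target shutdown.target
Requires=dbus.socket
EOF
}

report() {  # $1 = label, unit text on stdin
    if unit_orders_after sysinit.target; then
        echo "$1: ordered after sysinit.target, verify network unlock before relying on it"
    else
        echo "$1: no sysinit.target ordering"
    fi
}

unit_28 | report "dbus-broker-28-3 (sample)"
unit_29 | report "dbus-broker-29-1 (sample)"
```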

Comment 1 David Rheinsberg 2021-06-28 11:00:36 UTC
(In reply to Lennert Buytenhek from comment #0)
> And everything proceeds as expected.  But with dbus-broker-29-1 instead of
> -28-3 in the initramfs, there is no output after "Read config:
> /etc/NetworkManager/NetworkManager.conf (lib: initrd-no-auto-default.conf)",
> and the root volume fails to automatically unlock.
> 
> Some digging identifies this change as causing the change in behavior:
> 
> diff -urN 1/usr/lib/systemd/system/dbus-broker.service
> 2/usr/lib/systemd/system/dbus-broker.service
> --- 1/usr/lib/systemd/system/dbus-broker.service        2021-06-27
> 22:00:09.989634783 +0300
> +++ 2/usr/lib/systemd/system/dbus-broker.service        2021-06-27
> 22:00:12.057650724 +0300
> @@ -2,6 +2,7 @@
>  Description=D-Bus System Message Bus
>  Documentation=man:dbus-broker-launch(1)
>  DefaultDependencies=false
> +After=dbus.socket sysinit.target
>  Before=basic.target shutdown.target
>  Requires=dbus.socket
>  Conflicts=shutdown.target
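
Review bot: the added `After=` line gives no reason for the new `sysinit.target` ordering, and it shares a line with `dbus.socket`, which is only the ordering counterpart of the existing `Requires=dbus.socket`. Put `sysinit.target` on its own `After=` line with a comment above it naming what the broker needs from that target, so anyone repackaging the unit for an earlier boot stage can tell which part is safe to drop.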

The service file we ship is not intended for the initrd. I wasn't even aware people put D-Bus in the initrd, I don't think this was ever really supported. Maybe I am wrong?

Can you just switch out the service file in your initrd with the desired one?

Comment 2 Lennert Buytenhek 2021-06-28 12:02:28 UTC
> I wasn't even aware people put D-Bus in the initrd, I don't think this was ever really supported. Maybe I am wrong?

This seems to have been added in February:

    https://github.com/dracutdevs/dracut/commit/38cd8125f63e7f8d6ca7287bee0b2497f5f753db

> Can you just switch out the service file in your initrd with the desired one?

Cc'ing johannbg@ and setting Component to dracut.

Comment 3 alex.j.kerzner 2021-07-05 14:36:11 UTC
Created attachment 1798195
Workaround patch to remove offending line - not safe

(In reply to David Rheinsberg from comment #1)
> *snip*
> Can you just switch out the service file in your initrd with the desired one?

Made a patch to remove the offending line from one of the files, dbus-broker.service (introduced in commit 28af5ac, dracut upstream). It's definitely workaround-material only - I wouldn't want it merged in (very easy to break if upstream changes the line, doesn't actually fix the real issue, etc.), but it's a start at least.

This works in my environment (clevis with tang bind on root partition). I won't guarantee anything beyond that.

Comment 4 Klaas Demter 2021-07-14 14:26:43 UTC
*** Bug 1979051 has been marked as a duplicate of this bug. ***

Comment 5 Marius Hoch 2021-07-22 13:38:47 UTC
This seems to be a duplicate of bug#1976653.

Comment 7 Lennert Buytenhek 2021-08-17 13:46:04 UTC
Somewhat reluctantly (since I found it and debugged it first! :P) marking this as a duplicate of bug#1976653 as per Marius's comment #5.

*** This bug has been marked as a duplicate of bug 1976653 ***