Red Hat Bugzilla – Bug 437604
cannot upgrade encrypted system
Last modified: 2013-01-09 23:36:20 EST
Anaconda does not present the option to "upgrade" an encrypted system. This is
reasonable, since anaconda can't read the disk in order to tell that there is an
existing Fedora installation on it. There needs to be some way of providing the
LUKS key to anaconda so that it can read the filesystems and do the upgrade.
Upgrade support may not land for F9 given that this is the first release with
encrypted root support.
But Dave was looking at it and we'll decide based on how the patch ends up looking.
Changing version to '9' as part of upcoming Fedora 9 GA.
More information and reason for this action is here:
(In reply to comment #1)
> Upgrade support may not land for F9 given that this is the first release with
> encrypted root support.
I guess this didn't happen? Running the install/upgrade DVD, it unlocks my
encrypted partition ok, but doesn't offer the option of upgrading rather than
I have an encrypted PV with an F8 install on LVs within, created as per bug
#124789 comment #95.
It looks like this is the same layout as F9 creates for an encrypted install?
I can upgrade by migrating the LVs to an unencrypted PV, running upgrade, then
moving them back to the encrypted PV.
Once I've done this, will mkinitrd (on F9 LiveCD or the installation if need be)
correctly build to boot from the encrypted PV? Or do I need any explicit
additional config that anaconda might generate to flag stuff up to mkinitrd?
Nope, this was intended as more of a long-term TODO item rather than something
that had to be fixed prior to release. So no upgrade support in anaconda. Adding
to F10Blocker just so we don't lose sight of it.
(In reply to comment #3)
> Once I've done this, will mkinitrd (on F9 LiveCD or the installation if need be)
> correctly build to boot from the encrypted PV?
In case anyone else ends up in this situation, yes, by and large this works.
I've listed the steps I took in bug #124789 comment #122.
The only thing that might be of more general interest is that mkinitrd seems to
tie the encrypted PV to a specific disk device (e.g. /dev/sda) rather than
something invariant. So in step 5) when I removed the temporary external USB
drive the PV "moved" from sdb2 to sda2 as the drive ordering changed, and the
initrd I'd previously built failed to work (chrooting from the rescue disk and
running mkinitrd fixed this).
The F9 live installer does prompt to open all available LUKS partitions between
the root password step and the disk partitioning step. Would it work to simply
move the LUKS-opening step to the very beginning so the upgrade check sees
Fix will be in anaconda-184.108.40.206-1. This is in rawhide, and is intended to lead to support for upgrade of encrypted F9 systems to F10 using anaconda.
Upgrade still fails on 220.127.116.11. Not entirely sure why - it goes through the whole thing as though it's successful, but the resultant system won't boot (never prompts for the passphrase, therefore can't find the vg and switchroot out of the initrd).
I'll try and grab the initrd out of it and see if I can see something obviously wrong there.
Due to bug 462148, I can't get the initrd off this system :(
Ahh, I give up too easily sometimes :) The rescue mode from F9 was able to mount this installation fine, and I ripped apart the initrd and to my untrained eye, it looks fine. init indeed calls plymouth ask-for-password with a seemingly good looking cryptsetup.
I'll attach the initrd in case you can see something that I can't.
Created attachment 316639
initrd from failed system
There's no plymouth in the initrd!
My money says plymouth is indeed installed on your system and if you re-run mkinitrd it will create a (closer to) working initrd.
There's something about the order in which things actually land on the filesystem, and mkinitrd seems content to build broken initrds if plymouth isn't around when it's being run. Or at least this was my experience around the f10-alpha timeframe.
Can we get an updated test on this, given that Beta just went out?
I just tested upgrading, everything seemed to go fine, including the graphical plymouth to unlock. I'm going to close this bug, it can be re-opened if we find something else.