470027 – Combination of encrypted and non-encrypted RAID devices not working

Bug 470027 - Combination of encrypted and non-encrypted RAID devices not working

Summary: Combination of encrypted and non-encrypted RAID devices not working

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 5
Classification:	Red Hat
Component:	initscripts
Sub Component:
Version:	5.3
Hardware:	ia64
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	initscripts Maintenance Team
QA Contact:	Alexander Todorov
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2008-11-05 11:18 UTC by Alexander Todorov
Modified:	2009-01-20 22:16 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2009-01-20 22:16:13 UTC
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2009:0245	0	normal	SHIPPED_LIVE	initscripts bug fix update	2009-01-20 16:06:46 UTC

Description Alexander Todorov 2008-11-05 11:18:44 UTC

Description of problem:
/dev/md0 /    not encrypted
/dev/md1 /usr encrypted

Initial system boot fails and forces the user to type root password for maintenance:

Kernel command line: BOOT_IMAGE=scsi0:EFI\redhat\vmlinuz-2.6.18-121.el5 root=/dev/md0  rhgb quiet ro
Red Hat nash version 5.1.19.6 starting
                Welcome to Red Hat Enterprise Linux Server
                Press 'I' to enter interactive startup.
Setting clock  (utc): Wed Nov  5 06:03:45 EST 2008 [  OK  ]
Starting udev: [  OK  ]
Loading default keymap (us): [  OK  ]
Setting hostname localhost.localdomain:  [  OK  ]
Starting disk encryption:
Enter LUKS passphrase: 
Failed to setup dm-crypt key mapping.
Check kernel for support for the aes-cbc-essiv:sha256 cipher spec and verify that /dev/sda2 contains at least 133 sectors.
Failed to read from key storage


Version-Release number of selected component (if applicable):
initscripts-8.45.21-1

How reproducible:
Always on one particular machine

Steps to Reproduce:
1.Do an install with this disk layout:
/dev/sda1 vfat /boot/efi
/dev/sda2 software raid
/dev/sda3 software raid

/dev/sdb1 software raid
/dev/sdb2 software raid

/dev/md0, RAID0 (sda3, sdb2) /, ext3, plain
/dev/md1, RAID0 (sda2, sdb1) /usr, ext3, encrypted

sda2 and sdb1 are 5000MB, others are the rest of disk.

2. After reboot type the LUKS pass phrase

  
Actual results:
After several times trying to enter the pass phrase and the system not unlocking the RAID device it asks for maintenance:

Enter LUKS passphrase: 
Failed to setup dm-crypt key mapping.
Check kernel for support for the aes-cbc-essiv:sha256 cipher spec and verify that /dev/sda2 contains at least 133 sectors.
Failed to read from key storage
Command failed: No key available with this passphrase.

[FAILED]
Checking filesystems
Checking all file systems.
[/sbin/fsck.ext3 (1) -- /] fsck.ext3 -a /dev/md0 
/dev/md0: clean, 5066/69107712 files, 2331626/69101696 blocks
[/sbin/fsck.ext3 (1) -- /usr] fsck.ext3 -a /dev/mapper/luks-ac9dfd74-583d-4cb4-ba73-7770ca42f153 
fsck.ext3: No such file or directory while trying to open /dev/mapper/luks-ac9dfd74-583d-4cb4-ba73-7770ca42f153
/dev/mapper/luks-ac9dfd74-583d-4cb4-ba73-7770ca42f153: 
The superblock could not be read or does not describe a correct ext2
filesystem.  If the device is valid and it really contains an ext2
filesystem (and not swap or ufs or something else), then the superblock
is corrupt, and you might try running e2fsck with an alternate superblock:
    e2fsck -b 8193 <device>

[FAILED]

*** An error occurred during the file system check.
*** Dropping you to a shell; the system will reboot
*** when you leave the shell.
*** Warning -- SELinux is active
*** Disabling security enforcement for system recovery.
*** Run 'setenforce 1' to reenable.
Give root password for maintenance
(or type Control-D to continue):


Expected results:
System will unlock /dev/md1 and boot 

Additional info:

Comment 1 Alexander Todorov 2008-11-05 11:53:46 UTC

running rescue mode on this system:

sh-3.2# blkid
/dev/mapper/luks-ac9dfd74-583d-4cb4-ba73-7770ca42f153: UUID="b096fb23-b971-4738-9dda-269df103c069" TYPE="ext3" 
/dev/sda1: SEC_TYPE="msdos" LABEL="/boot/efi" UUID="4911-72CC" TYPE="vfat" 
/dev/sda2: UUID="ac9dfd74-583d-4cb4-ba73-7770ca42f153" TYPE="crypt_LUKS" 
/dev/sda3: UUID="f5fa951e-67f7-4b1e-915c-df02d5bf6378" TYPE="ext3" 
/dev/md1: UUID="ac9dfd74-583d-4cb4-ba73-7770ca42f153" TYPE="crypt_LUKS" 
/dev/md0: UUID="f5fa951e-67f7-4b1e-915c-df02d5bf6378" TYPE="ext3"

Comment 2 Alexander Todorov 2008-11-05 15:15:23 UTC

A note I missed: 
the initial initrd.img didn't appear to have dm-crypt module included. Running mkinitrd --with=dm-crypt didn't fix the issue for me.

Comment 3 Bill Nottingham 2008-11-05 15:16:25 UTC

The raid components have the same UUID as the RAID itself. I'm assuming your /etc/crypttab is specifying the encrypted devices by UUID?

Comment 4 Bill Nottingham 2008-11-05 16:07:36 UTC

http://git.fedorahosted.org/git/?p=initscripts.git;a=commitdiff;h=dc6f9db8bdf6292ca303369d2f5bc2398fb2610f

is the upstream HEAD commit that fixes this. It should apply to RHEL 5 with minimal fuss.

Comment 5 Bill Nottingham 2008-11-06 16:27:08 UTC

To clarify - we should pull this in - it's going to affect any encrypted RAID0 installs.

Comment 8 Alexander Todorov 2008-11-14 10:08:04 UTC

worked like a charm with snap #3. moving to verified

Comment 10 errata-xmlrpc 2009-01-20 22:16:13 UTC

An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-0245.html

Note You need to log in before you can comment on or make changes to this bug.