View Issue Details

ID: 0017953
Project: CentOS-8
Category: general
View Status: public
Last Update: 2021-06-17 14:13
Reporter: armonica
Assigned To:
Priority: normal
Severity: minor
Reproducibility: always
Status: new
Resolution: open
Summary: 0017953: Centos 8 Streams, clevis and disk encryption.
Description: Clevis no longer works with streams on a system that was upgraded from 8 to streams. Streams boot disk if you specify you want to customize a disk, the crypt option goes away. If you select automatic, clevis doesn't work as it always has.
Steps To Reproduce:
Update a current Centos 8 VM to centos 8 streams.
Reboot. It'll ask you for the password to your encrypted drive where it should be using clevis to boot. If you enter in the password it seems to be fine.

Boot up centos 8 streams. Configure disk. Notice that when you click on customize the disk encryption check box area goes away. Allow automatic. Use the normal way to set up encryption:

yum -y install clevis clevis-luks clevis-dracut
blkid -t TYPE=crypto_LUKS -o device
cryptsetup luksDump /dev/vda2
clevis luks bind -d /dev/vda2 tang '{"url":"192.168.x.x"}'
{confirm, enter in password}
dracut -f

You should be able to reboot and have it work.
Tags: No tags attached.

Activities

armonica

2020-12-31 00:05

reporter   ~0038148

Narrowed this down to /usr/lib/dracut/modules.d/60clevis-pin-tang/module-setup.sh
I reverted this file. Did a dracut -f. Works. Here are the diffs:
diff -r 60clevis-pin-tang/module-setup.sh /usr/lib/dracut/modules.d/60clevis-pin-tang/module-setup.sh
21,31d20
< has_devices_bound_to_tang() {
< local dev
< for dev in $(lsblk -p -n -s -r \
< | awk '$6 == "crypt" { getline; print $1 }' | sort -u); do
< if clevis luks list -d "${dev}" 2>/dev/null | grep -q tang; then
< return 0
< fi
< done
< return 1
< }
<
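Review bot: In `has_devices_bound_to_tang`, the `2>/dev/null` on `clevis luks list` makes a failed listing indistinguishable from "no tang binding", so the function returns 1 in both cases. Because that return value decides whether `network` is added to the dependencies, a listing failure should be logged or treated as "assume bound" rather than silently dropped. The `awk '$6 == "crypt" { getline; print $1 }'` parse also relies on the default `lsblk` column order; asking for explicit columns with `-o NAME,TYPE` would make it less fragile.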
33,37c22
< local deps="clevis"
< if has_devices_bound_to_tang; then
< deps=$(printf "%s network" "${deps}")
< fi
< echo "${deps}"
---
> echo clevis network
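Review bot: The `deps` logic on the `<` side makes the `network` dependency conditional on `has_devices_bound_to_tang` succeeding when the initramfs is built, where the `>` side always emits `clevis network`. A false negative from the detection leaves the initramfs without networking, so a tang-bound volume can only fall back to the passphrase prompt; consider keeping `network` whenever detection fails or cannot run. Minor style point: `deps=$(printf "%s network" "${deps}")` can be written as `deps="${deps} network"`.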
41,42c26,34
< cmdline() {
< echo "rd.neednet=1"
---
> have_tang_bindings() {
> . clevis-luks-common-functions
> local dev
> for dev in $(clevis_devices_to_unlock "list-open-devices"); do
> if clevis luks list -d "${dev}" | grep -q tang; then
> return 0
> fi
> done
> return 1
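Review bot: In `have_tang_bindings`, the pipeline `clevis luks list -d "${dev}" | grep -q tang` lets `grep -q` exit on the first match while `clevis luks list` may still be writing, so the left side can end on SIGPIPE; if the caller has `pipefail` set, the `if` then sees a failure even though a tang slot matched. Capturing the listing into a variable first and matching on that avoids the pipe entirely. The `. clevis-luks-common-functions` line also has no check that the file was found; if it is missing, `clevis_devices_to_unlock` is undefined, the loop runs over nothing, and the function returns 1.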
46,47c38,39
< if has_devices_bound_to_tang; then
< cmdline > "${initdir}/etc/cmdline.d/99clevis-pin-tang.conf"
---
> if [ "${hostonly_cmdline}" = "yes" ] && have_tang_bindings; then
> echo "rd.neednet=1" > "${initdir}/etc/cmdline.d/99clevis-pin-tang.conf"
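Review bot: The condition on the `<` side drops the `[ "${hostonly_cmdline}" = "yes" ]` guard that the `>` side has, so `99clevis-pin-tang.conf` is written whenever a binding is detected, regardless of the hostonly cmdline setting. If that is intended it deserves a comment; otherwise keep the guard in front of `has_devices_bound_to_tang`.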
vigiroux

2021-06-17 14:13

reporter   ~0038501

It's this line:

 if clevis luks list -d "${dev}" | grep -q tang; then


The problem is, grep -q terminates as soon as it has a match, the pipe is closed, but the clevis balks because of it, and actually exits with exit code 141.

Suggestion:

clevis luks list -d "${dev}" | grep -q tang
if [ "${PIPESTATUS[1]}" -eq 0 ]; then
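
The behaviour described in the note above, as an added example that is not part of the original thread or of clevis: it shows the per-command statuses of the pipeline, the false negative, and two ways to read the result. `fake_clevis_list` is a constructed stand-in for `clevis luks list`, the function names are hypothetical, and `set -o pipefail` in the checks is an assumption about the calling environment.

```bash
#!/usr/bin/env bash
# Constructed stand-in for `clevis luks list -d DEV` (not the real tool): it
# prints a tang slot first and then keeps writing, so it is still writing
# when `grep -q` exits on the first match and closes the pipe.
fake_clevis_list() {
    local i
    printf '%s\n' "1: tang '{\"url\":\"http://tang.example\"}'"
    for ((i = 2; i <= 50000; i++)); do
        printf "%d: tpm2 '{}'\n" "$i"
    done
}

# Exit status of each side of the pipeline, as "<producer> <grep>".
pipeline_statuses() {
    fake_clevis_list | grep -q tang
    echo "${PIPESTATUS[0]} ${PIPESTATUS[1]}"
}

# The module's test as written. Under pipefail (assumed here) the producer's
# SIGPIPE status becomes the pipeline status and a bound device looks unbound.
check_if_pipeline() (
    set -o pipefail
    if fake_clevis_list | grep -q tang; then echo bound; else echo unbound; fi
)

# The suggestion from the thread: consult only grep's own status.
check_pipestatus() (
    set -o pipefail
    fake_clevis_list | grep -q tang
    if [ "${PIPESTATUS[1]}" -eq 0 ]; then echo bound; else echo unbound; fi
)

# Pipe-free variant: let the producer finish, then match the captured text.
check_captured() (
    set -o pipefail
    out=$(fake_clevis_list) || exit 1
    case "$out" in *tang*) echo bound ;; *) echo unbound ;; esac
)

printf 'statuses (producer grep): %s\n' "$(pipeline_statuses)"
printf 'if-pipeline=%s pipestatus=%s captured=%s\n' \
    "$(check_if_pipeline)" "$(check_pipestatus)" "$(check_captured)"
```

The producer's status is 128 plus the SIGPIPE signal number (13), which is the 141 reported in the note.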

Issue History

Date Modified Username Field Change
2020-12-17 04:11 armonica New Issue
2020-12-31 00:05 armonica Note Added: 0038148
2021-06-17 14:13 vigiroux Note Added: 0038501