View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0017953 | CentOS-8 | general | public | 2020-12-17 04:11 | 2021-06-17 14:13 |
Reporter | armonica | Assigned To | |||
Priority | normal | Severity | minor | Reproducibility | always |
Status | new | Resolution | open | ||
Summary | 0017953: Centos 8 Streams, clevis and disk encryption. | ||||
Description | Clevis no longer works with Streams on a system that was upgraded from 8 to Streams. With the Streams boot disk, if you specify you want to customize a disk, the crypt option goes away. If you select automatic, clevis doesn't work as it always has. | ||||
Steps To Reproduce | Update a current CentOS 8 VM to CentOS 8 Streams. Reboot. It'll ask you for the password to your encrypted drive where it should be using clevis to boot. If you enter the password it seems to be fine. Boot up CentOS 8 Streams. Configure disk. Notice that when you click on customize, the disk encryption check box area goes away. Allow automatic. Use the normal way to set up encryption: `yum -y install clevis clevis-luks clevis-dracut`; `blkid -t TYPE=crypto_LUKS -o device`; `cryptsetup luksDump /dev/vda2`; `clevis luks bind -d /dev/vda2 tang '{"url":"192.168.x.x"}'` {confirm, enter the password}; `dracut -f`. You should be able to reboot and have it work. | ||||
Tags | No tags attached. | ||||
Narrowed this down to /usr/lib/dracut/modules.d/60clevis-pin-tang/module-setup.sh I reverted this file. Did a dracut -f. Works. Here's the diffs: diff -r 60clevis-pin-tang/module-setup.sh /usr/lib/dracut/modules.d/60clevis-pin-tang/module-setup.sh 21,31d20 < has_devices_bound_to_tang() { < local dev < for dev in $(lsblk -p -n -s -r \ < | awk '$6 == "crypt" { getline; print $1 }' | sort -u); do < if clevis luks list -d "${dev}" 2>/dev/null | grep -q tang; then < return 0 < fi < done < return 1 < } < 33,37c22 < local deps="clevis" < if has_devices_bound_to_tang; then < deps=$(printf "%s network" "${deps}") < fi < echo "${deps}" --- > echo clevis network 41,42c26,34 < cmdline() { < echo "rd.neednet=1" --- > have_tang_bindings() { > . clevis-luks-common-functions > local dev > for dev in $(clevis_devices_to_unlock "list-open-devices"); do > if clevis luks list -d "${dev}" | grep -q tang; then > return 0 > fi > done > return 1 46,47c38,39 < if has_devices_bound_to_tang; then < cmdline > "${initdir}/etc/cmdline.d/99clevis-pin-tang.conf" --- > if [ "${hostonly_cmdline}" = "yes" ] && have_tang_bindings; then > echo "rd.neednet=1" > "${initdir}/etc/cmdline.d/99clevis-pin-tang.conf" |
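Review bot: in `have_tang_bindings` (the `>` side of hunk 41,42c26,34) the result of `. clevis-luks-common-functions` is never checked, so if that file cannot be sourced, `clevis_devices_to_unlock` is undefined, the loop body never runs and the function returns 1 exactly as if no device were bound to tang. The same lines drop the `2>/dev/null` that the `<` side had on `clevis luks list` and keep `grep -q`, which stops reading at the first match. Consider returning early when the source fails, and capturing the list output into a variable before matching it, so the result does not depend on how the writer reacts to a closed pipe or on whether the caller has `pipefail` set.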
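Review bot: hunk 46,47c38,39 writes `rd.neednet=1` only when both `[ "${hostonly_cmdline}" = "yes" ]` and `have_tang_bindings` succeed, while hunk 33,37c22 makes the dependency list `echo clevis network` unconditional. When either test fails, the module no longer adds `rd.neednet=1` itself and nothing is logged about the skip. A comment explaining why the write is tied to `hostonly_cmdline`, plus a logged message when tang bindings cannot be determined, would make this failure visible at `dracut -f` time instead of at the next boot.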
It's this line: `if clevis luks list -d "${dev}" | grep -q tang; then`. The problem is, `grep -q` terminates as soon as it has a match, the pipe is closed, but the clevis balks because of it, and actually exits with exit code 141. Suggestion:

```
clevis luks list -d "${dev}" | grep -q tang
if [ "${PIPESTATUS[1]}" -eq 0 ]; then
```
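The pipeline statuses discussed in the note above, as an added bash example that is not part of the issue or of clevis: `list_bindings` is a constructed stand-in for `clevis luks list`, and `pipeline_status` and `has_binding` are hypothetical helper names. It reports what `if` sees with and without `pipefail` when `grep -q` stops reading early, next to a capture-first variant that never closes the pipe on the writer.

```bash
#!/usr/bin/env bash
# Constructed stand-in for `clevis luks list -d DEV` (not the real tool):
# one slot line for the given pin, then enough output that the writer is
# still busy when a reader that stops at the first match goes away.
list_bindings() {
    local pin=${1:-tang} i
    printf '1: %s (constructed sample slot)\n' "$pin"
    for ((i = 0; i < 20000; i++)); do
        printf 'padding %d (constructed)\n' "$i"
    done 2>/dev/null
}

# Run `writer | grep -q tang` with or without pipefail and print
# "<status seen by if> <writer status> <grep status>".
# A writer killed by SIGPIPE (signal 13) reports 128 + 13 = 141.
pipeline_status() {
    (
        set +e
        if [ "$1" = pipefail ]; then set -o pipefail; else set +o pipefail; fi
        list_bindings tang | grep -q tang
        st=("$?" "${PIPESTATUS[@]}")
        echo "${st[*]}"
    )
}

# Capture-first variant: the writer always runs to completion, a failing
# listing is reported as 2, and only then is the captured text matched.
# $1 = pin to look for, $2 = pin the stand-in should list (defaults to $1).
has_binding() {
    local pin=$1 listed=${2:-$1} out
    out=$(list_bindings "$listed") || return 2
    grep -q "$pin" <<<"$out"
}

if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    echo "no pipefail: $(pipeline_status nopipefail)"
    echo "pipefail:    $(pipeline_status pipefail)"
    has_binding tang && echo "tang binding found"
fi
```

The writer status is 141 only while SIGPIPE has its default disposition; if the calling process ignores SIGPIPE, the writer fails with a write error and a different non-zero status instead.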