0017953: Centos 8 Streams, clevis and disk encryption. - CentOS Bug Tracker

ID	Project	Category	View Status	Date Submitted	Last Update

0017953	CentOS-8	general	public	2020-12-17 04:11	2021-06-17 14:13

Reporter	armonica	Assigned To
Priority	normal	Severity	minor	Reproducibility	always
Status	new	Resolution	open

Summary	0017953: Centos 8 Streams, clevis and disk encryption.
Description	Clevis no longer works with streams on a system that was upgraded from 8 to streams. Streams boot disk if you specify you want to customize a disk, the crypt option goes away. If you select automatic clevis doesn't work as it always has.
Steps To Reproduce	Update a current Centos 8 VM to centos 8 streams. Reboot. It'll ask you for the password to your encrypted drive where it should be using clevis to boot. If you enter in the password it seems to be fine. Boot up centos 8 streams. Configure disk. Notice that when you click on customize the disk encryption check box area goes away. Allow automatic. Use the normal way to set up encryption: yum -y install clevis clevis-luks clevis-dracut blkid -t TYPE=crypto_LUKS -o device cryptsetup luksDump /dev/vda2 clevis luks bind -d /dev/vda2 tang '{"url":"192.168.x.x"}' {confirm, enter in password} dracut -f You should be able to reboot and it work.
Tags	No tags attached.

armonica 2020-12-31 00:05 reporter ~0038148	Narrowed this down to /usr/lib/dracut/modules.d/60clevis-pin-tang/module-setup.sh I reverted this file. Did a dracut -f. Works. Here's the diffs: diff -r 60clevis-pin-tang/module-setup.sh /usr/lib/dracut/modules.d/60clevis-pin-tang/module-setup.sh 21,31d20 < has_devices_bound_to_tang() { < local dev < for dev in $(lsblk -p -n -s -r \ < \| awk '$6 == "crypt" { getline; print $1 }' \| sort -u); do < if clevis luks list -d "${dev}" 2>/dev/null \| grep -q tang; then < return 0 < fi < done < return 1 < } < 33,37c22 < local deps="clevis" < if has_devices_bound_to_tang; then < deps=$(printf "%s network" "${deps}") < fi < echo "${deps}" --- > echo clevis network 41,42c26,34 < cmdline() { < echo "rd.neednet=1" --- > have_tang_bindings() { > . clevis-luks-common-functions > local dev > for dev in $(clevis_devices_to_unlock "list-open-devices"); do > if clevis luks list -d "${dev}" \| grep -q tang; then > return 0 > fi > done > return 1 46,47c38,39 < if has_devices_bound_to_tang; then < cmdline > "${initdir}/etc/cmdline.d/99clevis-pin-tang.conf" --- > if [ "${hostonly_cmdline}" = "yes" ] && have_tang_bindings; then > echo "rd.neednet=1" > "${initdir}/etc/cmdline.d/99clevis-pin-tang.conf"

vigiroux 2021-06-17 14:13 reporter ~0038501	It's this line: if clevis luks list -d "${dev}" \| grep -q tang; then The problem is, grep -q terminates as soon as it has a match, the pipe is closed, but the clevis balks because of it, and actually exists with exit code 141. Suggestion: clevis luks list -d "${dev}" \| grep -q tang if [ "${PIPESTATUS[1]}" -eq 0 ]; then

Date Modified	Username	Field	Change
2020-12-17 04:11	armonica	New Issue
2020-12-31 00:05	armonica	Note Added: 0038148
2021-06-17 14:13	vigiroux	Note Added: 0038501