[Bug 1948598] Re: Can't unlock multiple devices in initramfs

2021-10-28 Thread Niclas Morin
16-1ubuntu0.1 from hirsute-proposed tested in a VM running hirsute
installed using the root on zfs guide (for focal). Tested by using the
nbde_client ansible role to install clevis and bind two LUKS-encrypted
disks to a tang server. It worked as expected. Both disks unlocked
during early boot.

** Tags removed: verification-needed-hirsute
** Tags added: verification-done-hirsute

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1948598

Title:
  Can't unlock multiple devices in initramfs

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/clevis/+bug/1948598/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1948598] Re: Can't unlock multiple devices in initramfs

2021-10-28 Thread Niclas Morin
Hi Robie!

12-1ubuntu2.3 from focal-proposed tested in a VM by using the
nbde_client ansible role to install clevis and bind two LUKS-encrypted
disks to a tang server. It worked as expected. Both disks unlocked
during early boot.

** Tags removed: verification-needed-focal
** Tags added: verification-done-focal


[Bug 1948598] Re: Can't unlock multiple devices in initramfs

2021-10-26 Thread Niclas Morin
@dannf Works like a charm in my test case!


[Bug 1948598] Re: Can't unlock multiple devices in initramfs

2021-10-25 Thread Niclas Morin
@dannf I would love to! I can do it tomorrow at around this time.
Looking forward to it!


[Bug 1948598] Re: Can't unlock multiple devices in initramfs

2021-10-25 Thread Niclas Morin
** Description changed:

- [Impact] 
+ [Impact]
  clevis can be used to automatically unlock LUKS-encrypted devices during boot 
by asking a remote server for the key (sort of). It does so by monitoring for 
the processes that send up the interactive prompts "Please unlock disk xxx:" 
and then sends a key to that process through a fifo that the process has opened.
  The bug that existed in clevis versions prior to version 17 forgot to clear a 
saved PID-variable (used to store the PID of the process that creates the 
prompt for the user), so when the PID of the first process has been found it 
won't look for more processes of this type. This means it can only unlock one 
device. If you have for example some sort of RAID root filesystem with multiple 
disks (or a ZFS mirror as me) then clevis does not work at all.
  
  [Test Plan]
  - Setup a tang server on a different host:
  # sudo apt install tang
  # sudo systemctl enable tangd.socket --now
  # reboot
  
  - Setup two LUKS-disks that shall be decrypted during early boot (append
  option initramfs to them in /etc/crypttab)
  
  - Setup clevis:
  # sudo apt install clevis
  # sudo apt install clevis-luks
  # sudo apt install clevis-initramfs
  
  - Bind the encrypted disks to the tang server:
  # sudo clevis luks bind -d /dev/ tang '{"url": "http://"}'
  # sudo clevis luks bind -d /dev/ tang '{"url": "http://"}'
  
  - Regenerate initramfs
  # sudo update-initramfs -u -k 'all'
  
  - Reboot
  # reboot
  
  After the reboot you will be stuck at "Please unlock disk xxx:" until
  you enter the passphrase manually.
  
  If you perform all the steps using only one disk it will work.
  
  [Where problems could occur]
  If something is wrong with the patch it will show up when clevis is unlocking 
a LUKS-encrypted disk during initramfs.
  
  [Other Info]
- This has been fixed in upstream (latchset/clevis, version 17, commit 
0abdfbc7812c8ef588ee22fd35941b5e831fdce7)
+ This has been fixed in upstream (latchset/clevis, version 17, commit 
0abdfbc7812c8ef588ee22fd35941b5e831fdce7 on Feb 24, 2021)

** Description changed:

  [Impact]
  clevis can be used to automatically unlock LUKS-encrypted devices during boot 
by asking a remote server for the key (sort of). It does so by monitoring for 
the processes that send up the interactive prompts "Please unlock disk xxx:" 
and then sends a key to that process through a fifo that the process has opened.
  The bug that existed in clevis versions prior to version 17 forgot to clear a 
saved PID-variable (used to store the PID of the process that creates the 
prompt for the user), so when the PID of the first process has been found it 
won't look for more processes of this type. This means it can only unlock one 
device. If you have for example some sort of RAID root filesystem with multiple 
disks (or a ZFS mirror as me) then clevis does not work at all.
  
  [Test Plan]
  - Setup a tang server on a different host:
  # sudo apt install tang
  # sudo systemctl enable tangd.socket --now
  # reboot
  
  - Setup two LUKS-disks that shall be decrypted during early boot (append
  option initramfs to them in /etc/crypttab)
  
  - Setup clevis:
  # sudo apt install clevis
  # sudo apt install clevis-luks
  # sudo apt install clevis-initramfs
  
  - Bind the encrypted disks to the tang server:
  # sudo clevis luks bind -d /dev/ tang '{"url": "http://"}'
  # sudo clevis luks bind -d /dev/ tang '{"url": "http://"}'
  
  - Regenerate initramfs
  # sudo update-initramfs -u -k 'all'
  
  - Reboot
  # reboot
  
  After the reboot you will be stuck at "Please unlock disk xxx:" until
  you enter the passphrase manually.
  
  If you perform all the steps using only one disk it will work.
  
  [Where problems could occur]
  If something is wrong with the patch it will show up when clevis is unlocking 
a LUKS-encrypted disk during initramfs.
  
  [Other Info]
- This has been fixed in upstream (latchset/clevis, version 17, commit 
0abdfbc7812c8ef588ee22fd35941b5e831fdce7 on Feb 24, 2021)
+ This has been fixed in upstream (https://github.com/latchset/clevis, version 
17, commit 0abdfbc7812c8ef588ee22fd35941b5e831fdce7 on Feb 24, 2021)

** Description changed:

  [Impact]
- clevis can be used to automatically unlock LUKS-encrypted devices during boot 
by asking a remote server for the key (sort of). It does so by monitoring for 
the processes that send up the interactive prompts "Please unlock disk xxx:" 
and then sends a key to that process through a fifo that the process has opened.
+ clevis can be used to automatically unlock LUKS-encrypted devices during boot 
by asking a remote server for the key (sort of). It does so by finding the PID 
of the process that send up the interactive prompt "Please unlock disk xxx:" 
and then sends a key to that process through a fifo that the process has opened.
  The bug that existed in clevis versions prior to version 17 forgot to clear a 
saved PID-variable (used to store the PID of the process that creates 

[Bug 1948598] Re: Can't unlock multiple devices in initramfs

2021-10-25 Thread Niclas Morin
** Description changed:

- It is not possible to unlock multiple devices in the initramfs phase,
- for example when having a zfs mirror as the root filesystem. This makes
- the package unusable in that case.
+ [Impact] 
+ clevis can be used to automatically unlock LUKS-encrypted devices during boot 
by asking a remote server for the key (sort of). It does so by monitoring for 
the processes that send up the interactive prompts "Please unlock disk xxx:" 
and then sends a key to that process through a fifo that the process has opened.
+ The bug that existed in clevis versions prior to version 17 forgot to clear a 
saved PID-variable (used to store the PID of the process that creates the 
prompt for the user), so when the PID of the first process has been found it 
won't look for more processes of this type. This means it can only unlock one 
device. If you have for example some sort of RAID root filesystem with multiple 
disks (or a ZFS mirror as me) then clevis does not work at all.
  
- This has been fixed in upstream (latchset/clevis, version 17, commit
- 0abdfbc7812c8ef588ee22fd35941b5e831fdce7)
+ [Test Plan]
+ - Setup a tang server on a different host:
+ # sudo apt install tang
+ # sudo systemctl enable tangd.socket --now
+ # reboot
+ 
+ - Setup two LUKS-disks that shall be decrypted during early boot (append
+ option initramfs to them in /etc/crypttab)
+ 
+ - Setup clevis:
+ # sudo apt install clevis
+ # sudo apt install clevis-luks
+ # sudo apt install clevis-initramfs
+ 
+ - Bind the encrypted disks to the tang server:
+ # sudo clevis luks bind -d /dev/ tang '{"url": "http://"}'
+ # sudo clevis luks bind -d /dev/ tang '{"url": "http://"}'
+ 
+ - Regenerate initramfs
+ # sudo update-initramfs -u -k 'all'
+ 
+ - Reboot
+ # reboot
+ 
+ After the reboot you will be stuck at "Please unlock disk xxx:" until
+ you enter the passphrase manually.
+ 
+ If you perform all the steps using only one disk it will work.
+ 
+ [Where problems could occur]
+ If something is wrong with the patch it will show up when clevis is unlocking 
a LUKS-encrypted disk during initramfs.
+ 
+ [Other Info]
+ This has been fixed in upstream (latchset/clevis, version 17, commit 
0abdfbc7812c8ef588ee22fd35941b5e831fdce7)
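Review bot: the [Test Plan] added here ends at "After the reboot you will be stuck at "Please unlock disk xxx:"", which is the behaviour of the unfixed package. It never states what a tester should see once the fixed package is installed, so add the expected result (both disks unlock during early boot without a prompt). The two "clevis luks bind -d /dev/ tang '{"url": "http://"}'" lines also name no device and no tang host; mark them as values to fill in, one per disk.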


[Bug 1948598] Re: Can't unlock multiple devices in initramfs

2021-10-25 Thread Niclas Morin
@dannf Thank you very much for the help and the information!


[Bug 1948598] Re: Can't unlock multiple devices in initramfs

2021-10-25 Thread Niclas Morin
@dannf I thought I was filing a bug report for Ubuntu 20.04. Do bugfixes
never get backported to previous releases?


[Bug 1948598] Re: Can't unlock multiple devices in initramfs

2021-10-24 Thread Niclas Morin
** Description changed:

  It is not possible to unlock multiple devices in the initramfs phase,
  for example when having a zfs mirror as the root filesystem. This makes
  the package unusable in that case.
  
- This has been fixed in upstream (latchset/clevis, version 18, commit
+ This has been fixed in upstream (latchset/clevis, version 17, commit
  0abdfbc7812c8ef588ee22fd35941b5e831fdce7)


[Bug 1948598] [NEW] Can't unlock multiple devices in initramfs

2021-10-24 Thread Niclas Morin
Public bug reported:

It is not possible to unlock multiple devices in the initramfs phase,
for example when having a zfs mirror as the root filesystem. This makes
the package unusable in that case.

This has been fixed in upstream (latchset/clevis, version 17, commit
0abdfbc7812c8ef588ee22fd35941b5e831fdce7)

** Affects: clevis (Ubuntu)
 Importance: Undecided
 Status: New


[Bug 1779498] Re: Generates initrd-image with wrong name

2019-02-03 Thread Niclas Morin
What is happening here? No reaction for 6 months?

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1779498

Title:
  Generates initrd-image with wrong name

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dracut/+bug/1779498/+subscriptions


[Bug 1814460] [NEW] systemd-cryptsetup fails during initrd stage of boot

2019-02-03 Thread Niclas Morin
Public bug reported:

I use Ubuntu 18.04.1 with systemd version:
systemd 237
+PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD -IDN2 +IDN -PCRE2 default-hierarchy=hybrid

I use dracut + clevis for automatic decryption of my LUKS encrypted
drives during boot.

I get the following message from one of the non-root disks:

● systemd-cryptsetup@luks\x2data\x2dWDC_WD30EFRX\x2d68EUZN0_WD\x2dWCC4N5DC8C4C\x2dpart1.service - Cryptography Setup for luks-ata-WDC_WD30EFRX-68EUZN0_WD-WCC4N5DC8C4C-part1
   Loaded: loaded (/etc/crypttab; generated)
   Active: failed (Result: signal) since Sun 2019-02-03 15:04:35 UTC; 5min ago
     Docs: man:crypttab(5)
           man:systemd-cryptsetup-generator(8)
           man:systemd-cryptsetup@.service(8)
  Process: 589 ExecStart=/lib/systemd/systemd-cryptsetup attach luks-ata-WDC_WD30EFRX-68EUZN0_WD-WCC4N5DC8C4C-part1 /dev/disk/by-id/ata-WDC_WD30EFRX-68EUZN0_WD-WCC4N5DC8C4C-part1 none luks,discard (code=killed, signal=ABRT)
 Main PID: 589 (code=killed, signal=ABRT)

Feb 03 15:04:26 beta systemd[1]: Starting Cryptography Setup for luks-ata-WDC_WD30EFRX-68EUZN0_WD-WCC4N5DC8C4C-part1...
Feb 03 15:04:35 beta systemd-cryptsetup[589]: Set cipher aes, mode xts-plain64, key size 256 bits for device /dev/disk/by-id/ata-WDC_WD30EFRX-68EUZN0_WD-WCC4N5DC8C4C-part1.
Feb 03 15:04:35 beta systemd-cryptsetup[589]: realloc(): invalid next size
Feb 03 15:04:35 beta systemd[1]: systemd-cryptsetup@luks\x2data\x2dWDC_WD30EFRX\x2d68EUZN0_WD\x2dWCC4N5DC8C4C\x2dpart1.service: Main process exited, code=killed, status=6/ABRT
Feb 03 15:04:35 beta systemd[1]: systemd-cryptsetup@luks\x2data\x2dWDC_WD30EFRX\x2d68EUZN0_WD\x2dWCC4N5DC8C4C\x2dpart1.service: Failed with result 'signal'.
Feb 03 15:04:35 beta systemd[1]: Failed to start Cryptography Setup for luks-ata-WDC_WD30EFRX-68EUZN0_WD-WCC4N5DC8C4C-part1.

The systemd issue reporting template told me to not report systemd
issues for anything but the two newest versions of systemd, and referred
to the distribution bug tracker instead.

** Affects: systemd (Ubuntu)
 Importance: Undecided
 Status: New

** Description changed:

  I use Ubuntu 18.04.1 with systemd version:
  systemd 237
  +PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP 
+GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD -IDN2 +IDN -PCRE2 
default-hierarchy=hybrid
  
  I use dracut + clevis for automatic decryption of my LUKS encrypted
  drives during boot.
  
  I get the following message from one of the non-root disks:
  
  ● 
systemd-cryptsetup@luks\x2data\x2dWDC_WD30EFRX\x2d68EUZN0_WD\x2dWCC4N5DC8C4C\x2dpart1.service
 - Cryptography Setup for luks-ata-WDC_WD30EFRX-68EUZN0_WD-WCC4N5DC8C4C-part1
-Loaded: loaded (/etc/crypttab; generated)
-Active: failed (Result: signal) since Sun 2019-02-03 15:04:35 UTC; 5min ago
-  Docs: man:crypttab(5)
-man:systemd-cryptsetup-generator(8)
-man:systemd-cryptsetup@.service(8)
-   Process: 589 ExecStart=/lib/systemd/systemd-cryptsetup attach 
luks-ata-WDC_WD30EFRX-68EUZN0_WD-WCC4N5DC8C4C-part1 
/dev/disk/by-id/ata-WDC_WD30EFRX-68EUZN0_WD-WCC4N5DC8C4C-part1 none 
luks,discard (code=killed, signal=ABRT)
-  Main PID: 589 (code=killed, signal=ABRT)
+    Loaded: loaded (/etc/crypttab; generated)
+    Active: failed (Result: signal) since Sun 2019-02-03 15:04:35 UTC; 5min ago
+  Docs: man:crypttab(5)
+    man:systemd-cryptsetup-generator(8)
+    man:systemd-cryptsetup@.service(8)
+   Process: 589 ExecStart=/lib/systemd/systemd-cryptsetup attach 
luks-ata-WDC_WD30EFRX-68EUZN0_WD-WCC4N5DC8C4C-part1 
/dev/disk/by-id/ata-WDC_WD30EFRX-68EUZN0_WD-WCC4N5DC8C4C-part1 none 
luks,discard (code=killed, signal=ABRT)
+  Main PID: 589 (code=killed, signal=ABRT)
  
  Feb 03 15:04:26 beta systemd[1]: Starting Cryptography Setup for 
luks-ata-WDC_WD30EFRX-68EUZN0_WD-WCC4N5DC8C4C-part1...
  Feb 03 15:04:35 beta systemd-cryptsetup[589]: Set cipher aes, mode 
xts-plain64, key size 256 bits for device 
/dev/disk/by-id/ata-WDC_WD30EFRX-68EUZN0_WD-WCC4N5DC8C4C-part1.
  Feb 03 15:04:35 beta systemd-cryptsetup[589]: realloc(): invalid next size
  Feb 03 15:04:35 beta systemd[1]: 
systemd-cryptsetup@luks\x2data\x2dWDC_WD30EFRX\x2d68EUZN0_WD\x2dWCC4N5DC8C4C\x2dpart1.service:
 Main process exited, code=killed, status=6/ABRT
  Feb 03 15:04:35 beta systemd[1]: 
systemd-cryptsetup@luks\x2data\x2dWDC_WD30EFRX\x2d68EUZN0_WD\x2dWCC4N5DC8C4C\x2dpart1.service:
 Failed with result 'signal'.
  Feb 03 15:04:35 beta systemd[1]: Failed to start Cryptography Setup for 
luks-ata-WDC_WD30EFRX-68EUZN0_WD-WCC4N5DC8C4C-part1.
  
  The systemd issue reporting template told me to not report systemd
- issues for anything but the two newest versions of systemd.
+ issues for anything but the two newest versions of systemd, and refered
+ to the distribution bug tracker instead.
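Review bot: "refered" in the added line "+ issues for anything but the two newest versions of systemd, and refered" is misspelled and should read "referred". The sentence also has no object for the verb; "referred me to the distribution bug tracker instead" would read more clearly.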


[Bug 1779498] [NEW] Generates initrd-image with wrong name

2018-06-30 Thread Niclas Morin
Public bug reported:

Running 'dracut -f' on Ubuntu 18.04 creates the file 
/boot/initramfs-4.15.0-23-generic.img.
I have to manually move it to overwrite the file 
/boot/initrd.img-4.15.0-23-generic that is in use.

** Affects: dracut (Ubuntu)
 Importance: Undecided
 Status: New

** Description changed:

  Running 'dracut -f' on Ubuntu 18.04 creates the file 
/boot/initramfs-4.15.0-23-generic.img.
- I have to manually move it to overwrite the file 
/boot/initrd.img-4.15.0-23-generic that are in use.
+ I have to manually move it to overwrite the file 
/boot/initrd.img-4.15.0-23-generic that is in use.


[Bug 1779494] [NEW] Missing dependency

2018-06-30 Thread Niclas Morin
Public bug reported:

This package needs the jose package to work correctly.

** Affects: tang (Ubuntu)
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1779494

Title:
  Missing dependency

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/tang/+bug/1779494/+subscriptions
