** Description changed: - Affects: - * cryptsetup version 2:2.7.0-1ubuntu4.2 (likely older versions too) - * Ubuntu 24.04.3 installer (subiquity / d-i variant used to produce 24.04.3 images) + Summary + Fresh install of Ubuntu 24.04.3 fails to boot when the root filesystem is an LVM LV on a VG spanning multiple encrypted PVs. Initramfs only decrypts one PV due to missing `initramfs` flags in `/etc/crypttab` and a limitation in cryptsetup’s `cryptroot` hook auto-detection logic. - Symptoms: - * Fresh install fails to boot. - * System drops to initramfs BusyBox shell on first boot. - * Root LV is missing because LVM never activates the VG. - * LVM activation fails because one or more encrypted PVs are not decrypted, leaving the VG incomplete. + Affects + - cryptsetup 2:2.7.0-1ubuntu4.2 (likely earlier as well) + - Ubuntu 24.04.3 installer (subiquity / d-i variant used to produce 24.04.3 images) - Conditions: - * Root filesystem is on an LVM logical volume. - * LVM VG spans two encrypted PVs, each on its own disk. - * Failure occurs during initramfs stage inside /usr/share/initramfs-tools/hooks/cryptroot and the dynamic generation of /cryptroot/crypttab. - * Occurs immediately after a fresh installation of Ubuntu 24.04.3. - * Reproducible 100% on first boot. + What Happens + - First boot after installation drops to initramfs BusyBox shell. + - Root LV is not available. + - LVM cannot activate the VG because one encrypted PV is not decrypted. + - VG remains incomplete → root LV never appears → boot stops in initramfs. - Why - --- + Conditions + - Root filesystem placed on an LVM LV. + - LV belongs to a VG spanning two encrypted PVs, one per disk. + - Failure occurs during initramfs generation and execution in: + - /usr/share/initramfs-tools/hooks/cryptroot + - dynamic creation of /cryptroot/crypttab + - Occurs on fresh installs; reproducible 100% on first boot. - Two independent bugs interact: + Root Cause + This is triggered by two independent bugs that interact. 
- --- + 1. Installer bug: /etc/crypttab missing `initramfs` option + The installer writes /target/etc/crypttab entries without the `initramfs` option for the encrypted PVs. - 1. Installer Bug: Missing initramfs Option in /etc/crypttab + Consequences: + - update-initramfs does not copy these entries into the initramfs. + - cryptroot falls back to auto-detecting encrypted devices. - Symptoms: - * Installer writes /target/etc/crypttab entries for PVs without the initramfs option. + Failure mechanism: - Consequence: - * update-initramfs does not copy these crypttab entries into the initramfs image. - * cryptroot hook then attempts auto-discovery of encrypted devices. + cryptroot scans /sys/dev/block/<major>:<minor>/slaves to identify + encrypted parents of the root LV. - Failure Mechanism: - - cryptroot scans `/sys/dev/block/<major>:<minor>/slaves` to identify - underlying encrypted volumes. - - This logic fails when: - * The root LV happens to live entirely inside one PV, and - * LVM cannot scan/activate the VG until all PVs are decrypted, even if the LV’s blocks reside only on one. + This fails when: + - the root LV extents reside entirely in one PV, and + - the VG cannot activate until all PVs are decrypted. Result: - * Auto-detection misses the second encrypted PV. - * VG activation fails. - * Root LV never appears. - * Boot drops to BusyBox. + - Only one PV is auto-detected. + - Second PV is never decrypted. + - VG activation fails. + - Root LV missing → initramfs drops to BusyBox. - Proposed Fix - ------------ - Installer should always set the initramfs option for any encrypted PVs participating in the VG that contains the root LV. + Proposed installer fix: + * Ensure all encrypted PVs in the root VG are written to /etc/crypttab with the `initramfs` option so they are reliably included in /cryptroot/crypttab. - This ensures crypttab entries are reliably included in - /cryptroot/crypttab, bypassing the fragile auto-detection logic. + 2. 
cryptsetup bug: cryptroot auto-detection does not handle multi-PV VGs + cryptroot attempts to infer encrypted volumes only from the immediate PV backing the root LV. - --- + Problem: + It does not handle the case where the LV is stored on one PV but the VG requires all PVs to be unlocked before activation. - 2. cryptsetup Bug: cryptroot Auto-Detection Does Not Handle Mixed-PV LVs + Consequences: + - Only one PV is added to /cryptroot/crypttab. + - Other PVs skipped. + - VG activation fails. + - Boot breaks. - Symptoms: - * The cryptroot hook tries to infer which encrypted devices to unlock based on root LV’s backing devices. - * It does not account for VGs where: - * The root LV is contained entirely within one PV, but - * The VG cannot activate unless all PVs are unlocked. - Consequence: - * Only one PV is considered “required” for unlocking. - * Other PVs skip decryption. - * VG activation fails at boot. - * Root LV missing → initramfs shell. - - Proposed Fix - ------------ - - Patch hooks/cryptroot to ensure all PVs in a VG that contains the root - LV are added to /cryptroot/crypttab, regardless of where the LV’s - extents are physically located. + Proposed cryptsetup fix: + * Modify hooks/cryptroot to include all PVs in the VG containing the root LV, regardless of which PV stores LV extents. Status: + * Patch attached; verified locally to generate correct /cryptroot/crypttab and allow successful boot. - Patch attached: Verified to generate correct crypttab entries and fix - boot. 
ProblemType: Bug DistroRelease: Ubuntu 24.04 Package: udisks2 2.10.1-6ubuntu1.3 ProcVersionSignature: Ubuntu 6.8.0-88.89-generic 6.8.12 Uname: Linux 6.8.0-88-generic x86_64 NonfreeKernelModules: nvidia_modeset nvidia ApportVersion: 2.28.1-0ubuntu3.8 Architecture: amd64 CasperMD5CheckResult: pass CustomUdevRuleFiles: ubuntu--vg-ceph--osd.rules ubuntu--vg-ubuntu--lv.rules md0.rules Date: Tue Nov 25 07:37:18 2025 InstallationDate: Installed on 2025-11-25 (0 days ago) InstallationMedia: Ubuntu-Server 24.04.3 LTS "Noble Numbat" - Release amd64 (20250805.1) MachineType: System manufacturer System Product Name ProcEnviron: LANG=en_US.UTF-8 PATH=(custom, no user) SHELL=/bin/bash TERM=xterm-256color ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-6.8.0-88-generic root=/dev/mapper/ubuntu--vg-ubuntu--lv ro SourcePackage: cryptsetup Symptom: storage Title: cryptroot: LVM root on VG with multiple encrypted PVs only emits one encrypted PV into /cryptroot/crypttab in initramfs after fresh install of Ubuntu 24.04 UpgradeStatus: No upgrade log present (probably fresh install) dmi.bios.date: 01/13/2021 dmi.bios.release: 5.12 dmi.bios.vendor: American Megatrends Inc. dmi.bios.version: 2801 dmi.board.asset.tag: Default string dmi.board.name: ROG STRIX Z370-E GAMING dmi.board.vendor: ASUSTeK COMPUTER INC. dmi.board.version: Rev X.0x dmi.chassis.asset.tag: Default string dmi.chassis.type: 3 dmi.chassis.vendor: Default string dmi.chassis.version: Default string dmi.modalias: dmi:bvnAmericanMegatrendsInc.:bvr2801:bd01/13/2021:br5.12:svnSystemmanufacturer:pnSystemProductName:pvrSystemVersion:rvnASUSTeKCOMPUTERINC.:rnROGSTRIXZ370-EGAMING:rvrRevX.0x:cvnDefaultstring:ct3:cvrDefaultstring:skuSKU: dmi.product.family: To be filled by O.E.M. dmi.product.name: System Product Name dmi.product.sku: SKU dmi.product.version: System Version dmi.sys.vendor: System manufacturer
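Review bot: In the revised Root Cause section, items 1 and 2 state that the installer-written /etc/crypttab lacks the `initramfs` option and that only one PV reaches /cryptroot/crypttab, but the description includes neither file's contents nor the VG layout, so a triager cannot confirm either claim from the report alone. Suggest adding the /etc/crypttab as written by the installer, the /cryptroot/crypttab extracted from the generated image (for example with unmkinitramfs), and the PV/VG listing for the root VG. The revised Status line says the patch was "verified locally" without naming the cryptsetup version or disk layout it was tested against; state both. The Apport data also lists `Package: udisks2 2.10.1-6ubuntu1.3` while `SourcePackage` is cryptsetup and the Affects section names cryptsetup 2:2.7.0-1ubuntu4.2, so it would help to say which package the report was filed from.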
-- 
https://bugs.launchpad.net/bugs/2132383

Title: cryptroot: initramfs fails to include all encrypted PVs for LVM root VG spanning multiple LUKS devices after fresh Ubuntu 24.04 install
