Ubuntu
clevis package

initramfs-tools support

Bug #1872832 reported by dann frazier
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
clevis (Ubuntu)
Fix Released
Undecided
Unassigned
Bionic
Fix Released
Undecided
dann frazier
Eoan
Fix Released
Undecided
dann frazier
Focal
Fix Released
Undecided
Unassigned

Bug Description

[Impact]
clevis <= 12 did not integrate with initramfs-tools. This meant that if users wanted to automatically decrypt a luks volume for /, they had to use dracut, which is poorly supported in Ubuntu (see bug 1814460).

[Test Case]
sudo apt install clevis-luks clevis-initramfs
Bind your root luks / device to a remote tang server, e.g.:
sudo clevis luks bind -d /dev/vda3 tang '{"url": "http://192.168.122.1"}'
Accept the key when prompted. Reboot - your luks / should automatically decrypt.

[Fix]
As we've done in focal, introduce a new clevis-initramfs package. The patches are all from upstream, and are standalone other than minor build-system changes required to do the build/install.

[Regression Risk]
clevis introduced initramfs-tools support by adding a new leaf package - clevis-initramfs. Existing users would not have this package installed, so would be immune from any issues it causes by default.

The eoan version of this package previously build-depended on dracut, and this requires an additional build-dep on initramfs-tools. dracut and initramfs-tools conflict, so this is an impossible situation. In focal, this was fixed by changing the build-dep on dracut to dracut-core and I've done the same here. AFAICT, the only reason for build-dep'ing on dracut* is that it uses pkgconfig for meson to decide whether or not to install dracut files at all, and the pkgconfig bits for dracut are part of dracut-core, not dracut. There is a risk that there is some other side-effect of the dracut build-dep that could cause a regression. The bionic build doesn't rely on the meson hinting (it hadn't been converted to meson yet), so build-deps weren't impacted.

See original description
dann frazier (dannf)
Changed in clevis (Ubuntu):
status: New → Fix Released
Changed in clevis (Ubuntu Bionic):
assignee: nobody → dann frazier (dannf)
Changed in clevis (Ubuntu Eoan):
assignee: nobody → dann frazier (dannf)
Changed in clevis (Ubuntu Bionic):
status: New → In Progress
Changed in clevis (Ubuntu Eoan):
status: New → In Progress
dann frazier (dannf)
description: updated
dann frazier (dannf)
description: updated
dann frazier (dannf)
description: updated
dann frazier (dannf)
Changed in clevis (Ubuntu Focal):
status: New → Fix Released
Revision history for this message
Łukasz Zemczak (sil2100) wrote :

As part of this SRU, I think I would like us to make sure that the dracut parts still work as expected. Though I guess that the since the only thing that changed dependency-wise is the build-deps, I assume that if the dracut dependencies were wrong, we'd simply get a FTBFS as clevis-dracut would not have the files needed to be installed? Anyway, I think we'd like to verify that at least all the dracut-related files are in the package as before. Not sure if there is any risk of it regressing there - if yes, maybe some smoke-test?

This SRU is more of a new-feature-introduction than a bugfix, which usually isn't SRU material. But seeing that there is demand (and this being an universe package), I think I can get this accepted.

Changed in clevis (Ubuntu Eoan):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-eoan
Revision history for this message
Łukasz Zemczak (sil2100) wrote : Please test proposed package

Hello dann, or anyone else affected,

Accepted clevis into eoan-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/clevis/11-2ubuntu0.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-eoan to verification-done-eoan. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-eoan. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Revision history for this message
Łukasz Zemczak (sil2100) wrote :

Hello dann, or anyone else affected,

Accepted clevis into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/clevis/8-1ubuntu0.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in clevis (Ubuntu Bionic):
status: In Progress → Fix Committed
tags: added: verification-needed-bionic
Revision history for this message
dann frazier (dannf) wrote :

Thanks for reviewing Łukasz!

I believe dracut support has never worked - see bug 1814460, which we resolved by adding initramfs-tools support in focal. I will include a demonstration that the clevis-dracut package has not changed as part of verification, thanks for that suggestion.

I hear you wrt this being a new feature. Arguably we had the "automatic-root-unlocking-via-tang" feature back in bionic by way of the (broken) dracut support, and this fixes it. But it does so by introducing a new package which is at the same time both regression mitigating and new-featurey.

Revision history for this message
dann frazier (dannf) wrote :
Download full text (3.9 KiB)

= Verification =
== eoan ==
=== dracut package contents haven't changed ===
$ mkdir 11-2
$ mkdir 11-2ubuntu0.1
$ dpkg-deb -x clevis-dracut_11-2_all.deb 11-2
$ dpkg-deb -x clevis-dracut_11-2ubuntu0.1_all.deb 11-2ubuntu0.1
$ diff -urpN 11-2 11-2ubuntu0.1
diff: 11-2/usr/share/doc/clevis-dracut/changelog.Debian.gz: No such file or directory
diff: 11-2ubuntu0.1/usr/share/doc/clevis-dracut/changelog.Debian.gz: No such file or directory
$
=== tang unlocking works from initramfs ===
Begin: Running /scripts/init-premount ... done.
Begin: Mounting root file system ... Begin: Running /scripts/local-top ... Internet Systems Consortium DHCP Client 4.4.1
Copyright 2004-2018 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/

Listening on LPF/enp1s0/52:54:00:7d:4b:55
Sending on LPF/enp1s0/52:54:00:7d:4b:55
Sending on Socket/fallback
DHCPDISCOVER on enp1s0 to 255.255.255.255 port 67 interval 3 (xid=0x5361280a)
DHCPOFFER of 192.168.122.7 from 192.168.122.1
DHCPREQUEST for 192.168.122.7 on enp1s0 to 255.255.255.255 port 67 (xid=0xa286153)
DHCPACK of 192.168.122.7 from 192.168.122.1 (xid=0x5361280a)
bound to 192.168.122.7 -- renewal in 1645 seconds.
  Volume group "ubuntu-vg" not found
  Cannot process volume group ubuntu-vg
Please unlock disk dm_crypt-0:
cryptsetup: dm_crypt-0: set up successfully
done.
Begin: Running /scripts/local-premount ... [ 11.861518] Btrfs loaded, crc32c=crc32c-intel
Scanning for Btrfs filesystems
done.
Warning: fsck not present, so skipping root file system
[ 12.028454] EXT4-fs (dm-1): mounted filesystem with ordered data mode. Opts: (null)
done.

== bionic ==
=== dracut package contents haven't changed ===
$ for i in 8-1 8-1ubuntu0.1; do mkdir $i; dpkg-deb -x clevis-dracut_${i}_all.deb ${i}; done
$ diff -urpN 8-1 8-1ubuntu0.1
diff: 8-1/usr/share/doc/clevis-dracut/changelog.Debian.gz: No such file or directory
diff: 8-1ubuntu0.1/usr/share/doc/clevis-dracut/changelog.Debian.gz: No such file or directory
$
=== tang unlocking works from initramfs ===
Begin: Running /scripts/init-premount ... done.
Begin: Mounting root file system ... Begin: Running /scripts/local-top ... IP-Config: enp1s0 hardware address 52:54:00:35:1c:03 mtu 1500 DHCP RARP
IP-Config: enp2s0 hardware address 52:54:00:00:d6:69 mtu 1500 DHCP RARP
IP-Config: enp1s0 complete (dhcp from 192.168.122.1):
 address: 192.168.122.24 broadcast: 192.168.122.255 netmask: 255.255.255.0
 gateway: 192.168.122.1 dns0 : 192.168.122.1 dns1 : 0.0.0.0
 rootserver: 192.168.122.1 rootpath:
 filename :
  WARNING: Failed to connect to lvmetad. Falling back to device scanning.
  Volume group "ubuntu18-vg" not found
  Cannot process volume group ubuntu18-vg
  WARNING: Failed to connect to lvmetad. Falling back to device scanning.
  Volume group "ubuntu18-vg" not found
  Cannot process volume group ubuntu18-vg
Please unlock disk vda3_crypt:
[ 7.309094] NET: Registered protocol family 38
  WARNING: Failed to connect to lvmetad. Falling back to device scanning.
  Reading all physical volumes. This may take a while...
  Found volume group "ubuntu18-vg" using metadata type lvm2
  WARNING: Failed to conn...

Read more...

tags: added: verification-done verification-done-bionic verification-done-eoan
removed: verification-needed verification-needed-bionic verification-needed-eoan
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package clevis - 8-1ubuntu0.1

---------------
clevis (8-1ubuntu0.1) bionic; urgency=medium

  * Add clevis-initramfs package (LP: #1872832)

 -- dann frazier <email address hidden> Wed, 29 Apr 2020 16:18:51 -0600

Changed in clevis (Ubuntu Bionic):
status: Fix Committed → Fix Released
Revision history for this message
Brian Murray (brian-murray) wrote : Update Released

The verification of the Stable Release Update for clevis has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package clevis - 11-2ubuntu0.1

---------------
clevis (11-2ubuntu0.1) eoan; urgency=medium

  * Fix FTBFS when bash-completion is installed. (LP: #1872846)
  * Add clevis-initramfs package (LP: #1872832)

 -- dann frazier <email address hidden> Wed, 29 Apr 2020 16:15:55 -0600

Changed in clevis (Ubuntu Eoan):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.