initramfs-tools support
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
clevis (Ubuntu) | Fix Released | Undecided | Unassigned |
Bionic | Fix Released | Undecided | dann frazier |
Eoan | Fix Released | Undecided | dann frazier |
Focal | Fix Released | Undecided | Unassigned |
Bug Description
[Impact]
clevis <= 12 did not integrate with initramfs-tools. This meant that if users wanted to automatically decrypt a luks volume for /, they had to use dracut, which is poorly supported in Ubuntu (see bug 1814460).
[Test Case]
sudo apt install clevis-luks clevis-initramfs
Bind your root luks / device to a remote tang server, e.g.:
sudo clevis luks bind -d /dev/vda3 tang '{"url": "http://
Accept the key when prompted. Reboot - your luks / should automatically decrypt.
[Fix]
As we've done in focal, introduce a new clevis-initramfs package. The patches are all from upstream, and are standalone other than minor build-system changes required to do the build/install.
[Regression Risk]
clevis introduced initramfs-tools support by adding a new leaf package - clevis-initramfs. Existing users would not have this package installed, so would be immune from any issues it causes by default.
The eoan version of this package previously build-depended on dracut, and this requires an additional build-dep on initramfs-tools. dracut and initramfs-tools conflict, so this is an impossible situation. In focal, this was fixed by changing the build-dep on dracut to dracut-core and I've done the same here. AFAICT, the only reason for build-dep'ing on dracut* is that it uses pkgconfig for meson to decide whether or not to install dracut files at all, and the pkgconfig bits for dracut are part of dracut-core, not dracut. There is a risk that there is some other side-effect of the dracut build-dep that could cause a regression. The bionic build doesn't rely on the meson hinting (it hadn't been converted to meson yet), so build-deps weren't impacted.
Changed in clevis (Ubuntu):
status: New → Fix Released
Changed in clevis (Ubuntu Bionic):
assignee: nobody → dann frazier (dannf)
Changed in clevis (Ubuntu Eoan):
assignee: nobody → dann frazier (dannf)
Changed in clevis (Ubuntu Bionic):
status: New → In Progress
Changed in clevis (Ubuntu Eoan):
status: New → In Progress
description: updated
Changed in clevis (Ubuntu Focal):
status: New → Fix Released
As part of this SRU, I think I would like us to make sure that the dracut parts still work as expected. Though I guess that since the only thing that changed dependency-wise is the build-deps, I assume that if the dracut dependencies were wrong, we'd simply get a FTBFS as clevis-dracut would not have the files needed to be installed? Anyway, I think we'd like to verify that at least all the dracut-related files are in the package as before. Not sure if there is any risk of it regressing there - if yes, maybe some smoke-test?
This SRU is more of a new-feature introduction than a bugfix, which usually isn't SRU material. But seeing that there is demand (and this being a universe package), I think I can get this accepted.
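
The file-list check asked for in the comment above, as an added example that is not part of the original bug report or of the clevis packaging: it compares two `dpkg-deb -c` listings of clevis-dracut and fails if any path shipped by the old build is missing from the new one. The function names and the sample listings (including the module name `99example`) are constructed for illustration.

```shell
#!/bin/sh
# Added example. Listings come from `dpkg-deb -c <package>.deb > file`;
# the .deb names are whatever the old and new clevis-dracut builds are called.

# Print the file paths in a `dpkg-deb -c` listing, one per line, sorted.
# Field 6 is the path; directories (trailing /) are skipped and the leading
# "./" becomes "/". Assumes paths contain no spaces.
deb_paths() {
    awk '{ p = $6; sub(/^\.\//, "/", p); if (p !~ /\/$/) print p }' "$1" |
        LC_ALL=C sort -u
}

# Print paths present in the old listing ($1) but absent from the new ($2).
missing_files() {
    old_list=$(mktemp)
    new_list=$(mktemp)
    deb_paths "$1" > "$old_list"
    deb_paths "$2" > "$new_list"
    LC_ALL=C comm -23 "$old_list" "$new_list"
    rm -f "$old_list" "$new_list"
}

# Return 0 when nothing was dropped, 1 (listing the paths) otherwise.
check_no_regression() {
    missing=$(missing_files "$1" "$2")
    [ -z "$missing" ] && return 0
    printf 'missing from new package:\n%s\n' "$missing" >&2
    return 1
}

# Constructed sample listings; the module name 99example is hypothetical.
write_samples() {
    cat > "$1/old.list" <<'EOF'
drwxr-xr-x root/root         0 2020-01-01 00:00 ./usr/lib/dracut/modules.d/
-rwxr-xr-x root/root       512 2020-01-01 00:00 ./usr/lib/dracut/modules.d/99example/module-setup.sh
-rwxr-xr-x root/root       256 2020-01-01 00:00 ./usr/lib/dracut/modules.d/99example/example-hook.sh
EOF
    cat > "$1/new.list" <<'EOF'
drwxr-xr-x root/root         0 2020-02-02 00:00 ./usr/lib/dracut/modules.d/
-rwxr-xr-x root/root       600 2020-02-02 00:00 ./usr/lib/dracut/modules.d/99example/module-setup.sh
EOF
}

# Usage: sh check.sh old.list new.list
if [ "$#" -eq 2 ]; then
    check_no_regression "$1" "$2"
fi
```

A clean file list only shows that nothing was dropped from the package; it does not exercise unlocking under dracut at boot.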