| 2020-09-21 16:06:57 |
dann frazier |
bug |
|
|
added bug |
| 2020-09-21 16:37:07 |
dann frazier |
nominated for series |
|
Ubuntu Groovy |
|
| 2020-09-21 16:37:07 |
dann frazier |
bug task added |
|
clevis (Ubuntu Groovy) |
|
| 2020-09-21 16:37:07 |
dann frazier |
nominated for series |
|
Ubuntu Focal |
|
| 2020-09-21 16:37:07 |
dann frazier |
bug task added |
|
clevis (Ubuntu Focal) |
|
| 2020-09-21 16:37:07 |
dann frazier |
nominated for series |
|
Ubuntu Bionic |
|
| 2020-09-21 16:37:07 |
dann frazier |
bug task added |
|
clevis (Ubuntu Bionic) |
|
| 2020-09-21 17:03:13 |
dann frazier |
clevis (Ubuntu Groovy): status |
New |
In Progress |
|
| 2020-09-21 17:35:44 |
dann frazier |
clevis (Ubuntu Focal): status |
New |
Confirmed |
|
| 2020-09-21 17:35:46 |
dann frazier |
clevis (Ubuntu Bionic): status |
New |
Confirmed |
|
| 2020-09-21 17:35:50 |
dann frazier |
clevis (Ubuntu Groovy): assignee |
|
dann frazier (dannf) |
|
| 2020-09-21 17:36:10 |
dann frazier |
clevis (Ubuntu Focal): status |
Confirmed |
Triaged |
|
| 2020-09-21 17:36:12 |
dann frazier |
clevis (Ubuntu Bionic): status |
Confirmed |
Triaged |
|
| 2020-09-22 19:59:47 |
dann frazier |
clevis (Ubuntu Groovy): status |
In Progress |
Fix Released |
|
| 2020-09-28 22:29:41 |
dann frazier |
description |
[Impact]
Currently if you install clevis-initramfs, it will always try to bring up networking even in cases where it is unnecessary. It's not necessary if, say, the volume is to be unlocked via TPM, or perhaps no pin at all and clevis just happens to be installed. In those cases, the user is stuck waiting for configure_networking() to finish before they get prompted for a passphrase,
and that will take nearly 5 minutes to timeout if the system is offline. It is also not clear to users that it *will* eventually timeout, which they may interpret as leaving their system unbootable w/o a network connection.
[Test Case]
- Regression test a system that is online and uses a tang pin.
- Test a system using a tang pin that is offline, and confirm the user is prompted with a passphrase prompt without delay.
- Test a system that does not use a tang pin and verify that network config is not attempted.
[Fix]
Backport of this upstream patch series:
https://github.com/latchset/clevis/commit/adaef407265479cd1067c4fbf69fdaa0dd6ae586
https://github.com/latchset/clevis/commit/ee369808473945165a3f3b79a52c1d10f29eb5c4
https://github.com/latchset/clevis/commit/780eb30986323613f5b192c03c881caecae8cd7b
[Regression Potential]
If the tang pin detection is buggy, it's possible that systems will fail to auto-unlock using a tang server. It's also possible (but seemingly unlikely) that users have been relying on network access in the initramfs as a side-effect of having clevis installed, and that could no longer be the case if clevis determines it is not necessary for its own purposes. |
[Impact]
Currently if you install clevis-initramfs, it will always try to bring up networking even in cases where it is unnecessary. It's not necessary if, say, the volume is to be unlocked via TPM, or perhaps no pin at all and clevis just happens to be installed. In those cases, the user is stuck waiting for configure_networking() to finish before they get prompted for a passphrase, which will take nearly 5 minutes to timeout if the system is offline. It is also not clear to users that it *will* eventually timeout, which they may interpret as leaving their system unbootable w/o a network connection.
[Test Case]
- Regression test a system that is online and uses a tang pin.
- Test a system using a tang pin that is offline, and confirm the user is prompted with a passphrase prompt without delay.
- Test a system that does not use a tang pin and verify that network config is not attempted.
[Fix]
Backport of this upstream patch series:
https://github.com/latchset/clevis/commit/adaef407265479cd1067c4fbf69fdaa0dd6ae586
https://github.com/latchset/clevis/commit/ee369808473945165a3f3b79a52c1d10f29eb5c4
https://github.com/latchset/clevis/commit/780eb30986323613f5b192c03c881caecae8cd7b
[Regression Potential]
If the tang pin detection is buggy, it's possible that systems will fail to auto-unlock using a tang server. It's also possible (but seemingly unlikely) that users have been relying on network access in the initramfs as a side-effect of having clevis installed, and that could no longer be the case if clevis determines it is not necessary for its own purposes. |
|
| 2020-09-28 22:29:54 |
dann frazier |
clevis (Ubuntu Focal): status |
Triaged |
In Progress |
|
| 2020-09-28 22:29:56 |
dann frazier |
clevis (Ubuntu Focal): assignee |
|
dann frazier (dannf) |
|
| 2020-10-20 21:20:41 |
Brian Murray |
clevis (Ubuntu Focal): status |
In Progress |
Fix Committed |
|
| 2020-10-20 21:20:44 |
Brian Murray |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
| 2020-10-20 21:20:47 |
Brian Murray |
bug |
|
|
added subscriber SRU Verification |
| 2020-10-20 21:20:49 |
Brian Murray |
tags |
|
verification-needed verification-needed-focal |
|
| 2020-10-20 22:11:38 |
Brian Murray |
clevis (Ubuntu Bionic): status |
Triaged |
Fix Committed |
|
| 2020-10-20 22:11:44 |
Brian Murray |
tags |
verification-needed verification-needed-focal |
verification-needed verification-needed-bionic verification-needed-focal |
|
| 2020-10-20 23:39:19 |
dann frazier |
tags |
verification-needed verification-needed-bionic verification-needed-focal |
verification-done-focal verification-needed verification-needed-bionic |
|
| 2020-10-23 20:01:07 |
dann frazier |
tags |
verification-done-focal verification-needed verification-needed-bionic |
verification-done verification-done-bionic verification-done-focal |
|
| 2020-10-28 01:17:24 |
Launchpad Janitor |
clevis (Ubuntu Bionic): status |
Fix Committed |
Fix Released |
|
| 2020-10-28 01:30:53 |
Chris Halse Rogers |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
| 2020-10-28 01:41:43 |
Launchpad Janitor |
clevis (Ubuntu Focal): status |
Fix Committed |
Fix Released |
|
