vaultlocker

skip trying to decrypt device if it already exists

Bug #1863014 reported by Rodrigo Barbieri
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Bionic Backports
Fix Released
Undecided
James Page
vaultlocker
Fix Released
Medium
Rodrigo Barbieri
vaultlocker (Ubuntu)
Fix Released
Medium
Unassigned
Eoan
Fix Released
Medium
Unassigned
Focal
Fix Released
Medium
Unassigned

Bug Description

[Impact]
Restarting a vaultlocker-decrypt systemd unit after it has successfully executed results in a hanging vaultlocker process.

[Test Case]
Encrypt a block device using vaultlocker.
Restart the systemd unit associated with the device.

[Regression Potential]
Low - the change simply skips dmcrypt opening of the block device if it is already open on the local system.

[Original Bug Report]
In a scenario where vaultlocker decrypted the device but it ended up not being mounted (either due to bug https://bugs.launchpad.net/vaultlocker/+bug/1838607 or some other reason that I am still investigating), the system is in a state where both "var-lib-nova-instances.mount" and "vaultlocker-decrypt@4fe5e652-ca6b-4c14-aa5f-1085714cf3f1.service" are either failed/failed or inactive/dead.

To cleanly mount the device, I attempted to:

- Restart vaultlocker-decrypt@4fe5e652-ca6b-4c14-aa5f-1085714cf3f1.service. This causes the service to be stuck in state "activating" printing continuously:

Feb 12 18:20:16 juju-cc9161-bionic-queens-vault-6 sh[30272]: DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): 10.5.0.138
Feb 12 18:20:16 juju-cc9161-bionic-queens-vault-6 sh[30272]: DEBUG:urllib3.connectionpool:http://10.5.0.138:8200 "POST /v1/auth/approle/login HTTP/1.1" 200 512
Feb 12 18:20:16 juju-cc9161-bionic-queens-vault-6 sh[30272]: DEBUG:urllib3.connectionpool:http://10.5.0.138:8200 "GET /v1/charm-vaultlocker/juju-cc9161-bionic-queens-vault-6/4fe5e652-ca6b-4c14-aa5f-1085714cf3f1 HTTP/1.1" 200 866
Feb 12 18:20:16 juju-cc9161-bionic-queens-vault-6 sh[30272]: INFO:vaultlocker.dmcrypt:LUKS opening 4fe5e652-ca6b-4c14-aa5f-1085714cf3f1
Feb 12 18:20:16 juju-cc9161-bionic-queens-vault-6 sh[30272]: Device crypt-4fe5e652-ca6b-4c14-aa5f-1085714cf3f1 already exists.

I stopped the service and killed the two processes it spawns in order to stop vaultlocker.

- Restart "var-lib-nova-instances.mount". This caused the same behavior as above because of systemd.requires dependency of the fstab mount entry. Since vaultlocker-decrypt service never transitions to "active", the dependency is never satisfied, so it never tries to mount.

If vaultlocker was patched to transition directly to "active" (and then inactive/dead), then restarting either one of them would be able to *only* mount the decrypted device in this scenario.

My workaround that worked was to run "cryptsetup luksClose /dev/mapper/crypt-4fe5e652-ca6b-4c14-aa5f-1085714cf3f1" and then restart vaultlocker-decrypt@4fe5e652-ca6b-4c14-aa5f-1085714cf3f1.service

See original description
Rodrigo Barbieri (rodrigo-barbieri2010)
Changed in vaultlocker:
assignee: nobody → Rodrigo Barbieri (rodrigo-barbieri2010)
Rodrigo Barbieri (rodrigo-barbieri2010)
tags: added: sts
Revision history for this message
Rodrigo Barbieri (rodrigo-barbieri2010) wrote :

PR: https://github.com/openstack-charmers/vaultlocker/pull/9

Changed in vaultlocker:
status: New → In Progress
James Page (james-page)
Changed in vaultlocker:
status: In Progress → Fix Committed
Changed in vaultlocker (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
Changed in vaultlocker:
importance: Undecided → Medium
James Page (james-page)
Changed in vaultlocker:
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package vaultlocker - 1.0.5-0ubuntu1

---------------
vaultlocker (1.0.5-0ubuntu1) focal; urgency=medium

  * New upstream point release (LP: #1863014).

 -- James Page <email address hidden> Fri, 21 Feb 2020 14:49:41 +0000

Changed in vaultlocker (Ubuntu):
status: Triaged → Fix Released
James Page (james-page)
no longer affects: vaultlocker (Ubuntu Bionic)
Changed in vaultlocker (Ubuntu Eoan):
status: New → Triaged
importance: Undecided → Medium
Revision history for this message
James Page (james-page) wrote :

bionic-backports test build in:

  https://launchpad.net/~james-page/+archive/ubuntu/bionic

description: updated
James Page (james-page)
description: updated
Revision history for this message
Brian Murray (brian-murray) wrote : Please test proposed package

Hello Rodrigo, or anyone else affected,

Accepted vaultlocker into eoan-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/vaultlocker/1.0.6-0ubuntu0.19.10.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-eoan to verification-done-eoan. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-eoan. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in vaultlocker (Ubuntu Eoan):
status: Triaged → Fix Committed
tags: added: verification-needed verification-needed-eoan
James Page (james-page)
Changed in bionic-backports:
status: New → In Progress
assignee: nobody → James Page (james-page)
Revision history for this message
Edward Hope-Morley (hopem) wrote :

eoan-proposed verified using [Test Case] with output:

root@juju-773c15-lp1863014-eoan-10:/home/ubuntu# apt-cache policy vaultlocker
vaultlocker:
  Installed: 1.0.6-0ubuntu0.19.10.1
  Candidate: 1.0.6-0ubuntu0.19.10.1
  Version table:
 *** 1.0.6-0ubuntu0.19.10.1 500
        500 http://archive.ubuntu.com/ubuntu eoan-proposed/universe amd64 Packages
        100 /var/lib/dpkg/status
     1.0.4-0ubuntu0.19.10.1 500
        500 http://nova.clouds.archive.ubuntu.com/ubuntu eoan-updates/universe amd64 Packages
     1.0.3-0ubuntu2 500
        500 http://nova.clouds.archive.ubuntu.com/ubuntu eoan/universe amd64 Packages
root@juju-773c15-lp1863014-eoan-10:/home/ubuntu# systemctl restart vaultlocker-decrypt@76a2e3b7-0977-4dcd-a0c9-ec036259bac1.service
root@juju-773c15-lp1863014-eoan-10:/home/ubuntu# journalctl -u system-vaultlocker\x2ddecrypt.slice
-- Logs begin at Wed 2020-04-15 17:26:55 UTC, end at Thu 2020-04-16 12:58:40 UTC. --
-- No entries --
root@juju-773c15-lp1863014-eoan-10:/home/ubuntu# grep vault /var/log/syslog
Apr 16 12:58:38 juju-773c15-lp1863014-eoan-10 systemd[1]: Created slice system-vaultlocker\x2ddecrypt.slice.
Apr 16 12:58:38 juju-773c15-lp1863014-eoan-10 systemd[1]: Starting vaultlocker retrieve: 76a2e3b7-0977-4dcd-a0c9-ec036259bac1...
Apr 16 12:58:39 juju-773c15-lp1863014-eoan-10 sh[28985]: INFO:vaultlocker.shell:Checking if /dev/mapper/crypt-76a2e3b7-0977-4dcd-a0c9-ec036259bac1 exists.
Apr 16 12:58:39 juju-773c15-lp1863014-eoan-10 sh[28985]: INFO:vaultlocker.shell:Skipping setup of 76a2e3b7-0977-4dcd-a0c9-ec036259bac1 because it already exists.
Apr 16 12:58:39 juju-773c15-lp1863014-eoan-10 systemd[1]: vaultlocker-decrypt@76a2e3b7-0977-4dcd-a0c9-ec036259bac1.service: Succeeded.
Apr 16 12:58:39 juju-773c15-lp1863014-eoan-10 systemd[1]: Started vaultlocker retrieve: 76a2e3b7-0977-4dcd-a0c9-ec036259bac1.

tags: added: sts-sru-needed verification-done verification-done-eoan
removed: verification-needed verification-needed-eoan
Revision history for this message
Łukasz Zemczak (sil2100) wrote : Update Released

The verification of the Stable Release Update for vaultlocker has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package vaultlocker - 1.0.6-0ubuntu0.19.10.1

---------------
vaultlocker (1.0.6-0ubuntu0.19.10.1) eoan; urgency=medium

  * New upstream point release including fixes for:
    - 1.0.5 - Skip trying to decrypt device if it already exists
      (LP: #1863014).
    - 1.0.6 - vaultlocker spins indefinitely if it starts before dns
      is configured (LP: #1868557).

 -- James Page <email address hidden> Thu, 09 Apr 2020 09:41:41 +0100

Changed in vaultlocker (Ubuntu Eoan):
status: Fix Committed → Fix Released
James Page (james-page)
Changed in bionic-backports:
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.