- Bug
- Resolution: Unresolved
- Undefined
- None
- rhel-8.10
What were you trying to do that didn't work?
Many customers have systems with encrypted partitions, one for each specific mount point (e.g. for STIG): slash, swap, /var, /var/tmp, etc.
Even when the LUKS devices do not require a passphrase to be decrypted, e.g. because they are bound to a TPM2 device, leapp fails in the reboot phase because it cannot find the devices:

[ 26.800888] /dev/mapper/luks-aecc6a62-900f-4bf5-9808-33f54c76499b: Can't lookup blockdev
[ 26.801568] /dev/mapper/luks-b8e94c2d-855e-43bf-9511-2d530dacfb51: Can't lookup blockdev
[ 26.698390] upgrade[1211]: mount: /opt: special device /dev/mapper/luks-aecc6a62-900f-4bf5-9808-33f54c76499b does not exist.
[ 26.802713] /dev/mapper/luks-da585fa3-1b96-4e27-bd1e-8e6bfd8b4000: Can't lookup blockdev
[ 26.699467] upgrade[1211]: mount: /tmp: special device /dev/mapper/luks-b8e94c2d-855e-43bf-9511-2d530dacfb51 does not exist.
[ 26.700544] upgrade[1211]: mount: /var: special device /dev/mapper/luks-da585fa3-1b96-4e27-bd1e-8e6bfd8b4000 does not exist.
[ 26.701150] upgrade[1211]: mount: /var/log: mount point does not exist.
[ 26.701516] upgrade[1211]: mount: /var/log/audit: mount point does not exist.
[ 26.701915] upgrade[1211]: mount: /var/tmp: mount point does not exist.

The reason is that only slash and swap are pre-decrypted in the initramfs; the rest are meant to be decrypted after switching root, but leapp has no code to do that.
An (ugly) workaround is to pre-decrypt everything in the initramfs by modifying the BLS entry for leapp as shown below, prior to rebooting:

# ALL_RD_LUKS=$(echo $(awk '/^luks/ { print "rd.luks.uuid=" $1 }' /etc/crypttab))
# ALL_RD_VG=$(echo $(vgs -o name --noheadings | awk '{ print "rd.lvm.vg=" $1 }'))
# sed -i "s#^\(options .*\)#\1 $ALL_RD_LUKS $ALL_RD_VG#" /boot/loader/entries/$(cat /etc/machine-id)-upgrade.x86_64.conf
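As an added example (not part of this report or of leapp), the workaround above packaged as POSIX shell functions: one derives the rd.luks.uuid= tokens from a crypttab file, one derives rd.lvm.vg= tokens from a list of VG names, one checks whether a BLS entry's options line already names every luks-* mapping (so the gap can be detected before rebooting), and one appends the tokens with a backup copy. File paths and the VG list are parameters; the crypttab is assumed to use the usual "name device keyfile options" layout with names starting with "luks-", as in the report.

```shell
#!/bin/sh
# Added example, not the reporter's or leapp's code. Paths are parameters so
# the functions can be exercised against copies before touching /boot.

# Print "rd.luks.uuid=<name>" for every luks-* mapping in a crypttab file.
luks_args() {
    awk '/^luks-/ { printf "rd.luks.uuid=%s ", $1 }' "$1" | sed 's/ $//'
}

# Print "rd.lvm.vg=<vg>" for each VG name read from stdin, one per line.
# On a real host: vgs -o name --noheadings | lvm_args
lvm_args() {
    awk 'NF { printf "rd.lvm.vg=%s ", $1 }' | sed 's/ $//'
}

# Return 0 when the entry's "options" line carries a rd.luks.uuid= token for
# every luks-* mapping in the crypttab; otherwise list the missing ones and
# return 1. Usage: check_bls_entry <crypttab> <bls-entry.conf>
check_bls_entry() {
    crypttab=$1; entry=$2; missing=0
    options=$(awk '/^options / { print; exit }' "$entry")
    for name in $(awk '/^luks-/ { print $1 }' "$crypttab"); do
        # match the exact token the workaround writes, surrounded by spaces
        case " $options " in
            *" rd.luks.uuid=$name "*) ;;
            *) echo "missing from $entry: rd.luks.uuid=$name"; missing=1 ;;
        esac
    done
    return $missing
}

# Append extra kernel parameters to the entry's options line in place,
# keeping a .bak copy. The tokens must not contain '#' or '&' (sed syntax).
# Usage: patch_bls_entry <bls-entry.conf> "<extra options>"
patch_bls_entry() {
    sed -i.bak "s#^\(options .*\)#\1 $2#" "$1"
}
```

On a live system the entry path is /boot/loader/entries/$(cat /etc/machine-id)-upgrade.x86_64.conf, as in the workaround; run check_bls_entry first and patch only when it reports missing tokens.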
What is the impact of this issue to you?
Can't upgrade LUKS encrypted (STIG) systems.
Please provide the package NVR for which the bug is seen:
leapp-upgrade-el8toel9-0.23.0-1.el8_10.noarch
How reproducible is this bug?
Steps to reproduce
- Install a UEFI RHEL8 system with a TPM2 and the attached kickstart (beware, French keyboard inside). This will generate an LVM+LUKS layout as shown below:

# lsblk
NAME                                            MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINT
sr0                                              11:0    1 1024M  0 rom
vda                                             252:0    0   30G  0 disk
├─vda1                                          252:1    0  200M  0 part  /boot/efi
├─vda2                                          252:2    0    1G  0 part  /boot
└─vda3                                          252:3    0 28.8G  0 part
  ├─rhel-root                                   253:0    0 14.8G  0 lvm
  │ └─luks-522b7104-47c1-4300-b49a-f5603cddea77 253:2    0 14.8G  0 crypt /
  ├─rhel-swap                                   253:1    0    1G  0 lvm
  │ └─luks-e983569c-1255-44dd-8201-6de51ca5385d 253:3    0 1008M  0 crypt [SWAP]
  ├─rhel-opt                                    253:4    0    1G  0 lvm
  │ └─luks-aecc6a62-900f-4bf5-9808-33f54c76499b 253:11   0 1008M  0 crypt /opt
  ├─rhel-tmp                                    253:5    0    1G  0 lvm
  │ └─luks-b8e94c2d-855e-43bf-9511-2d530dacfb51 253:15   0 1008M  0 crypt /tmp
  ├─rhel-var_tmp                                253:6    0    1G  0 lvm
  │ └─luks-d3542a15-11ba-4e6e-85b8-ed646e3c8425 253:13   0 1008M  0 crypt /var/tmp
  ├─rhel-var_log_audit                          253:7    0    1G  0 lvm
  │ └─luks-aab625bb-4f80-4f26-97be-10a28f75ffc9 253:10   0 1008M  0 crypt /var/log/audit
  ├─rhel-var_log                                253:8    0    1G  0 lvm
  │ └─luks-c32cdc66-3697-416b-8563-3e0f677ab6fe 253:14   0 1008M  0 crypt /var/log
  └─rhel-var                                    253:9    0    8G  0 lvm
    └─luks-da585fa3-1b96-4e27-bd1e-8e6bfd8b4000 253:12   0    8G  0 crypt /var
- Leapp it
Expected results
No failure
Actual results
Emergency prompt