[Help/Question] Network Bound Disk Unlocking (Clevis) using Tang on Alpine Linux
gb-123-git opened this issue · 3 comments
Hello,
I am having trouble booting Alpine Linux (v3.19) with a boot image created by booster, so I wanted to check whether the configuration is correct before filing any bug report.
The intent of this test is to generate a boot image using booster to unlock the LUKS boot partition using clevis and tang.
I have installed the following apks:
- clevis
- booster
My configurations:
/etc/booster.yaml
```yaml
# Reference Manual @ https://man.archlinux.org/man/booster.1
network:
  interfaces: eth0
  dhcp: on
universal: false
enable_lvm: true
# default to gzip since that's what mkinitfs uses
compression: gzip
# timeout if mounting of fs fails within given timespan
mount_timeout: 0m60s
# uncomment to enable emergency shell on error/timeout
extra_files: fsck,fsck.ext4
```
/etc/update-extlinux.d/booster
```
LABEL booster
MENU LABEL Linux lts (booster)
LINUX vmlinuz-lts
INITRD booster-lts
APPEND root=/dev/xvda2 rootfstype=ext4 ip=dhcp rd.luks.uuid=5xxxxx-7xxx-4xxx-8xxx-040decxxxxxx rd.neednet=1
```
Note: /dev/xvda2 maps to /dev/mapper/vg0-lv_root once unlocked and booted.
Results:
The image created fails to boot as it fails to unlock using clevis and asks for a password.
Once the password is provided, it fails to boot as it fails to find the root drive.
I also noticed that the UUID of the root that it is trying to find is different from the one provided.
Anything wrong in my configuration?
Hi @gb-123-git,
Let's try to debug. Here are a few things you can try:
- Use a different way to reference your root device, something like `UUID=xxx`. Maybe the name `xvda2` was not correctly mapped.
- Enable universal mode.
- Enable debugging to print more information about the boot sequence, then post the debug logs to us.
@anatol
Thanks for the guidance.
Here is my setup:
This is a VM:
OS: Alpine Linux 3.19
blkid output (when the default boot image is used):
```
/dev/xvda1: UUID="ex-x-x-x-x" BLOCK_SIZE="1024" TYPE="ext4" PARTUUID="x-01"
/dev/xvda2: UUID="5x-7x-4x-8x-0x" TYPE="crypto_LUKS" PARTUUID="x-02"
/dev/mapper/vg0-lv_swap: UUID="3x-ax-4x-8x-8x" TYPE="swap"
/dev/mapper/vg0-lv_root: UUID="6x-ex-4x-bx-fx" BLOCK_SIZE="4096" TYPE="ext4"
/dev/mapper/root: UUID="Px-Gx-nx-zx-0x-3x-Qx" TYPE="LVM2_member"
```
/dev/xvda2 contains the encrypted LVM, which in turn contains /dev/mapper/vg0-lv_root.
Which `root=UUID=$UUID` should I be using from the above?
Updated /etc/update-extlinux.d/booster
```
LABEL booster
MENU LABEL Linux lts (booster)
LINUX vmlinuz-lts
INITRD booster-lts
APPEND rd.luks.uuid=5x-7x-4x-8x-0x root=UUID=6x-ex-4x-bx-fx rootfstype=ext4 booster.log=debug,console
```
My new /etc/booster.yaml
```yaml
# Reference Manual @ https://man.archlinux.org/man/booster.1
network:
  dhcp: on
universal: true
append_all_modaliases: true
enable_lvm: true
compression: gzip
mount_timeout: 0m15s
extra_files: busybox,nano,fsck,fsck.ext4
```
Result:
I get something like `booster: /dev/dm-2 /dev/mapper/vg0-lv_root : file exists` and then `sh: can't access tty; job control turned off`.
So I am unable to run the dmesg command and/or post logs.
This is after I manually enter the password for unlock. Booster does not seem to network unlock.
I manually entered the password to see if I can get to any console so that I can further debug.
The messages on screen come so fast that I can't capture them.
When I try to run `dmesg` or `lsmod`, it says command not found.