LUKS encrypted, fails to open with /etc/crypttab

#platform=x86, AMD64, or Intel EM64T
#version=DEVEL

text
url --url=http://caching-proxy/repos/rhel8/8.5/rhn/base/unstable
repo --name=cache-rhn-base --baseurl=http://caching-proxy/repos/rhel8/8.5/rhn/base/unstable --install
repo --name=cacherhn-appstream --baseurl=http://caching-proxy/repos/rhel8/8.5/rhn/appstream/unstable --install
lang en_US.UTF-8
keyboard us
rootpw simplePass
timezone Etc/UTC --isUtc
#authconfig --enableshadow --passalgo=sha512 (*authconfig deprecated, use authselect instead)
selinux --enforcing
firewall --disabled

bootloader --location=mbr --append="loglevel=7"
clearpart --all --initlabel
part /boot --fstype=xfs --size=512
part pv.01 --grow --size=1

volgroup vg01 pv.01
logvol / --fstype=xfs --name=lvroot --vgname=vg01 --size=4096 --grow --encrypted --passphrase=SecretPassword

%packages
@core
#osversion: rhel8
# Default package to be removed... eg:
-firewalld
#-omit random pkgs

# start packages
clevis
clevis-dracut
clevis-luks
dracut-config-generic   # we need this image to be portable
dracut-norescue         # rescue mode isn't useful here
## bunch of pkgs, omitted
%end

%post --interpreter=/bin/bash
INITIAL_LUKS_PWFILE=/boot/temp-keyfile
echo SecretPassword > ${INITIAL_LUKS_PWFILE}
udevadm settle
#echo "/dev/mapper/vg01-lvroot / xfs defaults 0 0" >> /etc/fstab
blkid /dev/mapper/vg01-lvroot -s UUID -o value > /tmp/luks-uuid
echo "vg01-lvroot UUID=$(cat /tmp/luks-uuid) ${INITIAL_LUKS_PWFILE} luks,keyfile-timeout=30s" > /etc/crypttab

KERNEL_VERSION=$(rpm -q kernel --qf '%{V}-%{R}.%{arch}\n')
INITRAMFS_FILE=/boot/initramfs-$KERNEL_VERSION.img
DRACUT_CMD="dracut --install ${INITIAL_LUKS_PWFILE} --install /etc/crypttab --verbose -f $INITRAMFS_FILE $KERNEL_VERSION"
echo ${DRACUT_CMD} > /tmp/dracut-cmd     
eval ${DRACUT_CMD} &> /tmp/dracut-output #run the command, save the output.
%end

The above does lead to an entry in the /etc/crypttab file in /mnt/sysroot/etc/crypttab, where it looks like:

luks-<uuid> <uuid> /boot/temp-keyfile luks,keyfile-timeout=30s

However, it doesn't unlock the device and still asks for me to enter the password manually.

One method I used to try to diagnose the issue was running lsinitrd | grep '/etc/crypttab', and I noticed it wasn't inside the initramfs. So I did --install /etc/crypttab inside the kickstart script, and I did find it when I grepped for it. However, this caused the image, when booting (via Packer), to get stuck on 3 white dots on a gray-screen background. (Also, I feel --install /etc/crypttab should not be necessary!)
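
The lsinitrd check described in the question, extended to the keyfile that /etc/crypttab points at, as an added example that is not part of the original post. The function names, the sample crypttab and the sample listing are constructed here, and it assumes lsinitrd prints `ls -l` style rows with the path in the ninth field and no leading slash.

```bash
#!/bin/bash
# Added example (not from the original post): list keyfiles that a crypttab
# references but that are absent from an initramfs file listing.
# On a real system the listing would come from: lsinitrd "$INITRAMFS_FILE" > listing.txt

# Print each keyfile path in CRYPTTAB ($1) that is missing from the
# lsinitrd-style LISTING ($2). Prints nothing when every keyfile is present.
missing_keyfiles() {
    local crypttab=$1 listing=$2 name dev key opts
    while read -r name dev key opts; do
        # Skip blank lines and comments.
        case $name in ''|'#'*) continue ;; esac
        # An empty third field, "none" or "-" means a passphrase prompt, not a keyfile.
        case $key in ''|none|-) continue ;; esac
        # Assumption: field 9 of each listing row is the path, without the leading "/".
        if ! awk -v want="${key#/}" '$9 == want { found = 1 } END { exit !found }' "$listing"; then
            printf '%s\n' "$key"
        fi
    done < "$crypttab"
}

# Constructed sample data: crypttab is in the image, the keyfile is not.
demo() {
    local dir
    dir=$(mktemp -d)
    cat > "$dir/crypttab" <<'EOF'
# constructed sample crypttab
luks-1111 UUID=1111 /boot/temp-keyfile luks,keyfile-timeout=30s
luks-2222 UUID=2222 none luks
EOF
    cat > "$dir/listing" <<'EOF'
-rw-r--r--   1 root     root           62 Jan  1  1970 etc/crypttab
-rwxr-xr-x   1 root     root        12345 Jan  1  1970 usr/bin/bash
EOF
    missing_keyfiles "$dir/crypttab" "$dir/listing"
    rm -rf "$dir"
}

demo   # prints: /boot/temp-keyfile
```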
