NBDE with Clevis and static IP does not work anymore

felixb
Posts: 2
Joined: 2020/03/02 11:39:55

NBDE with Clevis and static IP does not work anymore

Post by felixb » 2020/03/02 12:23:29

Hello community,

I am currently trying to get network-bound disk encryption to work under CentOS 8 using the same commands as with CentOS 7, but I've had no luck so far. A quick summary of my setup:
  • One tang keyserver with an IP address of 192.168.100.10
  • One clevis client with an IP address of 192.168.100.20
  • The gateway is 192.168.100.1
  • Both are inside the same subnet
  • No DHCP
Somewhere around a year ago, I was experimenting with NBDE and used the following command on the clevis client (running CentOS 7 at that time):

```shell
yum install clevis clevis-dracut clevis-luks
clevis luks bind -d /dev/sda3 tang '{ "url": "http://192.168.100.10" }'
dracut -f --kernel-cmdline "ip=192.168.100.20::192.168.100.1:24:192.168.100.20:em1:none"
```
And it just worked. This was all around last year's spring.

Now when I run these commands on the very same machine but running CentOS 8 the automatic decryption does not kick in. I realize that the names of the interfaces have changed, so I used the new one instead of em1 but other than that, the commands are still the same. When I boot the machine I see the password prompt for the root disk but it does not disappear after a while as it did before. Instead, I see a message shortly before that says 'RTNETLINK answers: Network is unreachable'. The funny thing is: I can ping that machine from the tang keyserver.
I even double checked by reinstalling CentOS 7 and running the same set of commands once more. It worked again. Made the switch back to CentOS 8 and it stopped.

If it is any help, here is a tcpdump from the tang keyserver:

```text
12:55:19.677624 ARP, Request who-has 192.168.100.20 (Broadcast) tell 0.0.0.0, length 46
12:55:20.677950 ARP, Request who-has 192.168.100.20 (Broadcast) tell 0.0.0.0, length 46
12:55:21.713101 ARP, Request who-has 192.168.100.1 (Broadcast) tell 192.168.100.20, length 46
```
I would be grateful for any help provided, even a hint in the right direction / where to look would be really helpful.

TrevorH
Forum Moderator
Posts: 29932
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: NBDE with Clevis and static IP does not work anymore

Post by TrevorH » 2020/03/02 12:38:30

I'd suggest changing the netmask in your ip= to use 255.255.255.0 and not 24. The doc says
The netmask parameter is the netmask to be used. This can either be a full netmask for IPv4 (for example 255.255.255.0) or a prefix for IPv6 (for example 64).

felixb
Posts: 2
Joined: 2020/03/02 11:39:55

Re: NBDE with Clevis and static IP does not work anymore

Post by felixb » 2020/03/02 15:01:50

Hi Trevor,

thanks for the hint. I managed to find the culprit:

After increasing the debug level I saw that the clevis hook did indeed get run repeatedly but didn't really do anything. So I took a look at the hook script and I saw that it iterates over the output of the luksmeta command. I then ran the command myself:

```shell
luksmeta show -d /dev/sda3
```
and received the following output:

```text
0   active empty
1 inactive cb6e8904-81ff-40da-a84a-07ab9ab5715e
2 inactive empty
3 inactive empty
4 inactive empty
5 inactive empty
6 inactive empty
7 inactive empty
```
I ran this command before but never really thought about the meaning of the output because everything ran smoothly under CentOS 7. I realized that the hook would never be able to do anything because no slot was both active and had the metadata field set. So I did an unbind of slot 1, which luksmeta now showed as both inactive and empty, and did new bind. This resulted in a slot that was both active and non-empty. It works now :shock:

I have absolutely no idea how this could happen. And I was so sure that the issue was network related... How about we move this thread to a more fitting forum? I will change the netmask to the format you proposed though, because I don't want it to become a problem in a future release.

Thank you for replying so quickly, and have a nice day :)

EDIT / ADDENDUM:

This also just happened on a virtual machine (fresh install). Steps to reproduce:
  1. Create a VM
  2. Install CentOS 8, choosing to encrypt the root drive
  3. After installation is finished, install clevis and related packages
  4. Perform a clevis bind on the root volume
  5. Observe that it does not automatically decrypt
  6. Decrypt manually, do an unbind followed by a bind
  7. Now it works
Should I file a bug report?
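The slot check described in this post, as an added example that is not code from the thread or from the clevis project: it parses `luksmeta show` output and reports whether any slot is both active and tagged with the UUID shown in the listing above, or whether a stale inactive-but-tagged slot needs an unbind and rebind. The clevis hook's exact shell logic is assumed here, not copied; the UUID constant is the one quoted in the post.

```python
from dataclasses import dataclass
from typing import List, Optional

# The UUID that appears in the luksmeta listing above; assumed to be the
# marker clevis writes into the slot's metadata when it binds.
CLEVIS_UUID = "cb6e8904-81ff-40da-a84a-07ab9ab5715e"


@dataclass(frozen=True)
class Slot:
    number: int
    active: bool            # LUKS key-slot state as reported by luksmeta
    uuid: Optional[str]     # None when luksmeta prints "empty"


def parse_luksmeta_show(text: str) -> List[Slot]:
    """Parse the `luksmeta show -d DEV` listing into Slot records."""
    slots = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[0].isdigit():
            continue  # blank or unrelated line
        number, state, uuid = parts
        if state not in ("active", "inactive"):
            raise ValueError(f"unexpected slot state {state!r} in {line!r}")
        slots.append(Slot(int(number), state == "active",
                          None if uuid == "empty" else uuid))
    return slots


def usable_clevis_slots(slots: List[Slot]) -> List[int]:
    """Slots the unlock hook can act on: active AND carrying the clevis UUID."""
    return [s.number for s in slots if s.active and s.uuid == CLEVIS_UUID]


def stale_clevis_slots(slots: List[Slot]) -> List[int]:
    """Slots tagged with clevis metadata but whose key slot is inactive
    (the situation in the listing above; an active 'empty' slot is just
    the ordinary passphrase slot and is not a problem)."""
    return [s.number for s in slots if s.uuid == CLEVIS_UUID and not s.active]


def diagnose(text: str) -> str:
    """Summarise whether automatic unlock can work for this listing."""
    slots = parse_luksmeta_show(text)
    usable = usable_clevis_slots(slots)
    if usable:
        return f"ok: usable clevis binding in slot(s) {usable}"
    stale = stale_clevis_slots(slots)
    if stale:
        return f"broken: slot(s) {stale} tagged but inactive; unbind and rebind"
    return "no clevis binding present"


# Constructed samples: the listing from the post, and one after a rebind.
SAMPLE_BROKEN = "0   active empty\n1 inactive " + CLEVIS_UUID + "\n2 inactive empty\n"
SAMPLE_FIXED = "0   active empty\n1   active " + CLEVIS_UUID + "\n2 inactive empty\n"
```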

nortalf
Posts: 1
Joined: 2020/10/27 09:56:13

Re: NBDE with Clevis and static IP does not work anymore

Post by nortalf » 2020/10/27 10:00:56

Hi felixb,

Could you please explain how you got around this issue? I'd be grateful for the exact commands you used, especially the unbind and the new bind. It seems I have a similar issue now.

Thank you
