user should be warned about problems with multiple nics

Bug #1896289 reported by dann frazier
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
clevis (Ubuntu) | Fix Released | Undecided | dann frazier |
Bionic | Fix Released | Undecided | dann frazier |
Focal | Fix Released | Undecided | dann frazier |
Groovy | Fix Released | Undecided | dann frazier |

Bug Description

[Impact]
If a user has multiple NICs, and only one of them can reach the tang server, the default experience with clevis is unpredictable. initramfs-tools' configure_networking() function will try to configure each interface until one succeeds. But the one that configures fastest may not be the one that can communicate with the server. This could cause the system to fail to automatically unlock a LUKS volume, requiring physical access to enter a passphrase to unlock.

[Fix]
In a multi-NIC case, the only way for configure_networking() to know which interface is the correct one is for the user to tell it. This can be done using the standard ip= command line parameter. However, there are currently no in-band recommendations for the user to know to do this. Since the failure mode will likely be intermittent due to the race, it can be difficult to identify the cause and therefore the solution. We can detect the situation at boot time though, and warn the user, as done in this upstream commit:
  https://github.com/latchset/clevis/commit/ae3249ed5ff102aa57650c3171330c47a41c95e8

[Test Case]
1) Boot a system w/ 2 NICs and no ip= parameter; verify that the warning is displayed.
2) Boot a system w/ 2 NICs and an ip= parameter; verify that the warning is *not* displayed.

In both situations, verify that the system still unlocks automatically.

[Regression Potential]
A coding error here could break auto-unlocking of a LUKS root device, requiring the user to manually enter a passphrase on the console.
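
The boot-time check described under [Fix], sketched as an added example; this is not the upstream commit's code or the Ubuntu patch. The function names are hypothetical, the sysfs directory and kernel command line are passed as arguments so the check can be run offline, and the device lookup assumes the kernel's `ip=<client-ip>:<server-ip>:<gw-ip>:<netmask>:<hostname>:<device>:<autoconf>` syntax.

```shell
#!/bin/sh
# Added example, not clevis code. All function names are hypothetical.

# Print the value of the first ip= token on a kernel command line.
# Matching whole tokens avoids false hits on parameters such as nfsip=.
cmdline_ip_param() {
    for tok in $1; do
        case "$tok" in
            ip=*) printf '%s\n' "${tok#ip=}"; return 0 ;;
        esac
    done
    return 1
}

# Print the <device> field (6th colon-separated field) of an ip= value.
# Short forms such as ip=dhcp name no device and print nothing.
ip_param_device() {
    printf '%s\n' "$1" | cut -s -d: -f6
}

# Count interfaces in a sysfs-style directory (normally /sys/class/net),
# ignoring loopback and non-directory entries such as bonding_masters.
count_nics() {
    n=0
    for path in "$1"/*; do
        [ -d "$path" ] || continue
        case "${path##*/}" in lo) continue ;; esac
        n=$((n + 1))
    done
    echo "$n"
}

# Return 0 and print a warning when the boot is exposed to the race:
# more than one NIC and no ip= parameter to select one.
multi_nic_warning() {
    netdir=$1
    cmdline=$2
    if [ "$(count_nics "$netdir")" -gt 1 ] &&
       ! cmdline_ip_param "$cmdline" >/dev/null; then
        echo "Warning: multiple network interfaces available but no ip= parameter provided." >&2
        return 0
    fi
    return 1
}
```

On a running system the same check is `multi_nic_warning /sys/class/net "$(cat /proc/cmdline)"`.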

dann frazier (dannf)
Changed in clevis (Ubuntu Groovy):
status: New → In Progress
assignee: nobody → dann frazier (dannf)
Changed in clevis (Ubuntu Focal):
status: New → Triaged
Changed in clevis (Ubuntu Bionic):
status: New → Triaged
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package clevis - 13-2ubuntu1

---------------
clevis (13-2ubuntu1) groovy; urgency=medium

  * initramfs: Fix parsing of interface names when bringing the network
    back down in local-bottom, which also avoids a mess of "ip: can't find
    device '/sys/class/net/$iface'" errors on the console. LP: #1896294.
  * initramfs: Warn users with multiple interfaces that they should consider
    specifying an 'ip=' parameter for reliable operation. LP: #1896289.
    As a side-effect, also fix interface parsing while bringing links
    up. LP: #1873593.
  * initramfs: Wait for interface to appear before attempting configuration.
    LP: #1873914.

 -- dann frazier <email address hidden> Mon, 21 Sep 2020 11:04:00 -0600

Changed in clevis (Ubuntu Groovy):
status: In Progress → Fix Released
dann frazier (dannf)
description: updated
dann frazier (dannf)
Changed in clevis (Ubuntu Focal):
status: Triaged → In Progress
Changed in clevis (Ubuntu Bionic):
status: Triaged → In Progress
assignee: nobody → dann frazier (dannf)
Changed in clevis (Ubuntu Focal):
assignee: nobody → dann frazier (dannf)
Brian Murray (brian-murray) wrote : Please test proposed package

Hello dann, or anyone else affected,

Accepted clevis into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/clevis/12-1ubuntu2.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in clevis (Ubuntu Focal):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-focal
Brian Murray (brian-murray) wrote :

Hello dann, or anyone else affected,

Accepted clevis into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/clevis/8-1ubuntu0.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in clevis (Ubuntu Bionic):
status: In Progress → Fix Committed
tags: added: verification-needed-bionic
dann frazier (dannf) wrote :

= focal verification =
== 2 nics, no ip= ==
Begin: Mounting root file system ... Begin: Running /scripts/local-top ... Volume group "ubuntu-vg" not found
  Cannot process volume group ubuntu-vg
Please unlock disk dm_crypt-0:
clevis: Warning: multiple network interfaces available but no ip= parameter provided.
Internet Systems Consortium DHCP Client 4.4.1
Copyright 2004-2018 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/

Listening on LPF/enp7s0/52:54:00:43:b0:20
Sending on LPF/enp7s0/52:54:00:43:b0:20
Listening on LPF/enp1s0/52:54:00:a0:ea:b7
Sending on LPF/enp1s0/52:54:00:a0:ea:b7
Sending on Socket/fallback
DHCPDISCOVER on enp7s0 to 255.255.255.255 port 67 interval 3 (xid=0x1248bd07)
DHCPDISCOVER on enp1s0 to 255.255.255.255 port 67 interval 3 (xid=0xc19e2c5e)
DHCPOFFER of 192.168.122.155 from 192.168.122.1
DHCPREQUEST for 192.168.122.155 on enp1s0 to 255.255.255.255 port 67 (xid=0x5e2c9ec1)
DHCPACK of 192.168.122.155 from 192.168.122.1 (xid=0xc19e2c5e)
bound to 192.168.122.155 -- renewal in 1376 seconds.

cryptsetup: dm_crypt-0: set up successfully
done.
Begin: Running /scripts/local-premount ... [ 8.774867] Btrfs loaded, crc32c=crc32c-intel
Scanning for Btrfs filesystems
done.
Warning: fsck not present, so skipping root file system
[ 8.992696] EXT4-fs (dm-1): mounted filesystem with ordered data mode. Opts: (null)
done.
Begin: Running /scripts/local-bottom ... Terminated
done.
<...>

Ubuntu 20.04.1 LTS clevis-focal ttyS0

clevis-focal login:

== 2 nics, w/ ip= ==
Begin: Mounting root file system ... Begin: Running /scripts/local-top ... Volume group "ubuntu-vg" not found
  Cannot process volume group ubuntu-vg
[ 3.927883] pcieport 0000:00:02.5: pciehp: Failed to check link status
Please unlock disk dm_crypt-0: Begin: clevis: Waiting for interface enp1s0 to become available ... done.
IP-Config: enp1s0 hardware address 52:54:00:a0:ea:b7 mtu 1500 DHCP RARP
IP-Config: no response after 2 secs - giving up
IP-Config: enp1s0 hardware address 52:54:00:a0:ea:b7 mtu 1500 DHCP RARP
IP-Config: enp1s0 complete (dhcp from 192.168.122.1):
 address: 192.168.122.155 broadcast: 192.168.122.255 netmask: 255.255.255.0
 gateway: 192.168.122.1 dns0 : 192.168.122.1 dns1 : 0.0.0.0
 rootserver: 192.168.122.1 rootpath:
 filename :

cryptsetup: dm_crypt-0: set up successfully
done.
Begin: Running /scripts/local-premount ... [ 18.436541] Btrfs loaded, crc32c=crc32c-intel
Scanning for Btrfs filesystems
done.
Warning: fsck not present, so skipping root file system
[ 18.613839] EXT4-fs (dm-1): mounted filesystem with ordered data mode. Opts: (null)
done.
Begin: Running /scripts/local-bottom ... Terminated
done.
<...>
Begin: Mounting root file system ... Begin: Running /scripts/local-top ... Volume group "ubuntu-vg" not found
  Cannot process volume group ubuntu-vg
[ 3.927883] pcieport 0000:00:02.5: pciehp: Failed to check link status
Please unlock disk dm_crypt-0: Begin: clevis: Waiting for interface enp1s0 to become available ... done.
IP-Config: enp1s0 hardware address 52:54:00:a0:ea:b7 mtu 1500 DHCP RARP
IP-Config: no response after 2 secs - giving ...


tags: added: verification-done-focal
removed: verification-needed-focal
dann frazier (dannf) wrote :

= bionic verification =
== 2 nics, no ip= ==
Begin: Running /scripts/init-premount ... done.
Begin: Mounting root file system ... Begin: Running /scripts/local-top ... WARNING: Failed to connect to lvmetad. Falling back to device scanning.
  Volume group "clevis-bionic-vg" not found
  Cannot process volume group clevis-bionic-vg
  WARNING: Failed to connect to lvmetad. Falling back to device scanning.
  Volume group "clevis-bionic-vg" not found
  Cannot process volume group clevis-bionic-vg
Please unlock disk vda3_crypt:
clevis: Warning: multiple network interfaces available but no ip= parameter provided.
IP-Config: enp1s0 hardware address 52:54:00:d7:51:6a mtu 1500 DHCP RARP
IP-Config: enp7s0 hardware address 52:54:00:43:d0:14 mtu 1500 DHCP RARP
IP-Config: no response after 2 secs - giving up
IP-Config: enp1s0 hardware address 52:54:00:d7:51:6a mtu 1500 DHCP RARP
IP-Config: enp7s0 hardware address 52:54:00:43:d0:14 mtu 1500 DHCP RARP
IP-Config: enp1s0 complete (dhcp from 192.168.122.1):
 address: 192.168.122.29 broadcast: 192.168.122.255 netmask: 255.255.255.0
 gateway: 192.168.122.1 dns0 : 192.168.122.1 dns1 : 0.0.0.0
 rootserver: 192.168.122.1 rootpath:
 filename :

[ 16.033245] NET: Registered protocol family 38
  WARNING: Failed to connect to lvmetad. Falling back to device scanning.
  Reading all physical volumes. This may take a while...
  Found volume group "clevis-bionic-vg" using metadata type lvm2
  WARNING: Failed to connect to lvmetad. Falling back to device scanning.
  2 logical volume(s) in volume group "clevis-bionic-vg" now active
cryptsetup (vda3_crypt): set up successfully
done.
Begin: Running /scripts/local-premount ... [ 18.369789] Btrfs loaded, crc32c=crc32c-intel
Scanning for Btrfs filesystems
done.
Begin: Will now check root file system ... fsck from util-linux 2.31.1
[/sbin/fsck.ext4 (1) -- /dev/mapper/clevis--bionic--vg-root] fsck.ext4 -a -C0 /dev/mapper/clevis--bionic--vg-root
/dev/mapper/clevis--bionic--vg-root: clean, 111545/840480 files, 663482/3360768 blocks
done.
[ 18.566842] EXT4-fs (dm-1): mounted filesystem with ordered data mode. Opts: (null)
done.
Begin: Running /scripts/local-bottom ... /scripts/local-top/clevis: line 117: 502 Terminated sleep 5
done.

== 2 nics w/ ip= ==
Begin: Mounting root file system ... Begin: Running /scripts/local-top ... WARNING: Failed to connect to lvmetad. Falling back to device scanning.
  Volume group "clevis-bionic-vg" not found
  Cannot process volume group clevis-bionic-vg
  WARNING: Failed to connect to lvmetad. Falling back to device scanning.
  Volume group "clevis-bionic-vg" not found
  Cannot process volume group clevis-bionic-vg
Please unlock disk vda3_crypt: Begin: clevis: Waiting for interface enp1s0 to become available ... done.
IP-Config: enp1s0 hardware address 52:54:00:d7:51:6a mtu 1500 DHCP RARP
IP-Config: no response after 2 secs - giving up
IP-Config: enp1s0 hardware address 52:54:00:d7:51:6a mtu 1500 DHCP RARP
IP-Config: enp1s0 complete (dhcp from 192.168.122.1):
 address: 192.168.122.30 broadcast: 192.168.122.255 netmask: 255.255.255.0
 gateway: 192.168.122.1 dns0 : 192.168.122.1 dns1 : 0.0.0.0
 rootserv...


tags: added: verification-done verification-done-bionic
removed: verification-needed verification-needed-bionic
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package clevis - 8-1ubuntu0.2

---------------
clevis (8-1ubuntu0.2) bionic; urgency=medium

  * initramfs: Fix parsing of interface names when bringing the network
    back down in local-bottom, which also avoids a mess of "ip: can't find
    device '/sys/class/net/$iface'" errors on the console. LP: #1896294.
  * initramfs: Warn users with multiple interfaces that they should consider
    specifying an 'ip=' parameter for reliable operation. LP: #1896289.
    As a side-effect, also fix interface parsing while bringing links
    up. LP: #1873593.
  * initramfs: Wait for interface to appear before attempting configuration.
    LP: #1873914.
  * initramfs: Make network configuration as-needed. This functionality
    depends on the new clevis-luks-list command which is also backported.
    LP: #1896509. Requires new build-dep on asciidoctor in order to build
    the clevis-luks-list manpage.

 -- dann frazier <email address hidden> Wed, 14 Oct 2020 11:23:01 -0600

Changed in clevis (Ubuntu Bionic):
status: Fix Committed → Fix Released
Chris Halse Rogers (raof) wrote : Update Released

The verification of the Stable Release Update for clevis has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package clevis - 12-1ubuntu2.2

---------------
clevis (12-1ubuntu2.2) focal; urgency=medium

  * initramfs: Fix parsing of interface names when bringing the network
    back down in local-bottom, which also avoids a mess of "ip: can't find
    device '/sys/class/net/$iface'" errors on the console. LP: #1896294.
  * initramfs: Warn users with multiple interfaces that they should consider
    specifying an 'ip=' parameter for reliable operation. LP: #1896289.
    As a side-effect, also fix interface parsing while bringing links
    up. LP: #1873593.
  * initramfs: Wait for interface to appear before attempting configuration.
    LP: #1873914.
  * initramfs: Make network configuration as-needed. This functionality
    depends on the new clevis-luks-list command which is also backported.
    LP: #1896509.

 -- dann frazier <email address hidden> Tue, 13 Oct 2020 17:00:47 -0600

Changed in clevis (Ubuntu Focal):
status: Fix Committed → Fix Released