anatol / booster

Fast and secure initramfs generator
MIT License

[Help/Question] Network Bound Disk Unlocking (Clevis) using Tang on Alpine Linux #262

Open gb-123-git opened 2 months ago

gb-123-git commented 2 months ago

Hello,

I am having trouble booting Alpine Linux (v3.19) with a boot image created by booster, so I wanted to check if the configuration is correct before filing any bug report. The intent of this test is to generate a boot image using booster to unlock the LUKS boot partition using clevis and tang.

I have installed the following apks :

  1. clevis
  2. booster

My configurations:

/etc/booster.yaml

# Reference Manual @ https://man.archlinux.org/man/booster.1
network:
  interfaces: eth0
  dhcp: on
universal: false
enable_lvm: true

# default to gzip since that's what mkinitfs uses
compression: gzip

# timeout if mounting of fs fails within given timespan
mount_timeout: 0m60s

# extra binaries to include in the image
extra_files: fsck,fsck.ext4

/etc/update-extlinux.d/booster

LABEL booster
        MENU LABEL Linux lts (booster)
        LINUX vmlinuz-lts
        INITRD booster-lts
        APPEND root=/dev/xvda2 rootfstype=ext4 ip=dhcp rd.luks.uuid=5xxxxx-7xxx-4xxx-8xxx-040decxxxxxx rd.neednet=1

Note: /dev/xvda2 maps to /dev/mapper/vg0-lv_root once unlocked and booted.

Results :

The image created fails to boot as it fails to unlock using clevis and asks for a password. Once the password is provided, it fails to boot as it fails to find the root drive. I also noticed that uuid of the root that it is trying to find is different from the one provided.

Anything wrong in my configuration ?

gb-123-git commented 1 month ago

@anatol @nmeum @firasuke Any help would be appreciated. I have gone through everything online but somehow unable to get this working. I really want to switch over to booster. Thanks a lot.

anatol commented 1 month ago

Hi @gb-123-git ,

Let's try to debug. Here are a few things you can try:

gb-123-git commented 1 month ago

@anatol Thanks for the guidance.

Here is my setup:

This is a VM:
OS: Alpine Linux 3.19
blkid output (when the default boot image is used):

/dev/xvda1: UUID="ex-x-x-x-x" BLOCK_SIZE="1024" TYPE="ext4" PARTUUID="x-01"
/dev/xvda2: UUID="5x-7x-4x-8x-0x" TYPE="crypto_LUKS" PARTUUID="x-02"
/dev/mapper/vg0-lv_swap: UUID="3x-ax-4x-8x-8x" TYPE="swap"
/dev/mapper/vg0-lv_root: UUID="6x-ex-4x-bx-fx" BLOCK_SIZE="4096" TYPE="ext4"
/dev/mapper/root: UUID="Px-Gx-nx-zx-0x-3x-Qx" TYPE="LVM2_member"

/dev/xvda2 contains the encrypted LVM, which in turn contains /dev/mapper/vg0-lv_root

Which root=UUID=$UUID should I be using from the above?

Updated /etc/update-extlinux.d/booster

LABEL booster
    MENU LABEL Linux lts (booster)
        LINUX vmlinuz-lts
        INITRD booster-lts
        APPEND rd.luks.uuid=5x-7x-4x-8x-0x root=UUID=6x-ex-4x-bx-fx rootfstype=ext4 booster.log=debug,console

My new /etc/booster.yaml

# Reference Manual @ https://man.archlinux.org/man/booster.1 
network:
  dhcp: on
universal: true
append_all_modaliases: true
enable_lvm: true
compression: gzip
mount_timeout: 0m15s
extra_files: busybox,nano,fsck,fsck.ext4

Result : I get something like booster: /dev/dm-2 /dev/mapper/vg0-lv_root : file exists and then sh: can't access tty; job control turned off

So I am unable to run the dmesg command and/or post logs.

This is after I manually enter the password for unlock. Booster does not seem to network unlock. I manually entered the password to see if I can get to any console so that I can further debug.

The messages on screen come so fast that I can't capture them.

When I try to run dmesg or lsmod, it says command not found.
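The question above ("which root=UUID should I be using?") and the first extlinux stanza in the thread (which pointed root= at /dev/xvda2, the LUKS container) both come down to the same rule: rd.luks.uuid= names the crypto_LUKS container, and root= must name the filesystem inside the unlocked volume, never the container itself. The POSIX sh script below is an added example, not code from the booster project or from either participant. It derives both values from blkid output and refuses a root device that is the LUKS container. The blkid output is constructed with placeholder UUIDs that mirror the layout in the thread; the device names /dev/xvda2 and /dev/mapper/vg0-lv_root are taken from the thread, and the MENU LABEL/LINUX/INITRD lines are assumed to match the stanza the reporter posted. Network-related parameters (ip=dhcp and the like) are not generated here, because their exact form depends on the booster configuration.

```shell
#!/bin/sh
# Added example: derive rd.luks.uuid= and root=UUID= for a LUKS-on-LVM layout
# from blkid output and emit an extlinux stanza. Not from the booster project.
# The blkid output below is constructed (placeholder UUIDs) to mirror the
# layout in the thread; device and LV names are assumptions taken from it.

BLKID_SAMPLE='/dev/xvda1: UUID="11111111-1111-1111-1111-111111111111" BLOCK_SIZE="1024" TYPE="ext4" PARTUUID="aaaaaaaa-01"
/dev/xvda2: UUID="55555555-7777-4444-8888-040dec000000" TYPE="crypto_LUKS" PARTUUID="aaaaaaaa-02"
/dev/mapper/vg0-lv_swap: UUID="33333333-aaaa-4444-8888-888888888888" TYPE="swap"
/dev/mapper/vg0-lv_root: UUID="66666666-eeee-4444-bbbb-ffffffffffff" BLOCK_SIZE="4096" TYPE="ext4"
/dev/mapper/root: UUID="PxGxnx-zx0x-3xQx-xxxx-xxxx-xxxx-xxxxxx" TYPE="LVM2_member"'

# blkid_uuid_of_type BLKID_OUTPUT DEVICE TYPE
# Print the UUID of DEVICE from BLKID_OUTPUT only if its TYPE matches;
# print nothing and return 1 otherwise.
blkid_uuid_of_type() {
    uuid=$(printf '%s\n' "$1" | awk -v dev="$2:" -v want="TYPE=\"$3\"" '
        $1 == dev {
            ok = 0
            for (i = 2; i <= NF; i++) if ($i == want) ok = 1
            if (!ok) exit
            for (i = 2; i <= NF; i++) if ($i ~ /^UUID="/) {
                sub(/^UUID="/, "", $i); sub(/"$/, "", $i); print $i; exit
            }
        }')
    [ -n "$uuid" ] && printf '%s\n' "$uuid"
}

# build_append BLKID_OUTPUT LUKS_DEVICE ROOT_LV_DEVICE
# Emit the root=/rd.luks.uuid= part of the APPEND line, or fail with a reason.
build_append() {
    luks=$(blkid_uuid_of_type "$1" "$2" crypto_LUKS) || {
        echo "error: $2 is not a crypto_LUKS container" >&2; return 1; }
    # root= must be the filesystem inside the unlocked LV. Pointing it at the
    # container (root=/dev/xvda2) makes the initramfs unlock the volume and
    # then fail to find a root filesystem.
    if blkid_uuid_of_type "$1" "$3" crypto_LUKS >/dev/null; then
        echo "error: $3 is the LUKS container, not the root filesystem" >&2; return 1
    fi
    rootfs=$(blkid_uuid_of_type "$1" "$3" ext4) || {
        echo "error: no ext4 filesystem found on $3" >&2; return 1; }
    printf 'root=UUID=%s rootfstype=ext4 rd.luks.uuid=%s\n' "$rootfs" "$luks"
}

# extlinux_stanza BLKID_OUTPUT LUKS_DEVICE ROOT_LV_DEVICE
# Wrap build_append in the stanza shape used in /etc/update-extlinux.d/booster.
extlinux_stanza() {
    append=$(build_append "$@") || return 1
    printf 'LABEL booster\n    MENU LABEL Linux lts (booster)\n    LINUX vmlinuz-lts\n    INITRD booster-lts\n    APPEND %s\n' "$append"
}

# On a real system: extlinux_stanza "$(blkid)" /dev/xvda2 /dev/mapper/vg0-lv_root
extlinux_stanza "$BLKID_SAMPLE" /dev/xvda2 /dev/mapper/vg0-lv_root
```

Run it against live output with `extlinux_stanza "$(blkid)" /dev/xvda2 /dev/mapper/vg0-lv_root` while booted from the stock initramfs (so the LV is mapped and visible to blkid); append whatever network parameters your booster setup needs to the APPEND line it prints.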