reboot doesn't honor disk encryption setting in earlier tinkerbell action during EKS anywhere cluster creation for bare metal

[ygao-armada]

What happened: I try to introduce disk encryption in EKS anywhere cluster for bare metal as follows: I try to setup the the disk encryption for directory like /var in a tinkerbell action (right before tinkerbell action reboot). Everything looks good in following areas:

1. /dev/mapper/ has cryption target name "sda1_crypt"
2. /etc/fstab maps "/var" to "/dev/mapper/sda1_crypt" with type "ext4"
3. /etc/crypttab maps target "sda1_crypt" to partition "/dev/sda1", which is consistent with output of "fdisk -l"

Only interesting thing is that, after command "cryptsetup luksOpen /dev/sda1 sda1_crypt" in the tinkerbell action, dummy file /etc/crypttab is not generated (if we run the command in command line, we will see /etc/crypttab shows up with a comment line).

However, tinkerbell action "reboot" doesn't ask for passphrase, and after reboot, all the cryption setting mentioned above disappears.

What you expected to happen: I expected reboot will ask for encryption passphrase, and after reboot, the encryption settings will stay

How to reproduce it (as minimally and precisely as possible):

Anything else we need to know?:

Environment:

• EKS Anywhere Release:
• EKS Distro Release:

[jacobweinstock]

Hey @ygao-armada , mind sharing your full Tinkerbell workflow? A few things to note:

• /dev/ is not what the OS will see but what in the in memory HookOS sees. Anything like /dev/mapper will not be persistent after a reboot.
• A reboot from HookOS not asking for a passphrase is expected, in my view, as the encrypted disk was never booted into.
• All your actions need to be sure they are working against the disk device and you are using chroot otherwise you'll lose any setup/configuration you've done.

[ygao-armada]

@jacobweinstock thanks for your explanation. Do you plan to make the change so we can get consistent experience with HookOS and later the OS installed on the disk w.r.t /dev especially /dev/mapper, and also reboot asking for passphrase, and the config in /etc ?

My full Tinkerbell workflow is in the EKS anywhere machine template, the main ones are the last 2, "partition_cmds" and "reboot":

    tasks:
    - actions:
      - environment:
          COMPRESSED: "true"
          DEST_DISK: /dev/sda
          IMG_URL: <urlprefix>/ubuntu-2004-efi-eksa-sp-kube-v1.26.7.gz
        image: public.ecr.aws/eks-anywhere/tinkerbell/hub/image2disk:6c0f0d437bde2c836d90b000312c8b25fa1b65e1-eks-a-15
        name: stream-image
        timeout: 2400
      - environment:
          CONTENTS: |
            datasource:
              Ec2:
                metadata_urls: <urls>
                strict_id: false
            manage_etc_hosts: localhost
            warnings:
              dsid_missing_source: off
          DEST_DISK: /dev/sda2
          DEST_PATH: /etc/cloud/cloud.cfg.d/10_tinkerbell.cfg
          DIRMODE: "0700"
          FS_TYPE: ext4
          GID: "0"
          MODE: "0600"
          UID: "0"
        image: public.ecr.aws/eks-anywhere/tinkerbell/hub/writefile:6c0f0d437bde2c836d90b000312c8b25fa1b65e1-eks-a-15
        name: add-tink-cloud-init-config
        timeout: 90
      - environment:
          CONTENTS: |
            network:
              config: disabled
          DEST_DISK: /dev/sda2
          DEST_PATH: /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg
          DIRMODE: "0700"
          FS_TYPE: ext4
          GID: "0"
          MODE: "0600"
          UID: "0"
        image: public.ecr.aws/eks-anywhere/tinkerbell/hub/writefile:6c0f0d437bde2c836d90b000312c8b25fa1b65e1-eks-a-15
        name: disable-cloud-init-network-capabilities
        timeout: 90
      - environment:
          CONTENTS: |
            datasource: Ec2
          DEST_DISK: /dev/sda2
          DEST_PATH: /etc/cloud/ds-identify.cfg
          DIRMODE: "0700"
          FS_TYPE: ext4
          GID: "0"
          MODE: "0600"
          UID: "0"
        image: public.ecr.aws/eks-anywhere/tinkerbell/hub/writefile:6c0f0d437bde2c836d90b000312c8b25fa1b65e1-eks-a-15
        name: add-tink-cloud-init-ds-config
        timeout: 90
      - environment:
          BLOCK_DEVICE: /dev/sda2
          CHROOT: "y"
          CMD_LINE: apt -y update && apt -y install openssl
          DEFAULT_INTERPRETER: /bin/sh -c
          FS_TYPE: ext4
        image: public.ecr.aws/eks-anywhere/tinkerbell/hub/cexec:6c0f0d437bde2c836d90b000312c8b25fa1b65e1-eks-a-41
        name: install-openssl
        timeout: 90
      - environment:
          BLOCK_DEVICE: /dev/sda2
        image: armadaeksatest.azurecr.io/disk_action:v0.1
        name: partition-cmds
        timeout: 120
      - environment:
          BLOCK_DEVICE: /dev/sda2
          FS_TYPE: ext4
          CHROOT: "y"
          DEFAULT_INTERPRETER: "/bin/sh -c"
          CMD_LINE: "useradd --password $(openssl passwd -1 tinkerbell) --shell /bin/bash --create-home --groups sudo tinkerbell"
        image: public.ecr.aws/l0g8r8j6/tinkerbell/hub/cexec:6c0f0d437bde2c836d90b000312c8b25fa1b65e1-eks-a-v0.0.0-dev-build.2301
        name: "create-user"
        timeout: 90
      - environment:
          BLOCK_DEVICE: /dev/sda2
        image: <prefix>disk_action:v0.1
        name: partition-cmds
        timeout: 120
      - name: "reboot"
        image: public.ecr.aws/eks-anywhere/tinkerbell/hub/reboot:6c0f0d437bde2c836d90b000312c8b25fa1b65e1-eks-a-15
        timeout: 90
        volumes:
          - /worker:/worker
      name: mgmt02
      volumes:
      - /dev:/dev
      - /dev/console:/dev/console
      - /lib/firmware:/lib/firmware:ro
      worker: '{{.device_1}}'
    version: "0.1"