cockpit-project / cockpit

Cockpit is a web-based graphical interface for servers.
http://www.cockpit-project.org/
GNU Lesser General Public License v2.1

NBDE package check does not work without PackageKit #20602

Open martinpitt opened 1 week ago

martinpitt commented 1 week ago
Sorry, I didn't get a chance to test this until 317 was released, but it's still not working (though it breaks in a new place).

[Image: nbde-fail]

```
$ rpm-ostree status
State: idle
Deployments:
  fedora:fedora/40/x86_64/kinoite
                  Version: 40.20240606.0 (2024-06-06T00:43:46Z)
               BaseCommit: 7a8e9ef139f942aeef07fe3a0ce28d3e9d47aa914f094632c8ac98450e3c5db0
             GPGSignature: Valid signature by 115DF9AEF857853EE8445D0A0727707EA15B79CC
          LayeredPackages: /usr/bin/virsh clevis clevis-dracut clevis-udisks2 cockpit cockpit-machines cockpit-selinux ksshaskpass libvirt postgresql powerline-fonts powerline-go python3-gssapi python3-pip
                           virt-manager zsh
            LocalPackages: redhat-internal-cert-install-0.1-30.el7.csb.noarch redhat-internal-NetworkManager-openvpn-profiles-0.1-54.el7.csb.noarch
                           redhat-internal-NetworkManager-openvpn-profiles-non-gnome-0.1-54.el7.csb.noarch redhat-internal-openvpn-profiles-0.1-54.el7.csb.noarch

● fedora:fedora/40/x86_64/kinoite
                  Version: 40.20240606.0 (2024-06-06T00:43:46Z)
               BaseCommit: 7a8e9ef139f942aeef07fe3a0ce28d3e9d47aa914f094632c8ac98450e3c5db0
             GPGSignature: Valid signature by 115DF9AEF857853EE8445D0A0727707EA15B79CC
          LayeredPackages: /usr/bin/virsh clevis clevis-dracut clevis-udisks2 cockpit cockpit-machines cockpit-selinux ksshaskpass libvirt postgresql powerline-fonts powerline-go python3-gssapi python3-pip
                           virt-manager zsh
            LocalPackages: redhat-internal-cert-install-0.1-30.el7.csb.noarch redhat-internal-NetworkManager-openvpn-profiles-0.1-54.el7.csb.noarch
                           redhat-internal-NetworkManager-openvpn-profiles-non-gnome-0.1-54.el7.csb.noarch redhat-internal-openvpn-profiles-0.1-54.el7.csb.noarch

  fedora:fedora/40/x86_64/kinoite
                  Version: 40.20240605.0 (2024-06-05T00:45:00Z)
               BaseCommit: 28c52fa53e435b6b197ec3af71743ae235308f32d4dfa4a931698d90bdf2d4ad
             GPGSignature: Valid signature by 115DF9AEF857853EE8445D0A0727707EA15B79CC
          LayeredPackages: /usr/bin/virsh clevis clevis-dracut clevis-udisks2 cockpit cockpit-machines cockpit-selinux ksshaskpass libvirt postgresql powerline-fonts powerline-go python3-gssapi python3-pip
                           virt-manager zsh
            LocalPackages: redhat-internal-cert-install-0.1-30.el7.csb.noarch redhat-internal-NetworkManager-openvpn-profiles-0.1-54.el7.csb.noarch
                           redhat-internal-NetworkManager-openvpn-profiles-non-gnome-0.1-54.el7.csb.noarch redhat-internal-openvpn-profiles-0.1-54.el7.csb.noarch
```

I already have clevis-dracut installed as an overlay package, so it shouldn't be trying to install it.

Originally posted by @sgallagher in https://github.com/cockpit-project/cockpit/issues/20419#issuecomment-2152769175

martinpitt commented 1 week ago

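@sgallagher : That functionality is called in two cases:

* `sudo lsinitrd -m` does not contain "clevis"
* `systemctl is-enabled clevis-luks-askpass.path` fails with "not-found"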

It shouldn't be possible to install clevis-dracut without clevis-systemd. But I noticed that merely installing clevis-dracut doesn't actually regenerate the initrd, so most likely you are in that situation?

Can you please check and confirm that it's the missing initrd refresh? It should work after `sudo dracut --force --regenerate-all`. If it's that, then I know what to fix.

sgallagher commented 1 week ago

> @sgallagher : That functionality is called in two cases:
>
> * `sudo lsinitrd -m` does not contain "clevis"

This is the case

> * `systemctl is-enabled clevis-luks-askpass.path` fails with "not-found"

This is enabled

> It shouldn't be possible to install clevis-dracut without clevis-systemd. But I noticed that merely installing clevis-dracut doesn't actually regenerate the initrd, so most likely you are in that situation?

Seems likely.

> Can you please check and confirm that it's the missing initrd refresh? It should work after `sudo dracut --force --regenerate-all`. If it's that, then I know what to fix.

I cannot run dracut on an ostree system, it seems:

```
dracut[F]: Can't write to /boot/efi/9de46937ac73408a91b563c4e76afb84/6.8.11-300.fc40.x86_64: Directory /boot/efi/9de46937ac73408a91b563c4e76afb84/6.8.11-300.fc40.x86_64 does not exist or is not accessible.
```

sgallagher commented 1 week ago

So, just to attempt this from bare-bones, I removed the layered clevis packages from my system and attempted to enable NBDE again. I got the same result: it properly detects that clevis is unavailable and then can't do anything because PackageKit is not installed.

martinpitt commented 1 week ago

Thanks @sgallagher for confirming. Yes, one can't rebuild the initrd in an OSTree system. This really needs to happen in clevis-dracut's %post or a manual rebuild when building the ostree. So cockpit can't magically make this work, but we can handle this more gracefully in the UI -- i.e. not even offer it.
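
The two checks from this thread combined with the OSTree constraint into one decision, as an added example that is not part of the original issue and is not Cockpit's code. The function names and state strings are hypothetical, and `/run/ostree-booted` is assumed as the OSTree marker.

```sh
#!/bin/sh
# Added example, not Cockpit code. Function names and state strings are hypothetical.

# nbde_state MODULES UNIT_STATE OSTREE
#   MODULES     output of `lsinitrd -m` (dracut modules in the current initrd)
#   UNIT_STATE  output of `systemctl is-enabled clevis-luks-askpass.path`
#   OSTREE      "yes" on an OSTree-booted system, otherwise "no"
nbde_state() {
    modules=$1
    unit_state=$2
    ostree=$3

    # Unit unknown to systemd: the clevis packages are not installed.
    if [ "$unit_state" = "not-found" ]; then
        echo "install-packages"
        return 0
    fi

    # Packages present and clevis already in the initrd: nothing to do.
    if printf '%s\n' "$modules" | grep -q 'clevis'; then
        echo "ready"
        return 0
    fi

    # clevis is missing from the initrd. A mutable system can rebuild it with
    # `dracut --force --regenerate-all`; on OSTree it cannot be rebuilt in
    # place, so a UI should not offer the action at all.
    if [ "$ostree" = "yes" ]; then
        echo "unsupported-ostree"
    else
        echo "regenerate-initrd"
    fi
}

# Collect the live inputs. Run as root: without it `lsinitrd -m` cannot read
# the initrd and the module list comes back empty.
nbde_probe() {
    live_modules=$(lsinitrd -m 2>/dev/null || true)
    live_unit=$(systemctl is-enabled clevis-luks-askpass.path 2>/dev/null || true)
    if [ -e /run/ostree-booted ]; then live_ostree=yes; else live_ostree=no; fi
    nbde_state "$live_modules" "$live_unit" "$live_ostree"
}

# Constructed sample: module list of an initrd built without clevis.
SAMPLE_MODULES='bash
systemd
crypt
dm'

nbde_state "$SAMPLE_MODULES" enabled yes
```

`nbde_probe` runs the same classification against the live system.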