Adjustments for clevis with initramfs-tools on Debian Buster

[bytesplit]

It was some long trial and error to get Clevis running on my first container. It is running Debian Buster 10.2.

1. my ps showed a single line for environ making the grep in scripts/local-top/clevis ln 109 fail. I had to adjust it: local "$(grep -o 'CRYPTTAB_SOURCE=/[a-z]*/[a-z]*[0-9]' /proc/"$pid"/environ)" (Yes /dev/ could perhaps be hardcoded and fs could limit to to sd and vd but it worked for me)
2. I had to include the requested ip command in hooks/clevis: copy_exec /bin/ip || die 1 "/bin/ip not found"
3. I'm using DNS lookup to find the tang server, thus I need libnss_dns (also in hooks/clevis): for _LIBRARY in /usr/lib/x86_64-linux-gnu/libnss_dns.so*; do if [ -e "${_LIBRARY}" ]; then copy_exec "${_LIBRARY}" || die 2 "Unable to copy ${_LIBRARY}" fi done
4. Related to 3 - According to some bug report the kernel actually never gets the DNS server. I also added that to a script named 0nameserver to be loaded BEFORE clevis: #!/bin/bash -e echo "nameserver 192.168.0.2" > /etc/resolv.conf

Now clevis is correctly checking with the tang server, encrypts the filesystem and boots!

Disclaimer: I compiled only the clevis scripts for initramfs-tools. Clevis itself is from Buster sources.

[tiagosantosvdl]

I too had issues running clevis 12 from experimental repository on buster 10.3

Your fix #1 solves a very annoying bug that makes bash spam the “warning: command substitution: ignored null byte in input” error The rest didn't apply for me, but I had a different problem. I had to run the configure_networking earlier on, during the init-premount stage, to have the interface up in time for clevis to start, apparently because it has to load a firmware What I did was to create a "preclevis" script in the /etc/initramfs-tools/scripts/init-premount folder containing this:

#!/bin/sh

case $1 in
prereqs) exit 0;;
esac

. /scripts/functions
configure_networking