Centos 9 dracut unlocker hangs on starting initqueue hooks

[ACiDGRiM]

I've installed the clevis and clevis-dracut packages on a Centos 9 system and after rebuilding the initramfs with dracut it hangs on the step "starting initqueue hooks"

I've made the following changes to ensure my system has an IP address on boot:

cat /etc/dracut.conf.d/network-module.conf 
add_dracutmodules+=" network-manager "

cat /etc/default/grub 
GRUB_TIMEOUT=5
GRUB_GFXPAYLOAD_LINUX=1920x1080x32
GRUB_DISTRIBUTOR="$(sed 's, release .*$,,g' /etc/system-release)"
GRUB_DEFAULT=saved
GRUB_DISABLE_SUBMENU=true
GRUB_TERMINAL_OUTPUT="console"
GRUB_CMDLINE_LINUX="resume=/dev/mapper/cl_spancnode01-swap rd.lvm.lv=cl_spancnode01/root rd.luks.uuid=luks-89fd8945-6bce-49b4-90af-ba9c1615b553 rd.lvm.lv=cl_spancnode01/swap console=ttyS1,115200 rd.neednet=1 ip=enp0s31f6:any crashkernel=1G-4G:192M,4G-64G:256M,64G-:512M"
GRUB_DISABLE_RECOVERY="true"
GRUB_ENABLE_BLSCFG=true

I tried to remove the rd.luks.uuid from the boot cmd and it didn't change anything when dracut crashes to the recovery console, I can source clevis-luks-common-functions and unlock the drive manually with clevis_luks_ unlock_device /dev/sdd3 | cryptsetup luksOpen /dev/sdd3 luks-root and then exiting the recovery console to continue booting.

[sarroutbi]

This seems more like a dracut issue, right? Did you configure clevis to unlock the encrypted device?

Could you please detail the steps followed so that we can have an idea of the issue?

[ACiDGRiM]

I'd agree it could a dracut issue but it only happened after installing clevis, which suggests that the clevis script is hanging

1) install packages 2) bind root disk luks to tang server 3) test dracut network configuration via rd.break and confirm ping 4) boot into system and add _netdev to root crypttab and fstab 5) run dracut -f and reboot 6) initramfs environment hangs at initqueue

I can confirm in the initramfs the crypttab lists the root luks volume. Can you at least give me a pointer on how to manually trigger the askpass sequence and run the clevis dracut unlocker so I can start to rule-out or identify where it's breaking?

[sergio-correia]

What options do you have in your crypttab? Do you have something like _netdev?

[sergio-correia]

I just saw that you have it, from step 4. Please, remove it, recreate your initramfs and try again, to see if it helps.

[ACiDGRiM]

I'm going to reinstall the system from scratch, I have frequent kernel panics before clevis and this was an attempt to bypass the boot prompt while the kernel issue was investigated. I'll update if this occurs or not on a newly deployed and updated system.

[ACiDGRiM]

huh, it actually boots successfully and unlocks the drives with _netdev removed.

Also a point I see in the clevis dracut modulesetup it mentions that rd.neednet is supposed to be turned on, but I have to set it in the kernel cmdline for it to activate the network connection.