richm
commented
2 years ago Thanks. Is there a way to test this in an automated fashion?
Closed headwest closed 2 years ago
richm
commented
2 years ago Thanks. Is there a way to test this in an automated fashion?
headwest
commented
2 years ago You're welcome. I add the var name to the existing test for defaults. I've never done automated testing with this role, so I'm not sure what else may be required. For context, this is the situation which made the change necessary. clevis-luks-askpass@.path is what's getting installed by the role. I'm not sure why the @ was added in version 11-9.
# dnf whatprovides "/usr/*/clevis-luks-askpass*"
...
clevis-systemd-11-2.el8.x86_64 : systemd integration for clevis
Repo : rhel-8-for-x86_64-appstream-eus-rpms
Matched from:
Filename : /usr/lib/systemd/system/clevis-luks-askpass.path
Filename : /usr/lib/systemd/system/clevis-luks-askpass.service
Filename : /usr/libexec/clevis-luks-askpass
clevis-systemd-11-9.el8.x86_64 : systemd integration for clevis
Repo : rhel-8-for-x86_64-appstream-eus-rpms
Matched from:
Filename : /usr/lib/systemd/system/clevis-luks-askpass@.path
Filename : /usr/lib/systemd/system/clevis-luks-askpass@.service
Filename : /usr/libexec/clevis-luks-askpass
clevis-systemd-11-9.el8_2.1.x86_64 : systemd integration for clevis
Repo : @System
Matched from:
Filename : /usr/lib/systemd/system/clevis-luks-askpass@.path
Filename : /usr/lib/systemd/system/clevis-luks-askpass@.service
Filename : /usr/libexec/clevis-luks-askpass
clevis-systemd-11-9.el8_2.1.x86_64 : systemd integration for clevis
Repo : rhel-8-for-x86_64-appstream-eus-rpms
Matched from:
Filename : /usr/lib/systemd/system/clevis-luks-askpass@.path
Filename : /usr/lib/systemd/system/clevis-luks-askpass@.service
Filename : /usr/libexec/clevis-luks-askpass@sergio-correia Seems like the role should handle this - it should use either clevis-luks-askpass or clevis-luks-askpass@ depending on the version of clevis-systemd
richm
commented
2 years ago [citest]
sergio-correia
commented
2 years ago @sergio-correia Seems like the role should handle this - it should use either
clevis-luks-askpassorclevis-luks-askpass@depending on the version ofclevis-systemd
Yeah, I also think the role should handle this. However, this was a downstream-only change at the time that was later reverted, so perhaps it will be better to check whether clevis-luks-askpass (or the templated one with @) exists, and handle it differently based on this.
If I recall correctly -- I will have to double check this --, for the templated version, we need to enable it for each LUKS device, something like clevis-luks-askpass@<LUKS-UUID>.path.
richm
commented
2 years ago @sergio-correia Seems like the role should handle this - it should use either
clevis-luks-askpassorclevis-luks-askpass@depending on the version ofclevis-systemdYeah, I also think the role should handle this. However, this was a downstream-only change at the time that was later reverted, so perhaps it will be better to check whether
clevis-luks-askpass(or the templated one with @) exists, and handle it differently based on this.If I recall correctly -- I will have to double check this --, for the templated version, we need to enable it for each LUKS device, something like
clevis-luks-askpass@<LUKS-UUID>.path.
I don't understand - is there a current and/or future version of clevis-systemd that uses clevis-luks-askpass@? Because
this was a downstream-only change at the time that was later reverted
implies that there isn't a version now that supports clevis-luks-askpass@?
sergio-correia
commented
2 years ago @sergio-correia Seems like the role should handle this - it should use either
clevis-luks-askpassorclevis-luks-askpass@depending on the version ofclevis-systemdYeah, I also think the role should handle this. However, this was a downstream-only change at the time that was later reverted, so perhaps it will be better to check whether
clevis-luks-askpass(or the templated one with @) exists, and handle it differently based on this. If I recall correctly -- I will have to double check this --, for the templated version, we need to enable it for each LUKS device, something likeclevis-luks-askpass@<LUKS-UUID>.path.I don't understand - is there a current and/or future version of
clevis-systemdthat usesclevis-luks-askpass@? Becausethis was a downstream-only change at the time that was later reverted
implies that there isn't a version now that supports
clevis-luks-askpass@?
This is correct, current/future versions do not support it, there is only clevis-luks-askpass. Some older versions -- the ones that were shipped in CentOS/RHEL 8.2 and 8.3 -- supported clevis-luks-askpass@
richm
commented
2 years ago This is correct, current/future versions do not support it, there is only clevis-luks-askpass. Some older versions -- the ones that were shipped in CentOS/RHEL 8.2 and 8.3 -- supported clevis-luks-askpass@
Ok - since RHEL 8.2 is an EUS release (https://access.redhat.com/articles/rhel-eus) the role will need special handling for clevis-luks-askpass@ - would you like me to file a BZ for this?
sergio-correia
commented
2 years ago This is correct, current/future versions do not support it, there is only clevis-luks-askpass. Some older versions -- the ones that were shipped in CentOS/RHEL 8.2 and 8.3 -- supported clevis-luks-askpass@
Ok - since RHEL 8.2 is an EUS release (https://access.redhat.com/articles/rhel-eus) the role will need special handling for
clevis-luks-askpass@- would you like me to file a BZ for this?
Sure. Please, go ahead, and thanks in advance.
headwest
commented
2 years ago @sergio-correia Seems like the role should handle this - it should use either
clevis-luks-askpassorclevis-luks-askpass@depending on the version ofclevis-systemdYeah, I also think the role should handle this. However, this was a downstream-only change at the time that was later reverted, so perhaps it will be better to check whether
clevis-luks-askpass(or the templated one with @) exists, and handle it differently based on this.If I recall correctly -- I will have to double check this --, for the templated version, we need to enable it for each LUKS device, something like
clevis-luks-askpass@<LUKS-UUID>.path.
It may be recommended to enable clevis-luks-askpass@<LUKS-UUID>.path, but enabling clevis-luks-askpass@.path seems to work.
sergio-correia
commented
2 years ago @sergio-correia Seems like the role should handle this - it should use either
clevis-luks-askpassorclevis-luks-askpass@depending on the version ofclevis-systemdYeah, I also think the role should handle this. However, this was a downstream-only change at the time that was later reverted, so perhaps it will be better to check whether
clevis-luks-askpass(or the templated one with @) exists, and handle it differently based on this. If I recall correctly -- I will have to double check this --, for the templated version, we need to enable it for each LUKS device, something likeclevis-luks-askpass@<LUKS-UUID>.path.It may be recommended to enable
clevis-luks-askpass@<LUKS-UUID>.path, but enablingclevis-luks-askpass@.pathseems to work.
Probably dracut enabled the @<LUKS-UUID> ones, which is why it works -- could you check if they are enabled, please?
Note that if you are only unlocking /, /usr and/or swap, there is no need to enable it for them, as they will be unlocked in early boot.
headwest
commented
2 years ago @sergio-correia Seems like the role should handle this - it should use either
clevis-luks-askpassorclevis-luks-askpass@depending on the version ofclevis-systemdYeah, I also think the role should handle this. However, this was a downstream-only change at the time that was later reverted, so perhaps it will be better to check whether
clevis-luks-askpass(or the templated one with @) exists, and handle it differently based on this. If I recall correctly -- I will have to double check this --, for the templated version, we need to enable it for each LUKS device, something likeclevis-luks-askpass@<LUKS-UUID>.path.It may be recommended to enable
clevis-luks-askpass@<LUKS-UUID>.path, but enablingclevis-luks-askpass@.pathseems to work.Probably dracut enabled the
@<LUKS-UUID>ones, which is why it works -- could you check if they are enabled, please?Note that if you are only unlocking
/,/usrand/orswap, there is no need to enable it for them, as they will be unlocked in early boot.
We are unlocking secondary storage for virtual machine disks which is mounted at /var/lib/nova/instances. This is what is enabled, and the disk layout after a reboot.
[root@compute-ls-az1-0 ~]# systemctl list-unit-files | grep clevis
clevis-luks-askpass@.path enabled
clevis-luks-askpass@.service static
[root@compute-ls-az1-0 ~]# lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 894.2G 0 disk
├─sda1 8:1 0 200M 0 part
├─sda2 8:2 0 1M 0 part
└─sda3 8:3 0 894G 0 part /
nvme1n1 259:0 0 3.7T 0 disk
└─md0 9:0 0 7.3T 0 raid0
└─luks-bb0a1fb8-25bf-4e4e-958f-ed94c15202d9 253:0 0 7.3T 0 crypt /var/lib/nova/instances
nvme0n1 259:1 0 3.7T 0 disk
└─md0 9:0 0 7.3T 0 raid0
└─luks-bb0a1fb8-25bf-4e4e-958f-ed94c15202d9 253:0 0 7.3T 0 crypt /var/lib/nova/instancessystemctl list-unit-files | grep clevis
What about find /etc/systemd/ -name "clevis-luks-askpass@*"?
headwest
commented
2 years ago Yeah, it's there.
[root@compute-ls-az1-0 ~]# find /etc/systemd/ -name "clevis-luks-askpass@*"
/etc/systemd/system/basic.target.wants/clevis-luks-askpass@.path
/etc/systemd/system/basic.target.wants/clevis-luks-askpass@873a1dfc-9d55-4a79-8cc5-e6505c4d84d6.path
/etc/systemd/system/basic.target.wants/clevis-luks-askpass@bb0a1fb8-25bf-4e4e-958f-ed94c15202d9.pathI have done more testing, and it appears that the Enable clevis askpass unit task isn't required for RHEL 8.2. If the task is skipped, the templated unit is enabled anyway. If it is acceptable to skip the task for RHEL 8.2 (and 8.3?), then I'll be happy to update the PR.
richm
commented
2 years ago I have done more testing, and it appears that the Enable clevis askpass unit task isn't required for RHEL 8.2. If the task is skipped, the templated unit is enabled anyway. If it is acceptable to skip the task for RHEL 8.2 (and 8.3?), then I'll be happy to update the PR.
So, something like this?
- name: Enable clevis askpass unit
service:
name: clevis-luks-askpass.path
name: "{{ nbde_client_clevis_luks_askpass_unit }}"
enabled: yes
when: not ansible_facts["os_family"] == "RedHat" or
(not ansible_facts["distribution_version"] is version("8.2", "==") and
not ansible_facts["distribution_version"] is version("8.3", "=="))The version check is probably not sufficient - not sure if there is a way to get just the major.minor version for comparison purposes.
headwest
commented
2 years ago I have done more testing, and it appears that the Enable clevis askpass unit task isn't required for RHEL 8.2. If the task is skipped, the templated unit is enabled anyway. If it is acceptable to skip the task for RHEL 8.2 (and 8.3?), then I'll be happy to update the PR.
So, something like this?
- name: Enable clevis askpass unit service: name: clevis-luks-askpass.path name: "{{ nbde_client_clevis_luks_askpass_unit }}" enabled: yes when: not ansible_facts["os_family"] == "RedHat" or (not ansible_facts["distribution_version"] is version("8.2", "==") and not ansible_facts["distribution_version"] is version("8.3", "=="))The version check is probably not sufficient - not sure if there is a way to get just the major.minor version for comparison purposes.
Yes, something like that. I'm not sure if this is what you're talking about, but it's what I was using to test. It works on RHEL 8.2, but would need to be structured like your example in order to work properly for non-Red Hat distributions.
when:
- ansible_distribution_version | float != 8.2
- ansible_distribution_version | float != 8.3So a corrected version of what I was doing would be something like this.
when: not ansible_distribution == "RedHat" or
(ansible_distribution_version | float != 8.2) and
(ansible_distribution_version | float != 8.3)I tried a few different rhel systems - it looks like the version is reported like this:
"ansible_facts": {
...
"ansible_distribution_version": "8.7",That is - in major.minor form.
re: using the | float filter - I would strongly prefer the use of the is version(..) test instead
headwest
commented
2 years ago The PR has been updated to use version in a when statement to skip the task for RHEL 8.2 and 8.3. Please let me know if this solution is acceptable.
richm
commented
2 years ago [citest] queue is pretty full - may take a few hours to get results . . .
sergio-correia
commented
2 years ago test failures are known - please ignore - lgtm - @sergio-correia ok?
I think this is an OK change, as it prevents an error in those systems, since the unit we try to enable does not exist there. The needed units are enabled by dracut, which is why it magically works.
headwest
commented
2 years ago It seems there have been updates to the clevis-systemd packages available in RHEL 8.2. The downstream change which started using templated units has been reverted in the latest packages. This PR was trying to workaround the downstream change, but now breaks for RHEL 8.2 (and I assume 8.3) as the unit is never enabled. What is the best way to handle situations like this?
[root@compute-ls-az1-1 ~]# dnf whatprovides "/usr/*/clevis-luks-askpass*"
Updating Subscription Management repositories.
This system is registered to Red Hat Subscription Management, but is not receiving updates. You can use subscription-manager to assign subscriptions.
Last metadata expiration check: 0:03:53 ago on Mon 26 Sep 2022 02:58:51 PM UTC.
clevis-systemd-11-2.el8.x86_64 : systemd integration for clevis
Repo : rhel-8-for-x86_64-appstream-rpms
Matched from:
Filename : /usr/lib/systemd/system/clevis-luks-askpass.path
Filename : /usr/lib/systemd/system/clevis-luks-askpass.service
Filename : /usr/libexec/clevis-luks-askpass
clevis-systemd-11-9.el8.x86_64 : systemd integration for clevis
Repo : rhel-8-for-x86_64-appstream-rpms
Matched from:
Filename : /usr/lib/systemd/system/clevis-luks-askpass@.path
Filename : /usr/lib/systemd/system/clevis-luks-askpass@.service
Filename : /usr/libexec/clevis-luks-askpass
clevis-systemd-11-9.el8_2.1.x86_64 : systemd integration for clevis
Repo : rhel-8-for-x86_64-appstream-rpms
Matched from:
Filename : /usr/lib/systemd/system/clevis-luks-askpass@.path
Filename : /usr/lib/systemd/system/clevis-luks-askpass@.service
Filename : /usr/libexec/clevis-luks-askpass
clevis-systemd-13-3.el8.x86_64 : systemd integration for clevis
Repo : rhel-8-for-x86_64-appstream-rpms
Matched from:
Filename : /usr/lib/systemd/system/clevis-luks-askpass@.path
Filename : /usr/lib/systemd/system/clevis-luks-askpass@.service
Filename : /usr/libexec/clevis-luks-askpass
clevis-systemd-15-1.el8.x86_64 : systemd integration for clevis
Repo : rhel-8-for-x86_64-appstream-rpms
Matched from:
Filename : /usr/lib/systemd/system/clevis-luks-askpass.path
Filename : /usr/lib/systemd/system/clevis-luks-askpass.service
Filename : /usr/libexec/clevis-luks-askpass
clevis-systemd-15-1.el8_5.1.x86_64 : systemd integration for clevis
Repo : rhel-8-for-x86_64-appstream-rpms
Matched from:
Filename : /usr/lib/systemd/system/clevis-luks-askpass.path
Filename : /usr/lib/systemd/system/clevis-luks-askpass.service
Filename : /usr/libexec/clevis-luks-askpass
clevis-systemd-15-8.el8.x86_64 : systemd integration for clevis
Repo : @System
Matched from:
Filename : /usr/lib/systemd/system/clevis-luks-askpass.path
Filename : /usr/lib/systemd/system/clevis-luks-askpass.service
Filename : /usr/libexec/clevis-luks-askpass
clevis-systemd-15-8.el8.x86_64 : systemd integration for clevis
Repo : rhel-8-for-x86_64-appstream-rpms
Matched from:
Filename : /usr/lib/systemd/system/clevis-luks-askpass.path
Filename : /usr/lib/systemd/system/clevis-luks-askpass.service
Filename : /usr/libexec/clevis-luks-askpassIs clevis-systemd-15-1.el8 available in 8.2 and 8.3? I was under the impression that was available in 8.4. From that point on, we have again clevis-luks-askpass.path.
sergio-correia
commented
2 years ago What I had in mind when this PR initially came was something along the lines of gathering the service facts after installing clevis-systemd and checking for clevis-luks-askpass@.service to use in the conditionals. This may be more reliable than checking versions.
headwest
commented
2 years ago Is
clevis-systemd-15-1.el8available in 8.2 and 8.3? I was under the impression that was available in 8.4. From that point on, we have againclevis-luks-askpass.path.
This is the result on two systems, both with RHEL 8.2, but using different repos. I'm not sure why the repos differ between the systems as they should be the same, but that's irrelevant to the issue I suppose. The first is using the rhel-8-for-x86_64-appstream-rpms repo while the latter is using rhel-8-for-x86_64-appstream-eus-rpms.
[root@compute-ls-az1-1 ~]# dnf whatprovides "/usr/*/clevis-luks-askpass*"
...
clevis-systemd-11-2.el8.x86_64 : systemd integration for clevis
Repo : rhel-8-for-x86_64-appstream-rpms
Matched from:
Filename : /usr/lib/systemd/system/clevis-luks-askpass.path
Filename : /usr/lib/systemd/system/clevis-luks-askpass.service
Filename : /usr/libexec/clevis-luks-askpass
clevis-systemd-11-9.el8.x86_64 : systemd integration for clevis
Repo : rhel-8-for-x86_64-appstream-rpms
Matched from:
Filename : /usr/lib/systemd/system/clevis-luks-askpass@.path
Filename : /usr/lib/systemd/system/clevis-luks-askpass@.service
Filename : /usr/libexec/clevis-luks-askpass
clevis-systemd-11-9.el8_2.1.x86_64 : systemd integration for clevis
Repo : rhel-8-for-x86_64-appstream-rpms
Matched from:
Filename : /usr/lib/systemd/system/clevis-luks-askpass@.path
Filename : /usr/lib/systemd/system/clevis-luks-askpass@.service
Filename : /usr/libexec/clevis-luks-askpass
clevis-systemd-13-3.el8.x86_64 : systemd integration for clevis
Repo : rhel-8-for-x86_64-appstream-rpms
Matched from:
Filename : /usr/lib/systemd/system/clevis-luks-askpass@.path
Filename : /usr/lib/systemd/system/clevis-luks-askpass@.service
Filename : /usr/libexec/clevis-luks-askpass
clevis-systemd-15-1.el8.x86_64 : systemd integration for clevis
Repo : rhel-8-for-x86_64-appstream-rpms
Matched from:
Filename : /usr/lib/systemd/system/clevis-luks-askpass.path
Filename : /usr/lib/systemd/system/clevis-luks-askpass.service
Filename : /usr/libexec/clevis-luks-askpass
clevis-systemd-15-1.el8_5.1.x86_64 : systemd integration for clevis
Repo : rhel-8-for-x86_64-appstream-rpms
Matched from:
Filename : /usr/lib/systemd/system/clevis-luks-askpass.path
Filename : /usr/lib/systemd/system/clevis-luks-askpass.service
Filename : /usr/libexec/clevis-luks-askpass
clevis-systemd-15-8.el8.x86_64 : systemd integration for clevis
Repo : @System
Matched from:
Filename : /usr/lib/systemd/system/clevis-luks-askpass.path
Filename : /usr/lib/systemd/system/clevis-luks-askpass.service
Filename : /usr/libexec/clevis-luks-askpass
clevis-systemd-15-8.el8.x86_64 : systemd integration for clevis
Repo : rhel-8-for-x86_64-appstream-rpms
Matched from:
Filename : /usr/lib/systemd/system/clevis-luks-askpass.path
Filename : /usr/lib/systemd/system/clevis-luks-askpass.service
Filename : /usr/libexec/clevis-luks-askpass[root@compute-ls-az2-0 ~]# dnf whatprovides "/usr/*/clevis-luks-askpass*"
...
clevis-systemd-11-2.el8.x86_64 : systemd integration for clevis
Repo : rhel-8-for-x86_64-appstream-eus-rpms
Matched from:
Filename : /usr/lib/systemd/system/clevis-luks-askpass.path
Filename : /usr/lib/systemd/system/clevis-luks-askpass.service
Filename : /usr/libexec/clevis-luks-askpass
clevis-systemd-11-9.el8.x86_64 : systemd integration for clevis
Repo : rhel-8-for-x86_64-appstream-eus-rpms
Matched from:
Filename : /usr/lib/systemd/system/clevis-luks-askpass@.path
Filename : /usr/lib/systemd/system/clevis-luks-askpass@.service
Filename : /usr/libexec/clevis-luks-askpass
clevis-systemd-11-9.el8_2.1.x86_64 : systemd integration for clevis
Repo : @System
Matched from:
Filename : /usr/lib/systemd/system/clevis-luks-askpass@.path
Filename : /usr/lib/systemd/system/clevis-luks-askpass@.service
Filename : /usr/libexec/clevis-luks-askpass
clevis-systemd-11-9.el8_2.1.x86_64 : systemd integration for clevis
Repo : rhel-8-for-x86_64-appstream-eus-rpms
Matched from:
Filename : /usr/lib/systemd/system/clevis-luks-askpass@.path
Filename : /usr/lib/systemd/system/clevis-luks-askpass@.service
Filename : /usr/libexec/clevis-luks-askpass
Allows role consumers to specify the name of the clevis luks askpass systemd unit to enable.