xcat2 / xcat-core

Code repo for xCAT core packages
Eclipse Public License 1.0

Using inst.cmdline in xnba boot file breaks RHEL 8 LUKS (encryption) #6903

Open mattvw opened 3 years ago

mattvw commented 3 years ago

Hello,

In the xnba boot file for RHEL 8, you are adding 'inst.cmdline' to the kcmdline. This appears to break when using LUKS encryption for the install and you need to specify the passphrase during the install (as opposed to putting it in plain-text in the kickstart/template file). If no passphrase is specified, then RH defaults to prompting you during the install to enter the passphrase to use.

This seems to be set here: https://github.com/xcat2/xcat-core/blob/9cbb9edc5dba8e363d2905e75a009db381ddeabf/xCAT-server/lib/xcat/plugins/anaconda.pm#L1465-L1470

If I manually change it to 'inst.text' in the file after using nodeset, then it prompts me for the passphrase as expected. 'inst.text' allows for interaction but still doesn't use graphical interface for serial console (per RH documentation).

This is the case for RHEL 8 regardless of what you specify in the kickstart/template file. This seems to have changed from the behavior for RHEL 7, where the option specified in the kickstart/template file overrode what was specified on the kcmdline. We have specified 'text' in our kickstart files for both RHEL 7 and RHEL 8.

Can you please make this parameter configurable or, better yet, just change to 'inst.text' what you add to the file instead of 'inst.cmdline'? I believe 'inst.text' should work just fine for what is desired (based on the comments in the code).

Thank you.

besawn commented 3 years ago

@mattvw Thanks for the thorough description of the issue. We will investigate.

mattvw commented 3 years ago

Hello @besawn,

Any updates on a fix for this? I think just changing it to 'inst.text' should work for what is desired (based on the code comments). But if not, can the parameter be configurable through xCAT?

Thanks!

besawn commented 3 years ago

In general, xCAT is intended to be used for fully unattended installation. 'inst.cmdline' still seems to be the most appropriate choice for fully unattended installs. I understand that it would make your use case easier if xCAT changed to using 'inst.text', but there is also a need to balance the behavior expected by the majority of users versus this particular use case.

Approximately how many nodes are you regularly installing using this partially unattended installation method?

mattvw commented 3 years ago

@besawn My apologies for the delay in responding...it's been quite busy here the past month...

We have at least 5 RHEL 8 systems that use LUKS encryption that have this issue currently. The xnba boot file for each of these has to be manually "hacked" after running nodeset to change the kcmdline to 'inst.text' so it would prompt us for the LUKS passphrase correctly (instead of the install simply failing for no obvious reason).

I know we have quite a few RHEL 7 systems with LUKS encryption (many regularly rebuilt) that we are holding off on moving to RHEL 8 due to xCAT not working correctly for RHEL 8 LUKS builds (without having to manually "hack" the xnba boot file after every nodeset).

I feel like what is put in the kickstart should be honored for what is used on the kcmdline, instead of xCAT always overriding it for every install. Like I said, we specify 'text' explicitly in the kickstart file. This worked in RHEL 7 but seems to be broken in RHEL 8 (where what xCAT is setting overrides what is desired by the user).

I understand you want to keep the default to use 'inst.cmdline', as that works for the majority of use cases. But it would be nice if it would be a configurable option, preferably set in the osimage definition possibly? Or it could honor what is specified in the kickstart file too. I'm open to what you think would work best, but it would be preferred to be something that wouldn't have to be set/changed for every nodeset command.

Thank you!

mattvw commented 3 years ago

@besawn Any update or thoughts on this issue?

Thank you!

besawn commented 3 years ago

@mattvw Sorry for the delay. We are not including any new features to address this in the next xCAT release, but we will consider this issue again during planning for the following release. Thanks for the reminder.

mattvw commented 2 years ago

Hello @besawn,

Any updates or thoughts on this issue?

Thank you!

besawn commented 2 years ago

@mattvw I have not forgotten about this request, but it is still lower priority than the other tasks the core team is currently working on.

mattvw commented 2 years ago

Hello @besawn,

Just wanted to check in to see if you had any new updates or thoughts on this issue?

We keep adding more RHEL 8 systems that require LUKS encryption and it'd be really great if we didn't have to manually "hack" the xnba boot file each time we build new ones or rebuild existing ones. (We don't believe having to put LUKS passwords in plain-text in the kickstart files is a valid option with today's security requirements.)

Thank you for your attention and help with this!

besawn commented 2 years ago

@mattvw xCAT supports encrypted passwords for the kickstart file rootpw:

# grep rootpw /install/autoinst/compute001
rootpw --iscrypted $5$1XXXXXXXXXXXXXXXXXXXXXXX

It's possible we could use a similar technique for setting the LUKS passwords you are configuring.

Can you provide an example of the kickstart keywords you are manually modifying after running nodeset? (Please redact any sensitive information.)

mattvw commented 2 years ago

@besawn Sorry for the delay!

The file we have to change is the xnba boot file for the specific system(s) located under /tftpboot/xcat/xnba/nodes/ (I believe this is the default location for xCAT) after running nodeset. We have to change 'inst.cmdline' to 'inst.text' for RHEL 8 builds to allow us to put in the password during the install. We don't change anything in the kickstart file themselves (since that doesn't appear to help for RHEL 8 now).

So for example, after running nodeset, in the file /tftpboot/xcat/xnba/nodes/node1, we would change the line

imgargs kernel quiet inst.repo=http://xcatserver:80/install/rhels8.6.0/x86_64 inst.ks=http://xcatserver/install/autoinst/node1 ip=nic:dhcp inst.cmdline console=tty0 console=ttyS0,115200n8r BOOTIF=01-${netX/machyp}

to

imgargs kernel quiet inst.repo=http://xcatserver:80/install/rhels8.6.0/x86_64 inst.ks=http://xcatserver/install/autoinst/node1 ip=nic:dhcp inst.text console=tty0 console=ttyS0,115200n8r BOOTIF=01-${netX/machyp}

to make it prompt us correctly during the install for the password.

For RHEL 7, we didn't have to change anything in this file and it "just worked" based on the 'text' line in the kickstart file. The RHEL 7 xnba boot file even still has 'inst.cmdline' but it doesn't matter.

For RHEL 8, it no longer seems to honor what's set in the kickstart file and just uses what's set by default in the xnba boot file, which breaks the functionality we expect.

I don't know what exactly changed between RHEL 7 and RHEL 8 to break this exactly. Maybe this is what needs to be investigated further to figure out the real cause of this breaking and see if there's a way to fix it?

Alternatively, having an xCAT option to use 'inst.text' globally for the kcmdline instead of 'inst.cmdline' would be super helpful.

Hopefully this helps clear things up. Let me know if you have any questions.

Thank you for your help!
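The manual post-nodeset edit described in the thread (swapping 'inst.cmdline' for 'inst.text' on the imgargs line of /tftpboot/xcat/xnba/nodes/<node>) is easy to script until xCAT exposes the option. The script below is an added example, not xCAT's own code and not something the issue participants posted. It assumes the default xCAT xnba directory and the imgargs line format quoted above; the node names and the sample kickstart content are constructed for illustration. It also includes a check that is the reason the interactive prompt matters in the first place: anaconda's kickstart `part`/`logvol`/`raid`/`autopart` commands only accept the LUKS passphrase in clear text via `--passphrase=`, with no hashed form comparable to `rootpw --iscrypted`, so a kickstart that carries one should be caught before it is served over HTTP.

```shell
#!/bin/sh
# Added example, not part of xCAT. Post-nodeset fix-up so a RHEL 8 node boots
# the installer with inst.text (interactive, still serial-console friendly)
# instead of inst.cmdline (fully unattended), allowing the LUKS passphrase
# prompt. Assumes the default xnba layout; XNBA_DIR is an illustrative knob.

XNBA_DIR="${XNBA_DIR:-/tftpboot/xcat/xnba/nodes}"

# Report which anaconda UI mode the node's imgargs line currently selects:
# "cmdline", "text", "graphical" or "unknown" (no imgargs line / no flag).
xnba_kcmdline_mode() {
    line=$(grep '^imgargs ' "$1" 2>/dev/null | head -n 1) || true
    case " $line " in
        *" inst.cmdline "*)   echo cmdline ;;
        *" inst.text "*)      echo text ;;
        *" inst.graphical "*) echo graphical ;;
        *)                    echo unknown ;;
    esac
}

# Rewrite one xnba boot file in place: only the imgargs line is touched and
# only the whole token " inst.cmdline " is replaced, so inst.ks=... and the
# console= arguments are left alone. Idempotent: running it twice is a no-op.
# Returns 1 if the file is missing, 2 if it has no imgargs line.
xnba_use_inst_text() {
    file="$1"
    [ -f "$file" ] || { echo "no boot file: $file" >&2; return 1; }
    grep -q '^imgargs ' "$file" || { echo "no imgargs line in $file" >&2; return 2; }
    tmp="$file.tmp.$$"
    sed -e '/^imgargs /{s/ inst\.cmdline / inst.text /g;s/ inst\.cmdline$/ inst.text/;}' \
        "$file" > "$tmp" && mv "$tmp" "$file"
}

# Apply the fix-up to every node named on the command line, e.g. right after
# "nodeset node1,node2 osimage=rhels8.6.0-x86_64-install-compute".
fix_nodes() {
    rc=0
    for node in "$@"; do
        xnba_use_inst_text "$XNBA_DIR/$node" || rc=$?
    done
    return $rc
}

# Print kickstart lines that embed the LUKS passphrase in clear text (secret
# masked in the output). Returns 0 if any were found, 1 if the file is clean.
ks_plaintext_passphrases() {
    out=$(grep -n -E '^(part|partition|logvol|raid|autopart)[[:space:]].*--passphrase(=|[[:space:]])' "$1" \
          | sed -E 's/--passphrase(=|[[:space:]]+)[^[:space:]]+/--passphrase=<redacted>/')
    [ -n "$out" ] || return 1
    printf '%s\n' "$out"
}

# Constructed fixture: writes an xnba boot file shaped like the one quoted in
# the issue (imgargs line verbatim, hostname and node name illustrative).
make_sample_xnba() {
    printf '%s\n' \
        '# constructed sample boot file' \
        'imgargs kernel quiet inst.repo=http://xcatserver:80/install/rhels8.6.0/x86_64 inst.ks=http://xcatserver/install/autoinst/node1 ip=nic:dhcp inst.cmdline console=tty0 console=ttyS0,115200n8r BOOTIF=01-${netX/machyp}' \
        > "$1"
}
```

Usage: `fix_nodes node1 node2` after nodeset, and `ks_plaintext_passphrases /install/autoinst/node1` as a pre-flight check in the same wrapper; a non-zero exit from the first means a node was not patched and will run a fully unattended install that stalls at the passphrase step.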