Hi,
We have a problem now with using FAI to do an install which sets up a
2nd hard drive as an encrypted volume.
Our previous FAI server was running fai-server 5.10.3, and this worked.
We use a partitioning scheme like:
disk_config disk1 disklabel:gpt bootable:1 fstabkey:uuid
primary /boot/efi 100MiB vfat rw
primary / 370GiB ext4 rw
primary swap 10GiB-20GiB swap sw
disk_config disk2 disklabel:gpt fstabkey:uuid
primary - 390GiB-500GiB - -
disk_config cryptsetup
luks - disk2.1 - -
During partitioning, this would then create a luks key file in /tmp/fai.
We would then use a script to copy this keyfile to a safe location and
use it in /etc/crypttab to unlock the drive on boot.
However, a while ago we made a new FAI server, this one running
fai-server 6.2.3. Now, FAI partitions the drive and makes the keyfile in
/tmp/fai but then almost immediately deletes it (you can see it if you
cd to /tmp/fai and ls at the exact right moment). Then of course, as
the file no longer exists we can't copy it anywhere, and can't get the
drive to unlock.
Looking at the setup-storage man pages, it says:
"Crypto support requires some site-specific changes: If you use
cryptsetup stanza, a *crypttab*(5) file and key files for all luks
volumes will be created (unless you used the passphrase option). The key
files are left in /tmp/fai; you will want to copy these to some
removable media."
So it looks like this is still supposed to be the behaviour. But does
anyone know why the luks keyfile is being immediately deleted from
/tmp/fai after the partitioning? And either a way to stop it being
deleted or a way to copy the key to somewhere else before it is deleted?
We have just tried updating fai-server to 6.4.1, and recreating the
nfsroot, but with no change in this behaviour.
Thanks,
Richard Grant
University of Leicester
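
The copy-and-crypttab step described in the message above, sketched as an added example that is not part of the original post and is not FAI's own code. The function name, the /etc/luks-keys location, the mapping name and the UUID are assumptions; the caller supplies the source key path and the target root.

```shell
#!/bin/sh
# Added example (not FAI code): copy a LUKS key file into an installed
# system's root with restrictive permissions and reference it from crypttab.
# usage: install_luks_key SRC_KEY TARGET_ROOT MAPPING_NAME LUKS_UUID
install_luks_key() {
    src=$1 root=$2 name=$3 uuid=$4
    keydir="$root/etc/luks-keys"        # hypothetical key location
    dest="$keydir/$name.key"
    crypttab="$root/etc/crypttab"

    # Refuse to write a crypttab entry for a key that is missing or empty.
    [ -s "$src" ] || { echo "key file missing or empty: $src" >&2; return 1; }
    [ -d "$root/etc" ] || { echo "no etc directory under $root" >&2; return 1; }

    # Create the directory and the copy under umask 077 so the key is
    # never readable by group or others, even briefly.
    (
        umask 077
        mkdir -p "$keydir" &&
        rm -f -- "$dest.tmp" &&
        cp -- "$src" "$dest.tmp"
    ) || return 1
    chmod 0700 "$keydir" || return 1
    chmod 0400 "$dest.tmp" || return 1
    mv -f -- "$dest.tmp" "$dest" || return 1

    # The key path in crypttab is the path as seen by the booted system,
    # so it does not include the target root prefix.
    entry="$name UUID=$uuid /etc/luks-keys/$name.key luks"
    touch "$crypttab" || return 1
    # Drop any earlier line for this mapping so reruns do not duplicate it.
    grep -v "^$name[[:space:]]" "$crypttab" > "$crypttab.tmp" || true
    printf '%s\n' "$entry" >> "$crypttab.tmp"
    mv -f -- "$crypttab.tmp" "$crypttab"
}
```

Run as root against the real target, the copied key ends up owned by root with mode 0400 inside a 0700 directory.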