[Bug 1634310] Re: crypt:dev=/dev/vdb parameter does not work with randomly generated passphrase
This bug was fixed in the package cloud-initramfs-tools - 0.30ubuntu1.1

---
cloud-initramfs-tools (0.30ubuntu1.1) yakkety; urgency=medium

  * sync with upstream at 0.32ubuntu1 (revno 129)
  * overlayroot: fix overlayroot=crypt with newer initramfs-tools (LP: #1634310)
  * overlayroot: support random seed from systemd systemd-random-seed.service
  * cloud-initramfs-dyn-netconf: Further adjustments to support IPV6 and the new DEVICE6 and net6-DEVICE.conf files. (LP: #1621615)

 -- Scott Moser Mon, 28 Nov 2016 20:21:14 -0500

** Changed in: cloud-initramfs-tools (Ubuntu Yakkety)
       Status: Fix Committed => Fix Released

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1634310

Title:
  crypt:dev=/dev/vdb parameter does not work with randomly generated passphrase

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cloud-initramfs-tools/+bug/1634310/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1634310] Re: crypt:dev=/dev/vdb parameter does not work with randomly generated passphrase
This bug was fixed in the package cloud-initramfs-tools - 0.27ubuntu1.3

---
cloud-initramfs-tools (0.27ubuntu1.3) xenial; urgency=medium

  * sync with upstream at 0.32ubuntu1 (revno 129)
  * overlayroot: fix overlayroot=crypt with newer initramfs-tools (LP: #1634310)
  * overlayroot: support random seed from systemd systemd-random-seed.service
  * cloud-initramfs-dyn-netconf: Further adjustments to support IPV6 and the new DEVICE6 and net6-DEVICE.conf files. (LP: #1621615)
  * overlayroot: support 'overlay' filesystem explicitly rather than relying on ubuntu specific kernel module 'overlayfs'. (LP: #1493188)
  * overlayroot: write debug to /run/initramfs not /dev/.initramfs but support writing to /dev/.initramfs if that is all there is. (LP: #1485752)
  * overlayroot: fix overlayroot if recurse=0 was not provided. This functionality was lost since workdir support was added. (LP: #1619459)
  * whitespace cleanup.

 -- Scott Moser Mon, 28 Nov 2016 20:12:51 -0500

** Changed in: cloud-initramfs-tools (Ubuntu Xenial)
       Status: Fix Committed => Fix Released
[Bug 1634310] Re: crypt:dev=/dev/vdb parameter does not work with randomly generated passphrase
I've verified this functional in yakkety with test case as described above.

$ dpkg-query --show overlayroot
overlayroot 0.30ubuntu1.1
$ cat /etc/cloud/build.info
build_name: server
serial: 20161123

** Tags added: verification-done-yakkety
[Bug 1634310] Re: crypt:dev=/dev/vdb parameter does not work with randomly generated passphrase
I verified this functional in xenial with the test case as described in the sru template. $ dpkg-query --show overlayroot overlayroot 0.27ubuntu1.3 ** Description changed: === Begin SRU Template === [Impact] Using overlay to put overlay data onto an encrypted volume with a randomly generated password does not function as documented. [Test Case] The following should work, but currently does not. Note, to test the fix, between step 1 and 2, you'll need to enable proposed and install overlayroot. 1. Start an instance of a cloud image with 2 disks. -One disk is the root disk, one disk is the target. -This can be done locally with qemu or within openstack or any other cloud. + One disk is the root disk, one disk is the target. + This can be done locally with qemu or within openstack or any other cloud. 2. configure overlayroot to write to target disk, reboot -$ target=/dev/vdb -$ echo "overlayroot=crypt:dev=$target" | sudo tee /etc/overlayroot.local.conf -$ sudo reboot +# remove the entry in /etc/fstab for the device we're using +$ sudo sed -i.dist '/comment=cloudconfig/d' /etc/fstab + + $ target=/dev/vdb + $ echo "overlayroot=crypt:dev=$target" | sudo tee /etc/overlayroot.local.conf + $ sudo reboot 3. log back in and look around -a.) check that 'overlayroot' is in /proc/mounts -$ awk '$1 == "overlayroot" { print $0 }' /proc/mounts -overlayroot / overlay rw,relatime,lowerdir=/media/root-ro,upperdir=/media/root-rw/overlay,workdir=/media/root-rw/overlay-workdir/_ 0 0 + a.) check that 'overlayroot' is in /proc/mounts + $ awk '$1 == "overlayroot" { print $0 }' /proc/mounts + overlayroot / overlay rw,relatime,lowerdir=/media/root-ro,upperdir=/media/root-rw/overlay,workdir=/media/root-rw/overlay-workdir/_ 0 0 -b.) check that the upperdir listed (/media/root-rw) is encrypted -$ df -h /media/root-rw/ -Filesystem Size Used Avail Use% Mounted on -/dev/mapper/secure 40G 50M 38G 1% /media/root-rw + b.) 
check that the upperdir listed (/media/root-rw) is encrypted + $ df -h /media/root-rw/ + Filesystem Size Used Avail Use% Mounted on + /dev/mapper/secure 40G 50M 38G 1% /media/root-rw -c.) check /run/initramfs/overlayroot.log -$ grep success /run/initramfs/overlayroot.log -[success]: configured root with 'crypt:dev=/dev/vdb' using overlay per /dev/vda1/etc/overlayroot.local.conf -d.) show password file. -$ pf=$(echo /run/initramfs/overlayroot.??); -$ for f in $pf; do ls -l $f; sudo cat $f; done --rw--- 1 root root 128 Nov 29 20:22 /run/initramfs/overlayroot.4bHuqg -8c420e20a49254..659eb663e + c.) check /run/initramfs/overlayroot.log + $ grep success /run/initramfs/overlayroot.log + [success]: configured root with 'crypt:dev=/dev/vdb' using overlay per /dev/vda1/etc/overlayroot.local.conf + d.) show password file. + $ pf=$(echo /run/initramfs/overlayroot.??); + $ for f in $pf; do ls -l $f; sudo cat $f; done + -rw--- 1 root root 128 Nov 29 20:22 /run/initramfs/overlayroot.4bHuqg + 8c420e20a49254..659eb663e [Regression Potential] The most likely path for failure on this I would think is related to setting of PERSIST_DIR. If PERSIST_DIR was not set correctly, then the logging would likely fail and the password file would not be created. That should be caught and logged with: - log_fail "failed creation of password file"; + log_fail "failed creation of password file"; [Other Info] The full overlayroot/init-bottom/overlayroot can be seen at [1]. The specific change that fixed the issue is in revision 126 at [2] [1] http://bazaar.launchpad.net/~cloud-initramfs-tools/cloud-initramfs-tools/trunk/view/head:/overlayroot/scripts/init-bottom/overlayroot [2] http://bazaar.launchpad.net/~cloud-initramfs-tools/cloud-initramfs-tools/trunk/revision/126 === End SRU Template === - For the life of me I cannot get the parameter crypt:dev=/dev/vdb to work in /etc/overlayroot.conf. 
I have tried the line overlayroot=crypt:dev=/dev/vdb,pass=somepass,mkfs=0 Which works when I create the LUKS device ahead of time, and set the passphrase 'somepass'. But when I try overlayroot=crypt:dev=/dev/vdb,mkfs=1 or just overlayroot=crypt:dev=/dev/vdb I get no overlay after reboot. I have also tried the "debug=1" parameter and I'm not getting any debug output either. Where are the logs and/or where should I be able to see the debug output? As Dustin has so eloquently documented, it defeats the privacy of your encryption if you have to specify the passphrase in clear text in your unencrypted read-only directory. So the only way I will be using this is if I can use the simple "overlayroot=crypt:dev=/dev/vdb" one-liner and have t
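Review bot: In step 2, the added `sudo sed -i.dist '/comment=cloudconfig/d' /etc/fstab` line matches on the `comment=cloudconfig` option rather than on the device, and it sits before `target=/dev/vdb` is set, so it deletes every fstab line carrying that option and not only the one for the disk under test. Its own comment says "remove the entry in /etc/fstab for the device we're using"; moving the step after `target=` and matching on `$target` would make the command do what the comment states, and the test case should also say how to restore the entry from the `/etc/fstab.dist` backup afterwards.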
[Bug 1634310] Re: crypt:dev=/dev/vdb parameter does not work with randomly generated passphrase
Hello Alexander, or anyone else affected,

Accepted cloud-initramfs-tools into yakkety-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/cloud-initramfs-tools/0.30ubuntu1.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

** Changed in: cloud-initramfs-tools (Ubuntu Yakkety)
       Status: In Progress => Fix Committed
[Bug 1634310] Re: crypt:dev=/dev/vdb parameter does not work with randomly generated passphrase
Hello Alexander, or anyone else affected,

Accepted cloud-initramfs-tools into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/cloud-initramfs-tools/0.27ubuntu1.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

** Changed in: cloud-initramfs-tools (Ubuntu Xenial)
       Status: In Progress => Fix Committed

** Tags added: verification-needed
[Bug 1634310] Re: crypt:dev=/dev/vdb parameter does not work with randomly generated passphrase
** Description changed: + === Begin SRU Template === + [Impact] + Using overlay to put overlay data onto an encrypted volume with a randomly + generated password does not function as documented. + + [Test Case] + The following should work, but currently does not. + Note, to test the fix, between step 1 and 2, you'll need to enable + proposed and install overlayroot. + + 1. Start an instance of a cloud image with 2 disks. +One disk is the root disk, one disk is the target. +This can be done locally with qemu or within openstack or any other cloud. + + 2. configure overlayroot to write to target disk, reboot + +$ target=/dev/vdb +$ echo "overlayroot=crypt:dev=$target" | sudo tee /etc/overlayroot.local.conf +$ sudo reboot + + 3. log back in and look around + +a.) check that 'overlayroot' is in /proc/mounts +$ awk '$1 == "overlayroot" { print $0 }' /proc/mounts +overlayroot / overlay rw,relatime,lowerdir=/media/root-ro,upperdir=/media/root-rw/overlay,workdir=/media/root-rw/overlay-workdir/_ 0 0 + +b.) check that the upperdir listed (/media/root-rw) is encrypted +$ df -h /media/root-rw/ +Filesystem Size Used Avail Use% Mounted on +/dev/mapper/secure 40G 50M 38G 1% /media/root-rw + +c.) check /run/initramfs/overlayroot.log +$ grep success /run/initramfs/overlayroot.log +[success]: configured root with 'crypt:dev=/dev/vdb' using overlay per /dev/vda1/etc/overlayroot.local.conf +d.) show password file. +$ pf=$(echo /run/initramfs/overlayroot.??); +$ for f in $pf; do ls -l $f; sudo cat $f; done +-rw--- 1 root root 128 Nov 29 20:22 /run/initramfs/overlayroot.4bHuqg +8c420e20a49254..659eb663e + + [Regression Potential] + The most likely path for failure on this I would think is related to setting + of PERSIST_DIR. If PERSIST_DIR was not set correctly, then the logging + would likely fail and the password file would not be created. 
+ That should be caught and logged with: + log_fail "failed creation of password file"; + + [Other Info] + The full overlayroot/init-bottom/overlayroot can be seen at [1]. The + specific change that fixed the issue is in revision 126 at [2] + + [1] http://bazaar.launchpad.net/~cloud-initramfs-tools/cloud-initramfs-tools/trunk/view/head:/overlayroot/scripts/init-bottom/overlayroot + [2] http://bazaar.launchpad.net/~cloud-initramfs-tools/cloud-initramfs-tools/trunk/revision/126 + === End SRU Template === + + For the life of me I cannot get the parameter crypt:dev=/dev/vdb to work in /etc/overlayroot.conf. I have tried the line overlayroot=crypt:dev=/dev/vdb,pass=somepass,mkfs=0 Which works when I create the LUKS device ahead of time, and set the passphrase 'somepass'. But when I try overlayroot=crypt:dev=/dev/vdb,mkfs=1 or just overlayroot=crypt:dev=/dev/vdb I get no overlay after reboot. I have also tried the "debug=1" parameter and I'm not getting any debug output either. Where are the logs and/or where should I be able to see the debug output? As Dustin has so eloquently documented, it defeats the privacy of your encryption if you have to specify the passphrase in clear text in your unencrypted read-only directory. So the only way I will be using this is if I can use the simple "overlayroot=crypt:dev=/dev/vdb" one-liner and have the passphrase generated automatically on boot.
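Review bot: In step 3d the glob `/run/initramfs/overlayroot.??` matches only a two-character suffix, while the sample output shows `overlayroot.4bHuqg`, so as written `$pf` stays the literal pattern and `ls -l` fails; the pattern needs one `?` per character of the suffix (six in the sample). The same step prints the generated passphrase with `sudo cat $f`; for verification it is enough to show that the file exists, is owned by root and is non-empty (the `ls -l` line already shows owner and the 128-byte size), which keeps the secret out of terminal scrollback and bug comments.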
[Bug 1634310] Re: crypt:dev=/dev/vdb parameter does not work with randomly generated passphrase
** Also affects: cloud-initramfs-tools (Ubuntu Yakkety)
   Importance: Undecided
       Status: New

** Also affects: cloud-initramfs-tools (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Changed in: cloud-initramfs-tools (Ubuntu Xenial)
       Status: New => Confirmed

** Changed in: cloud-initramfs-tools (Ubuntu Yakkety)
       Status: New => Confirmed

** Changed in: cloud-initramfs-tools (Ubuntu Xenial)
   Importance: Undecided => Medium

** Changed in: cloud-initramfs-tools (Ubuntu Yakkety)
   Importance: Undecided => Medium

** Changed in: cloud-initramfs-tools (Ubuntu Xenial)
       Status: Confirmed => In Progress

** Changed in: cloud-initramfs-tools (Ubuntu Yakkety)
       Status: Confirmed => In Progress

** Changed in: cloud-initramfs-tools (Ubuntu Xenial)
     Assignee: (unassigned) => Scott Moser (smoser)

** Changed in: cloud-initramfs-tools (Ubuntu Yakkety)
     Assignee: (unassigned) => Scott Moser (smoser)
[Bug 1634310] Re: crypt:dev=/dev/vdb parameter does not work with randomly generated passphrase
This bug was fixed in the package cloud-initramfs-tools - 0.32ubuntu1

---
cloud-initramfs-tools (0.32ubuntu1) zesty; urgency=medium

  * overlayroot: fix overlayroot=crypt with newer initramfs-tools (LP: #1634310)
  * overlayroot: support random seed from systemd systemd-random-seed.service

 -- Scott Moser Mon, 14 Nov 2016 12:25:10 -0500

** Changed in: cloud-initramfs-tools (Ubuntu)
       Status: In Progress => Fix Released
[Bug 1634310] Re: crypt:dev=/dev/vdb parameter does not work with randomly generated passphrase
** Branch linked: lp:cloud-initramfs-tools
[Bug 1634310] Re: crypt:dev=/dev/vdb parameter does not work with randomly generated passphrase
** Changed in: cloud-initramfs-tools (Ubuntu)
   Importance: Undecided => High

** Changed in: cloud-initramfs-tools (Ubuntu)
       Status: New => In Progress

** Changed in: cloud-initramfs-tools (Ubuntu)
     Assignee: (unassigned) => Scott Moser (smoser)
[Bug 1634310] Re: crypt:dev=/dev/vdb parameter does not work with randomly generated passphrase
I'm taking a look at this, thanks for the detailed bug report. broken logging is bug 1493188, which is fixed after xenial.
[Bug 1634310] Re: crypt:dev=/dev/vdb parameter does not work with randomly generated passphrase
I can confirm that the crypt parameter without pass= set isn't working in Ubuntu 16.04. At least in the cloud images that I've tested. I tried it on a freshly launched Ubuntu 14.04 instance and had no problems setting overlayroot=crypt:dev=/dev/vdb and getting everything as expected including logging in /dev/.initramfs/${MYTAG}.log. Then I did the same thing on a fresh Ubuntu 16.04 instance and couldn't use the same overlayroot=crypt:dev=/dev/vdb to get the expected result. Then I just tried overlayroot=/dev/vdb, without encryption, after creating a filesystem on the extra volume and that worked, but I still don't get any logging.
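The failure reported in this thread is silent: overlayroot=crypt is configured, the system boots without an overlay, and nothing is logged. The following post-boot check is an added example, not part of the original messages or of cloud-initramfs-tools; the function names are hypothetical, the mount tables are constructed from the SRU test case output, and treating a `/dev/mapper/` source as the encrypted volume is an assumption based on the `/dev/mapper/secure` shown there.

```shell
#!/bin/sh
# Added example (not from cloud-initramfs-tools): post-boot check that
# overlayroot=crypt took effect. Function names and samples are constructed.

# Print the upperdir of the "overlayroot" mount on /, from a
# /proc/mounts-format file ($1). Exit 1 if there is no such mount.
overlay_upperdir() {
    awk '$1 == "overlayroot" && $2 == "/" {
        n = split($4, opt, ",")
        for (i = 1; i <= n; i++)
            if (opt[i] ~ /^upperdir=/) { print substr(opt[i], 10); found = 1 }
    }
    END { exit !found }' "$1"
}

# Print the source device of the filesystem holding path $2: the entry in $1
# whose mount point is the longest prefix of that path.
backing_device() {
    awk -v p="$2" '$1 != "overlayroot" {
        m = $2
        if ((m == "/" || p == m || index(p, m "/") == 1) && length(m) > best) {
            best = length(m); dev = $1
        }
    }
    END { if (dev == "") exit 1; print dev }' "$1"
}

# Succeed only if / is an overlay whose upperdir is on a device-mapper volume.
# On a live system, `sudo cryptsetup status <name>` then confirms it is dm-crypt.
check_crypt_overlay() {
    mounts=${1:-/proc/mounts}
    upper=$(overlay_upperdir "$mounts") ||
        { echo "FAIL: no overlayroot mount on /"; return 1; }
    dev=$(backing_device "$mounts" "$upper") ||
        { echo "FAIL: no backing device found for $upper"; return 1; }
    case $dev in
        /dev/mapper/*) echo "OK: $upper is on $dev" ;;
        *) echo "FAIL: $upper is on $dev, not a device-mapper volume"; return 1 ;;
    esac
}

# Constructed samples: the working state from the SRU test case, the reported
# failure (no overlay after reboot), and an overlay on an unencrypted disk.
sample_ok=$(mktemp); sample_none=$(mktemp); sample_plain=$(mktemp)
trap 'rm -f "$sample_ok" "$sample_none" "$sample_plain"' EXIT
cat > "$sample_ok" <<'EOF'
/dev/vda1 /media/root-ro ext4 ro,relatime 0 0
/dev/mapper/secure /media/root-rw ext4 rw,relatime 0 0
overlayroot / overlay rw,relatime,lowerdir=/media/root-ro,upperdir=/media/root-rw/overlay,workdir=/media/root-rw/overlay-workdir/_ 0 0
EOF
cat > "$sample_none" <<'EOF'
/dev/vda1 / ext4 rw,relatime 0 0
EOF
cat > "$sample_plain" <<'EOF'
/dev/vda1 /media/root-ro ext4 ro,relatime 0 0
/dev/vdb /media/root-rw ext4 rw,relatime 0 0
overlayroot / overlay rw,relatime,lowerdir=/media/root-ro,upperdir=/media/root-rw/overlay,workdir=/media/root-rw/overlay-workdir/_ 0 0
EOF

for s in "$sample_ok" "$sample_none" "$sample_plain"; do
    check_crypt_overlay "$s" || true
done
```

Called with no argument, `check_crypt_overlay` reads `/proc/mounts`, so it can gate a service that must not write data until the encrypted overlay is in place.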
[Bug 1634310] Re: crypt:dev=/dev/vdb parameter does not work with randomly generated passphrase
This is on a fresh Ubuntu 16.04 cloud instance at an OpenStack host, launched from the typical Ubuntu cloud image with overlayroot already included.
[Bug 1634310] Re: crypt:dev=/dev/vdb parameter does not work with randomly generated passphrase
Also, I am not getting any logging output in "/dev/.initramfs/${MYTAG}.log". The .initramfs directory is never created.