|
 |
0a57f1 |
From aed47c18aee593d155d45c0fe9ba29a9e3123cf6 Mon Sep 17 00:00:00 2001
|
|
|
0a57f1 |
From: Benjamin Gilbert <bgilbert@redhat.com>
|
|
|
0a57f1 |
Date: Mon, 17 Jan 2022 21:17:08 -0500
|
|
|
0a57f1 |
Subject: [PATCH] disks: fix reuse of statically keyed LUKS volume
|
|
|
0a57f1 |
|
|
|
0a57f1 |
We need to persist a volume's keyfile to the real root even if we take
|
|
|
0a57f1 |
the early `continue` when reusing the volume. Rather than copying code,
|
|
|
0a57f1 |
enable persistence up front and then disable it afterward if we decide
|
|
|
0a57f1 |
not to persist the key.
|
|
|
0a57f1 |
|
|
|
0a57f1 |
Fixes error:
|
|
|
0a57f1 |
|
|
|
0a57f1 |
CRITICAL : Ignition failed: creating crypttab entries: missing persisted keyfile for [...]
|
|
|
0a57f1 |
|
|
|
0a57f1 |
Fixes: https://github.com/coreos/ignition/issues/1305
|
|
|
0a57f1 |
Fixes: 65e9c1611128 ("stages/disks: use State to persist keyfiles for files stage")
|
|
|
0a57f1 |
---
|
|
|
0a57f1 |
internal/exec/stages/disks/luks.go | 15 ++++++++-------
|
|
|
0a57f1 |
1 file changed, 8 insertions(+), 7 deletions(-)
|
|
|
0a57f1 |
|
|
|
0a57f1 |
diff --git a/internal/exec/stages/disks/luks.go b/internal/exec/stages/disks/luks.go
|
|
|
0a57f1 |
index 77ecc24e..5fa15e70 100644
|
|
|
0a57f1 |
--- a/internal/exec/stages/disks/luks.go
|
|
|
0a57f1 |
+++ b/internal/exec/stages/disks/luks.go
|
|
|
0a57f1 |
@@ -156,6 +156,13 @@ func (s *stage) createLuks(config types.Config) error {
|
|
|
0a57f1 |
}
|
|
|
0a57f1 |
}
|
|
|
0a57f1 |
}
|
|
|
0a57f1 |
+ // store the key to be persisted into the real root
|
|
|
0a57f1 |
+ // do this here so device reuse works correctly
|
|
|
0a57f1 |
+ key, err := ioutil.ReadFile(keyFilePath)
|
|
|
0a57f1 |
+ if err != nil {
|
|
|
0a57f1 |
+ return fmt.Errorf("failed to read keyfile %q: %w", keyFilePath, err)
|
|
|
0a57f1 |
+ }
|
|
|
0a57f1 |
+ s.State.LuksPersistKeyFiles[luks.Name] = dataurl.EncodeBytes(key)
|
|
|
0a57f1 |
|
|
|
0a57f1 |
if !util.IsTrue(luks.WipeVolume) {
|
|
|
0a57f1 |
// If the volume isn't forcefully being created, then we need
|
|
|
0a57f1 |
@@ -329,13 +336,7 @@ func (s *stage) createLuks(config types.Config) error {
|
|
|
0a57f1 |
); err != nil {
|
|
|
0a57f1 |
return fmt.Errorf("removing key file from luks device: %v", err)
|
|
|
0a57f1 |
}
|
|
|
0a57f1 |
- } else {
|
|
|
0a57f1 |
- // store the key to be persisted into the real root
|
|
|
0a57f1 |
- key, err := ioutil.ReadFile(keyFilePath)
|
|
|
0a57f1 |
- if err != nil {
|
|
|
0a57f1 |
- return fmt.Errorf("failed to read keyfile %q: %w", keyFilePath, err)
|
|
|
0a57f1 |
- }
|
|
|
0a57f1 |
- s.State.LuksPersistKeyFiles[luks.Name] = dataurl.EncodeBytes(key)
|
|
|
0a57f1 |
+ delete(s.State.LuksPersistKeyFiles, luks.Name)
|
|
|
0a57f1 |
}
|
|
|
0a57f1 |
}
|
|
|
0a57f1 |
|
|
|
0a57f1 |
--
|
|
|
0a57f1 |
2.33.1
|
|
|
0a57f1 |
|