|
 |
dcf37d |
From aed47c18aee593d155d45c0fe9ba29a9e3123cf6 Mon Sep 17 00:00:00 2001
|
|
|
dcf37d |
From: Benjamin Gilbert <bgilbert@redhat.com>
|
|
|
dcf37d |
Date: Mon, 17 Jan 2022 21:17:08 -0500
|
|
|
dcf37d |
Subject: [PATCH] disks: fix reuse of statically keyed LUKS volume
|
|
|
dcf37d |
|
|
|
dcf37d |
We need to persist a volume's keyfile to the real root even if we take
|
|
|
dcf37d |
the early `continue` when reusing the volume. Rather than copying code,
|
|
|
dcf37d |
enable persistence up front and then disable it afterward if we decide
|
|
|
dcf37d |
not to persist the key.
|
|
|
dcf37d |
|
|
|
dcf37d |
Fixes error:
|
|
|
dcf37d |
|
|
|
dcf37d |
CRITICAL : Ignition failed: creating crypttab entries: missing persisted keyfile for [...]
|
|
|
dcf37d |
|
|
|
dcf37d |
Fixes: https://github.com/coreos/ignition/issues/1305
|
|
|
dcf37d |
Fixes: 65e9c1611128 ("stages/disks: use State to persist keyfiles for files stage")
|
|
|
dcf37d |
---
|
|
|
dcf37d |
internal/exec/stages/disks/luks.go | 15 ++++++++-------
|
|
|
dcf37d |
1 file changed, 8 insertions(+), 7 deletions(-)
|
|
|
dcf37d |
|
|
|
dcf37d |
diff --git a/internal/exec/stages/disks/luks.go b/internal/exec/stages/disks/luks.go
|
|
|
dcf37d |
index 77ecc24e..5fa15e70 100644
|
|
|
dcf37d |
--- a/internal/exec/stages/disks/luks.go
|
|
|
dcf37d |
+++ b/internal/exec/stages/disks/luks.go
|
|
|
dcf37d |
@@ -156,6 +156,13 @@ func (s *stage) createLuks(config types.Config) error {
|
|
|
dcf37d |
}
|
|
|
dcf37d |
}
|
|
|
dcf37d |
}
|
|
|
dcf37d |
+ // store the key to be persisted into the real root
|
|
|
dcf37d |
+ // do this here so device reuse works correctly
|
|
|
dcf37d |
+ key, err := ioutil.ReadFile(keyFilePath)
|
|
|
dcf37d |
+ if err != nil {
|
|
|
dcf37d |
+ return fmt.Errorf("failed to read keyfile %q: %w", keyFilePath, err)
|
|
|
dcf37d |
+ }
|
|
|
dcf37d |
+ s.State.LuksPersistKeyFiles[luks.Name] = dataurl.EncodeBytes(key)
|
|
|
dcf37d |
|
|
|
dcf37d |
if !util.IsTrue(luks.WipeVolume) {
|
|
|
dcf37d |
// If the volume isn't forcefully being created, then we need
|
|
|
dcf37d |
@@ -329,13 +336,7 @@ func (s *stage) createLuks(config types.Config) error {
|
|
|
dcf37d |
); err != nil {
|
|
|
dcf37d |
return fmt.Errorf("removing key file from luks device: %v", err)
|
|
|
dcf37d |
}
|
|
|
dcf37d |
- } else {
|
|
|
dcf37d |
- // store the key to be persisted into the real root
|
|
|
dcf37d |
- key, err := ioutil.ReadFile(keyFilePath)
|
|
|
dcf37d |
- if err != nil {
|
|
|
dcf37d |
- return fmt.Errorf("failed to read keyfile %q: %w", keyFilePath, err)
|
|
|
dcf37d |
- }
|
|
|
dcf37d |
- s.State.LuksPersistKeyFiles[luks.Name] = dataurl.EncodeBytes(key)
|
|
|
dcf37d |
+ delete(s.State.LuksPersistKeyFiles, luks.Name)
|
|
|
dcf37d |
}
|
|
|
dcf37d |
}
|
|
|
dcf37d |
|
|
|
dcf37d |
--
|
|
|
dcf37d |
2.33.1
|
|
|
dcf37d |
|