Dracut module issue detecting TANG for "rd.neednet" injection #468
Comments
Anyway, I have not found any

```
$ grep -r pipefail
modules.d/99kdumpbase/kdump.sh:# POSIX doesn't have pipefail, only apply when using bash
modules.d/99kdumpbase/kdump.sh:[ -n "$BASH" ] && set -o pipefail
```

This is a RHEL9 system and I don't believe I have enabled or disabled anything from install. I don't even know what kdump is.

Thanks, so it has to be enabled somewhere else. I have checked Dracut sources and it seems

According to https://unix.stackexchange.com/a/743266/239414 the solution could be:

```
if (clevis luks list -d "${dev}"; true) | grep -q tang; then
```

but that looks more like a workaround to me (but my opinion is not unbiased due to my script 😅).

I was configuring network based decryption on my system and noticed the system was not decrypting. I've set it up before and was pretty baffled. I narrowed it down to the lack of "rd.neednet" being present on the commandline. Why I asked, that should be automatic. Turns out there is some issue with the check. I'm /guessing/ it has to do with "hardware" (this is a VM, with a networked disk) speed.
This is the questionable line of code.
clevis/src/luks/dracut/clevis-pin-tang/module-setup.sh.in
Line 30 in 2b34226
I hacked up the module-setup.sh to figure out what was going on. I added these lines:
This is what I got:
From a "quick google" it seems like the exit code 141 is because "pipefail" is set (dracut sets it??) and `grep -q` terminates as soon as a match is found but the previous command is still running / printing to the pipe.

Some solutions:

```
if grep -q tang <(clevis luks list -d "${dev}")
```
--
Just for some further clarity. I do believe that my having additional unlockers is partially to blame. But I think that should be a supported configuration.
Here is the full output of the list.
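The failure mode discussed in this issue, reproduced as an added example (not code from clevis, dracut or the posters): a constructed stand-in script plays the role of `clevis luks list -d "${dev}"`, and the three conditions are the original pipeline plus the two workarounds quoted on this page. The stand-in's output, the `LIST` variable and the function names are assumptions made for illustration.

```sh
#!/bin/sh
# Constructed stand-in for `clevis luks list -d "$dev"`: it prints a tang slot
# first and is still writing another slot after `grep -q` has matched and exited.
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
cat > "$workdir/fake-clevis-list" <<'EOF'
echo '1: tang (constructed sample)'
sleep 1
echo '2: tpm2 (constructed sample)'
EOF

# Run one condition under bash with pipefail enabled and print its exit status.
# LIST (hypothetical name) carries the path of the stand-in into the child shell.
pipefail_status() {
    rc=0
    LIST="$workdir/fake-clevis-list" bash -c "set -o pipefail; $1" >/dev/null 2>&1 || rc=$?
    echo "$rc"
}

# Pipeline form: the producer is killed by SIGPIPE (128 + 13) on its second write,
# and pipefail reports that status instead of grep's 0, so an `if` around it takes
# the false branch even though "tang" was found.
naive_status()    { pipefail_status 'sh "$LIST" | grep -q tang'; }

# Workaround quoted in the comments: the subshell's last command is `true`,
# so the left-hand side of the pipeline always reports 0.
subshell_status() { pipefail_status '(sh "$LIST"; true) | grep -q tang'; }

# Workaround from the report: process substitution is not a pipeline element,
# so the status is grep's alone.
procsub_status()  { pipefail_status 'grep -q tang <(sh "$LIST")'; }

for check in naive_status subshell_status procsub_status; do
    printf '%-16s -> %s\n' "$check" "$($check)"
done
```

With a producer that finishes writing before `grep -q` exits, the pipeline form returns 0, which is why the result depends on how many bindings are listed and on timing.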