[app-crypt/clevis] Add preliminary support for clevis

Open krishjainx opened this issue 1 year ago • 10 comments

I've added preliminary support for clevis and included all of its dependencies. On the suggestion of @pothos I am submitting this PR in order to get the image built through GitHub actions so that it can be downloaded later. (currently the bootengine ebuild here is also using the latest commit in krishjainx/bootengine).

Most of the work is already done. Just need to iron out a couple of ends and we should be able to include clevis support!

Testing done

Tested that the required wrappers and binaries are installed and accessible in the initramfs by building and using parameters, for instance rd.shell rd.break=pre-pivot

CI: http://jenkins.infra.kinvolk.io:8080/job/container/job/packages_all_arches/2188/cldsv/

krishjainx avatar Jun 13 '23 15:06 krishjainx

The branch needs a rebase on main for the CI to start.

pothos avatar Jun 14 '23 10:06 pothos

Rebased this PR on main, pushed to https://github.com/flatcar/scripts/tree/krishjainx/add-clevis-krish. Pushed required changes in bootengine to https://github.com/flatcar/bootengine/tree/krishjainx/add-clevis-krish.

Running Jenkins CI http://jenkins.infra.kinvolk.io:8080/job/container/job/packages_all_arches/2064/cldsv/.

dongsupark avatar Jun 28 '23 11:06 dongsupark

CI failed when building cryptsetup.

!!! Fetched file: cryptsetup-2.6.1.tar.xz VERIFY FAILED!
!!! Reason: Insufficient data for checksum verification
!!! Got:      
!!! Expected: BLAKE2B BLAKE2S MD5 RMD160 SHA1 SHA256 SHA3_256 SHA3_512 SHA512 WHIRLPOOL

You would probably want to regenerate sdk_container/src/third_party/portage-stable/sys-fs/cryptsetup/Manifest.

dongsupark avatar Jun 28 '23 11:06 dongsupark

Even after regenerating the Manifest of cryptsetup, it does not build, because cryptsetup 2.6 started to require asciidoctor in the SDK for generating man pages. The Gentoo ebuild does not provide a way to disable asciidoc. This PR seems to require much more work than expected. I will stop looking into it.

dongsupark avatar Jun 29 '23 10:06 dongsupark

I have updated this PR, tested it with a local build, and rebased it on main (no merge conflicts). The updated Gentoo ebuild also enables cryptsetup 2.6 to work without asciidoctor in the SDK container. It seems to be functioning properly now. Thank you, @dongsupark

krishjainx avatar Jul 16 '23 06:07 krishjainx

Ah, I see. My bad. I was using the GitHub UI instead of the command-line git client. GitHub merged main into the PR branch by default. Will fix it.

On Mon, Jul 17, 2023, 13:47 Dongsu Park wrote:

Dongsu Park commented on this pull request.

Thanks for updating the PR.

Why does this PR have the last commit Merge branch 'flatcar:main' into add-clevis-krish? Could you please rebase or clean up commits to avoid having the merge commit?

See below:

In sdk_container/src/third_party/coreos-overlay/app-crypt/clevis/clevis-19-r1.ebuild https://github.com/flatcar/scripts/pull/909#discussion_r1265019232:

@@ -0,0 +1,35 @@ +# Copyright 2022-2023 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2

+EAPI=8 + +inherit meson + +DESCRIPTION="Automated Encryption Framework" +HOMEPAGE="https://github.com/latchset/clevis" +SRC_URI="https://github.com/latchset/${PN}/archive/v${PV}.tar.gz -> ${P}.tar.gz" + +LICENSE="GPL-3" +SLOT="0" +KEYWORDS="~amd64"
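Review bot: KEYWORDS="~amd64" in this hunk carries only the testing keyword for a single architecture, so the package stays masked on amd64 unless package.accept_keywords grants ~amd64 for this atom, and arm64 is not keyworded at all. Either set KEYWORDS to the stable keywords for every architecture the overlay builds (for example KEYWORDS="amd64 arm64") or add a matching accept_keywords line for each architecture, so the arm64 build does not fail on the same masking later.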

This KEYWORDS prevents the builds from starting.

!!! All ebuilds that could satisfy "clevis" for /build/amd64-usr/ have been masked.
!!! One of the following masked packages is required to complete your request:

  • app-crypt/clevis-19-r1::coreos (masked by: ~amd64 keyword)

You would probably want to add =app-crypt/clevis-19-r1 ~amd64 in sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords, or replace the KEYWORDS above with KEYWORDS="amd64".

krishjainx avatar Jul 17 '23 08:07 krishjainx
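As an added example (not code from this PR or from the flatcar/scripts repository), the following POSIX shell script applies the keyword rule behind the "masked by: ~amd64 keyword" error quoted in the review to one ebuild and one package.accept_keywords file, and reports the status for each architecture. The sample ebuild and accept_keywords fragment are constructed inline; the accept_keywords line follows the form suggested in the review. Running it for both amd64 and arm64 also surfaces the missing arm64 keyword that the CI run reported afterwards.

```shell
#!/bin/sh
# Added example, not part of flatcar/scripts: mimic portage's keyword
# acceptance check for a single ebuild and a single package.accept_keywords
# file, so a masked-by-keyword failure is caught before a full SDK build.

# Write constructed sample files (the KEYWORDS line from the review and one
# accept_keywords entry) into a temporary directory and print its path.
setup_samples() {
  dir=$(mktemp -d)
  cat > "$dir/clevis-19-r1.ebuild" <<'EOF'
EAPI=8
DESCRIPTION="Automated Encryption Framework"
KEYWORDS="~amd64"
EOF
  cat > "$dir/package.accept_keywords" <<'EOF'
# constructed sample: accept the testing keyword for amd64 only
=app-crypt/clevis-19-r1 ~amd64
EOF
  printf '%s\n' "$dir"
}

# ebuild_keywords EBUILD: print the space-separated value of KEYWORDS.
ebuild_keywords() {
  sed -n 's/^KEYWORDS="\([^"]*\)".*/\1/p' "$1"
}

# accept_grants ACCEPT_FILE ATOM ARCH: succeed if a line for ATOM grants ~ARCH.
# A bare atom with no keywords means ~ARCH for the current arch, and "**"
# accepts any keyword; comments and blank lines are skipped.
accept_grants() {
  awk -v atom="$2" -v kw="~$3" '
    /^#/ || NF == 0 { next }
    $1 == atom {
      if (NF == 1) found = 1
      for (i = 2; i <= NF; i++) if ($i == kw || $i == "**") found = 1
    }
    END { exit !found }' "$1" 2>/dev/null
}

# keyword_status EBUILD ACCEPT_FILE ATOM ARCH prints one of:
#   stable            KEYWORDS lists "ARCH"
#   testing-accepted  KEYWORDS lists "~ARCH" and ACCEPT_FILE grants it
#   testing-masked    KEYWORDS lists "~ARCH" but nothing accepts it (the
#                     situation behind the masking error in the review)
#   missing           ARCH does not appear in KEYWORDS at all
keyword_status() {
  kws=$(ebuild_keywords "$1")
  for k in $kws; do
    if [ "$k" = "$4" ]; then
      echo stable
      return 0
    fi
  done
  for k in $kws; do
    if [ "$k" = "~$4" ]; then
      if accept_grants "$2" "$3" "$4"; then
        echo testing-accepted
      else
        echo testing-masked
      fi
      return 0
    fi
  done
  echo missing
}

# Stand-alone run: report both architectures for the sample files.
d=$(setup_samples)
for arch in amd64 arm64; do
  printf '%s: %s\n' "$arch" \
    "$(keyword_status "$d/clevis-19-r1.ebuild" "$d/package.accept_keywords" =app-crypt/clevis-19-r1 "$arch")"
done
rm -rf "$d"
```

Pointing the script at the real ebuild and the overlay's profiles/coreos/base/package.accept_keywords gives the same verdict portage would reach for each architecture before a CI run is started.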

Running Jenkins CI again. http://jenkins.infra.kinvolk.io:8080/job/container/job/sdk/932/cldsv/

dongsupark avatar Jul 18 '23 10:07 dongsupark

Good news: amd64 build passed, and managed to run CI tests.

However, there are 2 issues. First, the arm64 build was triggered and failed to build clevis due to missing keywords.

Second, almost all amd64 tests failed with the following messages.

harness.go:582: Found systemd unit failed to start (clevis-luks-askpass.path - Forward Password Requests to Clevis Directory Watch.) on machine 97d60bce-de3e-4b35-a424-b14e929139ad console

dongsupark avatar Jul 19 '23 08:07 dongsupark

Note: Our CI tests are run by kola tests of https://github.com/flatcar/mantle/tree/flatcar-master/kola, and their clusters are configured in https://github.com/flatcar/mantle/blob/flatcar-master/platform/machine/qemu/cluster.go. So in theory it is possible to add new options for tpm2 there, looking into this now!

krishjainx avatar Jul 20 '23 11:07 krishjainx

https://github.com/flatcar/scripts/pull/1560 was merged and replaces this PR. Good work everyone!

krishjainx avatar Jul 05 '24 10:07 krishjainx