
Clevis luks not unlocking at boot when url is specified as hostname but IP address works

Open jeremyatourville opened this issue 2 years ago • 2 comments

See #412 for more details. Client gets DNS from IdM server. Client is enrolled in IdM domain using ipa-client. IdM server is Active Directory integrated with a one way trust established and using split DNS. All DNS for IdM (linux) domain is resolved by IdM and all DNS for Windows is handled by AD.

clevis luks bind -d /dev/sda2 tang '{"url":"http://tang.srv"}'  ## DOESN'T WORK
clevis luks bind -d /dev/sda2 tang '{"url":"http://10.31.x.x."}'  ## WORKS

Seems like a timing issue of some sort related to DNS and the boot up process. Thoughts?

jeremyatourville, May 10 '23 17:05

Could you post the dracut modules that are part of your initramfs, please? Probably something like this could help here: lsinitrd | awk '/^Version:/,/^=/'

sergio-correia, May 10 '23 18:05

[root@gsil-yum localadm]# lsinitrd | awk '/^Version:/,/^=/'
Version: dracut-049-218.git20221019.el8_7

Arguments: --kver '4.18.0-425.19.2.el8_7.x86_64' -f -v --kernel-cmdline 'ip=10.31.x.x::10.31.8.1:255.255.255.0::ens192:none'

dracut modules:
bash
systemd
fips
systemd-initrd
nss-softokn
i18n
network-manager
network
ifcfg
drm
plymouth
clevis
clevis-pin-null
clevis-pin-sss
clevis-pin-tang
clevis-pin-tpm2
prefixdevname
crypt
dm
kernel-modules
kernel-modules-extra
kernel-network-modules
lvm
resume
rootfs-block
terminfo
udev-rules
biosdevname
dracut-systemd
usrmount
base
fs-lib
memstrack
microcode_ctl-fw_dir_override
shutdown
========================================================================
[root@gsil-yum localadm]# 

jeremyatourville, May 11 '23 16:05
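A check a practitioner could run on a setup like this one, added here as an example and not code from the clevis project or from this thread: it parses the dracut `ip=` kernel argument (whose 8th and 9th fields are the DNS servers) and any `nameserver=` argument, and reports whether a hostname-based tang URL could be resolved inside the initramfs at all. The sample cmdline and pin configs are constructed from the ones in this issue, with the redacted 10.31.x.x address replaced by made-up ones.

```shell
#!/bin/sh
# Added example, not from the clevis project or this issue thread.
# Checks whether a Clevis/Tang binding that names the server by hostname
# could be resolved inside the initramfs, given the dracut kernel arguments.
# dracut ip= syntax: ip=<client>:<peer>:<gw>:<netmask>:<hostname>:<iface>:<autoconf>:<dns1>:<dns2>
# dracut also accepts a separate nameserver=<ip> argument.

# Constructed samples modelled on the issue (redacted 10.31.x.x replaced by made-up addresses).
SAMPLE_CMDLINE="ip=10.31.8.20::10.31.8.1:255.255.255.0::ens192:none"
SAMPLE_CMDLINE_DNS="ip=10.31.8.20::10.31.8.1:255.255.255.0::ens192:none:10.31.8.5 nameserver=10.31.8.6"
SAMPLE_TANG_HOSTNAME='{"url":"http://tang.srv"}'
SAMPLE_TANG_IP='{"url":"http://10.31.8.10"}'

# Host part of the tang pin's url (scheme, port and path stripped).
tang_host() {
  printf '%s\n' "$1" | sed -n 's/.*"url" *: *"\([^"]*\)".*/\1/p' \
    | sed -e 's#^[a-zA-Z]*://##' -e 's#[/:].*$##'
}

# True if the host is a dotted-quad IPv4 literal (no resolver needed).
is_ipv4() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Prints every DNS server the initramfs would know about, one per line.
initramfs_dns() {
  printf '%s\n' "$1" | tr ' ' '\n' | awk -F: '
    /^ip=/         { sub(/^ip=/, ""); if ($8 != "") print $8; if ($9 != "") print $9 }
    /^nameserver=/ { sub(/^nameserver=/, ""); print }'
}

# Verdict for one (kernel cmdline, tang pin config) pair:
#   ok-ip       url uses an IP literal, no resolver needed at boot
#   ok-dns      url uses a hostname and the initramfs has a nameserver
#   risk-no-dns url uses a hostname but no nameserver is configured
check_binding() {
  host=$(tang_host "$2")
  if is_ipv4 "$host"; then echo ok-ip; return 0; fi
  if [ -n "$(initramfs_dns "$1")" ]; then echo ok-dns; else echo risk-no-dns; fi
}

# Live use: check_binding "$(cat /proc/cmdline)" "$(clevis luks list -d /dev/sda2)"
check_binding "$SAMPLE_CMDLINE" "$SAMPLE_TANG_HOSTNAME"     # risk-no-dns
check_binding "$SAMPLE_CMDLINE_DNS" "$SAMPLE_TANG_HOSTNAME" # ok-dns
check_binding "$SAMPLE_CMDLINE" "$SAMPLE_TANG_IP"           # ok-ip
```

The cmdline quoted in this thread has no DNS fields and no `nameserver=`, which is the case the check flags.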