Improve error and docs re resizing LUKS rootfs

[sedlund]

I didnt see this documented as a limitation, but ignition fails with

ignition-ostree-growfs 'nothing to read on input'

Seems to come from: https://github.com/coreos/fedora-coreos-config/blob/532fd714e4fff8ee6f6f77cd09f4889560512299/overlay.d/05core/usr/lib/dracut/modules.d/40ignition-ostree/ignition-ostree-growfs.sh#L88

Here is an ignition

variant: fcos
version: 1.4.0
passwd:
  users:
    - name: core
      password_hash: $6$ub
      ssh_authorized_keys:
        - ssh-rsa AAAAB3Nz

boot_device:
  luks:
    tpm2: true

storage:

  disks:
    - device: /dev/nvme0n1
      partitions:
        - label: ceph
          # 12G + 1 MiB for the partition table, 384 for `/boot`, 127 for `/boot/efi`
          start_mib: 12801
          size_mib: 0

  filesystems:
    - device: /dev/mapper/root
      format: btrfs
      label: root
      mount_options:
        - compress=zstd:1
      wipe_filesystem: true

[bgilbert]

I just tried your config with 35.20220116.2.0 and it worked for me. What version of Fedora CoreOS are you running?

It shouldn't affect your issue, but you can also spell the partitions section as:

        - number: 4
          label: root
          size_mib: 12288
          resize: true
        - label: ceph

[sedlund]

My apologies, I originally got the error using luks key_file not tpm2.

Using https://console.aws.amazon.com/ec2/home?region=us-east-1#launchAmi=ami-0ebf4b94cc66b73f2 on t3a.medium.

I will try the partitioning as suggested.

Attached: rdsosreport.txt.gz

Here is the correct ignition:

variant: fcos
version: 1.4.0
passwd:
  users:
    - name: core
      password_hash: $6$ubjP0
      ssh_authorized_keys:
        - ssh-rsa AAAA

storage:

  disks:
    - device: /dev/nvme0n1
      partitions:
        - label: ceph
          # 12G + 1 MiB for the partition table, 384 for `/boot`, 127 for `/boot/efi`
          start_mib: 12801
          size_mib: 0

  luks:
    - name: root
      label: luks-root
      device: /dev/disk/by-partlabel/root
      wipe_volume: true
      # using key_file on a rootfs will ask for pass on boot
      key_file:
        inline: "canttellyou"

  filesystems:
    - device: /dev/mapper/root
      format: btrfs
      label: root
      mount_options:
        - compress=zstd:1
      wipe_filesystem: true

[sedlund]

Same error with suggested partitioning:

[jlebon]

Using password LUKS unlocking is not supported for the rootfs. growfs is erroring out because it only supports a Clevis-locked rootfs. Likely we should provide a clearer error message for this (and maybe even a Butane warning) and document it.

Did you actually intend to deploy this configuration in a production environment, or was it more to play around? If the former, can you provide more details about your use case?

[sedlund]

I was using password LUKS for testing ignition on AWS to ensure my ignition file works properly before deploying with tang in my prod setup. I do not have a tangd setup in AWS, It's mainly for quick iteration of the ignition file to validate as deployment in AWS is much faster than my prod hosting.

[bgilbert]

Ah, I see. You may want to do a scratch Tang deployment for that purpose. We opted not to support password-based LUKS for the rootfs because someone would have to type in a password on console, which doesn't make sense for server nodes that are automatically deployed and managed.

I'll leave this open to track improvement of the error message and docs.