Dracut unlocker + tang pin cannot perform DNS lookups on Fedora 31 #148
Comments
I opened https://bugzilla.redhat.com/show_bug.cgi?id=1779394 for tracking this issue. I also added a possible solution in there (adding
Thanks for the report and the pointers! Unfortunately that library is already included in the initramfs, at least according to
Uh, or maybe it did change, let me test this a little further.
I have this here:
Indeed. Sorry, it was a brainfart I guess. Adding
Let's see how that issue progresses, what the dracut maintainers have to say on the matter. At first glance, it seems like something that should be fixed by dracut.
Well, unfortunately they don't seem to care much. I've bumped that ticket but I doubt they'll react fast on it. I'm not sure of what else we can do to get the upstream Fedora to act on this.
Probably not related but I am having the exact same issue on Ubuntu 18.04, except I already have libnss_dns in my initramfs:
I'm testing this on Clevis 12 but with the PR I have in for the initramfs changes (if that did anything). EDIT: I can confirm that I simply can't curl by dns even though my /etc/resolv.conf appears to be fine (I can query those servers from local) so even though things are still broken, it's not a clevis related problem.
My team found the solution internally and it is related to what Sergio said. In our case the dns module was present but it was the 32bit version because this system happened to have libc6:i386 installed. Apparently the initramfs builder prefers 32 bit over 64 bit (which is backwards imo). We didn't catch this early because we were looking for the libdns/libnss files and mentally autocompleted on the i386 vs x86_64 stuff. There are 2 solutions for this.
1 - Uninstall libc6:i386 and rebuild initramfs
2 - Add in your own hook that just blanket copies it as so:
Thanks a lot for the comment, @jmarcelletti! Oddly, I ran into this on 18.04 too, although I thought it already worked on Ubuntu. In any case, your hook complained about various syntax errors, so I ended up using something like this:
One more note: the hook needs to be executable, otherwise
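Added example (not part of the thread and not project code): a POSIX shell check for the case described in the comments above, where `libnss_dns` is present in the initramfs but only as a 32-bit copy. It assumes an already unpacked initramfs tree and that `curl` is the binary doing the lookup; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare the ELF class of libnss_dns copies in an unpacked
# initramfs with the class of the binary that resolves names (assumed: curl).

# Print 32, 64 or "none" according to the ELF header of FILE:
# bytes 0-3 are the magic 7f 'E' 'L' 'F', byte 4 (EI_CLASS) is 1 or 2.
elf_class() {
    case "$(od -An -tx1 -N5 "$1" 2>/dev/null | tr -d ' \n')" in
        7f454c4601) echo 32 ;;
        7f454c4602) echo 64 ;;
        *)          echo none ;;
    esac
}

# List every regular file named libnss_dns* under ROOT as "<class> <path>".
nss_dns_report() {
    find "$1" -type f -name 'libnss_dns*' | while IFS= read -r lib; do
        echo "$(elf_class "$lib") $lib"
    done
}

# Succeed only if ROOT holds a libnss_dns of the same ELF class as ROOT/BIN,
# the program that has to resolve names (BIN is a path relative to ROOT).
nss_dns_matches() {
    want=$(elf_class "$1/$2")
    [ "$want" != none ] || return 2
    nss_dns_report "$1" | grep -q "^$want "
}

# Constructed sample: a fake tree whose files carry only a 5-byte ELF header.
make_sample_tree() {
    mkdir -p "$1/usr/bin" "$1/lib/i386-linux-gnu" "$1/lib/x86_64-linux-gnu"
    printf '\177ELF\002' > "$1/usr/bin/curl"
    printf '\177ELF\001' > "$1/lib/i386-linux-gnu/libnss_dns.so.2"
    [ "${2:-}" = fixed ] && printf '\177ELF\002' > "$1/lib/x86_64-linux-gnu/libnss_dns.so.2"
    return 0
}

if [ $# -eq 2 ]; then   # usage: <script> UNPACKED_INITRAMFS_DIR usr/bin/curl
    nss_dns_report "$1"
    nss_dns_matches "$1" "$2" || { echo "no libnss_dns with the ELF class of $2" >&2; exit 1; }
fi
```
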
If I bind to the tang server by hostname, e.g.
The boot log shows these errors:
And it repeats until I manually enter the passphrase. If I bind with an IP address, like so (plus the changes in #147 necessary to make it work until Dracut in Fedora receives the updates):
It works as expected.
Ad-hoc encrypt-decrypt pairs like this:
Do work in a started up session, so I'd rule out server errors. Come to think of it, the bind would also fail if it didn't work after boot.
Required libs and binaries are built as explained in #136