
Verify existing unlocked LUKS devices without keys (#1624617)

Blivet doesn't remove decrypted devices after a teardown of unlocked
LUKS devices and later fails to set them up without a key, so report
an error to prevent a traceback during the installation.

Resolves: rhbz#1624617
poncovka committed Sep 6, 2019
1 parent 1e1a2f8 commit a8b4f2d547f5ea987e52b32e33bc323c7aa21442
Showing with 27 additions and 0 deletions.
  1. +27 −0 pyanaconda/storage/checker.py
@@ -316,6 +316,32 @@ def verify_mountpoints_on_linuxfs(storage, constraints, report_error, report_war
report_error(_("The mount point %s must be on a linux file system.") % mountpoint)


def verify_unlocked_devices_have_key(storage, constraints, report_error, report_warning):
""" Verify that existing unlocked LUKS devices have some way of obtaining a key.
Blivet doesn't remove decrypted devices after a teardown of unlocked LUKS devices
and later fails to set them up without a key, so report an error to prevent a
traceback during the installation.
:param storage: a storage to check
:param constraints: a dictionary of constraints
:param report_error: a function for error reporting
:param report_warning: a function for warning reporting
"""
devices = [
d for d in storage.devices
if d.format.type == "luks"
and d.format.exists
and not d.format.has_key
and d.children
]

for dev in devices:
report_error(_("The existing unlocked LUKS device {} cannot be used for "
"the installation without an encryption key specified for "
"this device. Please, rescan the storage.").format(dev.name))


def verify_luks_devices_have_key(storage, constraints, report_error, report_warning):
""" Verify that all non-existant LUKS devices have some way of obtaining a key.
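Review bot: The filter in verify_unlocked_devices_have_key (`d.format.exists and not d.format.has_key and d.children`) never checks whether the device is part of the requested layout, so any existing LUKS device with children and no key blocks the installation through report_error, even one the installation does not touch. Consider restricting the list to devices the planned layout actually uses, or reporting a warning for untouched ones. The message "Please, rescan the storage" also gives no usable action in a non-interactive install, so it would help to say how a key can be supplied. The commit changes only pyanaconda/storage/checker.py; a unit test covering a keyed and a keyless existing device would pin the intended behaviour.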
@@ -590,6 +616,7 @@ def set_default_checks(self):
self.add_check(verify_swap_uuid)
self.add_check(verify_mountpoints_on_linuxfs)
self.add_check(verify_mountpoints_on_root)
self.add_check(verify_unlocked_devices_have_key)
self.add_check(verify_luks_devices_have_key)
self.add_check(verify_luks2_memory_requirements)
self.add_check(verify_mounted_partitions)
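Review bot: In set_default_checks the new check is registered unconditionally, and verify_unlocked_devices_have_key receives `constraints` but never reads it, so there is no way to switch the check off for setups where an existing container is already unlocked when storage is inspected. Because every match is reported as an error rather than a warning, consider gating the check on a constraint. If running it before verify_luks_devices_have_key is intentional, a short comment on the ordering would help the next reader.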

1 comment on commit a8b4f2d

egdoc commented on a8b4f2d Nov 5, 2019

This change makes it impossible to perform a kickstart installation on an already existing LUKS container. This is usually done by opening the LUKS container in the %pre section of the kickstart file, and then re-using the decrypted partition or LVM logical volumes. Since the container is not opened by anaconda, the device doesn't get a key, therefore the installation is aborted. I am not sure this is the right place for this comment, please excuse me if it's not.
