-
Notifications
You must be signed in to change notification settings - Fork 105
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Clevis stubbornly keeps trying the first Tang Server (even when not Ready) for unlocking even though other Servers are Online and available #472
Comments
Hello @luckylinux . Can you please post what kind of configuration are you using? Are you binding the device multiple times or are you using |
Hi @sarroutbi. Not sure what "configuration" I am using to be Perfectly honest. I followed up a Tang+Clevis tutorial around a Year ago and had been using it like this ever since. This is a Script I use for my root on LUKS installs, that will install Keys for ALL configured Tang Servers:
|
@sarroutbi Any Update on this ? |
Hello @luckylinux . My suggestion is you to try binding your device through You should do something similar to this:
This is the recommended way for binding a 1+1 server configuration. Hope it helps |
But do I need to remove the other existing slots before I do this I guess, right ? |
Yes, remove the previous ones with |
I originally reported the Issue on Ubuntu Launchpad BUG Tracker since that is where I first noticed it.
However, seems to occur on every Platform.
Essentially I have 4 x Tang Servers that register their Key in one LUKS Keyslot respectively (besides the Manual Passphrase/Password).
The issue is, if the First Tang Server (
Tang1
) is NOT ready (in the specific case it is "Booting" but NOT unlocked - for security reasons the Tang Servers have Full Disk Encryption for / and must be unlocked Manually), then Clevis will keep tryingTang1
, despiteTang2
/Tang3
/Tang4
being available, online and unlocked.Tang1
is "stuck" with "Please enter the passphrase for xxxxxx" boot Message (typical of LUKS without any Tang/Clevis/other automated unlocking). I just checked and, in that phase, theTang1
Host Networking is DOWN (Tang1
doesn't even reply toping
/ ICMP Packets).Eventually, Clevis will contact one of the other Servers (after 5 Minutes / 300 Seconds), but shouldn't this be done much faster ?
I would expect Clevis to be smart enough to query
Tang2
/Tang3
/Tang4
or even better, to query Tang Servers in a round-Robin manner ("random"). Basically "Tang 1 Decryption Fails, move on toTang2
". Or, as stated before, do so in a round-Robin/random Query manner.The text was updated successfully, but these errors were encountered: