Updating OKD from version 4.7.0-0.okd-2021-06-19-191547 to 4.7.0-0.okd-2021-08-07-063045 broke the autodecryption of the boot disk (LUKS) with Tang

[zfiel]

Describe the bug

Clevis can no longer decrypt the root partition with a Tang server after an OKD update (from 4.7.0-0.okd-2021-06-19-191547 to 4.7.0-0.okd-2021-08-07-063045).

The message clevis-luks-askpass[XXX] : Error communicating with the server! keeps spamming when I boot the cluster nodes. I have to type the passphrase to decrypt the boot disk.

And when I connect to the nodes via SSH, I see a message telling me that the nm-initrd.service could not start.

Version

• OKD version : 4.7.0-0.okd-2021-08-07-063045
• FCOS version : 34.20210518.3.0 and 34.20210725.3.0 (fresh install)
• Installation method : UPI (bare metal)

Additional information

Here is the MachineConfig template I use to encrypt my nodes :

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  name: 90-{{ NODE_ROLE }}-tang
  labels:
    machineconfiguration.openshift.io/role: {{ NODE_ROLE }}
spec:
  config:
    ignition:
      version: 3.2.0
    storage:
      disks:
      - device: /dev/sda
        partitions:
        - label: root
          number: 4
          sizeMiB: 0
          resize: true
      luks:
      - name: root
        device: /dev/disk/by-partlabel/root
        label: luks-root
        clevis:
          tang:
          - url: http://{{ SERVICES_VM_IP }}:7500
            thumbprint: {{ TANG_THUMBPRINT }}
        keyFile:
          source: data:,{{ LUKS_PASSPHRASE }}
        options: [--cipher, aes-cbc-essiv:sha256]
        wipeVolume: true
      filesystems:
      - device: /dev/mapper/root
        format: xfs
        wipeFilesystem: true
        label: root
  kernelArguments:
  - rd.neednet=1

Update to 4.7.0-0.okd-2021-08-07-063045 also upgraded some packages :

Upgraded:
  NetworkManager 1:1.30.4-1.fc34 -> 1:1.32.7-28720.copr.788c13c94f.fc34
  NetworkManager-cloud-setup 1:1.30.4-1.fc34 -> 1:1.32.7-28720.copr.788c13c94f.fc34
  NetworkManager-libnm 1:1.30.4-1.fc34 -> 1:1.32.7-28720.copr.788c13c94f.fc34
  NetworkManager-ovs 1:1.30.4-1.fc34 -> 1:1.32.7-28720.copr.788c13c94f.fc34
  NetworkManager-team 1:1.30.4-1.fc34 -> 1:1.32.7-28720.copr.788c13c94f.fc34
  NetworkManager-tui 1:1.30.4-1.fc34 -> 1:1.32.7-28720.copr.788c13c94f.fc34
  WALinuxAgent-udev 2.2.52-5.fc34 -> 2.3.0.2-1.fc34
  audit-libs 3.0.1-2.fc34 -> 3.0.2-1.fc34
  bind-libs 32:9.16.15-1.fc34 -> 32:9.16.18-1.fc34
  bind-license 32:9.16.15-1.fc34 -> 32:9.16.18-1.fc34
  bind-utils 32:9.16.15-1.fc34 -> 32:9.16.18-1.fc34
  ca-certificates 2020.2.41-7.fc34 -> 2021.2.50-1.0.fc34
  containernetworking-plugins 1.0.0-0.1.rc1.fc34 -> 1.0.0-0.2.rc1.fc34
  containers-common 4:1-16.fc34 -> 4:1-20.fc34
  coreos-installer 0.9.1-1.fc34 -> 0.9.1-2.fc34
  coreos-installer-bootinfra 0.9.1-1.fc34 -> 0.9.1-2.fc34
  coreutils 8.32-26.fc34 -> 8.32-30.fc34
  coreutils-common 8.32-26.fc34 -> 8.32-30.fc34
  crun 0.19.1-3.fc34 -> 0.20.1-1.fc34
  cryptsetup 2.3.5-2.fc34 -> 2.3.6-1.fc34
  cryptsetup-libs 2.3.5-2.fc34 -> 2.3.6-1.fc34
  curl-minimal 7.76.1-4.fc34 -> 7.76.1-7.fc34
  dbus-broker 28-3.fc34 -> 29-1.fc34
  dracut 053-5.fc34 -> 055-3.fc34
  dracut-network 053-5.fc34 -> 055-3.fc34
  elfutils-default-yama-scope 0.183-1.fc34 -> 0.185-2.fc34
  elfutils-libelf 0.183-1.fc34 -> 0.185-2.fc34
  elfutils-libs 0.183-1.fc34 -> 0.185-2.fc34
  ethtool 2:5.12-1.fc34 -> 2:5.13-1.fc34
  expat 2.2.10-2.fc34 -> 2.4.1-1.fc34
  fedora-coreos-pinger 0.0.4-9.fc34 -> 0.0.4-11.fc34
  file 5.39-5.fc34 -> 5.39-6.fc34
  file-libs 5.39-5.fc34 -> 5.39-6.fc34
  fuse-common 3.10.3-1.fc34 -> 3.10.4-1.fc34
  fuse-sshfs 3.7.1-2.fc34 -> 3.7.2-1.fc34
  fuse3 3.10.3-1.fc34 -> 3.10.4-1.fc34
  fuse3-libs 3.10.3-1.fc34 -> 3.10.4-1.fc34
  fwupd 1.5.9-2.fc34 -> 1.5.10-1.fc34
  gdisk 1.0.7-1.fc34 -> 1.0.8-1.fc34
  glibc 2.33-8.fc34 -> 2.33-18.fc34
  glibc-common 2.33-8.fc34 -> 2.33-18.fc34
  glibc-minimal-langpack 2.33-8.fc34 -> 2.33-18.fc34
  glusterfs 9.2-1.fc34 -> 9.3-1.fc34
  glusterfs-client-xlators 9.2-1.fc34 -> 9.3-1.fc34
  glusterfs-fuse 9.2-1.fc34 -> 9.3-1.fc34
  gnutls 3.7.1-2.fc34 -> 3.7.2-1.fc34
  grub2-common 1:2.06~rc1-4.fc34 -> 1:2.06-2.fc34
  grub2-efi-x64 1:2.06~rc1-4.fc34 -> 1:2.06-2.fc34
  grub2-pc 1:2.06~rc1-4.fc34 -> 1:2.06-2.fc34
  grub2-pc-modules 1:2.06~rc1-4.fc34 -> 1:2.06-2.fc34
  grub2-tools 1:2.06~rc1-4.fc34 -> 1:2.06-2.fc34
  grub2-tools-minimal 1:2.06~rc1-4.fc34 -> 1:2.06-2.fc34
  hwdata 0.348-1.fc34 -> 0.349-1.fc34
  ignition 2.10.1-3.fc34 -> 2.11.0-2.fc34
  kernel 5.12.7-300.fc34 -> 5.12.19-300.fc34
  kernel-core 5.12.7-300.fc34 -> 5.12.19-300.fc34
  kernel-modules 5.12.7-300.fc34 -> 5.12.19-300.fc34
  libcurl-minimal 7.76.1-4.fc34 -> 7.76.1-7.fc34
  libdrm 2.4.105-1.fc34 -> 2.4.107-1.fc34
  libeconf 0.3.8-5.fc34 -> 0.4.0-1.fc34
  libgcc 11.1.1-1.fc34 -> 11.1.1-3.fc34
  libgcrypt 1.9.3-2.fc34 -> 1.9.3-3.fc34
  libgfrpc0 9.2-1.fc34 -> 9.3-1.fc34
  libgfxdr0 9.2-1.fc34 -> 9.3-1.fc34
  libglusterfs0 9.2-1.fc34 -> 9.3-1.fc34
  libgomp 11.1.1-1.fc34 -> 11.1.1-3.fc34
  libipa_hbac 2.5.0-2.fc34 -> 2.5.1-2.fc34
  libnfsidmap 1:2.5.3-3.rc2.fc34 -> 1:2.5.4-0.fc34
  libpcap 14:1.10.0-1.fc34 -> 14:1.10.1-1.fc34
  librepo 1.14.0-1.fc34 -> 1.14.1-1.fc34
  libreport-filesystem 2.15.1-1.fc34 -> 2.15.2-2.fc34
  libslirp 4.4.0-2.fc34 -> 4.4.0-4.fc34
  libsmbclient 2:4.14.4-0.fc34 -> 2:4.14.5-0.fc34
  libsss_certmap 2.5.0-2.fc34 -> 2.5.1-2.fc34
  libsss_idmap 2.5.0-2.fc34 -> 2.5.1-2.fc34
  libsss_nss_idmap 2.5.0-2.fc34 -> 2.5.1-2.fc34
  libsss_sudo 2.5.0-2.fc34 -> 2.5.1-2.fc34
  libstdc++ 11.1.1-1.fc34 -> 11.1.1-3.fc34
  libuser 0.63-3.fc34 -> 0.63-4.fc34
  libwbclient 2:4.14.4-0.fc34 -> 2:4.14.5-0.fc34
  libxcrypt 4.4.20-2.fc34 -> 4.4.23-1.fc34
  libxml2 2.9.12-2.fc34 -> 2.9.12-4.fc34
  microcode_ctl 2:2.1-45.fc34 -> 2:2.1-46.fc34
  mozjs78 78.10.0-1.fc34 -> 78.11.0-1.fc34
  nettle 3.7.2-1.fc34 -> 3.7.3-1.fc34
  nfs-utils-coreos 1:2.5.3-3.rc2.fc34 -> 1:2.5.4-0.fc34
  open-vm-tools 11.2.5-9.fc34 -> 11.3.0-1.fc34
  openldap 2.4.57-3.fc34 -> 2.4.57-5.fc34
  openshift-hyperkube 1.20.0-1.1079.87cc9a4 -> 1.20.0-1.1089.558d959
  openssh 8.5p1-2.fc34 -> 8.6p1-3.fc34
  openssh-clients 8.5p1-2.fc34 -> 8.6p1-3.fc34
  openssh-server 8.5p1-2.fc34 -> 8.6p1-3.fc34
  pam 1.5.1-5.fc34 -> 1.5.1-6.fc34
  podman 3:3.1.2-3.fc34 -> 3:3.2.2-1.fc34
  podman-plugins 3:3.1.2-3.fc34 -> 3:3.2.2-1.fc34
  polkit 0.117-3.fc34 -> 0.117-3.fc34.1
  polkit-libs 0.117-3.fc34 -> 0.117-3.fc34.1
  python-setuptools-wheel 53.0.0-1.fc34 -> 53.0.0-2.fc34
  python3 3.9.5-2.fc34 -> 3.9.6-2.fc34
  python3-libs 3.9.5-2.fc34 -> 3.9.6-2.fc34
  qemu-guest-agent 2:5.2.0-7.fc34 -> 2:5.2.0-8.fc34
  rpm-ostree 2021.5-1.fc34 -> 2021.6-2.fc34
  rpm-ostree-libs 2021.5-1.fc34 -> 2021.6-2.fc34
  samba-client-libs 2:4.14.4-0.fc34 -> 2:4.14.5-0.fc34
  samba-common 2:4.14.4-0.fc34 -> 2:4.14.5-0.fc34
  samba-common-libs 2:4.14.4-0.fc34 -> 2:4.14.5-0.fc34
  skopeo 1:1.2.3-1.fc34 -> 1:1.3.0-1.fc34
  sssd-ad 2.5.0-2.fc34 -> 2.5.1-2.fc34
  sssd-client 2.5.0-2.fc34 -> 2.5.1-2.fc34
  sssd-common 2.5.0-2.fc34 -> 2.5.1-2.fc34
  sssd-common-pac 2.5.0-2.fc34 -> 2.5.1-2.fc34
  sssd-ipa 2.5.0-2.fc34 -> 2.5.1-2.fc34
  sssd-krb5 2.5.0-2.fc34 -> 2.5.1-2.fc34
  sssd-krb5-common 2.5.0-2.fc34 -> 2.5.1-2.fc34
  sssd-ldap 2.5.0-2.fc34 -> 2.5.1-2.fc34
  systemd 248.3-1.fc34 -> 248.5-1.fc34
  systemd-container 248.3-1.fc34 -> 248.5-1.fc34
  systemd-libs 248.3-1.fc34 -> 248.5-1.fc34
  systemd-pam 248.3-1.fc34 -> 248.5-1.fc34
  systemd-rpm-macros 248.3-1.fc34 -> 248.5-1.fc34
  systemd-udev 248.3-1.fc34 -> 248.5-1.fc34
  toolbox 0.0.99.1-1.fc34 -> 0.0.99.2-1.fc34
  tpm2-tools 5.0-2.fc34 -> 5.1.1-1.fc34
  vim-minimal 2:8.2.2879-1.fc34 -> 2:8.2.3070-1.fc34
  zchunk-libs 1.1.14-1.fc34 -> 1.1.15-1.fc34
  zram-generator 0.3.2-3.fc34 -> 0.3.2-4.fc34

The initramfs (after the update) contains the following dracut modules :

dracut modules:
systemd
systemd-initrd
systemd-sysusers
modsign
dbus-broker
dbus
coreos-sysctl
i18n
coreos-azure-udev
afterburn
ignition
coreos-ignition
coreos-live
coreos-multipath
coreos-network
network-manager
ignition-conf
ignition-ostree
network
ifcfg
url-lib
coreos-kernel
ignition-conf-fcos
rdcore
clevis
clevis-pin-sss
clevis-pin-tang
clevis-pin-tpm2
coreos-agetty-workaround
btrfs
crypt
dm
kernel-modules
kernel-modules-extra
kernel-network-modules
mdraid
multipath
nvdimm
qemu
qemu-net
cifs
lunmask
resume
rootfs-block
terminfo
udev-rules
walinuxagent
dracut-systemd
ostree
usrmount
base
emergency-timeout
fs-lib
journal-conf
shutdown

I think the bug is due to NetworkManager packages upgrades because when I rollback to the previous version of the machine OS, everything works as it used to :

[core@okd4-control-plane-0 ~]$ sudo rpm-ostree status
State: idle
Deployments:
● pivot://quay.io/openshift/okd-content@sha256:c4b29959c87a1632923e5f30aa211f6439c652c8ab9af94d55b9f40b458b48f7
              CustomOrigin: Managed by machine-config-operator
                   Version: 47.34.202107301811-0 (2021-07-30T18:14:58Z)

  pivot://quay.io/openshift/okd-content@sha256:ce3e69194860476064a7a36075a9de3b46b2eaf6851ceedae41a69e5124a3637
              CustomOrigin: Managed by machine-config-operator
                   Version: 47.34.202106191111-0 (2021-06-19T11:14:24Z)
[core@okd4-control-plane-0 ~]$ sudo rpm-ostree rollback

I also noticed that I could not add new nodes because when I send a request to the MCO endpoint (e.g. curl -v -I -k https://api-int.{{ CLUSTER_NAME }}:22623/config/worker), I have the following message from the machine-config-server pods :

I0823 17:54:11.806634       1 api.go:117] Pool worker requested by address:"X.X.X.X:46488" User-Agent:"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/X.X.X.X Safari/537.36 Edg/X.X.X.X" Accept-Header: "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9"
E0823 17:54:12.055116       1 api.go:165] couldn't convert config for req: {worker 0xc0000b4140}, error: failed to convert config from spec v3.2 to v2.2: unable to convert Ignition spec v3 config to v2: LUKS is not supported on 2.2

I don't know why the MCO wants to convert the config to Ignition v2.2.0.

How can I solve this problem ? Note that I tried to update to the latest release (4.7.0-0.okd-2021-08-22-163618) but I am still facing this issue.

How reproducible

• Update OKD to 4.7.0-0.okd-2021-08-07-063045 (with Tang encryption)
• Create a new OKD cluster at version 4.7.0-0.okd-2021-08-07-063045 (with Tang encryption)

[vrutkovs]

@dustymabe could you help us with Tang issue?

I also noticed that I could not add new nodes because when I send a request to the MCO endpoint (e.g. curl -v -I -k https://api-int.{{ CLUSTER_NAME }}:22623/config/worker), I have the following message from the machine-config-server pods :

You need to include Ignition version

[zfiel]

Indeed, it worked with :

curl -H "Accept: application/vnd.coreos.ignition+json; version=3.2.0" -k https://api-int.{{ CLUSTER_NAME }}:22623/config/worker

In MCS :

I0824 08:56:26.215995       1 api.go:117] Pool worker requested by address:"X.X.X.X:56364" User-Agent:"curl/7.76.1" Accept-Header: "application/vnd.coreos.ignition+json; version=3.2.0"

But still unable to add new nodes (getting connection refused) :

As stated earlier, it looks like something's wrong with nm-initrd.service.

[zfiel]

I also deploy my nodes using the coreos-installer utility.

Here is the Butane template that I use :

variant: fcos
version: 1.3.0

systemd:
  units:
    - name: install.service
      enabled: true
      contents: |
        [Unit]
        Description=Run CoreOS Installer
        Requires=coreos-installer-pre.target
        After=coreos-installer-pre.target
        OnFailure=emergency.target
        OnFailureJobMode=replace-irreversibly
        After=network-online.target
        Wants=network-online.target

        [Service]
        Type=oneshot
        ExecStart=/usr/bin/coreos-installer install /dev/sda --insecure-ignition \
                  --ignition-url http://{{ WEB_SERVER_IP }}:8080/okd4/worker.ign \
                  --image-url http://{{ WEB_SERVER_IP }}:8080/okd4/fcos.raw.xz \
                  --append-karg ip={{ NODE_IP1 }}::{{ DEFAULT_GATEWAY }}:255.255.255.0:{{ NODE_FQDN }}:{{ NET_DEVICE }}:none \
                  --append-karg ip={{ NODE_IP2 }}:::255.255.255.0::{{ NET_DEVICE }}:none \
                  --append-karg nameserver={{ DNS1_IP }} \
                  --append-karg nameserver={{ DNS2_IP }} \
                  --append-karg nameserver={{ DNS3_IP }}
        ExecStart=/usr/bin/systemctl --no-block reboot
        StandardOutput=kmsg+console
        StandardError=kmsg+console

        [Install]
        RequiredBy=default.target

Then when I start the nodes, I type the following kernel argument :

ignition.config.url=http://{{ WEB_SERVER_IP }}:8080/okd4/install-worker-X.ign

Does this way of deploying my nodes work in newer versions of FCOS?

[zfiel]

coreos/fedora-coreos-tracker#943