systemd cryptsetup not working after kernel upgrade

e-Ra
Posts: 7
Joined: 2018/11/30 18:27:42


Post by e-Ra » 2018/11/30 18:49:14

Hi all,

After an upgrade to CentOS 7.5 (3.10.0-862.14.4.el7.x86_64) it is not possible to encrypt my LUKS container with the included root partition (on LVM) on system startup. It is only possible with an older rescue image (3.10.0-327.el7.x86_64).

The following errors occur during system boot:
systemd: Dependency failed for Cryptography Setup for luks-...ID...
systemd: Dependency failed for Local Encrypted Volumes.
systemd: Job cryptsetup.taget/start failed with result 'dependency'.
systemd: Job systemd-cryptsetup@luks\...ID...service/start failed with result 'dependency'.
systemd: Job dev-disk-by\...ID....device/start failed with result 'timeout'.

Installed (maybe relevant) packages:
Updated cryptsetup-1.6.7-1.el7.x86_64 @anaconda
    Update 1.7.4-4.el7.x86_64 @base
Updated cryptsetup-libs-1.6.7-1.el7.x86_64 @anaconda
    Update 1.7.4-4.el7.x86_64 @base
Updated device-mapper-7:1.02.107-5.el7.x86_64 @anaconda
    Update 7:1.02.146-4.el7.x86_64 @base
Updated device-mapper-event-7:1.02.107-5.el7.x86_64 @anaconda
    Update 7:1.02.146-4.el7.x86_64 @base
Updated device-mapper-event-libs-7:1.02.107-5.el7.x86_64 @anaconda
    Update 7:1.02.146-4.el7.x86_64 @base
Updated device-mapper-libs-7:1.02.107-5.el7.x86_64 @anaconda
    Update 7:1.02.146-4.el7.x86_64 @base
Updated device-mapper-persistent-data-0.5.5-1.el7.x86_64 @anaconda
    Update 0.7.3-3.el7.x86_64 @base
Updated systemd-219-19.el7.x86_64 @anaconda
    Update 219-57.el7.x86_64 @base
Updated systemd-libs-219-19.el7.x86_64 @anaconda
    Dep-Install systemd-libs-219-57.el7.i686 @base
    Update systemd-libs-219-57.el7.x86_64 @base
Updated systemd-sysv-219-19.el7.x86_64 @anaconda
    Update 219-57.el7.x86_64 @base

/etc/crypttab:
luks-...ID... UUID=...ID... none

/proc/cmdline (rescue image, same options of the actual kernel options)
BOOT_IMAGE=/vmlinuz-0-rescue-2fbcab4aa18842679257440bf3f685b0 root=/dev/mapper/centos-root ro crashkernel=auto rd.lvm.lv=centos/root rd.luks.uuid=luks-...ID... rd.lvm.lv=centos/swap rhgb quiet

Can someone help?

Thanks
Last edited by e-Ra on 2018/12/02 18:43:24, edited 1 time in total.

hunter86_bg
Posts: 2019
Joined: 2015/02/17 15:14:33
Location: Bulgaria

Re: systemd cryptsetup not working with kernel

Post by hunter86_bg » 2018/12/02 02:57:23

I have recently updated a box which has 3 LUKS devices and it decrypts properly on boot.
Do you mean encrypt or decrypt?
What is the output of:

systemctl cat cryptsetup.target

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: systemd cryptsetup not working with kernel

Post by TrevorH » 2018/12/02 11:14:24

I believe that you will need to remove rhgb quiet from your kernel command line in order to see the passphrase prompt...
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

e-Ra
Posts: 7
Joined: 2018/11/30 18:27:42

Re: systemd cryptsetup not working with kernel

Post by e-Ra » 2018/12/02 18:46:22

hunter86_bg wrote:
2018/12/02 02:57:23
I have recently updated a box which has 3 LUKS devices and it decrypts properly on boot.
Do you mean encrypt or decrypt?
What is the output of:

systemctl cat cryptsetup.target

I mean decrypt on system startup.

systemctl cat cryptsetup.target

# /usr/lib/systemd/system/cryptsetup.target
#  This file is part of systemd.
#
#  systemd is free software; you can redistribute it and/or modify it
#  under the terms of the GNU Lesser General Public License as published by
#  the Free Software Foundation; either version 2.1 of the License, or
#  (at your option) any later version.

[Unit]
Description=Local Encrypted Volumes
Documentation=man:systemd.special(7)

e-Ra
Posts: 7
Joined: 2018/11/30 18:27:42

Re: systemd cryptsetup not working with kernel

Post by e-Ra » 2018/12/02 18:48:39

TrevorH wrote:
2018/12/02 11:14:24
I believe that you will need to remove rhgb quiet from your kernel command line in order to see the passphrase prompt...

Good hint, but already tried it without quiet and rhgb (same behavior).

hunter86_bg
Posts: 2019
Joined: 2015/02/17 15:14:33
Location: Bulgaria

Re: systemd cryptsetup not working after kernel upgrade

Post by hunter86_bg » 2018/12/04 10:44:08

Does the UUID in /etc/crypttab match the output of:
cryptsetup luksUUID /luks/device

e-Ra
Posts: 7
Joined: 2018/11/30 18:27:42

Re: systemd cryptsetup not working after kernel upgrade

Post by e-Ra » 2018/12/04 13:17:08

hunter86_bg wrote:
2018/12/04 10:44:08
Does the UUID in /etc/crypttab match the output of:
cryptsetup luksUUID /luks/device

/etc/crypttab:
luks-...ID... UUID=...ID... none

cryptsetup luksUUID /dev/sda3
...ID...

The output of the cryptsetup command is the same as the part after the UUID= from crypttab.

Is the behavior maybe related to this: https://github.com/systemd/systemd/issues/6381
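
Added example (not part of the original thread): the comparison asked for above, extended to the rd.luks.uuid= argument on the kernel command line, which on this system carries a luks- prefix that the crypttab UUID= field does not. The function names and the sample UUID are constructed; on a real host pass the output of cryptsetup luksUUID /dev/sda3 and the contents of /etc/crypttab and /proc/cmdline.

```shell
#!/usr/bin/env bash
# Added example: check that the LUKS header UUID, /etc/crypttab and the
# kernel command line all name the same volume. Sample values are constructed.
SAMPLE_UUID="11111111-2222-3333-4444-555555555555"
SAMPLE_CRYPTTAB="# constructed sample
luks-$SAMPLE_UUID UUID=$SAMPLE_UUID none"
SAMPLE_CMDLINE="root=/dev/mapper/centos-root ro rd.lvm.lv=centos/root rd.luks.uuid=luks-$SAMPLE_UUID rd.lvm.lv=centos/swap"

# Normalise one reference: drop the "UUID=" and "luks-" prefixes, lowercase hex.
norm_uuid() {
    local v="${1#UUID=}"
    v="${v#luks-}"
    printf '%s\n' "$v" | tr 'A-F' 'a-f'
}

# crypttab_uuids TEXT: one normalised UUID per UUID= entry; comments skipped.
crypttab_uuids() {
    printf '%s\n' "$1" | while read -r name dev _rest; do
        case $name in ''|'#'*) continue ;; esac
        case $dev in UUID=*) norm_uuid "$dev" ;; esac
    done
}

# cmdline_uuids TEXT: one normalised UUID per rd.luks.uuid= argument.
cmdline_uuids() {
    local arg
    for arg in $1; do   # unquoted on purpose: split the line on whitespace
        case $arg in rd.luks.uuid=*) norm_uuid "${arg#rd.luks.uuid=}" ;; esac
    done
}

# check_luks_refs HEADER_UUID CRYPTTAB_TEXT CMDLINE_TEXT
# Returns 0 if the header UUID is referenced in both places, 1 otherwise.
# This sketch requires the full UUID in each place.
check_luks_refs() {
    local want rc=0
    want=$(norm_uuid "$1")
    crypttab_uuids "$2" | grep -qxF "$want" ||
        { echo "crypttab: no UUID= entry for $want"; rc=1; }
    cmdline_uuids "$3" | grep -qxF "$want" ||
        { echo "cmdline: no rd.luks.uuid= for $want"; rc=1; }
    return $rc
}

check_luks_refs "$SAMPLE_UUID" "$SAMPLE_CRYPTTAB" "$SAMPLE_CMDLINE" && echo "consistent"
```
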

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: systemd cryptsetup not working after kernel upgrade

Post by TrevorH » 2018/12/04 16:08:39

You know uuids are not security sensitive information?

Did you try any of the workarounds/tests listed in that bug report?

hunter86_bg
Posts: 2019
Joined: 2015/02/17 15:14:33
Location: Bulgaria

Re: systemd cryptsetup not working after kernel upgrade

Post by hunter86_bg » 2018/12/04 17:19:15

Our workstation has 3 LUKS devices and I still don't get what is so different from your setup.
I will check the cmd line and try to find the differences.

e-Ra
Posts: 7
Joined: 2018/11/30 18:27:42

Re: systemd cryptsetup not working after kernel upgrade

Post by e-Ra » 2018/12/06 19:59:23

TrevorH wrote:
2018/12/04 16:08:39
You know uuids are not security sensitive information?

Did you try any of the workarounds/tests listed in that bug report?

Yes, didn't want to copy the letters from the screen.

I tried the 'luks.options=timeout=30s' kernel option without effect.
The other stuff seems to be more arch related.
