After Binding to Tang Server (LUKS) Boot fails with Password

Post by u297b » 2019/10/12 13:23:04

Hi All:

Can someone please help me sort this out on my new Centos8 install?

Situation: I bound my LUKS root partition to a tang server and that part works without a problem (i.e., if the server can contact the tang-server over the network, everything boots without a problem).

However, if network is not active or tang server is unavailable I can no longer use manually typed in password to successfully boot. It accepts the password and the password is correct, it just simply no longer boots successfully. After a few minutes it times out and drops me into a dracut emergency shell.

From this shell I can manually cryptsetup luksOpen /dev/nvmep1 etc and manually mount my /root partition, but I don't understand why the boot process is not doing this automatically.

Now the strange part is that I originally was booting this by typing the password in the console every time and it always booted fine, but ever since I bound to tang it no longer boots by password only. To further complicate my understanding: if the network is connected, but I manually enter a password, it works?!? So to summarize:
  • Tang Server Unavail: Doesn't boot by manual password entry
  • Tang Server Avail: Boots fine automatically
  • Tang Server Avail: Boots fine with password

I feel that this issue is initrd / dracut related, but I'm having difficulty understanding how to diagnose further.

Post by hunter86_bg » 2019/10/12 13:56:46

Can you check the number of slots taken:

luksmeta show -d /dev/DEVICE

There should be 2 active slots.

Post by u297b » 2019/10/12 14:35:26

# luksmeta show -d /dev/nvme0n1p2

0   active empty
1   active cb6e8904-81ff-40da-a84a-07ab9ab5715e
2 inactive empty
3 inactive empty
4 inactive empty
5 inactive empty
6 inactive empty
7 inactive empty

What does the UUID in 2nd field refer to? I can't find reference in blkid or /dev/mapper....
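
Added example, not part of any post in this thread: a small POSIX shell parser for `luksmeta show` output that labels each key slot, so the "2 active slots" check can be read as "one Clevis-bound slot plus one passphrase fallback". It treats `cb6e8904-81ff-40da-a84a-07ab9ab5715e` as the type tag Clevis writes for its LUKSMeta data; the function names and the `SAMPLE` text (constructed from the output posted above) are illustrative.

```shell
#!/bin/sh
# Added example: classify LUKS key slots from `luksmeta show` output.
# Real use:  luksmeta show -d /dev/DEVICE | classify_slots

# Type tag Clevis uses for the metadata it stores via LUKSMeta (assumption
# stated in the lead-in; it matches the UUID shown in the thread).
CLEVIS_UUID="cb6e8904-81ff-40da-a84a-07ab9ab5715e"

# Reads `luksmeta show` output on stdin, prints "<slot><TAB><kind>" per slot.
# Lines that are not "<number> <state> <uuid|empty>" are ignored.
classify_slots() {
    awk -v clevis="$CLEVIS_UUID" '
        NF == 3 && $1 ~ /^[0-9]+$/ {
            if ($2 == "inactive")   kind = "unused"
            else if ($3 == "empty") kind = "passphrase-or-keyfile"
            else if ($3 == clevis)  kind = "clevis"
            else                    kind = "other-metadata"
            printf "%s\t%s\n", $1, kind
        }'
}

# Counts the slots of one kind, e.g. `count_kind clevis`.
count_kind() {
    classify_slots | awk -F'\t' -v k="$1" '$2 == k { n++ } END { print n + 0 }'
}

# Succeeds only if the volume has a Clevis slot AND a plain fallback slot,
# i.e. it can be unlocked both by the Tang server and by a typed passphrase.
has_both_unlock_paths() {
    summary=$(classify_slots)
    printf '%s\n' "$summary" | grep -q 'clevis$' &&
    printf '%s\n' "$summary" | grep -q 'passphrase-or-keyfile$'
}

# Constructed sample, mirroring the output posted in the thread.
SAMPLE='0   active empty
1   active cb6e8904-81ff-40da-a84a-07ab9ab5715e
2 inactive empty
3 inactive empty
4 inactive empty
5 inactive empty
6 inactive empty
7 inactive empty'

printf '%s\n' "$SAMPLE" | classify_slots
if printf '%s\n' "$SAMPLE" | has_both_unlock_paths; then
    echo "OK: Clevis slot and passphrase fallback are both present"
fi
```

A passing check only confirms that the key slots exist; it says nothing about whether the initramfs can reach the passphrase prompt and finish mounting, which is the part still failing in this thread.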

Post by u297b » 2019/10/12 20:20:24

Ok....I am a step closer. I'm no longer even sure this is a LUKS issue. Here is what I've noticed:

  1. My cl_box/home LVM Logical Volume was being marked as "inactive" when I was being dropped into the dracut emergency shell. Upon investigating I noticed the grub boot command was missing the rd.lvm.lv=cl_box/home directive, so I added that and now it was at least dropping me into the dracut emergency terminal with all LVs activated.
  2. Now upon immediately entering the dracut emergency terminal, if I just immediately exit, then boot continues normally. However I'm still at a loss as to why I am being dropped into an emergency shell.

I'm mainly documenting this to assist anyone searching about this issue in the future. Still a work in progress on finding a smooth boot experience though....

Post by hunter86_bg » 2019/10/12 21:08:34

I think that you can try booting from the Live DVD, mount all your devices, /sys, /proc, /dev & /run, and rebuild the initramfs.
As far as I know dracut is trying to reduce the amount of kernel modules and that could be your case... The CentOS Troubleshoot option (select 1) will decrypt (ask for password) and mount your storage.