The clevis luks bind -d /dev/vda2 tang '{"url":"192.168.122.1"}' fails. https://lab.redhat.com/nbde-introduction step 4 of 5 #215

Closed
jgkootstra opened this issue Aug 9, 2021 · 7 comments · Fixed by #216

Comments

@jgkootstra

clevis luks list -d /dev/vda2
gives empty output, so the scenario failed.

Reran the scenario 5 times to be sure that it was not caused by missing a command.

@jgkootstra changed the title from "The clevis luks bind -d /dev/vda2 tang '{"url":"192.168.122.1"}' fails. https://lab.redhat.com/nbde-introduction step 4 o5" to "The clevis luks bind -d /dev/vda2 tang '{"url":"192.168.122.1"}' fails. https://lab.redhat.com/nbde-introduction step 4 of 5" on Aug 9, 2021
@sergio-correia
Contributor

Did you get any error messages when the clevis luks bind command failed?

If you get something like Unable to fetch advertisement: '192.168.122.1/adv', it is possible that Step no. 2 -- where we set up tang -- was not completed properly. If this is the case, would you please try to go back to step no. 2 and make sure to complete it properly and see if you will be able to perform the clevis luks bind operation afterwards?

@Tronde

Tronde commented Aug 10, 2021

Time appropriate greetings everyone,
I encountered the same issue yesterday and again today.

Step 2 was completed with the following output:

[root@tang ~]# systemctl enable --now tangd.socket
Created symlink /etc/systemd/system/multi-user.target.wants/tangd.socket → /usr/lib/systemd/system/tangd.socket.
[root@tang ~]# curl localhost/adv
{"payload":"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","protected":"eyJhbGciOiJFUzUxMiIsImN0eSI6Imp3ay1zZXQranNvbiJ9","signature":"AN7BpDByulvlkH35m272KDhGjButBql0-MulwS5kQauObj9HpqUUeytcb85E8ykOK5bMce6aKCJ8pr71HFEeiYFPAVftHEGqtJ8auTNA2d0Jkjo_JRcGkU6rVoON3SCK0VmL19rq0FXTn4oOfFO1oguwHHu7PvBhCtTfZv8sPlPzowqG"}[root@tang ~]#

In step 4 I got stuck with the following output:

Red Hat Enterprise Linux 8.4 (Ootpa)
Kernel 4.18.0-305.el8.x86_64 on an x86_64

clevis login: root
Password: 
[root@clevis ~]# lsblk --fs
NAME              FSTYPE LABEL UUID                                   MOUNTPOINT
vda                                                                   
├─vda1            xfs          bd5edf31-983b-449d-9330-cac3d2b4873b   /boot
└─vda2            crypto       75cce7fe-5992-4ab4-8cb9-816c2618ca1a   
  └─luks-75cce7fe-5992-4ab4-8cb9-816c2618ca1a
                  LVM2_m       RLOSzN-S7Qd-GfU1-GF0y-agZx-ISWn-DSmX5G 
    ├─rhel_clevis-root
    │             xfs          2e1f2fde-aec4-4024-80e3-139ba3f7b062   /
    └─rhel_clevis-swap
                  swap         f2d3af83-2fcf-45cb-ae61-0c8a5144eba4   [SWAP]
[root@clevis ~]# clevis luks bind -d /dev/vda2 tang '{"url":"192.168.122.1"}'
Warning: Value 512 is outside of the allowed entropy range, adjusting it.
Unable to fetch advertisement: '192.168.122.1/adv/'!
[root@clevis ~]# clevis luks list -d /dev/vda2
[root@clevis ~]#

I'm using Firefox 78.12.0esr (32-Bit) to access the lab. Don't know whether that could affect the scenario or not.

@jgkootstra
Author

I'm using:
Microsoft Edge
Version 92.0.902.67 (Official build) (64-bit)

@sergio-correia
Contributor

Thanks for the information provided, @jgkootstra and @Tronde. I tracked down the issue to the need to open the tang port in the firewall, and I submitted a pull request updating the scenario.
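
An added example, not part of the thread or the lab scenario: a shell helper that fetches the tang advertisement the way the failing client does and separates a blocked port from a bad response. The function names are hypothetical, and the firewall-cmd hint assumes firewalld on the tang host with tang on the default HTTP port, as `curl localhost/adv` in the output above suggests.

```shell
#!/bin/sh
# Added example (not from the lab): triage "Unable to fetch advertisement".
# classify_adv and check_tang are hypothetical helper names.

# classify_adv CURL_EXIT_CODE BODY -> prints a one-word diagnosis
classify_adv() {
    rc=$1
    body=$2
    case "$rc" in
        0)  ;;                                    # HTTP transfer succeeded, inspect body
        6)  echo dns; return ;;                   # host name did not resolve
        7)  echo refused-or-rejected; return ;;   # firewall REJECT or nothing listening
        28) echo timeout; return ;;               # packets silently dropped on the way
        *)  echo curl-error; return ;;
    esac
    # A tang advertisement is a JSON-serialized JWS and carries all three members.
    # tang emits compact JSON (no spaces), as in the curl output in this thread.
    for key in payload protected signature; do
        case "$body" in
            *"\"$key\":"*) ;;
            *) echo not-an-advertisement; return ;;
        esac
    done
    echo ok
}

# check_tang URL -> fetches URL/adv from this host and prints the diagnosis
check_tang() {
    url=${1%/}/adv
    body=$(curl --silent --show-error --max-time 5 "$url") && rc=0 || rc=$?
    result=$(classify_adv "$rc" "$body")
    echo "$url: $result"
    case "$result" in
        refused-or-rejected|timeout)
            # Assumption: firewalld on the tang host, tang on the default HTTP port.
            echo "If 'curl localhost/adv' works on the tang host, open the port there:"
            echo "  firewall-cmd --permanent --add-service=http && firewall-cmd --reload"
            ;;
    esac
    [ "$result" = ok ]
}

# Run from the clevis client, e.g.: sh check_tang.sh 192.168.122.1
if [ $# -gt 0 ]; then
    check_tang "$1"
fi
```
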

@smcbrien smcbrien reopened this Aug 10, 2021
@smcbrien
Contributor

I've applied the PR, waiting for confirmation before closing the issue.

@Tronde

Tronde commented Aug 10, 2021

@smcbrien I confirm that it works, now. Thank you very much!

@smcbrien
Contributor

As it's been validated as working, I'm going to close the issue.
