From 2a16458622be983aba3762079d7a72383bd8be02 Mon Sep 17 00:00:00 2001 From: Sergio Correia Date: Fri, 29 Oct 2021 10:58:26 -0300 Subject: [PATCH 2/2] systemd: account for unlocking failures in clevis-luks-askpass As unlock may fail for some reason, e.g. the network is not up yet, one way cause problems would be to add extra `rd.luks.uuid' params to the cmdline, which would then cause such devices to be unlocked in early boot. If the unlocking fail, those devices might not be accounted for in the clevis_devices_to_unlock() check, as it is based on crypttab. Let's make sure there are no pending ask.* sockets waiting to be answered, before exiting. Related: https://bugzilla.redhat.com/show_bug.cgi?id=1878892 --- src/luks/systemd/clevis-luks-askpass.in | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/src/luks/systemd/clevis-luks-askpass.in b/src/luks/systemd/clevis-luks-askpass.in index 8f54859..a6699c9 100755 --- a/src/luks/systemd/clevis-luks-askpass.in +++ b/src/luks/systemd/clevis-luks-askpass.in @@ -67,8 +67,11 @@ while true; do done [ "${loop}" != true ] && break + # Checking for pending devices to be unlocked. - if remaining=$(clevis_devices_to_unlock) && [ -z "${remaining}" ]; then + remaining_crypttab=$(clevis_devices_to_unlock) ||: + remaining_askfiles=$(ls "${path}"/ask.* 2>/dev/null) ||: + if [ -z "${remaining_crypttab}" ] && [ -z "${remaining_askfiles}" ]; then break; fi -- 2.33.1
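Review bot: on the added `remaining_crypttab=$(clevis_devices_to_unlock) ||:` line, the `||:` discards the function's exit status, so a failing call that prints nothing now reads as "nothing pending in crypttab", whereas the removed `if remaining=$(clevis_devices_to_unlock) && [ -z "${remaining}" ]` form kept looping in that case. If the change is intended, say so in the comment above the check; otherwise keep the status and treat an empty result as done only when the call succeeded. On the `remaining_askfiles` line, `ls "${path}"/ask.*` matches every ask file in that directory, including prompts this script may not be able to answer, so with `loop` set to true the visible exit condition depends on something else clearing them. Consider restricting the check to the requests the loop body actually handles, or documenting how the loop terminates when an ask file stays unanswered. Testing the glob with `[ -e ]` would also avoid capturing `ls` output just to check for emptiness.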