storage: Tang keyserver and passphrase management for Stratis #18818

mvollmer · 2023-05-17T13:16:34Z

Storage: Stratis pools can now be bound to a Tang server

In addition to a passphrase (or instead of it), a Stratis pool can now use Tang server for encryption.

mvollmer · 2023-05-17T13:22:56Z

A random thing I just learned: when adding a block device, all unlocking tokens must be available: passphrase and key server. If one of them is missing (wrong passphrase or key server not reachable), adding the block device will fail with this misleading error message:

"Neither the key in the kernel keyring nor Clevis could be used to perform encryption
operations on the devices in the pool; check that either the appropriate key in the keyring
is set or that the Clevis key storage method is available"

mvollmer · 2023-05-19T14:08:29Z

About Stratis, Tang, and reboots:

A Stratis fsys that is bound to tang can only be unlocked via tang during boot. The stratis-fstab-set service will not ask for a passphrase if there is a celvis binding on a pool.
With "fail" mode in fstab, a boot will thus reliably break. It's expected that clevis can't unlock the fsys, but it's maybe unexpected that there is no possibility to input a passphrase. But Cockpit should definitely steer people away from this.
"nofail" will also fail to mount the fsys since the setup is run without network (unless you have rd.neednet set during boot) This is kinda expected and maybe we can allow this in Cockpit (with a warning?)
"netdev" will also fail, and this is unexpected. The mount unit has a dependency on network-online and on fstab-setup (which is the service that invokes clevis), but fstab-setup does not have a dependency on network-online. Thus, systemd starts fstab-setup very early and it will fail, which of course causes the mount unit to fail.

Thus:

We need to fix the ordering of fstab-setup for netdev filesystems. Maybe introduce a separate fstab-remote-setup that runs the same code but has a dep on network-online.
Changing the AtBoot mount option should select fstab-setup or fstab-remote-setup, as appropriate.
Cockpit should refuse to add a Tang server when there are filesystems that are "local", and should warn if there are filesystems that are "nofail". Maybe give the user an option to change all filesystems to "netdev".
New filesystems should be forced to "netdev" when a pool has already a tang binding.
Maybe warning triangles when netdev is missing for tang pools, and when the wrong setup unit is used.

Alternatively, we might make fstab-setup more robust:

If clevis fails, ask for a passphrase. Or better yet, run clevis and the passphrase in parallel and use whatever comes first.
Explicitly wait for network-online before starting clevis.

This would make things a bit simpler for Cockpit. (We still need to force netdev for tanged filesystems, but don't need to worry about which setup unit to use.)

mvollmer · 2023-05-29T06:36:39Z

Alright, I totally missed the "clevis_info" argument to CreatePool. Stratis allows the creation of a pool without a passphrase but clevis_info instead. We should support this here as well, and also make sure that pools without passphrases work as expected. Adding a passphrase to a pool without one should probably be part of #18842.

mvollmer · 2023-05-29T11:05:57Z

Adding a passphrase to a pool without one should probably be part of #18842.

Ah, heck, let's do it all here. It's all connected.

mvollmer · 2023-07-04T12:14:55Z

@garrett , please take another look. New demo: https://youtu.be/HFCzWqqRXHQ

I have kept the "Add" / "Remove"` terminology for passphrases and keyservers. I couldn't think of anything better... can you?

mvollmer · 2023-07-05T10:05:41Z

Alternatively, we might make fstab-setup more robust:
[...]
* Explicitly wait for network-online before starting clevis.

This seems to be the plan, see stratis-storage/stratisd#3348. With that solution, "nofail" is good enough, and since it is the default used by Cockpit, we probably don't need to do anything special.

mvollmer · 2023-07-06T10:01:39Z

When SHA-1 is still needed:

The code that constructs the dialog does not know whether SHA-1 is needed, unfortunately. This was worked on in #18908 and has now been merged.

jelly

Is my comment correct about the translation? Otherwise LGTM.

pkg/storaged/stratis-panel.jsx

mvollmer · 2023-07-07T10:51:16Z

Hmm, now there is a failure on Arch:

warning: Command failed: cmd: "/usr/sbin/clevis" "luks" "bind" "-d" "/dev/sda" "-e" "1" "-t" "2" "tang" "{\"adv\":{\"payload\":\"eyJrZXlzIjogW3siYWxnIjogIkVTNTEyIiwgImt0eSI6ICJFQyIsICJjcnYiOiAiUC01MjEiLCAieCI6ICJBSGoya3FlM1k5Vmd6WXVrY1BTZGo2MkJUcy1taHFGV0cyXzZ2UkhTVmV3bTZ0YjJ4SFUtZGFIYkxCQlVNMkJrTmhBdzZNTlpqeHZMcjdTOU1JYmpYVTU1IiwgInkiOiAiQUlaOExrbm1udHlnSHN4WllCdG1DNDRGV2VfV1NKWUlvZG9WNkhodnliZGY3dGxRcDE1STBjYUgxamxnQ2lOS2VXM2U3bWdQNWRjMnlrUUVjMFFnN3dRYyIsICJrZXlfb3BzIjogWyJ2ZXJpZnkiXX0sIHsiYWxnIjogIkVDTVIiLCAia3R5IjogIkVDIiwgImNydiI6ICJQLTUyMSIsICJ4IjogIkFTb2JnRDBQRjgyd1Z3QTZYYXdMRW9idmxHRWNMUmhlR1dCdXRhbUlQd2FhTVFUeHBHZUNCYTk4b0dHblVPYUtfU0g0eUh6cS1lVGVRU2pkS05SWFNpekIiLCAieSI6ICJBWGFVN2k0RWx4TVFJbkVSdnBqTXd2YnlpNkQyM1RCQU5ja1l3N3BibFhtLXpJaDlLUldCRGdEZEFvY1RQQ2JINUkxWldOb1ZYRG5kMWNMWXlzS3FIdndCIiwgImtleV9vcHMiOiBbImRlcml2ZUtleSJdfV19\",\"protected\":\"eyJhbGciOiJFUzUxMiIsImN0eSI6Imp3ay1zZXQranNvbiJ9\",\"signature\":\"AbeUCV01KbM6yi_Ccp-nGvgKjdozlwo14REw9w6MREILhfY1PjEPcQ2UlmomrPkphzHuSGKYc4JGMpPwnw7CSmqzAX4Mz_FbX_ZyZABMGNJ4xw0cn109zFJHwazsc8x2YR59GuuxTUcGBYl7G5Bfycw9CWMpzdvUxOxARcHGAuaVPAhL\"},\"url\":\"10.111.112.5\"}", exit reason: 2 stdout:  stderr: 
Usage: clevis luks bind [-y] [-f] [-s SLT] [-k KEY] [-t TOKEN_ID] -d DEV PIN CFG

Binds a LUKS device using the specified policy:

  -f           Do not prompt for LUKSMeta initialization

  -d DEV       The LUKS device on which to perform binding

  -y           Automatically answer yes for all questions

  -s SLT       The LUKS slot to use

  -t TKN_ID    The LUKS token ID to use; only available for LUKS2

  -k KEY       Non-interactively read LUKS password from KEY file
  -k -         Non-interactively read LUKS password from standard input

clevis luks bind is missing the -e option.

mvollmer · 2023-07-07T10:53:06Z

clevis luks bind is missing the -e option.

Ah, this is because Arch now has stratisd 3.5. @jelly, looks like clevis needs to be udpated as well...

mvollmer · 2023-08-08T09:47:12Z

clevis luks bind is missing the -e option.

Ah, this is because Arch now has stratisd 3.5. @jelly, looks like clevis needs to be udpated as well...

Seems fixed.

cockpituous · 2023-08-08T12:46:22Z

pkg/storaged/client.js

                    return client.stratis_manager.CreatePool(name, [false, 0],
                                                             devs,
                                                             key_desc ? [true, key_desc] : [false, ""],
-                                                             [false, ["", ""]]);
+                                                             clevis_info ? [true, clevis_info] : [false, ["", ""]]);
