Ignition fails for luks encrypted root with btrfs

Ask Fedora
1

Hello, I have encountered problem trying to install coreos from ignition file, with encrypted root and btrfs filesystem.
Here is butane storage config part:

variant: fcos
version: 1.5.0
storage:
  filesystems:
    - device: /dev/mapper/root
      path: /
      format: btrfs
      wipe_filesystem: true
      label: root
  luks:
    - name: root
      label: root
      device: /dev/disk/by-partlabel/root
      discard: true
      key_file:
        inline: test-pass-to-be-changed
      wipe_volume: true

After reboot, ignition fails with cryptic output (error?):

image
image1371×770 162 KB

this screenshot show basically whole log of failed growfs service.
Finally partitions look like this:
image
image1366×417 36 KB

Is this setup supported?

2

I found some other discussion and something looking like solution: Root LUKS in ignition - #2 by jlebon
but with this config it just fails more miserably:

storage:
  disks:
    - device: /dev/vda
      partitions:
        - label: root
          number: 4
          # 0 means to use all available space
          size_mib: 0
          resize: true
  filesystems:
    - device: /dev/mapper/root
      path: /
      format: btrfs
      wipe_filesystem: true
      label: root
  luks:
    - name: root
      label: root
      device: /dev/disk/by-partlabel/root
      discard: true
      key_file:
        inline: test-pass-to-be-changed
      wipe_volume: true

image
image1579×872 178 KB

3

Try without the path: / key.

Note that using keyfiles for the rootfs is not usually recommended. It means that you would have to type in a password on every boot, which is not compatible with automatic updates.

1 Like
4

Yeap I forgot I added the path later when trying to fix this. After removing it installation works.

It would be better to not have to specify the device path, as this makes the config less flexible, but it is not that bad I guess.

I currently use coreos for stuff that rather does not fit the automatic reboot for update scheme, so that is why I prefer password on boot.

5

Ahh yes, I should also mention that instead of /dev/vda, you can use /dev/disk/by-id/coreos-boot-disk. I’ve opened storage: don't use `/dev/vda` by jlebon · Pull Request #633 · coreos/fedora-coreos-docs · GitHub.

1 Like