[app-crypt/clevis] Add preliminary support for clevis

[krishjainx]

[app-crypt/clevis] Add preliminary support for clevis

I've added preliminary support for clevis and included all of its dependencies. On the suggestion of @pothos I am submitting this PR in order to get the image built through GitHub actions so that it can be downloaded later. (currently the bootengine ebuild here is also using the latest commit in krishjainx/bootengine).

Most of the work is already done. Just need to iron out a couple of ends and we should be able to include clevis support!

Testing done

Tested that the required wrappers and binaries are installed and accessible in the initramfs by building and using parameters for instance rd.shell rd.break=pre-pivot

CI: http://jenkins.infra.kinvolk.io:8080/job/container/job/packages_all_arches/2188/cldsv/

[pothos]

The branch needs a rebase on main for the CI to start.

[github-actions]

Build action triggered: https://github.com/flatcar/scripts/actions/runs/5596835179

[dongsupark]

Rebased this PR on main, pushed to https://github.com/flatcar/scripts/tree/krishjainx/add-clevis-krish.
Pushed required changes in bootengine to https://github.com/flatcar/bootengine/tree/krishjainx/add-clevis-krish.

Running Jenkins CI http://jenkins.infra.kinvolk.io:8080/job/container/job/packages_all_arches/2064/cldsv/.

[dongsupark]

CI failed when building cryptsetup.

!!! Fetched file: cryptsetup-2.6.1.tar.xz VERIFY FAILED!
!!! Reason: Insufficient data for checksum verification
!!! Got:      
!!! Expected: BLAKE2B BLAKE2S MD5 RMD160 SHA1 SHA256 SHA3_256 SHA3_512 SHA512 WHIRLPOOL

You would probably want to regenerate sdk_container/src/third_party/portage-stable/sys-fs/cryptsetup/Manifest.

[dongsupark]

Even after regenerating Manifest of cryptsetup, it does not build, because cryptsetup 2.6 started to require asciidoctor in the SDK for generating man pages.
The Gentoo ebuild does not provide a way to disable asciidoc.
This PR seems to require much more work as expected.
I will stop looking into it.

[krishjainx]

I have updated this PR, tested it with a local build, and rebased it on main (no merge conflicts). The updated Gentoo ebuild also enables cryptsetup 2.6 to work without asciidoctor in the SDK container. It seems to be functioning properly now. Thank you, @dongsupark

[dongsupark]

Thanks for updating the PR.

Why does this PR have the last commit Merge branch 'flatcar:main' into add-clevis-krish?
Could you please rebase or clean up commits to avoid having the merge commit?

See below:

[krishjainx]

Ah, I see. My bad. I was using the GitHub UI instead of the commandline git client. GitHub merged main into PR branch by default. Will fix it

…

On Mon, Jul 17, 2023, 13:47 Dongsu Park ***@***.***> wrote: ***@***.**** commented on this pull request. Thanks for updating the PR. Why does this PR have the last commit Merge branch 'flatcar:main' into add-clevis-krish? Could you please rebase or clean up commits to avoid having the merge commit? See below: ------------------------------ In sdk_container/src/third_party/coreos-overlay/app-crypt/clevis/clevis-19-r1.ebuild <#909 (comment)>: > @@ -0,0 +1,35 @@ +# Copyright 2022-2023 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +inherit meson + +DESCRIPTION="Automated Encryption Framework" +HOMEPAGE="https://github.com/latchset/clevis" +SRC_URI="https://github.com/latchset/${PN}/archive/v${PV}.tar.gz -> ${P}.tar.gz" + +LICENSE="GPL-3" +SLOT="0" +KEYWORDS="~amd64" This KEYWORS prevents the builds from starting. !!! All ebuilds that could satisfy "clevis" for /build/amd64-usr/ have been masked. !!! One of the following masked packages is required to complete your request: - app-crypt/clevis-19-r1::coreos (masked by: ~amd64 keyword) You would probably want to add =app-crypt/clevis-19-r1 ~amd64 in sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords, or replace the KEYWORDS above with KEYWORDS="amd64". — Reply to this email directly, view it on GitHub <#909 (review)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AR4RDLKGJQMO7544EWUDOSDXQTYJ5ANCNFSM6AAAAAAZFBCEHQ> . You are receiving this because you authored the thread.Message ID: ***@***.***>

[dongsupark]

Running Jenkins CI again. http://jenkins.infra.kinvolk.io:8080/job/container/job/sdk/932/cldsv/

[dongsupark]

Good news: amd64 build passed, and managed to run CI tests.

However, there are 2 issues.
First, arm64 build was triggered, and failed to build clevis due to missing keywords.

Second, almost all amd64 tests failed with the following messages.

harness.go:582: Found systemd unit failed to start (clevis-luks-askpass.path - Forward Password Requests to Clevis Directory Watch.) on machine 97d60bce-de3e-4b35-a424-b14e929139ad console

[krishjainx]

Note: Our CI tests are run by kola tests of https://github.com/flatcar/mantle/tree/flatcar-master/kola, and their clusters are configured in https://github.com/flatcar/mantle/blob/flatcar-master/platform/machine/qemu/cluster.go. So in theory it is possible to add new options for tpm2 there, looking into this now!

[krishjainx]

#1560 was merged and replaces this PR. Good work everyone!