The officially official Devuan Forum!


#2 Re: Other Issues » [SOLVED] Network based disk encryption using clevis & tang fails » 2024-05-12 15:53:27

Some more digging:

ip=dhcp

as kernel parameter within /etc/default/grub raised errors. Replaced this with

ip=192.168.1.187::192.168.1.1:255.255.255.0:guldukat:eth0:none:192.168.1.2

which adds one more step:

...
cryptsetup: WARNING: sdb3_crypt: ignoring unknown option '_netdev'
Please unlock disk sdb3_crypt: Begin: clevis: Waiting for interface eth0 to become available ... done
Begin: Waiting up to 180 secs for eth0 to become available ... done
IP-Config: eth0 hardware address d8:XX:XX.XX.XX.XX:XX mtu 1500
IP-Config: eth0 guessed broadcast address 192.168.1.255
IP-Config: eth0 complete:
   address: 192.168.1.187    broadcast: 192.168.1.255    netmask 255.255.255.0
   gateway: 192.168.1.1      dns0: 192.168.1.2           dns1: 0.0.0.0

So r8169 seems to be loaded and configured, but clevis still fails....

-MN
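The static ip= line above is easy to get subtly wrong, and a bad gateway or netmask produces exactly the symptom in this thread (interface up, tang unreachable). The following is an added example, not code from the thread, from clevis or from the kernel: it parses the kernel's documented ip= field layout (client-ip:server-ip:gw-ip:netmask:hostname:device:autoconf:dns0-ip:dns1-ip:ntp0-ip) and checks that the gateway is on-link. The field names and function names are my own; IPv6 bracket syntax is not handled.

```python
import ipaddress

# Field order from the kernel's nfsroot documentation:
# ip=<client-ip>:<server-ip>:<gw-ip>:<netmask>:<hostname>:<device>:<autoconf>:<dns0-ip>:<dns1-ip>:<ntp0-ip>
IP_FIELDS = ("client_ip", "server_ip", "gw_ip", "netmask", "hostname",
             "device", "autoconf", "dns0_ip", "dns1_ip", "ntp0_ip")
ADDRESS_FIELDS = ("client_ip", "server_ip", "gw_ip", "netmask",
                  "dns0_ip", "dns1_ip", "ntp0_ip")
AUTOCONF = {"off", "none", "on", "any", "dhcp", "bootp", "rarp", "both"}

def parse_ip_param(value):
    """Split the text after 'ip=' into named fields.

    Handles the one-word forms (ip=dhcp, ip=none, ...), a bare client
    address, and the full colon-separated form; absent fields are "".
    Raises ValueError on a malformed address, an unknown autoconf
    keyword or too many fields.
    """
    if value in AUTOCONF:
        return {"autoconf": value}
    parts = value.split(":")
    if len(parts) > len(IP_FIELDS):
        raise ValueError("too many fields in ip= parameter")
    fields = dict(zip(IP_FIELDS, parts + [""] * (len(IP_FIELDS) - len(parts))))
    for name in ADDRESS_FIELDS:
        if fields[name]:
            ipaddress.ip_address(fields[name])  # raises ValueError if malformed
    if fields["autoconf"] and fields["autoconf"] not in AUTOCONF:
        raise ValueError(f"unknown autoconf keyword: {fields['autoconf']!r}")
    return fields

def gateway_on_link(fields):
    """True if gw-ip lies in the subnet formed by client-ip and netmask.

    A gateway outside that subnet lets the interface come up but leaves
    the tang server unreachable. Returns None when the check does not
    apply (autoconf shorthand, or no static address/gateway/netmask).
    """
    if not (fields.get("client_ip") and fields.get("gw_ip") and fields.get("netmask")):
        return None
    subnet = ipaddress.ip_network(
        f"{fields['client_ip']}/{fields['netmask']}", strict=False)
    return ipaddress.ip_address(fields["gw_ip"]) in subnet

if __name__ == "__main__":
    # the static value from the post above: host guldukat, eth0, gateway .1, dns .2
    cfg = parse_ip_param(
        "192.168.1.187::192.168.1.1:255.255.255.0:guldukat:eth0:none:192.168.1.2")
    print(cfg["device"], cfg["autoconf"], gateway_on_link(cfg))
```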

#3 Re: Other Issues » [SOLVED] Network based disk encryption using clevis & tang fails » 2024-05-12 14:48:23

Thank you.

I just reinstalled after testing "apt install dracut" which resulted in a blank screen after grub :-/

On a fresh installation

allow-hotplug eth0

is missing from /etc/network/interfaces.

Also

update-initramfs -v | grep interfaces

results in empty output - how do I add this file to the initramfs?

Thanks

#4 Other Issues » [SOLVED] Network based disk encryption using clevis & tang fails » 2024-05-12 10:04:24

Morgennebel
Replies: 5

Hej,

I am trying to implement network-based disk encryption based on LUKS, clevis and tang.

Tang-server is a Pi Zero 2 running Raspberry OS lite and tang from apt repositories.

My client is a fresh installation of Daedalus. I installed clevis using apt:

apt install powertop vim-nox clevis-initramfs clevis-luks clevis-tpm2

and configured LVM-over-LUKS:

root@guldukat:~# lsblk
NAME                 MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINTS
sda                    8:0    0 29.8G  0 disk  
├─sda1                 8:1    0  365M  0 part  /boot/efi
├─sda2                 8:2    0  954M  0 part  /boot
└─sda3                 8:3    0 28.5G  0 part  
  └─sda3_crypt       254:0    0 28.5G  0 crypt 
    ├─FlashMem-opt   254:1    0  7.4G  0 lvm   /opt
    ├─FlashMem-swap  254:2    0  3.7G  0 lvm   [SWAP]
    └─FlashMem-root  254:3    0 17.3G  0 lvm   /
sdb                    8:16   0  1.8T  0 disk  
└─sdb1                 8:17   0  1.8T  0 part  
  └─sdb1_crypt       254:4    0  1.8T  0 crypt 
    └─USB2TBSSD-data 254:5    0  1.8T  0 lvm   /data

For both /dev/sda3 and /dev/sdb1 the tang server registered successfully:

cryptsetup luksDump /dev/sda3

reports

...
Tokens:
  0: clevis
	Keyslot:    1
....

I am failing with automatic decryption during boot, as the network is unreachable. As documented in the clevis & tang documentation, I have:

Changed /etc/default/grub to include

GRUB_CMDLINE_LINUX_DEFAULT="quiet rd.neednet=1 ip=dhcp"

Added the module in /etc/initramfs-tools/modules to include my network card driver:

r8169

Added to /etc/crypttab the option _netdev

sda3_crypt UUID=1f4eXXXX-...-baXXXXX9cf0 none luks,discard,_netdev
sdb1_crypt UUID=7YYYYYe12-...-9a2dbYYYYYYf none luks,discard,_netdev

Recreated initrd using

update-initramfs -v -u -k 'all'

and updated grub

update-grub

However, during a reboot no network is found and clevis cannot reach the tang server. The network module and dhcp appear much later, after unlocking the disks manually.

My Google-Fu shows a lot of recommendations for dracut instead of update-initramfs, but I think the error is more around network availability during the early grub or early kernel stages.

Any advice?

Thanks, -MN

#5 Re: Installation » [SOLVED] apt-get update: gpg error (expired key) » 2022-09-08 16:50:42

Morgennebel wrote:
fsmithred wrote:

To do a new install with the existing live isos, you can just download the package in a terminal with wget, check the sha256sum and install with dpkg or gdebi. Then run the installer.

I tried the server and netinstall ISOs. Both do not have dpkg available (or I did not find them in /usr/sbin, /sbin or /usr/bin).

You first need to chroot to /target. dpkg is then available.

# chroot /target
# dpkg -i ....

Ciao, -MN

#6 Re: Installation » [SOLVED] apt-get update: gpg error (expired key) » 2022-09-05 16:09:23

fsmithred wrote:

To do a new install with the existing live isos, you can just download the package in a terminal with wget, check the sha256sum and install with dpkg or gdebi. Then run the installer.

I tried the server and netinstall ISOs. Both do not have dpkg available (or I did not find them in /usr/sbin, /sbin or /usr/bin).

#7 Re: Installation » [SOLVED] apt-get update: gpg error (expired key) » 2022-09-05 09:48:18

Unfortunately this bug also prevents new installations with existing ISO files.

Workaround:

* Once the installer fails to read a network mirror
* Start a shell from the installer (somewhere at the bottom of the menu)
* Execute wget as described above
* mv *.deb /target/root
* chroot /target
* dpkg -i /root/*.deb
* exit shell
* Continue installation

-MN

#8 Re: Other Issues » Unable to ssh from A to B to execute sudo command with arguments » 2019-10-02 16:39:08

chris2be8 wrote:

I've not used sudo for passwordless access for quite a few years. But as far as I can remember:
Start by running sudo -l on wolke7 and see what it says you can do.

Thank you, please see:

os@wolke7:~$ sudo -l
Matching Defaults entries for os on wolke7:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User os may run the following commands on wolke7:
    (root) NOPASSWD: /sbin/wondershaper *
    (ALL : ALL) ALL
os@wolke7:~$ sudo /sbin/wondershaper eth0 125 125
[sudo] password for os: 
Sorry, try again.
[sudo] password for os: 

So sudo is not working for me.

If I redo the change to /etc/pam.d/sudo as described in the link in the first post, it works as expected.
Is by chance /etc/pam.d/sudo broken in Devuan ASCII?

Thanks, -MN

#9 Re: Other Issues » Unable to ssh from A to B to execute sudo command with arguments » 2019-10-02 16:36:44

Thank you,

I changed /etc/pam.d/sudo back to the original version:

root@wolke7:~# cat /etc/pam.d/sudo
#%PAM-1.0

@include common-auth
@include common-account
@include common-session-noninteractive

and adopted your proposal:

root@wolke7:~# cat /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults	env_reset
Defaults	mail_badpass
Defaults	secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root	ALL=(ALL:ALL) ALL
#os	ALL=(ALL) NOPASSWD:  /sbin/wondershaper eth0 *
#os	ALL=(root) NOPASSWD: /bin/echo foo
os	ALL= NOPASSWD: /sbin/wondershaper

# Allow members of group sudo to execute any command
%sudo	ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d

As you can see, the two other lines are commented out.

After a reboot, sudo does not work:

os@wolke7:~$ sudo /sbin/wondershaper eth0 125 125
[sudo] password for os: 
Sorry, try again.
[sudo] password for os: 

And in /var/log/auth.log I do see:

Oct  2 18:31:52 wolke7 su[2021]: pam_unix(su:session): session closed for user root
Oct  2 18:31:56 wolke7 sudo: pam_unix(sudo:auth): authentication failure; logname=os uid=1000 euid=0 tty=/dev/pts/0 ruser=os rhost=  user=os
Oct  2 18:32:22 wolke7 sudo: pam_unix(sudo:auth): conversation failed
Oct  2 18:32:22 wolke7 sudo: pam_unix(sudo:auth): auth could not identify password for [os]
Oct  2 18:32:22 wolke7 sudo:       os : 1 incorrect password attempt ; TTY=pts/0 ; PWD=/home/os ; USER=root ; COMMAND=/sbin/wondershaper eth0 125 125
Oct  2 18:32:32 wolke7 su[2060]: Successful su for root by os
Oct  2 18:32:32 wolke7 su[2060]: + /dev/pts/0 os:root
Oct  2 18:32:32 wolke7 su[2060]: pam_unix(su:session): session opened for user root by os(uid=1000)
Oct  2 18:32:32 wolke7 su[2060]: pam_elogind(su:session): Cannot create session: Already running in a session
Oct  2 18:32:53 wolke7 su[2060]: pam_unix(su:session): session closed for user root
Oct  2 18:32:55 wolke7 sudo: pam_unix(sudo:auth): conversation failed
Oct  2 18:32:55 wolke7 sudo: pam_unix(sudo:auth): auth could not identify password for [os]
Oct  2 18:33:03 wolke7 su[2088]: Successful su for root by os
Oct  2 18:33:03 wolke7 su[2088]: + /dev/pts/0 os:root
Oct  2 18:33:03 wolke7 su[2088]: pam_unix(su:session): session opened for user root by os(uid=1000)
Oct  2 18:33:03 wolke7 su[2088]: pam_elogind(su:session): Cannot create session: Already running in a session

Even when adding a * to os    ALL= NOPASSWD: /sbin/wondershaper at the end to indicate arguments to wondershaper, it does not work.

/me confused.

Thanks, -MN

#10 Other Issues » Unable to ssh from A to B to execute sudo command with arguments » 2019-10-02 13:26:35

Morgennebel
Replies: 4

Dear,

I have system A with userA and system B with userB. Both systems run Devuan ASCII with all updates.

My challenge: I need to ssh userA@A to userB@B without a password to execute a command (wondershaper) which requires sudo rights.

My steps:

  • I enabled password-less ssh from userA@A to userB@B which works fine

  • I modified /etc/sudoers on B to allow userB@B to execute wondershaper without password

Logs passwordless-ssh:

fhem@smarthome:~$ 
fhem@smarthome:~$ ssh os@192.168.255.42
Linux wolke7 4.9.0-6-amd64 x86_64 GNU/Linux

The programs included with the Devuan GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Devuan GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Oct  1 18:48:20 2019 from 192.168.255.100
os@wolke7:~$ 

The command to be executed from userB@B is /sbin/wondershaper with 3 arguments (Network device, Downspeed, Upspeed).

My /etc/sudoers (edited with visudo) on system B is

#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL:ALL) ALL
os      ALL=(ALL) NOPASSWD:  /sbin/wondershaper eth0 *
os      ALL=(root) NOPASSWD: /bin/echo foo

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d

With this setup userB (= os) should be able to sudo without a password /sbin/wondershaper eth0 with two additional parameters.

However sudo is asking for the user password:

os@wolke7:~$ 
os@wolke7:~$ 
os@wolke7:~$ sudo /sbin/wondershaper eth0 1500 750
[sudo] password for os: 

Logfile /var/log/auth.log reports:

Oct  2 15:17:01 wolke7 CRON[16018]: pam_unix(cron:session): session closed for user root
Oct  2 15:18:42 wolke7 su[16008]: pam_unix(su:session): session closed for user root
Oct  2 15:19:13 wolke7 sudo: pam_unix(sudo:auth): conversation failed
Oct  2 15:19:13 wolke7 sudo: pam_unix(sudo:auth): auth could not identify password for [os]
Oct  2 15:19:36 wolke7 sudo: pam_unix(sudo:auth): conversation failed
Oct  2 15:19:36 wolke7 sudo: pam_unix(sudo:auth): auth could not identify password for [os]
Oct  2 15:19:43 wolke7 su[16054]: Successful su for root by os
Oct  2 15:19:43 wolke7 su[16054]: + /dev/pts/1 os:root
Oct  2 15:19:43 wolke7 su[16054]: pam_unix(su:session): session opened for user root by os(uid=1000)
Oct  2 15:19:43 wolke7 su[16054]: pam_elogind(su:session): Cannot create session: Already running in a session

To read the logfile I used "su -" as userB on system B.

I found https://stackoverflow.com/questions/576 … ssword-for as a potential solution, which is to change /etc/pam.d/sudo . The poster has the same challenge on a CentOS 7 system. The /etc/pam.d/sudo file looks similar on my Devuan ASCII system, missing lines like

# Fixing ssh "auth could not identify password for [username]"
auth       sufficient   pam_permit.so

I have very little to no experience configuring pam - is this the right solution for Devuan as well?

Thanks, -MN
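sudoers(5) applies every matching entry in file order and the last match wins, and it matches a rule's arguments against the user's arguments as one space-joined glob. The following is an added example, not code from this thread or from sudo itself, that reproduces those two rules for the plain user/group entries shown in the /etc/sudoers of this post and of the reply above, and evaluates the wondershaper command from both. It assumes that user os is a member of group sudo (consistent with the "(ALL : ALL) ALL" entry in the sudo -l output quoted in the thread); aliases, comma-separated command lists and negation are out of scope, and the function and field names are my own.

```python
import fnmatch
import re
# Matches "user host=(runas) [TAG:] command [args]"; Defaults, comments and #include lines are skipped.
RULE_RE = re.compile(r"^(?P<user>\S+)\s+(?P<host>[^\s=]+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*"
                     r"(?:(?P<tag>NOPASSWD|PASSWD)\s*:\s*)?(?P<cmnd>.+?)\s*$")

def parse_sudoers(text):
    """Return the privilege rules of a sudoers file, in file order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported sudoers line: {line!r}")
        runas = (m["runas"] or "root").split(":")[0].strip()  # no (runas) means root
        rules.append({"user": m["user"], "host": m["host"], "runas": runas,
                      "tag": m["tag"] or "PASSWD", "cmnd": m["cmnd"]})
    return rules

def command_matches(cmnd, command, args):
    """sudoers(5): rule without args = any args; "" = no args; else fnmatch."""
    if cmnd == "ALL":
        return True
    rule_cmd, _, rule_args = cmnd.partition(" ")
    if rule_cmd != command:
        return False
    if rule_args == "":
        return True
    if rule_args == '""':
        return not args
    # arguments are compared as one space-joined string, so * also spans words
    return fnmatch.fnmatchcase(" ".join(args), rule_args)

def decide(rules, user, groups, host, command, args, runas="root"):
    """'deny', 'password' or 'nopasswd'; a later matching rule overrides an earlier one."""
    verdict = "deny"
    for r in rules:
        who = r["user"]
        if not (who in ("ALL", user) or (who.startswith("%") and who[1:] in groups)):
            continue
        if r["host"] not in ("ALL", host) or r["runas"] not in ("ALL", runas):
            continue
        if command_matches(r["cmnd"], command, args):
            verdict = "nopasswd" if r["tag"] == "NOPASSWD" else "password"
    return verdict

# Constructed copy of the privilege lines from the /etc/sudoers shown in this post
SUDOERS_POST = """\
root    ALL=(ALL:ALL) ALL
os      ALL=(ALL) NOPASSWD:  /sbin/wondershaper eth0 *
os      ALL=(root) NOPASSWD: /bin/echo foo
%sudo   ALL=(ALL:ALL) ALL
"""
```

With os in group sudo, `decide(parse_sudoers(SUDOERS_POST), "os", {"sudo"}, "wolke7", "/sbin/wondershaper", ["eth0", "125", "125"])` returns "password", because the trailing %sudo entry matches last; with the NOPASSWD line placed after the %sudo line (or in /etc/sudoers.d, which #includedir pulls in at the end), it returns "nopasswd".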

#11 Other Issues » ascii/ceres: Upgrade from php7.0 to php7.1/7.2? » 2018-04-30 12:09:09

Morgennebel
Replies: 2

Dear,

I searched Google, Wiki and Forums for quite some time to learn how to upgrade from php7.0 to 7.1 or 7.2.

There are packages listed, but I have no idea how to upgrade them or add a repository for apt to get the packages.

Any hints/links?

Thanks so much,

Ciao, -MN

#12 Re: Other Issues » arm64: e2fsprogs too old for filesystem on installation image :-( » 2018-02-14 10:37:14

And in addition to the backports e2fsprogs update, /etc/fstab needs an update

From:

## rootfs
/dev/mmcblk0p2    /             ext4   errors=remount-ro,sync,noatime 0    0

To:

## rootfs
/dev/mmcblk0p2    /             ext4   errors=remount-ro,sync,noatime 0    1

Also /dev/mmcblk0p2 has been configured to -1 for maximum mount count. For armhf64 and the buggy SD card I used:

root@devuan:~# tune2fs -c 10 /dev/mmcblk0p2 

to check the filesystem every 10th mount and to enable /forcefsck.

It also seems that the downloaded image for RPI3 is tagged dirty

[    3.495755] EXT4-fs (mmcblk0p2): warning: mounting unchecked fs, running e2fsck is recommended
[    3.499284] EXT4-fs (mmcblk0p2): re-mounted. Opts: errors=remount-ro

Ciao, -MN

#13 Re: Other Issues » arm64: e2fsprogs too old for filesystem on installation image :-( » 2018-02-08 19:15:02

How many people/users will fall for the same trap and curse the image when they lose data?

It may work for both of us now as we are aware - but everyone else using RPI with Devuan is at risk.

Ciao, -MN

#14 Re: Other Issues » arm64: e2fsprogs too old for filesystem on installation image :-( » 2018-02-08 18:10:22

That looks good.

Then e2fsprogs 1.43.3 should be included into the main Raspberry Pi arm64 image?

Ciao, -MN

#15 Other Issues » arm64: e2fsprogs too old for filesystem on installation image :-( » 2018-02-08 14:59:13

Morgennebel
Replies: 7

Dear,

installed Devuan Jessie 1.0.0 using the download of devuan_jessie_1.0.0_arm64_raspi3.img.

The installation is setting up the filesystems as:

root@pi-hole:/home/os# mount | grep mmc
/dev/mmcblk0p2 on / type ext4 (ro,noatime,block_validity,delalloc,nojournal_checksum,norecovery,barrier,user_xattr,acl,errors=remount-ro)
/dev/mmcblk0p1 on /boot type vfat (rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=ascii,shortname=mixed,errors=remount-ro)

The / partition is being resized to match the entire SD-card space.

Unfortunately / or /dev/mmcblk0p2 is using the flag metadata_csum

root@pi-hole:/home/os# tune2fs -l /dev/mmcblk0p2
tune2fs 1.42.12 (29-Aug-2014)
Filesystem volume name:   <none>
Last mounted on:          /
Filesystem UUID:          3be31ccf-eda0-4239-bad7-2ca304abe1b9
Filesystem magic number:  0xEF53
Filesystem revision #:    1 (dynamic)
Filesystem features:      has_journal ext_attr resize_inode dir_index filetype extent 64bit flex_bg sparse_super large_file huge_file dir_nlink extra_isize metadata_csum

This flag is not supported by e2fsprogs 1.42.12-2+b1, which is part of the installation image.

Thus, when the SD card fails there is no chance at all to get it fixed. e2fsck refuses to run, there is not sufficient time or no possibility to upgrade (as / is mounted ro). Therefore a single issue with the SD card (and there are many on a Pi) will break the entire system and require re-installation.

Suggested solution: please update the installation image to not use metadata_csum.

Thanks, -MN

#16 Re: Installation » [SOLVED] Installation on Latte Panda 4G/64GB Intel Cherry Trail Z8300 » 2017-06-08 06:27:13

Thank you, Nick,

installation succeeded with devuan_jessie_1.0.0_amd64_DVD.iso from a USB 2.0 port without any issues. UEFI and grub were set up correctly.

Thanks again for the hint,

Ciao, -MN

#17 Installation » [SOLVED] Installation on Latte Panda 4G/64GB Intel Cherry Trail Z8300 » 2017-06-07 15:00:33

Morgennebel
Replies: 2

Dear,

I am trying to install Devuan on my new Latte Panda 4GB RAM/64 GB storage using a 64-bit x86 Intel Atom X5 CPU and UEFI BIOS - see http://www.lattepanda.com/product-details/?pid=3 for full tech specs.

Using Rufus I have copied:

  • devuan_jessie_1.0.0_amd64_uefi_desktop_live.iso

  • devuan_jessie_1.0.0_amd64_DVD.iso

  • devuan_jessie_1.0.0_amd64_NETINST.iso

to a USB disk and booted. The installer starts each time, I can select language, keyboard and timezone - but it fails in all three scenarios looking for the USB disk and drops me into a busybox shell.

The NETINST installer complained about a missing ehci-orion module.

I kindly ask for help in getting devuan installed.

Thanks, -MN
