LUKS on 512e disk breaks ignition-ostree-growfs.service
#1384
Comments
|
Observed the same issue on my bare-metal device: |
jlebon
changed the title
ignition-ostree-growfs.service
|
Hmm, this seems like a bug in cryptsetup. It should know to resize to a new size aligned to the LUKS sector size and not just the maximum. I guess we could also work around this by manually providing the size. |
On 512e disks, `sfdisk` (which is used by `growpart`) will end up growing the rootfs to a size not aligned to a 4K boundary. This is mostly fine because, well, the drive claims to be 512b-compatible. Issues arise however if one wants to also put LUKS on top: cryptsetup, trying to optimize performance, wants to set the sector size of the LUKS device to that of the physical value, which is 4K. But if the partition range itself isn't 4K-aligned, it will choke. Ideally, this should be fixed in sfdisk: util-linux/util-linux#2140 (Though cryptsetup could also learn to align the mapped area itself). Anyway, for now work aorund this by manually checking if the size of the partition is a multiple of 4k. If not, and the physical sector size is 4k, then trim off the edge of the partition to make it so. Note the partition start is always going to be aligned (they're 1M-aligned). Closes: coreos/fedora-coreos-tracker#1384 Closes: https://issues.redhat.com/browse/OCPBUGS-35410 See also: https://gitlab.com/cryptsetup/cryptsetup/-/issues/585
|
I was debugging a similar RHCOS bug and got to the bottom of this. The report there was that LUKS on 512e disks used to work in OCP 4.15 but in 4.16 it now no longer worked. The debugging that ensued ended up being interesting enough that I feel it's worth sharing all the gory details. When cryptsetup initially formats the partition, it tries to auto-detect the optimal sector size to use. It does this by querying the physical sector size of the device. This will be 4096 on a 512e disk. Then, it verifies whether the partition boundaries are aligned to the chosen sector size (in this case, aligned to 4096). If it does, it chooses 4096. If it doesn't, it gracefully falls back to 512. In 4.15 and earlier, the RHCOS metal image was partitioned using sgdisk. In 4.16 and later, we moved to osbuild, which uses sfdisk underneath for partitioning. A peculiar difference between the two is that sgdisk will size the rootfs to just take up the maximum amount of space available, whereas sfdisk will round it down to the closest 1M boundary. Putting it together, what happens then when configuring LUKS on 4.15 on a 512e disk would be that cryptsetup would still use a sector size of 512 during formatting, because the rootfs partition size wasn't aligned to a 4k boundary. OTOH, on 4.16 it would successfully choose a sector size of 4096 because it is aligned. Now, ignition-ostree-growfs comes along and wants to grow the partition and the LUKS device on top. First, the partition. It calls out to When ignition-ostree-growfs goes to resize the LUKS partition (using There's lots of possible ways to fix this, but I think the cleanest would be to fix the inconsistency in Obviously related here is the discussions in #1646; this wouldn't happen in a partition+filesystem-level install (i.e. not disk image-based install) because the partition would initially be created at its maximum size with the right alignment. |
On 512e disks, `sfdisk` (which is used by `growpart`) will end up growing the rootfs to a size not aligned to a 4K boundary. This is mostly fine because, well, the drive claims to be 512b-compatible. Issues arise however if one wants to also put LUKS on top: cryptsetup, trying to optimize performance, wants to set the sector size of the LUKS device to that of the physical value, which is 4K. But if the partition range itself isn't 4K-aligned, it will choke. Ideally, this should be fixed in sfdisk: util-linux/util-linux#2140 (Though cryptsetup could also learn to align the mapped area itself). Anyway, for now work aorund this by manually checking if the size of the partition is a multiple of 4k. If not, and the physical sector size is 4k, then trim off the edge of the partition to make it so. Note the partition start is always going to be aligned (they're 1M-aligned). Closes: coreos/fedora-coreos-tracker#1384 Closes: https://issues.redhat.com/browse/OCPBUGS-35410 See also: https://gitlab.com/cryptsetup/cryptsetup/-/issues/585
On 512e disks, `sfdisk` (which is used by `growpart`) will end up growing the rootfs to a size not aligned to a 4K boundary. This is mostly fine because, well, the drive claims to be 512b-compatible. Issues arise however if one wants to also put LUKS on top: cryptsetup, trying to optimize performance, wants to set the sector size of the LUKS device to that of the physical value, which is 4K. But if the partition range itself isn't 4K-aligned, it will choke. Ideally, this should be fixed in sfdisk: util-linux/util-linux#2140 (Though cryptsetup could also learn to align the mapped area itself). Anyway, for now work aorund this by manually checking if the size of the partition is a multiple of 4k. If not, and the physical sector size is 4k, then trim off the edge of the partition to make it so. Note the partition start is always going to be aligned (they're 1M-aligned). Closes: coreos/fedora-coreos-tracker#1384 Closes: https://issues.redhat.com/browse/OCPBUGS-35410 See also: https://gitlab.com/cryptsetup/cryptsetup/-/issues/585
On 512e disks, `sfdisk` (which is used by `growpart`) will end up growing the rootfs to a size not aligned to a 4K boundary. This is mostly fine because, well, the drive claims to be 512b-compatible. Issues arise however if one wants to also put LUKS on top: cryptsetup, trying to optimize performance, wants to set the sector size of the LUKS device to that of the physical value, which is 4K. But if the partition range itself isn't 4K-aligned, it will choke. Ideally, this should be fixed in sfdisk: util-linux/util-linux#2140 (Though cryptsetup could also learn to align the mapped area itself). Anyway, for now work aorund this by manually checking if the size of the partition is a multiple of 4k. If not, and the physical sector size is 4k, then trim off the edge of the partition to make it so. Note the partition start is always going to be aligned (they're 1M-aligned). Closes: coreos/fedora-coreos-tracker#1384 Closes: https://issues.redhat.com/browse/OCPBUGS-35410 See also: https://gitlab.com/cryptsetup/cryptsetup/-/issues/585 (cherry picked from commit 067e1f7)
travier
added
the
status/pending-testing-release
On 512e disks, `sfdisk` (which is used by `growpart`) will end up growing the rootfs to a size not aligned to a 4K boundary. This is mostly fine because, well, the drive claims to be 512b-compatible. Issues arise however if one wants to also put LUKS on top: cryptsetup, trying to optimize performance, wants to set the sector size of the LUKS device to that of the physical value, which is 4K. But if the partition range itself isn't 4K-aligned, it will choke. Ideally, this should be fixed in sfdisk: util-linux/util-linux#2140 (Though cryptsetup could also learn to align the mapped area itself). Anyway, for now work aorund this by manually checking if the size of the partition is a multiple of 4k. If not, and the physical sector size is 4k, then trim off the edge of the partition to make it so. Note the partition start is always going to be aligned (they're 1M-aligned). Closes: coreos/fedora-coreos-tracker#1384 Closes: https://issues.redhat.com/browse/OCPBUGS-35410 See also: https://gitlab.com/cryptsetup/cryptsetup/-/issues/585 (cherry picked from commit 067e1f7)
|
The short-term workaround for this until the longer-term workaround in coreos/fedora-coreos-config#3033 lands everywhere is to make Ignition resize the rootfs. E.g.: variant: fcos
version: 1.5.0
boot_device:
luks:
tpm2: true
storage:
disks:
- device: /dev/disk/by-id/coreos-boot-disk
partitions:
- number: 4
size_mib: 0
resize: true |
|
The fix for this went into testing stream release |
marmijo
added
status/pending-stable-release
|
The fix for this went into |
marmijo
removed
the
status/pending-stable-release
Describe the bug
Cannot deploy a VM with Luks on Azure.
Reproduction steps
Expected behavior
luks deployment should work
Actual behavior
System details
and VM having
Ignition config
failing config:
working config:
Additional information
in failing case, when cryptsetup deduces a 4096B sector size:
in working case, when we enforce 512B sector size
I think it's a combination of
https://gitlab.com/cryptsetup/cryptsetup/-/issues/585 making this error fatal,
and
https://gitlab.com/cryptsetup/cryptsetup/-/merge_requests/135 trying to improve the default sector size,
and
https://github.com/coreos/fedora-coreos-config/blob/next/overlay.d/05core/usr/lib/dracut/modules.d/40ignition-ostree/ignition-ostree-growfs.sh#L94 resizing the disk and letting cryptsetup choose the size, and Azure (and also, my baremetal servers, but I did not try to reproduce over there) having different value for physical and logical block size.
I think it should work out of the box, but just a documentation update would be great.
The text was updated successfully, but these errors were encountered: