Natxo Asenjo
2021-Dec-15 20:17 UTC
[CentOS] network bound disk encryption bond interface not working
Hi,

Running 8.5, I cannot get the LUKS container on a Dell PowerEdge 740 to unlock automatically.

This is the setup. The clevis client has bound a tang server:

    # clevis luks list -d /dev/sdb2
    1: tang '{"url":"http://10.x.x.200"}'

This sdb2 is the boot device.

dracut config:

    kernel_cmdline="bond=bond0:eno1,eno2:mode=4,miimon=100 ip=10.xx.x.1::10.xx.x.254:255.255.255.0::bond0:none "
    omit_dracutmodules+="ifcfg"

After a reboot, I see that the tang server receives a POST from this IP, and sends a 200 back:

    16:45:02.247838 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
        10.xx.x.200.80 > 10.xx.x.1.46374: Flags [S.], cksum 0x391b (incorrect -> 0x0686), seq 2182485757, ack 3195393805, win 28960, options [mss 1460,sackOK,TS val 329378980 ecr 3156670178,nop,wscale 7], length 0
    16:45:02.248057 IP (tos 0x0, ttl 63, id 8950, offset 0, flags [DF], proto TCP (6), length 52)
        10.xx.x.1.46374 > 10.xx.x.200.80: Flags [.], cksum 0xa58d (correct), ack 1, win 229, options [nop,nop,TS val 3156670178 ecr 329378980], length 0
    16:45:02.248191 IP (tos 0x0, ttl 63, id 8951, offset 0, flags [DF], proto TCP (6), length 448)
        10.xx.xx.1.46374 > 10.xx.x.200.80: Flags [P.], cksum 0x134d (correct), seq 1:397, ack 1, win 229, options [nop,nop,TS val 3156670178 ecr 329378980], length 396: HTTP, length: 396
        POST /rec/BMZ0nj7Ecn79Au8t24041JoChXk HTTP/1.1
        Host: 10.xx.x.200
        User-Agent: curl/7.61.1
        Accept: */*
        Content-Type: application/jwk+json
        Content-Length: 230

        {"alg":"ECMR","crv":"P-521","kty":"EC","x":"ARUMMnBG_wm8o3KuHk9qnEPbft1M7SMSlHkFHiSD0dDZSegvIZARe8U1V6lsaYZGSJ8mPBvI-NlUUc4yrdF3naaz","y":"ANQwwFFAEzl6UWiDrv37Pr8yTuWdwlDwq_QR0Q9TNP34_fsJAZ-y3oJv0uIoat6KLhPylWTjAY_jJIblOzWhQZpW"}
    16:45:02.248215 IP (tos 0x0, ttl 64, id 58644, offset 0, flags [DF], proto TCP (6), length 52)
        10.xxx.xx.200.80 > 10.xx.x.1.46374: Flags [.], cksum 0x3913 (incorrect -> 0xa3fb), ack 397, win 235, options [nop,nop,TS val 329378980 ecr 3156670178], length 0
    16:45:02.282326 IP (tos 0x0, ttl 64, id 58645, offset 0, flags [DF], proto TCP (6), length 69)
        10.xx.x.200.80 > 10.x.x.1.46374: Flags [P.], cksum 0x3924 (incorrect -> 0xe3fa), seq 1:18, ack 397, win 235, options [nop,nop,TS val 329379014 ecr 3156670178], length 17: HTTP, length: 17
        HTTP/1.1 200 OK

So basically, it should unlock, but it's not unlocking.

Does anyone have experience with bond interfaces and NBDE on 8/9?

TIA.

--
regards,
Natxo