Hi,
I currently run into an issue with the role.
When running the playbook, it finishes as "successful" but the automatic unlocking does not work.
While troubleshooting I noticed that the role did not save the keys for both tang servers into the keyslots.
There is only the keyslot 0 with the initial passphrase propagated. No further errors are reported.
OS: Fedora 43 Server
Did I miss something?
Playbook:
- name: Setup default disk encryption
  hosts: all
  become: true
  gather_facts: true
  vars:
    nbde_client_bindings:
      - device: /dev/sda4
        encryption_password: "{{ default_disk_encryption_passphrase }}"
        threshold: 1
        password_temporary: false
        servers:
          - http://tang-00.my.host
          - http://tang-01.my.host
        state: present
  roles:
    - fedora.linux_system_roles.nbde_client
Askpass Service:
○ clevis-luks-askpass.service - Forward Password Requests to Clevis
Loaded: loaded (/usr/lib/systemd/system/clevis-luks-askpass.service; static)
Drop-In: /usr/lib/systemd/system/service.d
└─10-timeout-abort.conf
Active: inactive (dead) since Tue 2026-03-31 18:08:53 CEST; 17h ago
Duration: 14.991s
Invocation: 92ed5dc9f56e44859f219dff06ce0661
TriggeredBy: ● clevis-luks-askpass.path
Docs: man:clevis-luks-unlockers(7)
Main PID: 522 (code=exited, status=0/SUCCESS)
Mem peak: 6.2M
CPU: 3.489s
Mar 31 18:08:38 e2e-tests.my.host systemd[1]: Started clevis-luks-askpass.service - Forward Password Requests to Clevis.
Mar 31 18:08:53 e2e-tests.my.host systemd[1]: clevis-luks-askpass.service: Deactivated successfully.
Mar 31 18:08:53 e2e-tests.my.host systemd[1]: clevis-luks-askpass.service: Consumed 3.489s CPU time, 6.2M memory peak.
luksDump:
LUKS header information
Version: 2
Epoch: 4
Metadata area: 16384 [bytes]
Keyslots area: 16744448 [bytes]
UUID: <REDACTED>
Label: (no label)
Subsystem: (no subsystem)
Flags: allow-discards
Data segments:
0: crypt
offset: 16777216 [bytes]
length: (whole device)
cipher: aes-xts-plain64
sector: 512 [bytes]
Keyslots:
0: luks2
Key: 512 bits
Priority: normal
Cipher: aes-xts-plain64
Cipher key: 512 bits
PBKDF: argon2id
Time cost: 4
Memory: 875538
Threads: 2
Salt: <REDACTED>
AF stripes: 4000
AF hash: sha256
Area offset:32768 [bytes]
Area length:258048 [bytes]
Digest ID: 0
Tokens:
Digests:
0: pbkdf2
Hash: sha256
Iterations: 343120
Salt: <REDACTED>
Digest: <REDACTED>
Playbook run without debugging:
PLAY [Setup default disk encryption] *******************************************
TASK [Gathering Facts] *********************************************************
ok: [e2e-tests]
TASK [fedora.linux_system_roles.nbde_client : Set version specific variables] ***
included: /tmp/semaphore/project_1/repository_1_template_3/.ansible/collections/ansible_collections/fedora/linux_system_roles/roles/nbde_client/tasks/set_vars.yml for e2e-tests
TASK [fedora.linux_system_roles.nbde_client : Ensure ansible_facts used by role] ***
skipping: [e2e-tests]
TASK [fedora.linux_system_roles.nbde_client : Set platform/version specific variables] ***
ok: [e2e-tests]
TASK [fedora.linux_system_roles.nbde_client : Include the appropriate provider tasks] ***
included: /tmp/semaphore/project_1/repository_1_template_3/.ansible/collections/ansible_collections/fedora/linux_system_roles/roles/nbde_client/tasks/main-clevis.yml for e2e-tests
TASK [fedora.linux_system_roles.nbde_client : Ensure required packages are installed] ***
ok: [e2e-tests]
TASK [fedora.linux_system_roles.nbde_client : Get services] ********************
ok: [e2e-tests]
TASK [fedora.linux_system_roles.nbde_client : Enable clevis askpass unit] ******
ok: [e2e-tests]
TASK [fedora.linux_system_roles.nbde_client : Generate nbde_client dracut config] ***
ok: [e2e-tests]
TASK [fedora.linux_system_roles.nbde_client : Check whether devices are at the desired state] ***
skipping: [e2e-tests]
TASK [fedora.linux_system_roles.nbde_client : Create temporary directory to hold key files] ***
skipping: [e2e-tests]
TASK [fedora.linux_system_roles.nbde_client : Ensure we transfer key files] ****
skipping: [e2e-tests]
TASK [fedora.linux_system_roles.nbde_client : Perform clevis operations] *******
skipping: [e2e-tests]
TASK [fedora.linux_system_roles.nbde_client : Remove temporary directory used to hold key files] ***
skipping: [e2e-tests]
TASK [fedora.linux_system_roles.nbde_client : Deploy mechanism to clear network configuration generated during early boot] ***
included: /tmp/semaphore/project_1/repository_1_template_3/.ansible/collections/ansible_collections/fedora/linux_system_roles/roles/nbde_client/tasks/clear_initrd_netcfg-networkmanager_config.yml for e2e-tests
TASK [fedora.linux_system_roles.nbde_client : Deploy NetworkManager configuration] ***
ok: [e2e-tests]
PLAY RECAP *********************************************************************
e2e-tests : ok=10 changed=0 unreachable=0 failed=0 skipped=6 rescued=0 ignored=0
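Added example, not part of the original report or the role's code: a post-run check that parses `cryptsetup luksDump` text output and reports when no clevis token is bound to a keyslot, which is the state shown in the dump above. The two sample dumps are constructed, and `expected_bindings` is an assumed parameter of this sketch.

```python
import re

SECTION = re.compile(r"^(Data segments|Keyslots|Tokens|Digests):$")
ENTRY = re.compile(r"^(\d+):\s*(\S+)")
TOKEN_SLOT = re.compile(r"^Keyslot:\s*(\d+)")

# Constructed samples, abbreviated from the layout of `cryptsetup luksDump`.
UNBOUND = """LUKS header information
Version: 2
Keyslots:
  0: luks2
\tKey:        512 bits
\tDigest ID:  0
Tokens:
Digests:
  0: pbkdf2
"""
BOUND = UNBOUND.replace("Tokens:\n", "  1: luks2\n\tKey:        512 bits\n"
                        "Tokens:\n  0: clevis\n\tKeyslot:    1\n")

def parse_luks_dump(text):
    """Return keyslot types and tokens (type plus referenced keyslot) by id."""
    result = {"keyslots": {}, "tokens": {}}
    section, token = None, None
    for raw in text.splitlines():
        line = raw.strip()  # tolerate output whose indentation was lost
        if SECTION.match(line):
            section, token = line[:-1], None
            continue
        entry = ENTRY.match(line)
        if entry and section == "Keyslots":
            result["keyslots"][int(entry.group(1))] = entry.group(2)
        elif entry and section == "Tokens":
            token = {"type": entry.group(2), "keyslot": None}
            result["tokens"][int(entry.group(1))] = token
        elif section == "Tokens" and token and TOKEN_SLOT.match(line):
            token["keyslot"] = int(TOKEN_SLOT.match(line).group(1))
    return result

def clevis_binding_problems(text, expected_bindings=1):
    """List reasons the header cannot be unlocked by clevis; empty means OK."""
    parsed = parse_luks_dump(text)
    clevis = [t for t in parsed["tokens"].values() if t["type"] == "clevis"]
    problems = []
    if len(clevis) < expected_bindings:
        problems.append(f"{len(clevis)} clevis token(s), expected {expected_bindings}")
    for t in clevis:
        if t["keyslot"] not in parsed["keyslots"]:
            problems.append(f"clevis token points at missing keyslot {t['keyslot']}")
    return problems
```

Feeding it the output of `cryptsetup luksDump /dev/sda4` after the play and failing the job on a non-empty result catches a run that reports `changed=0` while the header still holds only the passphrase keyslot.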