Package: dracut
Version: 106-5
Severity: critical
X-Debbugs-Cc: adrela...@whonix.org, arraybo...@ubuntu.com
Unsure if the chosen severity is appropriate, but this bug renders affected systems unbootable and the recovery procedure is a serious headache, so I think this counts as "breaking the whole system".

Steps to reproduce:

* Install Debian Trixie with LUKS full disk encryption. The encryption + LVM setup created by D-I works, as does an encrypted root + unencrypted /boot setup made using Calamares with a live Debian Trixie ISO.
* Boot into the installed system.
* Install `dracut` with `sudo apt install dracut`.
* Reboot.

Expected result: The system should present a passphrase prompt for you to unlock the disk; upon providing the passphrase the disk should be unlocked and the system should boot.

Actual result: The system hangs on the Plymouth screen for about 360 seconds. If you attempt to boot with `rd.debug` set, you will see it's unable to find the root filesystem.

What's happening here, based on my research, is that dracut does not install the info needed to find the LUKS volume into the initramfs unless `hostonly=yes` is set. As a result, the initramfs isn't able to find the encrypted disk, and then of course the system fails to boot.

If you end up with an unbootable system, the recovery procedure requires booting the system from a live USB, manually decrypting the LUKS volume with the right name, mounting it, mounting in the boot directory, bind-mounting in critical other directories, then chrooting in and regenerating the initramfs that way. It's doable, yes, but it's not easy, and I believe if you don't specify the right name when decrypting the disk, you'll probably end up with a broken initramfs when you regenerate it.

The solution is to set `hostonly=yes` somewhere in Dracut's config in Debian. This will cause the generated initramfs to be machine-specific; this can be mitigated by also setting `hostonly_mode=sloppy` so that additional drivers are installed into the initramfs. That way the installation is more likely to work if moved between different computers. See https://www.man7.org/linux/man-pages/man5/dracut.conf.5.html.

Note, I believe this is the same issue reported by Celejar at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1078792#75. However, the root cause of the issue was fundamentally different from that (already fixed) bug, so I filed a new report.
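The following is an added example, not part of the bug report or of the dracut package: a small POSIX sh preflight script that reads the effective `hostonly` / `hostonly_mode` values from a dracut config tree (dracut.conf(5) documents that `/etc/dracut.conf` and `/etc/dracut.conf.d/*.conf` are read in sorted order, last definition wins), and that can drop in a config fragment setting `hostonly="yes"` and `hostonly_mode="sloppy"` as the report suggests. The fragment filename `90-hostonly.conf`, the `--check` flag and the config directory argument are my own choices, not anything dracut or Debian ships. The idea is to run the check before rebooting a LUKS-root machine on which dracut was just installed, rather than discovering the problem from a live USB.

```shell
#!/bin/sh
# Added example (not from the bug report): preflight check for dracut's
# hostonly setting on a LUKS-root system. Assumes dracut's documented config
# layout: $confdir/dracut.conf plus $confdir/dracut.conf.d/*.conf, read in
# sorted order, later definitions overriding earlier ones.

# Print the effective value of one dracut.conf key under $2 (e.g. /etc).
# Handles key=value, key="value" and key='value'; comments are ignored.
dracut_conf_value() {
    key="$1"; confdir="$2"; val=""
    for f in "$confdir"/dracut.conf "$confdir"/dracut.conf.d/*.conf; do
        [ -f "$f" ] || continue
        v=$(sed -n "s/^[[:space:]]*${key}=[\"']\{0,1\}\([^\"']*\)[\"']\{0,1\}[[:space:]]*$/\1/p" "$f" | tail -n 1)
        [ -n "$v" ] && val="$v"   # last file that defines the key wins
    done
    printf '%s\n' "$val"
}

# Exit 0 if the config tree under $1 has hostonly=yes, 1 otherwise.
dracut_hostonly_ok() {
    [ "$(dracut_conf_value hostonly "$1")" = "yes" ]
}

# Write the fix from the report as a drop-in fragment under $1/dracut.conf.d.
# The fragment name 90-hostonly.conf is an assumption, chosen to sort late.
write_hostonly_conf() {
    mkdir -p "$1/dracut.conf.d"
    cat > "$1/dracut.conf.d/90-hostonly.conf" <<'EOF'
# Include this host's LUKS/LVM layout in the initramfs (hostonly=yes),
# but keep extra drivers so the image still boots on other hardware.
hostonly="yes"
hostonly_mode="sloppy"
EOF
}

# Exit 0 if the block device backing / sits on top of a dm-crypt mapping.
# Uses lsblk --inverse to walk from the root filesystem down to the disk.
root_uses_luks() {
    src=$(findmnt -n -o SOURCE / 2>/dev/null) || return 1
    lsblk -s -n -o TYPE "$src" 2>/dev/null | grep -qx crypt
}

# Usage: sh dracut-preflight.sh --check [confdir]   (confdir defaults to /etc)
if [ "${1:-}" = "--check" ]; then
    confdir="${2:-/etc}"
    if root_uses_luks; then
        if dracut_hostonly_ok "$confdir"; then
            echo "ok: root is on LUKS and hostonly=yes is set in $confdir"
        else
            echo "WARNING: root is on LUKS but hostonly is '$(dracut_conf_value hostonly "$confdir")'" >&2
            echo "         the generated initramfs may not find the encrypted root; see dracut.conf(5)" >&2
            exit 1
        fi
    else
        echo "root is not on LUKS; hostonly=$(dracut_conf_value hostonly "$confdir")"
    fi
fi
```

After writing the fragment you still need to regenerate the initramfs (e.g. `dracut --force`) before the setting takes effect; the script deliberately does not do that for you.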