I have found two problems regarding the update from Fedora 30 Server to Fedora 31 Server that I want to share with you.

Problem #1: Docker and the CGroups

With the update to version 31, Fedora now uses cgroups v2, the latest version of the control groups that manage Linux processes in hierarchies. Starting an existing container then fails with:

Error response from daemon: OCI runtime create failed: container_linux.go:346: starting container process caused "process_linux.go:297: applying cgroup configuration for process caused \"open /sys/fs/cgroup/docker/cpuset.cpus.effective: no such file or directory\"": unknown
Error: failed to start containers:

Unfortunately, after updating to version 31 with the new control groups, it is no longer possible to run the existing containers on the system. To restore backwards compatibility, cgroups v1 must be re-activated via a kernel boot parameter. This can be done with the following command:

grubby --update-kernel=ALL --args="systemd.unified_cgroup_hierarchy=0"

After a restart, Docker works again and the containers present on the system can be started without any problems.
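
A check to run before and after the reboot, as an added example that is not part of the original post: it reports which cgroup hierarchy is mounted and whether the running kernel was booted with systemd.unified_cgroup_hierarchy=0. The function names and the --live/--demo switches are assumptions of this example.

```shell
#!/bin/sh
# Added example. Function names and the optional file arguments are
# assumptions of this sketch; with no arguments they read the live system.

# Print "unified" (cgroup v2 only), "hybrid" (v1 controllers plus a v2 mount
# at /sys/fs/cgroup/unified), "legacy" (v1 only) or "unknown".
cgroup_mode() {
    awk '
        $2 == "/sys/fs/cgroup" && $3 == "cgroup2"           { root_v2 = 1 }
        $2 == "/sys/fs/cgroup/unified" && $3 == "cgroup2"   { hybrid = 1 }
        index($2, "/sys/fs/cgroup/") == 1 && $3 == "cgroup" { v1 = 1 }
        END {
            if (root_v2)     print "unified"
            else if (hybrid) print "hybrid"
            else if (v1)     print "legacy"
            else             print "unknown"
        }' "${1:-/proc/self/mounts}"
}

# Succeed if the running kernel was booted with the v1 fallback argument.
cmdline_forces_v1() {
    tr ' ' '\n' < "${1:-/proc/cmdline}" |
        grep -qx 'systemd.unified_cgroup_hierarchy=0'
}

# Combine both checks into one verdict line.
docker_cgroup_check() {
    mode=$(cgroup_mode "${1:-}")
    if cmdline_forces_v1 "${2:-}"; then arg=present; else arg=absent; fi
    case "$mode" in
        unified) echo "cgroup=unified bootarg=$arg: no v1 controllers mounted" ;;
        hybrid|legacy) echo "cgroup=$mode bootarg=$arg: v1 controllers mounted" ;;
        *) echo "cgroup=unknown bootarg=$arg: no cgroup mount found" ;;
    esac
}

# Constructed sample (not captured from a real host): a unified mount and a
# kernel command line without the boot argument.
demo() {
    d=$(mktemp -d)
    echo 'cgroup2 /sys/fs/cgroup cgroup2 rw,nosuid,nodev,noexec 0 0' > "$d/mounts"
    echo 'BOOT_IMAGE=/vmlinuz root=/dev/mapper/fedora-root ro' > "$d/cmdline"
    docker_cgroup_check "$d/mounts" "$d/cmdline"
    rm -rf "$d"
}

case "${1:-}" in
    --live) docker_cgroup_check ;;
    --demo) demo ;;
esac
```

/proc/cmdline describes the kernel that is currently running, so the argument added by grubby only shows up as present after the restart.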

Problem #2: Decryption via TPM does not work any more

Obviously the program used to read the PCR lists from the TPM has been moved to another package. After the update one of my computers was not able to read the TPM pin with Dracut in the early boot phase.

To reinstall the necessary tool and rebuild the initramfs, run the following commands:

dnf install tpm2-tools
dracut -f


2 Comments

  1. Buddy, I’m trying to make tpm2 unlock LUKS, but when using the commands
    echo Hello World | clevis encrypt tpm2 '{}' > test.txt
    sudo clevis luks links -d /dev/sda1 tpm2 '{"pcr_ids":"7"}'
    the following message is displayed:

    tpm2_createprimary: invalid option -- 'H'
    Creation of TPM2 primary key failed!

    I’ve searched the internet for this problem, but without success. Could you help me solve it?

    1. Hey there Alan,

      first: Please check my blog post on that: https://techrevelations.de/2019/02/04/tpm-encryption-in-fedora-linux/

      The correct command to bind the PCR7-pin to a luks encrypted partition is:
      sudo clevis luks bind -d /dev/sda3 tpm2 '{"pcr_ids":"7"}'
      (replace sda3 with the actual encrypted partition).

      About the error message:
      tpm2_createprimary indeed has no H-option in version 4.0.1, which is the current version in F31. If the error shows up when using the clevis tools, I recommend checking the issues on the developer’s GitHub page: https://github.com/latchset/clevis/issues. But before you do that, please make sure you are using the current versions.

      Best wishes
      Benjamin
