I have found two problems regarding the update from Fedora 30 Server to Fedora 31 Server that I want to share with you.

Problem #1: Docker and the CGroups

With the update to version 31, Fedora now uses cgroups v2, the latest version of the control groups that manage Linux processes in hierarchies.

Error response from daemon: OCI runtime create failed: container_linux.go:346: starting container process caused "process_linux.go:297: applying cgroup configuration for process caused \"open /sys/fs/cgroup/docker/cpuset.cpus.effective: no such file or directory\"": unknown
Error: failed to start containers:

Unfortunately, after updating to version 31 with the new control groups, it is no longer possible to run the existing containers on the system; Docker fails with the error shown above. To restore backwards compatibility, cgroups v1 must be re-enabled with a kernel boot parameter. This can be done with the following command:

grubby --update-kernel=ALL --args="systemd.unified_cgroup_hierarchy=0" --make-default

After a restart, Docker works again and the containers present on the system can be started without any problems.
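
To check which state a host is in before and after that reboot, the following added example (not part of the original post) classifies the mounted cgroup layout and inspects the boot entries for the argument set above. The function names and the sample `grubby --info=ALL` output are constructed for illustration.

```sh
#!/bin/sh
# Added example: is this host in the state that produced the Docker error?
V1_ARG='systemd.unified_cgroup_hierarchy=0'   # boot argument from the post

# cgroup_mode FSTYPE: FSTYPE is the output of `stat -fc %T /sys/fs/cgroup`.
cgroup_mode() {
    case "$1" in
        cgroup2fs) echo v2 ;;       # unified hierarchy (Fedora 31 default)
        tmpfs)     echo v1 ;;       # legacy or hybrid layout, per-controller mounts
        *)         echo unknown ;;
    esac
}

# entries_missing_arg INFO: INFO is `grubby --info=ALL` output. Prints how many
# boot entries lack V1_ARG in their args="..." line, or -1 if none were parsed.
entries_missing_arg() {
    printf '%s\n' "$1" | awk -v want="$V1_ARG" '
        /^args=/ {
            total++
            line = $0
            sub(/^args="/, "", line); sub(/"$/, "", line)
            n = split(line, a, " "); found = 0
            for (i = 1; i <= n; i++) if (a[i] == want) found = 1
            if (!found) missing++
        }
        END { if (total == 0) print -1; else print missing + 0 }'
}

# cgroup_status FSTYPE INFO: one-word verdict for the running system.
cgroup_status() {
    mode=$(cgroup_mode "$1")
    missing=$(entries_missing_arg "$2")
    case "$mode" in
        v1) echo v1-active ;;                       # containers from the post start
        v2) if [ "$missing" -eq 0 ]; then echo v1-after-reboot
            else echo v2-active; fi ;;              # v2-active: error from the post
        *)  echo unknown ;;
    esac
}

# Constructed sample: two boot entries, only the first carries the argument.
SAMPLE_INFO='index=0
args="ro rhgb quiet systemd.unified_cgroup_hierarchy=0"
index=1
args="ro rhgb quiet"'
cgroup_status cgroup2fs "$SAMPLE_INFO"
# Live use (as root): cgroup_status "$(stat -fc %T /sys/fs/cgroup)" "$(grubby --info=ALL)"
```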

Problem #2: Decryption via TPM does not work any more

Obviously the program used to read the PCR lists from the TPM has been moved to another package. After the update one of my computers was not able to read the TPM pin with Dracut in the early boot phase. You’ll see this error message:

dracut-initqueue: Unable to locate pin 'tpm2'!

This bug has been fixed now! Just update your system if you are still getting this error.

It seems that the current version, tpm2-tools-4.0.1-1, is missing the program tpm2_pcrlist. To find the latest package providing this tool, run this command:

dnf provides tpm2_pcrlist

To reinstall the tool and rebuild the initramfs, run the following commands:

dnf install tpm2-tools-3.2.0-3.fc31.x86_64
dracut -f

Until this bug has been fixed, exclude tpm2-tools from updates:

dnf update --exclude=tpm2-tools


Photo by Victória Kubiaki on Unsplash


2 Comments

  1. Buddy, I’m trying to make tpm2 unlock LUKS, but when using the commands
    echo Hello World | clevis encrypt tpm2 '{}' > test.txt
    sudo clevis luks links -d /dev/sda1 tpm2 '{"pcr_ids":"7"}'
    it displays the following message:

    tpm2_createprimary: invalid option -- 'H'
    Creation of TPM2 primary key failed!

    I’ve searched the internet for this problem, but without success. Could you help me solve it?

    1. Hey there Alan,

      first: Please check my blog post on that: https://techrevelations.de/2019/02/04/tpm-encryption-in-fedora-linux/

      The correct command to bind the PCR7-pin to a LUKS-encrypted partition is:
      sudo clevis luks bind -d /dev/sda3 tpm2 '{"pcr_ids":"7"}'
      (replace sda3 with the actual encrypted partition).

      About the error message:
      tpm2_createprimary indeed has no H-option in version 4.0.1, which is the current version in F31. If the error shows up when using the clevis tools, I recommend checking the issues on the developer’s GitHub page: https://github.com/latchset/clevis/issues. But before you do that, please make sure you are using the current versions.

      Best wishes
      Benjamin
