Cannot setup a static IP after dracut-crypt-ssh was installed

fausp · August 16, 2021, 4:51pm

NethServer Version: 7.9

I try to setup Nethserver on encrypted filesystem and unlock it via ssh…

I installed CentOS with LUKS and then Nethserver… After Nethserver was installed I always had to put in my passphrase on the console…

As the last step I would like to use dracut-crypt-ssh to be able to unlock the crypt-fs via ssh but the problem is I cannot setup a static IP anymore!

HowTo-install-Dracut-Crypt-SSH-on-Nethserver

# Install dracut-crypt-ssh:
yum install wget -y
wget -O /etc/yum.repos.d/rbu-dracut-crypt-ssh-epel-7.repo https://copr.fedorainfracloud.org/coprs/rbu/dracut-crypt-ssh/repo/epel-7/rbu-dracut-crypt-ssh-epel-7.repo
yum install dracut-crypt-ssh -y


# Edit grub:
nano /etc/default/grub

# Insert rd.neednet=1 ip=dhcp between GRUB_CMDLINE_LINUX="crashkernel=auto and rd.luks.uuid=luks-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx:
GRUB_CMDLINE_LINUX="crashkernel=auto rd.neednet=1 ip=dhcp rd.lvm.lv=centos/root rd.luks.uuid=luks-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx rd.lvm.lv=cento$


# Regenerate you GRUB:
grub2-mkconfig -o /etc/grub2.cfg 


# Backup the original /etc/dracut.conf.d/crypt-ssh.conf:
mv /etc/dracut.conf.d/crypt-ssh.conf /etc/dracut.conf.d/crypt-ssh.conf.orig


# Create a new /etc/dracut.conf.d/crypt-ssh.conf:
nano /etc/dracut.conf.d/crypt-ssh.conf

# Copy and paste the following text:
dropbear_acl="/etc/dropbear/keys/authorized_keys"
dropbear_ecdsa_key="/etc/dropbear/keys/ssh_ecdsa_key"
dropbear_rsa_key="/etc/dropbear/keys/ssh_rsa_key"


# Create the directory keys under /etc/dropbear/, with the necessary directory permissions, 
# that will hold the authorized_keys, ssh_ecdsa_key and ssh_rsa_key files:
mkdir /etc/dropbear/keys/ && chmod 700 /etc/dropbear/keys/


# Generate the keys:
ssh-keygen -t ecdsa -f /etc/dropbear/keys/ssh_ecdsa_key
ssh-keygen -t rsa -f /etc/dropbear/keys/ssh_rsa_key


# Change permission of the keys:
chmod 400 /etc/dropbear/keys/*_key && chmod 444 /etc/dropbear/keys/*.pub

# Copy and paste the public key into the /etc/dropbear/keys/authorized_keys:
nano /etc/dropbear/keys/authorized_keys

# Build the initramfs and any subsequent update of the dracut-crypt-ssh configuration
dracut -f


# Unlocking the volumes interactively

ssh -p 222 root@my-server-ip-address
# console_peek   # to see what's on the console
# console_auth   # asks you for the passphrase and sends it to console
Passphrase:

mark_nl · August 16, 2021, 6:08pm

DUNO if it’s related or helps:

In the past had troubles with the dracut-network module, my best guess is dracut-crypt-ssh depends on dracut-network or has similar behavior…

You may try to disable rhel-import-state.service to be sure the network gets reconfigured after leaving the initramfs stage.

fausp · August 16, 2021, 6:11pm

OK Mark, will try that tomorrow… Thank you!

fausp · August 17, 2021, 7:11pm

I just had to edit /etc/default/grub and sertup a static ip with:
ip=<server-ip>::<gateway>:<netmask>:<hostname>::off:<dns1>:<dns2>

instead of:
ip=dhcp

Problem solved, everything works now…

mark_nl · August 17, 2021, 7:14pm

Hi @fausp glad you found the solution,
As such took the liberty to mark it as the solution