Re: Encrypting boot partition Libvirt not showing the OS booting up

john doe <johndoe65534@xxxxxxxx> · Mon, 12 Oct 2020 14:14:55 +0200

On 10/12/2020 11:53 AM, john doe wrote:
On 10/12/2020 11:37 AM, Peter Krempa wrote:
On Mon, Oct 12, 2020 at 11:27:20 +0200, john doe wrote:
Hi, thank you for your answer, I'm sending this privatly as you asked
for private information.
Can I ask you to keep those information private?

On 10/12/2020 10:29 AM, Peter Krempa wrote:
On Mon, Oct 12, 2020 at 10:03:15 +0200, john doe wrote:
Hi,

I have installed Debian Buster with encrypted LVM so apon installation
my root partition is encrypted.
So far so good but as soon as I encrypt the boot partition, after
reboot
the OS won't start.
If I start the drive directly with qemu, it works but it looks like
Libvirt is somehow not able to deel with it.

This is not enough information to diagnose the problem.

We'll need the following:

1) Did you encrypt the partition using the debian installer

No, I did it after installation following the instructions at (1).

2) what vm XML you used:
      a) during installation

The domain xml file was created by virt-install with the following
command:
$ virsh destroy try01; virsh undefine try01; time virt-install
--name=try01 --ram=1024 --noreboot --cpuset=auto --cpu host
--vcpus=1,maxvcpus=4 --disk=path=/mnt/usbkey01/machines/try/try01,size=6
--graphic none --pxe --os-variant=debian10 --network
bridge=br0,mac=0e:35:32:84:c3:f3 --filesystem
type=mount,mode=mapped,source=/mnt/usbkey01/public,target=public_dir

      b) when trying to finally boot the vm

Attached as 'try01.xml' obtained by doing 'virsh dumpxml try01 >
try01.xml'.

3) what qemu command line you've used at the point you claim it worked

qemu-system-x86_64 -drive file=/mnt/usbkey01/machines/try/try01 -m 1024
-boot c -accel kvm   -machine q35 -nographic

4) what is the error/final state when the VM fails to boot with libvirt

After having encrypted the boot partition:

$virsh console try01
root@0e-35-32-84-c3-f3:# [  208.513259] watchdog: watchdog0: watchdog
did not stop!
[  208.855971] reboot: Restarting system

$ qemu-system-x86_64 -drive file=/mnt/usbkey01/machines/try/try01 -m
1024 -boot c -accel kvm   -machine q35 -nographic
SeaBIOS (version 1.12.0-1)

iPXE (http://ipxe.org) 00:02.0 C980 PCI2.10 PnP PMM+3FF8FE80+3FECFE80
C980

Booting from Hard Disk...
Attempting to decrypt master key...
Enter passphrase for hd0,msdos1 (43a322dfc8ba4628b80afc66d49642a7):

As you can see above, if I invoked qemu directly, I get prompted for the
boot passthrase but I'm not getting it when using libvirt.

Okay, so the root cause ... or "problem" here is that you don't see the
console via 'virsh console' after the guest OS rebooted.

My suspicion according to the VM XML is that the VM restart triggered a
restart of the qemu process and thus our internal handler of the console
passthrough disconnected.

Please try a "virsh destroy $VM" if the VM is running/stuck waiting for
the password without actually showing it and then start it using

virsh start --console $VM

This will start it and connect to the console immediately.

Please report your findings, we might want to discuss what happens when
a console is connected and the guest uses a setting of:

<on_reboot>restart</on_reboot>

when the VM is rebooted.

Still no luck:

$ virsh destroy try01; virsh start --console try01
error: Failed to destroy domain try01
error: Requested operation is not valid: domain is not running

Domain try01 started
Connected to domain try01
Escape character is ^]

I did not modify anything during the time I sent my answer and seeing
yours.

I sent privately the requested xml file to 'Peter Krempa
<pkrempa@xxxxxxxxxx>'.
Peter Krempa 's privately answered me back suggesting to add the
following in the domain xml file:

<bios useserial='yes'/> under <os>

such as ...

   <os>
     <type arch='x86_64' machine='pc-q35-3.1'>hvm</type>
     <boot dev='hd'/>
     <bios useserial='yes'/>
   </os>

This does not help at all and still give the output sent previously.

--
John Doe