MAAS deploy crypted partition leads to grub error

Hi all!

I’m trying to deploy an Ubuntu 24 image with a crypted partition to be used by lvm.

The storage part of my curtin file is the following:

storage:
  version: 1
  config:
# Disk
    - id: disk-nvme
      type: disk
      ptable: gpt
      path: /dev/nvme0n1
      wipe: superblock
      preserve: false
      grub_device: true
# Partitions
    - id: part-efi
      type: partition
      device: disk-nvme
      size: 512M
      preserve: false
    - id: part-boot
      type: partition
      device: disk-nvme
      size: 5G
      preserve: false
    - id: part-lvm
      type: partition
      device: disk-nvme
      size: 60G
      preserve: false
# Crypt
    - id: part-lvm_crypt
      type: dm_crypt
      dm_name: lvm_crypt
      volume: part-lvm
      key: testtest
      keysize: '512'
# LVM
    - id: vg0
      name: volgroup0
      type: lvm_volgroup
      devices: [part-lvm_crypt]
    - id: lv-var
      type: lvm_partition
      volgroup: vg0
      name: lv_var
      size: 20G
    - id: lv-root
      type: lvm_partition
      volgroup: vg0
      name: lv_root
      size: 30G
# Format fs
    - id: fs-efi
      type: format
      volume: part-efi
      fstype: fat32
    - id: fs-boot
      type: format
      volume: part-boot
      fstype: ext4
    - id: fs-var
      type: format
      volume: lv-var
      fstype: ext4
    - id: fs-root
      type: format
      volume: lv-root
      fstype: ext4
# Mounts
    - id: mount-efi
      type: mount
      device: fs-efi
      path: /boot/efi
    - id: mount-boot
      type: mount
      device: fs-boot
      path: /boot
    - id: mount-root
      type: mount
      device: fs-root
      path: /
    - id: mount-var
      type: mount
      device: fs-var
      path: /var

But during deployment I receive this error:

finish: cmd-install/stage-curthooks/builtin/cmd-curthooks/install-grub: FAIL: installing grub to target devices
finish: cmd-install/stage-curthooks/builtin/cmd-curthooks/configuring-bootloader: FAIL: configuring target system bootloader
finish: cmd-install/stage-curthooks/builtin/cmd-curthooks: FAIL: curtin command curthooks
Traceback (most recent call last):
  File "/curtin/curtin/commands/main.py", line 202, in main
    ret = args.func(args)
          ^^^^^^^^^^^^^^^
  File "/curtin/curtin/commands/curthooks.py", line 1918, in curthooks
    builtin_curthooks(cfg, target, state)
  File "/curtin/curtin/commands/curthooks.py", line 1883, in builtin_curthooks
    setup_grub(cfg, target, osfamily=osfamily,
  File "/curtin/curtin/commands/curthooks.py", line 821, in setup_grub
    install_grub(instdevs, target, uefi=uefi_bootable, grubcfg=grubcfg)
  File "/curtin/curtin/commands/install_grub.py", line 444, in install_grub
    in_chroot.subp(cmd, env=env, capture=True)
  File "/curtin/curtin/util.py", line 792, in subp
    return subp(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^
  File "/curtin/curtin/util.py", line 280, in subp
    return _subp(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^
  File "/curtin/curtin/util.py", line 144, in _subp
    raise ProcessExecutionError(stdout=out, stderr=err,
curtin.util.ProcessExecutionError: Unexpected error while running command.
Command: ['unshare', '--fork', '--pid', '--', 'chroot', '/tmp/tmpdipsl60_/target', '/usr/lib/grub/grub-multi-install']
Exit code: 1
Reason: -
Stdout: ''
Stderr: Installing grub to /var/lib/grub/esp.
        Installing for x86_64-efi platform.
        grub-install: error: attempt to install to encrypted disk without cryptodisk enabled. Set `GRUB_ENABLE_CRYPTODISK=y' in file `/etc/default/grub'.

It seems that MAAS is trying to install the grub in /var/lib/grub/esp (don’t know why) and fails to access it as it is crypted.

If I remove the crypting config, and install lvm on the uncrypted partition, everything works fine.

I already dug into some documentation:
general guidance: Deploying servers with full disk encryption (LUKS2)
Or a similar problem: LVM Storage Template breaks Installation on 20.04

…but nothing seems to work.

Do you have any idea why MAAS is trying to install the grub in that folder? Am I missing something?

Thanks in advance!!!

Hi @edw4rdr00t !

A shot in the dark but perhaps you need to add flag: boot to part-efi ?

The curtin doc says :

On gpt partition tables, the boot flag sets partition type guid to the appropriate value for the EFI System Partition / ESP.

Hope that helps

Hi @axino !

I tried to set the flag but no luck, still same error:

...
 - device: disk-nvme
   flag: boot
   id: part-efi
   preserve: false
   size: 512M
   type: partition
....

Log:

Stderr: Installing grub to /var/lib/grub/esp.
        Installing for x86_64-efi platform.
        File descriptor 3 (pipe:[28161]) leaked on vgs invocation. Parent PID 218: 
        File descriptor 3 (pipe:[28161]) leaked on vgs invocation. Parent PID 218: 
        grub-install: error: attempt to install to encrypted disk without cryptodisk enabled. Set `GRUB_ENABLE_CRYPTODISK=y' in file `/etc/default/grub'.

I also tried to specify the grub path (which I see is supported in curtin docs), but still the same result:

grub:
  install_devices:
    - /boot/efi

Maybe trying to write the file /etc/default/grub with early_commands inserting GRUB_ENABLE_CRYPTODISK=y could work?

Even though this is what the error says, I’m not sure that’s actually what you want. Pretty weird that grub-install isn’t respecting install_devices. I don’t have a server available to test all this right now I’m afraid though, but if you find the issue please let us know !

Thanks for the advice!

Anyway, it really seems that it is the crypting part that causes this problem.
I tried to redeploy the machine without the crypted disk and everything went smoothly:

cloud-init[1412]: Found primary UEFI ESP: part-efi
cloud-init[1412]: Found UEFI ESP(s) for grub install: ['part-efi']
cloud-init[1412]: Generating grub debconf_selections for devices=['/dev/nvme0n1p1'] uefi=True

Also tried to keep /var uncrypted, using a partition of the nvme directly, and just crypt /, same result with a slightly different error:

        Stderr: Installing grub to /var/lib/grub/esp.
                Installing for x86_64-efi platform.
                File descriptor 3 (pipe:[32550]) leaked on vgs invocation. Parent PID 218: 
                File descriptor 3 (pipe:[32550]) leaked on vgs invocation. Parent PID 218: 
                grub-install: error: unknown filesystem.

I’ll make some more tests to see if I can work around the problem; any further help is appreciated!
Thanks!!

I managed to work around the problem following the suggestion of another user: Deploying servers with full disk encryption + TPM2 key storage (with fips support)
The problem seems to be the mount order (/ then all the rest) and the missing UUIDs on disk, partition, crypt and format blocks. The final result is the following (working for both Ubuntu 22 and 24):

storage:
  config:
  - grub_device: true
    id: sda
    name: sda
    ptable: gpt
    type: disk
    wipe: superblock
    path: /dev/nvme0n1
# Partitioning
  - device: sda
    flag: boot
    id: boot-part
    name: boot-part
    number: 1
    offset: 4194304B
    size: 998244352B
    type: partition
    wipe: superblock
    uuid: 11111111-1111-1111-0000-000000000101
  - device: sda
    id: efi-part
    name: efi-part
    number: 2
    size: 5G
    type: partition
    wipe: superblock
    uuid: 11111111-1111-1111-0000-000000000102
  - device: sda
    id: lvm-part
    name: lvm-part
    number: 3
    size: 40G
    type: partition
    wipe: superblock
    uuid: 11111111-1111-1111-0000-000000000103
# Crypt
  - id: lvm-part_crypt
    type: dm_crypt
    dm_name: lvm-part_crypt
    volume: lvm-part
    key: 123123123
    keysize: '512'
    uuid: 11111111-1111-1111-0002-000000000001
# LVM block
  - id: vg0
    name: volgroup0
    type: lvm_volgroup
    devices: [lvm-part_crypt]
  - id: lv-root
    type: lvm_partition
    volgroup: vg0
    name: lv_root
    size: 20G
  - id: fs-root
    type: format
    volume: lv-root
    fstype: ext4
    label: ''
    uuid: 11111111-1111-1111-0003-000000000201
  - id: mount-root
    type: mount
    device: fs-root
    path: /
  - id: lv-var
    type: lvm_partition
    volgroup: vg0
    name: lv_var
    size: 10G
  - id: fs-var
    type: format
    volume: lv-var
    fstype: ext4
    label: ''
    uuid: 11111111-1111-1111-0003-000000000202
  - id: mount-var
    type: mount
    device: fs-var
    path: /var
# EFI-boot block
  - fstype: ext4
    id: efi-part-format
    label: ''
    type: format
    volume: efi-part
    uuid: 11111111-1111-1111-0003-000000000000
  - device: efi-part-format
    id: efi-part-mount
    options: ''
    path: /boot
    type: mount
  - fstype: fat32
    id: boot-part_format
    label: efi
    type: format
    volume: boot-part
  - device: boot-part_format
    id: boot-part_mount
    options: ''
    path: /boot/efi
    type: mount
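
As an added example (not part of the posts above, and not curtin or MAAS code), the following Python script checks a parsed storage config for the problems this thread ran into: `/` not being the first mount, `/boot` or `/boot/efi` stacked on `dm_crypt`, missing `uuid` keys, and a `dm_crypt` passphrase written inline. The function names, finding labels and the reduced sample config are assumptions made for illustration; the checks are heuristics taken from the thread, not curtin's own validation.

```python
# Added example, not curtin or MAAS code: heuristic checks for the issues
# named in this thread, run on a storage config already parsed into dicts.

def backing_types(item_id, by_id, seen=None):
    """Collect the block types an item is stacked on (mount -> format -> ...)."""
    seen = set() if seen is None else seen
    item = by_id.get(item_id)
    if item is None or item_id in seen:
        return set()
    seen.add(item_id)
    types = {item["type"]}
    parents = [item.get(k) for k in ("device", "volume", "volgroup")]
    for parent in filter(None, parents + item.get("devices", [])):
        types |= backing_types(parent, by_id, seen)
    return types

def lint_storage(config):
    by_id = {item["id"]: item for item in config}
    mounts = [i for i in config if i["type"] == "mount"]
    findings = []
    if mounts and mounts[0]["path"] != "/":
        findings.append("mount-order: '/' is not the first mount entry")
    for m in mounts:  # grub-install refuses an encrypted /boot or ESP
        if m["path"] in ("/boot", "/boot/efi") and \
                "dm_crypt" in backing_types(m["id"], by_id):
            findings.append(f"encrypted-boot: {m['path']} is on dm_crypt")
    for item in config:
        if item["type"] in ("partition", "dm_crypt", "format") and "uuid" not in item:
            findings.append(f"missing-uuid: {item['id']}")
        if item["type"] == "dm_crypt" and "key" in item:
            findings.append(f"inline-key: {item['id']} passphrase is in the config")
    return findings

# Constructed sample: a reduced version of the first config in the thread.
SAMPLE = [
    {"id": "disk-nvme", "type": "disk", "ptable": "gpt", "grub_device": True},
    {"id": "part-efi", "type": "partition", "device": "disk-nvme", "size": "512M"},
    {"id": "part-lvm", "type": "partition", "device": "disk-nvme", "size": "60G"},
    {"id": "part-lvm_crypt", "type": "dm_crypt", "volume": "part-lvm", "key": "testtest"},
    {"id": "vg0", "type": "lvm_volgroup", "devices": ["part-lvm_crypt"]},
    {"id": "lv-root", "type": "lvm_partition", "volgroup": "vg0", "size": "30G"},
    {"id": "fs-efi", "type": "format", "volume": "part-efi", "fstype": "fat32"},
    {"id": "fs-root", "type": "format", "volume": "lv-root", "fstype": "ext4"},
    {"id": "mount-efi", "type": "mount", "device": "fs-efi", "path": "/boot/efi"},
    {"id": "mount-root", "type": "mount", "device": "fs-root", "path": "/"},
]

if __name__ == "__main__":
    print("\n".join(lint_storage(SAMPLE)))
```

The inline-key finding matters beyond the grub failure: a passphrase written into the storage config is readable by anyone who can read the preseed or the deployment logs that echo it.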
