luks_device: can't use device name "crypt00", see issue #409 #817

Open
inflatador opened this issue Nov 17, 2024 · 8 comments
Labels
bug Something isn't working


inflatador commented Nov 17, 2024

SUMMARY

If I try to run luks_device against an already-open LUKS device named 'crypt00', I get a failure.

ISSUE TYPE

  • Bug Report

COMPONENT NAME

community.crypto.luks_device

ANSIBLE VERSION

ansible [core 2.17.6]
  config file = /Users/user/.ansible.cfg
  configured module search path = ['/Users/user/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /Users/user/venvs/P311/lib/python3.11/site-packages/ansible
  ansible collection location = /Users/user/.ansible/collections:/usr/share/ansible/collections
  executable location = /Users/user/venvs/P311/bin/ansible
  python version = 3.11.9 (main, Apr  4 2024, 00:14:24) [Clang 9.1.0 (clang-902.0.39.2)] (/Users/user/venvs/P311/bin/python)
  jinja version = 3.1.3
  libyaml = True

COLLECTION VERSION

# /Users/user/.ansible/collections/ansible_collections
Collection       Version
---------------- -------
community.crypto 2.22.3

# /Users/user/venvs/P311/lib/python3.11/site-packages/ansible_collections
Collection       Version
---------------- -------
community.crypto 2.22.3

CONFIGURATION

CACHE_PLUGIN(/Users/user/.ansible.cfg) = jsonfile
CACHE_PLUGIN_CONNECTION(/Users/user/.ansible.cfg) = /tmp/ansible/facts_cache
CACHE_PLUGIN_TIMEOUT(/Users/user/.ansible.cfg) = 129600
CALLBACKS_ENABLED(/Users/user/.ansible.cfg) = ['ansible.posix.timer']
CONFIG_FILE() = /Users/user/.ansible.cfg
DEFAULT_HOST_LIST(/Users/user/.ansible.cfg) = ['/Users/user/code/riichilab/ansible-roles/hosts.ini']
DEFAULT_LOG_PATH(/Users/user/.ansible.cfg) = /Users/user/.ansible/var/log/ansible.log
DEFAULT_VAULT_IDENTITY_LIST(/Users/user/.ansible.cfg) = ['riichi@~/.ansible/vault', 'mir@~/.ansible/makeitrepeatable']
DEPRECATION_WARNINGS(/Users/user/.ansible.cfg) = False

OS / ENVIRONMENT

controller: MacOS
host: Debian Bookworm

STEPS TO REPRODUCE

If I try to run luks_device against an already-open LUKS device named 'crypt00', I get a failure.

- name: Ensure encrypted disk is open
  community.crypto.luks_device:
    device: '/dev/sda1'
    name: 'crypt00'
    state: 'opened'
    passphrase: "{{ luks_pw }}"

EXPECTED RESULTS

An "ok" response from Ansible, indicating that the device is already open and no actions will be taken.

ACTUAL RESULTS

I receive an error (listed below). If I change the name of the luks device to "enc00," the command works as expected. I suspect an issue similar to #409.

"luks_device error: Error while creating LUKS on /dev/sda: Cannot exclusively open /dev/sda, device in use.\

@felixfontein
Contributor

I tried to reproduce this in #821, but wasn't able to.

Can you provide the output of lsblk /dev/sda -nlo type,name and cryptsetup status crypt00 on your system?

@felixfontein
Contributor

@inflatador ping

@inflatador
Author

Sorry for the delay! Checking now.

@inflatador
Author

inflatador commented Nov 26, 2024

@felixfontein I have to apologize, as I messed up my original report. The task actually uses /dev/sda1, NOT /dev/sda. I've updated my comment. Requested info follows:


root@vectrex3:~# lsblk /dev/sda -nlo type,name
disk  sda
part  sda1
crypt crypt00

root@vectrex3:~# cryptsetup status crypt00
/dev/mapper/crypt00 is active.
  type:    LUKS2
  cipher:  aes-xts-plain64
  keysize: 512 bits
  key location: keyring
  device:  /dev/sda1
  sector size:  4096
  offset:  32768 sectors
  size:    976736256 sectors
  mode:    read/write

/dev/sda has a GPT partition table.

@felixfontein
Contributor

@inflatador I've looked closer into what luks_device would do in your case, and noticed that it runs cryptsetup isLuks /dev/sda1 first. If the return code is not 0, it tries to create a LUKS container on /dev/sda1 - which seems to be the operation that's failing in your case. Can you run that command and see what its return value is? To get the return value, you can run cryptsetup isLuks /dev/sda1 ; echo $? in a shell. It will print the return value in the last (and likely only) output line.

(Later during the module it will run lsblk /dev/sda1 -nlo type,name and not lsblk /dev/sda -nlo type,name. But from the error message you posted, I don't think it actually gets that far.)

@inflatador
Author

@felixfontein
I ran cryptsetup isLuks /dev/sda1 ; echo $? with the --debug flag. It does look like it's getting a successful return code.

Just in case it's useful, here's the output of lsblk /dev/sda1 -nlo type,name:

root@vectrex3:~# lsblk /dev/sda1 -nlo type,name
part  sda1
crypt crypt00

@felixfontein
Contributor

Hmm, in that case I don't see why the module should try to create a LUKS device. From the module parameters you provided and from the output of cryptsetup isLuks /dev/sda1, it should not try to create it. Are you maybe running the module with a different user than root?

That the module works with enc00 instead of crypt00 seems to indicate that there's a different reason though...

You might have more success if you try to debug the module to actually see what happens. An easy way to do that is to install q (https://pypi.org/project/q/) and sprinkle some import q ; q.q(xxx) in the code to output different variables.

@Matthew-Jenkins

If you're using luks2 and try to reopen it with a luks1 utility you get that error.

Verify the cryptsetup in your shell is the same cryptsetup ansible is using.
The module searches for cryptsetup using https://github.com/ansible/ansible/blob/devel/lib/ansible/module_utils/common/process.py#L12

It checks these paths in order ['/sbin', '/usr/sbin', '/usr/local/sbin']

In your shell on the target host do type cryptsetup as the user ansible uses and as root. Ensure they are the same.
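
The two checks suggested in this thread (which cryptsetup binary gets resolved, and what cryptsetup isLuks returns) combined into one script, as an added example that is not part of any comment above or of the collection's code. It assumes the lookup walks $PATH first and then the sbin directories quoted above, and that GNU readlink -f is available, as on the Debian host; the function names are made up for this example.

```shell
#!/bin/sh
# Added example, not from the thread or the collection.
# Assumption: the lookup walks $PATH first, then the sbin directories quoted
# above; adjust the search path passed in if your lookup differs.
SBIN_DIRS="/sbin:/usr/sbin:/usr/local/sbin"

# list_binaries NAME SEARCH_PATH
# Prints the resolved path of each distinct executable NAME, in search order.
# readlink -f collapses symlinked directories (e.g. /sbin -> /usr/sbin).
list_binaries() {
    name=$1
    seen=":"
    old_ifs=$IFS
    IFS=:
    for dir in $2; do
        [ -n "$dir" ] || continue
        cand=$(readlink -f "$dir/$name" 2>/dev/null) || continue
        [ -f "$cand" ] && [ -x "$cand" ] || continue
        case $seen in
            *":$cand:"*) continue ;;  # same file reached through another dir
        esac
        seen="$seen$cand:"
        printf '%s\n' "$cand"
    done
    IFS=$old_ifs
}

# report_binaries NAME SEARCH_PATH [DEVICE]
# One line per binary: path, version, and the isLuks exit code for DEVICE.
# Returns 0 if exactly one binary is reachable, 1 if several, 2 if none.
report_binaries() {
    found=$(list_binaries "$1" "$2")
    [ -n "$found" ] || return 2
    printf '%s\n' "$found" | while IFS= read -r bin; do
        ver=$("$bin" --version 2>/dev/null </dev/null | head -n 1)
        rc=-
        if [ -n "${3:-}" ]; then
            "$bin" isLuks "$3" >/dev/null 2>&1 </dev/null && rc=0 || rc=$?
        fi
        printf '%s\t%s\tisLuks=%s\n' "$bin" "${ver:-version unknown}" "$rc"
    done
    [ "$(printf '%s\n' "$found" | grep -c '')" -eq 1 ]
}

# On the target host, as root and as the Ansible user: sh check.sh /dev/sda1
if [ -n "${1:-}" ]; then
    report_binaries cryptsetup "$PATH:$SBIN_DIRS" "$1" ||
        echo "none or more than one cryptsetup reachable" >&2
fi
```

If the output differs between root and the Ansible user, or lists two binaries with different versions or isLuks codes, the module may be calling a different cryptsetup than the one tested by hand.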


3 participants