Unable to start systemd-nspawn machines with LUKS encrypted storage (XFS in my case): #2121883

Starting systemd-nspawn@mymachine.service - Container mymachine... loop0: detected capacity change from 0 to 20975616 loop0: p1 Failed to dissect image '/var/lib/machines/mymachine.raw': Connection timed out systemd-nspawn@mymachine.service: Main process exited, code=exited, status=1/FAILURE systemd-nspawn@mymachine.service: Failed with result 'exit-code'. Failed to start systemd-nspawn@mymachine.service - Container mymachine.

Normally, and in 5.18.x kernels, I would get the prompt to enter the LUKS password to decrypt the volume.

Otherwise the update seems to be generally functional so neutral karma.

In-place upgrade from 3.2 worked well, following


I realize this has already been pushed to stable but I wanted to note that with 5.18.5 and 5.18.6, I encounter critical NFS server and XFS failures (I think), reported at #2100859. I've had to revert to 5.17.


Monitoring, but have not encountered the issue reported by @agurenko in #2055362. In my case, my NFS server is on kernel-5.16.9-200.fc35.x86_64, my NFS clients are on kernel-5.16.10-200.fc35.x86_64, and both server and clients have nfs-utils-2.5.4-2.rc3.fc35.x86_64.

I wish I was unable to provide additional detail, but after a day or so of running I've also had two Intel NUC machines x86_64 hit what seems like the arbitrary total lockup--machines not pingable, no logs or kernel oops' retreivable. I look forward to trying 5.14.8.


Update functions well. Noted duplication of HoldQuarantinedMessages section before and after IgnoreAuthenticatedClients in /etc/opendmarc.conf

##  HoldQuarantinedMessages { true | false }
##      default "false"
##  If set, the milter will signal to the mta that messages with
##  p=quarantine, which fail dmarc authentication, should be held in
##  the MTA's "Hold" or "Quarantine" queue.  The name varies by MTA.
##  If false, messsages will be accepted and passed along with the 
##  regular mail flow, and the quarantine will be left up to downstream
##  MTA/MDA/MUA filters, if any, to handle by re-evaluating the headers,
##  including the Authentication-Results header added by OpenDMARC
# HoldQuarantinedMessages false
BZ#1915468 /usr/lib/systemd/system/opendmarc.service:8: PIDFile= references a path below legacy directory /var/run/, updating /var/run/opendmarc/ → /run/opendmarc/; please update the unit file accordingly.

@kalvinist -- you are right -- thank you for the link.

New 1:30 boot delay noticed with this upgrade, though it may not be specifically related to the kernel. Occurs on Thinkpad X1 and several Intel NUCs:

Jul 02 21:33:36 systemd[1]: Found device /dev/mapper/fedora_ws1m-root.
Jul 02 21:33:36 systemd[1]: Reached target Initrd Root Device.
Jul 02 21:35:06 dracut-initqueue[895]: WARNING: D-Bus notification failed: Transport endpoint is not connected
Jul 02 21:35:06 systemd[1]: Found device /dev/mapper/fedora_ws1m-swap.

No negative Karma as otherwise general function seems unaffected.


Fixes #1943870

BZ#1943870 /usr/bin/taglib-config: line 51: unexpected EOF while looking for matching `"'

taglib-1.12-4.fc33 fixes #1943870. Thank you @rdieter.

BZ#1943870 /usr/bin/taglib-config: line 51: unexpected EOF while looking for matching `"'

The multilib patch is missing the ending ":

which causes

/usr/bin/taglib-config: line 51: unexpected EOF while looking for matching `"'

@kevin I have been running the web interface for a number of years with a public cert (LetsEncrypt). Since Fedora 14, I had used a Kerberos-enabled Koji infrastructure rather than one based on certificates so I only needed the cert for the public interfaces (web, kojihub, etc.)

I'm just noting that KojiHubCA wasn't required before (even when using TLS) and now it is.


Generally functional, but is seems now that the web.conf KojiHubCA option is now required after:

Maybe a sane default if not provided, like /etc/pki/tls/cert.pem would be nice.

The upgrade from freeipa-4.9.1-1.fc33 ( processed smoothly. I received the following afterward:

ns-slapd[3564]: [16/Feb/2021:14:51:42.716922896 -0600] - ERR - set_krb5_creds - The server will use the external SASL/GSSAPI credentials cache [FILE:/tmp/krb5cc_389].  If you want the server to automatically authenticate with its keytab, you must remove this cache.  If you did not intend to use this cache, you will likely see many SASL/GSSAPI authentication failures.

Then restarted both of my FreeIPA instances and I haven't seen this again.