diff --git a/.clevis.metadata b/.clevis.metadata
index bf45872..0964fdd 100644
--- a/.clevis.metadata
+++ b/.clevis.metadata
@@ -1 +1 @@
-42dba83266ab4b9e882f6f33c541aa3679b5a956 SOURCES/clevis-6.tar.bz2
+70cc377c0976fb32fd55a3033f2374080b713b5d SOURCES/clevis-7.tar.bz2
diff --git a/.gitignore b/.gitignore
index 0fc7979..695fe37 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/clevis-6.tar.bz2
+SOURCES/clevis-7.tar.bz2
diff --git a/SOURCES/clevis-7-dracut.patch b/SOURCES/clevis-7-dracut.patch
new file mode 100644
index 0000000..beb8941
--- /dev/null
+++ b/SOURCES/clevis-7-dracut.patch
@@ -0,0 +1,61 @@
+From bcb46fe1e40b390cb39353b75806bf3e05177ef0 Mon Sep 17 00:00:00 2001
+From: Nathaniel McCallum <npmccallum@redhat.com>
+Date: Mon, 13 Nov 2017 11:28:14 -0500
+Subject: [PATCH] Fix dracut unlocker
+
+We weren't generating the path to clevis-luks-askpass correctly in the
+dracut module.
+
+Fixes: #23
+---
+ src/dracut/Makefile.am | 10 ++++------
+ src/dracut/clevis-hook.sh.in | 2 +-
+ src/dracut/{module-setup.sh => module-setup.sh.in} | 2 +-
+ 3 files changed, 6 insertions(+), 8 deletions(-)
+ rename src/dracut/{module-setup.sh => module-setup.sh.in} (96%)
+
+diff --git a/src/dracut/Makefile.am b/src/dracut/Makefile.am
+index 5a3a0f4..e26b61f 100644
+--- a/src/dracut/Makefile.am
++++ b/src/dracut/Makefile.am
+@@ -1,12 +1,10 @@
+ dracutdir = @dracutmodulesdir@/60$(PACKAGE_NAME)
+-nodist_dracut_SCRIPTS = clevis-hook.sh
+-dist_dracut_SCRIPTS = module-setup.sh
+-
+-CLEANFILES=clevis-hook.sh
+-EXTRA_DIST=clevis-hook.sh.in
++nodist_dracut_SCRIPTS = clevis-hook.sh module-setup.sh
++EXTRA_DIST=clevis-hook.sh.in module-setup.sh.in
++CLEANFILES=clevis-hook.sh module-setup.sh
+
+ %: %.in
+ $(AM_V_GEN)mkdir -p $(dir $@)
+ $(AM_V_GEN)$(SED) \
+- -e 's,@libexedir\@,$(libexecdir),g' \
++ -e 's,@libexecdir\@,$(libexecdir),g' \
+ $(srcdir)/$@.in > $@
+diff --git a/src/dracut/clevis-hook.sh.in b/src/dracut/clevis-hook.sh.in
+index 5d0c814..cb257c9 100755
+--- a/src/dracut/clevis-hook.sh.in
++++ b/src/dracut/clevis-hook.sh.in
+@@ -1,2 +1,2 @@
+ #!/bin/bash
+-@libexec@/clevis-luks-askpass
++@libexecdir@/clevis-luks-askpass
+diff --git a/src/dracut/module-setup.sh b/src/dracut/module-setup.sh.in
+similarity index 96%
+rename from src/dracut/module-setup.sh
+rename to src/dracut/module-setup.sh.in
+index 92fe08e..5087d56 100755
+--- a/src/dracut/module-setup.sh
++++ b/src/dracut/module-setup.sh.in
+@@ -37,7 +37,7 @@ install() {
+ clevis-decrypt-http \
+ clevis-decrypt-tang \
+ clevis-decrypt-sss \
+- clevis-luks-askpass \
++ @libexecdir@/clevis-luks-askpass \
+ clevis-decrypt \
+ luksmeta \
+ clevis \
diff --git a/SOURCES/clevis-7-retry.patch b/SOURCES/clevis-7-retry.patch
new file mode 100644
index 0000000..2826d72
--- /dev/null
+++ b/SOURCES/clevis-7-retry.patch
@@ -0,0 +1,103 @@
+From 2a82ba4040c8dc10dcbe7e2c3ae6646c2778f0b1 Mon Sep 17 00:00:00 2001
+From: Nathaniel McCallum <npmccallum@redhat.com>
+Date: Tue, 16 Jan 2018 13:29:54 -0500
+Subject: [PATCH] Retry until success during systemd boot
+
+With dracut, we just try once because we're being called in a loop. But with
+systemd, there might be a race condition for network to come up. So when
+running under systemd, we loop until success. This should not change the dracut
+behavior.
+---
+ src/systemd/clevis-luks-askpass | 66 ++++++++++++++++++++----------
+ src/systemd/clevis-luks-askpass.service.in | 2 +-
+ 2 files changed, 46 insertions(+), 22 deletions(-)
+
+diff --git a/src/systemd/clevis-luks-askpass b/src/systemd/clevis-luks-askpass
+index 2fadd5c..6fe5269 100755
+--- a/src/systemd/clevis-luks-askpass
++++ b/src/systemd/clevis-luks-askpass
+@@ -23,26 +23,50 @@ UUID=cb6e8904-81ff-40da-a84a-07ab9ab5715e
+
+ shopt -s nullglob
+
+-for question in /run/systemd/ask-password/ask.*; do
+- d=
+- s=
+-
+- while read line; do
+- case "$line" in
+- Id=cryptsetup:*) d="${line##Id=cryptsetup:}";;
+- Socket=*) s="${line##Socket=}";;
+- esac
+- done < "$question"
+-
+- [ -z "$d" -o -z "$s" ] && continue
+-
+- luksmeta show -d "$d" | while read -r slot state uuid; do
+- [ "$state" != "active" ] && continue
+- [ "$uuid" != "$UUID" ] && continue
+-
+- if pt="`luksmeta load -d $d -s $slot -u $UUID | clevis decrypt`"; then
+- echo -n "+$pt" | nc -U -u --send-only "$s"
+- break
+- fi
++while getopts ":l" o; do
++ case "$o" in
++ l) loop=true;;
++ esac
++done
++
++while true; do
++ todo=0
++
++ for question in /run/systemd/ask-password/ask.*; do
++ metadata=false
++ unlocked=false
++ d=
++ s=
++
++ while read line; do
++ case "$line" in
++ Id=cryptsetup:*) d="${line##Id=cryptsetup:}";;
++ Socket=*) s="${line##Socket=}";;
++ esac
++ done < "$question"
++
++ [ -z "$d" -o -z "$s" ] && continue
++
++ while read -r slot state uuid; do
++ [ "$state" != "active" ] && continue
++ [ "$uuid" != "$UUID" ] && continue
++ metadata=true
++
++ if pt="`luksmeta load -d $d -s $slot -u $UUID | clevis decrypt`"; then
++ echo -n "+$pt" | nc -U -u --send-only "$s"
++ unlocked=true
++ break
++ fi
++ done < <(luksmeta show -d "$d")
++
++ [ $metadata == true ] || continue
++ [ $unlocked == true ] && continue
++ todo=$((todo + 1))
+ done
++
++ if [ $todo -eq 0 ] || [ "$loop" != "true" ]; then
++ break;
++ fi
++
++ sleep 0.5
+ done
+diff --git a/src/systemd/clevis-luks-askpass.service.in b/src/systemd/clevis-luks-askpass.service.in
+index aa38a5b..2c6bbed 100644
+--- a/src/systemd/clevis-luks-askpass.service.in
++++ b/src/systemd/clevis-luks-askpass.service.in
+@@ -5,4 +5,4 @@ After=network-online.target
+
+ [Service]
+ Type=oneshot
+-ExecStart=@libexecdir@/clevis-luks-askpass
++ExecStart=@libexecdir@/clevis-luks-askpass -l
+--
+2.14.3
+
diff --git a/SPECS/clevis.spec b/SPECS/clevis.spec
index e086bf9..c80b6d3 100644
--- a/SPECS/clevis.spec
+++ b/SPECS/clevis.spec
@@ -1,21 +1,26 @@
%global _hardened_build 1
Name: clevis
-Version: 6
-Release: 1%{?dist}
+Version: 7
+Release: 4%{?dist}
Summary: Automated decryption framework
License: GPLv3+
URL: https://github.com/latchset/%{name}
Source0: https://github.com/latchset/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.bz2
+Patch0: clevis-7-dracut.patch
+Patch1: clevis-7-retry.patch
BuildRequires: libjose-devel >= 8
-BuildRequires: libluksmeta-devel
+BuildRequires: libluksmeta-devel >= 8
+BuildRequires: audit-libs-devel >= 2.8.1
BuildRequires: libudisks2-devel
BuildRequires: openssl-devel
BuildRequires: desktop-file-utils
BuildRequires: pkgconfig
+BuildRequires: autoconf
+BuildRequires: automake
BuildRequires: systemd
BuildRequires: dracut
BuildRequires: tang >= 6
@@ -41,18 +46,26 @@ volumes during early boot.
Summary: LUKSv1 integration for clevis
Requires: %{name}%{?_isa} = %{version}-%{release}
Requires: cryptsetup
-Requires: luksmeta
+Requires: luksmeta >= 8
%description luks
LUKSv1 integration for clevis. This package allows you to bind a LUKSv1
volume to a clevis unlocking policy. For automated unlocking, an unlocker
will also be required. See, for example, clevis-dracut and clevis-udisks2.
+%package systemd
+Summary: systemd integration for clevis
+Requires: %{name}-luks%{?_isa} = %{version}-%{release}
+Requires: systemd%{?_isa} >= 219-45.20171030
+Requires: nc
+
+%description systemd
+Automatically unlocks LUKSv1 _netdev block devices from /etc/crypttab.
+
%package dracut
Summary: Dracut integration for clevis
-Requires: %{name}-luks%{?_isa} = %{version}-%{release}
+Requires: %{name}-systemd%{?_isa} = %{version}-%{release}
Requires: dracut-network
-Requires: nc
%description dracut
Automatically unlocks LUKSv1 block devices in early boot.
@@ -66,14 +79,16 @@ Automatically unlocks LUKSv1 block devices in desktop environments that
use UDisks2 or storaged (like GNOME).
%prep
-%setup -q
+%autosetup -p1
%build
+autoreconf -if
%configure --enable-user=clevis --enable-group=clevis
%make_build V=1
%install
%make_install
+ln -sf %{name}-luks-bind.1.gz %{buildroot}/%{_mandir}/man1/%{name}-bind-luks.1.gz
%check
desktop-file-validate \
@@ -104,8 +119,18 @@ exit 0
%{_mandir}/man1/%{name}.1*
%files luks
-%{_bindir}/%{name}-bind-luks
+%{_mandir}/man1/%{name}-luks-unlockers.1*
+%{_mandir}/man1/%{name}-luks-unlock.1*
+%{_mandir}/man1/%{name}-luks-bind.1*
%{_mandir}/man1/%{name}-bind-luks.1*
+%{_bindir}/%{name}-luks-unlock
+%{_bindir}/%{name}-luks-bind
+%{_bindir}/%{name}-bind-luks
+
+%files systemd
+%{_libexecdir}/%{name}-luks-askpass
+%{_unitdir}/%{name}-luks-askpass.path
+%{_unitdir}/%{name}-luks-askpass.service
%files dracut
%{_prefix}/lib/dracut/modules.d/60%{name}
@@ -115,6 +140,26 @@ exit 0
%attr(4755, root, root) %{_libexecdir}/%{name}-luks-udisks2
%changelog
+* Mon Nov 13 2017 Nathaniel McCallum <npmccallum@redhat.com> - 7-4
+- Retry unlocking under systemd. This prevents a race condition.
+- Resolves: rhbz#1475406
+
+* Mon Nov 13 2017 Nathaniel McCallum <npmccallum@redhat.com> - 7-3
+- Add patch to fix path generation issues with dracut
+- Resolves: rhbz#1512638
+
+* Fri Nov 03 2017 Nathaniel McCallum <npmccallum@redhat.com> - 7-2
+- Add man page symlink for the clevis-bind-luks => clevis-luks-bind
+- Related: rhbz#1475406
+
+* Fri Oct 27 2017 Nathaniel McCallum <npmccallum@redhat.com> - 7-1
+- Update to v7
+- Resolves: rhbz#1467907
+- Resolves: rhbz#1467908
+- Resolves: rhbz#1475406
+- Resolves: rhbz#1500975
+- Resolves: rhbz#1478888
+
* Tue Jun 27 2017 Nathaniel McCallum <npmccallum@redhat.com> - 6-1
- New upstream release
- Specify unprivileged user/group during configuration