Use cryptsetup/LUKS for encrypted ramfs

ecryptfs was dropped from RHEL/CentOS, use LUKS on a RAM-backed block
device (brd) instead.

Made the element name more generic

Added systemctl enable call in postinstall (for systemd init), so that
the service is correctly started and listed as wanted by amphora-agent

Change-Id: Id8c7ff93ae244ef14480e22c85dc79355a902105
Closes-Bug: #1642982
Closes-Bug: #1662952

diskimage-create/diskimage-create.sh

@@ -371,8 +371,8 @@ fi
 # Add pip-cache element
 AMP_element_sequence="$AMP_element_sequence pip-cache"
 
-# Add certificate ramfs ecrypt element
-AMP_element_sequence="$AMP_element_sequence cert-ramfs-ecrypt"
+# Add certificate ramfs element
+AMP_element_sequence="$AMP_element_sequence certs-ramfs"
 
 # Allow full elements override
 if [ "$DIB_ELEMENTS" ]; then

elements/cert-ramfs-ecrypt/README.rst

@@ -1,4 +0,0 @@
-Element to setup a ramfs with ecrypt to store the TLS certificates and keys.
-
-Enabling this element will mean that the amphroa can no longer recover from a
-reboot.

elements/cert-ramfs-ecrypt/init-scripts/systemd/cert-ramfs-ecrypt.service

@@ -1,15 +0,0 @@
-[unit]
-Description=Creates an encrypted ramfs for Octavia certs
-After=cloud-config.target
-
-[Service]
-Type=oneshot
-ExecStart=/bin/sh -c 'passphrase=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1);token=$(echo $passphrase | ecryptfs-add-passphrase | awk -F'[][]' '{printf $2}');certs_path=$$(awk '/base_cert_dir / {printf $$3}' /etc/octavia/amphora-agent.conf);mkdir -p $$certs_path;mount -t ramfs -o size=1m ramfs $$certs_path;mount -t ecryptfs -o key=passphrase:passphrase_passwd=$passphrase,no_sig_cache=yes,verbose=no,ecryptfs_sig=$token,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=no,ecryptfs_enable_filename_crypto=no $certs_path $certs_path'
-ExecStop=/bin/sh -c 'certs_path=$$(awk '/base_cert_dir / {printf $$3}' /etc/octavia/amphora-agent.conf);umount $$certs_path;umount $$certs_path'
-RemainAfterExit=yes
-TimeoutSec=0
-
-[Install]
-# TODO(johnsom) Fix when amphora-agent has a systemd script
-WantedBy=multi-user.target
-

elements/cert-ramfs-ecrypt/init-scripts/upstart/cert-ramfs-ecrypt.conf

@@ -1,19 +0,0 @@
-description "Creates an encrypted ramfs for Octavia certs"
-
-start on started cloud-config
-stop on runlevel [!2345]
-
-pre-start script
-    passphrase=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)
-    token=$(echo $passphrase | ecryptfs-add-passphrase | awk -F'[][]' '{printf $2}')
-    certs_path=$(awk '/base_cert_dir / {printf $3}' /etc/octavia/amphora-agent.conf)
-    mkdir -p $certs_path
-    mount -t ramfs -o size=1m ramfs $certs_path
-    mount -t ecryptfs -o key=passphrase:passphrase_passwd=$passphrase,no_sig_cache=yes,verbose=no,ecryptfs_sig=$token,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=no,ecryptfs_enable_filename_crypto=no $certs_path $certs_path
-end script
-
-post-stop script
-    certs_path=$(awk '/base_cert_dir / {printf $3}' /etc/octavia/amphora-agent.conf)
-    umount $certs_path
-    umount $certs_path
-end script

elements/cert-ramfs-ecrypt/package-installs.yaml

@@ -1 +0,0 @@
-ecryptfs-utils:

elements/cert-ramfs-ecrypt/svc-map

@@ -1,2 +0,0 @@
-cert-ramfs-ecrypt:
-  default: cert-ramfs-ecrypt

elements/certs-ramfs/README.rst

@@ -0,0 +1,4 @@
+Element to setup an encrypted ramfs to store the TLS certificates and keys.
+
+Enabling this element will mean that the amphora can no longer recover from a
+reboot.

elements/certs-ramfs/init-scripts/systemd/certs-ramfs.service

@@ -0,0 +1,13 @@
+[Unit]
+Description=Creates an encrypted ramfs for Octavia certs
+After=cloud-config.target
+
+[Service]
+Type=oneshot
+ExecStart=/bin/sh -c 'modprobe brd; passphrase=$$(head /dev/urandom | tr -dc "a-zA-Z0-9" | fold -w 32 | head -n 1); certs_path=$$(awk "/base_cert_dir / {printf \$3}" /etc/octavia/amphora-agent.conf); mkdir -p "$${certs_path}"; echo -n "$${passphrase}" | cryptsetup luksFormat /dev/ram0 -; echo -n "$${passphrase}" | cryptsetup luksOpen /dev/ram0 certfs-ramfs -; mkfs.ext2 /dev/mapper/certfs-ramfs; mount /dev/mapper/certfs-ramfs "$${certs_path}"'
+ExecStop=/bin/sh -c 'certs_path=$$(awk "/base_cert_dir / {printf \$3}" /etc/octavia/amphora-agent.conf); umount "$${certs_path}"; cryptsetup luksClose /dev/mapper/certfs-ramfs;'
+RemainAfterExit=yes
+TimeoutSec=0
+
+[Install]
+WantedBy=amphora-agent.service

elements/certs-ramfs/init-scripts/sysv/certs-ramfs

@@ -1,5 +1,5 @@
 ### BEGIN INIT INFO
-# Provides:          cert-ramfs-ecrypt
+# Provides:          certs-ramfs
 # Required-Start:    $remote_fs $syslog $network cloud-config
 # Required-Stop:     $remote_fs $syslog $network
 # Default-Start:     2 3 4 5
@@ -12,25 +12,26 @@
 # Using the lsb functions to perform the operations.
 . /lib/lsb/init-functions
 # Process name ( For display )
-NAME=cert-ramfs-ecrypt
+NAME=certs-ramfs
 
 case $1 in
  start)
   log_daemon_msg "Starting the process" "$NAME"
-  passphrase=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)
-  token=$(echo $passphrase | ecryptfs-add-passphrase | awk -F'[][]' '{printf $2}')
-
-  certs_path=$(awk '/base_cert_dir / {printf $3}' /etc/octavia/amphora-agent.conf)
-  mkdir -p $certs_path
-  mount -t ramfs -o size=1m ramfs $certs_path
-  mount -t ecryptfs -o key=passphrase:passphrase_passwd=$passphrase,no_sig_cache=yes,verbose=no,ecryptfs_sig=$token,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=no,ecryptfs_enable_filename_crypto=no $certs_path $certs_path
+  modprobe brd
+  passphrase=$(head /dev/urandom | tr -dc "a-zA-Z0-9" | fold -w 32 | head -n 1)
+  certs_path=$(awk "/base_cert_dir / {printf \$3}" /etc/octavia/amphora-agent.conf)
+  mkdir -p "${certs_path}"
+  echo -n "${passphrase}" | cryptsetup luksFormat /dev/ram0 -
+  echo -n "${passphrase}" | cryptsetup luksOpen /dev/ram0 certfs-ramfs -
+  mkfs.ext2 /dev/mapper/certfs-ramfs
+  mount /dev/mapper/certfs-ramfs "${certs_path}"
   log_end_msg 0
   ;;
  stop)
   log_daemon_msg "Stopping the process" "$NAME"
-  certs_path=$(awk '/base_cert_dir / {printf $3}' /etc/octavia/amphora-agent.conf)
-  umount $certs_path
-  umount $certs_path
+  certs_path=$(awk "/base_cert_dir / {printf \$3}" /etc/octavia/amphora-agent.conf)
+  umount "${certs_path}"
+  cryptsetup luksClose /dev/mapper/certfs-ramfs
   log_end_msg 0
   ;;
  restart)

elements/certs-ramfs/init-scripts/upstart/certs-ramfs.conf

@@ -0,0 +1,21 @@
+description "Creates an encrypted ramfs for Octavia certs"
+
+start on started cloud-config
+stop on runlevel [!2345]
+
+pre-start script
+    modprobe brd
+    passphrase=$(head /dev/urandom | tr -dc "a-zA-Z0-9" | fold -w 32 | head -n 1)
+    certs_path=$(awk "/base_cert_dir / {printf \$3}" /etc/octavia/amphora-agent.conf)
+    mkdir -p "${certs_path}"
+    echo -n "${passphrase}" | cryptsetup luksFormat /dev/ram0 -
+    echo -n "${passphrase}" | cryptsetup luksOpen /dev/ram0 certfs-ramfs -
+    mkfs.ext2 /dev/mapper/certfs-ramfs
+    mount /dev/mapper/certfs-ramfs "${certs_path}"
+end script
+
+post-stop script
+    certs_path=$(awk "/base_cert_dir / {printf \$3}" /etc/octavia/amphora-agent.conf)
+    umount "${certs_path}"
+    cryptsetup luksClose /dev/mapper/certfs-ramfs
+end script

elements/certs-ramfs/package-installs.yaml

@@ -0,0 +1 @@
+cryptsetup:

elements/certs-ramfs/post-install.d/30-enable-certs-ramfs-service

@@ -0,0 +1,21 @@
+#!/bin/bash
+
+if [ "${DIB_DEBUG_TRACE:-0}" -gt 0 ]; then
+    set -x
+fi
+set -eu
+set -o pipefail
+
+case "$DIB_INIT_SYSTEM" in
+    upstart|sysv)
+        # nothing to do
+        exit 0
+        ;;
+    systemd)
+        systemctl enable certs-ramfs.service
+        ;;
+    *)
+        echo "Unsupported init system $DIB_INIT_SYSTEM"
+        exit 1
+        ;;
+esac

elements/certs-ramfs/svc-map

@@ -0,0 +1,2 @@
+certs-ramfs:
+  default: certs-ramfs