Use cryptsetup/LUKS for encrypted ramfs

ecryptfs was dropped from RHEL/CentOS, use LUKS on a RAM-backed block
device (brd) instead.

Made the element name more generic

Added systemctl enable call in postinstall (for systemd init), so that
the service is correctly started and listed as wanted by amphora-agent

Change-Id: Id8c7ff93ae244ef14480e22c85dc79355a902105
Closes-Bug: #1642982
Closes-Bug: #1662952
changes/17/403817/5
Bernard Cafarelli 6 years ago
parent 7c9baeb9d1
commit 0dd4649f37

@ -371,8 +371,8 @@ fi
# Add pip-cache element
AMP_element_sequence="$AMP_element_sequence pip-cache"
# Add certificate ramfs ecrypt element
AMP_element_sequence="$AMP_element_sequence cert-ramfs-ecrypt"
# Add certificate ramfs element
AMP_element_sequence="$AMP_element_sequence certs-ramfs"
# Allow full elements override
if [ "$DIB_ELEMENTS" ]; then

@ -1,4 +0,0 @@
Element to setup a ramfs with ecrypt to store the TLS certificates and keys.
Enabling this element will mean that the amphroa can no longer recover from a
reboot.

@ -1,15 +0,0 @@
[unit]
Description=Creates an encrypted ramfs for Octavia certs
After=cloud-config.target
[Service]
Type=oneshot
ExecStart=/bin/sh -c 'passphrase=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1);token=$(echo $passphrase | ecryptfs-add-passphrase | awk -F'[][]' '{printf $2}');certs_path=$$(awk '/base_cert_dir / {printf $$3}' /etc/octavia/amphora-agent.conf);mkdir -p $$certs_path;mount -t ramfs -o size=1m ramfs $$certs_path;mount -t ecryptfs -o key=passphrase:passphrase_passwd=$passphrase,no_sig_cache=yes,verbose=no,ecryptfs_sig=$token,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=no,ecryptfs_enable_filename_crypto=no $certs_path $certs_path'
ExecStop=/bin/sh -c 'certs_path=$$(awk '/base_cert_dir / {printf $$3}' /etc/octavia/amphora-agent.conf);umount $$certs_path;umount $$certs_path'
RemainAfterExit=yes
TimeoutSec=0
[Install]
# TODO(johnsom) Fix when amphora-agent has a systemd script
WantedBy=multi-user.target

@ -1,19 +0,0 @@
description "Creates an encrypted ramfs for Octavia certs"
start on started cloud-config
stop on runlevel [!2345]
pre-start script
passphrase=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)
token=$(echo $passphrase | ecryptfs-add-passphrase | awk -F'[][]' '{printf $2}')
certs_path=$(awk '/base_cert_dir / {printf $3}' /etc/octavia/amphora-agent.conf)
mkdir -p $certs_path
mount -t ramfs -o size=1m ramfs $certs_path
mount -t ecryptfs -o key=passphrase:passphrase_passwd=$passphrase,no_sig_cache=yes,verbose=no,ecryptfs_sig=$token,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=no,ecryptfs_enable_filename_crypto=no $certs_path $certs_path
end script
post-stop script
certs_path=$(awk '/base_cert_dir / {printf $3}' /etc/octavia/amphora-agent.conf)
umount $certs_path
umount $certs_path
end script

@ -1,2 +0,0 @@
cert-ramfs-ecrypt:
default: cert-ramfs-ecrypt

@ -0,0 +1,4 @@
Element to setup an encrypted ramfs to store the TLS certificates and keys.
Enabling this element will mean that the amphora can no longer recover from a
reboot.

@ -0,0 +1,13 @@
[Unit]
Description=Creates an encrypted ramfs for Octavia certs
After=cloud-config.target
[Service]
Type=oneshot
ExecStart=/bin/sh -c 'modprobe brd; passphrase=$$(head /dev/urandom | tr -dc "a-zA-Z0-9" | fold -w 32 | head -n 1); certs_path=$$(awk "/base_cert_dir / {printf \$3}" /etc/octavia/amphora-agent.conf); mkdir -p "$${certs_path}"; echo -n "$${passphrase}" | cryptsetup luksFormat /dev/ram0 -; echo -n "$${passphrase}" | cryptsetup luksOpen /dev/ram0 certfs-ramfs -; mkfs.ext2 /dev/mapper/certfs-ramfs; mount /dev/mapper/certfs-ramfs "$${certs_path}"'
ExecStop=/bin/sh -c 'certs_path=$$(awk "/base_cert_dir / {printf \$3}" /etc/octavia/amphora-agent.conf); umount "$${certs_path}"; cryptsetup luksClose /dev/mapper/certfs-ramfs;'
RemainAfterExit=yes
TimeoutSec=0
[Install]
WantedBy=amphora-agent.service
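Review bot: The unit is pulled in only through `WantedBy=amphora-agent.service` and declares no ordering against the agent, so as far as this unit shows amphora-agent may start before the LUKS volume is mounted on base_cert_dir, or start even though this oneshot failed, and then write its keys to the unencrypted directory on disk. Unless amphora-agent.service itself carries `After=certs-ramfs.service` and `Requires=certs-ramfs.service` (not visible here), add `Before=amphora-agent.service` to [Unit] and use `RequiredBy=amphora-agent.service` in [Install] so that a failed mount blocks the agent. The ExecStart chain also joins its steps with `;`, so a failed luksFormat or luksOpen does not stop mkfs.ext2 and mount from running against whatever /dev/mapper/certfs-ramfs currently is (e.g. a stale mapping left by an earlier run); joining the steps with `&&` makes the oneshot fail at the first error instead.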

@ -1,5 +1,5 @@
### BEGIN INIT INFO
# Provides: cert-ramfs-ecrypt
# Provides: certs-ramfs
# Required-Start: $remote_fs $syslog $network cloud-config
# Required-Stop: $remote_fs $syslog $network
# Default-Start: 2 3 4 5
@ -12,25 +12,26 @@
# Using the lsb functions to perform the operations.
. /lib/lsb/init-functions
# Process name ( For display )
NAME=cert-ramfs-ecrypt
NAME=certs-ramfs
case $1 in
start)
log_daemon_msg "Starting the process" "$NAME"
passphrase=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)
token=$(echo $passphrase | ecryptfs-add-passphrase | awk -F'[][]' '{printf $2}')
certs_path=$(awk '/base_cert_dir / {printf $3}' /etc/octavia/amphora-agent.conf)
mkdir -p $certs_path
mount -t ramfs -o size=1m ramfs $certs_path
mount -t ecryptfs -o key=passphrase:passphrase_passwd=$passphrase,no_sig_cache=yes,verbose=no,ecryptfs_sig=$token,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=no,ecryptfs_enable_filename_crypto=no $certs_path $certs_path
modprobe brd
passphrase=$(head /dev/urandom | tr -dc "a-zA-Z0-9" | fold -w 32 | head -n 1)
certs_path=$(awk "/base_cert_dir / {printf \$3}" /etc/octavia/amphora-agent.conf)
mkdir -p "${certs_path}"
echo -n "${passphrase}" | cryptsetup luksFormat /dev/ram0 -
echo -n "${passphrase}" | cryptsetup luksOpen /dev/ram0 certfs-ramfs -
mkfs.ext2 /dev/mapper/certfs-ramfs
mount /dev/mapper/certfs-ramfs "${certs_path}"
log_end_msg 0
;;
stop)
log_daemon_msg "Stopping the process" "$NAME"
certs_path=$(awk '/base_cert_dir / {printf $3}' /etc/octavia/amphora-agent.conf)
umount $certs_path
umount $certs_path
certs_path=$(awk "/base_cert_dir / {printf \$3}" /etc/octavia/amphora-agent.conf)
umount "${certs_path}"
cryptsetup luksClose /dev/mapper/certfs-ramfs
log_end_msg 0
;;
restart)
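Review bot: In the start branch the new cryptsetup/mkfs/mount commands run without `set -e` and the `log_end_msg 0` right after the mount reports success unconditionally, so a failed luksFormat, luksOpen or mount still logs a successful start and leaves base_cert_dir as a plain directory on disk where the agent will write its keys in clear. Chain the steps with `&&` and report the real status with `log_end_msg $?`, as below; the stop branch has the same unconditional `log_end_msg 0` after umount/luksClose and should report `$?` likewise. The `case $1 in` statement ends outside the hunk.
```shell
    start)
        log_daemon_msg "Starting the process" "$NAME"
        modprobe brd \
            && passphrase=$(head /dev/urandom | tr -dc "a-zA-Z0-9" | fold -w 32 | head -n 1) \
            && certs_path=$(awk "/base_cert_dir / {printf \$3}" /etc/octavia/amphora-agent.conf) \
            && mkdir -p "${certs_path}" \
            && echo -n "${passphrase}" | cryptsetup luksFormat /dev/ram0 - \
            && echo -n "${passphrase}" | cryptsetup luksOpen /dev/ram0 certfs-ramfs - \
            && mkfs.ext2 /dev/mapper/certfs-ramfs \
            && mount /dev/mapper/certfs-ramfs "${certs_path}"
        log_end_msg $?
        ;;
    # … unchanged: stop and restart branches …
```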

@ -0,0 +1,21 @@
description "Creates an encrypted ramfs for Octavia certs"
start on started cloud-config
stop on runlevel [!2345]
pre-start script
modprobe brd
passphrase=$(head /dev/urandom | tr -dc "a-zA-Z0-9" | fold -w 32 | head -n 1)
certs_path=$(awk "/base_cert_dir / {printf \$3}" /etc/octavia/amphora-agent.conf)
mkdir -p "${certs_path}"
echo -n "${passphrase}" | cryptsetup luksFormat /dev/ram0 -
echo -n "${passphrase}" | cryptsetup luksOpen /dev/ram0 certfs-ramfs -
mkfs.ext2 /dev/mapper/certfs-ramfs
mount /dev/mapper/certfs-ramfs "${certs_path}"
end script
post-stop script
certs_path=$(awk "/base_cert_dir / {printf \$3}" /etc/octavia/amphora-agent.conf)
umount "${certs_path}"
cryptsetup luksClose /dev/mapper/certfs-ramfs
end script
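Review bot: `cryptsetup luksFormat /dev/ram0 -` in pre-start relies on cryptsetup skipping its "Are you sure?" confirmation only because stdin is a pipe rather than a terminal; if the job is ever run with a TTY attached, or that behaviour changes, it blocks waiting for a "YES" that never comes. Passing `--batch-mode` makes the non-interactive format explicit: `echo -n "${passphrase}" | cryptsetup --batch-mode luksFormat /dev/ram0 -`. Since upstart runs `script` stanzas under `sh -e`, a failing step here does abort the job, unlike the SysV variant; a one-line comment such as `# runs under sh -e: any failed step aborts the job and the agent's cert dir stays unmounted` would save the next reader from checking.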

@ -0,0 +1,21 @@
#!/bin/bash
if [ "${DIB_DEBUG_TRACE:-0}" -gt 0 ]; then
set -x
fi
set -eu
set -o pipefail
case "$DIB_INIT_SYSTEM" in
upstart|sysv)
# nothing to do
exit 0
;;
systemd)
systemctl enable certs-ramfs.service
;;
*)
echo "Unsupported init system $DIB_INIT_SYSTEM"
exit 1
;;
esac
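Review bot: The `upstart|sysv` branch exits 0 with "nothing to do", but a SysV init script only runs at boot once its rc links exist (`update-rc.d certs-ramfs defaults` on Debian-style systems, `chkconfig --add certs-ramfs` on Red Hat-style ones); unless another element, such as the init-script installer, creates those links, the encrypted volume is never mounted on sysv images and the agent writes its keys to plain disk. If the links are created elsewhere, a comment naming where would document it; otherwise give sysv its own branch, e.g. `sysv) update-rc.d certs-ramfs defaults ;;` with the chkconfig equivalent for the distro in use. Separately, because of `set -u` an unset `DIB_INIT_SYSTEM` aborts the script with a bare unbound-variable error before the `*)` branch is reached; `case "${DIB_INIT_SYSTEM:-}" in` keeps the explicit "Unsupported init system" message for that case.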

@ -0,0 +1,2 @@
certs-ramfs:
default: certs-ramfs