diff --git a/diskimage-create/diskimage-create.sh b/diskimage-create/diskimage-create.sh
index 8211e1b8bf..1b6ba3ac6e 100755
--- a/diskimage-create/diskimage-create.sh
+++ b/diskimage-create/diskimage-create.sh
@@ -371,8 +371,8 @@ fi
 # Add pip-cache element
 AMP_element_sequence="$AMP_element_sequence pip-cache"
-# Add certificate ramfs ecrypt element
-AMP_element_sequence="$AMP_element_sequence cert-ramfs-ecrypt"
+# Add certificate ramfs element
+AMP_element_sequence="$AMP_element_sequence certs-ramfs"
 # Allow full elements override
 if [ "$DIB_ELEMENTS" ]; then
diff --git a/elements/cert-ramfs-ecrypt/README.rst b/elements/cert-ramfs-ecrypt/README.rst
deleted file mode 100644
index ee07dc50e4..0000000000
--- a/elements/cert-ramfs-ecrypt/README.rst
+++ /dev/null
@@ -1,4 +0,0 @@
-Element to setup a ramfs with ecrypt to store the TLS certificates and keys.
-
-Enabling this element will mean that the amphroa can no longer recover from a
-reboot.
diff --git a/elements/cert-ramfs-ecrypt/init-scripts/systemd/cert-ramfs-ecrypt.service b/elements/cert-ramfs-ecrypt/init-scripts/systemd/cert-ramfs-ecrypt.service
deleted file mode 100644
index 5bfb137130..0000000000
--- a/elements/cert-ramfs-ecrypt/init-scripts/systemd/cert-ramfs-ecrypt.service
+++ /dev/null
@@ -1,15 +0,0 @@
-[unit]
-Description=Creates an encrypted ramfs for Octavia certs
-After=cloud-config.target
-
-[Service]
-Type=oneshot
-ExecStart=/bin/sh -c 'passphrase=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1);token=$(echo $passphrase | ecryptfs-add-passphrase | awk -F'[][]' '{printf $2}');certs_path=$$(awk '/base_cert_dir / {printf $$3}' /etc/octavia/amphora-agent.conf);mkdir -p $$certs_path;mount -t ramfs -o size=1m ramfs $$certs_path;mount -t ecryptfs -o key=passphrase:passphrase_passwd=$passphrase,no_sig_cache=yes,verbose=no,ecryptfs_sig=$token,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=no,ecryptfs_enable_filename_crypto=no $certs_path $certs_path'
-ExecStop=/bin/sh -c 'certs_path=$$(awk '/base_cert_dir / {printf $$3}' /etc/octavia/amphora-agent.conf);umount $$certs_path;umount $$certs_path'
-RemainAfterExit=yes
-TimeoutSec=0
-
-[Install]
-# TODO(johnsom) Fix when amphora-agent has a systemd script
-WantedBy=multi-user.target
-
diff --git a/elements/cert-ramfs-ecrypt/init-scripts/upstart/cert-ramfs-ecrypt.conf b/elements/cert-ramfs-ecrypt/init-scripts/upstart/cert-ramfs-ecrypt.conf
deleted file mode 100644
index 2b72dd6b4d..0000000000
--- a/elements/cert-ramfs-ecrypt/init-scripts/upstart/cert-ramfs-ecrypt.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-description "Creates an encrypted ramfs for Octavia certs"
-
-start on started cloud-config
-stop on runlevel [!2345]
-
-pre-start script
- passphrase=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)
- token=$(echo $passphrase | ecryptfs-add-passphrase | awk -F'[][]' '{printf $2}')
- certs_path=$(awk '/base_cert_dir / {printf $3}' /etc/octavia/amphora-agent.conf)
- mkdir -p $certs_path
- mount -t ramfs -o size=1m ramfs $certs_path
- mount -t ecryptfs -o key=passphrase:passphrase_passwd=$passphrase,no_sig_cache=yes,verbose=no,ecryptfs_sig=$token,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=no,ecryptfs_enable_filename_crypto=no $certs_path $certs_path
-end script
-
-post-stop script
- certs_path=$(awk '/base_cert_dir / {printf $3}' /etc/octavia/amphora-agent.conf)
- umount $certs_path
- umount $certs_path
-end script
diff --git a/elements/cert-ramfs-ecrypt/package-installs.yaml b/elements/cert-ramfs-ecrypt/package-installs.yaml
deleted file mode 100644
index 9171e7bcce..0000000000
--- a/elements/cert-ramfs-ecrypt/package-installs.yaml
+++ /dev/null
@@ -1 +0,0 @@
-ecryptfs-utils:
diff --git a/elements/cert-ramfs-ecrypt/svc-map b/elements/cert-ramfs-ecrypt/svc-map
deleted file mode 100644
index 17e143a912..0000000000
--- a/elements/cert-ramfs-ecrypt/svc-map
+++ /dev/null
@@ -1,2 +0,0 @@
-cert-ramfs-ecrypt:
- default: cert-ramfs-ecrypt
diff --git a/elements/certs-ramfs/README.rst b/elements/certs-ramfs/README.rst
new file mode 100644
index 0000000000..e8e87f05de
--- /dev/null
+++ b/elements/certs-ramfs/README.rst
@@ -0,0 +1,4 @@
+Element to setup an encrypted ramfs to store the TLS certificates and keys.
+
+Enabling this element will mean that the amphora can no longer recover from a
+reboot.
diff --git a/elements/cert-ramfs-ecrypt/element-deps b/elements/certs-ramfs/element-deps
similarity index 100%
rename from elements/cert-ramfs-ecrypt/element-deps
rename to elements/certs-ramfs/element-deps
diff --git a/elements/certs-ramfs/init-scripts/systemd/certs-ramfs.service b/elements/certs-ramfs/init-scripts/systemd/certs-ramfs.service
new file mode 100644
index 0000000000..3686b444f3
--- /dev/null
+++ b/elements/certs-ramfs/init-scripts/systemd/certs-ramfs.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=Creates an encrypted ramfs for Octavia certs
+After=cloud-config.target
+
+[Service]
+Type=oneshot
+ExecStart=/bin/sh -c 'modprobe brd; passphrase=$$(head /dev/urandom | tr -dc "a-zA-Z0-9" | fold -w 32 | head -n 1); certs_path=$$(awk "/base_cert_dir / {printf \$3}" /etc/octavia/amphora-agent.conf); mkdir -p "$${certs_path}"; echo -n "$${passphrase}" | cryptsetup luksFormat /dev/ram0 -; echo -n "$${passphrase}" | cryptsetup luksOpen /dev/ram0 certfs-ramfs -; mkfs.ext2 /dev/mapper/certfs-ramfs; mount /dev/mapper/certfs-ramfs "$${certs_path}"'
+ExecStop=/bin/sh -c 'certs_path=$$(awk "/base_cert_dir / {printf \$3}" /etc/octavia/amphora-agent.conf); umount "$${certs_path}"; cryptsetup luksClose /dev/mapper/certfs-ramfs;'
+RemainAfterExit=yes
+TimeoutSec=0
+
+[Install]
+WantedBy=amphora-agent.service
diff --git a/elements/cert-ramfs-ecrypt/init-scripts/sysv/cert-ramfs-ecrypt b/elements/certs-ramfs/init-scripts/sysv/certs-ramfs
similarity index 53%
rename from elements/cert-ramfs-ecrypt/init-scripts/sysv/cert-ramfs-ecrypt
rename to elements/certs-ramfs/init-scripts/sysv/certs-ramfs
index 4979176844..4b9d7ade13 100644
--- a/elements/cert-ramfs-ecrypt/init-scripts/sysv/cert-ramfs-ecrypt
+++ b/elements/certs-ramfs/init-scripts/sysv/certs-ramfs
@@ -1,5 +1,5 @@
 ### BEGIN INIT INFO
-# Provides: cert-ramfs-ecrypt
+# Provides: certs-ramfs
 # Required-Start: $remote_fs $syslog $network cloud-config
 # Required-Stop: $remote_fs $syslog $network
 # Default-Start: 2 3 4 5
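Review bot: `WantedBy=amphora-agent.service` on the last line only pulls this unit in alongside amphora-agent; a Wants relationship carries no ordering, so amphora-agent can start before the encrypted volume is mounted on its certificate directory, and `[Unit]` needs `Before=amphora-agent.service` to guarantee the mount is up first. In ExecStart the steps are joined with `;`, so when `modprobe brd`, `luksFormat` or `luksOpen` fails the shell still runs `mkfs.ext2` and `mount` against a mapping that may not exist, and only the exit status of the final `mount` decides whether the unit is marked failed; joining the steps with `&&` (or invoking `/bin/sh -ec`) stops at the first failure and surfaces it. ExecStop has the same shape, where a failed `umount` is followed by a `luksClose` that cannot succeed while the filesystem is still mounted.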
@@ -12,25 +12,26 @@
 # Using the lsb functions to perform the operations.
 . /lib/lsb/init-functions
 # Process name ( For display )
-NAME=cert-ramfs-ecrypt
+NAME=certs-ramfs
 case $1 in
 start)
 log_daemon_msg "Starting the process" "$NAME"
- passphrase=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)
- token=$(echo $passphrase | ecryptfs-add-passphrase | awk -F'[][]' '{printf $2}')
-
- certs_path=$(awk '/base_cert_dir / {printf $3}' /etc/octavia/amphora-agent.conf)
- mkdir -p $certs_path
- mount -t ramfs -o size=1m ramfs $certs_path
- mount -t ecryptfs -o key=passphrase:passphrase_passwd=$passphrase,no_sig_cache=yes,verbose=no,ecryptfs_sig=$token,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=no,ecryptfs_enable_filename_crypto=no $certs_path $certs_path
+ modprobe brd
+ passphrase=$(head /dev/urandom | tr -dc "a-zA-Z0-9" | fold -w 32 | head -n 1)
+ certs_path=$(awk "/base_cert_dir / {printf \$3}" /etc/octavia/amphora-agent.conf)
+ mkdir -p "${certs_path}"
+ echo -n "${passphrase}" | cryptsetup luksFormat /dev/ram0 -
+ echo -n "${passphrase}" | cryptsetup luksOpen /dev/ram0 certfs-ramfs -
+ mkfs.ext2 /dev/mapper/certfs-ramfs
+ mount /dev/mapper/certfs-ramfs "${certs_path}"
 log_end_msg 0
 ;;
 stop)
 log_daemon_msg "Stopping the process" "$NAME"
- certs_path=$(awk '/base_cert_dir / {printf $3}' /etc/octavia/amphora-agent.conf)
- umount $certs_path
- umount $certs_path
+ certs_path=$(awk "/base_cert_dir / {printf \$3}" /etc/octavia/amphora-agent.conf)
+ umount "${certs_path}"
+ cryptsetup luksClose /dev/mapper/certfs-ramfs
 log_end_msg 0
 ;;
 restart)
diff --git a/elements/certs-ramfs/init-scripts/upstart/certs-ramfs.conf b/elements/certs-ramfs/init-scripts/upstart/certs-ramfs.conf
new file mode 100644
index 0000000000..886dc339f3
--- /dev/null
+++ b/elements/certs-ramfs/init-scripts/upstart/certs-ramfs.conf
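Review bot: In the `start)` arm `log_end_msg 0` reports success unconditionally, so a failed `modprobe brd`, `cryptsetup luksFormat` or `luksOpen` still prints OK and the script exits 0 while the following `mkfs.ext2` and `mount` run against a mapping that may not exist; the `stop)` arm has the same unconditional `log_end_msg 0`. Chaining the steps with `&&` and handing the resulting status to `log_end_msg` makes the init script report what actually happened, and an explicit `[ -n "${passphrase}" ]` test keeps an empty key from being fed to `luksFormat` should the `head | tr | fold | head` pipeline ever produce nothing. `echo -n` is not a portable way to emit the passphrase under `/bin/sh`; `printf '%s' "${passphrase}"` is the usual replacement and the same substitution applies to the upstart job and the systemd ExecStart in this commit. The `case` statement continues past the hunk (the `restart)` arm and the end of the file are not shown).
```shell
  start)
    log_daemon_msg "Starting the process" "$NAME"
    modprobe brd \
      && passphrase=$(head /dev/urandom | tr -dc "a-zA-Z0-9" | fold -w 32 | head -n 1) \
      && [ -n "${passphrase}" ] \
      && certs_path=$(awk "/base_cert_dir / {printf \$3}" /etc/octavia/amphora-agent.conf) \
      && mkdir -p "${certs_path}" \
      && printf '%s' "${passphrase}" | cryptsetup luksFormat /dev/ram0 - \
      && printf '%s' "${passphrase}" | cryptsetup luksOpen /dev/ram0 certfs-ramfs - \
      && mkfs.ext2 /dev/mapper/certfs-ramfs \
      && mount /dev/mapper/certfs-ramfs "${certs_path}"
    log_end_msg $?
    ;;
  stop)
    log_daemon_msg "Stopping the process" "$NAME"
    certs_path=$(awk "/base_cert_dir / {printf \$3}" /etc/octavia/amphora-agent.conf) \
      && umount "${certs_path}" \
      && cryptsetup luksClose /dev/mapper/certfs-ramfs
    log_end_msg $?
    ;;
  # … unchanged: restart) arm and the remainder of the case …
```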
@@ -0,0 +1,21 @@
+description "Creates an encrypted ramfs for Octavia certs"
+
+start on started cloud-config
+stop on runlevel [!2345]
+
+pre-start script
+ modprobe brd
+ passphrase=$(head /dev/urandom | tr -dc "a-zA-Z0-9" | fold -w 32 | head -n 1)
+ certs_path=$(awk "/base_cert_dir / {printf \$3}" /etc/octavia/amphora-agent.conf)
+ mkdir -p "${certs_path}"
+ echo -n "${passphrase}" | cryptsetup luksFormat /dev/ram0 -
+ echo -n "${passphrase}" | cryptsetup luksOpen /dev/ram0 certfs-ramfs -
+ mkfs.ext2 /dev/mapper/certfs-ramfs
+ mount /dev/mapper/certfs-ramfs "${certs_path}"
+end script
+
+post-stop script
+ certs_path=$(awk "/base_cert_dir / {printf \$3}" /etc/octavia/amphora-agent.conf)
+ umount "${certs_path}"
+ cryptsetup luksClose /dev/mapper/certfs-ramfs
+end script
diff --git a/elements/certs-ramfs/package-installs.yaml b/elements/certs-ramfs/package-installs.yaml
new file mode 100644
index 0000000000..2edcf41eb6
--- /dev/null
+++ b/elements/certs-ramfs/package-installs.yaml
@@ -0,0 +1 @@
+cryptsetup:
diff --git a/elements/certs-ramfs/post-install.d/30-enable-certs-ramfs-service b/elements/certs-ramfs/post-install.d/30-enable-certs-ramfs-service
new file mode 100755
index 0000000000..9a19b60af4
--- /dev/null
+++ b/elements/certs-ramfs/post-install.d/30-enable-certs-ramfs-service
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+if [ "${DIB_DEBUG_TRACE:-0}" -gt 0 ]; then
+ set -x
+fi
+set -eu
+set -o pipefail
+
+case "$DIB_INIT_SYSTEM" in
+ upstart|sysv)
+ # nothing to do
+ exit 0
+ ;;
+ systemd)
+ systemctl enable certs-ramfs.service
+ ;;
+ *)
+ echo "Unsupported init system $DIB_INIT_SYSTEM"
+ exit 1
+ ;;
+esac
diff --git a/elements/certs-ramfs/svc-map b/elements/certs-ramfs/svc-map
new file mode 100644
index 0000000000..5837681f11
--- /dev/null
+++ b/elements/certs-ramfs/svc-map
@@ -0,0 +1,2 @@
+certs-ramfs:
+ default: certs-ramfs
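Review bot: In the post-install hook `30-enable-certs-ramfs-service` the `*)` arm writes `Unsupported init system $DIB_INIT_SYSTEM` to stdout; a failure diagnostic belongs on stderr, `echo "Unsupported init system $DIB_INIT_SYSTEM" >&2`. With `set -eu` in force an unset `DIB_INIT_SYSTEM` aborts at the `case` line with bash's generic unbound-variable message instead of reaching that arm; `case "${DIB_INIT_SYSTEM:?DIB_INIT_SYSTEM must be set}" in` gives the image builder a clearer failure. The `upstart|sysv)` arm exits with only `# nothing to do`; a comment naming where those init systems get the service enabled (presumably through the element's `svc-map`, to be confirmed) would save the next reader a search.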