Merge "Use cryptsetup/LUKS for encrypted ramfs"

diskimage-create/diskimage-create.sh

@@ -371,8 +371,8 @@ fi
 # Add pip-cache element
 AMP_element_sequence="$AMP_element_sequence pip-cache"
 
-# Add certificate ramfs ecrypt element
-AMP_element_sequence="$AMP_element_sequence cert-ramfs-ecrypt"
+# Add certificate ramfs element
+AMP_element_sequence="$AMP_element_sequence certs-ramfs"
 
 # Allow full elements override
 if [ "$DIB_ELEMENTS" ]; then

elements/cert-ramfs-ecrypt/README.rst

@@ -1,4 +0,0 @@
-Element to setup a ramfs with ecrypt to store the TLS certificates and keys.
-
-Enabling this element will mean that the amphroa can no longer recover from a
-reboot.

elements/cert-ramfs-ecrypt/init-scripts/systemd/cert-ramfs-ecrypt.service

@@ -1,15 +0,0 @@
-[unit]
-Description=Creates an encrypted ramfs for Octavia certs
-After=cloud-config.target
-
-[Service]
-Type=oneshot
-ExecStart=/bin/sh -c 'passphrase=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1);token=$(echo $passphrase | ecryptfs-add-passphrase | awk -F'[][]' '{printf $2}');certs_path=$$(awk '/base_cert_dir / {printf $$3}' /etc/octavia/amphora-agent.conf);mkdir -p $$certs_path;mount -t ramfs -o size=1m ramfs $$certs_path;mount -t ecryptfs -o key=passphrase:passphrase_passwd=$passphrase,no_sig_cache=yes,verbose=no,ecryptfs_sig=$token,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=no,ecryptfs_enable_filename_crypto=no $certs_path $certs_path'
-ExecStop=/bin/sh -c 'certs_path=$$(awk '/base_cert_dir / {printf $$3}' /etc/octavia/amphora-agent.conf);umount $$certs_path;umount $$certs_path'
-RemainAfterExit=yes
-TimeoutSec=0
-
-[Install]
-# TODO(johnsom) Fix when amphora-agent has a systemd script
-WantedBy=multi-user.target
-

elements/cert-ramfs-ecrypt/init-scripts/upstart/cert-ramfs-ecrypt.conf

@@ -1,19 +0,0 @@
-description "Creates an encrypted ramfs for Octavia certs"
-
-start on started cloud-config
-stop on runlevel [!2345]
-
-pre-start script
-    passphrase=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)
-    token=$(echo $passphrase | ecryptfs-add-passphrase | awk -F'[][]' '{printf $2}')
-    certs_path=$(awk '/base_cert_dir / {printf $3}' /etc/octavia/amphora-agent.conf)
-    mkdir -p $certs_path
-    mount -t ramfs -o size=1m ramfs $certs_path
-    mount -t ecryptfs -o key=passphrase:passphrase_passwd=$passphrase,no_sig_cache=yes,verbose=no,ecryptfs_sig=$token,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=no,ecryptfs_enable_filename_crypto=no $certs_path $certs_path
-end script
-
-post-stop script
-    certs_path=$(awk '/base_cert_dir / {printf $3}' /etc/octavia/amphora-agent.conf)
-    umount $certs_path
-    umount $certs_path
-end script

elements/cert-ramfs-ecrypt/package-installs.yaml

@@ -1 +0,0 @@
-ecryptfs-utils:

elements/cert-ramfs-ecrypt/svc-map

@@ -1,2 +0,0 @@
-cert-ramfs-ecrypt:
-  default: cert-ramfs-ecrypt

elements/certs-ramfs/README.rst

@@ -0,0 +1,4 @@
+Element to setup an encrypted ramfs to store the TLS certificates and keys.
+
+Enabling this element will mean that the amphora can no longer recover from a
+reboot.

elements/certs-ramfs/init-scripts/systemd/certs-ramfs.service

@@ -0,0 +1,13 @@
+[Unit]
+Description=Creates an encrypted ramfs for Octavia certs
+After=cloud-config.target
+
+[Service]
+Type=oneshot
+ExecStart=/bin/sh -c 'modprobe brd; passphrase=$$(head /dev/urandom | tr -dc "a-zA-Z0-9" | fold -w 32 | head -n 1); certs_path=$$(awk "/base_cert_dir / {printf \$3}" /etc/octavia/amphora-agent.conf); mkdir -p "$${certs_path}"; echo -n "$${passphrase}" | cryptsetup luksFormat /dev/ram0 -; echo -n "$${passphrase}" | cryptsetup luksOpen /dev/ram0 certfs-ramfs -; mkfs.ext2 /dev/mapper/certfs-ramfs; mount /dev/mapper/certfs-ramfs "$${certs_path}"'
+ExecStop=/bin/sh -c 'certs_path=$$(awk "/base_cert_dir / {printf \$3}" /etc/octavia/amphora-agent.conf); umount "$${certs_path}"; cryptsetup luksClose /dev/mapper/certfs-ramfs;'
+RemainAfterExit=yes
+TimeoutSec=0
+
+[Install]
+WantedBy=amphora-agent.service

elements/certs-ramfs/init-scripts/sysv/certs-ramfs

@@ -1,5 +1,5 @@
 ### BEGIN INIT INFO
-# Provides:          cert-ramfs-ecrypt
+# Provides:          certs-ramfs
 # Required-Start:    $remote_fs $syslog $network cloud-config
 # Required-Stop:     $remote_fs $syslog $network
 # Default-Start:     2 3 4 5
@@ -12,25 +12,26 @@
 # Using the lsb functions to perform the operations.
 . /lib/lsb/init-functions
 # Process name ( For display )
-NAME=cert-ramfs-ecrypt
+NAME=certs-ramfs
 
 case $1 in
  start)
   log_daemon_msg "Starting the process" "$NAME"
-  passphrase=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)
-  token=$(echo $passphrase | ecryptfs-add-passphrase | awk -F'[][]' '{printf $2}')
-
-  certs_path=$(awk '/base_cert_dir / {printf $3}' /etc/octavia/amphora-agent.conf)
-  mkdir -p $certs_path
-  mount -t ramfs -o size=1m ramfs $certs_path
-  mount -t ecryptfs -o key=passphrase:passphrase_passwd=$passphrase,no_sig_cache=yes,verbose=no,ecryptfs_sig=$token,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=no,ecryptfs_enable_filename_crypto=no $certs_path $certs_path
+  modprobe brd
+  passphrase=$(head /dev/urandom | tr -dc "a-zA-Z0-9" | fold -w 32 | head -n 1)
+  certs_path=$(awk "/base_cert_dir / {printf \$3}" /etc/octavia/amphora-agent.conf)
+  mkdir -p "${certs_path}"
+  echo -n "${passphrase}" | cryptsetup luksFormat /dev/ram0 -
+  echo -n "${passphrase}" | cryptsetup luksOpen /dev/ram0 certfs-ramfs -
+  mkfs.ext2 /dev/mapper/certfs-ramfs
+  mount /dev/mapper/certfs-ramfs "${certs_path}"
   log_end_msg 0
   ;;
  stop)
   log_daemon_msg "Stopping the process" "$NAME"
-  certs_path=$(awk '/base_cert_dir / {printf $3}' /etc/octavia/amphora-agent.conf)
-  umount $certs_path
-  umount $certs_path
+  certs_path=$(awk "/base_cert_dir / {printf \$3}" /etc/octavia/amphora-agent.conf)
+  umount "${certs_path}"
+  cryptsetup luksClose /dev/mapper/certfs-ramfs
   log_end_msg 0
   ;;
  restart)

elements/certs-ramfs/init-scripts/upstart/certs-ramfs.conf

@@ -0,0 +1,21 @@
+description "Creates an encrypted ramfs for Octavia certs"
+
+start on started cloud-config
+stop on runlevel [!2345]
+
+pre-start script
+    modprobe brd
+    passphrase=$(head /dev/urandom | tr -dc "a-zA-Z0-9" | fold -w 32 | head -n 1)
+    certs_path=$(awk "/base_cert_dir / {printf \$3}" /etc/octavia/amphora-agent.conf)
+    mkdir -p "${certs_path}"
+    echo -n "${passphrase}" | cryptsetup luksFormat /dev/ram0 -
+    echo -n "${passphrase}" | cryptsetup luksOpen /dev/ram0 certfs-ramfs -
+    mkfs.ext2 /dev/mapper/certfs-ramfs
+    mount /dev/mapper/certfs-ramfs "${certs_path}"
+end script
+
+post-stop script
+    certs_path=$(awk "/base_cert_dir / {printf \$3}" /etc/octavia/amphora-agent.conf)
+    umount "${certs_path}"
+    cryptsetup luksClose /dev/mapper/certfs-ramfs
+end script

elements/certs-ramfs/package-installs.yaml

@@ -0,0 +1 @@
+cryptsetup:

elements/certs-ramfs/post-install.d/30-enable-certs-ramfs-service

@@ -0,0 +1,21 @@
+#!/bin/bash
+
+if [ "${DIB_DEBUG_TRACE:-0}" -gt 0 ]; then
+    set -x
+fi
+set -eu
+set -o pipefail
+
+case "$DIB_INIT_SYSTEM" in
+    upstart|sysv)
+        # nothing to do
+        exit 0
+        ;;
+    systemd)
+        systemctl enable certs-ramfs.service
+        ;;
+    *)
+        echo "Unsupported init system $DIB_INIT_SYSTEM"
+        exit 1
+        ;;
+esac

elements/certs-ramfs/svc-map

@@ -0,0 +1,2 @@
+certs-ramfs:
+  default: certs-ramfs