Merge "Use cryptsetup/LUKS for encrypted ramfs"
commit
15e9b51b7b
|
@ -371,8 +371,8 @@ fi
|
||||||
# Add pip-cache element
|
# Add pip-cache element
|
||||||
AMP_element_sequence="$AMP_element_sequence pip-cache"
|
AMP_element_sequence="$AMP_element_sequence pip-cache"
|
||||||
|
|
||||||
# Add certificate ramfs ecrypt element
|
# Add certificate ramfs element
|
||||||
AMP_element_sequence="$AMP_element_sequence cert-ramfs-ecrypt"
|
AMP_element_sequence="$AMP_element_sequence certs-ramfs"
|
||||||
|
|
||||||
# Allow full elements override
|
# Allow full elements override
|
||||||
if [ "$DIB_ELEMENTS" ]; then
|
if [ "$DIB_ELEMENTS" ]; then
|
||||||
|
|
|
@ -1,4 +0,0 @@
|
||||||
Element to setup a ramfs with ecrypt to store the TLS certificates and keys.
|
|
||||||
|
|
||||||
Enabling this element will mean that the amphroa can no longer recover from a
|
|
||||||
reboot.
|
|
|
@ -1,15 +0,0 @@
|
||||||
[unit]
|
|
||||||
Description=Creates an encrypted ramfs for Octavia certs
|
|
||||||
After=cloud-config.target
|
|
||||||
|
|
||||||
[Service]
|
|
||||||
Type=oneshot
|
|
||||||
ExecStart=/bin/sh -c 'passphrase=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1);token=$(echo $passphrase | ecryptfs-add-passphrase | awk -F'[][]' '{printf $2}');certs_path=$$(awk '/base_cert_dir / {printf $$3}' /etc/octavia/amphora-agent.conf);mkdir -p $$certs_path;mount -t ramfs -o size=1m ramfs $$certs_path;mount -t ecryptfs -o key=passphrase:passphrase_passwd=$passphrase,no_sig_cache=yes,verbose=no,ecryptfs_sig=$token,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=no,ecryptfs_enable_filename_crypto=no $certs_path $certs_path'
|
|
||||||
ExecStop=/bin/sh -c 'certs_path=$$(awk '/base_cert_dir / {printf $$3}' /etc/octavia/amphora-agent.conf);umount $$certs_path;umount $$certs_path'
|
|
||||||
RemainAfterExit=yes
|
|
||||||
TimeoutSec=0
|
|
||||||
|
|
||||||
[Install]
|
|
||||||
# TODO(johnsom) Fix when amphora-agent has a systemd script
|
|
||||||
WantedBy=multi-user.target
|
|
||||||
|
|
|
@ -1,19 +0,0 @@
|
||||||
description "Creates an encrypted ramfs for Octavia certs"
|
|
||||||
|
|
||||||
start on started cloud-config
|
|
||||||
stop on runlevel [!2345]
|
|
||||||
|
|
||||||
pre-start script
|
|
||||||
passphrase=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)
|
|
||||||
token=$(echo $passphrase | ecryptfs-add-passphrase | awk -F'[][]' '{printf $2}')
|
|
||||||
certs_path=$(awk '/base_cert_dir / {printf $3}' /etc/octavia/amphora-agent.conf)
|
|
||||||
mkdir -p $certs_path
|
|
||||||
mount -t ramfs -o size=1m ramfs $certs_path
|
|
||||||
mount -t ecryptfs -o key=passphrase:passphrase_passwd=$passphrase,no_sig_cache=yes,verbose=no,ecryptfs_sig=$token,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=no,ecryptfs_enable_filename_crypto=no $certs_path $certs_path
|
|
||||||
end script
|
|
||||||
|
|
||||||
post-stop script
|
|
||||||
certs_path=$(awk '/base_cert_dir / {printf $3}' /etc/octavia/amphora-agent.conf)
|
|
||||||
umount $certs_path
|
|
||||||
umount $certs_path
|
|
||||||
end script
|
|
|
@ -1 +0,0 @@
|
||||||
ecryptfs-utils:
|
|
|
@ -1,2 +0,0 @@
|
||||||
cert-ramfs-ecrypt:
|
|
||||||
default: cert-ramfs-ecrypt
|
|
|
@ -0,0 +1,4 @@
|
||||||
|
Element to setup an encrypted ramfs to store the TLS certificates and keys.
|
||||||
|
|
||||||
|
Enabling this element will mean that the amphora can no longer recover from a
|
||||||
|
reboot.
|
|
@ -0,0 +1,13 @@
|
||||||
|
[Unit]
|
||||||
|
Description=Creates an encrypted ramfs for Octavia certs
|
||||||
|
After=cloud-config.target
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
Type=oneshot
|
||||||
|
ExecStart=/bin/sh -c 'modprobe brd; passphrase=$$(head /dev/urandom | tr -dc "a-zA-Z0-9" | fold -w 32 | head -n 1); certs_path=$$(awk "/base_cert_dir / {printf \$3}" /etc/octavia/amphora-agent.conf); mkdir -p "$${certs_path}"; echo -n "$${passphrase}" | cryptsetup luksFormat /dev/ram0 -; echo -n "$${passphrase}" | cryptsetup luksOpen /dev/ram0 certfs-ramfs -; mkfs.ext2 /dev/mapper/certfs-ramfs; mount /dev/mapper/certfs-ramfs "$${certs_path}"'
|
||||||
|
ExecStop=/bin/sh -c 'certs_path=$$(awk "/base_cert_dir / {printf \$3}" /etc/octavia/amphora-agent.conf); umount "$${certs_path}"; cryptsetup luksClose /dev/mapper/certfs-ramfs;'
|
||||||
|
RemainAfterExit=yes
|
||||||
|
TimeoutSec=0
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=amphora-agent.service
|
|
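Review bot: The ExecStart line chains every step with `;`, so a failed `cryptsetup luksFormat`, `luksOpen` or `mkfs.ext2` does not stop the script, and only the status of the final `mount` reaches systemd; likewise `WantedBy=amphora-agent.service` makes the agent pull this unit in but does not order it before the agent. If the agent writes certificates before the mount (or after a failed one), they land on the plain root filesystem under base_cert_dir and are merely hidden once the mount succeeds, which defeats the element. I would run the script as `ExecStart=/bin/sh -ec '...'` so the first failure fails the unit, and add `Before=amphora-agent.service` to `[Unit]` (whether amphora-agent.service itself declares `Requires=`/`After=` on this unit is not visible here). Note also that, depending on the cryptsetup version, `luksFormat` without `--batch-mode` may try to ask for confirmation; worth checking in the built image.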
@ -1,5 +1,5 @@
|
||||||
### BEGIN INIT INFO
|
### BEGIN INIT INFO
|
||||||
# Provides: cert-ramfs-ecrypt
|
# Provides: certs-ramfs
|
||||||
# Required-Start: $remote_fs $syslog $network cloud-config
|
# Required-Start: $remote_fs $syslog $network cloud-config
|
||||||
# Required-Stop: $remote_fs $syslog $network
|
# Required-Stop: $remote_fs $syslog $network
|
||||||
# Default-Start: 2 3 4 5
|
# Default-Start: 2 3 4 5
|
||||||
|
@ -12,25 +12,26 @@
|
||||||
# Using the lsb functions to perform the operations.
|
# Using the lsb functions to perform the operations.
|
||||||
. /lib/lsb/init-functions
|
. /lib/lsb/init-functions
|
||||||
# Process name ( For display )
|
# Process name ( For display )
|
||||||
NAME=cert-ramfs-ecrypt
|
NAME=certs-ramfs
|
||||||
|
|
||||||
case $1 in
|
case $1 in
|
||||||
start)
|
start)
|
||||||
log_daemon_msg "Starting the process" "$NAME"
|
log_daemon_msg "Starting the process" "$NAME"
|
||||||
passphrase=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)
|
modprobe brd
|
||||||
token=$(echo $passphrase | ecryptfs-add-passphrase | awk -F'[][]' '{printf $2}')
|
passphrase=$(head /dev/urandom | tr -dc "a-zA-Z0-9" | fold -w 32 | head -n 1)
|
||||||
|
certs_path=$(awk "/base_cert_dir / {printf \$3}" /etc/octavia/amphora-agent.conf)
|
||||||
certs_path=$(awk '/base_cert_dir / {printf $3}' /etc/octavia/amphora-agent.conf)
|
mkdir -p "${certs_path}"
|
||||||
mkdir -p $certs_path
|
echo -n "${passphrase}" | cryptsetup luksFormat /dev/ram0 -
|
||||||
mount -t ramfs -o size=1m ramfs $certs_path
|
echo -n "${passphrase}" | cryptsetup luksOpen /dev/ram0 certfs-ramfs -
|
||||||
mount -t ecryptfs -o key=passphrase:passphrase_passwd=$passphrase,no_sig_cache=yes,verbose=no,ecryptfs_sig=$token,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=no,ecryptfs_enable_filename_crypto=no $certs_path $certs_path
|
mkfs.ext2 /dev/mapper/certfs-ramfs
|
||||||
|
mount /dev/mapper/certfs-ramfs "${certs_path}"
|
||||||
log_end_msg 0
|
log_end_msg 0
|
||||||
;;
|
;;
|
||||||
stop)
|
stop)
|
||||||
log_daemon_msg "Stopping the process" "$NAME"
|
log_daemon_msg "Stopping the process" "$NAME"
|
||||||
certs_path=$(awk '/base_cert_dir / {printf $3}' /etc/octavia/amphora-agent.conf)
|
certs_path=$(awk "/base_cert_dir / {printf \$3}" /etc/octavia/amphora-agent.conf)
|
||||||
umount $certs_path
|
umount "${certs_path}"
|
||||||
umount $certs_path
|
cryptsetup luksClose /dev/mapper/certfs-ramfs
|
||||||
log_end_msg 0
|
log_end_msg 0
|
||||||
;;
|
;;
|
||||||
restart)
|
restart)
|
|
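Review bot: In the `start)` branch `log_end_msg 0` is reported unconditionally, so a failed `modprobe brd`, `cryptsetup luksFormat`/`luksOpen`, `mkfs.ext2` or `mount` still leaves the service marked as started while `${certs_path}` is an ordinary directory on the root disk; the old ecryptfs code had the same gap, but the LUKS path has more steps that can fail. I would either put `set -e` near the top of the script (outside this hunk) or at least end the branch with `mount /dev/mapper/certfs-ramfs "${certs_path}" && log_end_msg 0 || log_end_msg 1`. A comment is also warranted where `modprobe brd` replaces the old `mount -t ramfs -o size=1m`: the size of `/dev/ram0` now comes from brd's `rd_size` module parameter (kernel default, not set here), so if the 1 MiB cap was intentional, `modprobe brd rd_nr=1 rd_size=1024` would pin it. The `case` statement continues past the end of the hunk.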
@ -0,0 +1,21 @@
|
||||||
|
description "Creates an encrypted ramfs for Octavia certs"
|
||||||
|
|
||||||
|
start on started cloud-config
|
||||||
|
stop on runlevel [!2345]
|
||||||
|
|
||||||
|
pre-start script
|
||||||
|
modprobe brd
|
||||||
|
passphrase=$(head /dev/urandom | tr -dc "a-zA-Z0-9" | fold -w 32 | head -n 1)
|
||||||
|
certs_path=$(awk "/base_cert_dir / {printf \$3}" /etc/octavia/amphora-agent.conf)
|
||||||
|
mkdir -p "${certs_path}"
|
||||||
|
echo -n "${passphrase}" | cryptsetup luksFormat /dev/ram0 -
|
||||||
|
echo -n "${passphrase}" | cryptsetup luksOpen /dev/ram0 certfs-ramfs -
|
||||||
|
mkfs.ext2 /dev/mapper/certfs-ramfs
|
||||||
|
mount /dev/mapper/certfs-ramfs "${certs_path}"
|
||||||
|
end script
|
||||||
|
|
||||||
|
post-stop script
|
||||||
|
certs_path=$(awk "/base_cert_dir / {printf \$3}" /etc/octavia/amphora-agent.conf)
|
||||||
|
umount "${certs_path}"
|
||||||
|
cryptsetup luksClose /dev/mapper/certfs-ramfs
|
||||||
|
end script
|
|
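Review bot: The new job starts on `started cloud-config` but nothing here orders it relative to the amphora-agent job, so if that job (not in view) does not `start on started certs-ramfs`, the agent may write certificates into `${certs_path}` before the mount and leave plaintext copies on the root disk that the later mount only shadows; please confirm the agent job's `start on` stanza. Upstart runs `script` blocks under `sh -e`, so unlike the systemd unit a failed cryptsetup step does abort the pre-start here, which is worth relying on explicitly. I would also document the deliberate key handling at the top of `pre-start script`: `# Passphrase is generated per boot and never stored: the volume is intentionally unrecoverable after a reboot (see README).`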
@ -0,0 +1 @@
|
||||||
|
cryptsetup:
|
|
@ -0,0 +1,21 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
if [ "${DIB_DEBUG_TRACE:-0}" -gt 0 ]; then
|
||||||
|
set -x
|
||||||
|
fi
|
||||||
|
set -eu
|
||||||
|
set -o pipefail
|
||||||
|
|
||||||
|
case "$DIB_INIT_SYSTEM" in
|
||||||
|
upstart|sysv)
|
||||||
|
# nothing to do
|
||||||
|
exit 0
|
||||||
|
;;
|
||||||
|
systemd)
|
||||||
|
systemctl enable certs-ramfs.service
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
echo "Unsupported init system $DIB_INIT_SYSTEM"
|
||||||
|
exit 1
|
||||||
|
;;
|
||||||
|
esac
|
|
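Review bot: The diagnostic in the `*)` branch goes to stdout; since the script exits non-zero there, it should be `echo "Unsupported init system $DIB_INIT_SYSTEM" >&2` so the message is not lost in build logs that separate the streams. For `upstart|sysv` the script exits 0 with "nothing to do", yet nothing in this change registers the sysv init script (e.g. `update-rc.d certs-ramfs defaults`); if the dib init-system handling does not do that from the LSB headers, the service never runs and certificates end up on the plain root disk — worth confirming, as the sysv install path is not visible here.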
@ -0,0 +1,2 @@
|
||||||
|
certs-ramfs:
|
||||||
|
default: certs-ramfs
|