Fix cryptsetup --pbkdf-memory failures

A recent patch[1] added --pbkdf-memory to the cryptsetup command line to limit the memory cryptsetup is using. However, some distros use an older version of cryptsetup that does not need this setting. This patch adds logic to detect this and run the commands without --pbkdf-memory. [1] https://review.opendev.org/663784 Change-Id: I9e0debcbfe6ceeff0012c827d70d80d938b5a2fb Story: 2006066 Task: 34782
2019-06-28 10:18:10 -07:00 · 2019-06-28 10:18:10 -07:00 · 2bb2f918ee
commit 2bb2f918ee
parent 58a4490bbf
5 changed files with 23 additions and 17 deletions
--- a/elements/certs-ramfs/element-deps
+++ b/elements/certs-ramfs/element-deps
@ -1,2 +1,3 @@
 dib-init-system
 package-installs
+install-static
--- a/elements/certs-ramfs/init-scripts/systemd/certs-ramfs.service
+++ b/elements/certs-ramfs/init-scripts/systemd/certs-ramfs.service
@ -4,7 +4,7 @@ After=cloud-config.target

 [Service]
 Type=oneshot
-ExecStart=/bin/sh -c 'modprobe brd; passphrase=$$(head /dev/urandom | tr -dc "a-zA-Z0-9" | fold -w 32 | head -n 1); certs_path=$$(awk "/base_cert_dir / {printf \\$$3}" /etc/octavia/amphora-agent.conf); mkdir -p "$${certs_path}"; echo -n "$${passphrase}" | cryptsetup --pbkdf-memory=262144 luksFormat /dev/ram0 -; echo -n "$${passphrase}" | cryptsetup --pbkdf-memory=262144 luksOpen /dev/ram0 certfs-ramfs -; mkfs.ext2 /dev/mapper/certfs-ramfs; mount /dev/mapper/certfs-ramfs "$${certs_path}"'
+ExecStart=/usr/local/bin/certfs-ramfs
 ExecStop=/bin/sh -c 'certs_path=$$(awk "/base_cert_dir / {printf \\$$3}" /etc/octavia/amphora-agent.conf); umount "$${certs_path}"; cryptsetup luksClose /dev/mapper/certfs-ramfs;'
 RemainAfterExit=yes
 TimeoutSec=0
--- a/elements/certs-ramfs/init-scripts/sysv/certs-ramfs
+++ b/elements/certs-ramfs/init-scripts/sysv/certs-ramfs
@ -17,14 +17,7 @@ NAME=certs-ramfs
 case $1 in
 start)
  log_daemon_msg "Starting the process" "$NAME"
-  modprobe brd
-  passphrase=$(head /dev/urandom | tr -dc "a-zA-Z0-9" | fold -w 32 | head -n 1)
-  certs_path=$(awk "/base_cert_dir / {printf \$3}" /etc/octavia/amphora-agent.conf)
-  mkdir -p "${certs_path}"
-  echo -n "${passphrase}" | cryptsetup --pbkdf-memory=262144 luksFormat /dev/ram0 -
-  echo -n "${passphrase}" | cryptsetup --pbkdf-memory=262144 luksOpen /dev/ram0 certfs-ramfs -
-  mkfs.ext2 /dev/mapper/certfs-ramfs
-  mount /dev/mapper/certfs-ramfs "${certs_path}"
+  /usr/local/bin/certfs-ramfs
  log_end_msg 0
  ;;
 stop)
--- a/elements/certs-ramfs/init-scripts/upstart/certs-ramfs.conf
+++ b/elements/certs-ramfs/init-scripts/upstart/certs-ramfs.conf
@ -4,14 +4,7 @@ start on started cloud-config
 stop on runlevel [!2345]

 pre-start script
-    modprobe brd
-    passphrase=$(head /dev/urandom | tr -dc "a-zA-Z0-9" | fold -w 32 | head -n 1)
-    certs_path=$(awk "/base_cert_dir / {printf \$3}" /etc/octavia/amphora-agent.conf)
-    mkdir -p "${certs_path}"
-    echo -n "${passphrase}" | cryptsetup --pbkdf-memory=262144 luksFormat /dev/ram0 -
-    echo -n "${passphrase}" | cryptsetup --pbkdf-memory=262144 luksOpen /dev/ram0 certfs-ramfs -
-    mkfs.ext2 /dev/mapper/certfs-ramfs
-    mount /dev/mapper/certfs-ramfs "${certs_path}"
+    /usr/local/bin/certfs-ramfs
 end script

 post-stop script
--- a/elements/certs-ramfs/static/usr/local/bin/certfs-ramfs
+++ b/elements/certs-ramfs/static/usr/local/bin/certfs-ramfs
@ -0,0 +1,19 @@
+#!/bin/bash
+
+modprobe brd
+passphrase=$(head /dev/urandom | tr -dc "a-zA-Z0-9" | fold -w 32 | head -n 1)
+certs_path=$(awk "/base_cert_dir / {printf \$3}" /etc/octavia/amphora-agent.conf)
+mkdir -p "${certs_path}"
+
+echo -n "${passphrase}" | cryptsetup --pbkdf-memory=262144 luksFormat /dev/ram0 -
+# Some distrobutions have an old cryptsetup, try without --pbkdf-memory
+if [ $? -eq 0 ]
+then
+  echo -n "${passphrase}" | cryptsetup --pbkdf-memory=262144 luksOpen /dev/ram0 certfs-ramfs -
+else
+  echo -n "${passphrase}" | cryptsetup luksFormat /dev/ram0 -
+  echo -n "${passphrase}" | cryptsetup luksOpen /dev/ram0 certfs-ramfs -
+fi
+
+mkfs.ext2 /dev/mapper/certfs-ramfs
+mount /dev/mapper/certfs-ramfs "${certs_path}"