From 2bb2f918ee4fb38b7a17fb6f8781042d204b05e8 Mon Sep 17 00:00:00 2001
From: Michael Johnson
Date: Fri, 28 Jun 2019 10:18:10 -0700
Subject: [PATCH] Fix cryptsetup --pbkdf-memory failures
A recent patch[1] added --pbkdf-memory to the cryptsetup command line to limit the memory cryptsetup is using. However, some distros use an older version of cryptsetup that does not need this setting. This patch adds logic to detect this and run the commands without --pbkdf-memory.
[1] https://review.opendev.org/663784
Change-Id: I9e0debcbfe6ceeff0012c827d70d80d938b5a2fb
Story: 2006066
Task: 34782
---
 elements/certs-ramfs/element-deps | 1 +
 .../init-scripts/systemd/certs-ramfs.service | 2 +-
 .../certs-ramfs/init-scripts/sysv/certs-ramfs | 9 +--------
 .../init-scripts/upstart/certs-ramfs.conf | 9 +--------
 .../static/usr/local/bin/certfs-ramfs | 19 +++++++++++++++++++
 5 files changed, 23 insertions(+), 17 deletions(-)
 create mode 100755 elements/certs-ramfs/static/usr/local/bin/certfs-ramfs
diff --git a/elements/certs-ramfs/element-deps b/elements/certs-ramfs/element-deps
index be9833530d..41b5ab2462 100644
--- a/elements/certs-ramfs/element-deps
+++ b/elements/certs-ramfs/element-deps
@@ -1,2 +1,3 @@
 dib-init-system
 package-installs
+install-static
diff --git a/elements/certs-ramfs/init-scripts/systemd/certs-ramfs.service b/elements/certs-ramfs/init-scripts/systemd/certs-ramfs.service
index f0a8dc1dd8..075067fe1c 100644
--- a/elements/certs-ramfs/init-scripts/systemd/certs-ramfs.service
+++ b/elements/certs-ramfs/init-scripts/systemd/certs-ramfs.service
@@ -4,7 +4,7 @@ After=cloud-config.target [Service] Type=oneshot -ExecStart=/bin/sh -c 'modprobe brd; passphrase=$$(head /dev/urandom | tr -dc "a-zA-Z0-9" | fold -w 32 | head -n 1); certs_path=$$(awk "/base_cert_dir / {printf \\$$3}" /etc/octavia/amphora-agent.conf); mkdir -p "$${certs_path}"; echo -n "$${passphrase}" | cryptsetup --pbkdf-memory=262144 luksFormat /dev/ram0 -; echo -n "$${passphrase}" | cryptsetup --pbkdf-memory=262144 luksOpen /dev/ram0 certfs-ramfs -; mkfs.ext2 /dev/mapper/certfs-ramfs; mount /dev/mapper/certfs-ramfs "$${certs_path}"' +ExecStart=/usr/local/bin/certfs-ramfs ExecStop=/bin/sh -c 'certs_path=$$(awk "/base_cert_dir / {printf \\$$3}" /etc/octavia/amphora-agent.conf); umount "$${certs_path}"; cryptsetup luksClose /dev/mapper/certfs-ramfs;' RemainAfterExit=yes TimeoutSec=0
diff --git a/elements/certs-ramfs/init-scripts/sysv/certs-ramfs b/elements/certs-ramfs/init-scripts/sysv/certs-ramfs
index 8e2b3949ba..2cf110079f 100644
--- a/elements/certs-ramfs/init-scripts/sysv/certs-ramfs
+++ b/elements/certs-ramfs/init-scripts/sysv/certs-ramfs
@@ -17,14 +17,7 @@ NAME=certs-ramfs
 case $1 in
 start)
 log_daemon_msg "Starting the process" "$NAME"
- modprobe brd
- passphrase=$(head /dev/urandom | tr -dc "a-zA-Z0-9" | fold -w 32 | head -n 1)
- certs_path=$(awk "/base_cert_dir / {printf \$3}" /etc/octavia/amphora-agent.conf)
- mkdir -p "${certs_path}"
- echo -n "${passphrase}" | cryptsetup --pbkdf-memory=262144 luksFormat /dev/ram0 -
- echo -n "${passphrase}" | cryptsetup --pbkdf-memory=262144 luksOpen /dev/ram0 certfs-ramfs -
- mkfs.ext2 /dev/mapper/certfs-ramfs
- mount /dev/mapper/certfs-ramfs "${certs_path}"
+ /usr/local/bin/certfs-ramfs
 log_end_msg 0
 ;;
 stop)
diff --git a/elements/certs-ramfs/init-scripts/upstart/certs-ramfs.conf b/elements/certs-ramfs/init-scripts/upstart/certs-ramfs.conf
index 01ae647559..050474b245 100644
--- a/elements/certs-ramfs/init-scripts/upstart/certs-ramfs.conf
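Review bot: In the sysv `start)` branch, `log_end_msg 0` follows `/usr/local/bin/certfs-ramfs` unconditionally, so a failed encrypted-ramfs setup is still logged as a clean start. Now that the setup is a single command, its status can be passed straight through: keep `/usr/local/bin/certfs-ramfs` and change the next line to `log_end_msg $?`. The `case` statement begins and ends outside this hunk, so whether the init script's own exit status is set elsewhere cannot be seen from here.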
+++ b/elements/certs-ramfs/init-scripts/upstart/certs-ramfs.conf
@@ -4,14 +4,7 @@ start on started cloud-config stop on runlevel [!2345] pre-start script - modprobe brd - passphrase=$(head /dev/urandom | tr -dc "a-zA-Z0-9" | fold -w 32 | head -n 1) - certs_path=$(awk "/base_cert_dir / {printf \$3}" /etc/octavia/amphora-agent.conf) - mkdir -p "${certs_path}" - echo -n "${passphrase}" | cryptsetup --pbkdf-memory=262144 luksFormat /dev/ram0 - - echo -n "${passphrase}" | cryptsetup --pbkdf-memory=262144 luksOpen /dev/ram0 certfs-ramfs - - mkfs.ext2 /dev/mapper/certfs-ramfs - mount /dev/mapper/certfs-ramfs "${certs_path}" + /usr/local/bin/certfs-ramfs end script post-stop script
diff --git a/elements/certs-ramfs/static/usr/local/bin/certfs-ramfs b/elements/certs-ramfs/static/usr/local/bin/certfs-ramfs
new file mode 100755
index 0000000000..8de35ffccd
--- /dev/null
+++ b/elements/certs-ramfs/static/usr/local/bin/certfs-ramfs
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+modprobe brd
+passphrase=$(head /dev/urandom | tr -dc "a-zA-Z0-9" | fold -w 32 | head -n 1)
+certs_path=$(awk "/base_cert_dir / {printf \$3}" /etc/octavia/amphora-agent.conf)
+mkdir -p "${certs_path}"
+
+echo -n "${passphrase}" | cryptsetup --pbkdf-memory=262144 luksFormat /dev/ram0 -
+# Some distrobutions have an old cryptsetup, try without --pbkdf-memory
+if [ $? -eq 0 ]
+then
+ echo -n "${passphrase}" | cryptsetup --pbkdf-memory=262144 luksOpen /dev/ram0 certfs-ramfs -
+else
+ echo -n "${passphrase}" | cryptsetup luksFormat /dev/ram0 -
+ echo -n "${passphrase}" | cryptsetup luksOpen /dev/ram0 certfs-ramfs -
+fi
+
+mkfs.ext2 /dev/mapper/certfs-ramfs
+mount /dev/mapper/certfs-ramfs "${certs_path}"
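Review bot: The `if [ $? -eq 0 ]` test after the first `luksFormat` in the new `certfs-ramfs` script treats every failure as "old cryptsetup", so an unrelated failure (for instance `/dev/ram0` missing after `modprobe brd`) also takes the retry branch. None of the later steps is checked either: the script's exit status is whatever `mount` returns, and if the mapping never opens the certificate directory stays an ordinary directory on the root filesystem. Probing for the option once and stopping at the first failed step keeps that case visible to the init system; the sketch below assumes `--pbkdf-memory` is listed in `cryptsetup --help` on the supported distributions. Separately, `head /dev/urandom | tr -dc "a-zA-Z0-9" | fold -w 32 | head -n 1` can in principle return fewer than 32 characters, so a length check on `passphrase` before `luksFormat` would be a cheap guard.

```bash
# … unchanged: modprobe, passphrase, certs_path, mkdir …

# Probe for the option once instead of inferring it from a failed luksFormat.
pbkdf_args=()
if cryptsetup --help 2>&1 | grep -q -- '--pbkdf-memory'; then
    pbkdf_args=(--pbkdf-memory=262144)
fi

echo -n "${passphrase}" | cryptsetup "${pbkdf_args[@]}" luksFormat /dev/ram0 - || exit 1
echo -n "${passphrase}" | cryptsetup "${pbkdf_args[@]}" luksOpen /dev/ram0 certfs-ramfs - || exit 1

mkfs.ext2 /dev/mapper/certfs-ramfs || exit 1
mount /dev/mapper/certfs-ramfs "${certs_path}"
```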