openstack/octavia
Code Issues Proposed changes

Limit cryptsetup key RAM usage

Browse Source 
This patch limits cryptsetup to 256MB of RAM during the amphora
startup. Recent distros have changed to LUKS2 with Argon2
key derivation which defaults to using up to 1GB of RAM.
Typically our amphora are built with only 1GB of RAM for the whole
system.

Change-Id: I018e36f69a9c0b48a6651a01cc9a64abfc04d4de
Story: 2005837
Task: 33606
This commit is contained in:
Michael Johnson 2019-06-06 15:06:54 -07:00
parent ff4680eb71
commit 4007d56b3e
3 changed files with 5 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
elements/certs-ramfs/init-scripts/systemd/certs-ramfs.service
View File

@ -4,7 +4,7 @@ After=cloud-config.target
[Service]
Type=oneshot
ExecStart=/bin/sh -c 'modprobe brd; passphrase=$$(head /dev/urandom | tr -dc "a-zA-Z0-9" | fold -w 32 | head -n 1); certs_path=$$(awk "/base_cert_dir / {printf \\$$3}" /etc/octavia/amphora-agent.conf); mkdir -p "$${certs_path}"; echo -n "$${passphrase}" | cryptsetup luksFormat /dev/ram0 -; echo -n "$${passphrase}" | cryptsetup luksOpen /dev/ram0 certfs-ramfs -; mkfs.ext2 /dev/mapper/certfs-ramfs; mount /dev/mapper/certfs-ramfs "$${certs_path}"'
ExecStart=/bin/sh -c 'modprobe brd; passphrase=$$(head /dev/urandom | tr -dc "a-zA-Z0-9" | fold -w 32 | head -n 1); certs_path=$$(awk "/base_cert_dir / {printf \\$$3}" /etc/octavia/amphora-agent.conf); mkdir -p "$${certs_path}"; echo -n "$${passphrase}" | cryptsetup --pbkdf-memory=262144 luksFormat /dev/ram0 -; echo -n "$${passphrase}" | cryptsetup --pbkdf-memory=262144 luksOpen /dev/ram0 certfs-ramfs -; mkfs.ext2 /dev/mapper/certfs-ramfs; mount /dev/mapper/certfs-ramfs "$${certs_path}"'
ExecStop=/bin/sh -c 'certs_path=$$(awk "/base_cert_dir / {printf \\$$3}" /etc/octavia/amphora-agent.conf); umount "$${certs_path}"; cryptsetup luksClose /dev/mapper/certfs-ramfs;'
RemainAfterExit=yes
TimeoutSec=0

4
elements/certs-ramfs/init-scripts/sysv/certs-ramfs
View File

@ -21,8 +21,8 @@ case $1 in
passphrase=$(head /dev/urandom | tr -dc "a-zA-Z0-9" | fold -w 32 | head -n 1)
certs_path=$(awk "/base_cert_dir / {printf \$3}" /etc/octavia/amphora-agent.conf)
mkdir -p "${certs_path}"
echo -n "${passphrase}" | cryptsetup luksFormat /dev/ram0 -
echo -n "${passphrase}" | cryptsetup luksOpen /dev/ram0 certfs-ramfs -
echo -n "${passphrase}" | cryptsetup --pbkdf-memory=262144 luksFormat /dev/ram0 -
echo -n "${passphrase}" | cryptsetup --pbkdf-memory=262144 luksOpen /dev/ram0 certfs-ramfs -
mkfs.ext2 /dev/mapper/certfs-ramfs
mount /dev/mapper/certfs-ramfs "${certs_path}"
log_end_msg 0

4
elements/certs-ramfs/init-scripts/upstart/certs-ramfs.conf
View File

@ -8,8 +8,8 @@ pre-start script
passphrase=$(head /dev/urandom | tr -dc "a-zA-Z0-9" | fold -w 32 | head -n 1)
certs_path=$(awk "/base_cert_dir / {printf \$3}" /etc/octavia/amphora-agent.conf)
mkdir -p "${certs_path}"
echo -n "${passphrase}" | cryptsetup luksFormat /dev/ram0 -
echo -n "${passphrase}" | cryptsetup luksOpen /dev/ram0 certfs-ramfs -
echo -n "${passphrase}" | cryptsetup --pbkdf-memory=262144 luksFormat /dev/ram0 -
echo -n "${passphrase}" | cryptsetup --pbkdf-memory=262144 luksOpen /dev/ram0 certfs-ramfs -
mkfs.ext2 /dev/mapper/certfs-ramfs
mount /dev/mapper/certfs-ramfs "${certs_path}"
end script