From 4007d56b3eda356a476ac583fbf3f92cb0f179ef Mon Sep 17 00:00:00 2001
From: Michael Johnson
Date: Thu, 6 Jun 2019 15:06:54 -0700
Subject: [PATCH] Limit cryptsetup key RAM usage

This patch limits cryptsetup to 256MB of RAM during the amphora startup. Recent distros have changed to LUKS2 with Argon2 key derivation which defaults to using up to 1GB of RAM. Typically our amphora are built with only 1GB of RAM for the whole system.

Change-Id: I018e36f69a9c0b48a6651a01cc9a64abfc04d4de
Story: 2005837
Task: 33606
---
 elements/certs-ramfs/init-scripts/systemd/certs-ramfs.service | 2 +-
 elements/certs-ramfs/init-scripts/sysv/certs-ramfs | 4 ++--
 elements/certs-ramfs/init-scripts/upstart/certs-ramfs.conf | 4 ++--
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/elements/certs-ramfs/init-scripts/systemd/certs-ramfs.service b/elements/certs-ramfs/init-scripts/systemd/certs-ramfs.service
index 2222da2fd8..f0a8dc1dd8 100644
--- a/elements/certs-ramfs/init-scripts/systemd/certs-ramfs.service
+++ b/elements/certs-ramfs/init-scripts/systemd/certs-ramfs.service
@@ -4,7 +4,7 @@ After=cloud-config.target
 [Service]
 Type=oneshot
-ExecStart=/bin/sh -c 'modprobe brd; passphrase=$$(head /dev/urandom | tr -dc "a-zA-Z0-9" | fold -w 32 | head -n 1); certs_path=$$(awk "/base_cert_dir / {printf \\$$3}" /etc/octavia/amphora-agent.conf); mkdir -p "$${certs_path}"; echo -n "$${passphrase}" | cryptsetup luksFormat /dev/ram0 -; echo -n "$${passphrase}" | cryptsetup luksOpen /dev/ram0 certfs-ramfs -; mkfs.ext2 /dev/mapper/certfs-ramfs; mount /dev/mapper/certfs-ramfs "$${certs_path}"'
+ExecStart=/bin/sh -c 'modprobe brd; passphrase=$$(head /dev/urandom | tr -dc "a-zA-Z0-9" | fold -w 32 | head -n 1); certs_path=$$(awk "/base_cert_dir / {printf \\$$3}" /etc/octavia/amphora-agent.conf); mkdir -p "$${certs_path}"; echo -n "$${passphrase}" | cryptsetup --pbkdf-memory=262144 luksFormat /dev/ram0 -; echo -n "$${passphrase}" | cryptsetup --pbkdf-memory=262144 luksOpen /dev/ram0 certfs-ramfs -; mkfs.ext2 /dev/mapper/certfs-ramfs; mount /dev/mapper/certfs-ramfs "$${certs_path}"'
 ExecStop=/bin/sh -c 'certs_path=$$(awk "/base_cert_dir / {printf \\$$3}" /etc/octavia/amphora-agent.conf); umount "$${certs_path}"; cryptsetup luksClose /dev/mapper/certfs-ramfs;'
 RemainAfterExit=yes
 TimeoutSec=0
diff --git a/elements/certs-ramfs/init-scripts/sysv/certs-ramfs b/elements/certs-ramfs/init-scripts/sysv/certs-ramfs
index 4b9d7ade13..8e2b3949ba 100644
--- a/elements/certs-ramfs/init-scripts/sysv/certs-ramfs
+++ b/elements/certs-ramfs/init-scripts/sysv/certs-ramfs
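Review bot: `--pbkdf-memory` is, as far as I know, only understood by LUKS2-capable cryptsetup (2.x); on an image whose cryptsetup predates LUKS2 both invocations on the new ExecStart line exit with an unknown-option error, and because the commands are joined with `;` the sequence still runs mkfs.ext2 and mount against a device that was never formatted, so the failure only surfaces at the last command. The sysv and upstart hunks below carry the same two lines and the same exposure. If the element still has to build on pre-LUKS2 distros, the flag should be added conditionally or the cryptsetup, mkfs and mount steps chained with `&&` so the first failure stops the unit. On `luksOpen` the option appears to be a no-op, since the Argon2 cost parameters are read back from the keyslot header rather than the command line; it is harmless to keep but should not be read as a cap on memory at open time. A short comment next to the value, such as `# --pbkdf-memory is in KiB: cap Argon2 at 256 MiB so LUKS2 keyslot setup fits in a 1 GB amphora`, would save the next maintainer the unit conversion and explain why the default cost is being lowered.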
@@ -21,8 +21,8 @@ case $1 in
 passphrase=$(head /dev/urandom | tr -dc "a-zA-Z0-9" | fold -w 32 | head -n 1)
 certs_path=$(awk "/base_cert_dir / {printf \$3}" /etc/octavia/amphora-agent.conf)
 mkdir -p "${certs_path}"
- echo -n "${passphrase}" | cryptsetup luksFormat /dev/ram0 -
- echo -n "${passphrase}" | cryptsetup luksOpen /dev/ram0 certfs-ramfs -
+ echo -n "${passphrase}" | cryptsetup --pbkdf-memory=262144 luksFormat /dev/ram0 -
+ echo -n "${passphrase}" | cryptsetup --pbkdf-memory=262144 luksOpen /dev/ram0 certfs-ramfs -
 mkfs.ext2 /dev/mapper/certfs-ramfs
 mount /dev/mapper/certfs-ramfs "${certs_path}"
 log_end_msg 0
diff --git a/elements/certs-ramfs/init-scripts/upstart/certs-ramfs.conf b/elements/certs-ramfs/init-scripts/upstart/certs-ramfs.conf
index 886dc339f3..01ae647559 100644
--- a/elements/certs-ramfs/init-scripts/upstart/certs-ramfs.conf
+++ b/elements/certs-ramfs/init-scripts/upstart/certs-ramfs.conf
@@ -8,8 +8,8 @@ pre-start script
 passphrase=$(head /dev/urandom | tr -dc "a-zA-Z0-9" | fold -w 32 | head -n 1)
 certs_path=$(awk "/base_cert_dir / {printf \$3}" /etc/octavia/amphora-agent.conf)
 mkdir -p "${certs_path}"
- echo -n "${passphrase}" | cryptsetup luksFormat /dev/ram0 -
- echo -n "${passphrase}" | cryptsetup luksOpen /dev/ram0 certfs-ramfs -
+ echo -n "${passphrase}" | cryptsetup --pbkdf-memory=262144 luksFormat /dev/ram0 -
+ echo -n "${passphrase}" | cryptsetup --pbkdf-memory=262144 luksOpen /dev/ram0 certfs-ramfs -
 mkfs.ext2 /dev/mapper/certfs-ramfs
 mount /dev/mapper/certfs-ramfs "${certs_path}"
 end script