From a59e7235560ad045b24c58ed722ab62a451174d3 Mon Sep 17 00:00:00 2001 From: Gregory Thiemonge Date: Fri, 13 Dec 2019 12:49:01 +0100 Subject: [PATCH] Use LUKS1 for certfs-ramfs for all distributions This commit forces the use of LUKS1 in cryptsetup. Centos uses LUKS2 by default in cryptsetup, ubuntu uses LUKS1. Formating a LUKS2 block device is way longer than formating a LUKS1 device (15 sec vs 8 sec in my env) and LUKS2 doesn't provide any significant features for octavia (it only improves recovery and metadata). The commit aslo limits the creation of more than 1 block ram device (amphora doesn't need 16 ram devices), which reduces startup time. Change-Id: I5cdc0a9ccc01548f195eed80f2ee2848a1a93e17 (cherry picked from commit c2ef7792fd17c5e54e4b82a63ea448d1f8310c31)
---
 .../static/usr/local/bin/certfs-ramfs | 17 +++++++----------
 1 file changed, 7 insertions(+), 10 deletions(-)
diff --git a/elements/certs-ramfs/static/usr/local/bin/certfs-ramfs b/elements/certs-ramfs/static/usr/local/bin/certfs-ramfs
index 8de35ffccd..5d93a6a814 100755
--- a/elements/certs-ramfs/static/usr/local/bin/certfs-ramfs
+++ b/elements/certs-ramfs/static/usr/local/bin/certfs-ramfs
@@ -1,19 +1,16 @@
 #!/bin/bash
-modprobe brd
+cryptsetup_args="--type=luks1"
+
+# Only 1 block ram device is needed
+modprobe brd rd_nr=1
+
 passphrase=$(head /dev/urandom | tr -dc "a-zA-Z0-9" | fold -w 32 | head -n 1)
 certs_path=$(awk "/base_cert_dir / {printf \$3}" /etc/octavia/amphora-agent.conf)
 mkdir -p "${certs_path}"
-echo -n "${passphrase}" | cryptsetup --pbkdf-memory=262144 luksFormat /dev/ram0 -
-# Some distrobutions have an old cryptsetup, try without --pbkdf-memory
-if [ $? -eq 0 ]
-then
- echo -n "${passphrase}" | cryptsetup --pbkdf-memory=262144 luksOpen /dev/ram0 certfs-ramfs -
-else
- echo -n "${passphrase}" | cryptsetup luksFormat /dev/ram0 -
- echo -n "${passphrase}" | cryptsetup luksOpen /dev/ram0 certfs-ramfs -
-fi
+echo -n "${passphrase}" | cryptsetup $cryptsetup_args luksFormat /dev/ram0 -
+echo -n "${passphrase}" | cryptsetup $cryptsetup_args luksOpen /dev/ram0 certfs-ramfs -
 mkfs.ext2 /dev/mapper/certfs-ramfs
 mount /dev/mapper/certfs-ramfs "${certs_path}"
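Review bot: Nothing on the new side checks that `modprobe brd rd_nr=1`, `cryptsetup ... luksFormat` or `cryptsetup ... luksOpen` succeeded, and the script has no `set -e`. If any of them fails, `mkfs.ext2` and `mount` fail too, and `${certs_path}` is left as the plain directory created by `mkdir -p` on the root filesystem. Whatever is later written under it (presumably the amphora's certificates and keys, judging by `base_cert_dir`) would then sit unencrypted on persistent storage. The removed `if [ $? -eq 0 ]` was the only status test in the file, so the script should fail closed, for example with `set -e` directly after the shebang or `|| exit 1` on the modprobe and the two cryptsetup lines. Separately, forcing `--type=luks1` also drops the memory-hard KDF that the old `--pbkdf-memory` option tuned, which looks acceptable only because the passphrase is 32 random alphanumerics that are never stored; a comment next to `cryptsetup_args` saying so would help the next reader.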