Terminated HTTPS certs and keys in encrypted ramfs
This patch adds an element that causes the terminated HTTPS certificates and keys to be stored in an encrypted ramfs path so they are encrypted at rest. Change-Id: Id0f80f311d37d5691087e855fb1291011451c851 Closes-Bug: #1627370
parent
e4162aa5b4
commit
f85e617a84
@ -357,6 +357,9 @@ fi
|
||||
# Add pip-cache element
|
||||
AMP_element_sequence="$AMP_element_sequence pip-cache"
|
||||
|
||||
# Add certificate ramfs ecrypt element
|
||||
AMP_element_sequence="$AMP_element_sequence cert-ramfs-ecrypt"
|
||||
|
||||
# Allow full elements override
|
||||
if [ "$DIB_ELEMENTS" ]; then
|
||||
AMP_element_sequence="$DIB_ELEMENTS"
|
||||
|
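--- /dev/null
+++ b/elements/cert-ramfs-ecrypt/README.rst
@@ -0,0 +1,4 @@
+Element to setup a ramfs with ecrypt to store the TLS certificates and keys.
+
+Enabling this element will mean that the amphroa can no longer recover from a
+reboot.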
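--- /dev/null
+++ b/elements/cert-ramfs-ecrypt/element-deps
@@ -0,0 +1,2 @@
+dib-init-system
+package-installs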
@ -0,0 +1,15 @@
|
||||
[unit]
|
||||
Description=Creates an encrypted ramfs for Octavia certs
|
||||
After=cloud-config.target
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
ExecStart=/bin/sh -c 'passphrase=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1);token=$(echo $passphrase | ecryptfs-add-passphrase | awk -F'[][]' '{printf $2}');certs_path=$$(awk '/base_cert_dir / {printf $$3}' /etc/octavia/amphora-agent.conf);mkdir -p $$certs_path;mount -t ramfs -o size=1m ramfs $$certs_path;mount -t ecryptfs -o key=passphrase:passphrase_passwd=$passphrase,no_sig_cache=yes,verbose=no,ecryptfs_sig=$token,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=no,ecryptfs_enable_filename_crypto=no $certs_path $certs_path'
|
||||
ExecStop=/bin/sh -c 'certs_path=$$(awk '/base_cert_dir / {printf $$3}' /etc/octavia/amphora-agent.conf);umount $$certs_path;umount $$certs_path'
|
||||
RemainAfterExit=yes
|
||||
TimeoutSec=0
|
||||
|
||||
[Install]
|
||||
# TODO(johnsom) Fix when amphora-agent has a systemd script
|
||||
WantedBy=multi-user.target
|
||||
|
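Review bot: The `[unit]` section header at the top of this unit is lower-case, and systemd section names are case-sensitive, so `After=cloud-config.target` ends up in an unrecognised section and is ignored; it should read `[Unit]`. The `ExecStart` line also mixes `$` and `$$` (`$passphrase`/`$token` versus `$$certs_path`) and nests the `'a-zA-Z0-9'` and `'[][]'` quotes inside the outer single-quoted `sh -c` string; systemd turns `$$` into a literal `$` and applies its own quote handling before the shell sees the command, so this line should be verified on a booted image rather than assumed to parse as the sysvinit version does. Because `sh -c` returns only the status of the last command, a failed `mount -t ramfs` goes unnoticed as long as the ecryptfs mount succeeds, and since nothing is yet ordered after this unit (see the TODO under `[Install]`) a failed unit does not stop the agent from writing keys to an unencrypted directory; prefixing the command string with `set -e;` or splitting the steps into separate `ExecStart=` lines would at least make the failure visible.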
@ -0,0 +1,45 @@
|
||||
### BEGIN INIT INFO
|
||||
# Provides: cert-ramfs-ecrypt
|
||||
# Required-Start: $remote_fs $syslog $network cloud-config
|
||||
# Required-Stop: $remote_fs $syslog $network
|
||||
# Default-Start: 2 3 4 5
|
||||
# Default-Stop: 0 1 6
|
||||
# Short-Description: Creates an encrypted ramfs for Octavia certs
|
||||
# Description: Creates an encrypted ramfs for Octavia TLS
|
||||
# certificates and key storage.
|
||||
### END INIT INFO
|
||||
|
||||
# Using the lsb functions to perform the operations.
|
||||
. /lib/lsb/init-functions
|
||||
# Process name ( For display )
|
||||
NAME=cert-ramfs-ecrypt
|
||||
|
||||
case $1 in
|
||||
start)
|
||||
log_daemon_msg "Starting the process" "$NAME"
|
||||
passphrase=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)
|
||||
token=$(echo $passphrase | ecryptfs-add-passphrase | awk -F'[][]' '{printf $2}')
|
||||
|
||||
certs_path=$(awk '/base_cert_dir / {printf $3}' /etc/octavia/amphora-agent.conf)
|
||||
mkdir -p $certs_path
|
||||
mount -t ramfs -o size=1m ramfs $certs_path
|
||||
mount -t ecryptfs -o key=passphrase:passphrase_passwd=$passphrase,no_sig_cache=yes,verbose=no,ecryptfs_sig=$token,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=no,ecryptfs_enable_filename_crypto=no $certs_path $certs_path
|
||||
log_end_msg 0
|
||||
;;
|
||||
stop)
|
||||
log_daemon_msg "Stopping the process" "$NAME"
|
||||
certs_path=$(awk '/base_cert_dir / {printf $3}' /etc/octavia/amphora-agent.conf)
|
||||
umount $certs_path
|
||||
umount $certs_path
|
||||
log_end_msg 0
|
||||
;;
|
||||
restart)
|
||||
# Restart the daemon.
|
||||
$0 stop && sleep 2 && $0 start
|
||||
;;
|
||||
*)
|
||||
# For invalid arguments, print the usage message.
|
||||
echo "Usage: $0 {start|stop|restart|reload|status}"
|
||||
exit 2
|
||||
;;
|
||||
esac
|
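Review bot: The start branch ignores every exit status and always reports `log_end_msg 0`, so if `mount -t ecryptfs` fails, or `certs_path` comes back empty, the service still reports success and the agent will write private keys into a plain on-disk directory, silently defeating the element. The `awk '/base_cert_dir / {printf $3}'` lookup is also unanchored, so a commented-out `#base_cert_dir = ...` line in amphora-agent.conf, or a second match, is concatenated into the path; anchoring on the key and stopping at the first match avoids that. The rewritten branch below checks each step, tears the ramfs down again if the ecryptfs layer cannot be mounted on it, and quotes the path; the same treatment applies to the upstart and systemd variants.
```sh
start)
    log_daemon_msg "Starting the process" "$NAME"
    passphrase=$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 32 | head -n 1)
    token=$(printf '%s\n' "$passphrase" | ecryptfs-add-passphrase | awk -F'[][]' '{printf $2}')
    # Anchor on the key so commented-out or similarly named entries are not matched,
    # and stop at the first hit so a duplicate cannot be concatenated into the path.
    certs_path=$(awk -F' *= *' '/^base_cert_dir *=/ {print $2; exit}' /etc/octavia/amphora-agent.conf)
    if [ -z "$certs_path" ] || [ -z "$token" ]; then
        log_end_msg 1
        exit 1
    fi
    mkdir -p "$certs_path" || { log_end_msg 1; exit 1; }
    mount -t ramfs -o size=1m ramfs "$certs_path" || { log_end_msg 1; exit 1; }
    # If the encrypted layer cannot be set up, do not leave a plain directory behind
    # for the agent to write keys into.
    mount -t ecryptfs -o key=passphrase:passphrase_passwd=$passphrase,no_sig_cache=yes,verbose=no,ecryptfs_sig=$token,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=no,ecryptfs_enable_filename_crypto=no "$certs_path" "$certs_path" \
        || { umount "$certs_path"; log_end_msg 1; exit 1; }
    log_end_msg 0
    ;;
# ... unchanged: stop, restart and usage branches ...
```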
@ -0,0 +1,19 @@
|
||||
description "Creates an encrypted ramfs for Octavia certs"
|
||||
|
||||
start on started cloud-config
|
||||
stop on runlevel [!2345]
|
||||
|
||||
pre-start script
|
||||
passphrase=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)
|
||||
token=$(echo $passphrase | ecryptfs-add-passphrase | awk -F'[][]' '{printf $2}')
|
||||
certs_path=$(awk '/base_cert_dir / {printf $3}' /etc/octavia/amphora-agent.conf)
|
||||
mkdir -p $certs_path
|
||||
mount -t ramfs -o size=1m ramfs $certs_path
|
||||
mount -t ecryptfs -o key=passphrase:passphrase_passwd=$passphrase,no_sig_cache=yes,verbose=no,ecryptfs_sig=$token,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=no,ecryptfs_enable_filename_crypto=no $certs_path $certs_path
|
||||
end script
|
||||
|
||||
post-stop script
|
||||
certs_path=$(awk '/base_cert_dir / {printf $3}' /etc/octavia/amphora-agent.conf)
|
||||
umount $certs_path
|
||||
umount $certs_path
|
||||
end script
|
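Review bot: `passphrase_passwd=$passphrase` is handed to `mount` as an option in the `pre-start script`, which puts the ecryptfs passphrase in the argv of `mount` and `mount.ecryptfs` and therefore in `/proc/<pid>/cmdline`, readable by any local user for the duration of the mount. The passphrase has already been loaded into the kernel keyring by `ecryptfs-add-passphrase`, so the mount should be driven from that keyring entry via `ecryptfs_sig`, or the passphrase supplied through the `passphrase_passwd_fd=`/`passphrase_passwd_file=` options described in mount.ecryptfs(8), rather than on the command line. `size=1m` on the ramfs mount is presumably meant to cap memory use, but ramfs (unlike tmpfs) does not enforce a size limit, so the option is most likely ignored and the directory is unbounded. `ecryptfs_key_bytes=16` selects AES-128; 32 (AES-256) is the more usual choice for long-lived private keys and is cheap here. All of these points apply equally to the sysvinit and systemd variants.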
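--- /dev/null
+++ b/elements/cert-ramfs-ecrypt/package-installs.yaml
@@ -0,0 +1,4 @@
+ecryptfs-utils:
+keyutils:
+libecryptfs0:
+libnss3-1d: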
2
elements/cert-ramfs-ecrypt/svc-map
Normal file
2
elements/cert-ramfs-ecrypt/svc-map
Normal file
@ -0,0 +1,2 @@
|
||||
cert-ramfs-ecrypt:
|
||||
default: cert-ramfs-ecrypt
|
@ -0,0 +1,12 @@
|
||||
---
|
||||
upgrade:
|
||||
- To enabled encrypted ramfs storage for certificates
|
||||
and keys, you must upgrade your amphora image.
|
||||
deprecations:
|
||||
- Amphora with a terminated HTTPS load balancer can
|
||||
no longer be rebooted. If they reboot, they will
|
||||
trigger a failover of the amphora.
|
||||
security:
|
||||
- Certificate and key storage for terminated HTTPS
|
||||
load balancers is now in an encrypted ramfs path
|
||||
inside the amphora.
|