diff --git a/diskimage-create/diskimage-create.sh b/diskimage-create/diskimage-create.sh
index 1bc680b98a..ddd8c4631e 100755
--- a/diskimage-create/diskimage-create.sh
+++ b/diskimage-create/diskimage-create.sh
@@ -357,6 +357,9 @@ fi
 # Add pip-cache element
 AMP_element_sequence="$AMP_element_sequence pip-cache"
+# Add certificate ramfs ecrypt element
+AMP_element_sequence="$AMP_element_sequence cert-ramfs-ecrypt"
+
 # Allow full elements override
 if [ "$DIB_ELEMENTS" ]; then
 AMP_element_sequence="$DIB_ELEMENTS"
diff --git a/elements/cert-ramfs-ecrypt/README.rst b/elements/cert-ramfs-ecrypt/README.rst
new file mode 100644
index 0000000000..ee07dc50e4
--- /dev/null
+++ b/elements/cert-ramfs-ecrypt/README.rst
@@ -0,0 +1,4 @@
+Element to setup a ramfs with ecrypt to store the TLS certificates and keys.
+
+Enabling this element will mean that the amphroa can no longer recover from a
+reboot.
diff --git a/elements/cert-ramfs-ecrypt/element-deps b/elements/cert-ramfs-ecrypt/element-deps
new file mode 100644
index 0000000000..be9833530d
--- /dev/null
+++ b/elements/cert-ramfs-ecrypt/element-deps
@@ -0,0 +1,2 @@
+dib-init-system
+package-installs
diff --git a/elements/cert-ramfs-ecrypt/init-scripts/systemd/cert-ramfs-ecrypt.service b/elements/cert-ramfs-ecrypt/init-scripts/systemd/cert-ramfs-ecrypt.service
new file mode 100644
index 0000000000..5bfb137130
--- /dev/null
+++ b/elements/cert-ramfs-ecrypt/init-scripts/systemd/cert-ramfs-ecrypt.service
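Review bot: The element is appended to AMP_element_sequence unconditionally, while the README added by this commit states that enabling it means the amphora can no longer recover from a reboot; the only opt-out left to an image builder is replacing the whole sequence through DIB_ELEMENTS. Wrapping the two added lines in a check on a dedicated environment switch (name to be chosen, defaulting to enabled) would keep the secure default while letting operators who need reboot recovery build without it. A comment beside the addition naming the trade-off would also help, e.g. `# NOTE: with this element the amphora cannot recover its certs after a reboot`.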
@@ -0,0 +1,15 @@
+[unit]
+Description=Creates an encrypted ramfs for Octavia certs
+After=cloud-config.target
+
+[Service]
+Type=oneshot
+ExecStart=/bin/sh -c 'passphrase=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1);token=$(echo $passphrase | ecryptfs-add-passphrase | awk -F'[][]' '{printf $2}');certs_path=$$(awk '/base_cert_dir / {printf $$3}' /etc/octavia/amphora-agent.conf);mkdir -p $$certs_path;mount -t ramfs -o size=1m ramfs $$certs_path;mount -t ecryptfs -o key=passphrase:passphrase_passwd=$passphrase,no_sig_cache=yes,verbose=no,ecryptfs_sig=$token,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=no,ecryptfs_enable_filename_crypto=no $certs_path $certs_path'
+ExecStop=/bin/sh -c 'certs_path=$$(awk '/base_cert_dir / {printf $$3}' /etc/octavia/amphora-agent.conf);umount $$certs_path;umount $$certs_path'
+RemainAfterExit=yes
+TimeoutSec=0
+
+[Install]
+# TODO(johnsom) Fix when amphora-agent has a systemd script
+WantedBy=multi-user.target
+
diff --git a/elements/cert-ramfs-ecrypt/init-scripts/sysv/cert-ramfs-ecrypt b/elements/cert-ramfs-ecrypt/init-scripts/sysv/cert-ramfs-ecrypt
new file mode 100644
index 0000000000..4979176844
--- /dev/null
+++ b/elements/cert-ramfs-ecrypt/init-scripts/sysv/cert-ramfs-ecrypt
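Review bot: The section header `[unit]` needs to be `[Unit]`; systemd section names are case-sensitive, so Description= and After=cloud-config.target would be ignored as belonging to an unknown section and the ordering after cloud-config is lost. The Exec lines also mix `$` and `$$`: `$passphrase`, `$token` and the two `$certs_path` on the ecryptfs mount are single-dollar, and since systemd expands variables in Exec lines itself and treats unknown ones as empty strings, the ecryptfs mount would run with an empty passphrase, signature and path (the other expansions already use `$$`). The nested single quotes around `a-zA-Z0-9`, `[][]` and `{printf $2}` terminate the outer `sh -c '...'` string early as well, and the `;`-chained commands carry on past a failed ramfs mount, so the oneshot's exit status reflects only the last command. Shipping the shell as a script file in the element and invoking it as `ExecStart=<element-script-path> start` / `ExecStop=<element-script-path> stop` sidesteps the quoting and escaping problems and lets the script fail the unit when a mount fails.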
@@ -0,0 +1,45 @@
+### BEGIN INIT INFO
+# Provides: cert-ramfs-ecrypt
+# Required-Start: $remote_fs $syslog $network cloud-config
+# Required-Stop: $remote_fs $syslog $network
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: Creates an encrypted ramfs for Octavia certs
+# Description: Creates an encrypted ramfs for Octavia TLS
+# certificates and key storage.
+### END INIT INFO
+
+# Using the lsb functions to perform the operations.
+. /lib/lsb/init-functions
+# Process name ( For display )
+NAME=cert-ramfs-ecrypt
+
+case $1 in
+ start)
+ log_daemon_msg "Starting the process" "$NAME"
+ passphrase=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)
+ token=$(echo $passphrase | ecryptfs-add-passphrase | awk -F'[][]' '{printf $2}')
+
+ certs_path=$(awk '/base_cert_dir / {printf $3}' /etc/octavia/amphora-agent.conf)
+ mkdir -p $certs_path
+ mount -t ramfs -o size=1m ramfs $certs_path
+ mount -t ecryptfs -o key=passphrase:passphrase_passwd=$passphrase,no_sig_cache=yes,verbose=no,ecryptfs_sig=$token,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=no,ecryptfs_enable_filename_crypto=no $certs_path $certs_path
+ log_end_msg 0
+ ;;
+ stop)
+ log_daemon_msg "Stopping the process" "$NAME"
+ certs_path=$(awk '/base_cert_dir / {printf $3}' /etc/octavia/amphora-agent.conf)
+ umount $certs_path
+ umount $certs_path
+ log_end_msg 0
+ ;;
+ restart)
+ # Restart the daemon.
+ $0 stop && sleep 2 && $0 start
+ ;;
+ *)
+ # For invalid arguments, print the usage message.
+ echo "Usage: $0 {start|stop|restart|reload|status}"
+ exit 2
+ ;;
+esac
diff --git a/elements/cert-ramfs-ecrypt/init-scripts/upstart/cert-ramfs-ecrypt.conf b/elements/cert-ramfs-ecrypt/init-scripts/upstart/cert-ramfs-ecrypt.conf
new file mode 100644
index 0000000000..2b72dd6b4d
--- /dev/null
+++ b/elements/cert-ramfs-ecrypt/init-scripts/upstart/cert-ramfs-ecrypt.conf
@@ -0,0 +1,19 @@
+description "Creates an encrypted ramfs for Octavia certs"
+
+start on started cloud-config
+stop on runlevel [!2345]
+
+pre-start script
+ passphrase=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)
+ token=$(echo $passphrase | ecryptfs-add-passphrase | awk -F'[][]' '{printf $2}')
+ certs_path=$(awk '/base_cert_dir / {printf $3}' /etc/octavia/amphora-agent.conf)
+ mkdir -p $certs_path
+ mount -t ramfs -o size=1m ramfs $certs_path
+ mount -t ecryptfs -o key=passphrase:passphrase_passwd=$passphrase,no_sig_cache=yes,verbose=no,ecryptfs_sig=$token,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=no,ecryptfs_enable_filename_crypto=no $certs_path $certs_path
+end script
+
+post-stop script
+ certs_path=$(awk '/base_cert_dir / {printf $3}' /etc/octavia/amphora-agent.conf)
+ umount $certs_path
+ umount $certs_path
+end script
diff --git a/elements/cert-ramfs-ecrypt/package-installs.yaml b/elements/cert-ramfs-ecrypt/package-installs.yaml
new file mode 100644
index 0000000000..8004f22609
--- /dev/null
+++ b/elements/cert-ramfs-ecrypt/package-installs.yaml
@@ -0,0 +1,4 @@
+ecryptfs-utils:
+keyutils:
+libecryptfs0:
+libnss3-1d:
diff --git a/elements/cert-ramfs-ecrypt/svc-map b/elements/cert-ramfs-ecrypt/svc-map
new file mode 100644
index 0000000000..17e143a912
--- /dev/null
+++ b/elements/cert-ramfs-ecrypt/svc-map
@@ -0,0 +1,2 @@
+cert-ramfs-ecrypt:
+ default: cert-ramfs-ecrypt
diff --git a/releasenotes/notes/cert-encrypted-ramfs-381ffe3d4a7392d7.yaml b/releasenotes/notes/cert-encrypted-ramfs-381ffe3d4a7392d7.yaml
new file mode 100644
index 0000000000..51d2301f5b
--- /dev/null
+++ b/releasenotes/notes/cert-encrypted-ramfs-381ffe3d4a7392d7.yaml
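Review bot: The passphrase is handed to `mount` inside `-o ...passphrase_passwd=$passphrase...`, which puts the secret in the mount process's argv where it is readable through /proc for the duration of the call; mount.ecryptfs's `passphrase_passwd_fd=` option (passphrase read from a file descriptor) keeps it off the command line, and the same applies to the sysv and systemd variants. Upstart runs `script` stanzas under `sh -e`, so here a failed mount does abort pre-start unlike in the sysv script; a comment saying so would keep a future edit from losing that property, e.g. `# runs under sh -e: a failed mount aborts the job rather than leaving a plain directory`. The `size=1m` option is, to my knowledge, not enforced by ramfs (it honours only `mode=`), so it should not be read as a cap on what the agent can write there; ramfs remains the right choice over tmpfs since its pages are never swapped.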
@@ -0,0 +1,12 @@
+---
+upgrade:
+ - To enabled encrypted ramfs storage for certificates
+ and keys, you must upgrade your amphora image.
+deprecations:
+ - Amphora with a terminated HTTPS load balancer can
+ no longer be rebooted. If they reboot, they will
+ trigger a failover of the amphora.
+security:
+ - Certificate and key storage for terminated HTTPS
+ load balancers is now in an encrypted ramfs path
+ inside the amphora.