From 0dd4649f37f2f9a6fe14f43cde0bfeb31a810ece Mon Sep 17 00:00:00 2001 
From: Bernard Cafarelli
Date: Mon, 28 Nov 2016 12:03:54 +0100
Subject: [PATCH] Use cryptsetup/LUKS for encrypted ramfs
ecryptfs was dropped from RHEL/CentOS, use LUKS on a RAM-backed block device (brd) instead. Made the element name more generic Added systemctl enable call in postinstall (for systemd init), so that the service is correctly started and listed as wanted by amphora-agent
Change-Id: Id8c7ff93ae244ef14480e22c85dc79355a902105
Closes-Bug: #1642982
Closes-Bug: #1662952
---
 diskimage-create/diskimage-create.sh | 4 +--
 elements/cert-ramfs-ecrypt/README.rst | 4 ---
 .../systemd/cert-ramfs-ecrypt.service | 15 -----------
 .../upstart/cert-ramfs-ecrypt.conf | 19 --------------
 .../cert-ramfs-ecrypt/package-installs.yaml | 1 -
 elements/cert-ramfs-ecrypt/svc-map | 2 --
 elements/certs-ramfs/README.rst | 4 +++
 .../element-deps | 0
 .../init-scripts/systemd/certs-ramfs.service | 13 ++++++++++
 .../init-scripts/sysv/certs-ramfs} | 25 ++++++++++---------
 .../init-scripts/upstart/certs-ramfs.conf | 21 ++++++++++++++++
 elements/certs-ramfs/package-installs.yaml | 1 +
 .../30-enable-certs-ramfs-service | 21 ++++++++++++++++
 elements/certs-ramfs/svc-map | 2 ++
 14 files changed, 77 insertions(+), 55 deletions(-)
 delete mode 100644 elements/cert-ramfs-ecrypt/README.rst
 delete mode 100644 elements/cert-ramfs-ecrypt/init-scripts/systemd/cert-ramfs-ecrypt.service
 delete mode 100644 elements/cert-ramfs-ecrypt/init-scripts/upstart/cert-ramfs-ecrypt.conf
 delete mode 100644 elements/cert-ramfs-ecrypt/package-installs.yaml
 delete mode 100644 elements/cert-ramfs-ecrypt/svc-map
 create mode 100644 elements/certs-ramfs/README.rst
 rename elements/{cert-ramfs-ecrypt => certs-ramfs}/element-deps (100%)
 create mode 100644 elements/certs-ramfs/init-scripts/systemd/certs-ramfs.service
 rename elements/{cert-ramfs-ecrypt/init-scripts/sysv/cert-ramfs-ecrypt => certs-ramfs/init-scripts/sysv/certs-ramfs} (53%)
 create mode 100644 elements/certs-ramfs/init-scripts/upstart/certs-ramfs.conf
 create mode 
100644 elements/certs-ramfs/package-installs.yaml
 create mode 100755 elements/certs-ramfs/post-install.d/30-enable-certs-ramfs-service
 create mode 100644 elements/certs-ramfs/svc-map
diff --git a/diskimage-create/diskimage-create.sh b/diskimage-create/diskimage-create.sh
index 8211e1b8bf..1b6ba3ac6e 100755
--- a/diskimage-create/diskimage-create.sh
+++ b/diskimage-create/diskimage-create.sh
@@ -371,8 +371,8 @@ fi
 # Add pip-cache element
 AMP_element_sequence="$AMP_element_sequence pip-cache"
-# Add certificate ramfs ecrypt element
-AMP_element_sequence="$AMP_element_sequence cert-ramfs-ecrypt"
+# Add certificate ramfs element
+AMP_element_sequence="$AMP_element_sequence certs-ramfs"
 # Allow full elements override
 if [ "$DIB_ELEMENTS" ]; then
diff --git a/elements/cert-ramfs-ecrypt/README.rst b/elements/cert-ramfs-ecrypt/README.rst
deleted file mode 100644
index ee07dc50e4..0000000000
--- a/elements/cert-ramfs-ecrypt/README.rst
+++ /dev/null
@@ -1,4 +0,0 @@
-Element to setup a ramfs with ecrypt to store the TLS certificates and keys.
-
-Enabling this element will mean that the amphroa can no longer recover from a
-reboot.
diff --git a/elements/cert-ramfs-ecrypt/init-scripts/systemd/cert-ramfs-ecrypt.service b/elements/cert-ramfs-ecrypt/init-scripts/systemd/cert-ramfs-ecrypt.service
deleted file mode 100644
index 5bfb137130..0000000000
--- a/elements/cert-ramfs-ecrypt/init-scripts/systemd/cert-ramfs-ecrypt.service
+++ /dev/null
@@ -1,15 +0,0 @@
-[unit]
-Description=Creates an encrypted ramfs for Octavia certs
-After=cloud-config.target
-
-[Service]
-Type=oneshot
-ExecStart=/bin/sh -c 'passphrase=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1);token=$(echo $passphrase | ecryptfs-add-passphrase | awk -F'[][]' '{printf $2}');certs_path=$$(awk '/base_cert_dir / {printf $$3}' /etc/octavia/amphora-agent.conf);mkdir -p $$certs_path;mount -t ramfs -o size=1m ramfs $$certs_path;mount -t ecryptfs -o key=passphrase:passphrase_passwd=$passphrase,no_sig_cache=yes,verbose=no,ecryptfs_sig=$token,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=no,ecryptfs_enable_filename_crypto=no $certs_path $certs_path'
-ExecStop=/bin/sh -c 'certs_path=$$(awk '/base_cert_dir / {printf $$3}' /etc/octavia/amphora-agent.conf);umount $$certs_path;umount $$certs_path'
-RemainAfterExit=yes
-TimeoutSec=0
-
-[Install]
-# TODO(johnsom) Fix when amphora-agent has a systemd script
-WantedBy=multi-user.target
-
diff --git a/elements/cert-ramfs-ecrypt/init-scripts/upstart/cert-ramfs-ecrypt.conf b/elements/cert-ramfs-ecrypt/init-scripts/upstart/cert-ramfs-ecrypt.conf
deleted file mode 100644
index 2b72dd6b4d..0000000000
--- a/elements/cert-ramfs-ecrypt/init-scripts/upstart/cert-ramfs-ecrypt.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-description "Creates an encrypted ramfs for Octavia certs"
-
-start on started cloud-config
-stop on runlevel [!2345]
-
-pre-start script
- passphrase=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)
- token=$(echo $passphrase | ecryptfs-add-passphrase | awk -F'[][]' '{printf $2}')
- certs_path=$(awk '/base_cert_dir / {printf $3}' /etc/octavia/amphora-agent.conf)
- mkdir -p $certs_path
- mount -t ramfs -o size=1m ramfs $certs_path
- mount -t ecryptfs -o key=passphrase:passphrase_passwd=$passphrase,no_sig_cache=yes,verbose=no,ecryptfs_sig=$token,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=no,ecryptfs_enable_filename_crypto=no $certs_path $certs_path
-end script
-
-post-stop script
- certs_path=$(awk '/base_cert_dir / {printf $3}' /etc/octavia/amphora-agent.conf)
- umount $certs_path
- umount $certs_path
-end script
diff --git a/elements/cert-ramfs-ecrypt/package-installs.yaml b/elements/cert-ramfs-ecrypt/package-installs.yaml
deleted file mode 100644
index 9171e7bcce..0000000000
--- a/elements/cert-ramfs-ecrypt/package-installs.yaml
+++ /dev/null
@@ -1 +0,0 @@
-ecryptfs-utils:
diff --git a/elements/cert-ramfs-ecrypt/svc-map b/elements/cert-ramfs-ecrypt/svc-map
deleted file mode 100644
index 17e143a912..0000000000
--- a/elements/cert-ramfs-ecrypt/svc-map
+++ /dev/null
@@ -1,2 +0,0 @@
-cert-ramfs-ecrypt:
- default: cert-ramfs-ecrypt
diff --git a/elements/certs-ramfs/README.rst b/elements/certs-ramfs/README.rst
new file mode 100644
index 0000000000..e8e87f05de
--- /dev/null
+++ b/elements/certs-ramfs/README.rst
@@ -0,0 +1,4 @@
+Element to setup an encrypted ramfs to store the TLS certificates and keys.
+
+Enabling this element will mean that the amphora can no longer recover from a
+reboot.
diff --git a/elements/cert-ramfs-ecrypt/element-deps b/elements/certs-ramfs/element-deps
similarity index 100%
rename from elements/cert-ramfs-ecrypt/element-deps
rename to elements/certs-ramfs/element-deps
diff --git a/elements/certs-ramfs/init-scripts/systemd/certs-ramfs.service b/elements/certs-ramfs/init-scripts/systemd/certs-ramfs.service
new file mode 100644
index 0000000000..3686b444f3
--- /dev/null
+++ b/elements/certs-ramfs/init-scripts/systemd/certs-ramfs.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=Creates an encrypted ramfs for Octavia certs
+After=cloud-config.target
+
+[Service]
+Type=oneshot
+ExecStart=/bin/sh -c 'modprobe brd; passphrase=$$(head /dev/urandom | tr -dc "a-zA-Z0-9" | fold -w 32 | head -n 1); certs_path=$$(awk "/base_cert_dir / {printf \$3}" /etc/octavia/amphora-agent.conf); mkdir -p "$${certs_path}"; echo -n "$${passphrase}" | cryptsetup luksFormat /dev/ram0 -; echo -n "$${passphrase}" | cryptsetup luksOpen /dev/ram0 certfs-ramfs -; mkfs.ext2 /dev/mapper/certfs-ramfs; mount /dev/mapper/certfs-ramfs "$${certs_path}"'
+ExecStop=/bin/sh -c 'certs_path=$$(awk "/base_cert_dir / {printf \$3}" /etc/octavia/amphora-agent.conf); umount "$${certs_path}"; cryptsetup luksClose /dev/mapper/certfs-ramfs;'
+RemainAfterExit=yes
+TimeoutSec=0
+
+[Install]
+WantedBy=amphora-agent.service
diff --git a/elements/cert-ramfs-ecrypt/init-scripts/sysv/cert-ramfs-ecrypt b/elements/certs-ramfs/init-scripts/sysv/certs-ramfs
similarity index 53%
rename from elements/cert-ramfs-ecrypt/init-scripts/sysv/cert-ramfs-ecrypt
rename to elements/certs-ramfs/init-scripts/sysv/certs-ramfs
index 4979176844..4b9d7ade13 100644
--- a/elements/cert-ramfs-ecrypt/init-scripts/sysv/cert-ramfs-ecrypt
+++ b/elements/certs-ramfs/init-scripts/sysv/certs-ramfs
@@ -1,5 +1,5 @@
 ### BEGIN INIT INFO
-# Provides: cert-ramfs-ecrypt
+# Provides: certs-ramfs
 # Required-Start: $remote_fs $syslog $network cloud-config
 # Required-Stop: $remote_fs $syslog $network
 # Default-Start: 2 3 4 5
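Review bot: `ExecStart` chains its steps with `;` under `/bin/sh -c`, so the unit's status reflects only the final `mount` and a failed `luksFormat`, `luksOpen` or `mkfs.ext2` does not stop the sequence at the failing step; since `WantedBy=amphora-agent.service` only yields a Wants dependency and `[Unit]` declares no `Before=amphora-agent.service`, the agent can start (unless it orders itself after this unit) while `certs_path` is still the plain directory created by `mkdir -p`, and would presumably write its certificates to the root disk unencrypted. Suggest `set -e;` as the first command inside the `sh -c` string and `Before=amphora-agent.service` under `[Unit]`; the sysv `start)` branch in the next hunk has the same unchecked steps and then reports `log_end_msg 0` unconditionally. `modprobe brd` is also loaded with the module's default device count and size, whereas the removed ramfs mount was explicitly `size=1m`; `modprobe brd rd_nr=1 rd_size=<size_kib>` (placeholder value) would make both explicit, here and in the sysv and upstart hunks.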
@@ -12,25 +12,26 @@
 # Using the lsb functions to perform the operations.
 . /lib/lsb/init-functions
 # Process name ( For display )
-NAME=cert-ramfs-ecrypt
+NAME=certs-ramfs
 case $1 in
 start)
 log_daemon_msg "Starting the process" "$NAME"
- passphrase=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)
- token=$(echo $passphrase | ecryptfs-add-passphrase | awk -F'[][]' '{printf $2}')
-
- certs_path=$(awk '/base_cert_dir / {printf $3}' /etc/octavia/amphora-agent.conf)
- mkdir -p $certs_path
- mount -t ramfs -o size=1m ramfs $certs_path
- mount -t ecryptfs -o key=passphrase:passphrase_passwd=$passphrase,no_sig_cache=yes,verbose=no,ecryptfs_sig=$token,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=no,ecryptfs_enable_filename_crypto=no $certs_path $certs_path
+ modprobe brd
+ passphrase=$(head /dev/urandom | tr -dc "a-zA-Z0-9" | fold -w 32 | head -n 1)
+ certs_path=$(awk "/base_cert_dir / {printf \$3}" /etc/octavia/amphora-agent.conf)
+ mkdir -p "${certs_path}"
+ echo -n "${passphrase}" | cryptsetup luksFormat /dev/ram0 -
+ echo -n "${passphrase}" | cryptsetup luksOpen /dev/ram0 certfs-ramfs -
+ mkfs.ext2 /dev/mapper/certfs-ramfs
+ mount /dev/mapper/certfs-ramfs "${certs_path}"
 log_end_msg 0
 ;;
 stop)
 log_daemon_msg "Stopping the process" "$NAME"
- certs_path=$(awk '/base_cert_dir / {printf $3}' /etc/octavia/amphora-agent.conf)
- umount $certs_path
- umount $certs_path
+ certs_path=$(awk "/base_cert_dir / {printf \$3}" /etc/octavia/amphora-agent.conf)
+ umount "${certs_path}"
+ cryptsetup luksClose /dev/mapper/certfs-ramfs
 log_end_msg 0
 ;;
 restart)
diff --git a/elements/certs-ramfs/init-scripts/upstart/certs-ramfs.conf b/elements/certs-ramfs/init-scripts/upstart/certs-ramfs.conf
new file mode 100644
index 0000000000..886dc339f3
--- /dev/null
+++ b/elements/certs-ramfs/init-scripts/upstart/certs-ramfs.conf
@@ -0,0 +1,21 @@
+description "Creates an encrypted ramfs for Octavia certs"
+
+start on started cloud-config
+stop on runlevel [!2345]
+
+pre-start script
+ modprobe brd
+ passphrase=$(head /dev/urandom | tr -dc "a-zA-Z0-9" | fold -w 32 | head -n 1)
+ certs_path=$(awk "/base_cert_dir / {printf \$3}" /etc/octavia/amphora-agent.conf)
+ mkdir -p "${certs_path}"
+ echo -n "${passphrase}" | cryptsetup luksFormat /dev/ram0 -
+ echo -n "${passphrase}" | cryptsetup luksOpen /dev/ram0 certfs-ramfs -
+ mkfs.ext2 /dev/mapper/certfs-ramfs
+ mount /dev/mapper/certfs-ramfs "${certs_path}"
+end script
+
+post-stop script
+ certs_path=$(awk "/base_cert_dir / {printf \$3}" /etc/octavia/amphora-agent.conf)
+ umount "${certs_path}"
+ cryptsetup luksClose /dev/mapper/certfs-ramfs
+end script
diff --git a/elements/certs-ramfs/package-installs.yaml b/elements/certs-ramfs/package-installs.yaml
new file mode 100644
index 0000000000..2edcf41eb6
--- /dev/null
+++ b/elements/certs-ramfs/package-installs.yaml
@@ -0,0 +1 @@
+cryptsetup:
diff --git a/elements/certs-ramfs/post-install.d/30-enable-certs-ramfs-service b/elements/certs-ramfs/post-install.d/30-enable-certs-ramfs-service
new file mode 100755
index 0000000000..9a19b60af4
--- /dev/null
+++ b/elements/certs-ramfs/post-install.d/30-enable-certs-ramfs-service
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+if [ "${DIB_DEBUG_TRACE:-0}" -gt 0 ]; then
+ set -x
+fi
+set -eu
+set -o pipefail
+
+case "$DIB_INIT_SYSTEM" in
+ upstart|sysv)
+ # nothing to do
+ exit 0
+ ;;
+ systemd)
+ systemctl enable certs-ramfs.service
+ ;;
+ *)
+ echo "Unsupported init system $DIB_INIT_SYSTEM"
+ exit 1
+ ;;
+esac
diff --git a/elements/certs-ramfs/svc-map b/elements/certs-ramfs/svc-map
new file mode 100644
index 0000000000..5837681f11
--- /dev/null
+++ b/elements/certs-ramfs/svc-map
@@ -0,0 +1,2 @@
+certs-ramfs:
+ default: certs-ramfs
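Review bot: The unsupported-init-system message in the `*)` arm of 30-enable-certs-ramfs-service is written to stdout although the script then exits 1; diagnostics belong on stderr so they are not interleaved with normal build output, `echo "Unsupported init system $DIB_INIT_SYSTEM" >&2`. The `upstart|sysv)` arm exits 0 with only `# nothing to do`, presumably because the svc-map file added in this commit covers those init systems; saying so in the comment (`# upstart/sysv services are wired up via svc-map`) would spare the next reader the lookup.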