Use cryptsetup/LUKS for encrypted ramfs

ecryptfs was dropped from RHEL/CentOS; use LUKS on a RAM-backed block
device (brd) instead.

Made the element name more generic

Added systemctl enable call in postinstall (for systemd init), so that
the service is correctly started and listed as wanted by amphora-agent

Change-Id: Id8c7ff93ae244ef14480e22c85dc79355a902105
Closes-Bug: #1642982
Closes-Bug: #1662952
Bernard Cafarelli 2016-11-28 12:03:54 +01:00
parent 7c9baeb9d1
commit 0dd4649f37
14 changed files with 77 additions and 55 deletions


@ -371,8 +371,8 @@ fi
# Add pip-cache element # Add pip-cache element
AMP_element_sequence="$AMP_element_sequence pip-cache" AMP_element_sequence="$AMP_element_sequence pip-cache"
# Add certificate ramfs ecrypt element # Add certificate ramfs element
AMP_element_sequence="$AMP_element_sequence cert-ramfs-ecrypt" AMP_element_sequence="$AMP_element_sequence certs-ramfs"
# Allow full elements override # Allow full elements override
if [ "$DIB_ELEMENTS" ]; then if [ "$DIB_ELEMENTS" ]; then


@ -1,4 +0,0 @@
Element to setup a ramfs with ecrypt to store the TLS certificates and keys.
Enabling this element will mean that the amphroa can no longer recover from a
reboot.


@ -1,15 +0,0 @@
[unit]
Description=Creates an encrypted ramfs for Octavia certs
After=cloud-config.target
[Service]
Type=oneshot
ExecStart=/bin/sh -c 'passphrase=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1);token=$(echo $passphrase | ecryptfs-add-passphrase | awk -F'[][]' '{printf $2}');certs_path=$$(awk '/base_cert_dir / {printf $$3}' /etc/octavia/amphora-agent.conf);mkdir -p $$certs_path;mount -t ramfs -o size=1m ramfs $$certs_path;mount -t ecryptfs -o key=passphrase:passphrase_passwd=$passphrase,no_sig_cache=yes,verbose=no,ecryptfs_sig=$token,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=no,ecryptfs_enable_filename_crypto=no $certs_path $certs_path'
ExecStop=/bin/sh -c 'certs_path=$$(awk '/base_cert_dir / {printf $$3}' /etc/octavia/amphora-agent.conf);umount $$certs_path;umount $$certs_path'
RemainAfterExit=yes
TimeoutSec=0
[Install]
# TODO(johnsom) Fix when amphora-agent has a systemd script
WantedBy=multi-user.target


@ -1,19 +0,0 @@
description "Creates an encrypted ramfs for Octavia certs"
start on started cloud-config
stop on runlevel [!2345]
pre-start script
passphrase=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)
token=$(echo $passphrase | ecryptfs-add-passphrase | awk -F'[][]' '{printf $2}')
certs_path=$(awk '/base_cert_dir / {printf $3}' /etc/octavia/amphora-agent.conf)
mkdir -p $certs_path
mount -t ramfs -o size=1m ramfs $certs_path
mount -t ecryptfs -o key=passphrase:passphrase_passwd=$passphrase,no_sig_cache=yes,verbose=no,ecryptfs_sig=$token,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=no,ecryptfs_enable_filename_crypto=no $certs_path $certs_path
end script
post-stop script
certs_path=$(awk '/base_cert_dir / {printf $3}' /etc/octavia/amphora-agent.conf)
umount $certs_path
umount $certs_path
end script


@ -1 +0,0 @@
ecryptfs-utils:


@ -1,2 +0,0 @@
cert-ramfs-ecrypt:
default: cert-ramfs-ecrypt


@ -0,0 +1,4 @@
Element to setup an encrypted ramfs to store the TLS certificates and keys.
Enabling this element will mean that the amphora can no longer recover from a
reboot.


@ -0,0 +1,13 @@
[Unit]
Description=Creates an encrypted ramfs for Octavia certs
After=cloud-config.target
[Service]
Type=oneshot
ExecStart=/bin/sh -c 'modprobe brd; passphrase=$$(head /dev/urandom | tr -dc "a-zA-Z0-9" | fold -w 32 | head -n 1); certs_path=$$(awk "/base_cert_dir / {printf \$3}" /etc/octavia/amphora-agent.conf); mkdir -p "$${certs_path}"; echo -n "$${passphrase}" | cryptsetup luksFormat /dev/ram0 -; echo -n "$${passphrase}" | cryptsetup luksOpen /dev/ram0 certfs-ramfs -; mkfs.ext2 /dev/mapper/certfs-ramfs; mount /dev/mapper/certfs-ramfs "$${certs_path}"'
ExecStop=/bin/sh -c 'certs_path=$$(awk "/base_cert_dir / {printf \$3}" /etc/octavia/amphora-agent.conf); umount "$${certs_path}"; cryptsetup luksClose /dev/mapper/certfs-ramfs;'
RemainAfterExit=yes
TimeoutSec=0
[Install]
WantedBy=amphora-agent.service
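Review bot: The [Unit] section orders this service only with `After=cloud-config.target`, so even though `WantedBy=amphora-agent.service` makes the agent pull it in, a Wants relation carries no ordering and amphora-agent may start before the mount exists; since ExecStart runs `mkdir -p` on certs_path before mounting, an early agent could write certificates into the plain directory that the mount then covers. Add `Before=amphora-agent.service` under [Unit]. Separately, the ExecStart steps are joined with `;`, so a failed modprobe, luksFormat, luksOpen or mkfs.ext2 does not stop the later steps and only the final mount's status reaches systemd; joining the steps with `&&` (or running the list under `sh -e`) makes a partial setup fail the unit instead of leaving an unencrypted directory in place. The same unchecked sequence appears in the sysv `start)` case and the upstart `pre-start script` further down, though upstart script stanzas are, as far as I recall, already run with `sh -e`.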


@ -1,5 +1,5 @@
### BEGIN INIT INFO ### BEGIN INIT INFO
# Provides: cert-ramfs-ecrypt # Provides: certs-ramfs
# Required-Start: $remote_fs $syslog $network cloud-config # Required-Start: $remote_fs $syslog $network cloud-config
# Required-Stop: $remote_fs $syslog $network # Required-Stop: $remote_fs $syslog $network
# Default-Start: 2 3 4 5 # Default-Start: 2 3 4 5
@ -12,25 +12,26 @@
# Using the lsb functions to perform the operations. # Using the lsb functions to perform the operations.
. /lib/lsb/init-functions . /lib/lsb/init-functions
# Process name ( For display ) # Process name ( For display )
NAME=cert-ramfs-ecrypt NAME=certs-ramfs
case $1 in case $1 in
start) start)
log_daemon_msg "Starting the process" "$NAME" log_daemon_msg "Starting the process" "$NAME"
passphrase=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1) modprobe brd
token=$(echo $passphrase | ecryptfs-add-passphrase | awk -F'[][]' '{printf $2}') passphrase=$(head /dev/urandom | tr -dc "a-zA-Z0-9" | fold -w 32 | head -n 1)
certs_path=$(awk "/base_cert_dir / {printf \$3}" /etc/octavia/amphora-agent.conf)
certs_path=$(awk '/base_cert_dir / {printf $3}' /etc/octavia/amphora-agent.conf) mkdir -p "${certs_path}"
mkdir -p $certs_path echo -n "${passphrase}" | cryptsetup luksFormat /dev/ram0 -
mount -t ramfs -o size=1m ramfs $certs_path echo -n "${passphrase}" | cryptsetup luksOpen /dev/ram0 certfs-ramfs -
mount -t ecryptfs -o key=passphrase:passphrase_passwd=$passphrase,no_sig_cache=yes,verbose=no,ecryptfs_sig=$token,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=no,ecryptfs_enable_filename_crypto=no $certs_path $certs_path mkfs.ext2 /dev/mapper/certfs-ramfs
mount /dev/mapper/certfs-ramfs "${certs_path}"
log_end_msg 0 log_end_msg 0
;; ;;
stop) stop)
log_daemon_msg "Stopping the process" "$NAME" log_daemon_msg "Stopping the process" "$NAME"
certs_path=$(awk '/base_cert_dir / {printf $3}' /etc/octavia/amphora-agent.conf) certs_path=$(awk "/base_cert_dir / {printf \$3}" /etc/octavia/amphora-agent.conf)
umount $certs_path umount "${certs_path}"
umount $certs_path cryptsetup luksClose /dev/mapper/certfs-ramfs
log_end_msg 0 log_end_msg 0
;; ;;
restart) restart)
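Review bot: In the new `start)` case, `log_end_msg 0` runs unconditionally, so a failing luksFormat, luksOpen, mkfs.ext2 or mount is still reported as success and boot continues with certs_path left as the plain directory created by `mkdir -p`. Chain the setup steps and report their real status, e.g. `echo -n "${passphrase}" | cryptsetup luksFormat /dev/ram0 - && echo -n "${passphrase}" | cryptsetup luksOpen /dev/ram0 certfs-ramfs - && mkfs.ext2 /dev/mapper/certfs-ramfs && mount /dev/mapper/certfs-ramfs "${certs_path}"` followed by `log_end_msg $?`. The hunk does not show whether the script sets `-e` near the top (lines 6–11 are outside the hunk), and the `case` statement continues past `restart)` outside the hunk.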


@ -0,0 +1,21 @@
description "Creates an encrypted ramfs for Octavia certs"
start on started cloud-config
stop on runlevel [!2345]
pre-start script
modprobe brd
passphrase=$(head /dev/urandom | tr -dc "a-zA-Z0-9" | fold -w 32 | head -n 1)
certs_path=$(awk "/base_cert_dir / {printf \$3}" /etc/octavia/amphora-agent.conf)
mkdir -p "${certs_path}"
echo -n "${passphrase}" | cryptsetup luksFormat /dev/ram0 -
echo -n "${passphrase}" | cryptsetup luksOpen /dev/ram0 certfs-ramfs -
mkfs.ext2 /dev/mapper/certfs-ramfs
mount /dev/mapper/certfs-ramfs "${certs_path}"
end script
post-stop script
certs_path=$(awk "/base_cert_dir / {printf \$3}" /etc/octavia/amphora-agent.conf)
umount "${certs_path}"
cryptsetup luksClose /dev/mapper/certfs-ramfs
end script


@ -0,0 +1 @@
cryptsetup:


@ -0,0 +1,21 @@
#!/bin/bash
if [ "${DIB_DEBUG_TRACE:-0}" -gt 0 ]; then
set -x
fi
set -eu
set -o pipefail
case "$DIB_INIT_SYSTEM" in
upstart|sysv)
# nothing to do
exit 0
;;
systemd)
systemctl enable certs-ramfs.service
;;
*)
echo "Unsupported init system $DIB_INIT_SYSTEM"
exit 1
;;
esac
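Review bot: The diagnostic in the `*)` arm is written to stdout, so it is mixed into normal build output rather than the error stream; use `echo "Unsupported init system $DIB_INIT_SYSTEM" >&2`. Note also that with `set -u` an unset DIB_INIT_SYSTEM aborts on the `case` line with a bare shell error instead of reaching that message; if that case should be reported the same way, `case "${DIB_INIT_SYSTEM:-}" in` routes it through the `*)` arm.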


@ -0,0 +1,2 @@
certs-ramfs:
default: certs-ramfs