Use cryptsetup/LUKS for encrypted ramfs
ecryptfs was dropped from RHEL/CentOS; use LUKS on a RAM-backed block device (brd) instead. Made the element name more generic. Added a systemctl enable call in postinstall (for systemd init), so that the service is correctly started and listed as wanted by amphora-agent. Change-Id: Id8c7ff93ae244ef14480e22c85dc79355a902105 Closes-Bug: #1642982 Closes-Bug: #1662952
This commit is contained in:
parent
7c9baeb9d1
commit
0dd4649f37
@ -371,8 +371,8 @@ fi
|
||||
# Add pip-cache element
|
||||
AMP_element_sequence="$AMP_element_sequence pip-cache"
|
||||
|
||||
# Add certificate ramfs ecrypt element
|
||||
AMP_element_sequence="$AMP_element_sequence cert-ramfs-ecrypt"
|
||||
# Add certificate ramfs element
|
||||
AMP_element_sequence="$AMP_element_sequence certs-ramfs"
|
||||
|
||||
# Allow full elements override
|
||||
if [ "$DIB_ELEMENTS" ]; then
|
||||
|
@ -1,4 +0,0 @@
|
||||
Element to setup a ramfs with ecrypt to store the TLS certificates and keys.
|
||||
|
||||
Enabling this element will mean that the amphroa can no longer recover from a
|
||||
reboot.
|
@ -1,15 +0,0 @@
|
||||
[unit]
|
||||
Description=Creates an encrypted ramfs for Octavia certs
|
||||
After=cloud-config.target
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
ExecStart=/bin/sh -c 'passphrase=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1);token=$(echo $passphrase | ecryptfs-add-passphrase | awk -F'[][]' '{printf $2}');certs_path=$$(awk '/base_cert_dir / {printf $$3}' /etc/octavia/amphora-agent.conf);mkdir -p $$certs_path;mount -t ramfs -o size=1m ramfs $$certs_path;mount -t ecryptfs -o key=passphrase:passphrase_passwd=$passphrase,no_sig_cache=yes,verbose=no,ecryptfs_sig=$token,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=no,ecryptfs_enable_filename_crypto=no $certs_path $certs_path'
|
||||
ExecStop=/bin/sh -c 'certs_path=$$(awk '/base_cert_dir / {printf $$3}' /etc/octavia/amphora-agent.conf);umount $$certs_path;umount $$certs_path'
|
||||
RemainAfterExit=yes
|
||||
TimeoutSec=0
|
||||
|
||||
[Install]
|
||||
# TODO(johnsom) Fix when amphora-agent has a systemd script
|
||||
WantedBy=multi-user.target
|
||||
|
@ -1,19 +0,0 @@
|
||||
description "Creates an encrypted ramfs for Octavia certs"
|
||||
|
||||
start on started cloud-config
|
||||
stop on runlevel [!2345]
|
||||
|
||||
pre-start script
|
||||
passphrase=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)
|
||||
token=$(echo $passphrase | ecryptfs-add-passphrase | awk -F'[][]' '{printf $2}')
|
||||
certs_path=$(awk '/base_cert_dir / {printf $3}' /etc/octavia/amphora-agent.conf)
|
||||
mkdir -p $certs_path
|
||||
mount -t ramfs -o size=1m ramfs $certs_path
|
||||
mount -t ecryptfs -o key=passphrase:passphrase_passwd=$passphrase,no_sig_cache=yes,verbose=no,ecryptfs_sig=$token,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=no,ecryptfs_enable_filename_crypto=no $certs_path $certs_path
|
||||
end script
|
||||
|
||||
post-stop script
|
||||
certs_path=$(awk '/base_cert_dir / {printf $3}' /etc/octavia/amphora-agent.conf)
|
||||
umount $certs_path
|
||||
umount $certs_path
|
||||
end script
|
@ -1 +0,0 @@
|
||||
ecryptfs-utils:
|
@ -1,2 +0,0 @@
|
||||
cert-ramfs-ecrypt:
|
||||
default: cert-ramfs-ecrypt
|
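--- a/elements/certs-ramfs/README.rst
+++ b/elements/certs-ramfs/README.rst
@@ -0,0 +1,4 @@
+Element to setup an encrypted ramfs to store the TLS certificates and keys.
+
+Enabling this element will mean that the amphora can no longer recover from a
+reboot.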
@ -0,0 +1,13 @@
|
||||
[Unit]
|
||||
Description=Creates an encrypted ramfs for Octavia certs
|
||||
After=cloud-config.target
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
ExecStart=/bin/sh -c 'modprobe brd; passphrase=$$(head /dev/urandom | tr -dc "a-zA-Z0-9" | fold -w 32 | head -n 1); certs_path=$$(awk "/base_cert_dir / {printf \$3}" /etc/octavia/amphora-agent.conf); mkdir -p "$${certs_path}"; echo -n "$${passphrase}" | cryptsetup luksFormat /dev/ram0 -; echo -n "$${passphrase}" | cryptsetup luksOpen /dev/ram0 certfs-ramfs -; mkfs.ext2 /dev/mapper/certfs-ramfs; mount /dev/mapper/certfs-ramfs "$${certs_path}"'
|
||||
ExecStop=/bin/sh -c 'certs_path=$$(awk "/base_cert_dir / {printf \$3}" /etc/octavia/amphora-agent.conf); umount "$${certs_path}"; cryptsetup luksClose /dev/mapper/certfs-ramfs;'
|
||||
RemainAfterExit=yes
|
||||
TimeoutSec=0
|
||||
|
||||
[Install]
|
||||
WantedBy=amphora-agent.service
|
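Review bot: `WantedBy=amphora-agent.service` on the last line of the unit creates an install-time wants relationship but no ordering, so amphora-agent can start before the LUKS volume is mounted and write certificates into the plain directory that `mkdir -p` has already created (assuming the agent's own unit, not shown here, declares no After= on this service). Add `Before=amphora-agent.service` under [Unit] next to `After=cloud-config.target`. Separately, the ExecStart commands are joined with `;`, so a failed modprobe, luksFormat, luksOpen or mkfs.ext2 does not stop the chain and the unit's result is decided only by the final mount; running it as `ExecStart=/bin/sh -ec '...'` (or joining the steps with `&&`) aborts at the first failure. The sysv start branch in the hunk at `@ -12,25 +12,26 @@` has the same weakness: it ends with an unconditional `log_end_msg 0`, so the script reports success regardless of what the cryptsetup and mount steps returned.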
@ -1,5 +1,5 @@
|
||||
### BEGIN INIT INFO
|
||||
# Provides: cert-ramfs-ecrypt
|
||||
# Provides: certs-ramfs
|
||||
# Required-Start: $remote_fs $syslog $network cloud-config
|
||||
# Required-Stop: $remote_fs $syslog $network
|
||||
# Default-Start: 2 3 4 5
|
||||
@ -12,25 +12,26 @@
|
||||
# Using the lsb functions to perform the operations.
|
||||
. /lib/lsb/init-functions
|
||||
# Process name ( For display )
|
||||
NAME=cert-ramfs-ecrypt
|
||||
NAME=certs-ramfs
|
||||
|
||||
case $1 in
|
||||
start)
|
||||
log_daemon_msg "Starting the process" "$NAME"
|
||||
passphrase=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)
|
||||
token=$(echo $passphrase | ecryptfs-add-passphrase | awk -F'[][]' '{printf $2}')
|
||||
|
||||
certs_path=$(awk '/base_cert_dir / {printf $3}' /etc/octavia/amphora-agent.conf)
|
||||
mkdir -p $certs_path
|
||||
mount -t ramfs -o size=1m ramfs $certs_path
|
||||
mount -t ecryptfs -o key=passphrase:passphrase_passwd=$passphrase,no_sig_cache=yes,verbose=no,ecryptfs_sig=$token,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=no,ecryptfs_enable_filename_crypto=no $certs_path $certs_path
|
||||
modprobe brd
|
||||
passphrase=$(head /dev/urandom | tr -dc "a-zA-Z0-9" | fold -w 32 | head -n 1)
|
||||
certs_path=$(awk "/base_cert_dir / {printf \$3}" /etc/octavia/amphora-agent.conf)
|
||||
mkdir -p "${certs_path}"
|
||||
echo -n "${passphrase}" | cryptsetup luksFormat /dev/ram0 -
|
||||
echo -n "${passphrase}" | cryptsetup luksOpen /dev/ram0 certfs-ramfs -
|
||||
mkfs.ext2 /dev/mapper/certfs-ramfs
|
||||
mount /dev/mapper/certfs-ramfs "${certs_path}"
|
||||
log_end_msg 0
|
||||
;;
|
||||
stop)
|
||||
log_daemon_msg "Stopping the process" "$NAME"
|
||||
certs_path=$(awk '/base_cert_dir / {printf $3}' /etc/octavia/amphora-agent.conf)
|
||||
umount $certs_path
|
||||
umount $certs_path
|
||||
certs_path=$(awk "/base_cert_dir / {printf \$3}" /etc/octavia/amphora-agent.conf)
|
||||
umount "${certs_path}"
|
||||
cryptsetup luksClose /dev/mapper/certfs-ramfs
|
||||
log_end_msg 0
|
||||
;;
|
||||
restart)
|
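--- a/elements/certs-ramfs/init-scripts/upstart/certs-ramfs.conf
+++ b/elements/certs-ramfs/init-scripts/upstart/certs-ramfs.conf
@@ -0,0 +1,21 @@
+description "Creates an encrypted ramfs for Octavia certs"
+
+start on started cloud-config
+stop on runlevel [!2345]
+
+pre-start script
+modprobe brd
+passphrase=$(head /dev/urandom | tr -dc "a-zA-Z0-9" | fold -w 32 | head -n 1)
+certs_path=$(awk "/base_cert_dir / {printf \$3}" /etc/octavia/amphora-agent.conf)
+mkdir -p "${certs_path}"
+echo -n "${passphrase}" | cryptsetup luksFormat /dev/ram0 -
+echo -n "${passphrase}" | cryptsetup luksOpen /dev/ram0 certfs-ramfs -
+mkfs.ext2 /dev/mapper/certfs-ramfs
+mount /dev/mapper/certfs-ramfs "${certs_path}"
+end script
+
+post-stop script
+certs_path=$(awk "/base_cert_dir / {printf \$3}" /etc/octavia/amphora-agent.conf)
+umount "${certs_path}"
+cryptsetup luksClose /dev/mapper/certfs-ramfs
+end script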
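--- a/elements/certs-ramfs/package-installs.yaml
+++ b/elements/certs-ramfs/package-installs.yaml
@@ -0,0 +1 @@
+cryptsetup: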
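--- a/elements/certs-ramfs/post-install.d/30-enable-certs-ramfs-service
+++ b/elements/certs-ramfs/post-install.d/30-enable-certs-ramfs-service
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+if [ "${DIB_DEBUG_TRACE:-0}" -gt 0 ]; then
+set -x
+fi
+set -eu
+set -o pipefail
+
+case "$DIB_INIT_SYSTEM" in
+upstart|sysv)
+# nothing to do
+exit 0
+;;
+systemd)
+systemctl enable certs-ramfs.service
+;;
+*)
+echo "Unsupported init system $DIB_INIT_SYSTEM"
+exit 1
+;;
+esac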
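Review bot: The diagnostic in the `*)` arm is written to stdout rather than stderr, so it is easy to lose in a build log that separates the two; make it `echo "Unsupported init system $DIB_INIT_SYSTEM" >&2` before the `exit 1`. With `set -eu` in effect, an unset DIB_INIT_SYSTEM also never reaches that arm: bash aborts on the `case "$DIB_INIT_SYSTEM" in` line with its generic unbound-variable message, whereas `case "${DIB_INIT_SYSTEM:-}" in` would route it to the same explicit error.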
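--- a/elements/certs-ramfs/svc-map
+++ b/elements/certs-ramfs/svc-map
@@ -0,0 +1,2 @@
+certs-ramfs:
+default: certs-ramfs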