diff options
Diffstat (limited to 'vmdb/plugins')
-rw-r--r-- | vmdb/plugins/cryptsetup.mdwn | 18 | ||||
-rw-r--r-- | vmdb/plugins/cryptsetup_plugin.py | 63 | ||||
-rw-r--r-- | vmdb/plugins/fstab_plugin.py | 41 | ||||
-rw-r--r-- | vmdb/plugins/mkfs_plugin.py | 17 |
4 files changed, 128 insertions, 11 deletions
diff --git a/vmdb/plugins/cryptsetup.mdwn b/vmdb/plugins/cryptsetup.mdwn new file mode 100644 index 0000000..f438e4f --- /dev/null +++ b/vmdb/plugins/cryptsetup.mdwn @@ -0,0 +1,18 @@ +Step: cryptsetup +----------------------------------------------------------------------------- + +Use cryptsetup to set up encryption of a block device. + +Step keys: + +* `cryptsetup` — REQUIRED; tag of block device + +* `password` — REQUIRED; the encryption password + +* `name` — REQUIRED; name of the encrypted device when opened + +Example (in the .vmdb file): + + - cryptsetup: cleartext_pv0 + password: hunter2 + name: pv0 diff --git a/vmdb/plugins/cryptsetup_plugin.py b/vmdb/plugins/cryptsetup_plugin.py new file mode 100644 index 0000000..238d7ab --- /dev/null +++ b/vmdb/plugins/cryptsetup_plugin.py @@ -0,0 +1,63 @@ +# Copyright 2022 Lars Wirzenius +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. +# +# =*= License: GPL-3+ =*= + + +import os +import shutil +import tempfile + +import vmdb + + +class CryptsetupPlugin(vmdb.Plugin): + def enable(self): + self.app.step_runners.add(CryptsetupStepRunner()) + + +class CryptsetupStepRunner(vmdb.StepRunnerInterface): + def get_key_spec(self): + return {"cryptsetup": str, "password": str, "name": str} + + def run(self, step, settings, state): + cleartext_tag = step["cryptsetup"] + password = step["password"] + name = step["name"] + + device = state.tags.get_dev(cleartext_tag) + tmp = tempfile.mkdtemp() + key = os.path.join(tmp, "key") + with open(key, "w") as f: + f.write(password) + + vmdb.runcmd(["cryptsetup", "luksFormat", "--batch-mode", device, key]) + vmdb.runcmd( + ["cryptsetup", "open", "--type=luks", "--key-file", key, device, name] + ) + crypt_device = f"/dev/mapper/{name}" + assert os.path.exists(crypt_device) + + uuid = vmdb.runcmd(["cryptsetup", "luksUUID", device]).decode("UTF8").strip() + + state.tags.append(name) + state.tags.set_dev(name, crypt_device) + state.tags.set_luksuuid(name, uuid) + state.tags.set_dm(name, name) + vmdb.progress(f"LUKS: name={name} dev={crypt_device} luksuuid={uuid} dm={name}") + vmdb.progress(f"LUKS: {state.tags._tags}") + vmdb.progress("remembering LUKS device {} as {}".format(crypt_device, name)) + + shutil.rmtree(tmp) diff --git a/vmdb/plugins/fstab_plugin.py b/vmdb/plugins/fstab_plugin.py index de21ed7..fdc358c 100644 --- a/vmdb/plugins/fstab_plugin.py +++ b/vmdb/plugins/fstab_plugin.py @@ -34,29 +34,50 @@ class FstabStepRunner(vmdb.StepRunnerInterface): chroot = state.tags.get_builder_mount_point(tag) filesystems = [] + crypts = [] for tag in state.tags.get_tags(): device = state.tags.get_dev(tag) mount_point = state.tags.get_target_mount_point(tag) + + fstype = state.tags.get_fstype(tag) + fsuuid = state.tags.get_fsuuid(tag) + luksuuid = state.tags.get_luksuuid(tag) + dm = state.tags.get_dm(tag) + if mount_point is not None: - fstype = state.tags.get_fstype(tag) - output = vmdb.runcmd( - ["blkid", "-c", "/dev/null", "-o", "value", "-s", "UUID", device] - ) - if output: - uuid = output.decode().strip() - filesystems.append( - {"uuid": uuid, "mount_point": mount_point, "fstype": fstype} - ) - else: + if fsuuid is None: raise Exception( "Unknown UUID for device {} (to be mounted on {})".format( device, mount_point ) ) + filesystems.append( + { + "uuid": fsuuid, + "mount_point": mount_point, + "fstype": fstype, + } + ) + elif luksuuid is not None and dm is not None: + crypts.append( + { + "dm": dm, + "luksuuid": luksuuid, + } + ) + fstab_path = os.path.join(chroot, "etc/fstab") line = "UUID={uuid} {mount_point} {fstype} errors=remount-ro 0 1\n" with open(fstab_path, "w") as fstab: for entry in filesystems: fstab.write(line.format(**entry)) + + vmdb.progress(f"crypts: {crypts}") + if crypts: + crypttab_path = os.path.join(chroot, "etc/crypttab") + line = "{dm} UUID={luksuuid} none luks,discard\n" + with open(crypttab_path, "w") as crypttab: + for entry in crypts: + crypttab.write(line.format(**entry)) diff --git a/vmdb/plugins/mkfs_plugin.py b/vmdb/plugins/mkfs_plugin.py index 83c6aff..7bb32b6 100644 --- a/vmdb/plugins/mkfs_plugin.py +++ b/vmdb/plugins/mkfs_plugin.py @@ -53,10 +53,25 @@ class MkfsStepRunner(vmdb.StepRunnerInterface): options = values["options"] or None if options: - for opt in options.split(' '): + for opt in options.split(" "): cmd.append(opt) cmd.append(device) vmdb.runcmd(cmd) + uuid = ( + vmdb.runcmd( + [ + "blkid", + "-c/dev/null", + "-ovalue", + "-sUUID", + device, + ] + ) + .decode() + .strip() + ) + state.tags.set_fstype(tag, fstype) + state.tags.set_fsuuid(tag, uuid) |