From 55b4931b80b5b740f595efd82dc6bf0e9aceda5b Mon Sep 17 00:00:00 2001 From: Lars Wirzenius Date: Sat, 1 Jan 2022 10:36:58 +0200 Subject: feat: cryptsetup step This adds a step to use cryptsetup to encrypt a block device with LUKS, using the cryptsetup tool. A crypttab is written by the fstab step. Sponsored-by: author --- vmdb/__init__.py | 3 ++ vmdb/plugins/cryptsetup.mdwn | 18 +++++++++++ vmdb/plugins/cryptsetup_plugin.py | 63 +++++++++++++++++++++++++++++++++++++++ vmdb/plugins/fstab_plugin.py | 41 ++++++++++++++++++------- vmdb/plugins/mkfs_plugin.py | 17 ++++++++++- vmdb/tags.py | 48 +++++++++++++++++++++++++++++ vmdb/tags_tests.py | 39 ++++++++++++++++++++++++ without-tests | 1 + 8 files changed, 219 insertions(+), 11 deletions(-) create mode 100644 vmdb/plugins/cryptsetup.mdwn create mode 100644 vmdb/plugins/cryptsetup_plugin.py diff --git a/vmdb/__init__.py b/vmdb/__init__.py index 2bc32f2..c308950 100644 --- a/vmdb/__init__.py +++ b/vmdb/__init__.py @@ -42,6 +42,9 @@ from .tags import ( TagInUse, AlreadyHasDev, AlreadyHasFsType, + AlreadyHasFsUuid, + AlreadyHasLuksUuid, + AlreadyHasDeviceMapper, AlreadyHasTargetMountPoint, AlreadyMounted, NeedBothMountPoints, diff --git a/vmdb/plugins/cryptsetup.mdwn b/vmdb/plugins/cryptsetup.mdwn new file mode 100644 index 0000000..f438e4f --- /dev/null +++ b/vmdb/plugins/cryptsetup.mdwn @@ -0,0 +1,18 @@ +Step: cryptsetup +----------------------------------------------------------------------------- + +Use cryptsetup to set up encryption of a block device. + +Step keys: + +* `cryptsetup` — REQUIRED; tag of block device + +* `password` — REQUIRED; the encryption password + +* `name` — REQUIRED; name of the encrypted device when opened + +Example (in the .vmdb file): + + - cryptsetup: cleartext_pv0 + password: hunter2 + name: pv0 diff --git a/vmdb/plugins/cryptsetup_plugin.py b/vmdb/plugins/cryptsetup_plugin.py new file mode 100644 index 0000000..238d7ab --- /dev/null +++ b/vmdb/plugins/cryptsetup_plugin.py @@ -0,0 +1,63 @@ +# Copyright 2022 Lars Wirzenius +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# +# =*= License: GPL-3+ =*= + + +import os +import shutil +import tempfile + +import vmdb + + +class CryptsetupPlugin(vmdb.Plugin): + def enable(self): + self.app.step_runners.add(CryptsetupStepRunner()) + + +class CryptsetupStepRunner(vmdb.StepRunnerInterface): + def get_key_spec(self): + return {"cryptsetup": str, "password": str, "name": str} + + def run(self, step, settings, state): + cleartext_tag = step["cryptsetup"] + password = step["password"] + name = step["name"] + + device = state.tags.get_dev(cleartext_tag) + tmp = tempfile.mkdtemp() + key = os.path.join(tmp, "key") + with open(key, "w") as f: + f.write(password) + + vmdb.runcmd(["cryptsetup", "luksFormat", "--batch-mode", device, key]) + vmdb.runcmd( + ["cryptsetup", "open", "--type=luks", "--key-file", key, device, name] + ) + crypt_device = f"/dev/mapper/{name}" + assert os.path.exists(crypt_device) + + uuid = vmdb.runcmd(["cryptsetup", "luksUUID", device]).decode("UTF8").strip() + + state.tags.append(name) + state.tags.set_dev(name, crypt_device) + state.tags.set_luksuuid(name, uuid) + state.tags.set_dm(name, name) + vmdb.progress(f"LUKS: name={name} dev={crypt_device} luksuuid={uuid} dm={name}") + vmdb.progress(f"LUKS: {state.tags._tags}") + vmdb.progress("remembering LUKS device {} as {}".format(crypt_device, name)) + + shutil.rmtree(tmp) diff --git a/vmdb/plugins/fstab_plugin.py b/vmdb/plugins/fstab_plugin.py index de21ed7..fdc358c 100644 --- a/vmdb/plugins/fstab_plugin.py +++ b/vmdb/plugins/fstab_plugin.py @@ -34,29 +34,50 @@ class FstabStepRunner(vmdb.StepRunnerInterface): chroot = state.tags.get_builder_mount_point(tag) filesystems = [] + crypts = [] for tag in state.tags.get_tags(): device = state.tags.get_dev(tag) mount_point = state.tags.get_target_mount_point(tag) + + fstype = state.tags.get_fstype(tag) + fsuuid = state.tags.get_fsuuid(tag) + luksuuid = state.tags.get_luksuuid(tag) + dm = state.tags.get_dm(tag) + if mount_point is not None: - fstype = state.tags.get_fstype(tag) - output = vmdb.runcmd( - ["blkid", "-c", "/dev/null", "-o", "value", "-s", "UUID", device] - ) - if output: - uuid = output.decode().strip() - filesystems.append( - {"uuid": uuid, "mount_point": mount_point, "fstype": fstype} - ) - else: + if fsuuid is None: raise Exception( "Unknown UUID for device {} (to be mounted on {})".format( device, mount_point ) ) + filesystems.append( + { + "uuid": fsuuid, + "mount_point": mount_point, + "fstype": fstype, + } + ) + elif luksuuid is not None and dm is not None: + crypts.append( + { + "dm": dm, + "luksuuid": luksuuid, + } + ) + fstab_path = os.path.join(chroot, "etc/fstab") line = "UUID={uuid} {mount_point} {fstype} errors=remount-ro 0 1\n" with open(fstab_path, "w") as fstab: for entry in filesystems: fstab.write(line.format(**entry)) + + vmdb.progress(f"crypts: {crypts}") + if crypts: + crypttab_path = os.path.join(chroot, "etc/crypttab") + line = "{dm} UUID={luksuuid} none luks,discard\n" + with open(crypttab_path, "w") as crypttab: + for entry in crypts: + crypttab.write(line.format(**entry)) diff --git a/vmdb/plugins/mkfs_plugin.py b/vmdb/plugins/mkfs_plugin.py index 83c6aff..7bb32b6 100644 --- a/vmdb/plugins/mkfs_plugin.py +++ b/vmdb/plugins/mkfs_plugin.py @@ -53,10 +53,25 @@ class MkfsStepRunner(vmdb.StepRunnerInterface): options = values["options"] or None if options: - for opt in options.split(' '): + for opt in options.split(" "): cmd.append(opt) cmd.append(device) vmdb.runcmd(cmd) + uuid = ( + vmdb.runcmd( + [ + "blkid", + "-c/dev/null", + "-ovalue", + "-sUUID", + device, + ] + ) + .decode() + .strip() + ) + state.tags.set_fstype(tag, fstype) + state.tags.set_fsuuid(tag, uuid) diff --git a/vmdb/tags.py b/vmdb/tags.py index 0e59f1a..60001d1 100644 --- a/vmdb/tags.py +++ b/vmdb/tags.py @@ -34,6 +34,18 @@ class Tags: item = self._get(tag) return item["dev"] + def get_fsuuid(self, tag): + item = self._get(tag) + return item["fsuuid"] + + def get_luksuuid(self, tag): + item = self._get(tag) + return item["luksuuid"] + + def get_dm(self, tag): + item = self._get(tag) + return item["dm"] + def get_builder_mount_point(self, tag): item = self._get(tag) return item["builder_mount_point"] @@ -59,6 +71,9 @@ class Tags: "builder_mount_point": None, "fstype": None, "target_mount_point": None, + "fsuuid": None, + "luksuuid": None, + "dm": None, } def set_dev(self, tag, dev): @@ -80,6 +95,24 @@ class Tags: raise AlreadyHasFsType(tag) item["fstype"] = fstype + def set_fsuuid(self, tag, uuid): + item = self._get(tag) + if item["fsuuid"] is not None: + raise AlreadyHasFsUuid(tag) + item["fsuuid"] = uuid + + def set_luksuuid(self, tag, uuid): + item = self._get(tag) + if item["luksuuid"] is not None: + raise AlreadyHasLuksUuid(tag) + item["luksuuid"] = uuid + + def set_dm(self, tag, name): + item = self._get(tag) + if item["dm"] is not None: + raise AlreadyHasDeviceMapper(tag) + item["dm"] = name + def set_target_mount_point(self, tag, target_mount_point): item = self._get(tag) if item["target_mount_point"] is not None: @@ -129,6 +162,21 @@ class AlreadyHasTargetMountPoint(Exception): super().__init__("Already has target mount point: {}".format(tag)) +class AlreadyHasFsUuid(Exception): + def __init__(self, tag): + super().__init__("Already has fs UUID: {}".format(tag)) + + +class AlreadyHasLuksUuid(Exception): + def __init__(self, tag): + super().__init__("Already has LuksUUID: {}".format(tag)) + + +class AlreadyHasDeviceMapper(Exception): + def __init__(self, tag): + super().__init__("Already has device-mapper name: {}".format(tag)) + + class NeedBothMountPoints(Exception): def __init__(self, target_mp): super().__init__("Need both mount points set, target: {}".format(target_mp)) diff --git a/vmdb/tags_tests.py b/vmdb/tags_tests.py index fdcebf3..5264c95 100644 --- a/vmdb/tags_tests.py +++ b/vmdb/tags_tests.py @@ -121,6 +121,45 @@ class TagsTests(unittest.TestCase): with self.assertRaises(vmdb.AlreadyHasFsType): tags.set_fstype("first", "ext4") + def test_set_fsuuid(self): + tags = vmdb.Tags() + tags.append("first") + tags.set_fsuuid("first", "uuid") + self.assertEqual(tags.get_fsuuid("first"), "uuid") + + def test_set_fsuuid_raises_error_for_double_fstype(self): + tags = vmdb.Tags() + tags.append("first") + tags.set_fsuuid("first", "uuid") + with self.assertRaises(vmdb.AlreadyHasFsUuid): + tags.set_fsuuid("first", "other") + + def test_set_luksuuid(self): + tags = vmdb.Tags() + tags.append("first") + tags.set_luksuuid("first", "uuid") + self.assertEqual(tags.get_luksuuid("first"), "uuid") + + def test_set_luksuuid_raises_error_for_double_fstype(self): + tags = vmdb.Tags() + tags.append("first") + tags.set_luksuuid("first", "uuid") + with self.assertRaises(vmdb.AlreadyHasLuksUuid): + tags.set_luksuuid("first", "other") + + def test_set_dm(self): + tags = vmdb.Tags() + tags.append("first") + tags.set_dm("first", "dm") + self.assertEqual(tags.get_dm("first"), "dm") + + def test_set_dm_raises_error_for_double_fstype(self): + tags = vmdb.Tags() + tags.append("first") + tags.set_dm("first", "dm") + with self.assertRaises(vmdb.AlreadyHasDeviceMapper): + tags.set_dm("first", "other") + def test_set_target_mount_point(self): tags = vmdb.Tags() tags.append("first") diff --git a/without-tests b/without-tests index 978ec61..520f822 100644 --- a/without-tests +++ b/without-tests @@ -30,6 +30,7 @@ vmdb/plugins/unpack_rootfs_plugin.py vmdb/plugins/vgcreate_plugin.py vmdb/plugins/virtualfs_plugin.py vmdb/plugins/zerofree_plugin.py +vmdb/plugins/cryptsetup_plugin.py vmdb/runcmd.py vmdb/state.py vmdb/version.py -- cgit v1.2.1