2
0
mirror of https://github.com/linka-cloud/d2vm.git synced 2024-11-25 17:16:25 +00:00

luks: implements support for centos

Signed-off-by: Adphi <philippe.adrien.nousse@gmail.com>
This commit is contained in:
Adphi 2023-02-28 12:01:18 +01:00 committed by Adphi
parent 2f34e19636
commit 4780228c95
3 changed files with 59 additions and 28 deletions

View File

@ -150,10 +150,6 @@ func NewBuilder(ctx context.Context, workdir, imgTag, disk string, size uint64,
return nil, err return nil, err
} }
if luksPassword != "" { if luksPassword != "" {
// TODO(adphi): remove this check when we support luks encryption on other distros
if osRelease.ID == ReleaseCentOS {
return nil, fmt.Errorf("luks encryption is not supported on centos")
}
if !splitBoot { if !splitBoot {
return nil, fmt.Errorf("luks encryption requires split boot") return nil, fmt.Errorf("luks encryption requires split boot")
} }
@ -314,11 +310,7 @@ func (b *builder) mountImg(ctx context.Context) error {
return err return err
} }
b.bootPart = fmt.Sprintf("/dev/mapper/%sp1", filepath.Base(b.loDevice)) b.bootPart = fmt.Sprintf("/dev/mapper/%sp1", filepath.Base(b.loDevice))
if b.splitBoot { b.rootPart = ifElse(b.splitBoot, fmt.Sprintf("/dev/mapper/%sp2", filepath.Base(b.loDevice)), b.bootPart)
b.rootPart = fmt.Sprintf("/dev/mapper/%sp2", filepath.Base(b.loDevice))
} else {
b.rootPart = b.bootPart
}
if b.isLuksEnabled() { if b.isLuksEnabled() {
logrus.Infof("encrypting root partition") logrus.Infof("encrypting root partition")
f, err := os.CreateTemp("", "key") f, err := os.CreateTemp("", "key")
@ -408,7 +400,10 @@ func diskUUID(ctx context.Context, disk string) (string, error) {
func (b *builder) setupRootFS(ctx context.Context) (err error) { func (b *builder) setupRootFS(ctx context.Context) (err error) {
logrus.Infof("setting up rootfs") logrus.Infof("setting up rootfs")
b.rootUUID, err = diskUUID(ctx, b.rootPart) b.rootUUID, err = diskUUID(ctx, ifElse(b.isLuksEnabled(), b.mappedCryptRoot, b.rootPart))
if err != nil {
return err
}
var fstab string var fstab string
if b.splitBoot { if b.splitBoot {
b.bootUUID, err = diskUUID(ctx, b.bootPart) b.bootUUID, err = diskUUID(ctx, b.bootPart)
@ -503,12 +498,15 @@ func (b *builder) installKernel(ctx context.Context) error {
} }
var cfg string var cfg string
if b.isLuksEnabled() { if b.isLuksEnabled() {
if b.osRelease.ID != ReleaseAlpine { switch b.osRelease.ID {
cfg = fmt.Sprintf(sysconfig, b.rootUUID, fmt.Sprintf("%s root=/dev/mapper/root cryptopts=target=root,source=UUID=%s", b.cmdLineExtra, b.cryptUUID)) case ReleaseAlpine:
cfg = strings.Replace(cfg, "root=UUID="+b.rootUUID, "", 1)
} else {
cfg = fmt.Sprintf(sysconfig, b.rootUUID, fmt.Sprintf("%s root=/dev/mapper/root cryptdm=root", b.cmdLineExtra)) cfg = fmt.Sprintf(sysconfig, b.rootUUID, fmt.Sprintf("%s root=/dev/mapper/root cryptdm=root", b.cmdLineExtra))
cfg = strings.Replace(cfg, "root=UUID="+b.rootUUID, "cryptroot=UUID="+b.cryptUUID, 1) cfg = strings.Replace(cfg, "root=UUID="+b.rootUUID, "cryptroot=UUID="+b.cryptUUID, 1)
case ReleaseCentOS:
cfg = fmt.Sprintf(sysconfig, b.rootUUID, fmt.Sprintf("%s rd.luks.name=UUID=%s rd.luks.uuid=%s rd.luks.crypttab=0", b.cmdLineExtra, b.rootUUID, b.cryptUUID))
default:
cfg = fmt.Sprintf(sysconfig, b.rootUUID, fmt.Sprintf("%s root=/dev/mapper/root cryptopts=target=root,source=UUID=%s", b.cmdLineExtra, b.cryptUUID))
cfg = strings.Replace(cfg, "root=UUID="+b.rootUUID, "", 1)
} }
} else { } else {
cfg = fmt.Sprintf(sysconfig, b.rootUUID, b.cmdLineExtra) cfg = fmt.Sprintf(sysconfig, b.rootUUID, b.cmdLineExtra)
@ -577,3 +575,10 @@ func checkDependencies() error {
func OutputFormats() []string { func OutputFormats() []string {
return formats[:] return formats[:]
} }
func ifElse(v bool, t string, f string) string {
if v {
return t
}
return f
}

View File

@ -38,11 +38,16 @@ type test struct {
args []string args []string
} }
var images = []string{ type img struct {
"alpine:3.17", name string
"ubuntu:20.04", luks string
"debian:11", }
"centos:8",
var images = []img{
{name: "alpine:3.17", luks: "Enter passphrase for /dev/sda2:"},
{name: "ubuntu:20.04", luks: "Please unlock disk root:"},
{name: "debian:11", luks: "Please unlock disk root:"},
{name: "centos:8", luks: "Please enter passphrase for disk"},
} }
func TestConvert(t *testing.T) { func TestConvert(t *testing.T) {
@ -55,6 +60,10 @@ func TestConvert(t *testing.T) {
name: "split-boot", name: "split-boot",
args: []string{"--split-boot"}, args: []string{"--split-boot"},
}, },
{
name: "luks",
args: []string{"--luks-password=root"},
},
} }
for _, tt := range tests { for _, tt := range tests {
@ -64,21 +73,21 @@ func TestConvert(t *testing.T) {
require.NoError(os.MkdirAll(dir, os.ModePerm)) require.NoError(os.MkdirAll(dir, os.ModePerm))
defer os.RemoveAll(dir) defer os.RemoveAll(dir)
for _, i := range images { for _, img := range images {
t.Run(i, func(t *testing.T) { t.Run(img.name, func(t *testing.T) {
ctx, cancel := context.WithCancel(context.Background()) ctx, cancel := context.WithCancel(context.Background())
defer cancel() defer cancel()
// t.Parallel() // t.Parallel()
require := require2.New(t) require := require2.New(t)
out := filepath.Join(dir, strings.NewReplacer(":", "-", ".", "-").Replace(i)+".qcow2") out := filepath.Join(dir, strings.NewReplacer(":", "-", ".", "-").Replace(img.name)+".qcow2")
if _, err := os.Stat(out); err == nil { if _, err := os.Stat(out); err == nil {
require.NoError(os.Remove(out)) require.NoError(os.Remove(out))
} }
require.NoError(docker.RunD2VM(ctx, d2vm.Image, d2vm.Version, dir, dir, "convert", append([]string{"-p", "root", "-o", "/out/" + filepath.Base(out), "-v", i}, tt.args...)...)) require.NoError(docker.RunD2VM(ctx, d2vm.Image, d2vm.Version, dir, dir, "convert", append([]string{"-p", "root", "-o", "/out/" + filepath.Base(out), "-v", "--keep-cache", img.name}, tt.args...)...))
inr, inw := io.Pipe() inr, inw := io.Pipe()
defer inr.Close() defer inr.Close()
@ -93,6 +102,9 @@ func TestConvert(t *testing.T) {
password := []byte("Password:") password := []byte("Password:")
s := bufio.NewScanner(outr) s := bufio.NewScanner(outr)
s.Split(func(data []byte, atEOF bool) (advance int, token []byte, err error) { s.Split(func(data []byte, atEOF bool) (advance int, token []byte, err error) {
if i := bytes.Index(data, []byte(img.luks)); i >= 0 {
return i + len(img.luks), []byte(img.luks), nil
}
if i := bytes.Index(data, login); i >= 0 { if i := bytes.Index(data, login); i >= 0 {
return i + len(login), login, nil return i + len(login), login, nil
} }
@ -106,8 +118,14 @@ func TestConvert(t *testing.T) {
}) })
for s.Scan() { for s.Scan() {
b := s.Bytes() b := s.Bytes()
if bytes.Contains(b, []byte(img.luks)) {
t.Logf("sending luks password")
if _, err := inw.Write([]byte("root\n")); err != nil {
t.Logf("failed to write luks password: %v", err)
cancel()
}
}
if bytes.Contains(b, login) { if bytes.Contains(b, login) {
t.Logf("vm ready")
t.Logf("sending login") t.Logf("sending login")
if _, err := inw.Write([]byte("root\n")); err != nil { if _, err := inw.Write([]byte("root\n")); err != nil {
t.Logf("failed to write login: %v", err) t.Logf("failed to write login: %v", err)
@ -134,7 +152,7 @@ func TestConvert(t *testing.T) {
cancel() cancel()
} }
}() }()
if err := qemu.Run(ctx, out, qemu.WithStdin(inr), qemu.WithStdout(io.MultiWriter(outw, os.Stdout)), qemu.WithStderr(io.Discard)); err != nil && !success.Load() { if err := qemu.Run(ctx, out, qemu.WithStdin(inr), qemu.WithStdout(io.MultiWriter(outw, os.Stdout)), qemu.WithStderr(io.Discard), qemu.WithMemory(2048)); err != nil && !success.Load() {
t.Fatalf("failed to run qemu: %v", err) t.Fatalf("failed to run qemu: %v", err)
} }
}) })

View File

@ -7,12 +7,20 @@ RUN sed -i 's/mirrorlist/#mirrorlist/g' /etc/yum.repos.d/CentOS-* && \
RUN yum update -y RUN yum update -y
RUN yum install -y kernel systemd NetworkManager e2fsprogs sudo && \ RUN yum install -y \
kernel \
systemd \
NetworkManager \
e2fsprogs \
{{- if .Luks }}
cryptsetup \
{{- end }}
sudo && \
systemctl enable NetworkManager && \ systemctl enable NetworkManager && \
systemctl unmask systemd-remount-fs.service && \ systemctl unmask systemd-remount-fs.service && \
systemctl unmask getty.target systemctl unmask getty.target
RUN dracut --no-hostonly --regenerate-all --force && \ RUN dracut --no-hostonly --regenerate-all --force {{ if .Luks }}--install="/usr/sbin/cryptsetup"{{ end }}&& \
cd /boot && \ cd /boot && \
ln -s $(find . -name 'vmlinuz-*') vmlinuz && \ ln -s $(find . -name 'vmlinuz-*') vmlinuz && \
ln -s $(find . -name 'initramfs-*.img') initrd.img ln -s $(find . -name 'initramfs-*.img') initrd.img