luks: do not support ubuntu < 20.04 and debian < 10

Signed-off-by: Adphi <philippe.adrien.nousse@gmail.com>
2023-03-01 13:29:10 +01:00 · 2023-03-01 13:29:10 +01:00 · fb33b2a74e
parent 8c36d42e06
commit fb33b2a74e
9 changed files with 44 additions and 5 deletions
--- a/.dockerignore
+++ b/.dockerignore
@ -8,3 +8,4 @@ dist
 images
 examples/build
 e2e
+**/*_test.go
--- a/2
+++ b/2
@ -38,7 +38,7 @@ RUN apt-get update && \
        mount \
        tar \
        extlinux \
-        cryptsetup \
+        cryptsetup-bin \
        qemu-utils && \
    apt-get clean && \
    rm -rf /var/lib/apt/lists/*
--- a/README.md
+++ b/README.md
@ -29,7 +29,9 @@ or when running without *root* privileges.
 Working and tested:

 - [x] Ubuntu (18.04+)
+  Luks support is available only on Ubuntu 20.04+
 - [x] Debian (stretch+)
+  Luks support is available only on Debian buster+
 - [x] Alpine
 - [x] CentOS (8+)

--- a/builder.go
+++ b/builder.go
@ -153,6 +153,9 @@ func NewBuilder(ctx context.Context, workdir, imgTag, disk string, size uint64,
 		if !splitBoot {
 			return nil, fmt.Errorf("luks encryption requires split boot")
 		}
+		if !osRelease.SupportsLUKS() {
+			return nil, fmt.Errorf("luks encryption not supported on %s %s", osRelease.ID, osRelease.VersionID)
+		}
 	}
 	f := strings.ToLower(format)
 	valid := false
@ -505,7 +508,7 @@ func (b *builder) installKernel(ctx context.Context) error {
 		case ReleaseCentOS:
 			cfg = fmt.Sprintf(sysconfig, b.rootUUID, fmt.Sprintf("%s rd.luks.name=UUID=%s rd.luks.uuid=%s rd.luks.crypttab=0", b.cmdLineExtra, b.rootUUID, b.cryptUUID))
 		default:
-			// for some versions of debian, the cryptopts parameter MUST contain all the following: target,srouce,key,opts...
+			// for some versions of debian, the cryptopts parameter MUST contain all the following: target,source,key,opts...
 			// see https://salsa.debian.org/cryptsetup-team/cryptsetup/-/blob/debian/buster/debian/functions
 			// and https://cryptsetup-team.pages.debian.net/cryptsetup/README.initramfs.html
 			cfg = fmt.Sprintf(sysconfig, b.rootUUID, fmt.Sprintf("%s root=/dev/mapper/root cryptopts=target=root,source=UUID=%s,key=none,luks", b.cmdLineExtra, b.cryptUUID))
--- a/convert.go
+++ b/convert.go
@ -45,6 +45,11 @@ func Convert(ctx context.Context, img string, opts ...ConvertOption) error {
 	if err != nil {
 		return err
 	}
+
+	if o.luksPassword != "" && !r.SupportsLUKS() {
+		return fmt.Errorf("luks is not supported for %s %s", r.Name, r.Version)
+	}
+
 	if !o.raw {
 		d, err := NewDockerfile(r, img, o.password, o.networkManager, o.luksPassword != "")
 		if err != nil {
--- a/e2e/e2e_test.go
+++ b/e2e/e2e_test.go
@ -45,8 +45,9 @@ type img struct {

 var images = []img{
 	{name: "alpine:3.17", luks: "Enter passphrase for /dev/sda2:"},
-	{name: "ubuntu:18.04", luks: "Please unlock disk root:"},
+	{name: "ubuntu:20.04", luks: "Please unlock disk root:"},
 	{name: "ubuntu:22.04", luks: "Please unlock disk root:"},
+	{name: "debian:10", luks: "Please unlock disk root:"},
 	{name: "debian:11", luks: "Please unlock disk root:"},
 	{name: "centos:8", luks: "Please enter passphrase for disk"},
 }
--- a/os_release.go
+++ b/os_release.go
@ -19,6 +19,7 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
+	"strconv"
 	"strings"
 	"text/template"

@ -66,6 +67,31 @@ type OSRelease struct {
 	VersionCodeName string
 }

+func (r OSRelease) SupportsLUKS() bool {
+	switch r.ID {
+	case ReleaseUbuntu:
+		return r.VersionID >= "20.04"
+	case ReleaseDebian:
+		v, err := strconv.Atoi(r.VersionID)
+		if err != nil {
+			logrus.Warnf("%s: failed to parse version id: %v", r.Version, err)
+			return false
+		}
+		return v >= 10
+	case ReleaseKali:
+		// TODO: check version
+		return true
+	case ReleaseCentOS:
+		return true
+	case ReleaseAlpine:
+		return true
+	case ReleaseRHEL:
+		return false
+	default:
+		return false
+	}
+}
+
 func ParseOSRelease(s string) (OSRelease, error) {
 	env, err := godotenv.Parse(strings.NewReader(s))
 	if err != nil {
--- a/templates/debian.Dockerfile
+++ b/templates/debian.Dockerfile
@ -45,5 +45,6 @@ iface eth0 inet dhcp\n\

 {{- if .Luks }}
 RUN DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends cryptsetup-initramfs && \
-     update-initramfs -u -v
+    echo "CRYPTSETUP=y" >> /etc/cryptsetup-initramfs/conf-hook && \
+    update-initramfs -u -v
 {{- end }}
--- a/templates/ubuntu.Dockerfile
+++ b/templates/ubuntu.Dockerfile
@ -43,5 +43,5 @@ iface eth0 inet dhcp\n\

 {{- if .Luks }}
 RUN DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends cryptsetup-initramfs && \
-     update-initramfs -u -v
+    update-initramfs -u -v
 {{- end }}