luks: do not support ubuntu < 20.04 and debian < 10
Signed-off-by: Adphi <philippe.adrien.nousse@gmail.com>
parent
8c36d42e06
commit
fb33b2a74e
@ -8,3 +8,4 @@ dist
|
|||||||
images
|
images
|
||||||
examples/build
|
examples/build
|
||||||
e2e
|
e2e
|
||||||
|
**/*_test.go
|
||||||
|
@ -38,7 +38,7 @@ RUN apt-get update && \
|
|||||||
mount \
|
mount \
|
||||||
tar \
|
tar \
|
||||||
extlinux \
|
extlinux \
|
||||||
cryptsetup \
|
cryptsetup-bin \
|
||||||
qemu-utils && \
|
qemu-utils && \
|
||||||
apt-get clean && \
|
apt-get clean && \
|
||||||
rm -rf /var/lib/apt/lists/*
|
rm -rf /var/lib/apt/lists/*
|
||||||
|
@ -29,7 +29,9 @@ or when running without *root* privileges.
|
|||||||
Working and tested:
|
Working and tested:
|
||||||
|
|
||||||
- [x] Ubuntu (18.04+)
|
- [x] Ubuntu (18.04+)
|
||||||
|
Luks support is available only on Ubuntu 20.04+
|
||||||
- [x] Debian (stretch+)
|
- [x] Debian (stretch+)
|
||||||
|
Luks support is available only on Debian buster+
|
||||||
- [x] Alpine
|
- [x] Alpine
|
||||||
- [x] CentOS (8+)
|
- [x] CentOS (8+)
|
||||||
|
|
||||||
|
@ -153,6 +153,9 @@ func NewBuilder(ctx context.Context, workdir, imgTag, disk string, size uint64,
|
|||||||
if !splitBoot {
|
if !splitBoot {
|
||||||
return nil, fmt.Errorf("luks encryption requires split boot")
|
return nil, fmt.Errorf("luks encryption requires split boot")
|
||||||
}
|
}
|
||||||
|
if !osRelease.SupportsLUKS() {
|
||||||
|
return nil, fmt.Errorf("luks encryption not supported on %s %s", osRelease.ID, osRelease.VersionID)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
f := strings.ToLower(format)
|
f := strings.ToLower(format)
|
||||||
valid := false
|
valid := false
|
||||||
@ -505,7 +508,7 @@ func (b *builder) installKernel(ctx context.Context) error {
|
|||||||
case ReleaseCentOS:
|
case ReleaseCentOS:
|
||||||
cfg = fmt.Sprintf(sysconfig, b.rootUUID, fmt.Sprintf("%s rd.luks.name=UUID=%s rd.luks.uuid=%s rd.luks.crypttab=0", b.cmdLineExtra, b.rootUUID, b.cryptUUID))
|
cfg = fmt.Sprintf(sysconfig, b.rootUUID, fmt.Sprintf("%s rd.luks.name=UUID=%s rd.luks.uuid=%s rd.luks.crypttab=0", b.cmdLineExtra, b.rootUUID, b.cryptUUID))
|
||||||
default:
|
default:
|
||||||
// for some versions of debian, the cryptopts parameter MUST contain all the following: target,srouce,key,opts...
|
// for some versions of debian, the cryptopts parameter MUST contain all the following: target,source,key,opts...
|
||||||
// see https://salsa.debian.org/cryptsetup-team/cryptsetup/-/blob/debian/buster/debian/functions
|
// see https://salsa.debian.org/cryptsetup-team/cryptsetup/-/blob/debian/buster/debian/functions
|
||||||
// and https://cryptsetup-team.pages.debian.net/cryptsetup/README.initramfs.html
|
// and https://cryptsetup-team.pages.debian.net/cryptsetup/README.initramfs.html
|
||||||
cfg = fmt.Sprintf(sysconfig, b.rootUUID, fmt.Sprintf("%s root=/dev/mapper/root cryptopts=target=root,source=UUID=%s,key=none,luks", b.cmdLineExtra, b.cryptUUID))
|
cfg = fmt.Sprintf(sysconfig, b.rootUUID, fmt.Sprintf("%s root=/dev/mapper/root cryptopts=target=root,source=UUID=%s,key=none,luks", b.cmdLineExtra, b.cryptUUID))
|
||||||
|
@ -45,6 +45,11 @@ func Convert(ctx context.Context, img string, opts ...ConvertOption) error {
|
|||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if o.luksPassword != "" && !r.SupportsLUKS() {
|
||||||
|
return fmt.Errorf("luks is not supported for %s %s", r.Name, r.Version)
|
||||||
|
}
|
||||||
|
|
||||||
if !o.raw {
|
if !o.raw {
|
||||||
d, err := NewDockerfile(r, img, o.password, o.networkManager, o.luksPassword != "")
|
d, err := NewDockerfile(r, img, o.password, o.networkManager, o.luksPassword != "")
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
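Review bot: The rejection message added in `Convert` prints `r.Name` and `r.Version`, but `SupportsLUKS` decides on `r.ID` and `r.VersionID`, and the matching check added in `NewBuilder` reports those two fields. The same refusal therefore reads differently depending on which entry point hit it, and the printed values may not be the ones that were compared. I would align it with the builder: `return fmt.Errorf("luks encryption not supported on %s %s", r.ID, r.VersionID)`. The body of `Convert` continues outside the hunk.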
@ -45,8 +45,9 @@ type img struct {
|
|||||||
|
|
||||||
var images = []img{
|
var images = []img{
|
||||||
{name: "alpine:3.17", luks: "Enter passphrase for /dev/sda2:"},
|
{name: "alpine:3.17", luks: "Enter passphrase for /dev/sda2:"},
|
||||||
{name: "ubuntu:18.04", luks: "Please unlock disk root:"},
|
{name: "ubuntu:20.04", luks: "Please unlock disk root:"},
|
||||||
{name: "ubuntu:22.04", luks: "Please unlock disk root:"},
|
{name: "ubuntu:22.04", luks: "Please unlock disk root:"},
|
||||||
|
{name: "debian:10", luks: "Please unlock disk root:"},
|
||||||
{name: "debian:11", luks: "Please unlock disk root:"},
|
{name: "debian:11", luks: "Please unlock disk root:"},
|
||||||
{name: "centos:8", luks: "Please enter passphrase for disk"},
|
{name: "centos:8", luks: "Please enter passphrase for disk"},
|
||||||
}
|
}
|
||||||
|
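Review bot: Replacing `ubuntu:18.04` with `ubuntu:20.04` in `images` removes 18.04 from the matrix altogether, while the README hunk in this commit still lists Ubuntu (18.04+) as working and tested. Nothing visible here exercises the new refusal path either, so a regression that lets an unsupported release through the LUKS gate would go unnoticed. If the test loop (outside this hunk) can skip the LUKS case for an entry, keep an 18.04 entry for the unencrypted build. Also add a negative case asserting that a LUKS build of `ubuntu:18.04` fails with the "not supported" error.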
@ -19,6 +19,7 @@ import (
|
|||||||
"fmt"
|
"fmt"
|
||||||
"os"
|
"os"
|
||||||
"path/filepath"
|
"path/filepath"
|
||||||
|
"strconv"
|
||||||
"strings"
|
"strings"
|
||||||
"text/template"
|
"text/template"
|
||||||
|
|
||||||
@ -66,6 +67,31 @@ type OSRelease struct {
|
|||||||
VersionCodeName string
|
VersionCodeName string
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (r OSRelease) SupportsLUKS() bool {
|
||||||
|
switch r.ID {
|
||||||
|
case ReleaseUbuntu:
|
||||||
|
return r.VersionID >= "20.04"
|
||||||
|
case ReleaseDebian:
|
||||||
|
v, err := strconv.Atoi(r.VersionID)
|
||||||
|
if err != nil {
|
||||||
|
logrus.Warnf("%s: failed to parse version id: %v", r.Version, err)
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
return v >= 10
|
||||||
|
case ReleaseKali:
|
||||||
|
// TODO: check version
|
||||||
|
return true
|
||||||
|
case ReleaseCentOS:
|
||||||
|
return true
|
||||||
|
case ReleaseAlpine:
|
||||||
|
return true
|
||||||
|
case ReleaseRHEL:
|
||||||
|
return false
|
||||||
|
default:
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
func ParseOSRelease(s string) (OSRelease, error) {
|
func ParseOSRelease(s string) (OSRelease, error) {
|
||||||
env, err := godotenv.Parse(strings.NewReader(s))
|
env, err := godotenv.Parse(strings.NewReader(s))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
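Review bot: In `SupportsLUKS` the Ubuntu branch uses `r.VersionID >= "20.04"`, a byte-wise string comparison, so a single-digit major such as "9.10" or "8.04" sorts above "20.04" and is reported as supported. Parse the major component numerically, as the Debian branch already does; failing closed on a parse error is the right default for an encryption gate. The Debian warning logs `r.Version` rather than the `r.VersionID` that failed to parse, and an os-release without a numeric `VERSION_ID` (possibly Debian testing/unstable) will be refused with only that warning as a hint. The exported method also has no doc comment; something like `// SupportsLUKS reports whether d2vm can build a LUKS-encrypted root for this release.` would do.

```go
	case ReleaseUbuntu:
		// VERSION_ID is "YY.MM": compare the major part as a number, not as a string.
		major := strings.SplitN(r.VersionID, ".", 2)[0]
		v, err := strconv.Atoi(major)
		if err != nil {
			logrus.Warnf("%s: failed to parse version id %q: %v", r.ID, r.VersionID, err)
			return false
		}
		return v >= 20
	// … unchanged: Debian, Kali, CentOS, Alpine, RHEL and default cases …
```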
@ -45,5 +45,6 @@ iface eth0 inet dhcp\n\
|
|||||||
|
|
||||||
{{- if .Luks }}
|
{{- if .Luks }}
|
||||||
RUN DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends cryptsetup-initramfs && \
|
RUN DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends cryptsetup-initramfs && \
|
||||||
update-initramfs -u -v
|
echo "CRYPTSETUP=y" >> /etc/cryptsetup-initramfs/conf-hook && \
|
||||||
|
update-initramfs -u -v
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
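Review bot: The added `echo "CRYPTSETUP=y" >> /etc/cryptsetup-initramfs/conf-hook` carries no comment explaining why the hook has to be forced. The setting makes `update-initramfs` include cryptsetup even when no encrypted root is detected, which is presumably the situation inside the build container. A line above the `RUN` such as `# force cryptsetup into the initramfs; the encrypted root does not exist at image build time` would record that. The other template section on this page keeps a bare `update-initramfs -u -v`, so it is worth confirming that the release it targets does not need the same line, since an initramfs without cryptsetup would leave the encrypted root unbootable.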
@ -43,5 +43,5 @@ iface eth0 inet dhcp\n\
|
|||||||
|
|
||||||
{{- if .Luks }}
|
{{- if .Luks }}
|
||||||
RUN DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends cryptsetup-initramfs && \
|
RUN DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends cryptsetup-initramfs && \
|
||||||
update-initramfs -u -v
|
update-initramfs -u -v
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|