Ricardo Marin Matinata
2010-Jul-21 22:11 UTC
[Ovirt-devel] [PATCH] RFC: Encrypted swap support
(depends on Advance Storage Configuration patch) This patch adds the option of requesting, at install time, that swap LVs be encrypted. The modifications include:
* Introduction of the ovirt_swap_encrypt install parameter
* Inclusion of all required packages
* Inclusion of required kernel modules
* Introduction of /etc/ovirt-crypttab to hold encrypted swap configuration (Couldn't use /etc/crypttab since it happens in rc.sysinit, before persistence is available
* Modification of ovirt-early so it automatically brings up encrypted swap, if available
It works as follows:
ovirt_swap_encrypt={Swap|Swap2},cypher1[:cypher2...][;{Swap|Swap2},...]
the default cypher is set to aes-cbc-essiv:sha256
Signed-off-by: Ricardo Marin Matinata <matinata at br.ibm.com>
---
 recipe/common-blacklist.ks | 4 +-
 recipe/common-pkgs.ks | 1 +
 recipe/common-post.ks | 12 +++++++++++
 scripts/ovirt-config-storage | 19 ++++++++++++++---
 scripts/ovirt-early | 37 ++++++++++++++++++++++++++++++++++-
 scripts/ovirt-functions | 44 ++++++++++++++++++++++++++++++++++++++++++
 6 files changed, 110 insertions(+), 7 deletions(-)
diff --git a/recipe/common-blacklist.ks b/recipe/common-blacklist.ks
index 7c08c39..4fb980e 100644
--- a/recipe/common-blacklist.ks
+++ b/recipe/common-blacklist.ks
@@ -15,7 +15,7 @@ RPMS="$RPMS mkinitrd isomd5sum dmraid checkpolicy"
 # Remove additional RPMs forcefully
 RPMS="$RPMS gamin pm-utils kbd usermode vbetool ConsoleKit hdparm \
 efibootmgr linux-atm-libs fedora-release-notes \
- cryptsetup-luks pciutils mtools syslinux \
+ pciutils mtools syslinux \
 wireless-tools radeontool libicu gnupg2 \
 fedora-logos"
@@ -57,7 +57,7 @@ driver_mods="drivers/auxdisplay drivers/net/appletalk \
 drivers/net/hamradio drivers/net/pcmcia drivers/net/tokenring \
 drivers/net/wireless drivers/net/irda drivers/atm drivers/usb/atm \
 drivers/acpi drivers/char/drm drivers/char/mwave \
- drivers/char/ipmp drivers/char/pcmcia drivers/crypto \
+ drivers/char/ipmp drivers/char/pcmcia \
 drivers/firmware drivers/memstick drivers/mmc drivers/mfs \
 drivers/parport drivers/video drivers/watchdog drivers/net/ppp* \
 drivers/usb/serial drivers/usb/misc drivers/usb/class \
diff --git a/recipe/common-pkgs.ks b/recipe/common-pkgs.ks
index 7578335..126e26f 100644
--- a/recipe/common-pkgs.ks
+++ b/recipe/common-pkgs.ks
@@ -78,3 +78,4 @@ device-mapper-multipath
 kpartx
 dracut-network
 patch
+cryptsetup-luks
diff --git a/recipe/common-post.ks b/recipe/common-post.ks
index c79e186..4fae515 100644
--- a/recipe/common-post.ks
+++ b/recipe/common-post.ks
@@ -221,3 +221,15 @@
 mkdir -p /data2
 mkdir -p /liveos
 echo "/dev/HostVG/Config /config ext3 defaults,noauto,noatime 0 0" >> /etc/fstab
+# load modules required by crypto swap
+cat > /etc/sysconfig/modules/swap-crypt.modules <<EOF
+#!/bin/sh
+
+modprobe aes >/dev/null 2>&1
+modprobe dm_mod >/dev/null 2>&1
+modprobe dm_crypt >/dev/null 2>&1
+modprobe cryptoloop >/dev/null 2>&1
+modprobe cbc >/dev/null 2>&1
+modprobe sha256 >/dev/null 2>&1
+
+EOF
diff --git a/scripts/ovirt-config-storage b/scripts/ovirt-config-storage
index e3bb57b..c984265 100755
--- a/scripts/ovirt-config-storage
+++ b/scripts/ovirt-config-storage
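Review bot: `modprobe cryptoloop` in the generated swap-crypt.modules file loads a driver this feature never uses: the swap mapping is created with `cryptsetup ... create` in mount_crypt_swap, which goes through dm-crypt (dm_mod/dm_crypt), whereas cryptoloop is the separate loop-device encryption path that dm-crypt superseded. Loading an unneeded kernel module on every boot only adds attack surface, so the line should be dropped. The remaining modprobes cover exactly the default cypher (aes, cbc, sha256); a non-default cypher passed via ovirt_swap_encrypt will presumably rely on the kernel crypto API auto-loading its modules, which is worth confirming and stating in the comment, e.g. `# preload modules for the default cypher aes-cbc-essiv:sha256; other cyphers depend on module autoloading`.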
@@ -677,8 +677,12 @@ create_hostvg()
 if [ "$SWAP_SIZE" -gt 0 ]; then
 log "Creating swap partition"
 lvcreate --name Swap --size ${SWAP_SIZE}M /dev/HostVG
- mkswap -L "SWAP" /dev/HostVG/Swap
- echo "/dev/HostVG/Swap swap swap defaults 0 0" >> /etc/fstab
+ if [ -n ${OVIRT_CRYPT_SWAP} ]; then
+ echo "SWAP /dev/HostVG/Swap /dev/mapper/ovirt-crypt-swap ${OVIRT_CRYPT_SWAP}" >> /etc/ovirt-crypttab
+ else
+ mkswap -L "SWAP" /dev/HostVG/Swap
+ echo "/dev/HostVG/Swap swap swap defaults 0 0" >> /etc/fstab
+ fi
 fi
 if [ "$CONFIG_SIZE" -gt 0 ]; then
 log "Creating config partition"
@@ -769,8 +773,12 @@ create_appvg()
 if [ "$SWAP2_SIZE" -gt 0 ]; then
 log "Creating swap2 partition"
 lvcreate --name Swap2 --size ${SWAP2_SIZE}M /dev/AppVG
- mkswap -L "SWAP2" /dev/AppVG/Swap2
- echo "/dev/AppVG/Swap2 swap swap defaults 0 0" >> /etc/fstab
+ if [ -n ${OVIRT_CRYPT_SWAP2} ]; then
+ echo "SWAP2 /dev/AppVG/Swap2 /dev/mapper/ovirt-crypt-swap2 ${OVIRT_CRYPT_SWAP2}" >> /etc/ovirt-crypttab
+ else
+ mkswap -L "SWAP2" /dev/AppVG/Swap2
+ echo "/dev/AppVG/Swap2 swap swap defaults 0 0" >> /etc/fstab
+ fi
 fi
 local use_data=1
@@ -885,6 +893,9 @@ perform_partitioning()
 done
 create_hostvg
 [ -n ${APPVGDRIVE} ] && create_appvg
+ if [ -n ${OVIRT_CRYPT_SWAP2} -o -n ${OVIRT_CRYPT_SWAP} ]; then
+ ovirt_store_config /etc/ovirt-crypttab
+ fi
 stop_log
 }
diff --git a/scripts/ovirt-early b/scripts/ovirt-early
index 23198b1..5c8793d 100755
--- a/scripts/ovirt-early
+++ b/scripts/ovirt-early
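Review bot: `[ -n ${OVIRT_CRYPT_SWAP} ]` in create_hostvg is true even when the variable is empty, because the unquoted empty expansion leaves a one-argument test `[ -n ]`, which checks the literal string "-n" for non-emptiness; the crypttab branch is therefore taken on every install and the plain `mkswap`/fstab path becomes unreachable. The same defect is in `[ -n ${OVIRT_CRYPT_SWAP2} ]` in create_appvg and in the combined `-o` test in perform_partitioning, which then persists /etc/ovirt-crypttab unconditionally. Quote the expansions: `if [ -n "${OVIRT_CRYPT_SWAP}" ]; then`, `if [ -n "${OVIRT_CRYPT_SWAP2}" ]; then` and `if [ -n "${OVIRT_CRYPT_SWAP2}" ] || [ -n "${OVIRT_CRYPT_SWAP}" ]; then`. Where OVIRT_CRYPT_SWAP and OVIRT_CRYPT_SWAP2 are populated is not visible in this patch — presumably from the new crypt_swap/crypt_swap2 defaults — so a one-line comment at the first use naming that source would help the next reader. All three enclosing functions start outside the hunks.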
@@ -239,6 +239,12 @@ start_ovirt_early () {
 vol_swap2_size
 vol_data2_size
+ # ovirt_swap_encrypt={Swap|Swap2},cypher1[:cypher2...][;{Swap|Swap2}...]
+ # request swap encryption
+ # the default cypher is set to aes-cbc-essiv:sha256
+ crypt_swap
+ crypt_swap2
+
 # ovirt_upgrade
 # install/update oVirt Node image on the local installation target disk
 upgrade
@@ -572,6 +578,32 @@ start_ovirt_early () {
 BOOT_IMAGE=* | initrd=* | check | linux | liveimg | \
 root=* | rootfstype=* | rootflags=* | ro) ;;
+ ovirt_swap_encrypt=*)
+ i=${i#ovirt_swap_encrypt=}
+ eval $(printf $i|awk -F\; '{ print "swap1="$1; print "swap2="$2; }')
+ for p in 1 2; do
+ var=swap$p
+ swapdev
+ swapcyph
+ local default_cypher="aes-cbc-essiv:sha256"
+ if [ -n ${!var} ]; then
+ eval $(printf ${!var} |awk -F, '{ print "swapdev="$1; print "swapcyph="$2; }')
+ if [ "${swapdev}" = "Swap" ]; then
+ if [ -n ${swapcyph} ]; then
+ crypt_swap=${swapcyph}
+ else
+ crypt_swap=${default_cypher}
+ fi
+ elif [ "${swapdev}" = "Swap2" ]; then
+ if [ -n ${swapcyph} ]; then
+ crypt_swap2=${swapcyph}
+ else
+ crypt_swap2=${default_cypher}
+ fi
+ fi
+ fi
+ done
+ ;;
 *) bootparams="$bootparams $i" ;;
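Review bot: The two `eval $(printf ... | awk ...)` lines in the new `ovirt_swap_encrypt=*` arm execute text taken from the kernel command line as shell code, and `printf $i` uses that text as the format string, so a value containing `%`, whitespace or shell metacharacters is misparsed or run as a command. Neither eval is needed: the `;`-separated and `,`-separated fields can be split with `read` and IFS, which assigns without re-parsing, and the value then reaches cryptsetup only as an ordinary argument. The unquoted `[ -n ${!var} ]` is always true when the field is empty (it degenerates to `[ -n ]`) and should be `[ -n "${!var}" ]`. As rendered here `swapdev`, `swapcyph`, `crypt_swap` and `crypt_swap2` appear without their `=`; that looks like mangling of a trailing `=` in transit rather than the patch itself, but it is worth checking in the applied file. The enclosing `case` and start_ovirt_early continue outside the hunk.
```shell
ovirt_swap_encrypt=*)
    i=${i#ovirt_swap_encrypt=}
    IFS=';' read -r swap1 swap2 <<< "$i"
    for p in 1 2; do
        var=swap$p
        swapdev=
        swapcyph=
        local default_cypher="aes-cbc-essiv:sha256"
        if [ -n "${!var}" ]; then
            IFS=',' read -r swapdev swapcyph <<< "${!var}"
            # … unchanged: Swap / Swap2 dispatch into crypt_swap / crypt_swap2 …
        fi
    done
    ;;
```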
@@ -592,7 +624,7 @@ start_ovirt_early () {
 ip_gateway=$gateway
 fi
 # save boot parameters as defaults for ovirt-config-*
- params="bootif init initapp vol_boot_size vol_swap_size vol_root_size vol_config_size vol_logging_size vol_data_size vol_swap2_size vol_data2_size upgrade standalone overcommit ip_address ip_netmask ip_gateway ipv6 dns ntp vlan ssh_pwauth syslog_server syslog_port collectd_server collectd_port bootparams hostname firstboot runtime_mode"
+ params="bootif init initapp vol_boot_size vol_swap_size vol_root_size vol_config_size vol_logging_size vol_data_size vol_swap2_size vol_data2_size crypt_swap crypt_swap2 upgrade standalone overcommit ip_address ip_netmask ip_gateway ipv6 dns ntp vlan ssh_pwauth syslog_server syslog_port collectd_server collectd_port bootparams hostname firstboot runtime_mode"
 # mount /config unless firstboot is forced
 if [ "$firstboot" != "1" ]; then
 mount_config
@@ -610,6 +642,9 @@ start_ovirt_early () {
 done
 augtool $tmpaug . $OVIRT_DEFAULTS
+ if [ "$firstboot" != "1" -a -f /etc/ovirt-crypttab ]; then
+ mount_crypt_swap
+ fi
 if [ -f /etc/sysconfig/network ]; then
 . /etc/sysconfig/network
 if [ -n "$HOSTNAME" ]; then
diff --git a/scripts/ovirt-functions b/scripts/ovirt-functions
index 5c574f7..06611b6 100644
--- a/scripts/ovirt-functions
+++ b/scripts/ovirt-functions
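Review bot: The `mount_crypt_swap` call in the second hunk discards the function's return status, so a node that fails to bring up its encrypted swap keeps booting with no swap at all and nothing at the call site says so (the function logs individual steps, but the caller never reports the overall outcome). `-a` inside `[ ]` is also the obsolescent form; write the block as `if [ "$firstboot" != "1" ] && [ -f /etc/ovirt-crypttab ]; then` and `mount_crypt_swap || log "encrypted swap activation failed"`, assuming `log` is in scope here as it is in ovirt-functions. start_ovirt_early continues outside the hunk.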
@@ -447,6 +447,50 @@ mount_data2() {
 fi
 }
+mount_crypt_swap() {
+ crypttab="/etc/ovirt-crypttab"
+ rc=1
+ { [ -z "${crypttab}" ] || [ ! -f "${crypttab}" ] || [ ! $(cat "${crypttab}") ]; }
+&& return ${rc}
+ rc=0
+
+ while read label dev mapp cyph; do
+ if [ -n ${label} -a -n ${dev} -a -n ${mapp} -a -n ${cyph} ]; then
+ if grep -q "${dev}" /proc/swaps; then
+ swapoff ${dev} >/dev/null 2>&1
+ rc=$?
+ [ ${rc} -ne 0 ] && {
+ log "swapoff failed for Un-encrypted ${dev}";
+ continue;
+ }
+ fi
+ if [ ! -b ${mapp} ]; then
+ /sbin/cryptsetup -d /dev/urandom -c ${cyph} create ${mapp} ${dev} > /dev/null 2>&1
+ rc=$?
+ [ ${rc} -ne 0 ] && {
+ log "Creation of encrypted swap for ${dev} failed";
+ continue;
+ }
+ fi
+ mkswap -L ${label} ${mapp} >/dev/null 2>&1
+ rc=$?
+ [ ${rc} -ne 0 ] && {
+ log "Creation of swap for ${mapp} failed";
+ continue;
+ }
+ swapon ${mapp} > /dev/null 2>&1
+ [ ${rc} -ne 0 ] && {
+ log "Activation of swap for ${mapp} failed";
+ continue;
+ }
+ else
+ continue
+ fi
+ done < ${cypttab}
+
+ return ${rc}
+}
+
 # augtool wrapper
 # workaround for bind-mounted files
 # see https://fedorahosted.org/augeas/ticket/32
-- 1.6.6.1
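Review bot: `done < ${cypttab}` at the end of the `while` loop misspells `crypttab`; the redirection expands to nothing, bash rejects it as an ambiguous redirect, and the loop body never runs, so this function activates no encrypted swap at all. Further up, `swapon ${mapp}` is not followed by `rc=$?`, so the check after it re-tests mkswap's status and a failed swapon is reported as success. The emptiness test `[ ! $(cat "${crypttab}") ]` word-splits the whole file into test arguments and is better written `[ -s "${crypttab}" ] || return ${rc}`; as rendered, the `&& return` continuation follows a line with no trailing backslash, which would be a syntax error when ovirt-functions is sourced, so please confirm the applied file. The field test `[ -n ${label} -a -n ${dev} ... ]` and the cryptsetup/mkswap/swapon arguments are all unquoted, and `${cyph}` arrives straight from the boot parameter, so quoting keeps a malformed value from becoming extra arguments to cryptsetup; `grep -q "${dev}"` also matches any entry containing the path as a substring (/dev/HostVG/Swap matches Swap2) and, for an LV, /proc/swaps may list a resolved /dev/dm-* name instead, which is worth checking separately.
```shell
mount_crypt_swap() {
    local crypttab="/etc/ovirt-crypttab"
    local rc=1 label dev mapp cyph
    [ -s "${crypttab}" ] || return ${rc}
    rc=0

    while read -r label dev mapp cyph; do
        if [ -n "${label}" ] && [ -n "${dev}" ] && [ -n "${mapp}" ] && [ -n "${cyph}" ]; then
            # anchored: an unanchored "${dev}" also matches /dev/HostVG/Swap2 when looking for Swap
            if grep -q "^${dev}[[:space:]]" /proc/swaps; then
                swapoff "${dev}" >/dev/null 2>&1
                # … unchanged: rc=$? / log / continue …
            fi
            if [ ! -b "${mapp}" ]; then
                /sbin/cryptsetup -d /dev/urandom -c "${cyph}" create "${mapp}" "${dev}" > /dev/null 2>&1
                # … unchanged: rc=$? / log / continue …
            fi
            mkswap -L "${label}" "${mapp}" >/dev/null 2>&1
            # … unchanged: rc=$? / log / continue …
            swapon "${mapp}" > /dev/null 2>&1
            rc=$?
            [ ${rc} -ne 0 ] && {
                log "Activation of swap for ${mapp} failed";
                continue;
            }
        else
            continue
        fi
    done < "${crypttab}"

    return ${rc}
}
```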