This repository was archived by the owner on Aug 25, 2021. It is now read-only.

*: add LUKS#192

Merged
arithx merged 1 commit into coreos:master from arithx:luks
Jul 10, 2020

Conversation


@arithx arithx commented Jun 10, 2020

Adds LUKS related binaries to dracut, a new unit that copies keyfiles
from the initramfs to the real root, a generator for unlocking clevis
devices, a udev rule to discover unformatted encrypted devices, and two
cracklib files needed by clevis in the initramfs.


arithx commented Jun 10, 2020

Ignition LUKS Overview:

PR Links:
Ignition
Ignition-Dracut
fedora-coreos-config

Ignition now supports configuring LUKS devices that can be unlocked via either key-files, TPM2, or tang. TPM2 & tang based devices are handled internally via clevis while key-file based devices are entirely handled via cryptsetup.

First boot workflow:

  1. Ignition Disks creates LUKS devices
    • Every device has a key-file; if one was not provided to Ignition then one will be created (NOTE: this can only happen for clevis based devices). If the key-file was created via Ignition it will be removed; provided key-files will be persisted to the real root at /etc/luks/<device_name>
    • Devices are closed when the Disks stage ends
  2. A new script ignition-copy-keyfiles runs, copying the key-files to the real root
  3. Ignition Mount unlocks all LUKS devices before attempting mounts
  4. Ignition Files runs, appends content based on LUKS devices into /etc/crypttab (for key-file based devices) & /etc/clevistab (for clevis based devices).
    • /etc/crypttab format: <name> UUID=<device_uuid> <key_file_path> luks
    • /etc/clevistab format: <name> UUID=<device_uuid> <is_net>, if <is_net> is _netdev then the resulting unlock unit will be generated targeting running before remote-cryptsetup.target instead of the default cryptsetup.target (NOTE: the mount unit for the filesystem will also need to contain Before=remote-fs.target, After=network-online.target and DefaultDependencies=no)
  5. Ignition Umount runs and closes LUKS devices after unmounting filesystems

This set of changes will require updates to the Ignition specfile. In the ignition-dracut change set the ignition-firstboot-complete unit has its directory moved (from systemd/ to systemd/system/) and a new generator unit ignition-clevis-generator (in systemd/system-generators/). Example change from my local setup:

%files
%license LICENSE LICENSE.dracut
%doc README.md doc/
%{dracutlibdir}/modules.d/*
%{_prefix}/lib/systemd/system/*.service
%{_prefix}/lib/systemd/system-generators/*

&

%install
# ignition-dracut
install -d -p %{buildroot}/%{dracutlibdir}/modules.d
install -d -p %{buildroot}/%{_prefix}/lib/systemd/system
install -d -p %{buildroot}/%{_prefix}/lib/systemd/system-generators
pushd %{dracutrepo}-%{dracutcommit} >/dev/null
cp -r dracut/* %{buildroot}/%{dracutlibdir}/modules.d/
install -m 0644 -t %{buildroot}/%{_prefix}/lib/systemd/system/ systemd/system/*
install -m 0755 -t %{buildroot}/%{_prefix}/lib/systemd/system-generators/ systemd/system-generators/*
popd >/dev/null
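The /etc/clevistab handling in step 4 above (one `<name> UUID=<uuid> [_netdev]` entry per device, with `_netdev` moving the unlock unit before remote-cryptsetup.target instead of cryptsetup.target) can be illustrated with a small parser and unit renderer. This is an added example, not the project's ignition-clevis-generator; the unit layout, the `clevis luks unlock -d ... -n ...` invocation and the hand-rolled `systemd-escape` stand-in are assumptions, and the clevistab contents are constructed.

```python
import re
from collections import namedtuple

# Added example: hypothetical clevistab parser and unlock-unit renderer modelled
# on the format the PR comment describes; not the project's ignition-clevis-generator.
CLEVISTAB_RE = re.compile(r"^(?P<name>\S+)\s+UUID=(?P<uuid>[0-9a-fA-F-]{36})(?:\s+(?P<opt>\S+))?$")
ClevisEntry = namedtuple("ClevisEntry", "name uuid netdev")

# Constructed sample input (not taken from the PR).
SAMPLE = """\
data   UUID=0b0a4a2e-7e9b-4f1a-9f2e-1c2d3e4f5a6b
remote UUID=9d8c7b6a-5f4e-3d2c-1b0a-ffeeddccbbaa _netdev
"""

def parse_clevistab(text):
    """Parse '<name> UUID=<uuid> [_netdev]' lines; reject anything else."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # tolerate comments and blank lines
        if not line:
            continue
        m = CLEVISTAB_RE.match(line)
        opt = m.group("opt") if m else None
        if not m or opt not in (None, "_netdev"):
            raise ValueError(f"clevistab line {lineno}: bad entry {raw!r}")
        entries.append(ClevisEntry(m.group("name"), m.group("uuid").lower(), opt == "_netdev"))
    return entries

def device_unit(path):
    """Minimal stand-in for `systemd-escape --path`: '-' -> '\\x2d', '/' -> '-'."""
    return path.strip("/").replace("-", "\\x2d").replace("/", "-") + ".device"

def unit_for(entry):
    """Render the unlock unit; _netdev orders it before remote-cryptsetup.target."""
    target = "remote-cryptsetup.target" if entry.netdev else "cryptsetup.target"
    dev = device_unit(f"/dev/disk/by-uuid/{entry.uuid}")
    after = dev + (" network-online.target" if entry.netdev else "")
    return "\n".join([
        "[Unit]",
        "DefaultDependencies=no",
        f"BindsTo={dev}",
        f"After={after}",
        f"Before={target} umount.target",
        "",
        "[Service]",
        "Type=oneshot",
        "RemainAfterExit=yes",
        f"ExecStart=/usr/bin/clevis luks unlock -d /dev/disk/by-uuid/{entry.uuid} -n {entry.name}",
        f"ExecStop=/usr/sbin/cryptsetup close {entry.name}",
    ]) + "\n"
```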

@arithx arithx force-pushed the luks branch 2 times, most recently from b1286a6 to 5b6c3b1 on July 7, 2020 19:12

@jlebon jlebon left a comment


LGTM! Tested working. And CI is at least giving us confidence it's not somehow breaking non-LUKS cases, so let's get this in.

(One optional nit: now that it's been pared down quite a bit from the original PR, I think we can rename the commit message to e.g. 30ignition: add support for LUKS or something?).


arithx commented Jul 8, 2020

+1 to the commit title change.

Adds LUKS related binaries to dracut & a udev rule to discover
unformatted encrypted devices.

arithx commented Jul 10, 2020

Updated


@jlebon jlebon left a comment


This looks great now! Will let you do the honours. :)


jlebon commented Jul 15, 2020

I saw this go by while investigating something unrelated:

[    4.158328] systemd-udevd[384]: /usr/lib/udev/rules.d/99-xx-ignition-systemd-cryptsetup.rules:6 ENV key takes '==', '!=', '=', or '+=' operator, assuming '=', but please fix it.


arithx commented Jul 16, 2020

#199
