curtin

Merge ~ogayot/curtin:recovery-key into curtin:master

  1. Git
  2. lp:~ogayot/curtin
  3. recovery-key
  4. Merge into master
Proposed by Olivier Gayot
Status: Merged
Approved by: Olivier Gayot
Approved revision: 2bfebabc9aa8be019b05d9c2eb0077f83f1a96de
Merge reported by: Server Team CI bot
Merged at revision: not available
Proposed branch: ~ogayot/curtin:recovery-key
Merge into: curtin:master
Diff against target: 97 lines (+66/-0)
2 files modified
curtin/commands/block_meta.py (+14/-0)
tests/unittests/test_commands_block_meta.py (+52/-0)
Reviewer Review Type Date Requested Status
Server Team CI bot continuous-integration Needs Fixing
Dan Bungert Approve
Michael Hudson-Doyle Approve
Review via email: mp+449362@code.launchpad.net

Commit message

block_meta: add luks recovery key if requested

If the storage configuration contains the key "recovery_keyfile", call
cryptsetup luksAddKey after cryptsetup luksFormat so that the key
specified is added as a recovery key (i.e., a normal key in the second
key slot).

Signed-off-by: Olivier Gayot <email address hidden>

Description of the change

This adds support for adding a LUKS recovery key. Something special probably needs to be done for s390x but that's all I have at the moment.

To post a comment you must log in.
Revision history for this message
Server Team CI bot (server-team-bot) wrote :

PASSED: Continuous integration, rev:5d6aed93658f5fb85b4277bdf21c9f10c80d8ebb
https://jenkins.canonical.com/server-team/job/curtin-ci/171/
Executed test runs:
    SUCCESS: https://jenkins.canonical.com/server-team/job/curtin-ci/nodes=metal-amd64/171/
    SUCCESS: https://jenkins.canonical.com/server-team/job/curtin-ci/nodes=metal-arm64/171/
    SUCCESS: https://jenkins.canonical.com/server-team/job/curtin-ci/nodes=metal-ppc64el/171/
    SUCCESS: https://jenkins.canonical.com/server-team/job/curtin-ci/nodes=metal-s390x/171/

Click here to trigger a rebuild:
https://jenkins.canonical.com/server-team/job/curtin-ci/171//rebuild

review: Approve (continuous-integration)
Revision history for this message
Michael Hudson-Doyle (mwhudson) wrote :

lgtm

review: Approve
Revision history for this message
Dan Bungert (dbungert) wrote :

I think it's fine to not have the zkey part sorted out yet, so long as the Subiquity side is programmed in a way that is consistent.

I suppose in this case it means we shouldn't be asking for a recovery key on s390x if we can't act on it.

review: Approve
Revision history for this message
Server Team CI bot (server-team-bot) wrote :

PASSED: Continuous integration, rev:2bfebabc9aa8be019b05d9c2eb0077f83f1a96de
https://jenkins.canonical.com/server-team/job/curtin-ci/187/
Executed test runs:
    SUCCESS: https://jenkins.canonical.com/server-team/job/curtin-ci/nodes=metal-amd64/187/
    SUCCESS: https://jenkins.canonical.com/server-team/job/curtin-ci/nodes=metal-arm64/187/
    SUCCESS: https://jenkins.canonical.com/server-team/job/curtin-ci/nodes=metal-ppc64el/187/
    SUCCESS: https://jenkins.canonical.com/server-team/job/curtin-ci/nodes=metal-s390x/187/

Click here to trigger a rebuild:
https://jenkins.canonical.com/server-team/job/curtin-ci/187//rebuild

review: Approve (continuous-integration)
Revision history for this message
Server Team CI bot (server-team-bot) wrote :

Autolanding: FAILED
More details in the following jenkins job:
https://jenkins.canonical.com/server-team/job/curtin-autoland-test/101/
Executed test runs:
    FAILURE: https://jenkins.canonical.com/server-team/job/curtin-autoland-test/nodes=metal-amd64/101/
    FAILURE: https://jenkins.canonical.com/server-team/job/curtin-autoland-test/nodes=metal-arm64/101/
    FAILURE: https://jenkins.canonical.com/server-team/job/curtin-autoland-test/nodes=metal-ppc64el/101/
    FAILURE: https://jenkins.canonical.com/server-team/job/curtin-autoland-test/nodes=metal-s390x/101/

review: Needs Fixing (continuous-integration)

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
diff --git a/curtin/commands/block_meta.py b/curtin/commands/block_meta.py
index dd6992d..64bf393 100644
--- a/curtin/commands/block_meta.py
+++ b/curtin/commands/block_meta.py
@@ -1645,6 +1645,8 @@ def dm_crypt_handler(info, storage_config, context):
1645 else:1645 else:
1646 raise ValueError("encryption key or keyfile must be specified")1646 raise ValueError("encryption key or keyfile must be specified")
16471647
1648 recovery_keyfile = info.get('recovery_keyfile')
1649
1648 create_dmcrypt = True1650 create_dmcrypt = True
1649 if preserve:1651 if preserve:
1650 dm_crypt_verify(dmcrypt_dev, volume_path)1652 dm_crypt_verify(dmcrypt_dev, volume_path)
@@ -1688,8 +1690,20 @@ def dm_crypt_handler(info, storage_config, context):
1688 if keysize:1690 if keysize:
1689 cmd.extend(["--key-size", keysize])1691 cmd.extend(["--key-size", keysize])
1690 cmd.extend(["luksFormat", volume_path, keyfile])1692 cmd.extend(["luksFormat", volume_path, keyfile])
1693
1691 util.subp(cmd)1694 util.subp(cmd)
16921695
1696 # Should this be done as well if we are using zkey?
1697 if recovery_keyfile is not None:
1698 LOG.debug("Adding recovery key to %s", volume_path)
1699
1700 cmd = [
1701 "cryptsetup", "luksAddKey",
1702 "--key-file", keyfile,
1703 volume_path, recovery_keyfile]
1704
1705 util.subp(cmd)
1706
1693 cmd = ["cryptsetup", "open", "--type", luks_type, volume_path, dm_name,1707 cmd = ["cryptsetup", "open", "--type", luks_type, volume_path, dm_name,
1694 "--key-file", keyfile]1708 "--key-file", keyfile]
16951709
diff --git a/tests/unittests/test_commands_block_meta.py b/tests/unittests/test_commands_block_meta.py
index 87e46eb..1a1f65d 100644
--- a/tests/unittests/test_commands_block_meta.py
+++ b/tests/unittests/test_commands_block_meta.py
@@ -2100,6 +2100,58 @@ class TestDmCryptHandler(CiTestCase):
2100 self.m_subp.assert_has_calls(expected_calls)2100 self.m_subp.assert_has_calls(expected_calls)
2101 self.assertEqual(len(util.load_file(self.crypttab).splitlines()), 1)2101 self.assertEqual(len(util.load_file(self.crypttab).splitlines()), 1)
21022102
2103 def test_dm_crypt_calls_cryptsetup_with_recovery_key(self):
2104 """ verify dm_crypt calls (format, addKey, open) w/ correct params"""
2105 volume_path = self.random_string()
2106 self.m_getpath.return_value = volume_path
2107
2108 recovery_keyfile = self.random_string()
2109 config = {
2110 'storage': {
2111 'version': 1,
2112 'config': [
2113 {'grub_device': True,
2114 'id': 'sda',
2115 'name': 'sda',
2116 'path': '/wark/xxx',
2117 'ptable': 'msdos',
2118 'type': 'disk',
2119 'wipe': 'superblock'},
2120 {'device': 'sda',
2121 'id': 'sda-part1',
2122 'name': 'sda-part1',
2123 'number': 1,
2124 'size': '511705088B',
2125 'type': 'partition'},
2126 {'id': 'dmcrypt0',
2127 'type': 'dm_crypt',
2128 'dm_name': 'cryptroot',
2129 'volume': 'sda-part1',
2130 'cipher': self.cipher,
2131 'keysize': self.keysize,
2132 'keyfile': self.keyfile,
2133 'recovery_keyfile': recovery_keyfile},
2134 ],
2135 }
2136 }
2137 storage_config = block_meta.extract_storage_ordered_dict(config)
2138
2139 info = storage_config['dmcrypt0']
2140
2141 block_meta.dm_crypt_handler(info, storage_config, empty_context)
2142 expected_calls = [
2143 call(['cryptsetup', '--cipher', self.cipher,
2144 '--key-size', self.keysize,
2145 'luksFormat', volume_path, self.keyfile]),
2146 call(['cryptsetup', 'luksAddKey',
2147 '--key-file', self.keyfile,
2148 volume_path, recovery_keyfile]),
2149 call(['cryptsetup', 'open', '--type', 'luks', volume_path,
2150 info['dm_name'], '--key-file', self.keyfile])
2151 ]
2152 self.m_subp.assert_has_calls(expected_calls)
2153 self.assertEqual(len(util.load_file(self.crypttab).splitlines()), 1)
2154
2103 def test_dm_crypt_defaults_dm_name_to_id(self):2155 def test_dm_crypt_defaults_dm_name_to_id(self):
2104 """ verify dm_crypt_handler falls back to id with no dm_name. """2156 """ verify dm_crypt_handler falls back to id with no dm_name. """
2105 volume_path = self.random_string()2157 volume_path = self.random_string()

Subscribers

People subscribed via source and target branches