update encfs to use cbl mariner

.github/workflows/ci.yml

@@ -43,7 +43,7 @@ on:
 env:
   BASE_ID: ${{ github.run_id }}-${{ github.run_number }}-${{ inputs.location }}-${{ inputs.policy_type }}
   LOCATION: ${{ inputs.location || 'westeurope' }}
-  POLICY_TYPE: ${{ inputs.policy_type || 'generated' }}
+  POLICY_TYPE: 'debug' # ${{ inputs.policy_type || 'generated' }}
 
 jobs:
   analyze:
@@ -224,7 +224,7 @@ jobs:
 
   test-encfs:
     name: Test EncFS
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     steps:
       - name: Checkout
         uses: actions/checkout@v4

cmd/remotefs/azurefs.go

@@ -289,14 +289,14 @@ func containerMountAzureFilesystem(tempDir string, index int, fs AzureFilesystem
 		}
 	}
 
-	defer func() {
-		// Delete keyfile on exit
-		if inErr := osRemoveAll(keyFilePath); inErr != nil {
-			logrus.WithError(inErr).Debugf("failed to delete keyfile: %s", keyFilePath)
-		} else {
-			logrus.Debugf("Deleted keyfile: %s", keyFilePath)
-		}
-	}()
+	// defer func() {
+	// 	// Delete keyfile on exit
+	// 	if inErr := osRemoveAll(keyFilePath); inErr != nil {
+	// 		logrus.WithError(inErr).Debugf("failed to delete keyfile: %s", keyFilePath)
+	// 	} else {
+	// 		logrus.Debugf("Deleted keyfile: %s", keyFilePath)
+	// 	}
+	// }()
 
 	// 3) Open encrypted filesystem with cryptsetup. The result is a block
 	// device in /dev/mapper/remote-crypt-[filesystem-index] so that it is

docker/encfs/Dockerfile.encfs

@@ -7,9 +7,11 @@ RUN cd tools/get-snp-report && make && mv bin/get-snp-report /
 RUN CGO_ENABLED=0 GOOS=linux go build -o / ./cmd/azmount
 RUN CGO_ENABLED=0 GOOS=linux go build -o / ./cmd/remotefs
 
-FROM alpine:3.18.6
+FROM mcr.microsoft.com/azurelinux/base/core:3.0
+#FROM alpine:3.18.6
 
-RUN apk update && apk upgrade --no-cache && apk add --no-cache cryptsetup fuse3 curl bash jq
+RUN tdnf update -y && tdnf upgrade -y && tdnf install -y cryptsetup fuse3 jq && tdnf clean all
+#RUN apk update && apk upgrade --no-cache && apk add --no-cache cryptsetup fuse3 curl bash jq
 
 COPY --from=build /get-snp-report /azmount /remotefs ./bin/
 

docker/skr/Dockerfile.skr

@@ -6,9 +6,9 @@ RUN cd tools/get-snp-report && make && mv bin/get-snp-report / && mv bin/get-fak
 
 RUN cd cmd/skr && CGO_ENABLED=0 GOOS=linux go build -o /skr -ldflags="-s -w" main.go
 
-FROM mcr.microsoft.com/cbl-mariner/base/core:2.0
+FROM mcr.microsoft.com/azurelinux/base/core:3.0
 
-RUN tdnf update -y && tdnf upgrade -y && tdnf install curl
+RUN tdnf update -y && tdnf upgrade -y && tdnf install curl && tdnf clean all
 
 COPY --from=build /skr /get-snp-report /get-fake-snp-report ./bin/
 

tests/encfs/encfs.bicep

@@ -91,6 +91,10 @@ resource containerGroup 'Microsoft.ContainerInstance/containerGroups@2023-05-01'
               name: 'EncfsSideCarArgs'
               value: sidecarArgsB64
             }
+            {
+              name: 'LogLevel'
+              value: 'debug'
+            }
           ]
           resources: {
             requests: {

tests/encfs/encfs.py

@@ -41,6 +41,7 @@ def __init__(self, key_path, image_path):
 
     def __enter__(self):
         try:
+            print("Creating encrypted filesystem")
             # Format
             self._run_command(
                 "luksFormat",
@@ -54,7 +55,7 @@ def __enter__(self):
                 "--pbkdf pbkdf2",
                 "--pbkdf-force-iterations 1000",
             )
-
+            print("decrypting")
             # Open
             self._run_command(
                 "luksOpen",
@@ -67,14 +68,67 @@ def __enter__(self):
                 "--persistent",
             )
             self.is_open = True
-
+            print("Formatting")
             # Mount
             subprocess.check_call(f"sudo mkfs.ext4 {self.DEVICE_NAME_PATH}", shell=True)
             self._dir = tempfile.TemporaryDirectory()
             subprocess.check_call(
                 f"sudo mount -t ext4 {self.DEVICE_NAME_PATH} {self._dir.name} -o loop",
                 shell=True,
             )
+            print("mounted successfully")
+
+            print("For debug only:")
+            try:
+                result = subprocess.run(f"cryptsetup --version", capture_output=True, universal_newlines=True, input="", shell=True)
+                print(f"cryptsetup --version: {result.stdout}")
+            except Exception as e:
+                print(f"error: {e}")
+                print(f"cryptsetup --version: {result.stderr}")
+            try:
+                result = subprocess.run(f"fusermount -V", capture_output=True, universal_newlines=True, input="", shell=True)
+                print(f"fusermount -V: {result.stdout}")
+            except Exception as e:
+                print(f"error: {e}")
+                print(f"fusermount3 -V: {result.stderr}")
+            try:
+                result = subprocess.run(f"cryptsetup luksDump {self.image_path}", capture_output=True, universal_newlines=True, input="", shell=True)
+                print(f"cryptsetup luksDump {self.image_path}: {result.stdout}")
+            except Exception as e:
+                print(f"error: {e}")
+                print(f"cryptsetup luksDump failed: {result.stderr}")
+            try:
+                result = subprocess.run(f"hexdump -n 16M {self.image_path} | sha256sum", capture_output=True, universal_newlines=True, input="", shell=True)
+                print(f"hexdump -n 16M {self.image_path} | sha256sum: {result.stdout}")
+            except Exception as e:
+                print(f"hexdump -n 16M {self.image_path} | sha256sum failed: {result.stderr}")
+            try:
+                result = subprocess.run(f"hexdump -C -n 4096 {self.image_path} | sha256sum", capture_output=True, universal_newlines=True, input="", shell=True)
+                print(f"hexdump -C -n 4096 {self.image_path} | sha256sum: {result.stdout}")
+            except Exception as e:
+                print(f"hexdump -C -n 4096 {self.image_path} | sha256sum failed: {result.stderr}")
+            try:
+                result = subprocess.run(f"hexdump -Cs 16384 -n 4096 {self.image_path} | sha256sum", capture_output=True, universal_newlines=True, input="", shell=True)
+                print(f"hexdump -Cs 16384 -n 4096 {self.image_path} | sha256sum: {result.stdout}")
+            except Exception as e:
+                print(f"hexdump -Cs 16384 -n 4096 {self.image_path} | sha256sum failed: {result.stderr}")
+
+            try:
+                result = subprocess.run(f"hexdump -e '16/1 \"%02x \" \"\n\"' -n 4096 {self.image_path} > header1.txt", capture_output=True, universal_newlines=True, input="", shell=True)
+                print(f"hexdump -e '16/1 \"%02x \" \"\n\"' -n 4096 {self.image_path} > header1.txt: {result.stdout}")
+            except Exception as e:
+                print(f"hexdump -e '16/1 \"%02x \" \"\n\"' -n 4096 {self.image_path} > header1.txt failed: {result.stderr}")
+            try:
+                result = subprocess.run(f"hexdump -e '16/1 \"%02x \" \"\n\"'  -s 16384 -n 4096 {self.image_path} > header2.txt", capture_output=True, universal_newlines=True, input="", shell=True)
+                print(f"hexdump -e '16/1 \"%02x \" \"\n\"'  -s 16384 -n 4096 {self.image_path} > header2.txt: {result.stdout}")
+            except Exception as e:
+                print(f"hexdump -e '16/1 \"%02x \" \"\n\"'  -s 16384 -n 4096 {self.image_path} > header2.txt failed: {result.stderr}")
+
+            try:
+                result = subprocess.run(f"diff header1.txt header2.txt", capture_output=True, universal_newlines=True, input="", shell=True)
+                print(f"diff header1.txt header2.txt: {result.stdout}")
+            except Exception as e:
+                print(f"diff header1.txt header2.txt failed: {result.stderr}")
             return self._dir.name
 
         except Exception: