From 3aecb24cda6710ec0c69e929e3fee2a6d6a2bdd9 Mon Sep 17 00:00:00 2001
From: Heather Garvison
Date: Mon, 1 Apr 2024 14:42:30 -0400
Subject: [PATCH] update encfs to use cbl mariner
---
 .github/workflows/ci.yml | 4 +--
 cmd/remotefs/azurefs.go | 16 +++++-----
 docker/encfs/Dockerfile.encfs | 6 ++--
 docker/skr/Dockerfile.skr | 4 +--
 tests/encfs/encfs.bicep | 4 +++
 tests/encfs/encfs.py | 58 +++++++++++++++++++++++++++++++++--
 6 files changed, 76 insertions(+), 16 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 5e26f695..57ac4491 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -43,7 +43,7 @@ on:
 env:
 BASE_ID: ${{ github.run_id }}-${{ github.run_number }}-${{ inputs.location }}-${{ inputs.policy_type }}
 LOCATION: ${{ inputs.location || 'westeurope' }}
- POLICY_TYPE: ${{ inputs.policy_type || 'generated' }}
+ POLICY_TYPE: 'debug' # ${{ inputs.policy_type || 'generated' }}
 jobs:
 analyze:
@@ -224,7 +224,7 @@ jobs:
 test-encfs:
 name: Test EncFS
- runs-on: ubuntu-latest
+ runs-on: ubuntu-24.04
 steps:
 - name: Checkout
 uses: actions/checkout@v4
diff --git a/cmd/remotefs/azurefs.go b/cmd/remotefs/azurefs.go
index 1b542714..a753f9b7 100644
--- a/cmd/remotefs/azurefs.go
+++ b/cmd/remotefs/azurefs.go
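Review bot: `POLICY_TYPE: 'debug' # ${{ inputs.policy_type || 'generated' }}` hard-codes the policy type and silently ignores the `policy_type` workflow input, while `BASE_ID` two lines above still embeds `inputs.policy_type`, so the run id and the policy actually deployed no longer agree. The inline comment preserving the old expression reads as a temporary debugging switch that was committed together with the base-image change; if the debug policy is the more permissive one, the generated-policy path is no longer exercised by CI at all. Either restore `POLICY_TYPE: ${{ inputs.policy_type || 'generated' }}` before merging, or make `debug` selectable through the existing input instead of fixing it in `env`.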
@@ -289,14 +289,14 @@ func containerMountAzureFilesystem(tempDir string, index int, fs AzureFilesystem
 }
 }
- defer func() {
- // Delete keyfile on exit
- if inErr := osRemoveAll(keyFilePath); inErr != nil {
- logrus.WithError(inErr).Debugf("failed to delete keyfile: %s", keyFilePath)
- } else {
- logrus.Debugf("Deleted keyfile: %s", keyFilePath)
- }
- }()
+ // defer func() {
+ // // Delete keyfile on exit
+ // if inErr := osRemoveAll(keyFilePath); inErr != nil {
+ // logrus.WithError(inErr).Debugf("failed to delete keyfile: %s", keyFilePath)
+ // } else {
+ // logrus.Debugf("Deleted keyfile: %s", keyFilePath)
+ // }
+ // }()
 // 3) Open encrypted filesystem with cryptsetup. The result is a block
 // device in /dev/mapper/remote-crypt-[filesystem-index] so that it is
diff --git a/docker/encfs/Dockerfile.encfs b/docker/encfs/Dockerfile.encfs
index b4bdbdd6..2d086a01 100644
--- a/docker/encfs/Dockerfile.encfs
+++ b/docker/encfs/Dockerfile.encfs
@@ -7,9 +7,11 @@ RUN cd tools/get-snp-report && make && mv bin/get-snp-report /
 RUN CGO_ENABLED=0 GOOS=linux go build -o / ./cmd/azmount
 RUN CGO_ENABLED=0 GOOS=linux go build -o / ./cmd/remotefs
-FROM alpine:3.18.6
+FROM mcr.microsoft.com/azurelinux/base/core:3.0
+#FROM alpine:3.18.6
-RUN apk update && apk upgrade --no-cache && apk add --no-cache cryptsetup fuse3 curl bash jq
+RUN tdnf update -y && tdnf upgrade -y && tdnf install -y cryptsetup fuse3 jq && tdnf clean all
+#RUN apk update && apk upgrade --no-cache && apk add --no-cache cryptsetup fuse3 curl bash jq
 COPY --from=build /get-snp-report /azmount /remotefs ./bin/
diff --git a/docker/skr/Dockerfile.skr b/docker/skr/Dockerfile.skr
index 7c18bc7a..18b5a698 100644
--- a/docker/skr/Dockerfile.skr
+++ b/docker/skr/Dockerfile.skr
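Review bot: Commenting out the `defer` that calls `osRemoveAll(keyFilePath)` leaves the unwrapped key file on disk for the lifetime of the container, which is the opposite of the guarantee the surrounding code was written to provide; nothing else in the hunk removes the file, and the commit subject ("update encfs to use cbl mariner") gives no reason for disabling it. If the deletion had to be switched off to debug the mount on the new base image, gate the cleanup behind the debug log level rather than removing it, or restore the deferred `osRemoveAll(keyFilePath)` before merging. `containerMountAzureFilesystem` starts before this hunk and continues after it, so I cannot see whether a later cleanup path exists.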
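Review bot: `FROM mcr.microsoft.com/azurelinux/base/core:3.0` replaces the fully pinned `alpine:3.18.6` with a floating major tag, so the image is no longer reproducible and picks up whatever `3.0` resolves to at each build; pin it as `FROM mcr.microsoft.com/azurelinux/base/core:3.0@sha256:<digest>` (resolve the digest once with `docker buildx imagetools inspect`), and the same applies to the `Dockerfile.skr` hunk below. The new `tdnf install -y cryptsetup fuse3 jq` line also drops `curl` and `bash` from the old `apk add` set; if any entrypoint or helper script in this image relies on `bash` or `curl`, that breaks only at runtime, so confirm the binaries copied into `./bin/` no longer need them. The commented-out `#FROM alpine:3.18.6` and `#RUN apk ...` lines should be deleted rather than kept — git history already holds the old base.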
@@ -6,9 +6,9 @@ RUN cd tools/get-snp-report && make && mv bin/get-snp-report / && mv bin/get-fak
 RUN cd cmd/skr && CGO_ENABLED=0 GOOS=linux go build -o /skr -ldflags="-s -w" main.go
-FROM mcr.microsoft.com/cbl-mariner/base/core:2.0
+FROM mcr.microsoft.com/azurelinux/base/core:3.0
-RUN tdnf update -y && tdnf upgrade -y && tdnf install curl
+RUN tdnf update -y && tdnf upgrade -y && tdnf install curl && tdnf clean all
 COPY --from=build /skr /get-snp-report /get-fake-snp-report ./bin/
diff --git a/tests/encfs/encfs.bicep b/tests/encfs/encfs.bicep
index 8cf9a15d..620f83b0 100755
--- a/tests/encfs/encfs.bicep
+++ b/tests/encfs/encfs.bicep
@@ -91,6 +91,10 @@ resource containerGroup 'Microsoft.ContainerInstance/containerGroups@2023-05-01'
 name: 'EncfsSideCarArgs'
 value: sidecarArgsB64
 }
+ {
+ name: 'LogLevel'
+ value: 'debug'
+ }
 ]
 resources: {
 requests: {
diff --git a/tests/encfs/encfs.py b/tests/encfs/encfs.py
index a19558b4..b3c07635 100644
--- a/tests/encfs/encfs.py
+++ b/tests/encfs/encfs.py
@@ -41,6 +41,7 @@ def __init__(self, key_path, image_path):
 def __enter__(self):
 try:
+ print("Creating encrypted filesystem")
 # Format
 self._run_command(
 "luksFormat",
@@ -54,7 +55,7 @@ def __enter__(self):
 "--pbkdf pbkdf2",
 "--pbkdf-force-iterations 1000",
 )
-
+ print("decrypting")
 # Open
 self._run_command(
 "luksOpen",
@@ -67,7 +68,7 @@ def __enter__(self):
 "--persistent",
 )
 self.is_open = True
-
+ print("Formatting")
 # Mount
 subprocess.check_call(f"sudo mkfs.ext4 {self.DEVICE_NAME_PATH}", shell=True)
 self._dir = tempfile.TemporaryDirectory()
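Review bot: `value: 'debug'` fixes the sidecar's `LogLevel` to debug for every test deployment, which — like the `POLICY_TYPE: 'debug'` change in `ci.yml` — looks like a debugging aid rather than part of the base-image move the subject describes; a sidecar that handles key material tends to log considerably more at debug than at its default level, and these logs end up in the ACI and CI output. If the setting is meant to stay, expose it as `param logLevel string = 'info'` at the top of the template and use `value: logLevel` here so debug is opt-in per run. The `containerGroup` resource starts before this hunk and continues after it.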
@@ -75,6 +76,59 @@ def __enter__(self):
 f"sudo mount -t ext4 {self.DEVICE_NAME_PATH} {self._dir.name} -o loop",
 shell=True,
 )
+ print("mounted successfully")
+
+ print("For debug only:")
+ try:
+ result = subprocess.run(f"cryptsetup --version", capture_output=True, universal_newlines=True, input="", shell=True)
+ print(f"cryptsetup --version: {result.stdout}")
+ except Exception as e:
+ print(f"error: {e}")
+ print(f"cryptsetup --version: {result.stderr}")
+ try:
+ result = subprocess.run(f"fusermount -V", capture_output=True, universal_newlines=True, input="", shell=True)
+ print(f"fusermount -V: {result.stdout}")
+ except Exception as e:
+ print(f"error: {e}")
+ print(f"fusermount3 -V: {result.stderr}")
+ try:
+ result = subprocess.run(f"cryptsetup luksDump {self.image_path}", capture_output=True, universal_newlines=True, input="", shell=True)
+ print(f"cryptsetup luksDump {self.image_path}: {result.stdout}")
+ except Exception as e:
+ print(f"error: {e}")
+ print(f"cryptsetup luksDump failed: {result.stderr}")
+ try:
+ result = subprocess.run(f"hexdump -n 16M {self.image_path} | sha256sum", capture_output=True, universal_newlines=True, input="", shell=True)
+ print(f"hexdump -n 16M {self.image_path} | sha256sum: {result.stdout}")
+ except Exception as e:
+ print(f"hexdump -n 16M {self.image_path} | sha256sum failed: {result.stderr}")
+ try:
+ result = subprocess.run(f"hexdump -C -n 4096 {self.image_path} | sha256sum", capture_output=True, universal_newlines=True, input="", shell=True)
+ print(f"hexdump -C -n 4096 {self.image_path} | sha256sum: {result.stdout}")
+ except Exception as e:
+ print(f"hexdump -C -n 4096 {self.image_path} | sha256sum failed: {result.stderr}")
+ try:
+ result = subprocess.run(f"hexdump -Cs 16384 -n 4096 {self.image_path} | sha256sum", capture_output=True, universal_newlines=True, input="", shell=True)
+ print(f"hexdump -Cs 16384 -n 4096 {self.image_path} | sha256sum: {result.stdout}")
+ except Exception as e:
+ print(f"hexdump -Cs 16384 -n 4096 {self.image_path} | sha256sum failed: {result.stderr}")
+
+ try:
+ result = subprocess.run(f"hexdump -e '16/1 \"%02x \" \"\n\"' -n 4096 {self.image_path} > header1.txt", capture_output=True, universal_newlines=True, input="", shell=True)
+ print(f"hexdump -e '16/1 \"%02x \" \"\n\"' -n 4096 {self.image_path} > header1.txt: {result.stdout}")
+ except Exception as e:
+ print(f"hexdump -e '16/1 \"%02x \" \"\n\"' -n 4096 {self.image_path} > header1.txt failed: {result.stderr}")
+ try:
+ result = subprocess.run(f"hexdump -e '16/1 \"%02x \" \"\n\"' -s 16384 -n 4096 {self.image_path} > header2.txt", capture_output=True, universal_newlines=True, input="", shell=True)
+ print(f"hexdump -e '16/1 \"%02x \" \"\n\"' -s 16384 -n 4096 {self.image_path} > header2.txt: {result.stdout}")
+ except Exception as e:
+ print(f"hexdump -e '16/1 \"%02x \" \"\n\"' -s 16384 -n 4096 {self.image_path} > header2.txt failed: {result.stderr}")
+
+ try:
+ result = subprocess.run(f"diff header1.txt header2.txt", capture_output=True, universal_newlines=True, input="", shell=True)
+ print(f"diff header1.txt header2.txt: {result.stdout}")
+ except Exception as e:
+ print(f"diff header1.txt header2.txt failed: {result.stderr}")
 return self._dir.name
 except Exception:
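Review bot: Every `except Exception as e:` branch in the new block prints `result.stderr`, but `result` is exactly the name that was not assigned when `subprocess.run` raised — the first handler hits an `UnboundLocalError`, the later ones print the previous command's stderr — and on the normal path a non-zero exit (no `check=True`, return code never inspected) prints an empty stdout and discards stderr, so a failing `cryptsetup luksDump` is indistinguishable from success in the log. Because `self.image_path` is spliced into `shell=True` command strings, quote it with `shlex.quote` (needs `import shlex` at the top of the file), and drop the placeholder-free f-strings such as `f"cryptsetup --version"`. The block also writes `header1.txt`/`header2.txt` into the current working directory and never removes them, and the `fusermount -V` handler labels its output `fusermount3 -V`. One small helper removes the nine copies of the try/except and fixes all of the above; `__enter__` starts before this hunk and its `except Exception:` handler continues after it.

```python
            print("mounted successfully")

            def _debug_run(cmd):
                # Diagnostics only: never raise, and always report rc and stderr so a
                # failing command is visible in the log instead of looking like success.
                try:
                    result = subprocess.run(cmd, capture_output=True, universal_newlines=True, input="", shell=True)
                except Exception as e:
                    print(f"{cmd} failed to start: {e}")
                    return
                print(f"{cmd} (rc={result.returncode}):\n{result.stdout}{result.stderr}")

            print("For debug only:")
            image = shlex.quote(self.image_path)  # image_path is interpolated into shell=True commands
            for cmd in (
                "cryptsetup --version",
                "fusermount -V",
                f"cryptsetup luksDump {image}",
                f"hexdump -n 16M {image} | sha256sum",
                f"hexdump -C -n 4096 {image} | sha256sum",
                f"hexdump -Cs 16384 -n 4096 {image} | sha256sum",
            ):
                _debug_run(cmd)
            # Header comparison files live in a scratch dir that is removed afterwards,
            # instead of header1.txt/header2.txt left behind in the working directory.
            with tempfile.TemporaryDirectory() as hdr:
                _debug_run(f"hexdump -e '16/1 \"%02x \" \"\n\"' -n 4096 {image} > {hdr}/header1.txt")
                _debug_run(f"hexdump -e '16/1 \"%02x \" \"\n\"' -s 16384 -n 4096 {image} > {hdr}/header2.txt")
                _debug_run(f"diff {hdr}/header1.txt {hdr}/header2.txt")
            return self._dir.name
```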