support full disk luks. Fixes #550 #1716
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…#550 In order to appropriately identify a disk as hosting a LUKS container within one of it's partitions we label the base device with this canonical indicator. This is the same treatment used to identify mdraid disk members when any one of their partitions is an mdraid member. Predominantly used to accommodate default anaconda system disk encrypted (LUKS) installs (ie swap and btrfs system pool partitions as LUKS containers).
When installing via anakonda default "Encrypt my data" option we end up with our system pool rockstor_rockstor in a LUKS container (along with swap in it's own). Previous mdadmin root drive enhancements added non partition ''/' capability but for correct identification of the root drive in an open LUKS container and subsequent auto import of system subvols (/root /home) root_disk() required an additional clause.
…rockstor#550 For default anaconda ''Encrypt my data" installs ie swap and / btrfs pool in their own LUKS we need to recognise and appropriately flag via icons and tooltips the LUKS in partition exception made for system disk and include LUKS container flagging in main base flag if-else. Also reduced number of checks by combining mutually exclusive additional flags.
Extend the "hasUserRole" handlebars helper to identify future user configurable disk roles of full disk LUKS container and full disk backing and caching bcache devices which we already label internally via the recent roles system.
Reduces the number of redundant disk status checks re role and state of each disk and improve readability and logic of the associated checks. The intention is to fashion a user 'funnel' to accommodate early LUKS / bcache device role assignment while attempting to reduce the number of redundant or unwise configuration options offered. I.e. on freshly wiped devices a LUKS / bcache tooltip suggestion introduces the UI entry point to apply such whole disk configurations. Note also that a new flag is introduced, that of a drive mapping (essentially if the device is found to be part of a pool) this is intended to aid in identifying fresh or already pool committed drives from the flags alone and works in concert with LUKS / bcache flags, ie one will replace another.
…kstor#550 Includes minor cosmetic and code formatting improvements to existing disk role UI.
…tor#550 We already disable and hide LUKS options if any partitions are found so to cater for whole disk btrfs we also check Disk.btrfs_uuid; this also covers un-imported btrfs. Note this doesn't cover non btrfs full disk formats but they are unusual.
Intended as a hold-all for LUKS related utilities.
The front end already hides LUKS options if there are partitions but we should block all role changes combined with LUKS format as we do with the equivalent of disk wipe.
This way we separate these functions so that the user is encouraged to do one at a time and we only have to deal with each in turn and consequently monitor the result of each in turn.
Plus minor text changes.
This is the convention in all official LUKS text and encourages greater length.
Also reduce existing word count and condense formatting.
Also add links to online docs for roles and import details.
Emphasise exclusive nature of wipe or LUKS format by toggling options in xor which works well with shared wipe warning message.
Plus minor rename refactoring to more accurately reflect whole disk fstype variable.
We already have this in front end (UI) validation.
LUKS documentating suggests limiting char use to first 127 ASCII but removing control chars and DEL makes for easier communication. Includes front end user text and validation filter as well as backend validation. The reason this is advised is down to the standardized nature of these characters across string encoding formats.
Once unlocked a LUKS container gains a mapped open counterpart. We query the open LUKS volumes to identify all open LUKS containers by identifying which mapped counterpart relates to which container via uuid. This can then be used to inform the role system of the unlocked status of all LUKS containers/devices.
We extend the previously unused LUKS role value to host a dictionary which in turn has an unlocked boolean. Existing mechanism converts dict to json for front end javascript handlebars helper use. Contains minor name refactoring of helper function.
We already have a LUKS format extension on the roles page but that is akin to the existing wipe / delete function found there already. This page is intended as the home for existing LUKS containers and open LUKS volumes where we might put such utilities as luksHeaderBackup, passphrase facilities etc. Also the ability to open / close a given container / volume respectively.
A LUKS container, denoted by the LUKS role, can have /etc/crypttab entries that can define the boot unlock behaviour. Collect the current status and stash as crypttab index with value of 3rd column in /etc/crypttab.
Also adds dual mode to luks page: config for container mode, info for open volume mode.
Minor flag name change - mostly aesthetic - but should help with code readability by being consistent with consequent role and role constants lists.
Mirror formatting found on sister 'roles' config page
Boot up config pertains to LUKS containers only and as we have a dual personality LUKS config page we ony show this text for LUKS container.
Also ensure we avoid making changes to custom (non native) crypttab configurations, even during a LUKS config page submit when viewing these settings. Require a config change prior to defaulting to native keyfile creation.
Since we have partnered LUKS format with our existing wipe on this page we should add this key function to the page title.
Previously we had an unused placeholder of dm-name-uuid. Replace with output from: 'cryptsetup status dev-name' as a dict/json. The 'openLUKS' role signifies open LUKS volumes.
When our dual mode LUKS page is viewing an Open LUKS Volume, display the role value which equates to a slightly tailored cyptsetup status dev-name output where the backing device listed is converted to a by-id name.
Plus minor text enhancements for clarity.
Actively used by LUKS additions moving forward.
Add info logging when failing over to 'mount by dev' from 'mount by label' and specify the dev names as we go. Add error logging on missing devices.
As our 'source of truth' is /etc/crypttab but systemd generators now abstract the contents to /var/run/systemd/generators we should ensure that systemd re-generates the abstraction in a timely manner.
Less flexible than original but serves our current use. Required as upstream --template option is broken for all input cases.
When a full dev fs exists on an Open LUKS Volume and that fs is wiped via wipefs -a, systemd tears down the entire mapped block device. Re-assert there after by starting the associated generator service if it exists.
Intermittent failure of udev to update fstype, label, and uuid of dev after pool creation (1-2 times in 10) was observed for a luks mapped device. After this udev call no similar failures were observed. Also prior to patch many mount by label fails were observed with consequent fail-over mounts by dev, but with no consequent dev info updates the pool was not recognized by our UI. Where as after this patch no failures to mount by label were observed in the test scenarios. This same treatment has already been applied to adding disks to an existing pool in pr rockstor#1607 commit: 0358560
Given our NAS remit we favour headless operation and given LUKS volumes are closed upon wipe we must favour and recommend auto authentication via keyfile. Also add systemd command info for those favouring a non keyfile / command line management approach.
Best we point out "Auto unlock via keyfile" and location of this config with icon repeats to improve affordance and ease first time configuration.
|
All validation mechanisms and UI contextual behaviour was tested to behave as expected and as indicated in the pr description. Pre-pr encrypted install system drive iconography: Post-pr encrypted install system drive display (here also showing a btrfs in partition virtio dev): In addition a real life scenario involving purposefully slow and constrained hardware (2G RAM single core dual thread P4) with 35 GB of data on an existing 3 disk raid 1 pool totalling 225 GB was taken through the following semi typical scenario for moving an existing pool from non LUKS formatted devices to LUKS formatted devices and their consequent mapped counterpart Open LUKS Volumes.
|
|
Amazing job @phillxnet. Nice to see a PR from you again. Thoroughly done as usual :) |
|
@schakrava Thanks and Cheers. |
Closed
4 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Abstract:
Adds full disk LUKS UI components to perform initial LUKS format and set boot up configuration for the resulting container; with integral keyfile generation and registration where required. The consequent LUKS volumes also gain an ‘information only’ UI component to display their last recorded status which includes their backing container device. Further enhancements were required to the disk role improvements established in pr #1622 in order to meet the requirements of the UI components added. And to meet the expected pairing of LUKS data disk capability with encrypted system disk installs (via the “Encrypt my data” install option) the disk scan subsystem was improved to correctly propagate the otherwise incompatible LUKS in partition arrangement. Disk table view iconography was extended to indicate the open/closed status of LUKS containers.
Changes made:
Existing Pathologies:
Configuration caveats:
Noteworthy anticipated exclamations:
Testing methods employed are to follow in additional comments to this pr.
Fixes #550
Please see #550 for development history.
Ready for review.