Merge pull request #3249 from chriswue/master

Adding support to mount an encrypted filesystem
2025-09-20 12:07:54 +00:00 · 2019-01-18 01:28:50 +01:00
parent 6412cfa117 a9bc7372de
commit eeb2d546d1
22 changed files with 664 additions and 0 deletions
--- a/pkg/dm-crypt/Dockerfile
+++ b/pkg/dm-crypt/Dockerfile
@@ -0,0 +1,19 @@
+FROM linuxkit/alpine:3683c9a66cd4da40bd7d6c7da599b2dcd738b559 AS mirror
+RUN mkdir -p /out/etc/apk && cp -r /etc/apk/* /out/etc/apk/
+RUN apk add --no-cache --initdb -p /out  \
+    alpine-baselayout \
+    cryptsetup \
+    e2fsprogs
+
+# Remove apk residuals
+RUN rm -rf /out/etc/apk /out/lib/apk /out/var/cache
+
+FROM scratch
+ENTRYPOINT []
+WORKDIR /
+COPY --from=mirror /out/ /
+
+COPY crypto.sh /usr/bin/crypto
+RUN chmod +x /usr/bin/crypto
+
+CMD ["/usr/bin/crypto"]
--- a/pkg/dm-crypt/build.yml
+++ b/pkg/dm-crypt/build.yml
@@ -0,0 +1,8 @@
+image: dm-crypt
+config:
+  binds:
+    - /dev:/dev
+    - /etc/dm-crypt:/etc/dm-crypt
+  capabilities:
+    - CAP_SYS_ADMIN
+    - CAP_MKNOD
--- a/pkg/dm-crypt/crypto.sh
+++ b/pkg/dm-crypt/crypto.sh
@@ -0,0 +1,84 @@
+#!/bin/sh
+
+set -e
+
+help()
+{
+    echo "Usage: $0 [options] <dm_name> <device>"
+    echo
+    echo "Options:"
+    echo "    -l|--luks       Use LUKS extension"
+    echo "    -k|--key-file   Name of the key file, default: key"
+    echo "    <dm_name>       Name of the device mapper file, the encrypted device will become available under /dev/mapper/<dm_name>"
+    echo "    <device>        The encrypted device (e.g. /dev/sda1, /dev/loop0, etc)"
+    echo
+}
+
+luks=false
+key_file="key"
+
+O=`getopt -l key-file:luks,help -- k:lh "$@"` || exit 1
+eval set -- "$O"
+while true; do
+    case "$1" in
+        -l|--luks)      luks=true; shift;;
+        -k|--key-file)  key_file=$2; shift 2;;
+        -h|--help)      help; exit 0;;
+        --)             shift; break;;
+        *)              echo "Unknown option $1"; help; exit 1;;
+        esac
+done
+
+if [ -z "$1" ]; then
+    echo "Missing argument <dm_name>"
+    help
+    exit 1
+fi
+
+if [ -z "$2" ]; then
+    echo "Missing argument <device>"
+    help
+    exit 1
+fi
+
+dm_name=$1
+device=$2
+dmdev_name="/dev/mapper/$dm_name"
+cipher="aes-cbc-essiv:sha256"
+
+case "$key_file" in
+    /*) ;;
+    *)  key_file="/etc/dm-crypt/$key_file" ;;
+esac
+
+if [ ! -f "$key_file" ]; then
+    echo "Couldn't find encryption keyfile $key_file!"
+    exit 1
+fi
+
+if [ ! -d "/run/cryptsetup" ]; then
+    echo "Creating cryptsetup lock directory"
+    mkdir /run/cryptsetup
+fi
+
+if [ $luks = true ]; then
+    echo "Creating dm-crypt LUKS mapping for $device under $dmdev_name"
+    if ! cryptsetup isLuks $device; then
+        echo "Device $device doesn't seem to have a valid LUKS setup so one will be created."
+        cryptsetup --key-file "$key_file" --cipher "$cipher" luksFormat "$device"
+    fi
+    cryptsetup --key-file "$key_file" luksOpen "$device" "$dm_name"
+else
+    echo "Creating dm-crypt mapping for $device under $dmdev_name"
+    cryptsetup --key-file "$key_file" --cipher "$cipher" create "$dm_name" "$device"
+fi
+
+o=`blkid $dmdev_name`
+if [ -z "$o" ]; then
+	echo "Device $dmdev_name doesn't seem to contain a filesystem, creating one."
+    # dd will write the device until it's full and then return with an error because "no space left"
+    dd if=/dev/zero of="$dmdev_name" || true
+    mkfs.ext4 "$dmdev_name"
+else
+	echo "Device $dmdev_name seems to contain filesystem: $o"
+fi
--- a/pkg/losetup/Dockerfile
+++ b/pkg/losetup/Dockerfile
@@ -0,0 +1,18 @@
+FROM linuxkit/alpine:3683c9a66cd4da40bd7d6c7da599b2dcd738b559 AS mirror
+RUN mkdir -p /out/etc/apk && cp -r /etc/apk/* /out/etc/apk/
+RUN apk add --no-cache --initdb -p /out  \
+    alpine-baselayout \
+    busybox
+
+# Remove apk residuals
+RUN rm -rf /out/etc/apk /out/lib/apk /out/var/cache
+
+FROM scratch
+ENTRYPOINT []
+WORKDIR /
+COPY --from=mirror /out/ /
+
+COPY loopy.sh /usr/bin/loopy
+RUN chmod +x /usr/bin/loopy
+
+CMD ["/usr/bin/loopy"]
--- a/pkg/losetup/build.yml
+++ b/pkg/losetup/build.yml
@@ -0,0 +1,7 @@
+image: losetup
+config:
+  binds:
+    - /dev:/dev
+    - /var:/var
+  capabilities:
+    - CAP_SYS_ADMIN
--- a/pkg/losetup/loopy.sh
+++ b/pkg/losetup/loopy.sh
@@ -0,0 +1,57 @@
+#!/bin/sh
+
+set -e
+
+help()
+{
+    echo "Usage: $0 [options] <file>"
+    echo
+    echo "Options:"
+    echo "    -c, --create          Create <file> if not present, default: false"
+    echo "    -s, --size NUM        Size of <file> in MiB if it gets created, default: 10"
+    echo "    -d, --dev DEVICE      Use DEVICE as loop device, default: /dev/loop0"
+    echo
+}
+
+create=false
+size_mib=10
+loop_device="/dev/loop0"
+
+O=`getopt -l create,size:,dev:,help -- cs:d:h "$@"` || exit 1
+eval set -- "$O"
+while true; do
+    case "$1" in
+        -c|--create)   create=true; shift;;
+        -s|--size)     size_mib=$2; shift 2;;
+        -d|--dev)      loop_device=$2; shift 2;;
+        -h|--help)     help; exit 0;;
+        --)            shift; break;;
+        *)             echo "Unknown option $1"; help; exit 1;;
+	esac
+done
+
+if [ -z "$1" ]; then
+    echo "Missing argument <file>"
+    help
+    exit 1
+fi
+
+container_file=$1
+
+if [ ! -b "$loop_device" ]; then
+    echo "Loop device $loop_device doesn't exist! Did you forget to bind-mount '/dev'?"
+    exit 2
+fi
+
+if [ ! -f "$container_file" ]; then
+    if [ $create = true ]; then
+        echo "File $container_file not found, creating new one of size $size_mib MiB"
+        dd if="/dev/zero" of="$container_file" bs=1M count=$size_mib
+    else
+        echo "File $container_file not found. Please specify --create or ensure it's present."
+        exit 2
+    fi
+fi
+
+echo "Associating file $container_file with loop device $loop_device"
+losetup "$loop_device" "$container_file"