Merge pull request #3249 from chriswue/master

Adding support to mount an encrypted filesystem

docs/encrypted-disk.md

@@ -0,0 +1,86 @@
+# Device encryption with dm-crypt
+
+In the packages section you can find an image to setup dm-crypt encrypted devices in [linuxkit](https://github.com/linuxkit/linuxkit)-generated images.
+
+## Usage
+
+The setup is a one time step during boot:
+
+```yaml
+onboot:
+  - name: dm-crypt
+    image: linuxkit/dm-crypt:<hash>
+    command: ["/usr/bin/crypto", "dm_crypt_name", "/dev/sda1"]
+  - name: mount
+    image: linuxkit/mount:<hash>
+    command: ["/usr/bin/mountie", "/dev/mapper/dm_crypt_name", "/var/secure_storage"]
+files:
+  - path: etc/dm-crypt/key
+    contents: "abcdefghijklmnopqrstuvwxyz123456"
+```
+
+The above will map `/dev/sda1` as an encrypted device under `/dev/mapper/dm_crypt_name` and mount it under `/var/secure_storage`
+
+The `dm-crypt` container by default bind-mounts `/dev:/dev` and `/etc/dm-crypt:/etc/dm-crypt`. It expects the encryption key to be present in the file `/etc/dm-crypt/key`. You can pass an alternative location as encryption key which can be either a file path relative to `/etc/dm-crypt` or an absolute path.
+
+Providing an alternative encryption key file name:
+
+```yaml
+onboot:
+  - name: dm-crypt
+    image: linuxkit/dm-crypt:<hash>
+    command: ["/usr/bin/crypto", "-k", "some_other_key", "dm_crypt_name", "/dev/sda1"]
+  - name: mount
+    image: linuxkit/mount:<hash>
+    command: ["/usr/bin/mountie", "/dev/mapper/dm_crypt_name", "/var/secure_storage"]
+files:
+  - path: etc/dm-crypt/some_other_key
+    contents: "abcdefghijklmnopqrstuvwxyz123456"
+```
+
+Providing an alternative encryption key file name as absolute path:
+
+```yaml
+onboot:
+  - name: dm-crypt
+    image: linuxkit/dm-crypt:<hash>
+    command: ["/usr/bin/crypto", "-k", "/some/other/key", "dm_crypt_name", "/dev/sda1"]
+    binds:
+      - /dev:/dev
+      - /etc/dm-crypt/some_other_key:/some/other/key
+  - name: mount
+    image: linuxkit/mount:<hash>
+    command: ["/usr/bin/mountie", "/dev/mapper/dm_crypt_name", "/var/secure_storage"]
+files:
+  - path: etc/dm-crypt/some_other_key
+    contents: "abcdefghijklmnopqrstuvwxyz123456"
+```
+
+Note that you have to also map `/dev:/dev` explicitly if you override the default bind-mounts.
+
+The `dm-crypt` container
+
+* Will create an `ext4` file system on the encrypted device if none is present.
+  * It will also initialize the encrypted device by filling it from `/dev/zero` prior to creating the filesystem. Which means if the device is being setup for the first time it might take a bit longer.
+* Uses the `aes-cbc-essiv:sha256` cipher (it's explicitly specified in case the default ever changes)
+  * Consequently the encryption key is expected to be 32 bytes long, a random one can be created via
+    ```shell
+    dd if=/dev/urandom of=dm-crypt.key bs=32 count=1
+    ```
+    If you see the error `Cannot read requested amount of data.` next to the log message `Creating dm-crypt mapping for ...` then this means your keyfile doesn't contain enough data.
+
+### Examples
+
+There are two examples in the `examples/` folder:
+
+1. `dm-crypt.yml` - formats an external disk and mounts it encrypted.
+2. `dm-crypt-loop.yml` - mounts an encrypted loop device backed by a regular file sitting on an external disk
+
+### Options
+
+|Option|Default|Required|Notes|
+|---|---|---|---|
+|`-k` or `--key`|`key`|No|Encryption key file name. Must be either relative to `/etc/dm-crypt` or an absolute file path.|
+|`-l` or `--luks`||No|Use LUKS format for encryption|
+|`<dm_name>`||**Yes**|The device-mapper device name to use. The device will be mapped under `/dev/mapper/<dm_name>`|
+|`<device>`||**Yes**|Device to encrypt.|

docs/losetup.md

@@ -0,0 +1,27 @@
+# LinuxKit losetup
+
+Image to setup a loop device backed by a regular file in a [linuxkit](https://github.com/linuxkit/linuxkit)-generated image. The typical use case is to have a portable storage location which can be used to persist settings or other files. Can be combined with the `linuxkit/dm-crypt` package for protection.
+
+## Usage
+
+The setup is a one time step during boot:
+
+```yaml
+onboot:
+  - name: losetup
+    image: linuxkit/losetup:<hash>
+    command: ["/usr/bin/loopy", "-c", "/var/test.img"]
+```
+
+The above will associate the file `/var/test.img` with `/dev/loop0` and will also create it if it's not present.
+
+The container by default bind-mounts `/var:/var` and `/dev:/dev`. Usually the loop-file will reside on external storage which should be typically mounted under `/var` hence the choice of the defaults. If the loop-file is located somewhere else and you need a different bind-mount for it then do not forget to explicitly bind-mount `/dev:/dev` as well or else `losetup` will fail.
+
+### Options
+
+|Option|Default|Required|Notes|
+|---|---|---|---|
+|`-c` or `--create`||No|Creates the file if not present. If `--create` is not specified and the file is missing then the loop setup will obviously fail.|
+|`-s` or `--size`|10|No|If `--create` was specified and the file is not present then this sets the size in MiB of the created file. The file will be filled from `/dev/zero`.|
+|`-d` or `--dev`|`/dev/loop0`|No|Loop device which should be associated with the file.|
+|`<file>`||**Yes**|The file to use as backing storage.|

examples/dm-crypt-loop.yml

@@ -0,0 +1,49 @@
+kernel:
+  image: linuxkit/kernel:4.14.88
+  cmdline: "console=tty0 console=ttyS0"
+init:
+  - linuxkit/init:c563953a2277eb73a89d89f70e4b6dcdcfebc2d1
+  - linuxkit/runc:83d0edb4552b1a5df1f0976f05f442829eac38fe
+  - linuxkit/containerd:326b096cd5fbab0f864e52721d036cade67599d6
+  - linuxkit/ca-certificates:v0.6
+onboot:
+  - name: sysctl
+    image: linuxkit/sysctl:v0.6
+  - name: dhcpcd
+    image: linuxkit/dhcpcd:v0.6
+    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
+  - name: format
+    image: linuxkit/format:v0.6
+    command: ["/usr/bin/format", "/dev/sda"]
+  - name: mount
+    image: linuxkit/mount:v0.6
+    command: ["/usr/bin/mountie", "/dev/sda1", "/var/external"]
+  - name: loop
+    image: linuxkit/losetup:b05ffc8641cc955abe45f6730cbe6d723b63bd3f
+    command: ["/usr/bin/loopy", "--create", "/var/external/storage_file"]
+  - name: dm-crypt
+    image: linuxkit/dm-crypt:9e41a164358b0235f0c242219b1a424c6552d46c
+    command: ["/usr/bin/crypto", "crypt_loop_dev", "/dev/loop0"]
+  - name: mount
+    image: linuxkit/mount:v0.6
+    command: ["/usr/bin/mountie", "/dev/mapper/crypt_loop_dev", "/var/secure_storage"]
+  - name: bbox
+    image: busybox
+    command: ["sh", "-c", "echo 'secret things' >/var/secure_storage/secrets"]
+    binds:
+      - /var:/var
+services:
+  - name: getty
+    image: linuxkit/getty:2eb742cd7a68e14cf50577c02f30147bc406e478
+    env:
+     - INSECURE=true
+  - name: rngd
+    image: linuxkit/rngd:v0.6
+files:
+  - path: etc/dm-crypt/key
+    # the below key is just to keep the example self-contained
+    # !!! provide a proper key for production use here !!!
+    contents: "abcdefghijklmnopqrstuvwxyz123456"
+trust:
+  org:
+    - linuxkit

examples/dm-crypt.yml

@@ -0,0 +1,43 @@
+kernel:
+  image: linuxkit/kernel:4.14.88
+  cmdline: "console=tty0 console=ttyS0"
+init:
+  - linuxkit/init:c563953a2277eb73a89d89f70e4b6dcdcfebc2d1
+  - linuxkit/runc:83d0edb4552b1a5df1f0976f05f442829eac38fe
+  - linuxkit/containerd:326b096cd5fbab0f864e52721d036cade67599d6
+  - linuxkit/ca-certificates:v0.6
+onboot:
+  - name: sysctl
+    image: linuxkit/sysctl:v0.6
+  - name: dhcpcd
+    image: linuxkit/dhcpcd:v0.6
+    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
+  - name: format
+    image: linuxkit/format:v0.6
+    command: ["/usr/bin/format", "/dev/sda"]
+  - name: dm-crypt
+    image: linuxkit/dm-crypt:9e41a164358b0235f0c242219b1a424c6552d46c
+    command: ["/usr/bin/crypto", "crypt_dev", "/dev/sda1"]
+  - name: mount
+    image: linuxkit/mount:v0.6
+    command: ["/usr/bin/mountie", "/dev/mapper/crypt_dev", "/var/secure_storage"]
+  - name: bbox
+    image: busybox
+    command: ["sh", "-c", "echo 'secret things' >/var/secure_storage/secrets"]
+    binds:
+      - /var:/var
+services:
+  - name: getty
+    image: linuxkit/getty:2eb742cd7a68e14cf50577c02f30147bc406e478
+    env:
+     - INSECURE=true
+  - name: rngd
+    image: linuxkit/rngd:v0.6
+files:
+  - path: etc/dm-crypt/key
+    # the below key is just to keep the example self-contained
+    # !!! provide a proper key for production use here !!!
+    contents: "abcdefghijklmnopqrstuvwxyz123456"
+trust:
+  org:
+    - linuxkit

pkg/dm-crypt/Dockerfile

@@ -0,0 +1,19 @@
+FROM linuxkit/alpine:3683c9a66cd4da40bd7d6c7da599b2dcd738b559 AS mirror
+RUN mkdir -p /out/etc/apk && cp -r /etc/apk/* /out/etc/apk/
+RUN apk add --no-cache --initdb -p /out  \
+    alpine-baselayout \
+    cryptsetup \
+    e2fsprogs
+
+# Remove apk residuals
+RUN rm -rf /out/etc/apk /out/lib/apk /out/var/cache
+
+FROM scratch
+ENTRYPOINT []
+WORKDIR /
+COPY --from=mirror /out/ /
+
+COPY crypto.sh /usr/bin/crypto
+RUN chmod +x /usr/bin/crypto
+
+CMD ["/usr/bin/crypto"]

pkg/dm-crypt/build.yml

@@ -0,0 +1,8 @@
+image: dm-crypt
+config:
+  binds:
+    - /dev:/dev
+    - /etc/dm-crypt:/etc/dm-crypt
+  capabilities:
+    - CAP_SYS_ADMIN
+    - CAP_MKNOD

pkg/dm-crypt/crypto.sh

@@ -0,0 +1,84 @@
+#!/bin/sh
+
+set -e
+
+help()
+{
+    echo "Usage: $0 [options] <dm_name> <device>"
+    echo
+    echo "Options:"
+    echo "    -l|--luks       Use LUKS extension"
+    echo "    -k|--key-file   Name of the key file, default: key"
+    echo "    <dm_name>       Name of the device mapper file, the encrypted device will become available under /dev/mapper/<dm_name>"
+    echo "    <device>        The encrypted device (e.g. /dev/sda1, /dev/loop0, etc)"
+    echo
+}
+
+luks=false
+key_file="key"
+
+O=`getopt -l key-file:luks,help -- k:lh "$@"` || exit 1
+eval set -- "$O"
+while true; do
+    case "$1" in
+        -l|--luks)      luks=true; shift;;
+        -k|--key-file)  key_file=$2; shift 2;;
+        -h|--help)      help; exit 0;;
+        --)             shift; break;;
+        *)              echo "Unknown option $1"; help; exit 1;;
+        esac
+done
+
+if [ -z "$1" ]; then
+    echo "Missing argument <dm_name>"
+    help
+    exit 1
+fi
+
+if [ -z "$2" ]; then
+    echo "Missing argument <device>"
+    help
+    exit 1
+fi
+
+dm_name=$1
+device=$2
+dmdev_name="/dev/mapper/$dm_name"
+cipher="aes-cbc-essiv:sha256"
+
+case "$key_file" in
+    /*) ;;
+    *)  key_file="/etc/dm-crypt/$key_file" ;;
+esac
+
+if [ ! -f "$key_file" ]; then
+    echo "Couldn't find encryption keyfile $key_file!"
+    exit 1
+fi
+
+if [ ! -d "/run/cryptsetup" ]; then
+    echo "Creating cryptsetup lock directory"
+    mkdir /run/cryptsetup
+fi
+
+if [ $luks = true ]; then
+    echo "Creating dm-crypt LUKS mapping for $device under $dmdev_name"
+    if ! cryptsetup isLuks $device; then
+        echo "Device $device doesn't seem to have a valid LUKS setup so one will be created."
+        cryptsetup --key-file "$key_file" --cipher "$cipher" luksFormat "$device"
+    fi
+    cryptsetup --key-file "$key_file" luksOpen "$device" "$dm_name"
+else
+    echo "Creating dm-crypt mapping for $device under $dmdev_name"
+    cryptsetup --key-file "$key_file" --cipher "$cipher" create "$dm_name" "$device"
+fi
+
+o=`blkid $dmdev_name`
+if [ -z "$o" ]; then
+	echo "Device $dmdev_name doesn't seem to contain a filesystem, creating one."
+    # dd will write the device until it's full and then return with an error because "no space left"
+    dd if=/dev/zero of="$dmdev_name" || true
+    mkfs.ext4 "$dmdev_name"
+else
+	echo "Device $dmdev_name seems to contain filesystem: $o"
+fi

pkg/losetup/Dockerfile

@@ -0,0 +1,18 @@
+FROM linuxkit/alpine:3683c9a66cd4da40bd7d6c7da599b2dcd738b559 AS mirror
+RUN mkdir -p /out/etc/apk && cp -r /etc/apk/* /out/etc/apk/
+RUN apk add --no-cache --initdb -p /out  \
+    alpine-baselayout \
+    busybox
+
+# Remove apk residuals
+RUN rm -rf /out/etc/apk /out/lib/apk /out/var/cache
+
+FROM scratch
+ENTRYPOINT []
+WORKDIR /
+COPY --from=mirror /out/ /
+
+COPY loopy.sh /usr/bin/loopy
+RUN chmod +x /usr/bin/loopy
+
+CMD ["/usr/bin/loopy"]

pkg/losetup/build.yml

@@ -0,0 +1,7 @@
+image: losetup
+config:
+  binds:
+    - /dev:/dev
+    - /var:/var
+  capabilities:
+    - CAP_SYS_ADMIN

pkg/losetup/loopy.sh

@@ -0,0 +1,57 @@
+#!/bin/sh
+
+set -e
+
+help()
+{
+    echo "Usage: $0 [options] <file>"
+    echo
+    echo "Options:"
+    echo "    -c, --create          Create <file> if not present, default: false"
+    echo "    -s, --size NUM        Size of <file> in MiB if it gets created, default: 10"
+    echo "    -d, --dev DEVICE      Use DEVICE as loop device, default: /dev/loop0"
+    echo
+}
+
+create=false
+size_mib=10
+loop_device="/dev/loop0"
+
+O=`getopt -l create,size:,dev:,help -- cs:d:h "$@"` || exit 1
+eval set -- "$O"
+while true; do
+    case "$1" in
+        -c|--create)   create=true; shift;;
+        -s|--size)     size_mib=$2; shift 2;;
+        -d|--dev)      loop_device=$2; shift 2;;
+        -h|--help)     help; exit 0;;
+        --)            shift; break;;
+        *)             echo "Unknown option $1"; help; exit 1;;
+	esac
+done
+
+if [ -z "$1" ]; then
+    echo "Missing argument <file>"
+    help
+    exit 1
+fi
+
+container_file=$1
+
+if [ ! -b "$loop_device" ]; then
+    echo "Loop device $loop_device doesn't exist! Did you forget to bind-mount '/dev'?"
+    exit 2
+fi
+
+if [ ! -f "$container_file" ]; then
+    if [ $create = true ]; then
+        echo "File $container_file not found, creating new one of size $size_mib MiB"
+        dd if="/dev/zero" of="$container_file" bs=1M count=$size_mib
+    else
+        echo "File $container_file not found. Please specify --create or ensure it's present."
+        exit 2
+    fi
+fi
+
+echo "Associating file $container_file with loop device $loop_device"
+losetup "$loop_device" "$container_file"

test/cases/040_packages/004_dm-crypt/000_simple/check.sh

@@ -0,0 +1,10 @@
+#!/bin/sh
+
+function failed {
+	printf "dm-crypt test suite FAILED\n" >&1
+	exit 1
+}
+
+[ -b /dev/mapper/it_is_encrypted ] || failed
+
+printf "dm-crypt test suite PASSED\n" >&1

test/cases/040_packages/004_dm-crypt/000_simple/test.sh

@@ -0,0 +1,26 @@
+#!/bin/sh
+# SUMMARY: Check that the losetup package works
+# LABELS:
+# REPEAT:
+
+set -e
+
+# Source libraries. Uncomment if needed/defined
+#. "${RT_LIB}"
+. "${RT_PROJECT_ROOT}/_lib/lib.sh"
+
+NAME=dm-crypt
+DISK=disk.img
+
+clean_up() {
+        rm -rf ${NAME}-* ${DISK}
+}
+trap clean_up EXIT
+
+# Test code goes here
+linuxkit build -format kernel+initrd -name ${NAME} test.yml
+RESULT="$(linuxkit run -disk file=${DISK},size=32M ${NAME})"
+echo "${RESULT}"
+echo "${RESULT}" | grep -q "suite PASSED"
+
+exit 0

test/cases/040_packages/004_dm-crypt/000_simple/test.yml

@@ -0,0 +1,30 @@
+kernel:
+  image: linuxkit/kernel:4.14.88
+  cmdline: "console=ttyS0 console=ttyAMA0"
+init:
+  - linuxkit/init:c563953a2277eb73a89d89f70e4b6dcdcfebc2d1
+  - linuxkit/runc:83d0edb4552b1a5df1f0976f05f442829eac38fe
+onboot:
+  - name: dm-crypt
+    image: linuxkit/dm-crypt:9e41a164358b0235f0c242219b1a424c6552d46c
+    command: ["/usr/bin/crypto", "it_is_encrypted", "/dev/sda"]
+  - name: test
+    image: alpine:3.8
+    net: host
+    binds:
+      - /check.sh:/check.sh
+      - /dev:/dev
+    command: ["sh", "./check.sh"]
+  - name: poweroff
+    image: linuxkit/poweroff:afe8f7dd0d47a7991c54519b0f09124cb8c4e300
+    command: ["/bin/sh", "/poweroff.sh", "10"]
+files:
+  - path: check.sh
+    source: ./check.sh
+  - path: etc/dm-crypt/key
+    contents: "abcdefghijklmnopqrstuvwxyz123456"
+trust:
+  org:
+    - linuxkit
+  image:
+    - alpine:3.8

test/cases/040_packages/004_dm-crypt/001_luks/check.sh

@@ -0,0 +1,10 @@
+#!/bin/sh
+
+function failed {
+	printf "dm-crypt test suite FAILED\n" >&1
+	exit 1
+}
+
+[ -b /dev/mapper/it_is_encrypted ] || failed
+
+printf "dm-crypt test suite PASSED\n" >&1

test/cases/040_packages/004_dm-crypt/001_luks/test.sh

@@ -0,0 +1,26 @@
+#!/bin/sh
+# SUMMARY: Check that the losetup package works
+# LABELS:
+# REPEAT:
+
+set -e
+
+# Source libraries. Uncomment if needed/defined
+#. "${RT_LIB}"
+. "${RT_PROJECT_ROOT}/_lib/lib.sh"
+
+NAME=dm-crypt
+DISK=disk.img
+
+clean_up() {
+        rm -rf ${NAME}-* ${DISK}
+}
+trap clean_up EXIT
+
+# Test code goes here
+linuxkit build -format kernel+initrd -name ${NAME} test.yml
+RESULT="$(linuxkit run -disk file=${DISK},size=8M ${NAME})"
+echo "${RESULT}"
+echo "${RESULT}" | grep -q "suite PASSED"
+
+exit 0

test/cases/040_packages/004_dm-crypt/001_luks/test.yml

@@ -0,0 +1,30 @@
+kernel:
+  image: linuxkit/kernel:4.14.88
+  cmdline: "console=ttyS0 console=ttyAMA0"
+init:
+  - linuxkit/init:c563953a2277eb73a89d89f70e4b6dcdcfebc2d1
+  - linuxkit/runc:83d0edb4552b1a5df1f0976f05f442829eac38fe
+onboot:
+  - name: dm-crypt
+    image: linuxkit/dm-crypt:9e41a164358b0235f0c242219b1a424c6552d46c
+    command: ["/usr/bin/crypto", "-l", "it_is_encrypted", "/dev/sda"]
+  - name: test
+    image: alpine:3.8
+    net: host
+    binds:
+      - /check.sh:/check.sh
+      - /dev:/dev
+    command: ["sh", "./check.sh"]
+  - name: poweroff
+    image: linuxkit/poweroff:afe8f7dd0d47a7991c54519b0f09124cb8c4e300
+    command: ["/bin/sh", "/poweroff.sh", "10"]
+files:
+  - path: check.sh
+    source: ./check.sh
+  - path: etc/dm-crypt/key
+    contents: "abcdefghijklmnopqrstuvwxyz123456"
+trust:
+  org:
+    - linuxkit
+  image:
+    - alpine:3.8

test/cases/040_packages/004_dm-crypt/002_key/check.sh

@@ -0,0 +1,10 @@
+#!/bin/sh
+
+function failed {
+	printf "dm-crypt test suite FAILED\n" >&1
+	exit 1
+}
+
+[ -b /dev/mapper/it_is_encrypted ] || failed
+
+printf "dm-crypt test suite PASSED\n" >&1

test/cases/040_packages/004_dm-crypt/002_key/test.sh

@@ -0,0 +1,26 @@
+#!/bin/sh
+# SUMMARY: Check that the losetup package works
+# LABELS:
+# REPEAT:
+
+set -e
+
+# Source libraries. Uncomment if needed/defined
+#. "${RT_LIB}"
+. "${RT_PROJECT_ROOT}/_lib/lib.sh"
+
+NAME=dm-crypt
+DISK=disk.img
+
+clean_up() {
+        rm -rf ${NAME}-* ${DISK}
+}
+trap clean_up EXIT
+
+# Test code goes here
+linuxkit build -format kernel+initrd -name ${NAME} test.yml
+RESULT="$(linuxkit run -disk file=${DISK},size=32M ${NAME})"
+echo "${RESULT}"
+echo "${RESULT}" | grep -q "suite PASSED"
+
+exit 0

test/cases/040_packages/004_dm-crypt/002_key/test.yml

@@ -0,0 +1,33 @@
+kernel:
+  image: linuxkit/kernel:4.14.88
+  cmdline: "console=ttyS0 console=ttyAMA0"
+init:
+  - linuxkit/init:c563953a2277eb73a89d89f70e4b6dcdcfebc2d1
+  - linuxkit/runc:83d0edb4552b1a5df1f0976f05f442829eac38fe
+onboot:
+  - name: dm-crypt
+    image: linuxkit/dm-crypt:9e41a164358b0235f0c242219b1a424c6552d46c
+    command: ["/usr/bin/crypto", "-k", "/some/other/enc_key", "it_is_encrypted", "/dev/sda"]
+    binds:
+      - /dev/:/dev
+      - /some/other/enc_key:/some/other/enc_key
+  - name: test
+    image: alpine:3.8
+    net: host
+    binds:
+      - /check.sh:/check.sh
+      - /dev:/dev
+    command: ["sh", "./check.sh"]
+  - name: poweroff
+    image: linuxkit/poweroff:afe8f7dd0d47a7991c54519b0f09124cb8c4e300
+    command: ["/bin/sh", "/poweroff.sh", "10"]
+files:
+  - path: check.sh
+    source: ./check.sh
+  - path: some/other/enc_key
+    contents: "abcdefghijklmnopqrstuvwxyz123456"
+trust:
+  org:
+    - linuxkit
+  image:
+    - alpine:3.8

test/cases/040_packages/012_losetup/check.sh

@@ -0,0 +1,12 @@
+#!/bin/sh
+
+function failed {
+	printf "losetup test suite FAILED\n" >&1
+	exit 1
+}
+
+LOOPFILE=$(losetup /dev/loop0 2>/dev/null | cut -d' ' -f3)
+
+[ "$LOOPFILE" = "/var/test.img" ] || failed
+
+printf "losetup test suite PASSED\n" >&1

test/cases/040_packages/012_losetup/test.sh

@@ -0,0 +1,25 @@
+#!/bin/sh
+# SUMMARY: Check that the losetup package works
+# LABELS:
+# REPEAT:
+
+set -e
+
+# Source libraries. Uncomment if needed/defined
+#. "${RT_LIB}"
+. "${RT_PROJECT_ROOT}/_lib/lib.sh"
+
+NAME=losetup
+
+clean_up() {
+	rm -rf ${NAME}-*
+}
+trap clean_up EXIT
+
+# Test code goes here
+linuxkit build -format kernel+initrd -name "${NAME}" test.yml
+RESULT="$(linuxkit run $NAME)"
+echo "${RESULT}"
+echo "${RESULT}" | grep -q "suite PASSED"
+
+exit 0

test/cases/040_packages/012_losetup/test.yml

@@ -0,0 +1,28 @@
+kernel:
+  image: linuxkit/kernel:4.14.88
+  cmdline: "console=ttyS0 console=ttyAMA0"
+init:
+  - linuxkit/init:c563953a2277eb73a89d89f70e4b6dcdcfebc2d1
+  - linuxkit/runc:83d0edb4552b1a5df1f0976f05f442829eac38fe
+onboot:
+  - name: losetup
+    image: linuxkit/losetup:b05ffc8641cc955abe45f6730cbe6d723b63bd3f
+    command: ["/usr/bin/loopy", "-c", "/var/test.img"]
+  - name: test
+    image: alpine:3.8
+    net: host
+    binds:
+      - /check.sh:/check.sh
+      - /dev:/dev
+    command: ["sh", "./check.sh"]
+  - name: poweroff
+    image: linuxkit/poweroff:afe8f7dd0d47a7991c54519b0f09124cb8c4e300
+    command: ["/bin/sh", "/poweroff.sh", "10"]
+files:
+  - path: check.sh
+    source: ./check.sh
+trust:
+  org:
+    - linuxkit
+  image:
+    - alpine:3.8