On Thu, 2016-09-22 at 00:48 +0200, Thomas Lange wrote:
>
> Sure. I plan to release FAI 5.2 in one week, so if you would like to get
> this included, send a patch soon.
Patch attached. I'm happily building servers with it.
This is my first time using RecDescent, so there may be a better
approach than the one I've taken.
Cheers,
Andrew
--
Andrew Ruthven, Wellington, New Zealand
and...@etc.gen.nz | linux.conf.au 2017, Hobart, AU
New Zealand's only Cloud: | The Future of Open Source
https://catalyst.net.nz/cloud | http://linux.conf.au
From d2a718357da1d46b8ef5494709f4403172d4c353 Mon Sep 17 00:00:00 2001
From: Andrew Ruthven <and...@etc.gen.nz>
Date: Mon, 26 Sep 2016 12:09:29 +1300
Subject: [PATCH] Allow specifying options to cryptsetup
---
debian/changelog | 3 +++
lib/setup-storage/Commands.pm | 16 +++++++++++++---
lib/setup-storage/Parser.pm | 8 +++++++-
man/setup-storage.8 | 9 ++++++++-
4 files changed, 31 insertions(+), 5 deletions(-)
mode change 100644 => 100755 lib/setup-storage/Commands.pm
diff --git a/debian/changelog b/debian/changelog
index 76c7e82..b048769 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -52,6 +52,9 @@ fai (5.2~beta19) UNRELEASED; urgency=low
[ Paul Schulz ]
* setup-storage.8: add documentation for luks:
+ [ Andrew Ruthven ]
+ * setup-storage: Add lukscreateopts to disk config file.
+
-- Thomas Lange <la...@debian.org> Thu, 15 Sep 2016 04:09:52 +0200
fai (5.1.2) unstable; urgency=low
diff --git a/lib/setup-storage/Commands.pm b/lib/setup-storage/Commands.pm
old mode 100644
new mode 100755
index 9606ed5..31898ca
--- a/lib/setup-storage/Commands.pm
+++ b/lib/setup-storage/Commands.pm
@@ -164,6 +164,7 @@ sub handle_oldstyle_encrypt_device {
mount_options => $partition->{mount_options},
filesystem => $partition->{filesystem},
createopts => $partition->{createopts},
+ lukscreateopts => $partition->{lukscreateopts},
tuneopts => $partition->{tuneopts}
};
@@ -243,21 +244,30 @@ sub build_cryptsetup_commands {
if ($mode =~ /^luks(:"([^"]+)")?$/) {
my $keyfile = "$FAI::DATADIR/$enc_dev_short_name";
+ my $luksoption = $1;
+ my $passphrase = $2;
# generate a key for encryption
&FAI::push_command(
"head -c 2048 /dev/urandom | od | tee $keyfile",
"", "keyfile_$real_dev" );
+
+ my $lukscreateopts = $vol->{lukscreateopts} // "";
+ if ($lukscreateopts !~ /(^|\s)-c\s+\S+/) {
+ $lukscreateopts .= " -c aes-cbc-essiv:sha256";
+ }
+ if ($lukscreateopts !~ /(^|\s)-s\s+\d+/) {
+ $lukscreateopts .= " -s 256";
+ }
# encrypt
&FAI::push_command(
- "yes YES | cryptsetup luksFormat $real_dev $keyfile -c aes-cbc-essiv:sha256 -s 256",
+ "yes YES | cryptsetup luksFormat $real_dev $keyfile $lukscreateopts",
"$pre_dep,keyfile_$real_dev", "crypt_format_$real_dev" );
&FAI::push_command(
"cryptsetup luksOpen $real_dev $enc_dev_short_name --key-file $keyfile",
"crypt_format_$real_dev", "exist_$enc_dev_name" );
- if (defined($1)) {
- my $passphrase = $2;
+ if (defined($luksoption)) {
# add user-defined key
&FAI::push_command(
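Review bot: The two fallback checks `if ($lukscreateopts !~ /(^|\s)-c\s+\S+/)` and `if ($lukscreateopts !~ /(^|\s)-s\s+\d+/)` recognise only the short spellings, so a disk config that uses cryptsetup's long forms `--cipher` or `--key-size` still gets the default appended after it and which of the two settings is honoured is then left to cryptsetup's option parser rather than the config author; matching both spellings, `if ($lukscreateopts !~ /(?:^|\s)(?:-c|--cipher)(?:\s+|=)\S+/)` and `if ($lukscreateopts !~ /(?:^|\s)(?:-s|--key-size)(?:\s+|=)\d+/)`, keeps the user's choice authoritative. The value is also spliced verbatim and unquoted into the `yes YES | cryptsetup luksFormat ...` line, which the pipe suggests is run through a shell, so it is subject to word splitting and shell metacharacters; that is acceptable for an admin-controlled disk config but deserves a comment next to `my $lukscreateopts = $vol->{lukscreateopts} // "";` such as `# taken verbatim from the trusted disk config; passed to the shell unquoted`. The patch additionally flips lib/setup-storage/Commands.pm to mode 100755 (see the `old mode`/`new mode` lines above), which looks accidental for a library module and should be dropped. The body of build_cryptsetup_commands continues outside the hunk.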
diff --git a/lib/setup-storage/Parser.pm b/lib/setup-storage/Parser.pm
index 4373364..943eaa5 100755
--- a/lib/setup-storage/Parser.pm
+++ b/lib/setup-storage/Parser.pm
@@ -812,7 +812,7 @@ $FAI::Parser = Parse::RecDescent->new(
$FAI::partition_pointer = (\%FAI::configs)->{CRYPT}->{volumes}->{$vol_id};
$FAI::partition_pointer_dev_name = "CRYPT$vol_id";
}
- mountpoint devices filesystem mount_options lv_or_fsopts
+ mountpoint devices filesystem mount_options lukscreate_or_lvopts
| /^tmpfs\s+/
{
($FAI::device eq "TMPFS") or die "tmpfs entry invalid in this context\n";
@@ -1112,6 +1112,12 @@ $FAI::Parser = Parse::RecDescent->new(
}
| createtuneopt(s?)
+ lukscreate_or_lvopts: /lukscreateopts="([^"]*)"/ lv_or_fsopts(s?)
+ {
+ $FAI::partition_pointer->{lukscreateopts} = $1;
+ }
+ | lv_or_fsopts(s?)
+
lv_or_fsopts: /lvcreateopts="([^"]*)"/ createtuneopt(s?)
{
$FAI::partition_pointer->{lvcreateopts} = $1;
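Review bot: Both alternatives of the new `lukscreate_or_lvopts` rule reference `lv_or_fsopts(s?)`, whereas the `volume` production it replaces (previous hunk in this file) used a single `lv_or_fsopts`; the switch to a repetition is not explained and, as far as can be told from here, changes how many times the lv/fs options may appear, so plain `lv_or_fsopts` in both alternatives seems the intended reading of the existing grammar. The keyword accepted here is `lukscreateopts="..."`, but the man page hunk in man/setup-storage.8 documents it as `lukscreateoptions=".*"` and states the default cipher as `aes-cbc-essiv:sha2` (with `ciper` for `cipher`), while Commands.pm uses `aes-cbc-essiv:sha256`; the man page should be aligned with the parser and the code. Copying `$1` from the token regex in the action block follows the neighbouring `lv_or_fsopts` rule, so that part is consistent with the file.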
diff --git a/man/setup-storage.8 b/man/setup-storage.8
index f0e14de..5ded92a 100644
--- a/man/setup-storage.8
+++ b/man/setup-storage.8
@@ -613,7 +613,7 @@ option ::= /* empty */
.br
-volume ::= <type> <mountpoint> <size> <filesystem> <mount_options> <fs_options>
+volume ::= <type> <mountpoint> <size> <filesystem> <mount_options> <luks_options> <fs_options>
.br
| vg <name> <size> <fs_options>
.br
@@ -733,6 +733,13 @@ filesystem ::= -
/* mkfs.xxx must exist */
.br
+luks_options ::= (lukscreateoptions=".*")
+.br
+ /* options to supply to cryptsetup when creating a LUKS
+ * encrypted filesystem. If no ciper (-c) is specified, then
+ * aes-cbc-essiv:sha2 is used. If no key size (-s) is
+ * specified then 256 is used. */
+.br
fs_options ::= (createopts=".*"|tuneopts=".*"|(pv|vg|lv|md)createopts=".*")*
.br
--
2.9.3