On Thu, 2016-09-22 at 00:48 +0200, Thomas Lange wrote:
> 
> Sure. I plan to release FAI 5.2 in one week, so if you like to get
> this included, sent a patch soon.

Patch attached. I'm happily building servers with it.

This is my first time using RecDescent, so there may be a better
approach than the one I've taken.

Cheers,
Andrew

-- 
Andrew Ruthven, Wellington, New Zealand
and...@etc.gen.nz             | linux.conf.au 2017, Hobart, AU 
  New Zealand's only Cloud:   |   The Future of Open Source
https://catalyst.net.nz/cloud |     http://linux.conf.au
From d2a718357da1d46b8ef5494709f4403172d4c353 Mon Sep 17 00:00:00 2001
From: Andrew Ruthven <and...@etc.gen.nz>
Date: Mon, 26 Sep 2016 12:09:29 +1300
Subject: [PATCH] Allow specifying options to cryptsetup

---
 debian/changelog              |  3 +++
 lib/setup-storage/Commands.pm | 16 +++++++++++++---
 lib/setup-storage/Parser.pm   |  8 +++++++-
 man/setup-storage.8           |  9 ++++++++-
 4 files changed, 31 insertions(+), 5 deletions(-)
 mode change 100644 => 100755 lib/setup-storage/Commands.pm

diff --git a/debian/changelog b/debian/changelog
index 76c7e82..b048769 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -52,6 +52,9 @@ fai (5.2~beta19) UNRELEASED; urgency=low
   [ Paul Schulz ]
   * setup-storage.8: add documentation for luks:
 
+  [ Andrew Ruthven ]
+  * setup-storage: Add lukscreateopts to disk config file.
+
  -- Thomas Lange <la...@debian.org>  Thu, 15 Sep 2016 04:09:52 +0200
 
 fai (5.1.2) unstable; urgency=low
diff --git a/lib/setup-storage/Commands.pm b/lib/setup-storage/Commands.pm
old mode 100644
new mode 100755
index 9606ed5..31898ca
--- a/lib/setup-storage/Commands.pm
+++ b/lib/setup-storage/Commands.pm
@@ -164,6 +164,7 @@ sub handle_oldstyle_encrypt_device {
     mount_options => $partition->{mount_options},
     filesystem => $partition->{filesystem},
     createopts => $partition->{createopts},
+    lukscreateopts => $partition->{lukscreateopts},
     tuneopts => $partition->{tuneopts}
   };
 
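Review bot: The file header above this hunk changes lib/setup-storage/Commands.pm from mode 100644 to 100755, which is unrelated to adding `lukscreateopts` and looks like an accidental chmod picked up from the working tree. A module that is presumably loaded rather than run directly does not need the execute bit, so I would drop the `old mode`/`new mode` change from the patch. The hash literal that the new `lukscreateopts => $partition->{lukscreateopts},` line is added to opens outside the hunk.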
@@ -243,21 +244,30 @@ sub build_cryptsetup_commands {
 
       if ($mode =~ /^luks(:"([^"]+)")?$/) {
         my $keyfile = "$FAI::DATADIR/$enc_dev_short_name";
+        my $luksoption = $1;
+        my $passphrase = $2;
 
         # generate a key for encryption
         &FAI::push_command(
           "head -c 2048 /dev/urandom | od | tee $keyfile",
           "", "keyfile_$real_dev" );
+
+        my $lukscreateopts = $vol->{lukscreateopts} // "";
+        if ($lukscreateopts !~ /(^|\s)-c\s+\S+/) {
+          $lukscreateopts .= " -c aes-cbc-essiv:sha256";
+        }
+        if ($lukscreateopts !~ /(^|\s)-s\s+\d+/) {
+          $lukscreateopts .= " -s 256";
+        }
         # encrypt
         &FAI::push_command(
-          "yes YES | cryptsetup luksFormat $real_dev $keyfile -c aes-cbc-essiv:sha256 -s 256",
+          "yes YES | cryptsetup luksFormat $real_dev $keyfile $lukscreateopts",
           "$pre_dep,keyfile_$real_dev", "crypt_format_$real_dev" );
         &FAI::push_command(
           "cryptsetup luksOpen $real_dev $enc_dev_short_name --key-file $keyfile",
           "crypt_format_$real_dev", "exist_$enc_dev_name" );
 
-        if (defined($1)) {
-          my $passphrase = $2;
+        if (defined($luksoption)) {
 
           # add user-defined key
           &FAI::push_command(
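Review bot: The two default checks on `$lukscreateopts` only recognise the short spellings `-c <cipher>` and `-s <bits>` separated by whitespace, so a config that writes `--cipher aes-xts-plain64` or `--key-size=512` still gets ` -c aes-cbc-essiv:sha256` and ` -s 256` appended after it. cryptsetup then receives each option twice, and if the later occurrence wins (likely, but worth confirming) the administrator's chosen cipher or key size is silently replaced by the defaults. I would match the long forms as well, e.g. `if ($lukscreateopts !~ /(?:^|\s)(?:-c\s*|--cipher[=\s]\s*)\S+/)` and `if ($lukscreateopts !~ /(?:^|\s)(?:-s\s*|--key-size[=\s]\s*)\d+/)`, with a comment above them stating that the defaults apply only when the config names no cipher or key size. The body of build_cryptsetup_commands starts and ends outside the hunk.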
diff --git a/lib/setup-storage/Parser.pm b/lib/setup-storage/Parser.pm
index 4373364..943eaa5 100755
--- a/lib/setup-storage/Parser.pm
+++ b/lib/setup-storage/Parser.pm
@@ -812,7 +812,7 @@ $FAI::Parser = Parse::RecDescent->new(
           $FAI::partition_pointer = (\%FAI::configs)->{CRYPT}->{volumes}->{$vol_id};
           $FAI::partition_pointer_dev_name = "CRYPT$vol_id";
         }
-        mountpoint devices filesystem mount_options lv_or_fsopts
+        mountpoint devices filesystem mount_options lukscreate_or_lvopts
         | /^tmpfs\s+/
         {
           ($FAI::device eq "TMPFS") or die "tmpfs entry invalid in this context\n";
@@ -1112,6 +1112,12 @@ $FAI::Parser = Parse::RecDescent->new(
         }
         | createtuneopt(s?)
 
+   lukscreate_or_lvopts: /lukscreateopts="([^"]*)"/ lv_or_fsopts(s?)
+        {
+          $FAI::partition_pointer->{lukscreateopts} = $1;
+        }
+        | lv_or_fsopts(s?)
+
     lv_or_fsopts: /lvcreateopts="([^"]*)"/ createtuneopt(s?)
         {
           $FAI::partition_pointer->{lvcreateopts} = $1;
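Review bot: The new `lukscreate_or_lvopts` rule captures `[^"]*`, so every character except a double quote is stored in `lukscreateopts`, and the Commands.pm hunk then interpolates that value unquoted into the `cryptsetup luksFormat` command string, which contains a pipe and so is presumably run through a shell. Shell metacharacters that end up in the disk config file would therefore be interpreted by the shell instead of being handed to cryptsetup as arguments. The disk config is administrator-authored, so this is hardening rather than a trust-boundary fix, but narrowing the capture to option characters, for example `/lukscreateopts="([-\w\s=:.,\/]*)"/`, makes a malformed value fail at parse time instead of during the install. Separately, the man page hunk documents the keyword as `lukscreateoptions` and the default cipher as `aes-cbc-essiv:sha2`, while this rule matches `lukscreateopts` and the code appends `aes-cbc-essiv:sha256`; the two should agree. The `lv_or_fsopts` rule at the end of the hunk continues outside it.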
diff --git a/man/setup-storage.8 b/man/setup-storage.8
index f0e14de..5ded92a 100644
--- a/man/setup-storage.8
+++ b/man/setup-storage.8
@@ -613,7 +613,7 @@ option ::= /* empty */
 .br
 
 
-volume ::= <type> <mountpoint> <size> <filesystem> <mount_options> <fs_options>
+volume ::= <type> <mountpoint> <size> <filesystem> <mount_options> <luks_options> <fs_options>
 .br
            | vg <name> <size> <fs_options>
 .br
@@ -733,6 +733,13 @@ filesystem ::= -
                /* mkfs.xxx must exist */
 .br
 
+luks_options ::= (lukscreateoptions=".*")
+.br
+                 /* options to supply to cryptsetup when creating a LUKS
+                  * encrypted filesystem. If no ciper (-c) is specified, then
+                  * aes-cbc-essiv:sha2 is used. If no key size (-s) is
+                  * specified then 256 is used. */
+.br
 
 fs_options ::= (createopts=".*"|tuneopts=".*"|(pv|vg|lv|md)createopts=".*")*
 .br
-- 
2.9.3
