Re: Customise settings for cryptsetup

2016-09-26 Discussion threads Thomas Lange
> On Mon, 26 Sep 2016 13:08:28 +1300, Andrew Ruthven said:

> Patch attached. I'm happily building servers with it.
Patch applied. Thanks for your patch.

-- 
regards Thomas


Re: Customise settings for cryptsetup

2016-09-25 Discussion threads Andrew Ruthven
On Thu, 2016-09-22 at 00:48 +0200, Thomas Lange wrote:
> 
> Sure. I plan to release FAI 5.2 in one week, so if you like to get
> this included, send a patch soon.

Patch attached. I'm happily building servers with it.

This is my first time using RecDescent, so there may be a better
approach than that I've done.

Cheers,
Andrew

-- 
Andrew Ruthven, Wellington, New Zealand
and...@etc.gen.nz | linux.conf.au 2017, Hobart, AU 
  New Zealand's only Cloud:   |   The Future of Open Source
https://catalyst.net.nz/cloud |     http://linux.conf.au

From d2a718357da1d46b8ef5494709f4403172d4c353 Mon Sep 17 00:00:00 2001
From: Andrew Ruthven 
Date: Mon, 26 Sep 2016 12:09:29 +1300
Subject: [PATCH] Allow specifying options to cryptsetup

---
 debian/changelog  |  3 +++
 lib/setup-storage/Commands.pm | 16 +---
 lib/setup-storage/Parser.pm   |  8 +++-
 man/setup-storage.8   |  9 -
 4 files changed, 31 insertions(+), 5 deletions(-)
 mode change 100644 => 100755 lib/setup-storage/Commands.pm

diff --git a/debian/changelog b/debian/changelog
index 76c7e82..b048769 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -52,6 +52,9 @@ fai (5.2~beta19) UNRELEASED; urgency=low
   [ Paul Schulz ]
   * setup-storage.8: add documentation for luks:
 
+  [ Andrew Ruthven ]
+  * setup-storage: Add lukscreateopts to disk config file.
+
  -- Thomas Lange   Thu, 15 Sep 2016 04:09:52 +0200
 
 fai (5.1.2) unstable; urgency=low
diff --git a/lib/setup-storage/Commands.pm b/lib/setup-storage/Commands.pm
old mode 100644
new mode 100755
index 9606ed5..31898ca
--- a/lib/setup-storage/Commands.pm
+++ b/lib/setup-storage/Commands.pm
@@ -164,6 +164,7 @@ sub handle_oldstyle_encrypt_device {
 mount_options => $partition->{mount_options},
 filesystem => $partition->{filesystem},
 createopts => $partition->{createopts},
+lukscreateopts => $partition->{lukscreateopts},
 tuneopts => $partition->{tuneopts}
   };
 
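Review bot: the patch also flips lib/setup-storage/Commands.pm from mode 100644 to 100755 (see the "old mode"/"new mode" lines in the file header above this hunk and the "mode change" line in the diffstat). That looks unrelated to the feature: a Perl module loaded via use/require does not need the execute bit, and the mode flip will show up as noise in every later diff. Suggest reverting the chmod before committing so the patch is limited to the one-line lukscreateopts addition shown here.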
@@ -243,21 +244,30 @@ sub build_cryptsetup_commands {
 
   if ($mode =~ /^luks(:"([^"]+)")?$/) {
 my $keyfile = "$FAI::DATADIR/$enc_dev_short_name";
+my $luksoption = $1;
+my $passphrase = $2;
 
 # generate a key for encryption
 ::push_command(
   "head -c 2048 /dev/urandom | od | tee $keyfile",
   "", "keyfile_$real_dev" );
+
+my $lukscreateopts = $vol->{lukscreateopts} // "";
+if ($lukscreateopts !~ /(^|\s)-c\s+\S+/) {
+  $lukscreateopts .= " -c aes-cbc-essiv:sha256";
+}
+if ($lukscreateopts !~ /(^|\s)-s\s+\d+/) {
+  $lukscreateopts .= " -s 256";
+}
 # encrypt
 ::push_command(
-  "yes YES | cryptsetup luksFormat $real_dev $keyfile -c aes-cbc-essiv:sha256 -s 256",
+  "yes YES | cryptsetup luksFormat $real_dev $keyfile $lukscreateopts",
   "$pre_dep,keyfile_$real_dev", "crypt_format_$real_dev" );
 ::push_command(
   "cryptsetup luksOpen $real_dev $enc_dev_short_name --key-file $keyfile",
   "crypt_format_$real_dev", "exist_$enc_dev_name" );
 
-if (defined($1)) {
-  my $passphrase = $2;
+if (defined($luksoption)) {
 
   # add user-defined key
   ::push_command(
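Review bot: the early copies `my $luksoption = $1;` / `my $passphrase = $2;` right after the `$mode =~ /^luks(:"([^"]+)")?$/` test are required for correctness, not just tidiness, and deserve a comment saying so: the two new `!~ /(^|\s)-c\s+\S+/` and `!~ /(^|\s)-s\s+\d+/` tests contain a capture group, so whenever the user does supply -c or -s the match succeeds and overwrites $1 and $2 before the old `if (defined($1))` check would have run, silently dropping the user-defined passphrase. Two further points on the defaulting logic: it only recognises the short option spellings, so a config value such as `lukscreateopts="--cipher aes-xts-plain64 --key-size 512"` (cryptsetup's long forms of -c and -s) would still get `-c aes-cbc-essiv:sha256 -s 256` appended, giving cryptsetup two conflicting cipher and key-size arguments; extending the patterns to `(-c|--cipher)` and `(-s|--key-size)` avoids that. And `$lukscreateopts` is interpolated unquoted into the `yes YES | cryptsetup luksFormat ...` command line, so the value is subject to shell word splitting and quoting exactly as typed in the disk config; that is fine for an admin-controlled file but should be stated in the man page entry.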
diff --git a/lib/setup-storage/Parser.pm b/lib/setup-storage/Parser.pm
index 4373364..943eaa5 100755
--- a/lib/setup-storage/Parser.pm
+++ b/lib/setup-storage/Parser.pm
@@ -812,7 +812,7 @@ $FAI::Parser = Parse::RecDescent->new(
   $FAI::partition_pointer = (\%FAI::configs)->{CRYPT}->{volumes}->{$vol_id};
   $FAI::partition_pointer_dev_name = "CRYPT$vol_id";
 }
-mountpoint devices filesystem mount_options lv_or_fsopts
+mountpoint devices filesystem mount_options lukscreate_or_lvopts
 | /^tmpfs\s+/
 {
   ($FAI::device eq "TMPFS") or die "tmpfs entry invalid in this context\n";
@@ -1112,6 +1112,12 @@ $FAI::Parser = Parse::RecDescent->new(
 }
 | createtuneopt(s?)
 
+   lukscreate_or_lvopts: /lukscreateopts="([^"]*)"/ lv_or_fsopts(s?)
+{
+  $FAI::partition_pointer->{lukscreateopts} = $1;
+}
+| lv_or_fsopts(s?)
+
 lv_or_fsopts: /lvcreateopts="([^"]*)"/ createtuneopt(s?)
 {
   $FAI::partition_pointer->{lvcreateopts} = $1;
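Review bot: the new rule is order-sensitive, which the man page should say: `lukscreate_or_lvopts` matches `lukscreateopts="..."` only as the first token and then continues with `lv_or_fsopts(s?)`, so `lukscreateopts="..." lvcreateopts="..." createopts="..."` parses but `createopts="..." lukscreateopts="..."` does not (the second alternative `lv_or_fsopts(s?)` has no path back to lukscreateopts). Either document that lukscreateopts must come before lvcreateopts/createopts/tuneopts, or make the option list order-independent. The action block's use of `$1` mirrors the existing `lv_or_fsopts` rule, so that part is consistent.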
diff --git a/man/setup-storage.8 b/man/setup-storage.8
index f0e14de..5ded92a 100644
--- a/man/setup-storage.8
+++ b/man/setup-storage.8
@@ -613,7 +613,7 @@ option ::= /* empty */
 .br
 
 
-volume ::=  
+volume ::=   
 .br
| vg   
 .br
@@ -733,6 +733,13 @@ filesystem ::= -
/* mkfs.xxx must exist */
 .br
 
+luks_options ::= (lukscreateoptions=".*")
+.br
+ /* options to supply to cryptsetup when creating a LUKS
+  * encrypted filesystem. If no ciper (-c) is specified, then
+  * aes-cbc-essiv:sha2 is used. If no key size (-s) is
+   
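Review bot: the man page and the parser disagree on the keyword: this hunk documents `lukscreateoptions=".*"` while Parser.pm accepts `/lukscreateopts="([^"]*)"/` and the changelog entry says lukscreateopts, so a user following the documentation gets a parse error; change the man page to `lukscreateopts`. Two smaller fixes in the comment: "ciper" should read "cipher", and the stated default "aes-cbc-essiv:sha2" should match the `-c aes-cbc-essiv:sha256` that Commands.pm actually appends. Finally, the comment breaks off after "If no key size (-s) is" in this copy of the patch; please confirm the full sentence (including the `-s 256` default) made it into the committed file.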

Re: Customise settings for cryptsetup

2016-09-22 Discussion threads Andrew Ruthven
On Thu, 2016-09-22 at 00:48 +0200, Thomas Lange wrote:
> > On Thu, 22 Sep 2016 10:39:57 +1200, Andrew Ruthven said:
> 
> > I have a requirement to change some of the settings that are
> > passed to cryptsetup. I could add in a createopts similar to the various
> > other options that'd allow changing the cipher and size (and whatever
> > else). Would this be of interest?
> Sure. I plan to release FAI 5.2 in one week, so if you like to get
> this included, send a patch soon.

Great, I have a patch that looks legit. I'll test it on some real
hardware tomorrow.

Cheers,
Andrew

-- 
Andrew Ruthven, Wellington, New Zealand
and...@etc.gen.nz | linux.conf.au 2017, Hobart, AU 
  New Zealand's only Cloud:   |   The Future of Open Source
https://catalyst.net.nz/cloud |     http://linux.conf.au


Re: Customise settings for cryptsetup

2016-09-21 Discussion threads Paul Schulz
+1

On Thu, 22 Sep 2016, 08:10 Andrew Ruthven  wrote:

> Hey,
>
> I have a requirement to change some of the settings that are passed to
> cryptsetup. I could add in a createopts similar to the various other
> options that'd allow changing the cipher and size (and whatever else).
> Would this be of interest?
>
> Cheers,
> Andrew
> --
> Andrew Ruthven, Wellington, New Zealand
> and...@etc.gen.nz | linux.conf.au 2017, Hobart, AU
>   New Zealand's only Cloud:   |   The Future of Open Source
> https://catalyst.net.nz/cloud | http://linux.conf.au