I verified this is functional in xenial with the test case as described in the SRU
template.
$ dpkg-query --show overlayroot
overlayroot 0.27ubuntu1.3
** Description changed:
=== Begin SRU Template ===
[Impact]
Using overlay to put overlay data onto an encrypted volume with a randomly
generated password does not function as documented.
[Test Case]
The following should work, but currently does not.
Note, to test the fix, between step 1 and 2, you'll need to enable
proposed and install overlayroot.
1. Start an instance of a cloud image with 2 disks.
- One disk is the root disk, one disk is the target.
- This can be done locally with qemu or within openstack or any other cloud.
+ One disk is the root disk, one disk is the target.
+ This can be done locally with qemu or within openstack or any other cloud.
2. configure overlayroot to write to target disk, reboot
- $ target=/dev/vdb
- $ echo "overlayroot=crypt:dev=$target" | sudo tee
/etc/overlayroot.local.conf
- $ sudo reboot
+ # remove the entry in /etc/fstab for the device we're using
+ $ sudo sed -i.dist '/comment=cloudconfig/d' /etc/fstab
+
+ $ target=/dev/vdb
+ $ echo "overlayroot=crypt:dev=$target" | sudo tee
/etc/overlayroot.local.conf
+ $ sudo reboot
3. log back in and look around
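Review bot: the added line '$ sudo sed -i.dist '/comment=cloudconfig/d' /etc/fstab' deletes every fstab entry that carries comment=cloudconfig, not only the one for the target disk, so the comment above it ("remove the entry in /etc/fstab for the device we're using") understates what the step does; either say that all cloud-config mounts are dropped, or match on the device instead, e.g. sudo sed -i.dist "\,^$target[[:space:]],d" /etc/fstab, in which case the target=/dev/vdb assignment has to move above the sed rather than below it as it is now. Also, the 'echo "overlayroot=crypt:dev=$target" | sudo tee' command and its argument /etc/overlayroot.local.conf have been wrapped onto two lines by the mailer; anyone pasting the step needs them as one line.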
- a.) check that 'overlayroot' is in /proc/mounts
- $ awk '$1 == "overlayroot" { print $0 }' /proc/mounts
- overlayroot / overlay
rw,relatime,lowerdir=/media/root-ro,upperdir=/media/root-rw/overlay,workdir=/media/root-rw/overlay-workdir/_
0 0
+ a.) check that 'overlayroot' is in /proc/mounts
+ $ awk '$1 == "overlayroot" { print $0 }' /proc/mounts
+ overlayroot / overlay
rw,relatime,lowerdir=/media/root-ro,upperdir=/media/root-rw/overlay,workdir=/media/root-rw/overlay-workdir/_
0 0
- b.) check that the upperdir listed (/media/root-rw) is encrypted
- $ df -h /media/root-rw/
- Filesystem Size Used Avail Use% Mounted on
- /dev/mapper/secure 40G 50M 38G 1% /media/root-rw
+ b.) check that the upperdir listed (/media/root-rw) is encrypted
+ $ df -h /media/root-rw/
+ Filesystem Size Used Avail Use% Mounted on
+ /dev/mapper/secure 40G 50M 38G 1% /media/root-rw
- c.) check /run/initramfs/overlayroot.log
- $ grep success /run/initramfs/overlayroot.log
- [success]: configured root with 'crypt:dev=/dev/vdb' using overlay per
/dev/vda1/etc/overlayroot.local.conf
- d.) show password file.
- $ pf=$(echo /run/initramfs/overlayroot.??????);
- $ for f in $pf; do ls -l $f; sudo cat $f; done
- -rw------- 1 root root 128 Nov 29 20:22
/run/initramfs/overlayroot.4bHuqg
- 8c420e20a49254.<snip>.659eb663e
+ c.) check /run/initramfs/overlayroot.log
+ $ grep success /run/initramfs/overlayroot.log
+ [success]: configured root with 'crypt:dev=/dev/vdb' using overlay per
/dev/vda1/etc/overlayroot.local.conf
+ d.) show password file.
+ $ pf=$(echo /run/initramfs/overlayroot.??????);
+ $ for f in $pf; do ls -l $f; sudo cat $f; done
+ -rw------- 1 root root 128 Nov 29 20:22
/run/initramfs/overlayroot.4bHuqg
+ 8c420e20a49254.<snip>.659eb663e
[Regression Potential]
The most likely path for failure on this I would think is related to setting
of PERSIST_DIR. If PERSIST_DIR was not set correctly, then the logging
would likely fail and the password file would not be created.
That should be caught and logged with:
- log_fail "failed creation of password file";
+ log_fail "failed creation of password file";
[Other Info]
The full overlayroot/init-bottom/overlayroot can be seen at [1]. The
specific change that fixed the issue is in revision 126 at [2]
[1]
http://bazaar.launchpad.net/~cloud-initramfs-tools/cloud-initramfs-tools/trunk/view/head:/overlayroot/scripts/init-bottom/overlayroot
[2]
http://bazaar.launchpad.net/~cloud-initramfs-tools/cloud-initramfs-tools/trunk/revision/126
=== End SRU Template ===
-
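Review bot: step 3b's df output proves only that /media/root-rw sits on a device-mapper node (/dev/mapper/secure); an LVM logical volume would look the same, and the point of the test is that the upper layer is encrypted, so add a line that checks the mapping type, e.g. 'sudo cryptsetup status secure' (or 'sudo dmsetup table secure', whose target type must be crypt). In step 3d, 'sudo cat $f' prints the generated passphrase to the terminal; the ls -l output already shows the mode, owner and 128-byte size, which is what the verification needs, so the cat can be dropped instead of snipping the secret by hand in the pasted output.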
For the life of me I cannot get the parameter crypt:dev=/dev/vdb to work
in /etc/overlayroot.conf.
I have tried the line
overlayroot=crypt:dev=/dev/vdb,pass=somepass,mkfs=0
That works when I create the LUKS device ahead of time and set the
passphrase 'somepass'. But when I try
overlayroot=crypt:dev=/dev/vdb,mkfs=1
or just
overlayroot=crypt:dev=/dev/vdb
I get no overlay after reboot. I have also tried the "debug=1" parameter
and I'm not getting any debug output either. Where are the logs and/or
where should I be able to see the debug output?
As Dustin has so eloquently documented, it defeats the privacy of your
encryption if you have to specify the passphrase in clear text in your
unencrypted read-only directory. So the only way I will be using this is
if I can use the simple "overlayroot=crypt:dev=/dev/vdb" one-liner and
have the passphrase generated automatically on boot.
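A scripted form of the step-3 checks from the SRU test case, added here as an example; it is not code from the bug report or from the cloud-initramfs-tools package. It assumes the layout shown in the template (overlay mounted on /, upper layer under /media/root-rw, log and passphrase file under /run/initramfs) and reads each file from an argument, so the same logic can be run against saved copies of /proc/mounts and the initramfs log as well as on the rebooted instance:

```shell
#!/bin/sh
# Added example (not from the bug report or the cloud-initramfs-tools
# package): the step-3 checks of the SRU test case as shell functions.
# Each function reads from a path given as an argument, defaulting to the
# live location on the rebooted instance.

# 3a: print the overlay mount line for / and fail unless exactly one exists.
overlayroot_mount_line() {
    awk '$1 == "overlayroot" && $2 == "/" && $3 == "overlay" { print; n++ }
         END { if (n == 1) exit 0; exit 1 }' "${1:-/proc/mounts}"
}

# The upperdir= option of that mount (mount options are field 4).
overlayroot_upperdir() {
    line=$(overlayroot_mount_line "${1:-/proc/mounts}") || return 1
    printf '%s\n' "$line" | awk '{
        n = split($4, opt, ",")
        for (i = 1; i <= n; i++)
            if (sub(/^upperdir=/, "", opt[i])) { print opt[i]; exit }
    }'
}

# 3b: the device backing PATH, taken from the mounts table (the mount point
# that is the longest prefix of PATH) instead of from df, so it works on a
# saved copy as well as on the live system.
device_for_path() {
    awk -v p="$1" '
        { mp = $2
          if (mp == "/" || mp == p || index(p, mp "/") == 1)
              if (length(mp) > length(best)) { best = mp; dev = $1 } }
        END { if (dev == "") exit 1; print dev }' "${2:-/proc/mounts}"
}

# df showing /dev/mapper/<name> proves only that the filesystem sits on a
# device-mapper node (an LVM volume would also be /dev/mapper/*).  On the
# live system confirm the crypt target with "sudo cryptsetup status <name>".
is_dm_device() {
    case $1 in /dev/mapper/*) return 0 ;; *) return 1 ;; esac
}

# 3c: the [success] line from the initramfs log, or non-zero exit.
overlayroot_success_line() {
    grep '^\[success\]' "${1:-/run/initramfs/overlayroot.log}"
}

# 3d: the generated passphrase file must exist, be owned by OWNER (root on
# the live system), have mode 0600 and be non-empty.  Prints "ok" or the
# first failing property; the passphrase itself is never printed.
check_passfile() {
    f=$1; owner=${2:-root}
    [ -f "$f" ] || { echo "missing"; return 1; }
    mode=$(stat -c '%a' "$f")
    [ "$mode" = "600" ] || { echo "mode $mode"; return 1; }
    have=$(stat -c '%U' "$f")
    [ "$have" = "$owner" ] || { echo "owner $have"; return 1; }
    [ -s "$f" ] || { echo "empty"; return 1; }
    echo ok
}

# Run everything against the live paths; exit status is 0 only if all pass.
overlayroot_verify() {
    upper=$(overlayroot_upperdir) || { echo "no overlayroot mount on /"; return 1; }
    dev=$(device_for_path "$upper") || { echo "no mount holds $upper"; return 1; }
    is_dm_device "$dev" || { echo "$upper is on $dev, not a dm device"; return 1; }
    overlayroot_success_line || { echo "no [success] line in overlayroot.log"; return 1; }
    for f in /run/initramfs/overlayroot.??????; do
        r=$(check_passfile "$f") && echo "$f: $r" || { echo "$f: $r"; return 1; }
    done
}
```

Source the file on the rebooted instance and run overlayroot_verify; it follows the order of steps 3a to 3d and stops at the first failing check. The is_dm_device check is exactly as strong as the df line in the template, i.e. it confirms device-mapper, not encryption; cryptsetup status on the mapping name is the confirmation that the target is a crypt one.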
** Tags removed: verification-needed
** Tags added: verification-done-xenial
https://bugs.launchpad.net/bugs/1634310
Title:
crypt:dev=/dev/vdb parameter does not work with randomly generated
passphrase
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs