From ba5737a659be55a5e88f2cadcec867b00b8a53be Mon Sep 17 00:00:00 2001 From: Lloyd Brown Date: Fri, 4 Jun 2021 08:58:25 -0600 Subject: [PATCH 1/3] initial pass on supporting clevis-unlocked volumes --- heartbeat/crypt | 26 ++++++++++++++++++++++++-- 1 file changed, 24 insertions(+), 2 deletions(-) diff --git a/heartbeat/crypt b/heartbeat/crypt index 56db379666..ab9d686b04 100755 --- a/heartbeat/crypt +++ b/heartbeat/crypt @@ -37,12 +37,14 @@ OCF_RESKEY_crypt_dev_default="" OCF_RESKEY_key_file_default="" OCF_RESKEY_crypt_type_default="" OCF_RESKEY_force_stop_default="false" +OCF_RESKEY_use_clevis_default="false" : ${OCF_RESKEY_encrypted_dev=${OCF_RESKEY_encrypted_dev_default}} : ${OCF_RESKEY_crypt_dev=${OCF_RESKEY_crypt_dev_default}} : ${OCF_RESKEY_key_file=${OCF_RESKEY_key_file_default}} : ${OCF_RESKEY_crypt_type=${OCF_RESKEY_crypt_type_default}} : ${OCF_RESKEY_force_stop=${OCF_RESKEY_force_stop_default}} +: ${OCF_RESKEY_use_clevis=${OCF_RESKEY_use_clevis_default}} ####################################################################### @@ -122,6 +124,16 @@ will fail and the node will be fenced. + + +If LUKS volume is set up to unlock automatically using Tang/Clevis, +then set this parameter to "true". This has the side-effect of ignoring +the "key_file", "disable_locks" and "crypt_type" parameters. + +use clevis tools to unlock volume + + + @@ -153,12 +165,17 @@ crypt_dev_path="/dev/mapper/$crypt_dev" key_file="${OCF_RESKEY_key_file}" crypt_type="${OCF_RESKEY_crypt_type}" force_stop="${OCF_RESKEY_force_stop}" +use_clevis="${OCF_RESKEY_use_clevis}" crypt_validate_all() { if ! have_binary cryptsetup; then ocf_exit_reason "Please install cryptsetup(8)" return $OCF_ERR_INSTALLED fi + if ocf_is_true "$use_clevis" && ! have_binary clevis ; then + ocf_exit_reason "Please install clevis tools" + return $OCF_ERR_INSTALLED + fi if [ -z "$encrypted_dev" ]; then ocf_exit_reason "Undefined OCF_RESKEY_encrypted_dev" return $OCF_ERR_CONFIGURED 
@@ -250,8 +267,13 @@ crypt_stop_one() { crypt_start() { local rc - cryptsetup open $encrypted_dev $crypt_dev --type $crypt_type $disable_locks --key-file=$key_file - rc=$? + if ocf_is_true "$use_clevis"; then + clevis luks unlock -d $encrypted_dev -n $crypt_dev + rc=$? + else + cryptsetup open $encrypted_dev $crypt_dev --type $crypt_type $disable_locks --key-file=$key_file + rc=$? + fi if [ $rc -eq 0 ];then crypt_monitor rc=$? From 7419b629429edacd16493a3baaca2c5481467bc5 Mon Sep 17 00:00:00 2001 From: Lloyd Brown Date: Mon, 7 Jun 2021 08:40:41 -0600 Subject: [PATCH 2/3] Attempting to detect clevis automatically --- heartbeat/crypt | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/heartbeat/crypt b/heartbeat/crypt index ab9d686b04..0b184305e8 100755 --- a/heartbeat/crypt +++ b/heartbeat/crypt @@ -227,6 +227,19 @@ crypt_validate_all() { return $OCF_SUCCESS } + +detect_clevis() { + if ! have_binary clevis; then + use_clevis="false" #We can't use clevis, if we don't have it installed + elif ! ocf_is_true "$use_clevis"; then #if not already specified by user to use clevis + #Try to detect whether clevis is available + if clevis luks list -d $encrypted_dev | grep -q '^[[:digit:]]\+:'; then + use_clevis="true" #if grep finds output that matches, we have clevis, therefore use it + fi + fi +} + + get_users_pids() { ocf_log debug "running lsof to list \"$crypt_dev\" users..." ocf_run -warn 'lsof $crypt_dev_path | tail -n +2 | awk "{print $2}" | sort -u' @@ -266,7 +279,8 @@ crypt_stop_one() { # crypt_start() { local rc - + detect_clevis + if ocf_is_true "$use_clevis"; then clevis luks unlock -d $encrypted_dev -n $crypt_dev rc=$? From c35a3d14656a7c52f32126b7646f4a78f2b33dff Mon Sep 17 00:00:00 2001 
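Review bot: Both unlock commands in crypt_start pass `$encrypted_dev` and `$crypt_dev` (and `--key-file=$key_file`) unquoted, so a device or key-file path containing whitespace or glob characters is split or expanded before cryptsetup/clevis sees it; these values come straight from the resource configuration, so quote them: `clevis luks unlock -d "$encrypted_dev" -n "$crypt_dev"` and `cryptsetup open "$encrypted_dev" "$crypt_dev" --type "$crypt_type" $disable_locks --key-file="$key_file"` (`$disable_locks` stays unquoted because it is legitimately empty). The same applies to the rewritten crypt_start hunk in patch 3 of this series. The duplicated `rc=$?` in both branches can be hoisted to one assignment after `fi`. The remainder of crypt_start lies outside the hunk.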
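Review bot: detect_clevis is only invoked from crypt_start (the second hunk of this patch), after crypt_validate_all has already run with the configured use_clevis value, so validation and the actual start path can disagree: with use_clevis at its "false" default the validator still enforces the key_file requirements, and then auto-detection silently switches to the clevis path and the configured key_file is never used. This also leaves an operator no way to force key-file unlocking on a device that happens to carry a clevis binding. Consider calling `detect_clevis` at the top of crypt_validate_all (or auto-detecting only when the parameter is unset) so both agree, and quoting the device while suppressing noise from non-LUKS devices: `if clevis luks list -d "$encrypted_dev" 2>/dev/null | grep -q '^[[:digit:]]\+:'; then`.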
From: Oyvind Albrigtsen Date: Thu, 27 Feb 2025 15:00:17 +0100 Subject: [PATCH 3/3] crypt: fixes to validate-action and to avoid running as a cloned resource --- heartbeat/crypt | 67 ++++++++++++++++++++++++++----------------------- 1 file changed, 36 insertions(+), 31 deletions(-) diff --git a/heartbeat/crypt b/heartbeat/crypt index 0b184305e8..4d4d6142ba 100755 --- a/heartbeat/crypt +++ b/heartbeat/crypt @@ -88,7 +88,7 @@ The resulting block device path is /dev/mapper/name. - + Key file path containing the encryption passphrase (aka key; see cryptsetup(8)). For LUKS, the passphrase as of the key_file @@ -98,7 +98,7 @@ parameter is used to decrypt a randomly selected key when the device was created - + Encryption (device) type (e.g. "luks" or "luks2"). @@ -128,7 +128,7 @@ will fail and the node will be fenced. If LUKS volume is set up to unlock automatically using Tang/Clevis, then set this parameter to "true". This has the side-effect of ignoring -the "key_file", "disable_locks" and "crypt_type" parameters. +the "key_file" and "crypt_type" parameters. use clevis tools to unlock volume 
@@ -147,10 +147,6 @@ the "key_file", "disable_locks" and "crypt_type" parameters. END } -# Disable cryptsetup auto-recovery if cloned. -disable_locks="" -ocf_is_clone && disable_locks="--disable-locks" - crypt_usage() { cat </dev/null if [ $? -eq 0 ] && [ -z "$crypt_dev" ]; then ocf_exit_reason "Crypt device \"$crypt_dev\" name has to at least 1 character long and without path" - return $OCF_ERR_ARGS + return $OCF_ERR_CONFIGURED fi - if [ ! -r "$key_file" ]; then + if ! ocf_is_true "$use_clevis" && [ ! -r "$key_file" ]; then ocf_exit_reason "Hash key file $key_file not accessible" - return $OCF_ERR_ARGS + return $OCF_ERR_CONFIGURED + fi + if ! ocf_is_true "$use_clevis" && [ ! -r "$crypt_type" ]; then + ocf_exit_reason "crypt_type not set" + return $OCF_ERR_CONFIGURED fi if ocf_is_true "$force_stop" && ! have_binary lsof; then ocf_exit_reason "Force stop requested, please install lsof(8)" @@ -270,7 +267,7 @@ show_users() { } crypt_stop_one() { - cryptsetup close $crypt_dev $disable_locks + cryptsetup close $crypt_dev } ####################################################################### @@ -278,21 +275,22 @@ crypt_stop_one() { # Action: START an encrypted resource # crypt_start() { - local rc + local out rc detect_clevis - + if ocf_is_true "$use_clevis"; then - clevis luks unlock -d $encrypted_dev -n $crypt_dev + out=$(clevis luks unlock -d $encrypted_dev -n $crypt_dev 2>&1) rc=$? else - cryptsetup open $encrypted_dev $crypt_dev --type $crypt_type $disable_locks --key-file=$key_file + out=$(cryptsetup open $encrypted_dev $crypt_dev --type $crypt_type --key-file=$key_file 2>&1) rc=$? fi if [ $rc -eq 0 ];then crypt_monitor rc=$? else - rc=$OCF_ERR_GERNERIC + ocf_exit_reason "Failed to start encrypted device \"$crypt_dev\": $out" + return $OCF_ERR_GENERIC fi [ $rc -ne $OCF_SUCCESS ] && ocf_exit_reason "Failed to start encrypted device \"$crypt_dev\"" 
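Review bot: The new crypt_type check in crypt_validate_all tests `[ ! -r "$crypt_type" ]`, i.e. whether a file named after the type (such as "luks2") is readable, which is false for every valid value and therefore rejects any non-clevis configuration; the exit reason "crypt_type not set" shows the intended test is `if ! ocf_is_true "$use_clevis" && [ -z "$crypt_type" ]; then`. The header and opening lines of this crypt_validate_all hunk appear lost to markup stripping on this page (crypt_usage's heredoc is rendered as `cat </dev/null`), so its surrounding context is inferred. The removal of the `ocf_is_clone`/`--disable-locks` logic matches the subject line, but nothing visible here refuses a clone configuration; unless that is handled in a part of the patch not shown, an explicit `if ocf_is_clone; then ocf_exit_reason "crypt cannot run as a clone"; return $OCF_ERR_CONFIGURED; fi` in crypt_validate_all would make the intent enforceable.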
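Review bot: With the else branch now returning OCF_ERR_GENERIC directly, the trailing `[ $rc -ne $OCF_SUCCESS ] && ocf_exit_reason "Failed to start encrypted device \"$crypt_dev\""` is only reached when the unlock command succeeded but crypt_monitor did not report success, so its wording hides the actual state; something like `"Encrypted device \"$crypt_dev\" was unlocked but is not active"` would tell the operator where to look. Capturing stderr into `out` and surfacing it through ocf_exit_reason is a clear improvement; the captured text is the tool's own diagnostics, so presumably no key material reaches the log, but that is worth confirming for the clevis path. The tail of crypt_start (its `return`) is outside the hunk.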
@@ -315,7 +313,8 @@ crypt_stop() { if [ $rc -ne $OCF_NOT_RUNNING ] && ocf_is_true $force_stop; then stop_crypt_users case $? in - 2) rc=$OCF_SUCCESS;; + 2) crypt_monitor + rc=$?;; *) crypt_stop_one crypt_monitor rc=$?;; @@ -335,7 +334,7 @@ crypt_stop() { # Action: MONITOR an encrypted resource # crypt_monitor() { - cryptsetup status $crypt_dev $disable_locks >/dev/null 2>&1 + cryptsetup status $crypt_dev >/dev/null 2>&1 if [ $? -eq 0 ]; then if [ -b "$encrypted_dev" ] || [ -L $crypt_dev_path ]; then return $OCF_SUCCESS @@ -347,10 +346,10 @@ crypt_monitor() { return $OCF_NOT_RUNNING } -# Check for stange argument count. +# Check for strange argument count. if [ $# -ne 1 ]; then usage - exit $OCF_ERR_ARGS + exit $OCF_ERR_GENERIC fi case "$__OCF_ACTION" in @@ -363,7 +362,13 @@ esac # XME: remove once pacemaker is fixed and calls this action crypt_validate_all rc=$? -[ $rc -ne $OCF_SUCCESS ] && exit $rc +if [ $rc -ne $OCF_SUCCESS ]; then + if ! ocf_is_probe && [ "$__OCF_ACTION" != "stop" ]; then + exit $rc + else + $OCF_NOT_RUNNING + fi +fi case "$__OCF_ACTION" in start) crypt_start; rc=$?;;
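Review bot: In the new validation fallback at the bottom of the file, the else branch executes `$OCF_NOT_RUNNING` as a command instead of exiting with it: the shell looks for a program named after the numeric value, reports "command not found", and then falls through to the action `case`, so a probe or stop with an invalid configuration still runs crypt_monitor or crypt_stop rather than reporting not-running as intended. The line should read `exit $OCF_NOT_RUNNING`. The precedence of `! ocf_is_probe && [ "$__OCF_ACTION" != "stop" ]` is correct as written (`!` binds only to ocf_is_probe), so the branch selection itself is fine.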