  1. #!/bin/bash
  2. set -euo pipefail
  3. export VM=clevis
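#######################################
# Print a section heading so the CI log is easy to scan.
# Arguments: $@ - heading text; prints nothing when $1 is empty or missing
# Outputs:   three blank lines, then "### <text>" once per argument, on stdout
# Returns:   always 0
#######################################
title() {
  # ${1:-} keeps the check safe under `set -u` when called without arguments.
  [ -z "${1:-}" ] && return 0
  printf '\n\n\n### %s\n' "$@"
  return 0
}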
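#######################################
# Run a command on the test VM over ssh.
# Globals:   VM (read) - ssh host alias of the guest
# Arguments: $@ - command and its arguments; a no-op when $1 is empty/missing
# Outputs:   whatever the remote command prints
# Returns:   the remote command's exit status (0 for the no-op case)
#######################################
cmd() {
  # ${1:-} keeps the check safe under `set -u` when called without arguments.
  [ -z "${1:-}" ] && return 0
  # ssh joins the arguments with spaces and the remote login shell re-parses
  # them, so any remote-side quoting or globbing is the caller's job.
  ssh "${VM}" "$@"
}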
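#######################################
# Report whether a LUKS device on the VM is currently open, i.e. has an
# active device-mapper mapping whose dm-uuid-* link carries its LUKS UUID.
# Arguments: $1 - LUKS block device path on the VM (e.g. /dev/vda2)
# Outputs:   "YES", "NO", or "ERROR" (missing argument, or the luksUUID
#            lookup failed / returned nothing)
# Returns:   always 0 so callers can embed the answer in a status line
#######################################
is_unlocked() {
  local dev=${1:-}
  local luks_uuid
  if [ -z "${dev}" ]; then
    echo "ERROR"
    return 0
  fi
  # Capture the UUID first (instead of piping through sed) so a failed remote
  # command is detected without relying on pipefail.
  if ! luks_uuid="$(cmd cryptsetup luksUUID "${dev}")"; then
    echo "ERROR"
    return 0
  fi
  # The dm-uuid-* link names carry the LUKS UUID without dashes. An empty UUID
  # would turn the pattern below into "dm-uuid-**" and match any mapping, so
  # treat it as an error rather than a lookup.
  luks_uuid=${luks_uuid//-/}
  if [ -z "${luks_uuid}" ]; then
    echo "ERROR"
    return 0
  fi
  # Quoted so the glob is expanded by the VM's shell, never by the local one.
  if cmd test -b "/dev/disk/by-id/dm-uuid-*${luks_uuid}*"; then
    echo "YES"
    return 0
  fi
  echo "NO"
}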
#######################################
# Poll the VM over ssh until it answers or the deadline passes.
# Arguments: $1 - timeout in seconds (default 120)
# Outputs:   progress messages on stderr
# Returns:   0 once `cmd ls` succeeds, 1 when the timeout is exceeded
#######################################
wait_for_vm() {
  local _timeout=${1:-120}
  local _start _elapsed
  echo "[$(date)] Waiting up to ${_timeout} seconds for VM to respond..." >&2
  # SECONDS is bash's wall-clock counter since shell start.
  _start=${SECONDS}
  while :; do
    if cmd ls >/dev/null 2>&1; then
      break
    fi
    _elapsed=$((SECONDS - _start))
    if [ "${_elapsed}" -gt "${_timeout}" ]; then
      echo "[$(date)] TIMEOUT reached" >&2
      return 1
    fi
    sleep 0.1
  done
  _elapsed=$((SECONDS - _start))
  echo "[$(date)] VM is up in ${_elapsed} seconds!" >&2
  return 0
}
#######################################
# Log host network/memory state and restart the host-side tangd-update unit.
# Outputs:   `ip a` and `free -m` on stderr
# Returns:   status of the systemctl restart (an earlier failure aborts the
#            script via set -e)
#######################################
setup_host() {
  {
    ip a
    free -m
  } >&2
  # Passwordless sudo is assumed throughout this harness.
  sudo systemctl restart tangd-update
}
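#######################################
# Generate an ssh key, write the ssh client config for the guest, render the
# kickstart template and install the VM with virt-install. The guest is left
# powered off (--noreboot); the caller starts it afterwards.
# Globals:   DISTRO, TRAVIS_REPO_SLUG, TRAVIS_COMMIT (read, required)
#            CWD, PUBKEY, NAME, DATA, DISK, KS, COMPOSE, KS_TEMPLATE (written;
#            NAME is read by the top-level code after this returns)
# Outputs:   traced commands (set -x) and tool output
# Returns:   0; exits 1 on an unsupported DISTRO
#######################################
setup_vm() {
  # Fail early with a readable message instead of an "unbound variable" error
  # from set -u halfway through the setup.
  : "${DISTRO:?DISTRO must be set (e.g. fedora:32)}"
  : "${TRAVIS_REPO_SLUG:?TRAVIS_REPO_SLUG must be set}"
  : "${TRAVIS_COMMIT:?TRAVIS_COMMIT must be set}"
  CWD="$(cd "$(dirname "${BASH_SOURCE[0]}")" >/dev/null 2>&1 && pwd)"
  set -x
  mkdir -p ~/.ssh
  chmod 700 ~/.ssh
  # Fresh, passphrase-less key for this run. The private key is only ever
  # written to a file, so the set -x trace does not expose it.
  ssh-keygen -q -t rsa -b 4096 -N '' -f ~/.ssh/id_rsa <<<y 2>&1 >/dev/null
  rm -f ~/.ssh/known_hosts
  # Host key checking is off because the guest is reinstalled on every run
  # (so its host key presumably changes each time) and is reached at a fixed
  # address on what looks like the default libvirt NAT network. Public-key
  # auth only; no passwords.
  cat << EOF > ~/.ssh/config
host clevis
user root
hostname 192.168.122.100
StrictHostKeyChecking no
ConnectTimeout 20
PasswordAuthentication no
PreferredAuthentications publickey
GSSAPIAuthentication no
EOF
  chmod 600 ~/.ssh/config
  # Substituted for @PUBKEY@ in the kickstart template below.
  PUBKEY="$(< ~/.ssh/id_rsa.pub)"
  NAME=clevis-vm
  DATA=/data
  DISK=${DATA}/disk.qcow2
  KS=${DATA}/ks.cfg
  case "${DISTRO}" in
    fedora:32)
      COMPOSE=https://download.fedoraproject.org/pub/fedora/linux/releases/32/Everything/x86_64/os/
      KS_TEMPLATE=${CWD}/fedora.cfg.in
      ;;
    fedora:rawhide)
      COMPOSE=https://download.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/x86_64/os/
      KS_TEMPLATE=${CWD}/fedora.cfg.in
      ;;
    centos:8)
      COMPOSE=http://mirror.centos.org/centos/8/BaseOS/x86_64/os/
      KS_TEMPLATE=${CWD}/centos.cfg.in
      ;;
    centos:8-stream)
      COMPOSE=http://mirror.centos.org/centos/8-stream/BaseOS/x86_64/os/
      KS_TEMPLATE=${CWD}/centos.cfg.in
      ;;
    *)
      echo "Unsupported distro [${DISTRO}]" >&2
      exit 1
      ;;
  esac
  sudo mkdir -m755 -p "${DATA}"
  pushd "${DATA}"
  # '#' is the sed delimiter because the URLs and repo slug contain '/'. The
  # substituted values come from the CI environment and the key generated
  # above, not from untrusted input; a '#', '&' or '\' in any of them would
  # still corrupt the rendered kickstart.
  cat "${KS_TEMPLATE}" \
    | sed -e "s#@PUBKEY@#${PUBKEY}#g" \
    | sed -e "s#@COMPOSE@#${COMPOSE}#g" \
    | sed -e "s#@TRAVIS_REPO_SLUG@#${TRAVIS_REPO_SLUG}#g" \
    | sed -e "s#@TRAVIS_COMMIT@#${TRAVIS_COMMIT}#g" \
    | sudo tee "${KS}"
  sudo chown -R libvirt-qemu:kvm "${DATA}"
  # --initrd-inject puts the rendered kickstart into the installer initrd,
  # where ks=file:/ks.cfg picks it up; --noreboot leaves the guest off after
  # the install so the boot under test is the one started by the caller.
  sudo virt-install --name="${NAME}" --ram=2048 \
    --os-variant=generic --os-type=linux --vcpus=1 --graphics=none \
    --disk=path="${DISK}",size=7,bus=virtio,format=qcow2 \
    --location="${COMPOSE}" --initrd-inject="${KS}" \
    --extra-args="ip=dhcp ks=file:/ks.cfg inst.repo=${COMPOSE} net.ifnames=0 biosdevname=0 console=tty0 console=ttyS0,115200n8 serial" \
    --console pty,target_type=serial --noreboot
  set +x
}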
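# ---- main --------------------------------------------------------------------
title "host setup"
setup_host
title "VM setup"
setup_vm
# Start VM (setup_vm installed it with --noreboot, so it is still off).
title "Start VM"
sudo virsh start "${NAME}"
title "Verify dracut boot unlocker"
# Pass criterion: the guest boots far enough for ssh to answer. With the
# encrypted volumes listed in crypttab below, that presumably only happens if
# the boot-time unlocker opened them without a passphrase prompt.
if ! wait_for_vm; then
  echo "[FAIL] Unable to verify the VM booted properly" >&2
  exit 1
fi
title "fstab"
cmd "cat /etc/fstab"
title "crypttab"
cmd "cat /etc/crypttab"
title "Block devices"
cmd "lsblk --fs"
title "LUKS devices"
# Diagnostic listing: each LUKS device, its clevis bindings and whether it is
# open. With `lsblk -s` every device is followed by what it sits on, so the
# record after a "crypt" entry should be the underlying LUKS partition.
# The list is collected up front (mapfile) rather than streamed into the loop,
# because the ssh calls inside the loop would otherwise read the stream as
# their stdin and swallow the remaining lines.
mapfile -t luks_devs < <(cmd "lsblk -p -n -s -r " \
  | awk '$6 == "crypt" { getline; print $1 }' | sort -u)
if (( ${#luks_devs[@]} == 0 )); then
  echo "[WARN] no LUKS devices found on the VM" >&2
else
  for dev in "${luks_devs[@]}"; do
    [ -n "${dev}" ] || continue
    unlocked=$(is_unlocked "${dev}")
    echo "DEVICE[${dev}] CONFIG[$(cmd clevis luks list -d "${dev}")] UNLOCKED[${unlocked}]"
    # A device that is not open is flagged on stderr but does not fail the
    # run; the boot check above remains the pass criterion.
    if [ "${unlocked}" != "YES" ]; then
      echo "[WARN] ${dev} is not unlocked (${unlocked})" >&2
    fi
  done
fi
title "clevis-luks-askpass journal"
cmd "journalctl -xe -u clevis-luks-askpass"
echo
echo "[PASS] Test completed successfully" >&2
exit 0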