git Service of IN-Ulm e.V. Explore Help
Sign In
cbiedl
/
clevis
1
0
Fork 0
Files Pull Requests 0
Tree: f8286be5a8
Branches Tags
clevis
/
.travis
/
dracut
/
dracut-unlocker

dracut-unlocker 4.1 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166 
  1. #!/bin/bash
    2. 

  2. set -euo pipefail
    3. 

  3. 

  4. export VM=clevis
    5. 

  5. 

  6. title() {
    7. 

  7.     [ -z "${1}" ] && return 0
    8. 

  8.     printf '\n\n\n### %s\n' "${@}"
    9. 

  9.     return 0
    10. 

  10. }
    11. 

  11. 

  12. cmd() {
    13. 

  13.     [ -z "${1}" ] && return 0
    14. 

  14.     ssh "${VM}" "${@}"
    15. 

  15. }
    16. 

  16. 

  17. is_unlocked() {
    18. 

  18.     dev=${1:-}
    19. 

  19.     [ -z "${dev}" ] && echo "ERROR" && return 0
    20. 

  20.     luks_uuid="$(cmd cryptsetup luksUUID ${dev} | sed -e 's/-//'g)"
    21. 

  21.     if cmd test -b /dev/disk/by-id/dm-uuid-*"${luks_uuid}"*; then
    22. 

  22.         echo "YES"
    23. 

  23.         return 0
    24. 

  24.     fi
    25. 

  25.     echo "NO"
    26. 

  26. }
    27. 

  27. 

  28. wait_for_vm() {
    29. 

  29.     local _timeout=${1:-120}
    30. 

  30.     echo "[$(date)] Waiting up to ${_timeout} seconds for VM to respond..." >&2
    31. 

  31.     local _start _elapsed
    32. 

  32.     _start=${SECONDS}
    33. 

  33.     while /bin/true; do
    34. 

  34.         cmd ls 2>/dev/null >/dev/null && break
    35. 

  35.         _elapsed=$((SECONDS - _start))
    36. 

  36.         [ "${_elapsed}" -gt "${_timeout}" ] && echo "[$(date)] TIMEOUT reached" >&2 && return 1
    37. 

  37. 

  38.         sleep 0.1
    39. 

  39.     done
    40. 

  40.     _elapsed=$((SECONDS - _start))
    41. 

  41.     echo "[$(date)] VM is up in ${_elapsed} seconds!" >&2
    42. 

  42.     return 0
    43. 

  43. }
    44. 

  44. 

  45. setup_host() {
    46. 

  46.     ip a >&2
    47. 

  47.     free -m >&2
    48. 

  48. 

  49.     sudo systemctl restart tangd-update
    50. 

  50. }
    51. 

  51. 

  52. setup_vm() {
    53. 

  53.     CWD="$(cd "$(dirname "${BASH_SOURCE[0]}")" >/dev/null 2>&1 && pwd)"
    54. 

  54.     set -x
    55. 

  55. 

  56.     mkdir -p ~/.ssh
    57. 

  57.     chmod 700 ~/.ssh
    58. 

  58.     ssh-keygen -q -t rsa -b 4096 -N '' -f ~/.ssh/id_rsa <<<y 2>&1 >/dev/null
    59. 

  59.     rm -f ~/.ssh/known_hosts
    60. 

  60. 

  61.     cat << EOF > ~/.ssh/config
    62. 

  62. host clevis
    63. 

  63.         user root
    64. 

  64.         hostname 192.168.122.100
    65. 

  65.         StrictHostKeyChecking no
    66. 

  66.         ConnectTimeout 20
    67. 

  67.         PasswordAuthentication no
    68. 

  68.         PreferredAuthentications publickey
    69. 

  69.         GSSAPIAuthentication no
    70. 

  70. EOF
    71. 

  71. 

  72.     chmod 600 ~/.ssh/config
    73. 

  73.     PUBKEY="$(< ~/.ssh/id_rsa.pub)"
    74. 

  74. 

  75.     NAME=clevis-vm
    76. 

  76.     DATA=/data
    77. 

  77.     DISK=${DATA}/disk.qcow2
    78. 

  78. 

  79.     KS=${DATA}/ks.cfg
    80. 

  80. 

  81.     case "${DISTRO}" in
    82. 

  82.     fedora:32)
    83. 

  83.         COMPOSE=https://download.fedoraproject.org/pub/fedora/linux/releases/32/Everything/x86_64/os/
    84. 

  84.         KS_TEMPLATE=${CWD}/fedora.cfg.in
    85. 

  85.         ;;
    86. 

  86.     fedora:rawhide)
    87. 

  87.         COMPOSE=https://download.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/x86_64/os/
    88. 

  88.         KS_TEMPLATE=${CWD}/fedora.cfg.in
    89. 

  89.         ;;
    90. 

  90.     centos:8)
    91. 

  91.         COMPOSE=http://mirror.centos.org/centos/8/BaseOS/x86_64/os/
    92. 

  92.         KS_TEMPLATE=${CWD}/centos.cfg.in
    93. 

  93.         ;;
    94. 

  94.     centos:8-stream)
    95. 

  95.         COMPOSE=http://mirror.centos.org/centos/8-stream/BaseOS/x86_64/os/
    96. 

  96.         KS_TEMPLATE=${CWD}/centos.cfg.in
    97. 

  97.         ;;
    98. 

  98.     *)
    99. 

  99.         echo "Unsupported distro [${DISTRO}]" >&2
    100. 

  100.         exit 1
    101. 

  101.         ;;
    102. 

  102.     esac
    103. 

  103. 

  104.     sudo mkdir -m755 -p "${DATA}"
    105. 

  105.     pushd "${DATA}"
    106. 

  106. 

  107.     cat "${KS_TEMPLATE}" \
    108. 

  108.         | sed -e "s#@PUBKEY@#${PUBKEY}#g" \
    109. 

  109.         | sed -e "s#@COMPOSE@#${COMPOSE}#g" \
    110. 

  110.         | sed -e "s#@TRAVIS_REPO_SLUG@#${TRAVIS_REPO_SLUG}#g" \
    111. 

  111.         | sed -e "s#@TRAVIS_COMMIT@#${TRAVIS_COMMIT}#g" \
    112. 

  112.         | sudo tee ${KS}
    113. 

  113. 

  114.     sudo chown libvirt-qemu:kvm "${DATA}" -R
    115. 

  115. 

  116.     sudo virt-install --name=${NAME} --ram=2048 \
    117. 

  117.         --os-variant=generic --os-type=linux --vcpus=1 --graphics=none \
    118. 

  118.         --disk=path="${DISK}",size=7,bus=virtio,format=qcow2 \
    119. 

  119.         --location="${COMPOSE}" --initrd-inject="${KS}" \
    120. 

  120.         --extra-args="ip=dhcp ks=file:/ks.cfg inst.repo=${COMPOSE} net.ifnames=0 biosdevname=0 console=tty0 console=ttyS0,115200n8 serial" \
    121. 

  121.         --console pty,target_type=serial --noreboot
    122. 

  122. 

  123.     set +x
    124. 

  124. }
    125. 

  125. 

  126. title "host setup"
    127. 

  127. setup_host
    128. 

  128. 

  129. title "VM setup"
    130. 

  130. setup_vm
    131. 

  131. 

  132. # Start VM.
    133. 

  133. title "Start VM"
    134. 

  134. sudo virsh start "${NAME}"
    135. 

  135. 

  136. title "Verify dracut boot unlocker"
    137. 

  137. # Check if it booted properly (i.e. unlocked on boot).
    138. 

  138. if ! wait_for_vm; then
    139. 

  139.     echo "[FAIL] Unable to verify the VM booted properly" >&2
    140. 

  140.     exit 1
    141. 

  141. fi
    142. 

  142. 

  143. title "fstab"
    144. 

  144. cmd "cat /etc/fstab"
    145. 

  145. 

  146. title "crypttab"
    147. 

  147. cmd "cat /etc/crypttab"
    148. 

  148. 

  149. title "Block devices"
    150. 

  150. cmd "lsblk --fs"
    151. 

  151. 

  152. title "LUKS devices"
    153. 

  153. 

  154. # Check LUKS devices and config.
    155. 

  155. for dev in $(cmd "lsblk -p -n -s -r " \
    156. 

  156.             | awk '$6 == "crypt" { getline; print $1 }' | sort -u); do
    157. 

  157.     echo "DEVICE[${dev}] CONFIG[$(cmd clevis luks list -d ${dev})] UNLOCKED[$(is_unlocked "${dev}")]"
    158. 

  158. done
    159. 

  159. 

  160. title "clevis-luks-askpass journal"
    161. 

  161. 

  162. cmd "journalctl -xe -u clevis-luks-askpass"
    163. 

  163. 

  164. echo
    165. 

  165. echo "[PASS] Test completed successfully" >&2
    166. 

  166. exit 0
    167.