Manage /etc/crypttab entries for encrypted volumes.

linux-system-roles · Jun 10, 2020 · 7420bfb · 7420bfb
1 parent 6a74df8
commit 7420bfb
Show file tree

Hide file tree

Showing 4 changed files with 70 additions and 0 deletions.
diff --git a/library/blivet.py b/library/blivet.py
@@ -72,6 +72,9 @@
 mounts:
  description: list of dicts describing mounts to set up
  type: list of dict
+crypts:
+ description: list of dicts describing crypttab entries to set up
+ type: list of dict
 pools:
  description: list of dicts describing the pools w/ device path for each volume
  type: list of dict
@@ -785,6 +788,20 @@ def handle_new_mount(volume, fstab):
  return mount_info
 
 
+def get_crypt_info(actions):
+ info = list()
+ for action in actions:
+ if not (action.is_format and action.format.type == 'luks'):
+ continue
+
+ info.append(dict(backing_device=action.device.path,
+ name=action.format.map_name,
+ password=action.format.key_file or '-',
+ state='present' if action.is_create else 'absent'))
+
+ return sorted(info, key=lambda e: e['state'])
+
+
 def get_required_packages(b, pools, volumes):
  packages = list()
  for pool in pools:
@@ -861,6 +878,7 @@ def run_module():
  actions=list(),
  leaves=list(),
  mounts=list(),
+ crypts=list(),
  pools=list(),
  volumes=list(),
  packages=list(),
@@ -956,6 +974,7 @@ def action_dict(action):
  activate_swaps(b, module.params['pools'], module.params['volumes'])
 
  result['mounts'] = get_mount_info(module.params['pools'], module.params['volumes'], actions, fstab)
+ result['crypts'] = get_crypt_info(actions)
  result['leaves'] = [d.path for d in b.devicetree.leaves]
  result['pools'] = module.params['pools']
  result['volumes'] = module.params['volumes']

diff --git a/tasks/main-blivet.yml b/tasks/main-blivet.yml
@@ -165,6 +165,19 @@
  daemon_reload: yes
  when: blivet_output['mounts']
 
+#
+# Manage /etc/crypttab
+#
+- name: Manage /etc/crypttab to account for changes we just made
+ crypttab:
+ name: "{{ entry.name }}"
+ backing_device: "{{ entry.backing_device }}"
+ password: "{{ entry.password }}"
+ state: "{{ entry.state }}"
+ loop: "{{ blivet_output.crypts }}"
+ loop_control:
+ loop_var: entry
+
 #
 # Update facts since we may have changed system state.
 #

diff --git a/tests/test-verify-volume-encryption.yml b/tests/test-verify-volume-encryption.yml
@@ -33,3 +33,35 @@
  that: "{{ storage_test_blkinfo.info[storage_test_volume._device].type == 'crypt' }}"
  when: _storage_test_volume_present and storage_test_volume.encryption
 
+- set_fact:
+ _storage_test_expected_crypttab_entries: "{{ (storage_test_volume.encryption and _storage_test_volume_present)|ternary(1, 0) }}"
+ _storage_test_crypttab_entries: "{{ storage_test_crypttab.stdout_lines|map('regex_search', '^' + storage_test_volume._device|basename + ' .*$')|select('string')|list }}"
+ _storage_test_expected_crypttab_key_file: "{{ storage_test_volume.encryption_key_file or '-' }}"
+
+- name: Check for /etc/crypttab entry
+ assert:
+ that: "{{ _storage_test_crypttab_entries|length == _storage_test_expected_crypttab_entries|int }}"
+ msg: "Incorrect number of crypttab entries found for volume {{ storage_test_volume.name }}"
+
+- name: Validate the format of the crypttab entry
+ assert:
+ that: "{{ _storage_test_crypttab_entries[0].split()|length >= 3 }}"
+ msg: "Incorrectly formatted crypttab line for volume {{ storage_test_volume.name }}"
+ when: _storage_test_expected_crypttab_entries|int == 1
+
+- name: Check backing device of crypttab entry
+ assert:
+ that: "{{ _storage_test_crypttab_entries[0].split()[1] == storage_test_volume._raw_device }}"
+ msg: "Incorrect backing device in crypttab entry for volume {{ storage_test_volume.name }}"
+ when: _storage_test_expected_crypttab_entries|int == 1
+
+- name: Check key file of crypttab entry
+ assert:
+ that: "{{ _storage_test_crypttab_entries[0].split()[2] == _storage_test_expected_crypttab_key_file }}"
+ msg: "Incorrect key file in crypttab entry for volume {{ storage_test_volume.name }}"
+ when: _storage_test_expected_crypttab_entries|int == 1
+
+- set_fact:
+ _storage_test_expected_crypttab_entries: null
+ _storage_test_crypttab_entries: null
+ _storage_test_expected_crypttab_key_file: null
diff --git a/tests/verify-role-results.yml b/tests/verify-role-results.yml
@@ -21,6 +21,11 @@
  register: storage_test_fstab
  changed_when: false
 
+- name: Read the /etc/crypttab file
+ command: cat /etc/crypttab
+ register: storage_test_crypttab
+ changed_when: false
+
 #
 # Verify pools and the volumes they contain.
 #
@@ -51,5 +56,6 @@
 - name: Clean up variable namespace
  set_fact:
  storage_test_fstab: null
+ storage_test_crypttab: null
  storage_test_blkinfo: null
  storage_test_volume: null