Remove luks password from argv

Pass the luks password by environment variable instead.
2024-11-21 17:11:58 +00:00 · 2024-07-26 14:07:54 -04:00 · 2024-07-26 14:07:54 -04:00 · 2df902e80e
commit 2df902e80e
parent 7a602f58b2
2 changed files with 4 additions and 3 deletions
--- a/confluent_osdeploy/ubuntu22.04/profiles/default/scripts/addcrypt
+++ b/confluent_osdeploy/ubuntu22.04/profiles/default/scripts/addcrypt
@ -1,11 +1,11 @@
 import yaml
-import sys
+import os

 ainst = {}
 with open('/autoinstall.yaml', 'r') as allin:
    ainst = yaml.safe_load(allin)

-ainst['storage']['layout']['password'] = sys.argv[1]
+ainst['storage']['layout']['password'] = os.environ['lukspass']

 with open('/autoinstall.yaml', 'w') as allout:
    yaml.safe_dump(ainst, allout)
--- a/confluent_osdeploy/ubuntu22.04/profiles/default/scripts/pre.sh
+++ b/confluent_osdeploy/ubuntu22.04/profiles/default/scripts/pre.sh
@ -42,7 +42,8 @@ fi
 sed -i s!%%INSTALLDISK%%!/dev/$(cat /tmp/installdisk)! /autoinstall.yaml
 if [ "$cryptboot" != "" ]  && [ "$cryptboot" != "none" ] && [ "$cryptboot" != "null" ]; then
    lukspass=$(head -c 66 < /dev/urandom |base64 -w0)
-    run_remote_python addcrypt "$lukspass"
+    export lukspass
+    run_remote_python addcrypt
    if ! grep 'password:' /autoinstall.yaml > /dev/null; then
        echo "****Encrypted boot requested, but the user-data does not have a hook to enable,halting install" > /dev/console
        [ -f '/tmp/autoconsdev' ] && (echo "****Encryptod boot requested, but the user-data does not have a hook to enable,halting install" >> $(cat /tmp/autoconsdev))