From 2df902e80e2df7782f6c594c3195862d1c04ea69 Mon Sep 17 00:00:00 2001
From: Jarrod Johnson
Date: Fri, 26 Jul 2024 14:07:54 -0400
Subject: [PATCH] Remove luks password from argv

Pass the luks password by environment variable instead.
---
 .../ubuntu22.04/profiles/default/scripts/addcrypt | 4 ++--
 .../ubuntu22.04/profiles/default/scripts/pre.sh   | 3 ++-
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/confluent_osdeploy/ubuntu22.04/profiles/default/scripts/addcrypt b/confluent_osdeploy/ubuntu22.04/profiles/default/scripts/addcrypt
index 4f2ae905..750753c1 100644
--- a/confluent_osdeploy/ubuntu22.04/profiles/default/scripts/addcrypt
+++ b/confluent_osdeploy/ubuntu22.04/profiles/default/scripts/addcrypt
@@ -1,11 +1,11 @@
 import yaml
-import sys
+import os
 ainst = {}
 with open('/autoinstall.yaml', 'r') as allin:
     ainst = yaml.safe_load(allin)
-ainst['storage']['layout']['password'] = sys.argv[1]
+ainst['storage']['layout']['password'] = os.environ['lukspass']
 with open('/autoinstall.yaml', 'w') as allout:
     yaml.safe_dump(ainst, allout)
diff --git a/confluent_osdeploy/ubuntu22.04/profiles/default/scripts/pre.sh b/confluent_osdeploy/ubuntu22.04/profiles/default/scripts/pre.sh
index 77a16906..4ec3f822 100755
--- a/confluent_osdeploy/ubuntu22.04/profiles/default/scripts/pre.sh
+++ b/confluent_osdeploy/ubuntu22.04/profiles/default/scripts/pre.sh
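Review bot: The value read at `os.environ['lukspass']` stays in this interpreter's environment for the rest of its lifetime and is inherited by any child process it might start, so it should be removed as soon as it has been copied into the document: `ainst['storage']['layout']['password'] = os.environ.pop('lukspass')`. Taking the key out of argv does close the /proc/<pid>/cmdline exposure the commit targets, but the environment remains readable through /proc/<pid>/environ by the same user and by root, so the shorter its lifetime the better. The key is also now written in clear text into /autoinstall.yaml by the yaml.safe_dump call; the hunk does not show how that file is created, so its mode should be confirmed to be restricted to the installer's user. A missing variable currently surfaces as a bare KeyError; `os.environ.get('lukspass')` followed by an explicit error message would make that failure easier to read in the install log.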
@@ -42,7 +42,8 @@ fi
 sed -i s!%%INSTALLDISK%%!/dev/$(cat /tmp/installdisk)! /autoinstall.yaml
 if [ "$cryptboot" != "" ] && [ "$cryptboot" != "none" ] && [ "$cryptboot" != "null" ]; then
     lukspass=$(head -c 66 < /dev/urandom |base64 -w0)
-    run_remote_python addcrypt "$lukspass"
+    export lukspass
+    run_remote_python addcrypt
     if ! grep 'password:' /autoinstall.yaml > /dev/null; then
         echo "****Encrypted boot requested, but the user-data does not have a hook to enable,halting install" > /dev/console
         [ -f '/tmp/autoconsdev' ] && (echo "****Encryptod boot requested, but the user-data does not have a hook to enable,halting install" >> $(cat /tmp/autoconsdev))
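Review bot: `export lukspass` puts the key into the environment of every command pre.sh runs from that point on, not only `run_remote_python addcrypt`, so the grep, echo and `$(cat ...)` subshells later in this hunk, and anything after it, inherit the secret. Narrow it to the one call that needs it, `lukspass="$lukspass" run_remote_python addcrypt`, or at minimum follow the call with `unset lukspass` once the value is no longer needed in the script. Whether the prefix-assignment form reaches the python child depends on how run_remote_python is defined (a bash function does pass such a prefix to the commands it spawns, but that definition is outside this hunk), so it should be verified on a test install. The enclosing `if` block continues past the end of the hunk.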