2
0
mirror of https://github.com/xcat2/confluent.git synced 2024-11-28 20:39:40 +00:00

Create encrypted image and private profile data

Prepare for securing os profile witht custom images
This commit is contained in:
Jarrod Johnson 2021-07-23 16:13:24 -04:00
parent 364085801a
commit 54667570bd
3 changed files with 65 additions and 8 deletions

View File

@ -60,11 +60,23 @@ int main(int argc, char* argv[]) {
printf("Format: squashfs\n");
exit(0);
}
if (memcmp(buffer, "\x63\x7b\x9d\x26\xb7\xfd\x48\x30\x89\xf9\x11\xcf\x18\xfd\xff\xa1", 16) != 0) {
fprintf(stderr, "Unrecognized image format\n");
exit(1);
if (memcmp(buffer, "\x63\x7b\x9d\x26\xb7\xfd\x48\x30\x89\xf9\x11\xcf\x18\xfd\xff\xa1", 16) == 0) {
printf("Format: confluent_multisquash\nminsize\tdefsize\toffset\tsize\tfstype\torigdev\tmount\n");
fread(buffer, 1, 1, img);
fseek(img, buffer[0], SEEK_CUR);
while (read_part(img, imgsize));
exit(0);
}
printf("Format: confluent_multisquash\nminsize\tdefsize\toffset\tsize\tfstype\torigdev\tmount\n");
fseek(img, 31, SEEK_SET);
while (read_part(img, imgsize));
if (memcmp(buffer, "\xaa\xd5\x0f\x7e\x5d\xfb\x4b\x7c\xa1\x2a\xf4\x0b\x6d\x94\xf7\xfc", 16) == 0) {
fread(buffer, 1, 1, img);
fseek(img, buffer[0], SEEK_CUR);
fread(buffer, 1, 1, img);
if (buffer[0] == 0) {
printf("Format: confluent_crypted\n");
exit(0);
}
}
fprintf(stderr, "Unrecognized image format\n");
exit(1);
}

View File

@ -324,6 +324,27 @@ def handle_request(env, start_response):
else:
start_response('200 OK', ())
yield ''
elif env['PATH_INFO'].startswith('/self/profileprivate/pending/'):
fname = env['PATH_INFO'].replace('/self/profileprivate/', '')
deployinfo = cfg.get_node_attributes(
nodename, ('deployment.*',))
deployinfo = deployinfo.get(nodename, {})
profile = deployinfo.get(
'deployment.pendingprofile', {}).get('value', '')
if not profile:
start_response('400 No pending profile', ())
yield 'No profile'
return
fname = '/var/lib/confluent/private/os/{}/{}'.format(profile, fname)
try:
with open(fname, 'rb') as privdata:
start_response('200 OK', ())
yield privdata.read()
return
except IOError:
start_response('404 Not Found', ())
yield 'Not found'
return
else:
start_response('404 Not Found', ())
yield 'Not found'

View File

@ -212,9 +212,9 @@ def capture_system_back(args):
pass
i = 0
todelete = []
with open('/run/imgutil/capout/rootimg.sfs', 'wb') as outimg:
with open('/run/imgutil/capout/rootimg.sfs.plain', 'wb') as outimg:
# Signature
outimg.write(b'\x63\x7b\x9d\x26\xb7\xfd\x48\x30\x89\xf9\x11\xcf\x18\xfd\xff\xa1CONFLUENT_IMAGE')
outimg.write(b'\x63\x7b\x9d\x26\xb7\xfd\x48\x30\x89\xf9\x11\xcf\x18\xfd\xff\xa1\x0fCONFLUENT_IMAGE')
for fs in get_partition_info():
fname = '{0:03d}'.format(i) + fs['mount']
i += 1
@ -259,6 +259,30 @@ def capture_system_back(args):
outimg.write(b'\x00' * pad)
for fname in todelete:
os.remove(fname)
imgsize = os.stat('/run/imgutil/capout/rootimg.sfs.plain').st_size
with open('/run/imgutil/capout/rootimg.sfs', 'wb') as outimg:
outimg.write(b'\xaa\xd5\x0f\x7e\x5d\xfb\x4b\x7c\xa1\x2a\xf4\x0b\x6d\x94\xf7\xfc\x14CONFLUENT_CRYPTIMAGE')
outimg.seek(imgsize + 4095)
outimg.write(b'\x00')
dmname = os.path.basename(tempfile.mktemp())
key = os.urandom(32).hex()
neededblocks = imgsize // 512
if imgsize % 512:
neededblocks += 1
loopdev = subprocess.check_output(['losetup', '-f']).decode('utf8').strip()
subprocess.check_call(['losetup', loopdev, '/run/imgutil/capout/rootimg.sfs'])
subprocess.check_call(['dmsetup', 'create', dmname, '--table', '0 {} crypt aes-xts-plain64 {} 0 {} 4096'.format(neededblocks, key, loopdev)])
with open('/dev/mapper/{}'.format(dmname), 'wb') as cryptout:
with open('/run/imgutil/capout/rootimg.sfs.plain', 'rb') as plainin:
chunk = plainin.read(65536)
while chunk:
cryptout.write(chunk)
chunk = plainin.read(65536)
os.remove('/run/imgutil/capout/rootimg.sfs.plain')
with open('/run/imgutil/private.key', 'w') as keyout:
keyout.write('aes-xts-plain64\n')
keyout.write(key + '\n')
def create_yumconf(sourcedir):