Create encrypted image and private profile data
Prepare for securing os profile with custom images
This commit is contained in:
parent
364085801a
commit
54667570bd
@ -60,11 +60,23 @@ int main(int argc, char* argv[]) {
|
||||
printf("Format: squashfs\n");
|
||||
exit(0);
|
||||
}
|
||||
if (memcmp(buffer, "\x63\x7b\x9d\x26\xb7\xfd\x48\x30\x89\xf9\x11\xcf\x18\xfd\xff\xa1", 16) != 0) {
|
||||
fprintf(stderr, "Unrecognized image format\n");
|
||||
exit(1);
|
||||
if (memcmp(buffer, "\x63\x7b\x9d\x26\xb7\xfd\x48\x30\x89\xf9\x11\xcf\x18\xfd\xff\xa1", 16) == 0) {
|
||||
printf("Format: confluent_multisquash\nminsize\tdefsize\toffset\tsize\tfstype\torigdev\tmount\n");
|
||||
fread(buffer, 1, 1, img);
|
||||
fseek(img, buffer[0], SEEK_CUR);
|
||||
while (read_part(img, imgsize));
|
||||
exit(0);
|
||||
}
|
||||
printf("Format: confluent_multisquash\nminsize\tdefsize\toffset\tsize\tfstype\torigdev\tmount\n");
|
||||
fseek(img, 31, SEEK_SET);
|
||||
while (read_part(img, imgsize));
|
||||
if (memcmp(buffer, "\xaa\xd5\x0f\x7e\x5d\xfb\x4b\x7c\xa1\x2a\xf4\x0b\x6d\x94\xf7\xfc", 16) == 0) {
|
||||
fread(buffer, 1, 1, img);
|
||||
fseek(img, buffer[0], SEEK_CUR);
|
||||
fread(buffer, 1, 1, img);
|
||||
if (buffer[0] == 0) {
|
||||
printf("Format: confluent_crypted\n");
|
||||
exit(0);
|
||||
}
|
||||
}
|
||||
fprintf(stderr, "Unrecognized image format\n");
|
||||
exit(1);
|
||||
|
||||
}
|
||||
|
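Review bot: The two new `fread(buffer, 1, 1, img)` calls — the one before each `fseek(img, buffer[0], SEEK_CUR)` and the one before the `buffer[0] == 0` test — ignore their return value, so on a truncated image buffer[0] keeps whatever the earlier header read left there and both the seek and the format decision run on stale data. Check the read before using it, e.g. `if (fread(buffer, 1, 1, img) != 1) { fprintf(stderr, "Unrecognized image format\n"); exit(1); }`. If buffer is declared as plain `char` (its declaration is outside the hunk), a length byte above 127 is sign-extended and the `fseek` moves backwards; `fseek(img, (unsigned char)buffer[0], SEEK_CUR)` avoids that. The body of main begins outside the hunk.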
@ -324,6 +324,27 @@ def handle_request(env, start_response):
|
||||
else:
|
||||
start_response('200 OK', ())
|
||||
yield ''
|
||||
elif env['PATH_INFO'].startswith('/self/profileprivate/pending/'):
|
||||
fname = env['PATH_INFO'].replace('/self/profileprivate/', '')
|
||||
deployinfo = cfg.get_node_attributes(
|
||||
nodename, ('deployment.*',))
|
||||
deployinfo = deployinfo.get(nodename, {})
|
||||
profile = deployinfo.get(
|
||||
'deployment.pendingprofile', {}).get('value', '')
|
||||
if not profile:
|
||||
start_response('400 No pending profile', ())
|
||||
yield 'No profile'
|
||||
return
|
||||
fname = '/var/lib/confluent/private/os/{}/{}'.format(profile, fname)
|
||||
try:
|
||||
with open(fname, 'rb') as privdata:
|
||||
start_response('200 OK', ())
|
||||
yield privdata.read()
|
||||
return
|
||||
except IOError:
|
||||
start_response('404 Not Found', ())
|
||||
yield 'Not found'
|
||||
return
|
||||
else:
|
||||
start_response('404 Not Found', ())
|
||||
yield 'Not found'
|
||||
|
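Review bot: The file name built at `fname = '/var/lib/confluent/private/os/{}/{}'.format(profile, fname)` is taken straight from `env['PATH_INFO']` with only the `/self/profileprivate/` prefix stripped, so a request path containing `..` segments resolves outside the pending profile's directory and the handler serves that file. Resolve the path and reject anything that does not stay under the profile directory before the `open`, as sketched below (assuming `os` is already imported in this module; its import block is outside the hunk). Note also that `str.replace` removes every occurrence of the prefix rather than only the leading one; slicing off `len('/self/profileprivate/')` is the exact operation. handle_request begins outside the hunk.
```python
        elif env['PATH_INFO'].startswith('/self/profileprivate/pending/'):
            # … unchanged: pending-profile lookup, 400 when none is set …
            basedir = os.path.realpath(
                '/var/lib/confluent/private/os/{}'.format(profile))
            fname = os.path.realpath(os.path.join(basedir, fname))
            # Serve only files that resolve inside the profile's directory.
            if not fname.startswith(basedir + os.sep):
                start_response('404 Not Found', ())
                yield 'Not found'
                return
            # … unchanged: open and stream the file, 404 on IOError …
```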
@ -212,9 +212,9 @@ def capture_system_back(args):
|
||||
pass
|
||||
i = 0
|
||||
todelete = []
|
||||
with open('/run/imgutil/capout/rootimg.sfs', 'wb') as outimg:
|
||||
with open('/run/imgutil/capout/rootimg.sfs.plain', 'wb') as outimg:
|
||||
# Signature
|
||||
outimg.write(b'\x63\x7b\x9d\x26\xb7\xfd\x48\x30\x89\xf9\x11\xcf\x18\xfd\xff\xa1CONFLUENT_IMAGE')
|
||||
outimg.write(b'\x63\x7b\x9d\x26\xb7\xfd\x48\x30\x89\xf9\x11\xcf\x18\xfd\xff\xa1\x0fCONFLUENT_IMAGE')
|
||||
for fs in get_partition_info():
|
||||
fname = '{0:03d}'.format(i) + fs['mount']
|
||||
i += 1
|
||||
@ -259,6 +259,30 @@ def capture_system_back(args):
|
||||
outimg.write(b'\x00' * pad)
|
||||
for fname in todelete:
|
||||
os.remove(fname)
|
||||
imgsize = os.stat('/run/imgutil/capout/rootimg.sfs.plain').st_size
|
||||
with open('/run/imgutil/capout/rootimg.sfs', 'wb') as outimg:
|
||||
outimg.write(b'\xaa\xd5\x0f\x7e\x5d\xfb\x4b\x7c\xa1\x2a\xf4\x0b\x6d\x94\xf7\xfc\x14CONFLUENT_CRYPTIMAGE')
|
||||
outimg.seek(imgsize + 4095)
|
||||
outimg.write(b'\x00')
|
||||
dmname = os.path.basename(tempfile.mktemp())
|
||||
key = os.urandom(32).hex()
|
||||
neededblocks = imgsize // 512
|
||||
if imgsize % 512:
|
||||
neededblocks += 1
|
||||
loopdev = subprocess.check_output(['losetup', '-f']).decode('utf8').strip()
|
||||
subprocess.check_call(['losetup', loopdev, '/run/imgutil/capout/rootimg.sfs'])
|
||||
subprocess.check_call(['dmsetup', 'create', dmname, '--table', '0 {} crypt aes-xts-plain64 {} 0 {} 4096'.format(neededblocks, key, loopdev)])
|
||||
with open('/dev/mapper/{}'.format(dmname), 'wb') as cryptout:
|
||||
with open('/run/imgutil/capout/rootimg.sfs.plain', 'rb') as plainin:
|
||||
chunk = plainin.read(65536)
|
||||
while chunk:
|
||||
cryptout.write(chunk)
|
||||
chunk = plainin.read(65536)
|
||||
os.remove('/run/imgutil/capout/rootimg.sfs.plain')
|
||||
with open('/run/imgutil/private.key', 'w') as keyout:
|
||||
keyout.write('aes-xts-plain64\n')
|
||||
keyout.write(key + '\n')
|
||||
|
||||
|
||||
|
||||
def create_yumconf(sourcedir):
|
||||
|
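Review bot: The encryption key is handed to dmsetup inside the `--table` argument, so it is visible to every local user in the process list for as long as the call runs; dmsetup reads the table from standard input when `--table` is omitted, e.g. `subprocess.run(['dmsetup', 'create', dmname], input=table.encode(), check=True)` with the same table string. The key file is then created with `open('/run/imgutil/private.key', 'w')`, which takes its mode from the umask — open it via `os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)` so the key is never readable by other users. A 32-byte key under `aes-xts-plain64` is AES-128-XTS, since XTS splits the key in two; if AES-256 is the intent, `os.urandom(64)` is needed. The dm-crypt `<offset>` field is counted in 512-byte sectors, so `4096` places the ciphertext 2 MiB into the loop device while the backing file is only imgsize + 4096 bytes; if a 4 KiB header was intended the value should presumably be `8`, worth confirming against the reader. Neither the loop device nor the mapping is torn down after the copy (`dmsetup remove`, `losetup -d`), leaving the key active in the kernel; capture_system_back begins outside this hunk.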