path: root/scripts/cryptctl
Diffstat (limited to 'scripts/cryptctl')
-rw-r--r--  scripts/cryptctl/README.md   56
-rw-r--r--  scripts/cryptctl/main.yml    70
2 files changed, 126 insertions, 0 deletions
diff --git a/scripts/cryptctl/README.md b/scripts/cryptctl/README.md
new file mode 100644
index 0000000..13322c8
--- /dev/null
+++ b/scripts/cryptctl/README.md
@@ -0,0 +1,56 @@
+# cryptctl
+
+## Intorducion
+
+The cryptctl server daemon provides a LUKS-based disk encryption. This script aims to setup an HA environment for the cryptctl-server
+
+## Prerequsits
+
+The cryptctl server needs following resources
+
+* /etc/sysconfig/cryptctl-server The configuration of the server. This will be created once the server was setup and will be only modified if the configuration will be changed like changing the administrator password. It is sufficient to copy this file to all nodes when the cluster will be created.
+* The server certificate files in the directory /etc/cryptctl/servertls/. The content of this directory will not be changed until the certifcates are valid. It is sufficient to copy these files to all nodes when the cluster will be created.
+* /var/lib/cryptctl/keydb The content of this directory must be provided on shared storage like SAN NAS or NFS server. The encryption keys will be saved here. For these directory a Filesystem resource agent will be created.
+* An IP address the cryptctl-server is listening on. An IPAddr2 resource agent will be created for this reason.
+
+## Setup
+
+### Setp cryptctl server
+As first step you have to setup the cryptctl server:
+```shell
+cryptctl init-server
+```
+
+### Create a basic cluster
+If not already done you have to setup a basic cluster with at last two nodes. It is very important that Node1 must be the server where you have confiugred the cryptctl server.
+
+```shell
+crm cluster init -i <NetDev> -A <AdminIP> -n <ClusterName> -y
+```
+
+Join the cluster from other nodes:
+```shell
+ssh <Node2>
+crm cluster join -y <Node1>
+```
+
+### Setup the resource group for the cryptctl server
+
+You can setup all needed resource agents and copy all files to all nodes whit the cryptcl crm-shell-script in one step. It is scrictly recommended to verify the setup in first step:
+
+```shell
+crm script verify cryptctl \
+ cert-path=</etc/cryptctl/servertls/certificate-name> \
+ cert-key-path=</etc/cryptctl/servertls/certificate-key-name> \
+ virtual-ip:ip=<IP-Address> \
+ filesystem:device=<Path to the device>
+```
+
+If the check was succesfull you have to setup the cluster group by running the script:
+```shell
+crm script run cryptctl \
+ cert-path=</etc/cryptctl/servertls/certificate-name> \
+ cert-key-path=</etc/cryptctl/servertls/certificate-key-name> \
+ virtual-ip:ip=<IP-Address> \
+ filesystem:device=<Path to the device>
+```
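Review bot: the key-database prerequisite (the `/var/lib/cryptctl/keydb` bullet) tells the reader to put the encryption keys on "SAN NAS or NFS server" but says nothing about restricting who can mount or read that export; since this directory holds the LUKS key material for every client, the README should state that the share must be limited to the cluster nodes (and, for NFS, root-squash and any other exposure considered) before the Filesystem resource is pointed at it. Two other documentation gaps: the setup section never mentions that `crm script run cryptctl` also disables the `cryptctl-server` systemd unit on all nodes and copies `/etc/sysconfig/cryptctl-server`, the certificate and the private key to every node (all visible in main.yml), which an operator should know before running it; and "The content of this directory will not be changed until the certifcates are valid" reads as the opposite of what is meant, presumably "as long as the certificates are valid". Finally, the text has several typos worth fixing in the same pass: "Intorducion", "Prerequsits", "Setp", "at last two nodes" (at least), "confiugred", "whit the cryptcl crm-shell-script", "scrictly", "succesfull".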
diff --git a/scripts/cryptctl/main.yml b/scripts/cryptctl/main.yml
new file mode 100644
index 0000000..eabf88c
--- /dev/null
+++ b/scripts/cryptctl/main.yml
@@ -0,0 +1,70 @@
+# Copyright (C) 2022 Peter Varkoly
+# License: GNU General Public License (GPL)
+version: 2.2
+category: System Management
+shortdesc: A utility for setting up LUKS-based disk encryption
+longdesc: |
+ Configure a resource group containing a virtual IP address,
+ a filesystem resource containing the disk encryption keys and records,
+ and a systemd instance of the cryptctl server.
+
+ Furthermore a resource group will be created to bind all resources on the same node.
+parameters:
+ - name: id
+ shortdesc: ID of the resource group
+ value: cryptctl
+ - name: cert-path
+ shortdesc: The path to the created certificate
+ required: true
+ - name: cert-key-path
+ shortdesc: The path to the created certificate key
+ required: true
+
+include:
+ - script: virtual-ip
+ shortdesc: The IP address configured here will start before the cryptctl instance.
+ required: true
+ parameters:
+ - name: id
+ value: "{{id}}-vip"
+ - script: filesystem
+ shortdesc: Filesystem resource containing the disk encryption keys and records
+ required: true
+ parameters:
+ - name: id
+ value: "{{id}}-filesystem"
+ - name: directory
+ value: "/var/lib/cryptctl/keydb"
+ - agent: systemd:cryptctl-server
+ name: cryptctl-server
+ parameters:
+ - name: id
+ value: cryptctl-server-service
+ ops: |
+ op monitor interval=10s
+
+actions:
+ - service: "cryptctl-server:disable"
+ nodes: all
+ shortdesc: "Disable cryptctl-server service on all nodes."
+ - copy: "/etc/sysconfig/cryptctl-server"
+ to: "/etc/sysconfig/cryptctl-server"
+ nodes: all
+ shortdesc: "Copy the configuration to all nodes"
+ - copy: "{{cert-path}}"
+ to: "{{cert-path}}"
+ nodes: all
+ shortdesc: "Copy the certificat file to all nodes"
+ - copy: "{{cert-key-path}}"
+ to: "{{cert-key-path}}"
+ nodes: all
+ shortdesc: "Copy the certificat key file to all nodes"
+ - include: virtual-ip
+ - include: filesystem
+ - include: cryptctl-server
+ - cib: |
+ group group-{{id}}
+ {{virtual-ip:id}}
+ {{filesystem:id}}
+ {{cryptctl-server:id}}
+
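Review bot: the `copy: "{{cert-key-path}}"` action distributes the server's TLS private key to all nodes, but nothing in the script shows the destination file mode or ownership being enforced; either document that the key must already be root-only (0600) at `cert-key-path` on the source node and verify that the copy preserves that, or add a step that tightens permissions after the copy, since a world-readable key on any node defeats the TLS protection on the key server. Two smaller points: the `cryptctl-server` include hard-codes `id: cryptctl-server-service` while the other two includes derive their ids from the group id (`"{{id}}-vip"`, `"{{id}}-filesystem"`); using `"{{id}}-server"` would keep the naming consistent and let two groups coexist. And `shortdesc: A utility for setting up LUKS-based disk encryption` describes cryptctl itself rather than this script; something like "Set up an HA resource group for the cryptctl server" matches what the `longdesc` and the `cib` action actually do. Also "certificat" in the two copy `shortdesc` strings should be "certificate".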