Diffstat (limited to 'debian/tests/cryptroot-nested.d')
-rw-r--r--debian/tests/cryptroot-nested.d/bottom17
-rw-r--r--debian/tests/cryptroot-nested.d/config7
-rwxr-xr-xdebian/tests/cryptroot-nested.d/mock44
-rw-r--r--debian/tests/cryptroot-nested.d/preinst21
-rw-r--r--debian/tests/cryptroot-nested.d/setup107
5 files changed, 196 insertions, 0 deletions
diff --git a/debian/tests/cryptroot-nested.d/bottom b/debian/tests/cryptroot-nested.d/bottom
new file mode 100644
index 0000000..9c2e07a
--- /dev/null
+++ b/debian/tests/cryptroot-nested.d/bottom
@@ -0,0 +1,17 @@
+umount "$ROOT/boot"
+umount "$ROOT/home"
+umount "$ROOT/usr"
+umount "$ROOT/var"
+umount "$ROOT"
+
+swapoff /dev/mapper/testvg-lv0_crypt
+cryptsetup close "testvg-lv0_crypt"
+cryptsetup close "vdd_crypt"
+
+cryptsetup close "md0_crypt"
+mdadm --stop /dev/md0
+
+cryptsetup close "testvg-lv1_crypt"
+lvm vgchange -an "testvg"
+
+# vim: set filetype=sh :
diff --git a/debian/tests/cryptroot-nested.d/config b/debian/tests/cryptroot-nested.d/config
new file mode 100644
index 0000000..995200c
--- /dev/null
+++ b/debian/tests/cryptroot-nested.d/config
@@ -0,0 +1,7 @@
+PKGS_EXTRA+=( btrfs-progs lvm2 mdadm )
+PKGS_EXTRA+=( cryptsetup-initramfs )
+
+# /dev/mapper/testvg-lv1_crypt and /dev/vdc are both 1G and used in RAID1 mode
+DRIVE_SIZES=( "1G" "264M" "1G" "512M" )
+
+# vim: set filetype=bash :
diff --git a/debian/tests/cryptroot-nested.d/mock b/debian/tests/cryptroot-nested.d/mock
new file mode 100755
index 0000000..cccb35f
--- /dev/null
+++ b/debian/tests/cryptroot-nested.d/mock
@@ -0,0 +1,44 @@
+#!/usr/bin/perl -T
+
+BEGIN {
+ require "./debian/tests/utils/mock.pm";
+ CryptrootTest::Mock::->import();
+}
+
+my %passphrases;
+$passphrases{$_} = $_ foreach qw/testvg-lv0_crypt testvg-lv1_crypt md0_crypt vdd_crypt/;
+unlock_disk(\%passphrases) for 1 .. scalar(%passphrases);
+
+# check that the above was done at initramfs stage
+expect($SERIAL => qr#\bRunning /scripts/init-bottom\s*\.\.\. #);
+
+login("root");
+
+# make sure the root FS and swap are help by dm-crypt devices
+shell(q{cryptsetup luksOpen --test-passphrase /dev/md0 <<<md0_crypt}, rv => 0);
+shell(q{cryptsetup luksOpen --test-passphrase /dev/vdd <<<vdd_crypt}, rv => 0);
+shell(q{cryptsetup luksOpen --test-passphrase /dev/testvg/lv1 <<<testvg-lv1_crypt}, rv => 0);
+
+my $out = shell(q{lsblk -in -oNAME,TYPE,MOUNTPOINT /dev/vda3});
+die unless $out =~ m#^[`|]-testvg-lv0\s+lvm\s*$#m;
+die unless $out =~ m#^[| ] `-testvg-lv0_crypt\s+crypt\s+\[SWAP\]\s*$#m;
+die unless $out =~ m#^[`|]-testvg-lv1\s+lvm\s*$#m;
+die unless $out =~ m#^[| ] `-testvg-lv1_crypt\s+crypt\s*$#m;
+die unless $out =~ m#^[| ] `-md0\s+raid1\s*$#m;
+die unless $out =~ m#^[| ] `-md0_crypt\s+crypt(?:\s+/(?:home|usr|var)?)?\s*$#m;
+
+$out = shell(q{lsblk -in -oNAME,TYPE,MOUNTPOINT /dev/vdb});
+die unless $out =~ m#^`-testvg-lv1\s+lvm\s*$#m;
+die unless $out =~ m#^ `-testvg-lv1_crypt\s+crypt\s*$#m;
+die unless $out =~ m#^ `-md0\s+raid1\s*$#m;
+die unless $out =~ m#^ `-md0_crypt\s+crypt(?:\s+/(?:home|usr|var)?)?\s*$#m;
+
+$out = shell(q{lsblk -in -oNAME,TYPE,MOUNTPOINT /dev/vdc});
+die unless $out =~ m#^`-md0\s+raid1\s*$#m;
+die unless $out =~ m#^ `-md0_crypt\s+crypt(?:\s+/(?:home|usr|var)?)?\s*$#m;
+
+$out = shell(q{btrfs filesystem show /});
+die unless $out =~ m#^\s*devid\s+1\s.*\s/dev/mapper/vdd_crypt\s*$#m;
+die unless $out =~ m#^\s*devid\s+2\s.*\s/dev/mapper/md0_crypt\s*$#m;
+
+QMP::quit();
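Review bot: `scalar(%passphrases)` on the `unlock_disk` loop line only evaluates to the number of keys on Perl 5.26 and later; older perls return a bucket-usage string such as "4/8", whose numeric value is the count of used buckets rather than of keys. Writing it as `unlock_disk(\%passphrases) for 1 .. scalar(keys %passphrases);` states the intent and does not depend on the interpreter version. The script runs under `-T` but shows no `use strict; use warnings;`; mock.pm's import may enable them, which is not visible in this hunk, and if it does not they should be added at the top. The comment above the `--test-passphrase` checks should read "held by" instead of "help by".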
diff --git a/debian/tests/cryptroot-nested.d/preinst b/debian/tests/cryptroot-nested.d/preinst
new file mode 100644
index 0000000..c5f576b
--- /dev/null
+++ b/debian/tests/cryptroot-nested.d/preinst
@@ -0,0 +1,21 @@
+# check both UUID= and /dev/mapper/NAME sources for testvg-*_crypt to test for regressions a la #902943
+cat >/etc/crypttab <<-EOF
+ md0_crypt UUID=$(blkid -s UUID -o value /dev/md0) none
+ vdd_crypt UUID=$(blkid -s UUID -o value /dev/vdd) none
+ testvg-lv0_crypt /dev/mapper/testvg-lv0 none plain,cipher=aes-cbc-essiv:sha256,size=256,hash=ripemd160
+ testvg-lv1_crypt UUID=$(blkid -s UUID -o value /dev/testvg/lv1) none
+EOF
+
+cat >/etc/fstab <<-EOF
+ /dev/mapper/vdd_crypt / btrfs compress=lzo,subvol=@ 0 1
+ /dev/mapper/vdd_crypt /home btrfs compress=lzo,subvol=@home 0 2
+ /dev/mapper/vdd_crypt /usr btrfs compress=lzo,subvol=@usr 0 2
+ /dev/mapper/vdd_crypt /var btrfs compress=lzo,subvol=@var 0 2
+ UUID=$(blkid -s UUID -o value /dev/vda2) /boot ext2 defaults 0 2
+ /dev/mapper/testvg-lv0_crypt none swap sw 0 0
+EOF
+
+mkdir -p /etc/initramfs-tools/conf.d
+echo "RESUME=/dev/mapper/testvg-lv0_crypt" >/etc/initramfs-tools/conf.d/resume
+
+# vim: set filetype=sh :
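Review bot: The `testvg-lv0_crypt` crypttab line carries plain-mode parameters (`cipher=aes-cbc-essiv:sha256,size=256,hash=ripemd160`) with no comment tying them to the `cryptsetup open --type=plain` call in the setup file. Plain mode has no on-disk header, so a mismatch between the two files gives no error at unlock time; the mapping just decrypts to garbage and the swap/resume device fails later in a way that is hard to trace. I would add above the first heredoc: `# plain-mode options must stay identical to 'cryptsetup open --type=plain' in ./setup (no header to detect a mismatch)`. The `$(blkid …)` substitutions are also used unchecked, so an empty result would write a bare `UUID=` source and the failure would only show up at boot.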
diff --git a/debian/tests/cryptroot-nested.d/setup b/debian/tests/cryptroot-nested.d/setup
new file mode 100644
index 0000000..6fb6ccd
--- /dev/null
+++ b/debian/tests/cryptroot-nested.d/setup
@@ -0,0 +1,107 @@
+# Unrealistic (and frankly stupid) layout with a complex block device
+# stack involving multi-device btrfs and btrfs subvolumes, LUKS-on-MD,
+# MD-on-LUKS and LUKS-on-LVM incl. nested dm-crypt volumes:
+
+# NAME TYPE MOUNTPOINTS
+# vda disk
+# ├─vda1 part
+# ├─vda2 part /boot
+# └─vda3 part
+# ├─testvg-lv0 lvm
+# │ └─testvg-lv0_crypt crypt [SWAP]
+# └─testvg-lv1 lvm
+# └─testvg-lv1_crypt crypt
+# └─md0 raid1
+# └─md0_crypt crypt /, /home, /usr, /var
+# vdb disk
+# └─testvg-lv1 lvm
+# └─testvg-lv1_crypt crypt
+# └─md0 raid1
+# └─md0_crypt crypt /, /home, /usr, /var
+# vdc disk
+# └─md0 raid1
+# └─md0_crypt crypt /, /home, /usr, /var
+# vdd disk
+# └─vdd_crypt crypt /, /home, /usr, /var
+
+sfdisk --append /dev/vda <<-EOF
+ unit: sectors
+
+ start=$((64*1024*2)), size=$((128*1024*2)), type=${GUID_TYPE_Linux_FS}
+ start=$(((64+128)*1024*2)), type=${GUID_TYPE_LUKS}
+EOF
+udevadm settle
+
+lvm pvcreate /dev/vda3
+lvm pvcreate /dev/vdb
+lvm vgcreate "testvg" /dev/vda3 /dev/vdb
+lvm lvcreate -Zn --size 64m --name "lv0" "testvg"
+lvm lvcreate -Zn --size 1024m --name "lv1" "testvg"
+lvm vgchange -ay "testvg"
+lvm vgmknodes
+udevadm settle
+
+echo -n "testvg-lv0_crypt" >/keyfile
+cryptsetup open --batch-mode \
+ --type=plain \
+ --cipher="aes-cbc-essiv:sha256" \
+ --key-size=256 \
+ --hash="ripemd160" \
+ -- "/dev/testvg/lv0" "testvg-lv0_crypt" </keyfile
+udevadm settle
+
+echo -n "testvg-lv1_crypt" >/keyfile
+cryptsetup luksFormat --batch-mode \
+ --key-file=/keyfile \
+ --type=luks1 \
+ --pbkdf-force-iterations=1000 \
+ -- "/dev/testvg/lv1"
+cryptsetup luksOpen --key-file=/keyfile --allow-discards \
+ -- "/dev/testvg/lv1" "testvg-lv1_crypt"
+udevadm settle
+
+mdadm --create /dev/md0 --metadata=default --level=1 --raid-devices=2 \
+ /dev/mapper/testvg-lv1_crypt /dev/vdc
+udevadm settle
+
+for d in md0 vdd; do
+ echo -n "${d}_crypt" >/keyfile
+ cryptsetup luksFormat --batch-mode \
+ --key-file=/keyfile \
+ --type=luks2 \
+ --pbkdf=argon2id \
+ --pbkdf-force-iterations=4 \
+ --pbkdf-memory=32 \
+ -- "/dev/$d"
+ cryptsetup luksOpen --key-file=/keyfile --allow-discards \
+ -- "/dev/${d}" "${d}_crypt"
+ udevadm settle
+done
+
+# create multi-device btrfs filesystem for the root FS; we list /dev/mapper/vdd_crypt
+# first since it's smaller and we want data to span across both devices
+mkfs.btrfs -d single /dev/mapper/vdd_crypt /dev/mapper/md0_crypt
+
+# create subvolumes
+mount -t btrfs -o compress=lzo,device=/dev/mapper/md0_crypt /dev/mapper/vdd_crypt "$ROOT"
+btrfs subvol create "$ROOT/@"
+btrfs subvol create "$ROOT/@usr"
+btrfs subvol create "$ROOT/@var"
+btrfs subvol create "$ROOT/@home"
+umount "$ROOT"
+
+# now mount the subvolumes
+mount -t btrfs -o compress=lzo,device=/dev/mapper/md0_crypt,subvol="@" /dev/mapper/vdd_crypt "$ROOT"
+for s in home usr var; do
+ mkdir -m0755 "$ROOT/$s"
+ mount -t btrfs -o compress=lzo,device=/dev/mapper/md0_crypt,subvol="@$s" /dev/mapper/vdd_crypt "$ROOT/$s"
+done
+
+mkdir "$ROOT/boot"
+mke2fs -Ft ext2 -m0 /dev/vda2
+mount -t ext2 /dev/vda2 "$ROOT/boot"
+
+mkswap /dev/mapper/testvg-lv0_crypt
+swapon /dev/mapper/testvg-lv0_crypt
+
+# vim: set filetype=sh :
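Review bot: The KDF settings in the `luksFormat` calls (`--pbkdf-force-iterations=1000` for the LUKS1 volume, `--pbkdf-force-iterations=4 --pbkdf-memory=32` for the argon2id volumes) are at or near the lowest cost cryptsetup accepts, and nothing in the file says this is deliberate. Presumably they are there to keep unlocking fast inside the test VM; a comment such as `# minimal KDF cost to keep the test fast; never use these values for real volumes` above each call would stop them from being copied elsewhere. The passphrases are also left in `/keyfile` after the `for d in md0 vdd` loop; an `rm -f /keyfile` once the last `luksOpen` has run would tidy that up, unless the harness discards that filesystem, which is not visible in this hunk.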