Diffstat (limited to '')
-rw-r--r-- | debian/tests/cryptroot-nested.d/bottom | 17 | ||||
-rw-r--r-- | debian/tests/cryptroot-nested.d/config | 7 | ||||
-rwxr-xr-x | debian/tests/cryptroot-nested.d/mock | 44 | ||||
-rw-r--r-- | debian/tests/cryptroot-nested.d/preinst | 21 | ||||
-rw-r--r-- | debian/tests/cryptroot-nested.d/setup | 107 |
5 files changed, 196 insertions, 0 deletions
diff --git a/debian/tests/cryptroot-nested.d/bottom b/debian/tests/cryptroot-nested.d/bottom
new file mode 100644
index 0000000..9c2e07a
--- /dev/null
+++ b/debian/tests/cryptroot-nested.d/bottom
@@ -0,0 +1,17 @@
+umount "$ROOT/boot"
+umount "$ROOT/home"
+umount "$ROOT/usr"
+umount "$ROOT/var"
+umount "$ROOT"
+
+swapoff /dev/mapper/testvg-lv0_crypt
+cryptsetup close "testvg-lv0_crypt"
+cryptsetup close "vdd_crypt"
+
+cryptsetup close "md0_crypt"
+mdadm --stop /dev/md0
+
+cryptsetup close "testvg-lv1_crypt"
+lvm vgchange -an "testvg"
+
+# vim: set filetype=sh :
diff --git a/debian/tests/cryptroot-nested.d/config b/debian/tests/cryptroot-nested.d/config
new file mode 100644
index 0000000..995200c
--- /dev/null
+++ b/debian/tests/cryptroot-nested.d/config
@@ -0,0 +1,7 @@
+PKGS_EXTRA+=( btrfs-progs lvm2 mdadm )
+PKGS_EXTRA+=( cryptsetup-initramfs )
+
+# /dev/mapper/testvg-lv1_crypt and /dev/vdc are both 1G and used in RAID1 mode
+DRIVE_SIZES=( "1G" "264M" "1G" "512M" )
+
+# vim: set filetype=bash :
diff --git a/debian/tests/cryptroot-nested.d/mock b/debian/tests/cryptroot-nested.d/mock
new file mode 100755
index 0000000..cccb35f
--- /dev/null
+++ b/debian/tests/cryptroot-nested.d/mock
@@ -0,0 +1,44 @@
+#!/usr/bin/perl -T
+
+BEGIN {
+ require "./debian/tests/utils/mock.pm";
+ CryptrootTest::Mock::->import();
+}
+
+my %passphrases;
+$passphrases{$_} = $_ foreach qw/testvg-lv0_crypt testvg-lv1_crypt md0_crypt vdd_crypt/;
+unlock_disk(\%passphrases) for 1 .. scalar(%passphrases);
+
+# check that the above was done at initramfs stage
+expect($SERIAL => qr#\bRunning /scripts/init-bottom\s*\.\.\. #);
+
+login("root");
+
+# make sure the root FS and swap are help by dm-crypt devices
+shell(q{cryptsetup luksOpen --test-passphrase /dev/md0 <<<md0_crypt}, rv => 0);
+shell(q{cryptsetup luksOpen --test-passphrase /dev/vdd <<<vdd_crypt}, rv => 0);
+shell(q{cryptsetup luksOpen --test-passphrase /dev/testvg/lv1 <<<testvg-lv1_crypt}, rv => 0);
+
+my $out = shell(q{lsblk -in -oNAME,TYPE,MOUNTPOINT /dev/vda3});
+die unless $out =~ m#^[`|]-testvg-lv0\s+lvm\s*$#m;
+die unless $out =~ m#^[| ] `-testvg-lv0_crypt\s+crypt\s+\[SWAP\]\s*$#m;
+die unless $out =~ m#^[`|]-testvg-lv1\s+lvm\s*$#m;
+die unless $out =~ m#^[| ] `-testvg-lv1_crypt\s+crypt\s*$#m;
+die unless $out =~ m#^[| ] `-md0\s+raid1\s*$#m;
+die unless $out =~ m#^[| ] `-md0_crypt\s+crypt(?:\s+/(?:home|usr|var)?)?\s*$#m;
+
+$out = shell(q{lsblk -in -oNAME,TYPE,MOUNTPOINT /dev/vdb});
+die unless $out =~ m#^`-testvg-lv1\s+lvm\s*$#m;
+die unless $out =~ m#^ `-testvg-lv1_crypt\s+crypt\s*$#m;
+die unless $out =~ m#^ `-md0\s+raid1\s*$#m;
+die unless $out =~ m#^ `-md0_crypt\s+crypt(?:\s+/(?:home|usr|var)?)?\s*$#m;
+
+$out = shell(q{lsblk -in -oNAME,TYPE,MOUNTPOINT /dev/vdc});
+die unless $out =~ m#^`-md0\s+raid1\s*$#m;
+die unless $out =~ m#^ `-md0_crypt\s+crypt(?:\s+/(?:home|usr|var)?)?\s*$#m;
+
+$out = shell(q{btrfs filesystem show /});
+die unless $out =~ m#^\s*devid\s+1\s.*\s/dev/mapper/vdd_crypt\s*$#m;
+die unless $out =~ m#^\s*devid\s+2\s.*\s/dev/mapper/md0_crypt\s*$#m;
+
+QMP::quit();
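Review bot: Every `die unless $out =~ m#...#m` check (the sixteen lines after the three `shell(... rv => 0)` calls) fails with only the default `Died at ... line N.` message, so a failing run shows neither the `lsblk`/`btrfs` output nor which expectation broke; carry the output along, e.g. `die "unexpected lsblk output for /dev/vda3:\n$out" unless $out =~ m#^[`|]-testvg-lv0\s+lvm\s*$#m;` and likewise for the others. On the `unlock_disk` line, `scalar(%passphrases)` is the hash's bucket-usage string on perls older than 5.26 (it numifies to the number of used buckets, which can be smaller than the number of keys when two names land in one bucket), so the number of unlock prompts may come out short on such a perl; `scalar(keys %passphrases)` is the unambiguous form. The comment before the `--test-passphrase` checks reads `help by dm-crypt devices`; it should read `held by dm-crypt devices`.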
diff --git a/debian/tests/cryptroot-nested.d/preinst b/debian/tests/cryptroot-nested.d/preinst
new file mode 100644
index 0000000..c5f576b
--- /dev/null
+++ b/debian/tests/cryptroot-nested.d/preinst
@@ -0,0 +1,21 @@
+# check both UUID= and /dev/mapper/NAME sources for testvg-*_crypt to test for regressions a la #902943
+cat >/etc/crypttab <<-EOF
+ md0_crypt UUID=$(blkid -s UUID -o value /dev/md0) none
+ vdd_crypt UUID=$(blkid -s UUID -o value /dev/vdd) none
+ testvg-lv0_crypt /dev/mapper/testvg-lv0 none plain,cipher=aes-cbc-essiv:sha256,size=256,hash=ripemd160
+ testvg-lv1_crypt UUID=$(blkid -s UUID -o value /dev/testvg/lv1) none
+EOF
+
+cat >/etc/fstab <<-EOF
+ /dev/mapper/vdd_crypt / btrfs compress=lzo,subvol=@ 0 1
+ /dev/mapper/vdd_crypt /home btrfs compress=lzo,subvol=@home 0 2
+ /dev/mapper/vdd_crypt /usr btrfs compress=lzo,subvol=@usr 0 2
+ /dev/mapper/vdd_crypt /var btrfs compress=lzo,subvol=@var 0 2
+ UUID=$(blkid -s UUID -o value /dev/vda2) /boot ext2 defaults 0 2
+ /dev/mapper/testvg-lv0_crypt none swap sw 0 0
+EOF
+
+mkdir -p /etc/initramfs-tools/conf.d
+echo "RESUME=/dev/mapper/testvg-lv0_crypt" >/etc/initramfs-tools/conf.d/resume
+
+# vim: set filetype=sh :
diff --git a/debian/tests/cryptroot-nested.d/setup b/debian/tests/cryptroot-nested.d/setup
new file mode 100644
index 0000000..6fb6ccd
--- /dev/null
+++ b/debian/tests/cryptroot-nested.d/setup
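Review bot: The four `UUID=$(blkid -s UUID -o value ...)` substitutions inside the two heredocs are unchecked: if `blkid` fails or prints nothing, the generated `/etc/crypttab` or `/etc/fstab` line silently becomes `md0_crypt UUID= none`, and the mistake only surfaces later as an unlock prompt or boot hang in the guest (a `set -e` in the calling harness, if there is one, does not cover a substitution inside a heredoc fed to `cat`). Capturing each value first — `md0_uuid="$(blkid -s UUID -o value /dev/md0)"` followed by `[ -n "$md0_uuid" ] || { echo "no UUID for /dev/md0" >&2; exit 1; }` — and interpolating the variables into the heredocs makes the test fail fast and legibly. The same applies to the `/dev/vdd`, `/dev/testvg/lv1` and `/dev/vda2` entries.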
@@ -0,0 +1,107 @@
+# Unrealistic (and frankly stupid) layout with a complex block device
+# stack involving multi-device btrfs and btrfs subvolumes, LUKS-on-MD,
+# MD-on-LUKS and LUKS-on-LVM incl. nested dm-crypt volumes:
+
+# NAME TYPE MOUNTPOINTS
+# vda disk
+# ├─vda1 part
+# ├─vda2 part /boot
+# └─vda3 part
+# ├─testvg-lv0 lvm
+# │ └─testvg-lv0_crypt crypt [SWAP]
+# └─testvg-lv1 lvm
+# └─testvg-lv1_crypt crypt
+# └─md0 raid1
+# └─md0_crypt crypt /, /home, /usr, /var
+# vdb disk
+# └─testvg-lv1 lvm
+# └─testvg-lv1_crypt crypt
+# └─md0 raid1
+# └─md0_crypt crypt /, /home, /usr, /var
+# vdc disk
+# └─md0 raid1
+# └─md0_crypt crypt /, /home, /usr, /var
+# vdd disk
+# └─vdd_crypt crypt /, /home, /usr, /var
+
+sfdisk --append /dev/vda <<-EOF
+ unit: sectors
+
+ start=$((64*1024*2)), size=$((128*1024*2)), type=${GUID_TYPE_Linux_FS}
+ start=$(((64+128)*1024*2)), type=${GUID_TYPE_LUKS}
+EOF
+udevadm settle
+
+lvm pvcreate /dev/vda3
+lvm pvcreate /dev/vdb
+lvm vgcreate "testvg" /dev/vda3 /dev/vdb
+lvm lvcreate -Zn --size 64m --name "lv0" "testvg"
+lvm lvcreate -Zn --size 1024m --name "lv1" "testvg"
+lvm vgchange -ay "testvg"
+lvm vgmknodes
+udevadm settle
+
+echo -n "testvg-lv0_crypt" >/keyfile
+cryptsetup open --batch-mode \
+ --type=plain \
+ --cipher="aes-cbc-essiv:sha256" \
+ --key-size=256 \
+ --hash="ripemd160" \
+ -- "/dev/testvg/lv0" "testvg-lv0_crypt" </keyfile
+udevadm settle
+
+echo -n "testvg-lv1_crypt" >/keyfile
+cryptsetup luksFormat --batch-mode \
+ --key-file=/keyfile \
+ --type=luks1 \
+ --pbkdf-force-iterations=1000 \
+ -- "/dev/testvg/lv1"
+cryptsetup luksOpen --key-file=/keyfile --allow-discards \
+ -- "/dev/testvg/lv1" "testvg-lv1_crypt"
+udevadm settle
+
+mdadm --create /dev/md0 --metadata=default --level=1 --raid-devices=2 \
+ /dev/mapper/testvg-lv1_crypt /dev/vdc
+udevadm settle
+
+for d in md0 vdd; do
+ echo -n "${d}_crypt" >/keyfile
+ cryptsetup luksFormat --batch-mode \
+ --key-file=/keyfile \
+ --type=luks2 \
+ --pbkdf=argon2id \
+ --pbkdf-force-iterations=4 \
+ --pbkdf-memory=32 \
+ -- "/dev/$d"
+ cryptsetup luksOpen --key-file=/keyfile --allow-discards \
+ -- "/dev/${d}" "${d}_crypt"
+ udevadm settle
+done
+
+# create multi-device btrfs filesystem for the root FS; we list /dev/mapper/vdd_crypt
+# first since it's smaller and we want data to span across both devices
+mkfs.btrfs -d single /dev/mapper/vdd_crypt /dev/mapper/md0_crypt
+
+# create subvolumes
+mount -t btrfs -o compress=lzo,device=/dev/mapper/md0_crypt /dev/mapper/vdd_crypt "$ROOT"
+btrfs subvol create "$ROOT/@"
+btrfs subvol create "$ROOT/@usr"
+btrfs subvol create "$ROOT/@var"
+btrfs subvol create "$ROOT/@home"
+umount "$ROOT"
+
+# now mount the subvolumes
+mount -t btrfs -o compress=lzo,device=/dev/mapper/md0_crypt,subvol="@" /dev/mapper/vdd_crypt "$ROOT"
+for s in home usr var; do
+ mkdir -m0755 "$ROOT/$s"
+ mount -t btrfs -o compress=lzo,device=/dev/mapper/md0_crypt,subvol="@$s" /dev/mapper/vdd_crypt "$ROOT/$s"
+done
+
+mkdir "$ROOT/boot"
+mke2fs -Ft ext2 -m0 /dev/vda2
+mount -t ext2 /dev/vda2 "$ROOT/boot"
+
+mkswap /dev/mapper/testvg-lv0_crypt
+swapon /dev/mapper/testvg-lv0_crypt
+
+# vim: set filetype=sh :
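Review bot: `/keyfile` is rewritten with `echo -n` before each `cryptsetup` invocation and is still present once the `for d in md0 vdd` loop finishes — neither this file nor `bottom` removes it, and it is created under whatever umask the harness runs with. The contents are throwaway test passphrases, but the file is the one place key material sits outside the `cryptsetup` processes, so `(umask 077; printf '%s' "${d}_crypt" >/keyfile)` (also avoiding `echo -n`, whose behaviour is not guaranteed across `sh` implementations) plus `rm -f /keyfile` after the last `luksOpen` would keep the build environment clean, unless the harness already cleans it up somewhere not visible here. The `--pbkdf-force-iterations=4 \`/`--pbkdf-memory=32 \` pair and the `--pbkdf-force-iterations=1000 \` line for lv1 deserve a comment such as `# deliberately weak PBKDF parameters: disposable test image, keep format/unlock fast` so they are not mistaken for recommended settings.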