X-Original-To: alpine-aports@lists.alpinelinux.org Delivered-To: alpine-aports@mail.alpinelinux.org Received: from apollo.thewebhostserver.com (apollomail.thewebhostserver.com [46.23.65.248]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.alpinelinux.org (Postfix) with ESMTPS id A7C38DC00E2 for ; Fri, 27 Feb 2015 17:15:21 +0000 (UTC) Received: from [81.4.121.188] (port=51362 helo=localhost.localdomain) by apollo.thewebhostserver.com with esmtpsa (TLSv1.2:AES128-SHA256:128) (Exim 4.85) (envelope-from ) id 1YROVQ-000Ufb-Rm; Fri, 27 Feb 2015 17:15:17 +0000 From: Stuart Cardall To: alpine-aports@lists.alpinelinux.org Cc: Stuart Cardall Subject: [alpine-aports] [PATCH] main/alpine-conf: setup-disk + support for LUKS installs Date: Fri, 27 Feb 2015 17:15:07 +0000 Message-Id: <1425057307-1857-1-git-send-email-developer@it-offshore.co.uk> X-Mailer: git-send-email 2.2.2 X-AntiAbuse: This header was added to track abuse, please include it with any abuse report X-AntiAbuse: Primary Hostname - apollo.thewebhostserver.com X-AntiAbuse: Original Domain - lists.alpinelinux.org X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12] X-AntiAbuse: Sender Address Domain - it-offshore.co.uk X-Get-Message-Sender-Via: apollo.thewebhostserver.com: authenticated_id: developer@it-offshore.co.uk X-Source: X-Source-Args: X-Source-Dir: X-Mailinglist: alpine-aports Precedence: list List-Id: Alpine Development List-Unsubscribe: List-Post: List-Help: List-Subscribe: Adds support for installing Alpine to multiple LUKS partitions (& optionally set up keys for auto mounting non root partitions). Also supports installing to LVM on LUKS. Mount the LUKS devices & 'setup-disk -E $MNT' or just 'setup-disk -E' --- .../0002-setup-disk-add-luks-support.patch | 242 +++++++++++++++++++++ main/alpine-conf/APKBUILD | 12 +- 2 files changed, 250 insertions(+), 4 deletions(-) create mode 100644 main/alpine-conf/0002-setup-disk-add-luks-support.patch 
diff --git a/main/alpine-conf/0002-setup-disk-add-luks-support.patch b/main/alpine-conf/0002-setup-disk-add-luks-support.patch new file mode 100644 index 0000000..9ef2d90 --- /dev/null +++ b/main/alpine-conf/0002-setup-disk-add-luks-support.patch 
@@ -0,0 +1,242 @@ +--- alpine-conf*/setup-disk.in ++++ alpine-conf*/setup-disk.new +@@ -43,6 +43,14 @@ + case "$1" in + /dev/md*) echo "$1" && return 0;; + esac ++ # crypted devices need a device mapper in fstab not an LVM volume ++ if [ -n "$CRYPTDM" ]; then ++ if echo $1| grep "^/dev/$(find_luks_vg)/" 1> /dev/null; then ++ echo "$(convert_vg_to_mapper $1)" && return 0 ++ elif echo $1| grep "^/dev/mapper/" 1>/dev/null; then ++ echo "$1" && return 0 ++ fi ++ fi + for i in $(_blkid "$1"); do + case "$i" in + UUID=*) eval $i;; +@@ -214,6 +222,14 @@ + pvs=$(find_pvs_in_vg $vg) + fi + ++ if [ -n "$CRYPTDM" ]; then ++ initfs_features="$initfs_features cryptsetup" ++ if is_luks_pv "$CRYPTDM" && [ -z $(echo $initfs_features| grep -w "lvm") ]; then ++ initfs_features="$initfs_features lvm" ++ local vg=$(find_luks_vg) ++ pvs=$(find_pvs_in_vg $vg) ++ fi ++ fi + + bootdev=$(find_mount_dev "$mnt"/boot) + if [ -z "$bootdev" ]; then +@@ -287,6 +303,10 @@ + if has_bootopt nomodeset; then + kernel_opts="nomodeset $kernel_opts" + fi ++ if [ -n "$CRYPTDM" ]; then ++ kernel_opts="$kernel_opts cryptroot=$CRYPTROOT cryptdm=$CRYPTDM" ++ setup_crypttab ++ fi + modules="sd-mod,usb-storage,${root_fs}${raidmod}" + sed -e "s:^root=.*:root=$root:" \ + -e "s:^default_kernel_opts=.*:default_kernel_opts=\"$kernel_opts\":" \ +@@ -460,7 +480,7 @@ + local answer= + local erasedisks="$@" + if [ "$ERASE_DISKS" = "$erasedisks" ]; then +- reeturn 0 ++ return 0 + fi + echo "WARNING: The following disk(s) will be erased:" + show_disk_info $@ +@@ -506,7 +526,7 @@ + + # find the bootable partition on given disk + find_boot_partition() { +- sfdisk -d $1 | awk '/bootable/ {print $1}' ++ sfdisk -L -d $1 | awk '/bootable/ {print $1}' + } + + # find the partition(s) for LVM +@@ -659,6 +679,95 @@ + fi + } + ++find_mount_point() { ++ local device=$1 ++ awk "\$1 == \"$device\" {print \$2}" /proc/mounts | tail -n 1 ++} ++ ++find_mapper_disk() { ++ cryptsetup status $1|grep device|awk '{ print $2 }' ++} ++ 
++find_luks_vg() { ++ if is_luks_pv; then ++ pvs --noheadings /dev/mapper/$CRYPTDM |awk '{ print $2 }' ++ fi ++} ++ ++is_luks_pv() { ++ pvs --noheadings|awk '{ print $1 }'| grep -w $CRYPTDM &>/dev/null ++} ++ ++convert_vg_to_mapper() { ++ local mapper="${1##*/}" local vg=$(find_luks_vg) ++ echo "/dev/mapper/$vg-$mapper" ++} ++ ++convert_lv_to_device() { ++ local lv="${1##*/}" local vg=$(find_luks_vg) ++ if [ -n "$(find_mount_point /dev/$vg/$lv)" ]; then ++ echo "/dev/$vg/$lv" ++ elif [ -n "$(find_mount_point /dev/mapper/$vg-$lv)" ]; then ++ echo "/dev/mapper/$vg-$lv" ++ fi ++} ++ ++setup_crypttab() { ++ local keysdir=${keysdir:-$mnt/etc/luks-keys} ++ local keyfile= local answer= local i= ++ local config=$mnt/etc/conf.d/dmcrypt ++ ++ if [ -f "$mnt"/etc/crypttab ]; then ++ mv "$mnt"/etc/crypttab "$mnt"/etc/crypttab.old ++ fi ++ ++ if [ $(echo $DMLIST|wc -w) -gt 1 ]; then ++ read -p "Setup LUKS keyfiles for automatic mounting? [y/N]: " answer ++ case "$answer" in ++ y*|Y*) mkdir -p $mnt/etc/conf.d; cp ${config#$mnt} $config ++ ln -s /etc/init.d/dmcrypt $mnt/etc/runlevels/boot/dmcrypt 2>/dev/null ++ read -p "Enter directory for keys [ ${keysdir#$mnt} ]: " answer ++ until [ -d "$keysdir" ]; do ++ if [ -n "$answer" ]; then keysdir=$mnt$answer; fi ++ mkdir -p $keysdir ++ done; echo "Creating $keysdir" ++ for i in $DMLIST; do ++ if [ "$i" != "$CRYPTDM" ]; then ++ read -p "Create key for /dev/mapper/$i [y/N]? : " answer ++ case "$answer" in ++ y*|Y*) if ! cryptsetup luksDump $(find_mapper_disk $i)|grep ": DISABLED" 1>/dev/null; then ++ echo "All keyslots full: Choose slot to wipe? 
[1-7]:" ++ until [ $answer -ge 1 2>/dev/null ] && [ $answer -le 7 2>/dev/null ]; do ++ echo -en "\033[1;31m>>>\033[37m: \033[0m"; read answer ++ echo -en "\033[1A\033[K" #move the cursor & clear the line ++ done ++ cryptsetup luksKillSlot $(find_mapper_disk $i) $answer ++ fi ++ dd if=/dev/urandom of=$keysdir/$i bs=1024 count=4 ++ cryptsetup luksAddKey $(find_mapper_disk $i) $keysdir/$i ++ echo -e "\n## Settings from /sbin/setup-disk" >> $config ++ echo "target=$i" >> $config ++ echo "source=$(find_mapper_disk $i)" >> $config ++ echo "key=${keysdir#$mnt}/$i" >> $config ++ esac ++ fi ++ done ++ chmod -R 400 $keysdir;chown -R root:root $keysdir ++ esac ++ fi ++ ++ for i in $DMLIST; do ++ if [ -f "$keysdir/$i" ];then ++ keyfile="$keysdir/$i" ++ else ++ keyfile="none" ++ fi ++ # crypttab needs the UUID of the physical device ++ echo "# $i is on $(find_mapper_disk $i)" >> $mnt/etc/crypttab ++ echo "$i $(_blkid $(find_mapper_disk $i)|awk '{ print $2 }') $keyfile luks" >> $mnt/etc/crypttab ++ done ++} ++ + data_only_disk_install_lvm() { + local diskdev= + local vgname=vg0 +@@ -902,6 +1011,7 @@ + -q Exit quietly if no disks are found + -r Enable software raid1 with single disk + -s Use SWAPSIZE MB instead of autodetecting swap size (Use 0 to disable swap) ++ -E Use Encrypted LUKS devices (LVM or Standard Partitions are supported) + -v Be more verbose about what is happening + + __EOF__ +@@ -918,7 +1028,7 @@ + DISK_MODE= + USE_LVM= + # Parse args +-while getopts "hk:Lm:o:qrs:v" opt; do ++while getopts "hk:Lm:o:qrs:vE" opt; do + case $opt in + m) DISK_MODE="$OPTARG";; + k) KERNEL_FLAVOR="$OPTARG";; +@@ -928,10 +1038,67 @@ + r) USE_RAID=1;; + s) SWAP_SIZE="$OPTARG";; + v) VERBOSE=1;; ++ E) CRYPTROOT=1;; + *) usage;; + esac + done + shift $(( $OPTIND - 1)) ++ ++if [ -n "$CRYPTROOT" ]; then ++ DMLIST=$(dmsetup ls --target crypt|awk '{ print $1 }') ++ if [ -z "$DMLIST" ]; then echo "No Crypt Devices found."; exit 1; fi ++ echo -en "\033[1;4m\nSelect LUKS ROOT Device 
Mapper:\033[0m\n\n\033[1m$DMLIST\033[0m\n\n" ++ ++ until echo "$DMLIST" | grep -w "$CRYPTDM" 1>/dev/null; do ++ echo -en "\033[1;32m>>>\033[37m: \033[0m"; read CRYPTDM; ++ echo -en "\033[1A\033[K" #move the cursor & clear the line ++ done ++ ++ CRYPTROOT=$(find_mapper_disk $CRYPTDM) ++ CRYPTDISK=$(echo $CRYPTROOT | tr -d '[:digit:]') ++ ++ apk add --quiet sfdisk ++ if [ -z $(find_boot_partition) ]; then ++ echo "No Boot Device detected."; exit 1 ++ fi ++ if ! grep "$(find_boot_partition)" /proc/mounts 1>/dev/null; then ++ echo "Boot Device '$(find_boot_partition)' is not mounted."; exit 1 ++ fi ++ ++ if is_luks_pv; then ++ if [ -z "$(find_lvm_partition $CRYPTDISK)" ]; then ++ echo "$CRYPTROOT partition is not set to type 8e."; exit 1 ++ fi ++ fi ++ ++ if [ ! "$1" ]; then ++ if is_luks_pv; then ++ lvscan |awk '{ print $2,$3,$4 }' |sed "s/'//g" ++ echo -en "\nSelect root device?\n\n" # rows to columns ++ part_list=$(lvscan |awk '{ print $2 }' |sed "s:/dev/$(find_luks_vg)/::g"|tr "\n" " ") ++ until [ -n "$(find_mount_point $(convert_lv_to_device $answer))" &>/dev/null ]; do ++ if [ -n "$answer" ]; then echo -e "\033[1;31m$answer: not mounted";sleep 1;echo -en "\033[1A\033[K";fi ++ echo -en "\033[1;32m>>>\033[37m[ $part_list]: \033[0m"; read answer ++ echo -en "\033[1A\033[K" ++ done ++ SYSROOT=$(find_mount_point $(convert_lv_to_device $answer)) ++ rc-update add lvm boot ++ else ++ SYSROOT=$(find_mount_point /dev/mapper/$CRYPTDM) ++ fi ++ if [ -n "$SYSROOT" ]; then ++ set $SYSROOT ++ else ++ echo "Device '$CRYPTDM' is not mounted."; exit 1 ++ fi ++ fi ++ ++ if is_luks_pv; then ++ echo "root device = $(convert_lv_to_device $answer)" ++ fi ++ echo "cryptdm = $CRYPTDM" ++ echo "cryptroot = $CRYPTROOT mounted@: $1" ++fi + + if [ -d "$1" ]; then + # install to given mounted root diff --git a/main/alpine-conf/APKBUILD b/main/alpine-conf/APKBUILD index fad1892..9583f83 100644 --- a/main/alpine-conf/APKBUILD +++ b/main/alpine-conf/APKBUILD 
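Review bot: In `setup_crypttab` each key file is written by `dd if=/dev/urandom of=$keysdir/$i ...` and enrolled with `luksAddKey` before any permission is restricted; the trailing `chmod -R 400 $keysdir;chown -R root:root $keysdir` only runs after the whole `for i in $DMLIST` loop, so every key exists with the process umask's default mode in the meantime, and `mkdir -p $keysdir` has the same gap. Set `umask 077` at the top of the function before the `mkdir -p`, or create the directory with `mkdir -p -m 700 "$keysdir"` and write each key as `( umask 077; dd if=/dev/urandom of="$keysdir/$i" bs=1024 count=4 )`, so no window exists; note also that `chmod -R 400` on the directory itself removes its search bit, so `chmod 700 "$keysdir"; chmod 400 "$keysdir"/*` expresses the intended state. Two smaller points in the same hunk: `find_mount_point` splices `$device` into the awk program text, which should be `awk -v dev="$device" '$1 == dev {print $2}' /proc/mounts | tail -n 1`, and `CRYPTDISK=$(echo $CRYPTROOT | tr -d '[:digit:]')` mangles disk names that themselves contain digits (for example /dev/mmcblk0p1), after which `find_lvm_partition $CRYPTDISK` is asked about a device that does not exist. The one-line `local mapper="${1##*/}" local vg=$(find_luks_vg)` (and the `local keyfile= local answer= local i=` form) hands the word `local` to a single `local` command as a variable name rather than starting a second statement; split these onto separate `local` lines. The hunk is the entire new patch file, so the setup-disk.in functions its inner hunks modify begin and end outside what is shown here.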
@@ -1,7 +1,7 @@ # Maintainer: Natanael Copa pkgname=alpine-conf pkgver=3.1.0 -pkgrel=2 +pkgrel=3 pkgdesc="Alpine configuration management scripts" url=http://git.alpinelinux.org/cgit/$pkgname arch="all" @@ -10,6 +10,7 @@ depends="openrc" source="http://dev.alpinelinux.org/archive/alpine-conf/alpine-conf-$pkgver.tar.xz 0001-update-kernel-fix-typo.patch 0001-setup-disk-pass-nomodeset-boot-option.patch + 0002-setup-disk-add-luks-support.patch " _builddir="$srcdir"/$pkgname-$pkgver 
@@ -38,10 +39,13 @@ package() { md5sums="d48adaa13dbba0e4c461b39a59fb1c10 alpine-conf-3.1.0.tar.xz fe4a81cdf9d30c1f0bbcc9977e96410a 0001-update-kernel-fix-typo.patch -4b7844387da57e3ffdcd1e09c0a45fb6 0001-setup-disk-pass-nomodeset-boot-option.patch" +4b7844387da57e3ffdcd1e09c0a45fb6 0001-setup-disk-pass-nomodeset-boot-option.patch +b5f04d1ebe1f4dcbb8a520f1184d9a41 0002-setup-disk-add-luks-support.patch" sha256sums="5c5c3081fba18c0303bd29ccf8caab5d550c0a767f9b3b1e6a0644b717661122 alpine-conf-3.1.0.tar.xz cc1a2254eae01c2cde362cc7cf65d6e5ba7d53a7ced8a170b0502130af6877be 0001-update-kernel-fix-typo.patch -a5e486f41dafdca904e1d67b2bb26d871e6ec9597295e1fc21ea5d8995986570 0001-setup-disk-pass-nomodeset-boot-option.patch" +a5e486f41dafdca904e1d67b2bb26d871e6ec9597295e1fc21ea5d8995986570 0001-setup-disk-pass-nomodeset-boot-option.patch +8befff4156c1f6155ad0b59082bb60d9d418806151d7450977c01b2cbac6c2bd 0002-setup-disk-add-luks-support.patch" sha512sums="22ce9a149171cf8503937b60d36ec2b69fb95123d3e3f7776cc3c9e0f14cdc8a9a2338be8c223233652cd1456f6b55bbc71ed0deda2efb75f0e62b67a4c40088 alpine-conf-3.1.0.tar.xz 7f30c7ecb696b4fbf815802bd9d369f2d21a2b2502efdeac3af260df72195c19199fddc81702eb204746146433a23c0649bcf1b8a71c57a34971c4457f0ac33f 0001-update-kernel-fix-typo.patch -3ff38ab78bc0a07762c7c3668cf4daaa4ca2d030ef148e61de6dbb1df4589fd2c844c992f35ce64aa9cc3125d7422ba9deb727259cc68a61e7f6d6ff22de16f7 0001-setup-disk-pass-nomodeset-boot-option.patch" +3ff38ab78bc0a07762c7c3668cf4daaa4ca2d030ef148e61de6dbb1df4589fd2c844c992f35ce64aa9cc3125d7422ba9deb727259cc68a61e7f6d6ff22de16f7 0001-setup-disk-pass-nomodeset-boot-option.patch +96a7e993879a676d32d41a0c29b31803b04731f64107eb651147560aef8de9c179883d1d55eb23fad0ad4347b535c5fe94ccd2135f3b744ecddfa6f34ee22c99 0002-setup-disk-add-luks-support.patch" -- 2.2.2 --- Unsubscribe: alpine-aports+unsubscribe@lists.alpinelinux.org Help: alpine-aports+help@lists.alpinelinux.org ---