def __init__(self,patching,logger):
self.mounts = []
disk_util = DiskUtil(patching,logger)
device_items = disk_util.get_device_items(None);
for device_item in device_items:
mount = Mount(device_item.name, device_item.type, device_item.file_system, device_item.mount_point)
self.mounts.append(mount)
def __init__(self, patching, logger):
self.mounts = []
added_mount_point_names = []
disk_util = DiskUtil(patching, logger)
# Get mount points
mount_points, fs_types = disk_util.get_mount_points(None)
# Get lsblk devices
device_items = disk_util.get_device_items(None)
lsblk_mounts = []
lsblk_mount_points = []
lsblk_fs_types = []
# List to hold mount-points returned from lsblk command but not reurned from mount command
lsblk_mounts_not_in_mount = []
for device_item in device_items:
mount = Mount(device_item.name, device_item.type,
device_item.file_system, device_item.mount_point)
lsblk_mounts.append(mount)
logger.log(
"lsblk mount point " + str(device_item.mount_point) +
" added with fs type " + str(device_item.file_system), True)
lsblk_mount_points.append(device_item.mount_point)
lsblk_fs_types.append(device_item.file_system)
# If lsblk mount is not found in "mount command" mount-list, add it to the lsblk_mounts_not_in_mount array
if ((device_item.mount_point not in mount_points) and
(device_item.mount_point not in lsblk_mounts_not_in_mount)):
lsblk_mounts_not_in_mount.append(device_item.mount_point)
# Sort lsblk_mounts_not_in_mount array in ascending order
lsblk_mounts_not_in_mount.sort()
# Add the lsblk devices in the same order as they are returned in mount command output
for mount_point, fs_type in zip(mount_points, fs_types):
if ((mount_point in lsblk_mount_points)
and (mount_point not in added_mount_point_names)):
mountObj = lsblk_mounts[lsblk_mount_points.index(mount_point)]
if (mountObj.fstype is None or mountObj.fstype == ""
or mountObj.fstype == " "):
logger.log(
"fstype empty from lsblk for mount" + str(mount_point),
True)
mountObj.fstype = fs_type
self.mounts.append(mountObj)
added_mount_point_names.append(mount_point)
# Append all the lsblk devices corresponding to lsblk_mounts_not_in_mount list mount-points
for mount_point in lsblk_mounts_not_in_mount:
if ((mount_point in lsblk_mount_points)
and (mount_point not in added_mount_point_names)):
self.mounts.append(
lsblk_mounts[lsblk_mount_points.index(mount_point)])
added_mount_point_names.append(mount_point)
added_mount_point_names.reverse()
logger.log("added_mount_point_names :" + str(added_mount_point_names),
True)
# Reverse the mounts list
self.mounts.reverse()
def __init__(self,patching,logger):
self.mounts = []
added_mount_point_names = []
disk_util = DiskUtil(patching,logger)
# Get mount points
mount_points, fs_types = disk_util.get_mount_points()
# Get lsblk devices
device_items = disk_util.get_device_items(None);
lsblk_mounts = []
lsblk_mount_points = []
lsblk_fs_types = []
# List to hold mount-points returned from lsblk command but not reurned from mount command
lsblk_mounts_not_in_mount = []
for device_item in device_items:
mount = Mount(device_item.name, device_item.type, device_item.file_system, device_item.mount_point)
lsblk_mounts.append(mount)
logger.log("lsblk mount point "+str(device_item.mount_point)+" added with fs type "+str(device_item.file_system), True)
lsblk_mount_points.append(device_item.mount_point)
lsblk_fs_types.append(device_item.file_system)
# If lsblk mount is not found in "mount command" mount-list, add it to the lsblk_mounts_not_in_mount array
if((device_item.mount_point not in mount_points) and (device_item.mount_point not in lsblk_mounts_not_in_mount)):
lsblk_mounts_not_in_mount.append(device_item.mount_point)
# Sort lsblk_mounts_not_in_mount array in ascending order
lsblk_mounts_not_in_mount.sort()
# Add the lsblk devices in the same order as they are returned in mount command output
for mount_point, fs_type in zip(mount_points, fs_types):
if((mount_point in lsblk_mount_points) and (mount_point not in added_mount_point_names)):
mountObj = lsblk_mounts[lsblk_mount_points.index(mount_point)]
if(mountObj.fstype is None or mountObj.fstype == "" or mountObj.fstype == " "):
logger.log("fstype empty from lsblk for mount" + str(mount_point), True)
mountObj.fstype = fs_type
self.mounts.append(mountObj)
added_mount_point_names.append(mount_point)
# Append all the lsblk devices corresponding to lsblk_mounts_not_in_mount list mount-points
for mount_point in lsblk_mounts_not_in_mount:
if((mount_point in lsblk_mount_points) and (mount_point not in added_mount_point_names)):
self.mounts.append(lsblk_mounts[lsblk_mount_points.index(mount_point)])
added_mount_point_names.append(mount_point)
added_mount_point_names.reverse()
logger.log("added_mount_point_names :" + str(added_mount_point_names), True)
# Reverse the mounts list
self.mounts.reverse()
class ResourceDiskUtil(object):
""" Resource Disk Encryption Utilities """
RD_KEY_FILE = CommonVariables.PassphraseFileNameKey
RD_MOUNT_POINT = '/mnt/resource'
RD_BASE_DEV_PATH = '/dev/disk/azure/resource'
RD_DEV_PATH = '/dev/disk/azure/resource-part1'
DM_PREFIX = '/dev/mapper/'
# todo: consolidate this and other key file path references
# (BekUtil.py, ExtensionParameter.py, and dracut patches)
RD_KEY_FILE = '/mnt/azure_bek_disk/LinuxPassPhraseFileName'
RD_KEY_FILE_MOUNT_POINT = '/mnt/azure_bek_disk'
RD_KEY_VOLUME_LABEL = 'BEK VOLUME'
def __init__(self, hutil, logger, distro_patcher):
self.hutil = hutil
self.logger = logger
self.executor = CommandExecutor(self.logger)
self.disk_util = DiskUtil(hutil=self.hutil,
patching=distro_patcher,
logger=self.logger,
encryption_environment=None)
self.mapper_name = str(uuid.uuid4())
self.mapper_path = self.DM_PREFIX + self.mapper_name
def is_encrypt_format_all(self):
""" return true if current encryption operation is EncryptFormatAll """
try:
public_settings_str = self.hutil._context._config[
'runtimeSettings'][0]['handlerSettings'].get('publicSettings')
if isinstance(public_settings_str, basestring):
public_settings = json.loads(public_settings_str)
else:
public_settings = public_settings_str
encryption_operation = public_settings.get(
CommonVariables.EncryptionEncryptionOperationKey)
if encryption_operation in [
CommonVariables.EnableEncryptionFormatAll
]:
return True
except:
self.logger.log("unable to identify current encryption operation")
return False
def is_luks_device(self):
""" checks if the device is set up with a luks header """
if not self.resource_disk_partition_exists():
return False
cmd = 'cryptsetup isLuks ' + self.RD_DEV_PATH
return (int)(self.executor.Execute(
cmd, suppress_logging=True)) == CommonVariables.process_success
def is_luks_device_opened(self):
""" check for presence of luks uuid to see if device was already opened """
# suppress logging to avoid log clutter if the device is not open yet
if not self.resource_disk_partition_exists():
return False
cmd = 'test -b /dev/disk/by-uuid/$(cryptsetup luksUUID ' + self.RD_DEV_PATH + ')'
return (int)(self.executor.ExecuteInBash(
cmd, suppress_logging=True)) == CommonVariables.process_success
def is_valid_key(self):
""" test if current key can be used to open current partition """
# suppress logging to avoid log clutter if the key doesn't match
if not self.resource_disk_partition_exists():
return False
cmd = 'cryptsetup luksOpen ' + self.RD_DEV_PATH + ' --test-passphrase --key-file ' + self.RD_KEY_FILE
return (int)(self.executor.Execute(
cmd, suppress_logging=True)) == CommonVariables.process_success
def resource_disk_exists(self):
""" true if the udev name for resource disk exists """
cmd = 'test -b ' + self.RD_BASE_DEV_PATH
return (int)(self.executor.Execute(
cmd, suppress_logging=True)) == CommonVariables.process_success
def resource_disk_partition_exists(self):
""" true if udev name for resource disk partition exists """
cmd = 'test -b ' + self.RD_DEV_PATH
return (int)(self.executor.Execute(
cmd, suppress_logging=True)) == CommonVariables.process_success
def format_luks(self):
""" set up resource disk crypt device layer using disk util """
if not self.resource_disk_partition_exists():
self.logger.log(
'LUKS format operation requested, but resource disk partition does not exist'
)
return False
return (int)(self.disk_util.luks_format(
passphrase_file=self.RD_KEY_FILE,
dev_path=self.RD_DEV_PATH,
header_file=None)) == CommonVariables.process_success
def encrypt(self):
""" use disk util with the appropriate device mapper """
self.mount_key_volume()
return (int)(self.disk_util.encrypt_disk(
dev_path=self.RD_DEV_PATH,
passphrase_file=self.RD_KEY_FILE,
mapper_name=self.mapper_name,
header_file=None)) == CommonVariables.process_success
def make(self):
""" make a default file system on top of the crypt layer """
make_result = self.disk_util.format_disk(
dev_path=self.mapper_path,
file_system=CommonVariables.default_file_system)
if make_result != CommonVariables.process_success:
self.logger.log(msg="Failed to make file system on ephemeral disk",
level=CommonVariables.ErrorLevel)
return False
# todo - drop DATALOSS_WARNING_README.txt file to disk
return True
def mount_key_volume(self):
""" attempt to mount the key volume and verify existence of key file"""
if not os.path.exists(self.RD_KEY_FILE):
self.disk_util.make_sure_path_exists(self.RD_KEY_FILE_MOUNT_POINT)
key_volume_device_name = os.popen('blkid -L "' +
self.RD_KEY_VOLUME_LABEL +
'"').read().strip()
self.disk_util.mount_filesystem(key_volume_device_name,
self.RD_KEY_FILE_MOUNT_POINT)
return os.path.exists(self.RD_KEY_FILE)
def mount(self):
""" mount the file system previously made on top of the crypt layer """
#ensure that resource disk mount point directory has been created
cmd = 'mkdir -p ' + self.RD_MOUNT_POINT
if self.executor.Execute(
cmd, suppress_logging=True) != CommonVariables.process_success:
self.logger.log(msg='Failed to precreate mount point directory: ' +
cmd,
level=CommonVariables.ErrorLevel)
return False
# mount to mount point directory
mount_result = self.disk_util.mount_filesystem(
dev_path=self.mapper_path,
mount_point=self.RD_MOUNT_POINT,
file_system=CommonVariables.default_file_system)
if mount_result != CommonVariables.process_success:
self.logger.log(msg="Failed to mount file system on resource disk",
level=CommonVariables.ErrorLevel)
return False
return True
def configure_waagent(self):
""" turn off waagent.conf resource disk management """
# set ResourceDisk.MountPoint to standard mount point
cmd = "sed -i.rdbak1 's|ResourceDisk.MountPoint=.*|ResourceDisk.MountPoint=" + self.RD_MOUNT_POINT + "|' /etc/waagent.conf"
# set ResourceDiskFormat=n to ensure waagent does not attempt a simultaneous format
cmd = "sed -i.rdbak2 's|ResourceDisk.Format=y|ResourceDisk.Format=n|' /etc/waagent.conf"
if self.executor.ExecuteInBash(cmd) != CommonVariables.process_success:
self.logger.log(
msg="Failed to set ResourceDiskFormat in /etc/waagent.conf",
level=CommonVariables.WarningLevel)
return False
# todo: restart waagent if necessary to ensure changes are picked up?
return True
def configure_fstab(self):
""" remove resource disk from /etc/fstab if present """
cmd = "sed -i.bak '/azure_resource-part1/d' /etc/fstab"
if self.executor.ExecuteInBash(cmd) != CommonVariables.process_success:
self.logger.log(
msg="Failed to configure resource disk entry of /etc/fstab",
level=CommonVariables.WarningLevel)
return False
return True
def unmount_resource_disk(self):
""" unmount resource disk """
# after service healing multiple unmounts of key file mount point may be required
self.disk_util.umount(self.RD_KEY_FILE_MOUNT_POINT)
self.disk_util.umount(self.RD_KEY_FILE_MOUNT_POINT)
self.disk_util.umount(self.RD_MOUNT_POINT)
self.disk_util.umount('/mnt')
def is_crypt_mounted(self):
""" return true if mount point is already on a crypt layer """
mount_items = self.disk_util.get_mount_items()
for mount_item in mount_items:
if mount_item["dest"] == self.RD_MOUNT_POINT and mount_item[
"src"].startswith(self.DM_PREFIX):
return True
return False
def get_rd_device_mapper(self):
""" retrieve current device mapper path backing the encrypted resource disk mount point """
device_items = self.disk_util.get_device_items(self.RD_DEV_PATH)
for device_item in device_items:
if device_item.type.lower() == 'crypt':
self.logger.log('Found device mapper: ' +
device_item.name.lower(),
level='Info')
return device_item.name.lower()
return None
def remove_device_mapper(self):
""" use dmsetup to remove the resource disk device mapper if it exists """
dm_name = self.get_rd_device_mapper()
if dm_name:
cmd = 'dmsetup remove ' + self.DM_PREFIX + dm_name
if self.executor.Execute(cmd) == CommonVariables.process_success:
return True
else:
self.logger.log('failed to remove ' + dm_name)
else:
self.logger.log('no resource disk device mapper found')
return False
def prepare_partition(self):
""" create partition on resource disk if missing """
if self.resource_disk_partition_exists():
return True
self.logger.log("resource disk partition does not exist", level='Info')
cmd = 'parted ' + self.RD_BASE_DEV_PATH + ' mkpart primary ext4 0% 100%'
if self.executor.ExecuteInBash(cmd) == CommonVariables.process_success:
# wait for the corresponding udev name to become available
for i in range(0, 10):
time.sleep(i)
if self.resource_disk_partition_exists():
return True
self.logger.log('unable to make resource disk partition')
return False
def clear_luks_header(self):
""" clear luks header by overwriting with 10MB of entropy """
if not self.resource_disk_partition_exists():
self.logger.log(
"resource partition does not exist, no luks header to clear")
return True
cmd = 'dd if=/dev/urandom of=' + self.RD_DEV_PATH + ' bs=512 count=20480'
return self.executor.Execute(cmd) == CommonVariables.process_success
def try_remount(self):
""" mount encrypted resource disk if not already mounted"""
if self.is_crypt_mounted():
self.logger.log("resource disk already encrypted and mounted",
level='Info')
return True
if self.resource_disk_exists() and self.resource_disk_partition_exists(
) and self.is_luks_device() and self.is_valid_key():
# store the currently associated path and name
current_mapper_name = self.get_rd_device_mapper()
if current_mapper_name:
self.mapper_name = current_mapper_name
self.mapper_path = self.DM_PREFIX + self.mapper_name
if not self.is_luks_device_opened:
# attempt to open
self.disk_util.luks_open(passphrase_file=self.RD_KEY_FILE,
dev_path=self.RD_DEV_PATH,
mapper_name=self.mapper_name,
header_file=None,
uses_cleartext_key=False)
if not self.is_luks_device_opened:
return False
# attempt mount
return self.mount()
# conditions required to re-mount were not met
return False
def prepare(self):
""" prepare a non-encrypted resource disk to be encrypted """
self.configure_waagent()
self.configure_fstab()
if self.resource_disk_partition_exists():
self.disk_util.swapoff()
self.unmount_resource_disk()
self.remove_device_mapper()
self.clear_luks_header()
self.prepare_partition()
return True
def automount(self):
""" encrypt resource disk """
# try to remount if the disk was previously encrypted and is still valid
if self.try_remount():
return True
# unencrypted or unusable
if self.is_encrypt_format_all():
return self.prepare() and self.encrypt() and self.make(
) and self.mount()
else:
self.logger.log(
'EncryptionFormatAll not in use, resource disk will not be automatically formatted and encrypted.'
)
class ResourceDiskUtil(object):
""" Resource Disk Encryption Utilities """
RD_KEY_FILE = CommonVariables.PassphraseFileNameKey
RD_MOUNT_POINT = '/mnt/resource'
RD_BASE_DEV_PATH = '/dev/disk/azure/resource'
RD_DEV_PATH = '/dev/disk/azure/resource-part1'
DM_PREFIX = '/dev/mapper/'
# todo: consolidate this and other key file path references
# (BekUtil.py, ExtensionParameter.py, and dracut patches)
RD_KEY_FILE = '/mnt/azure_bek_disk/LinuxPassPhraseFileName'
RD_KEY_FILE_MOUNT_POINT = '/mnt/azure_bek_disk'
RD_KEY_VOLUME_LABEL = 'BEK VOLUME'
def __init__(self, hutil, logger, distro_patcher):
self.hutil = hutil
self.logger = logger
self.executor = CommandExecutor(self.logger)
self.disk_util = DiskUtil(hutil=self.hutil, patching=distro_patcher, logger=self.logger, encryption_environment=None)
self.mapper_name = str(uuid.uuid4())
self.mapper_path = self.DM_PREFIX + self.mapper_name
def is_encrypt_format_all(self):
""" return true if current encryption operation is EncryptFormatAll """
try:
public_settings_str = self.hutil._context._config['runtimeSettings'][0]['handlerSettings'].get('publicSettings')
if isinstance(public_settings_str, basestring):
public_settings = json.loads(public_settings_str)
else:
public_settings = public_settings_str
encryption_operation = public_settings.get(CommonVariables.EncryptionEncryptionOperationKey)
if encryption_operation in [CommonVariables.EnableEncryptionFormatAll]:
return True
except:
self.logger.log("unable to identify current encryption operation")
return False
def is_luks_device(self):
""" checks if the device is set up with a luks header """
if not self.resource_disk_partition_exists():
return False
cmd = 'cryptsetup isLuks ' + self.RD_DEV_PATH
return (int)(self.executor.Execute(cmd, suppress_logging=True)) == CommonVariables.process_success
def is_luks_device_opened(self):
""" check for presence of luks uuid to see if device was already opened """
# suppress logging to avoid log clutter if the device is not open yet
if not self.resource_disk_partition_exists():
return False
cmd = 'test -b /dev/disk/by-uuid/$(cryptsetup luksUUID ' + self.RD_DEV_PATH + ')'
return (int)(self.executor.ExecuteInBash(cmd, suppress_logging=True)) == CommonVariables.process_success
def is_valid_key(self):
""" test if current key can be used to open current partition """
# suppress logging to avoid log clutter if the key doesn't match
if not self.resource_disk_partition_exists():
return False
cmd = 'cryptsetup luksOpen ' + self.RD_DEV_PATH + ' --test-passphrase --key-file ' + self.RD_KEY_FILE
return (int)(self.executor.Execute(cmd, suppress_logging=True)) == CommonVariables.process_success
def resource_disk_exists(self):
""" true if the udev name for resource disk exists """
cmd = 'test -b ' + self.RD_BASE_DEV_PATH
return (int)(self.executor.Execute(cmd, suppress_logging=True)) == CommonVariables.process_success
def resource_disk_partition_exists(self):
""" true if udev name for resource disk partition exists """
cmd = 'test -b ' + self.RD_DEV_PATH
return (int)(self.executor.Execute(cmd, suppress_logging=True)) == CommonVariables.process_success
def format_luks(self):
""" set up resource disk crypt device layer using disk util """
if not self.resource_disk_partition_exists():
self.logger.log('LUKS format operation requested, but resource disk partition does not exist')
return False
return (int)(self.disk_util.luks_format(passphrase_file=self.RD_KEY_FILE, dev_path=self.RD_DEV_PATH, header_file=None)) == CommonVariables.process_success
def encrypt(self):
""" use disk util with the appropriate device mapper """
self.mount_key_volume()
return (int)(self.disk_util.encrypt_disk(dev_path=self.RD_DEV_PATH, passphrase_file=self.RD_KEY_FILE, mapper_name=self.mapper_name, header_file=None)) == CommonVariables.process_success
def make(self):
""" make a default file system on top of the crypt layer """
make_result = self.disk_util.format_disk(dev_path=self.mapper_path, file_system=CommonVariables.default_file_system)
if make_result != CommonVariables.process_success:
self.logger.log(msg="Failed to make file system on ephemeral disk", level=CommonVariables.ErrorLevel)
return False
# todo - drop DATALOSS_WARNING_README.txt file to disk
return True
def mount_key_volume(self):
""" attempt to mount the key volume and verify existence of key file"""
if not os.path.exists(self.RD_KEY_FILE):
self.disk_util.make_sure_path_exists(self.RD_KEY_FILE_MOUNT_POINT)
key_volume_device_name = os.popen('blkid -L "' + self.RD_KEY_VOLUME_LABEL + '"').read().strip()
self.disk_util.mount_filesystem(key_volume_device_name, self.RD_KEY_FILE_MOUNT_POINT)
return os.path.exists(self.RD_KEY_FILE)
def mount(self):
""" mount the file system previously made on top of the crypt layer """
#ensure that resource disk mount point directory has been created
cmd = 'mkdir -p ' + self.RD_MOUNT_POINT
if self.executor.Execute(cmd, suppress_logging=True) != CommonVariables.process_success:
self.logger.log(msg='Failed to precreate mount point directory: ' + cmd, level=CommonVariables.ErrorLevel)
return False
# mount to mount point directory
mount_result = self.disk_util.mount_filesystem(dev_path=self.mapper_path, mount_point=self.RD_MOUNT_POINT, file_system=CommonVariables.default_file_system)
if mount_result != CommonVariables.process_success:
self.logger.log(msg="Failed to mount file system on resource disk", level=CommonVariables.ErrorLevel)
return False
return True
def configure_waagent(self):
""" turn off waagent.conf resource disk management """
# set ResourceDisk.MountPoint to standard mount point
cmd = "sed -i.rdbak1 's|ResourceDisk.MountPoint=.*|ResourceDisk.MountPoint=" + self.RD_MOUNT_POINT + "|' /etc/waagent.conf"
# set ResourceDiskFormat=n to ensure waagent does not attempt a simultaneous format
cmd = "sed -i.rdbak2 's|ResourceDisk.Format=y|ResourceDisk.Format=n|' /etc/waagent.conf"
if self.executor.ExecuteInBash(cmd) != CommonVariables.process_success:
self.logger.log(msg="Failed to set ResourceDiskFormat in /etc/waagent.conf", level=CommonVariables.WarningLevel)
return False
# todo: restart waagent if necessary to ensure changes are picked up?
return True
def configure_fstab(self):
""" remove resource disk from /etc/fstab if present """
cmd = "sed -i.bak '/azure_resource-part1/d' /etc/fstab"
if self.executor.ExecuteInBash(cmd) != CommonVariables.process_success:
self.logger.log(msg="Failed to configure resource disk entry of /etc/fstab", level=CommonVariables.WarningLevel)
return False
return True
def unmount_resource_disk(self):
""" unmount resource disk """
# after service healing multiple unmounts of key file mount point may be required
self.disk_util.umount(self.RD_KEY_FILE_MOUNT_POINT)
self.disk_util.umount(self.RD_KEY_FILE_MOUNT_POINT)
self.disk_util.umount(self.RD_MOUNT_POINT)
self.disk_util.umount('/mnt')
def is_crypt_mounted(self):
""" return true if mount point is already on a crypt layer """
mount_items = self.disk_util.get_mount_items()
for mount_item in mount_items:
if mount_item["dest"] == self.RD_MOUNT_POINT and mount_item["src"].startswith(self.DM_PREFIX):
return True
return False
def get_rd_device_mapper(self):
""" retrieve current device mapper path backing the encrypted resource disk mount point """
device_items = self.disk_util.get_device_items(self.RD_DEV_PATH)
for device_item in device_items:
if device_item.type.lower() == 'crypt':
self.logger.log('Found device mapper: ' + device_item.name.lower(), level='Info')
return device_item.name.lower()
return None
def remove_device_mapper(self):
""" use dmsetup to remove the resource disk device mapper if it exists """
dm_name = self.get_rd_device_mapper()
if dm_name:
cmd = 'dmsetup remove ' + self.DM_PREFIX + dm_name
if self.executor.Execute(cmd) == CommonVariables.process_success:
return True
else:
self.logger.log('failed to remove ' + dm_name)
else:
self.logger.log('no resource disk device mapper found')
return False
def prepare_partition(self):
""" create partition on resource disk if missing """
if self.resource_disk_partition_exists():
return True
self.logger.log("resource disk partition does not exist", level='Info')
cmd = 'parted ' + self.RD_BASE_DEV_PATH + ' mkpart primary ext4 0% 100%'
if self.executor.ExecuteInBash(cmd) == CommonVariables.process_success:
# wait for the corresponding udev name to become available
for i in range(0, 10):
time.sleep(i)
if self.resource_disk_partition_exists():
return True
self.logger.log('unable to make resource disk partition')
return False
def clear_luks_header(self):
""" clear luks header by overwriting with 10MB of entropy """
if not self.resource_disk_partition_exists():
self.logger.log("resource partition does not exist, no luks header to clear")
return True
cmd = 'dd if=/dev/urandom of=' + self.RD_DEV_PATH + ' bs=512 count=20480'
return self.executor.Execute(cmd) == CommonVariables.process_success
def try_remount(self):
""" mount encrypted resource disk if not already mounted"""
if self.is_crypt_mounted():
self.logger.log("resource disk already encrypted and mounted", level='Info')
return True
if self.resource_disk_exists() and self.resource_disk_partition_exists() and self.is_luks_device() and self.is_valid_key():
# store the currently associated path and name
current_mapper_name = self.get_rd_device_mapper()
if current_mapper_name:
self.mapper_name = current_mapper_name
self.mapper_path = self.DM_PREFIX + self.mapper_name
if not self.is_luks_device_opened:
# attempt to open
self.disk_util.luks_open(passphrase_file=self.RD_KEY_FILE, dev_path=self.RD_DEV_PATH, mapper_name=self.mapper_name, header_file=None, uses_cleartext_key=False)
if not self.is_luks_device_opened:
return False
# attempt mount
return self.mount()
# conditions required to re-mount were not met
return False
def prepare(self):
""" prepare a non-encrypted resource disk to be encrypted """
self.configure_waagent()
self.configure_fstab()
if self.resource_disk_partition_exists():
self.disk_util.swapoff()
self.unmount_resource_disk()
self.remove_device_mapper()
self.clear_luks_header()
self.prepare_partition()
return True
def automount(self):
""" encrypt resource disk """
# try to remount if the disk was previously encrypted and is still valid
if self.try_remount():
return True
# unencrypted or unusable
if self.is_encrypt_format_all():
return self.prepare() and self.encrypt() and self.make() and self.mount()
else:
self.logger.log('EncryptionFormatAll not in use, resource disk will not be automatically formatted and encrypted.')
