curtin-dev team mailing list archive
Message #04160
[Merge] ~ogayot/curtin:encrypted-zpool-requires-cryptsetup into curtin:master
Olivier Gayot has proposed merging ~ogayot/curtin:encrypted-zpool-requires-cryptsetup into curtin:master.
Commit message:
zfs: add dependency on cryptsetup for encrypted zpools
For a ZFS encrypted installation, the cryptsetup package must be
installed to the target system and the binary copied to the initramfs.
Failing to install the package results in an unbootable system.
Currently, we only install the cryptsetup package when the partitioning
config contains at least one "type: dm_crypt" element.
But not all installations have an explicit "type: dm_crypt" element.
When Subiquity runs a guided ZFS encrypted installation, the
partitioning config only contains a "type: dm_crypt" element if we have
room for an encrypted swap partition. While this is true in most
scenarios, installing to a small enough disk will make Subiquity skip
the swap partition.
We now also install cryptsetup when the partitioning configuration
contains a "type: zpool" element with "encryption_style: luks_keystore".
LP: #2119293
Requested reviews:
curtin developers (curtin-dev)
Related bugs:
Bug #2119293 in curtin: "Failure to boot after installing using zfs+encryption on a small disk - cryptsetup not present in initramfs"
https://bugs.launchpad.net/curtin/+bug/2119293
For more details, see:
https://code.launchpad.net/~ogayot/curtin/+git/curtin/+merge/490155
Ensure cryptsetup is present in the initramfs after performing a ZFS encrypted installation.
If cryptsetup is absent, the system fails to boot.
Bug LP: #2119293
--
Your team curtin developers is requested to review the proposed merge of ~ogayot/curtin:encrypted-zpool-requires-cryptsetup into curtin:master.
diff --git a/curtin/block/deps.py b/curtin/block/deps.py
index 42ad847..b660c0f 100644
--- a/curtin/block/deps.py
+++ b/curtin/block/deps.py
@@ -1,7 +1,7 @@
# This file is part of curtin. See LICENSE file for copyright and license info.
from curtin.distro import DISTROS
-from curtin.block import iscsi, nvme
+from curtin.block import iscsi, nvme, zfs
def storage_config_required_packages(storage_config, mapping):
@@ -40,6 +40,10 @@ def storage_config_required_packages(storage_config, mapping):
exclude_pcie=True):
needed_packages.extend(mapping['nvme_of_controller'])
+ # zpools encrypted using LUKS require cryptsetup
+ if zfs.get_zpool_from_config({"storage": storage_config}, only_encrypted=True):
+ needed_packages.extend(mapping['dm_crypt'])
+
# for any format operations, check the fstype and
# determine if we need any mkfs tools as well.
format_configs = set([operation['fstype']
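Review bot: in the added `if zfs.get_zpool_from_config(...)` block, `mapping['dm_crypt']` is appended regardless of whether the config also contains a "type: dm_crypt" element, which the commit message says is the common case. The same packages may then appear twice in `needed_packages`; confirm that the result is de-duplicated before use, or guard the extend. This new branch of `storage_config_required_packages` also has no unit test in the patch, since the added test only exercises `get_zpool_from_config`.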
diff --git a/curtin/block/zfs.py b/curtin/block/zfs.py
index bb78138..9f4eb8c 100644
--- a/curtin/block/zfs.py
+++ b/curtin/block/zfs.py
@@ -448,7 +448,7 @@ def device_to_poolname(devname):
return label
-def get_zpool_from_config(cfg):
+def get_zpool_from_config(cfg, *, only_encrypted=False):
"""Parse a curtin storage config and return a list
of zpools that were created.
"""
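Review bot: the docstring under the new signature is unchanged and does not mention `only_encrypted`. Document the keyword-only parameter and state what counts as encrypted, since callers such as deps.py now rely on that definition.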
@@ -462,6 +462,8 @@ def get_zpool_from_config(cfg):
sconfig = cfg['storage']['config']
for item in sconfig:
if item['type'] == 'zpool':
+ if only_encrypted and item.get('encryption_style') is None:
+ continue
zpools.append(item['pool'])
elif item['type'] == 'format':
if item['fstype'] == 'zfsroot':
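Review bot: the filter `item.get('encryption_style') is None` treats every non-None value as encrypted, while the commit message and the comment in deps.py tie the cryptsetup requirement to "encryption_style: luks_keystore". Comparing against 'luks_keystore', or naming the parameter for what it selects, would keep the two in step if other styles are ever accepted. The check also sits only in the `zpool` branch; the `format`/`zfsroot` branch below is untouched, so verify what it returns when `only_encrypted=True`.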
diff --git a/tests/unittests/test_block_zfs.py b/tests/unittests/test_block_zfs.py
index 23dba50..14cf239 100644
--- a/tests/unittests/test_block_zfs.py
+++ b/tests/unittests/test_block_zfs.py
@@ -597,6 +597,19 @@ class TestZfsGetPoolFromConfig(CiTestCase):
self.assertEqual(sorted(expected_zpools),
sorted(zfs.get_zpool_from_config(sconfig)))
+ def test_get_zpool_from_config_only_encrypted(self):
+ """ get_zpool_from_config_returns pool names for each zpool in cfg.
+ Here we are only interested in encrypted ones."""
+ zpool_cfg = [
+ {'type': 'zpool', 'pool': 'rpool1'},
+ {'type': 'zpool', 'pool': 'rpool2',
+ 'encryption_style': 'luks_keystore', 'keyfile': '/tmp/zpool-key'},
+ {'type': 'zpool', 'pool': 'rpool3', 'encryption_style': None},
+ ]
+ sconfig = {'storage': {'config': zpool_cfg}}
+ self.assertEqual(['rpool2'],
+ zfs.get_zpool_from_config(sconfig, only_encrypted=True))
+
def test_get_zpool_from_config_zfsroot(self):
""" get_zpool_from_config_returns injected pool name for zfsroot."""
zpool_cfg = [{'type': 'format', 'fstype': 'zfsroot'}]
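Review bot: the new test covers only `type: zpool` items. Add a case that combines a `format`/`zfsroot` item with `only_encrypted=True` so the expected result for that branch is pinned down, given that the following test describes it as returning an injected pool name. The docstring's `get_zpool_from_config_returns` also carries a stray underscore that reads like a function name.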