From 1d7a1c00b3267d7881905604cdf5700d7dfd5382 Mon Sep 17 00:00:00 2001
From: Magnus Kulke
Date: Sun, 15 Dec 2024 20:57:43 +0100
Subject: [PATCH] podvm: add scratch-space logic

This adds the configuration for an encrypted scratch space in /dev/sda4 on an mkosi image. If the image has space available, it will create a "scratch" partition and encrypt it using an adhoc LUKS key. An empty `/run/peerpod/mount-scratch` file is added to the write-files directive of the userdata if a disk size parameter has been set. In that case kata-agent mounts the encrypted scratch space at `/run/kata-containers` prior to startup.
Signed-off-by: Magnus Kulke --- .../mkosi.presets/system/mkosi.conf.d/fedora.conf | 3 ++- .../podvm-mkosi/mkosi.skeleton-rootfs/etc/crypttab | 1 + .../etc/neofetch/coco.ascii | 0 .../etc/neofetch/config.conf | 0 .../etc/profile.d/10-alias.sh | 0 .../etc/profile.d/20-ssh-banner.sh | 0 .../system/afterburn-checkin.service.d/10-override.conf | 0 .../usr/lib/systemd/system/gen-issue.service | 0 .../lib/systemd/system/kata-agent.service.d/10-override.conf | 2 ++ .../system/process-user-data.service.d/10-override.conf | 0 .../mkosi.skeleton/usr/lib/repart.d/30-scratch.conf | 5 +++++ 11 files changed, 10 insertions(+), 1 deletion(-) create mode 100644 src/cloud-api-adaptor/podvm-mkosi/mkosi.skeleton-rootfs/etc/crypttab rename src/cloud-api-adaptor/podvm-mkosi/{mkosi.skeleton => mkosi.skeleton-rootfs}/etc/neofetch/coco.ascii (100%) rename src/cloud-api-adaptor/podvm-mkosi/{mkosi.skeleton => mkosi.skeleton-rootfs}/etc/neofetch/config.conf (100%) rename src/cloud-api-adaptor/podvm-mkosi/{mkosi.skeleton => mkosi.skeleton-rootfs}/etc/profile.d/10-alias.sh (100%) rename src/cloud-api-adaptor/podvm-mkosi/{mkosi.skeleton => mkosi.skeleton-rootfs}/etc/profile.d/20-ssh-banner.sh (100%) rename src/cloud-api-adaptor/podvm-mkosi/{mkosi.skeleton => mkosi.skeleton-rootfs}/usr/lib/systemd/system/afterburn-checkin.service.d/10-override.conf (100%) rename src/cloud-api-adaptor/podvm-mkosi/{mkosi.skeleton => mkosi.skeleton-rootfs}/usr/lib/systemd/system/gen-issue.service (100%) create mode 100644 src/cloud-api-adaptor/podvm-mkosi/mkosi.skeleton-rootfs/usr/lib/systemd/system/kata-agent.service.d/10-override.conf rename src/cloud-api-adaptor/podvm-mkosi/{mkosi.skeleton => mkosi.skeleton-rootfs}/usr/lib/systemd/system/process-user-data.service.d/10-override.conf (100%) create mode 100644 src/cloud-api-adaptor/podvm-mkosi/mkosi.skeleton/usr/lib/repart.d/30-scratch.conf 
diff --git a/src/cloud-api-adaptor/podvm-mkosi/mkosi.presets/system/mkosi.conf.d/fedora.conf b/src/cloud-api-adaptor/podvm-mkosi/mkosi.presets/system/mkosi.conf.d/fedora.conf
index 08891dda9..33ae482f4 100644
--- a/src/cloud-api-adaptor/podvm-mkosi/mkosi.presets/system/mkosi.conf.d/fedora.conf
+++ b/src/cloud-api-adaptor/podvm-mkosi/mkosi.presets/system/mkosi.conf.d/fedora.conf
@@ -7,7 +7,7 @@ Release=40
 [Content]
 CleanPackageMetadata=true
-SkeletonTrees=../../resources/binaries-tree
+SkeletonTrees=../../mkosi.skeleton-rootfs,../../resources/binaries-tree,
 Packages=
 kernel
 kernel-core
@@ -23,6 +23,7 @@ Packages=
 iptables
 afterburn
 neofetch
+ e2fsprogs
 RemoveFiles=/etc/issue
 RemoveFiles=/etc/issue.net
diff --git a/src/cloud-api-adaptor/podvm-mkosi/mkosi.skeleton-rootfs/etc/crypttab b/src/cloud-api-adaptor/podvm-mkosi/mkosi.skeleton-rootfs/etc/crypttab
new file mode 100644
index 000000000..c91cea6d4
--- /dev/null
+++ b/src/cloud-api-adaptor/podvm-mkosi/mkosi.skeleton-rootfs/etc/crypttab
@@ -0,0 +1 @@
+scratch /dev/disk/by-label/scratch - try-empty-password
diff --git a/src/cloud-api-adaptor/podvm-mkosi/mkosi.skeleton/etc/neofetch/coco.ascii b/src/cloud-api-adaptor/podvm-mkosi/mkosi.skeleton-rootfs/etc/neofetch/coco.ascii
similarity index 100%
rename from src/cloud-api-adaptor/podvm-mkosi/mkosi.skeleton/etc/neofetch/coco.ascii
rename to src/cloud-api-adaptor/podvm-mkosi/mkosi.skeleton-rootfs/etc/neofetch/coco.ascii
diff --git a/src/cloud-api-adaptor/podvm-mkosi/mkosi.skeleton/etc/neofetch/config.conf b/src/cloud-api-adaptor/podvm-mkosi/mkosi.skeleton-rootfs/etc/neofetch/config.conf
similarity index 100%
rename from src/cloud-api-adaptor/podvm-mkosi/mkosi.skeleton/etc/neofetch/config.conf
rename to src/cloud-api-adaptor/podvm-mkosi/mkosi.skeleton-rootfs/etc/neofetch/config.conf
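Review bot: The new crypttab entry unlocks the scratch volume with the empty passphrase (`try-empty-password`), and the matching `Encrypt=key-file` in the 30-scratch.conf hunk later in this patch has no `--key-file=` supplied anywhere in the change, so — if I read systemd-repart's default correctly — the LUKS2 container is set up with a zero-length key. That is not the "adhoc LUKS key" the commit message promises: anyone who can read the disk image can unlock the container with the same empty passphrase, so the scratch space is encrypted in form but gives no confidentiality against a party with access to the underlying disk. If a later boot step re-keys the volume or a drop-in for systemd-repart.service passes a key, please say so in a comment above the crypttab line, e.g. `# unlocked with the empty key only until <re-key step> replaces it`. Otherwise consider generating a random key into a tmpfs at boot, passing it to systemd-repart via `--key-file=`, and referencing that same file in the third crypttab column instead of `-`; the same point applies to the 30-scratch.conf hunk and is not repeated there.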
diff --git a/src/cloud-api-adaptor/podvm-mkosi/mkosi.skeleton/etc/profile.d/10-alias.sh b/src/cloud-api-adaptor/podvm-mkosi/mkosi.skeleton-rootfs/etc/profile.d/10-alias.sh
similarity index 100%
rename from src/cloud-api-adaptor/podvm-mkosi/mkosi.skeleton/etc/profile.d/10-alias.sh
rename to src/cloud-api-adaptor/podvm-mkosi/mkosi.skeleton-rootfs/etc/profile.d/10-alias.sh
diff --git a/src/cloud-api-adaptor/podvm-mkosi/mkosi.skeleton/etc/profile.d/20-ssh-banner.sh b/src/cloud-api-adaptor/podvm-mkosi/mkosi.skeleton-rootfs/etc/profile.d/20-ssh-banner.sh
similarity index 100%
rename from src/cloud-api-adaptor/podvm-mkosi/mkosi.skeleton/etc/profile.d/20-ssh-banner.sh
rename to src/cloud-api-adaptor/podvm-mkosi/mkosi.skeleton-rootfs/etc/profile.d/20-ssh-banner.sh
diff --git a/src/cloud-api-adaptor/podvm-mkosi/mkosi.skeleton/usr/lib/systemd/system/afterburn-checkin.service.d/10-override.conf b/src/cloud-api-adaptor/podvm-mkosi/mkosi.skeleton-rootfs/usr/lib/systemd/system/afterburn-checkin.service.d/10-override.conf
similarity index 100%
rename from src/cloud-api-adaptor/podvm-mkosi/mkosi.skeleton/usr/lib/systemd/system/afterburn-checkin.service.d/10-override.conf
rename to src/cloud-api-adaptor/podvm-mkosi/mkosi.skeleton-rootfs/usr/lib/systemd/system/afterburn-checkin.service.d/10-override.conf
diff --git a/src/cloud-api-adaptor/podvm-mkosi/mkosi.skeleton/usr/lib/systemd/system/gen-issue.service b/src/cloud-api-adaptor/podvm-mkosi/mkosi.skeleton-rootfs/usr/lib/systemd/system/gen-issue.service
similarity index 100%
rename from src/cloud-api-adaptor/podvm-mkosi/mkosi.skeleton/usr/lib/systemd/system/gen-issue.service
rename to src/cloud-api-adaptor/podvm-mkosi/mkosi.skeleton-rootfs/usr/lib/systemd/system/gen-issue.service
diff --git a/src/cloud-api-adaptor/podvm-mkosi/mkosi.skeleton-rootfs/usr/lib/systemd/system/kata-agent.service.d/10-override.conf b/src/cloud-api-adaptor/podvm-mkosi/mkosi.skeleton-rootfs/usr/lib/systemd/system/kata-agent.service.d/10-override.conf
new file mode 100644
index 000000000..61dac7f50
--- /dev/null
+++ b/src/cloud-api-adaptor/podvm-mkosi/mkosi.skeleton-rootfs/usr/lib/systemd/system/kata-agent.service.d/10-override.conf
@@ -0,0 +1,2 @@
+[Service]
+ExecStartPre=sh -c '[[ -f /run/peerpod/mount-scratch ]] && mount /dev/mapper/scratch /run/kata-containers'
diff --git a/src/cloud-api-adaptor/podvm-mkosi/mkosi.skeleton/usr/lib/systemd/system/process-user-data.service.d/10-override.conf b/src/cloud-api-adaptor/podvm-mkosi/mkosi.skeleton-rootfs/usr/lib/systemd/system/process-user-data.service.d/10-override.conf
similarity index 100%
rename from src/cloud-api-adaptor/podvm-mkosi/mkosi.skeleton/usr/lib/systemd/system/process-user-data.service.d/10-override.conf
rename to src/cloud-api-adaptor/podvm-mkosi/mkosi.skeleton-rootfs/usr/lib/systemd/system/process-user-data.service.d/10-override.conf
diff --git a/src/cloud-api-adaptor/podvm-mkosi/mkosi.skeleton/usr/lib/repart.d/30-scratch.conf b/src/cloud-api-adaptor/podvm-mkosi/mkosi.skeleton/usr/lib/repart.d/30-scratch.conf
new file mode 100644
index 000000000..cabcc9ef5
--- /dev/null
+++ b/src/cloud-api-adaptor/podvm-mkosi/mkosi.skeleton/usr/lib/repart.d/30-scratch.conf
@@ -0,0 +1,5 @@
+[Partition]
+Type=linux-generic
+Label=scratch
+Encrypt=key-file
+Format=ext4
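Review bot: The `ExecStartPre` in the kata-agent drop-in fails the unit whenever `/run/peerpod/mount-scratch` is absent, because `[[ -f … ]] && mount …` exits with status 1 when the test is false and systemd treats a non-zero ExecStartPre as a start failure — and per the commit message that is the default path for every podvm booted without a disk-size parameter. Prefixing the command with `-` would mask that, but it would also swallow a genuine mount failure and let the agent start with `/run/kata-containers` on the unencrypted root filesystem, which is exactly the case that should fail closed. An `if` keeps both properties: `ExecStartPre=sh -c 'if [ -f /run/peerpod/mount-scratch ]; then mount /dev/mapper/scratch /run/kata-containers; fi'`, and using `[ ]` rather than `[[ ]]` stops the line from depending on `sh` being bash. Depending on how cryptsetup.target is ordered against this unit, an explicit `After=systemd-cryptsetup@scratch.service` in the `[Unit]` section may also be needed so that `/dev/mapper/scratch` exists when the pre-start runs.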