Add support for encrypted block devices

This can be advantageous in deployments with a data security
requirement.

Change-Id: I555ee575ccec0cfbcc4c4bcb53677796c83227e3
Story: 2007555
Task: 39410

ansible/group_vars/all/compute

@@ -61,6 +61,12 @@ compute_raid_config_extra: []
 # List of software RAID arrays. See mrlesmithjr.mdadm role for format.
 compute_mdadm_arrays: []
 
+###############################################################################
+# Compute node encryption configuration.
+
+# List of block devices to encrypt. See stackhpc.luks role for format.
+compute_luks_devices: []
+
 ###############################################################################
 # Compute node LVM configuration.
 

ansible/group_vars/all/controllers

@@ -72,6 +72,12 @@ controller_raid_config_extra: []
 # List of software RAID arrays. See mrlesmithjr.mdadm role for format.
 controller_mdadm_arrays: []
 
+###############################################################################
+# Controller node encryption configuration.
+
+# List of block devices to encrypt. See stackhpc.luks role for format.
+controller_luks_devices: []
+
 ###############################################################################
 # Controller node LVM configuration.
 

ansible/group_vars/all/monitoring

@@ -61,6 +61,12 @@ monitoring_raid_config_extra: "{{ controller_raid_config_extra }}"
 # List of software RAID arrays. See mrlesmithjr.mdadm role for format.
 monitoring_mdadm_arrays: []
 
+###############################################################################
+# Monitoring node encryption configuration.
+
+# List of block devices to encrypt. See stackhpc.luks role for format.
+monitoring_luks_devices: []
+
 ###############################################################################
 # Monitoring node LVM configuration.
 

ansible/group_vars/all/seed

@@ -29,6 +29,12 @@ seed_extra_network_interfaces: []
 # List of software RAID arrays. See mrlesmithjr.mdadm role for format.
 seed_mdadm_arrays: []
 
+###############################################################################
+# Seed node encryption configuration.
+
+# List of block devices to encrypt. See stackhpc.luks role for format.
+seed_luks_devices: []
+
 ###############################################################################
 # Seed node LVM configuration.
 

ansible/group_vars/all/seed-hypervisor

@@ -26,6 +26,12 @@ seed_hypervisor_extra_network_interfaces: "{{ seed_extra_network_interfaces }}"
 # List of software RAID arrays. See mrlesmithjr.mdadm role for format.
 seed_hypervisor_mdadm_arrays: []
 
+###############################################################################
+# Seed hypervisor node encryption configuration.
+
+# List of block devices to encrypt. See stackhpc.luks role for format.
+seed_hypervisor_luks_devices: []
+
 ###############################################################################
 # Seed hypervisor node LVM configuration.
 

ansible/group_vars/all/storage

@@ -73,6 +73,12 @@ storage_raid_config_extra: []
 # List of software RAID arrays. See mrlesmithjr.mdadm role for format.
 storage_mdadm_arrays: []
 
+###############################################################################
+# Storage node encryption configuration.
+
+# List of block devices to encrypt. See stackhpc.luks role for format.
+storage_luks_devices: []
+
 ###############################################################################
 # Storage node LVM configuration.
 

ansible/group_vars/compute/luks

@@ -0,0 +1,6 @@
+---
+###############################################################################
+# Compute node encryption configuration.
+
+# List of block devices to encrypt. See stackhpc.luks role for format.
+luks_devices: "{{ compute_luks_devices }}"

ansible/group_vars/controllers/luks

@@ -0,0 +1,6 @@
+---
+###############################################################################
+# Controller node encryption configuration.
+
+# List of block devices to encrypt. See stackhpc.luks role for format.
+luks_devices: "{{ controller_luks_devices }}"

ansible/group_vars/monitoring/luks

@@ -0,0 +1,9 @@
+---
+###############################################################################
+# Monitoring node encryption configuration.
+
+# List of block devices to encrypt. See stackhpc.luks role for format.
+luks_devices: >
+  {{ controller_luks_devices
+     if inventory_hostname in groups['controllers'] else
+     monitoring_luks_devices }}

ansible/group_vars/seed-hypervisor/luks

@@ -0,0 +1,6 @@
+---
+###############################################################################
+# Seed hypervisor node encryption configuration.
+
+# List of block devices to encrypt. See stackhpc.luks role for format.
+luks_devices: "{{ seed_hypervisor_luks_devices }}"

ansible/group_vars/seed/luks

@@ -0,0 +1,6 @@
+---
+###############################################################################
+# Seed node encryption configuration.
+
+# List of block devices to encrypt. See stackhpc.luks role for format.
+luks_devices: "{{ seed_luks_devices }}"

ansible/group_vars/storage/luks

@@ -0,0 +1,6 @@
+---
+###############################################################################
+# Storage node encryption configuration.
+
+# List of block devices to encrypt. See stackhpc.luks role for format.
+luks_devices: "{{ storage_luks_devices }}"

ansible/luks.yml

@@ -0,0 +1,14 @@
+---
+- name: Ensure encryption configuration is applied
+  hosts: seed-hypervisor:seed:overcloud
+  tags:
+    - luks
+  tasks:
+    - name: Setup LUKS disk encryption
+      vars:
+        luks_action: setup
+      include_role:
+        name: stackhpc.luks
+      when:
+        - luks_devices is defined
+        - luks_devices | length > 0

ansible/wipe-disks.yml

@@ -4,11 +4,15 @@
 
 # Initialisation task to be applied on first boot of a system to initalise
 # disks. We search for block devices that are not currently mounted, then wipe
-# any LVM or file system state from them.
+# any LVM or file system state from them. Any associated dm-crypt devices are
+# also closed and removed from crypttab.
 
 - name: Ensure that all unmounted block devices are wiped
   hosts: seed-hypervisor:seed:overcloud
   tags:
     - wipe-disks
   roles:
+    - role: stackhpc.luks
+      vars:
+        luks_action: teardown-unmounted
     - role: wipe-disks

doc/source/configuration/hosts.rst

@@ -561,6 +561,41 @@ available as ``/dev/md0``:
        level: '1'
        state: present
 
+.. _configuration-hosts-encryption:
+
+Encryption
+==========
+*tags:*
+  | ``luks``
+
+Encrypted block devices may be configured via the ``luks_devices`` variable. For
+convenience, this is mapped to the following variables:
+
+* ``seed_hypervisor_luks_devices``
+* ``seed_luks_devices``
+* ``compute_luks_devices``
+* ``controller_luks_devices``
+* ``monitoring_luks_devices``
+* ``storage_luks_devices``
+
+The format of these variables is as defined by the ``luks_devices`` variable of
+the `stackhpc.luks <https://galaxy.ansible.com/stackhpc/luks>`__
+Ansible role.
+
+For example, to encrypt the software raid device, ``/dev/md0``, on the seed, and make it
+available as ``/dev/mapper/md0crypt``
+
+.. code-block:: yaml
+   :caption: ``seed.yml``
+
+   seed_luks_devices:
+     - name: md0crypt
+       device: /dev/md0
+
+..  note::
+
+    It is not yet possible to encrypt the root device.
+
 .. _configuration-hosts-lvm:
 
 LVM

etc/kayobe/compute.yml

@@ -54,6 +54,12 @@
 # List of software RAID arrays. See mrlesmithjr.mdadm role for format.
 #compute_mdadm_arrays:
 
+###############################################################################
+# Compute node encryption configuration.
+
+# List of block devices to encrypt. See stackhpc.luks role for format.
+#compute_luks_devices:
+
 ###############################################################################
 # Compute node LVM configuration.
 

etc/kayobe/controllers.yml

@@ -57,6 +57,12 @@
 # List of software RAID arrays. See mrlesmithjr.mdadm role for format.
 #controller_mdadm_arrays:
 
+###############################################################################
+# Controller node encryption configuration.
+
+# List of block devices to encrypt. See stackhpc.luks role for format.
+#controller_luks_devices:
+
 ###############################################################################
 # Controller node LVM configuration.
 

etc/kayobe/monitoring.yml

@@ -54,6 +54,12 @@
 # List of software RAID arrays. See mrlesmithjr.mdadm role for format.
 #monitoring_mdadm_arrays:
 
+###############################################################################
+# Monitoring node encryption configuration.
+
+# List of block devices to encrypt. See stackhpc.luks role for format.
+#monitoring_luks_devices:
+
 ###############################################################################
 # Monitoring node LVM configuration.
 

etc/kayobe/seed-hypervisor.yml

@@ -24,6 +24,12 @@
 # List of software RAID arrays. See mrlesmithjr.mdadm role for format.
 #seed_hypervisor_mdadm_arrays:
 
+###############################################################################
+# Seed hypervisor node encryption configuration.
+
+# List of block devices to encrypt. See stackhpc.luks role for format.
+#seed_hypervisor_luks_devices:
+
 ###############################################################################
 # Seed hypervisor node LVM configuration.
 

etc/kayobe/seed.yml

@@ -24,6 +24,12 @@
 # List of software RAID arrays. See mrlesmithjr.mdadm role for format.
 #seed_mdadm_arrays:
 
+###############################################################################
+# Seed node encryption configuration.
+
+# List of block devices to encrypt. See stackhpc.luks role for format.
+#seed_luks_devices:
+
 ###############################################################################
 # LVM configuration.
 

etc/kayobe/storage.yml

@@ -59,6 +59,12 @@
 # List of software RAID arrays. See mrlesmithjr.mdadm role for format.
 #storage_mdadm_arrays:
 
+###############################################################################
+# Storage node encryption configuration.
+
+# List of block devices to encrypt. See stackhpc.luks role for format.
+#storage_luks_devices:
+
 ###############################################################################
 # Storage node LVM configuration.
 

kayobe/cli/commands.py

@@ -342,6 +342,7 @@ class SeedHypervisorHostConfigure(KollaAnsibleMixin, KayobeAnsibleMixin,
     * Set sysctl parameters.
     * Configure NTP.
     * Optionally, configure software RAID arrays.
+    * Optionally, configure encryption.
     * Configure LVM volumes.
     * Configure the host as a libvirt hypervisor.
     """
@@ -379,7 +380,7 @@ class SeedHypervisorHostConfigure(KollaAnsibleMixin, KayobeAnsibleMixin,
             playbooks += _build_playbook_list("wipe-disks")
         playbooks += _build_playbook_list(
             "users", "yum", "dnf", "dev-tools", "network", "sysctl", "ntp",
-            "mdadm", "lvm", "seed-hypervisor-libvirt-host")
+            "mdadm", "luks", "lvm", "seed-hypervisor-libvirt-host")
         self.run_kayobe_playbooks(parsed_args, playbooks,
                                   limit="seed-hypervisor")
 
@@ -498,6 +499,7 @@ class SeedHostConfigure(KollaAnsibleMixin, KayobeAnsibleMixin, VaultMixin,
     * Disable bootstrap interface configuration.
     * Configure NTP.
     * Optionally, configure software RAID arrays.
+    * Optionally, configure encryption.
     * Configure LVM volumes.
     * Optionally, create a virtualenv for kolla-ansible.
     * Configure a user account for kolla-ansible.
@@ -530,8 +532,8 @@ class SeedHostConfigure(KollaAnsibleMixin, KayobeAnsibleMixin, VaultMixin,
         playbooks += _build_playbook_list(
             "users", "yum", "dnf", "dev-tools", "disable-selinux", "network",
             "sysctl", "ip-routing", "snat", "disable-glean", "ntp", "mdadm",
-            "lvm", "docker-devicemapper", "kolla-ansible-user", "kolla-pip",
-            "kolla-target-venv")
+            "luks", "lvm", "docker-devicemapper", "kolla-ansible-user",
+            "kolla-pip", "kolla-target-venv")
         self.run_kayobe_playbooks(parsed_args, playbooks, limit="seed")
 
         self.generate_kolla_ansible_config(parsed_args, service_config=False)
@@ -863,6 +865,7 @@ class OvercloudHostConfigure(KollaAnsibleMixin, KayobeAnsibleMixin, VaultMixin,
     * Disable bootstrap interface configuration.
     * Configure NTP.
     * Optionally, configure software RAID arrays.
+    * Optionally, configure encryption.
     * Configure LVM volumes.
     * Optionally, create a virtualenv for kolla-ansible.
     * Configure a user account for kolla-ansible.
@@ -894,8 +897,8 @@ class OvercloudHostConfigure(KollaAnsibleMixin, KayobeAnsibleMixin, VaultMixin,
         playbooks += _build_playbook_list(
             "users", "yum", "dnf", "dev-tools", "disable-selinux", "network",
             "sysctl", "disable-glean", "disable-cloud-init", "ntp", "mdadm",
-            "lvm", "docker-devicemapper", "kolla-ansible-user", "kolla-pip",
-            "kolla-target-venv")
+            "luks", "lvm", "docker-devicemapper", "kolla-ansible-user",
+            "kolla-pip", "kolla-target-venv")
         self.run_kayobe_playbooks(parsed_args, playbooks, limit="overcloud")
 
         self.generate_kolla_ansible_config(parsed_args, service_config=False)

kayobe/tests/unit/cli/test_commands.py

@@ -328,6 +328,7 @@ class TestCase(unittest.TestCase):
                     utils.get_data_files_path("ansible", "sysctl.yml"),
                     utils.get_data_files_path("ansible", "ntp.yml"),
                     utils.get_data_files_path("ansible", "mdadm.yml"),
+                    utils.get_data_files_path("ansible", "luks.yml"),
                     utils.get_data_files_path("ansible", "lvm.yml"),
                     utils.get_data_files_path(
                         "ansible", "seed-hypervisor-libvirt-host.yml"),
@@ -501,6 +502,7 @@ class TestCase(unittest.TestCase):
                     utils.get_data_files_path("ansible", "disable-glean.yml"),
                     utils.get_data_files_path("ansible", "ntp.yml"),
                     utils.get_data_files_path("ansible", "mdadm.yml"),
+                    utils.get_data_files_path("ansible", "luks.yml"),
                     utils.get_data_files_path("ansible", "lvm.yml"),
                     utils.get_data_files_path("ansible",
                                               "docker-devicemapper.yml"),
@@ -1016,6 +1018,7 @@ class TestCase(unittest.TestCase):
                         "ansible", "disable-cloud-init.yml"),
                     utils.get_data_files_path("ansible", "ntp.yml"),
                     utils.get_data_files_path("ansible", "mdadm.yml"),
+                    utils.get_data_files_path("ansible", "luks.yml"),
                     utils.get_data_files_path("ansible", "lvm.yml"),
                     utils.get_data_files_path("ansible",
                                               "docker-devicemapper.yml"),

playbooks/kayobe-overcloud-host-configure-base/overrides.yml.j2

@@ -51,14 +51,6 @@ test_net_bond_vlan_cidr: 192.168.39.0/24
 test_net_bond_vlan_interface: "{% raw %}{{ test_net_bond_interface }}.{{ test_net_bond_vlan_vlan }}{% endraw %}"
 test_net_bond_vlan_vlan: 44
 
-# Create an LVM volume group for Docker volumes and devicemapper.
-controller_lvm_groups:
-  - "{% raw %}{{ controller_lvm_group_data }}{% endraw %}"
-
-# Provide a disk for use by LVM. Uses the software RAID device created below.
-controller_lvm_group_data_disks:
-  - /dev/md0
-
 # Define a software RAID device consisting of two loopback devices.
 controller_mdadm_arrays:
   - name: md0
@@ -68,6 +60,19 @@ controller_mdadm_arrays:
     level: '1'
     state: present
 
+# Layer LUKS encryption on top of the software RAID
+controller_luks_devices:
+  - name: loopback-crypt
+    device: /dev/md0
+
+# Create an LVM volume group for Docker volumes and devicemapper.
+controller_lvm_groups:
+  - "{% raw %}{{ controller_lvm_group_data }}{% endraw %}"
+
+# Provide a disk for use by LVM. Uses the LUKS encrypted device created above.
+controller_lvm_group_data_disks:
+  - /dev/mapper/loopback-crypt
+
 # Set a sysctl.
 controller_sysctl_parameters:
   fs.mount-max: 99999

playbooks/kayobe-overcloud-host-configure-base/tests/test_overcloud_host_configure.py

@@ -92,6 +92,13 @@ def test_software_RAID(host):
     assert slaves == "loop0\nloop1"
 
 
+def test_luks(host):
+    # blkid returns an emptry string without root permissions
+    with host.sudo():
+        blkid = host.check_output('blkid /dev/md0')
+    assert 'TYPE="crypto_LUKS"' in blkid
+
+
 def test_sysctls(host):
     assert host.sysctl("fs.mount-max") == 99999
 

releasenotes/notes/luks-ed1d301ad0168e91.yaml

@@ -0,0 +1,8 @@
+---
+features:
+  - |
+    Adds support for configuring encrypted block devices using ``dm-crypt``.
+    Encryption is applied before LVM configuration and after software raid,
+    which allows creating LVM volumes on top of encrypted block devices.
+    See `story 2007555 <https://storyboard.openstack.org/#!/story/2007555>`__
+    for details.

requirements.yml

@@ -27,6 +27,8 @@
   version: v1.7.0
 - src: stackhpc.libvirt-vm
   version: v1.13.0
+- src: stackhpc.luks
+  version: 0.3.2
 - src: stackhpc.mellanox-switch
   version: v1.0.0
 - src: stackhpc.os-images