diff --git a/ansible/group_vars/all/compute b/ansible/group_vars/all/compute
index 244eac119..f5f5073d3 100644
--- a/ansible/group_vars/all/compute
+++ b/ansible/group_vars/all/compute
@@ -61,6 +61,12 @@ compute_raid_config_extra: []
 # List of software RAID arrays. See mrlesmithjr.mdadm role for format.
 compute_mdadm_arrays: []
+###############################################################################
+# Compute node encryption configuration.
+
+# List of block devices to encrypt. See stackhpc.luks role for format.
+compute_luks_devices: []
+
 ###############################################################################
 # Compute node LVM configuration.
diff --git a/ansible/group_vars/all/controllers b/ansible/group_vars/all/controllers
index d8d5e4d88..58ec88172 100644
--- a/ansible/group_vars/all/controllers
+++ b/ansible/group_vars/all/controllers
@@ -72,6 +72,12 @@ controller_raid_config_extra: []
 # List of software RAID arrays. See mrlesmithjr.mdadm role for format.
 controller_mdadm_arrays: []
+###############################################################################
+# Controller node encryption configuration.
+
+# List of block devices to encrypt. See stackhpc.luks role for format.
+controller_luks_devices: []
+
 ###############################################################################
 # Controller node LVM configuration.
diff --git a/ansible/group_vars/all/monitoring b/ansible/group_vars/all/monitoring
index d03e4f2ae..5eaec6df4 100644
--- a/ansible/group_vars/all/monitoring
+++ b/ansible/group_vars/all/monitoring
@@ -61,6 +61,12 @@ monitoring_raid_config_extra: "{{ controller_raid_config_extra }}"
 # List of software RAID arrays. See mrlesmithjr.mdadm role for format.
 monitoring_mdadm_arrays: []
+###############################################################################
+# Monitoring node encryption configuration.
+
+# List of block devices to encrypt. See stackhpc.luks role for format.
+monitoring_luks_devices: []
+
 ###############################################################################
 # Monitoring node LVM configuration.
diff --git a/ansible/group_vars/all/seed b/ansible/group_vars/all/seed
index b53b1dbaf..45faf19b0 100644
--- a/ansible/group_vars/all/seed
+++ b/ansible/group_vars/all/seed
@@ -29,6 +29,12 @@ seed_extra_network_interfaces: []
 # List of software RAID arrays. See mrlesmithjr.mdadm role for format.
 seed_mdadm_arrays: []
+###############################################################################
+# Seed node encryption configuration.
+
+# List of block devices to encrypt. See stackhpc.luks role for format.
+seed_luks_devices: []
+
 ###############################################################################
 # Seed node LVM configuration.
diff --git a/ansible/group_vars/all/seed-hypervisor b/ansible/group_vars/all/seed-hypervisor
index c0793d58e..7ebdeee50 100644
--- a/ansible/group_vars/all/seed-hypervisor
+++ b/ansible/group_vars/all/seed-hypervisor
@@ -26,6 +26,12 @@ seed_hypervisor_extra_network_interfaces: "{{ seed_extra_network_interfaces }}"
 # List of software RAID arrays. See mrlesmithjr.mdadm role for format.
 seed_hypervisor_mdadm_arrays: []
+###############################################################################
+# Seed hypervisor node encryption configuration.
+
+# List of block devices to encrypt. See stackhpc.luks role for format.
+seed_hypervisor_luks_devices: []
+
 ###############################################################################
 # Seed hypervisor node LVM configuration.
diff --git a/ansible/group_vars/all/storage b/ansible/group_vars/all/storage
index 74b3339d0..23197be3d 100644
--- a/ansible/group_vars/all/storage
+++ b/ansible/group_vars/all/storage
@@ -73,6 +73,12 @@ storage_raid_config_extra: []
 # List of software RAID arrays. See mrlesmithjr.mdadm role for format.
 storage_mdadm_arrays: []
+###############################################################################
+# Storage node encryption configuration.
+
+# List of block devices to encrypt. See stackhpc.luks role for format.
+storage_luks_devices: []
+
 ###############################################################################
 # Storage node LVM configuration.
diff --git a/ansible/group_vars/compute/luks b/ansible/group_vars/compute/luks
new file mode 100644
index 000000000..902a30319
--- /dev/null
+++ b/ansible/group_vars/compute/luks
@@ -0,0 +1,6 @@
+---
+###############################################################################
+# Compute node encryption configuration.
+
+# List of block devices to encrypt. See stackhpc.luks role for format.
+luks_devices: "{{ compute_luks_devices }}"
diff --git a/ansible/group_vars/controllers/luks b/ansible/group_vars/controllers/luks
new file mode 100644
index 000000000..d422e2e37
--- /dev/null
+++ b/ansible/group_vars/controllers/luks
@@ -0,0 +1,6 @@
+---
+###############################################################################
+# Controller node encryption configuration.
+
+# List of block devices to encrypt. See stackhpc.luks role for format.
+luks_devices: "{{ controller_luks_devices }}"
diff --git a/ansible/group_vars/monitoring/luks b/ansible/group_vars/monitoring/luks
new file mode 100644
index 000000000..911692ba0
--- /dev/null
+++ b/ansible/group_vars/monitoring/luks
@@ -0,0 +1,9 @@
+---
+###############################################################################
+# Monitoring node encryption configuration.
+
+# List of block devices to encrypt. See stackhpc.luks role for format.
+luks_devices: >
+ {{ controller_luks_devices
+ if inventory_hostname in groups['controllers'] else
+ monitoring_luks_devices }}
diff --git a/ansible/group_vars/seed-hypervisor/luks b/ansible/group_vars/seed-hypervisor/luks
new file mode 100644
index 000000000..bc454722a
--- /dev/null
+++ b/ansible/group_vars/seed-hypervisor/luks
@@ -0,0 +1,6 @@
+---
+###############################################################################
+# Seed hypervisor node encryption configuration.
+
+# List of block devices to encrypt. See stackhpc.luks role for format.
+luks_devices: "{{ seed_hypervisor_luks_devices }}"
diff --git a/ansible/group_vars/seed/luks b/ansible/group_vars/seed/luks
new file mode 100644
index 000000000..0c656fe44
--- /dev/null
+++ b/ansible/group_vars/seed/luks
@@ -0,0 +1,6 @@
+---
+###############################################################################
+# Seed node encryption configuration.
+
+# List of block devices to encrypt. See stackhpc.luks role for format.
+luks_devices: "{{ seed_luks_devices }}"
diff --git a/ansible/group_vars/storage/luks b/ansible/group_vars/storage/luks
new file mode 100644
index 000000000..2c9ba1974
--- /dev/null
+++ b/ansible/group_vars/storage/luks
@@ -0,0 +1,6 @@
+---
+###############################################################################
+# Storage node encryption configuration.
+
+# List of block devices to encrypt. See stackhpc.luks role for format.
+luks_devices: "{{ storage_luks_devices }}"
diff --git a/ansible/luks.yml b/ansible/luks.yml
new file mode 100644
index 000000000..6aa65c4b2
--- /dev/null
+++ b/ansible/luks.yml
@@ -0,0 +1,14 @@
+---
+- name: Ensure encryption configuration is applied
+ hosts: seed-hypervisor:seed:overcloud
+ tags:
+ - luks
+ tasks:
+ - name: Setup LUKS disk encryption
+ vars:
+ luks_action: setup
+ include_role:
+ name: stackhpc.luks
+ when:
+ - luks_devices is defined
+ - luks_devices | length > 0
diff --git a/ansible/wipe-disks.yml b/ansible/wipe-disks.yml
index 2b2c6ea23..7aec95078 100644
--- a/ansible/wipe-disks.yml
+++ b/ansible/wipe-disks.yml
@@ -4,11 +4,15 @@
 # Initialisation task to be applied on first boot of a system to initalise
 # disks. We search for block devices that are not currently mounted, then wipe
-# any LVM or file system state from them.
+# any LVM or file system state from them. Any associated dm-crypt devices are
+# also closed and removed from crypttab.
 - name: Ensure that all unmounted block devices are wiped
 hosts: seed-hypervisor:seed:overcloud
 tags:
 - wipe-disks
 roles:
+ - role: stackhpc.luks
+ vars:
+ luks_action: teardown-unmounted
 - role: wipe-disks
diff --git a/doc/source/configuration/hosts.rst b/doc/source/configuration/hosts.rst
index 66d86c233..a33253238 100644
--- a/doc/source/configuration/hosts.rst
+++ b/doc/source/configuration/hosts.rst
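Review bot: The new luks.yml play says nothing about where the key material for the devices in `luks_devices` comes from or how it is expected to be protected, which is the first thing an operator enabling disk encryption will ask. Since the host-configure commands already carry `VaultMixin`, a comment above the `include_role` task pointing at the role's key configuration would close the gap, e.g. `# Key material for these devices is read by the stackhpc.luks role; keep any passphrase or keyfile in vault-encrypted config.` The double `when` guard is also worth a one-line comment, because a host whose group does not map `luks_devices` is skipped silently rather than reported; `# Skipped on hosts whose group_vars do not define luks_devices.` makes that intent explicit.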
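Review bot: In wipe-disks.yml the `stackhpc.luks` role is added to `roles:` with no condition, whereas luks.yml only includes the same role when `luks_devices is defined` and non-empty; if the `teardown-unmounted` action reads `luks_devices`, a host without that variable would fail on first boot, so either mirror the guard with `when: luks_devices is defined` on the role entry or confirm the role tolerates the variable being undefined. The header comment should also state plainly that this play now closes dm-crypt devices that are open but not mounted and drops their crypttab entries before wiping, because that makes an already destructive first-boot play reach one layer deeper; something like `# Open dm-crypt devices that are not mounted are closed and removed from crypttab before the underlying device is wiped.` if that is indeed what teardown-unmounted does.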
@@ -561,6 +561,41 @@ available as ``/dev/md0``:
 level: '1'
 state: present
+.. _configuration-hosts-encryption:
+
+Encryption
+==========
+*tags:*
+ | ``luks``
+
+Encrypted block devices may be configured via the ``luks_devices`` variable. For
+convenience, this is mapped to the following variables:
+
+* ``seed_hypervisor_luks_devices``
+* ``seed_luks_devices``
+* ``compute_luks_devices``
+* ``controller_luks_devices``
+* ``monitoring_luks_devices``
+* ``storage_luks_devices``
+
+The format of these variables is as defined by the ``luks_devices`` variable of
+the `stackhpc.luks `__
+Ansible role.
+
+For example, to encrypt the software raid device, ``/dev/md0``, on the seed, and make it
+available as ``/dev/mapper/md0crypt``
+
+.. code-block:: yaml
+ :caption: ``seed.yml``
+
+ seed_luks_devices:
+ - name: md0crypt
+ device: /dev/md0
+
+.. note::
+
+ It is not yet possible to encrypt the root device.
+
 .. _configuration-hosts-lvm:
 LVM
diff --git a/etc/kayobe/compute.yml b/etc/kayobe/compute.yml
index c744722a8..bc5183634 100644
--- a/etc/kayobe/compute.yml
+++ b/etc/kayobe/compute.yml
@@ -54,6 +54,12 @@
 # List of software RAID arrays. See mrlesmithjr.mdadm role for format.
 #compute_mdadm_arrays:
+###############################################################################
+# Compute node encryption configuration.
+
+# List of block devices to encrypt. See stackhpc.luks role for format.
+#compute_luks_devices:
+
 ###############################################################################
 # Compute node LVM configuration.
diff --git a/etc/kayobe/controllers.yml b/etc/kayobe/controllers.yml
index c0dfbcda8..e23695574 100644
--- a/etc/kayobe/controllers.yml
+++ b/etc/kayobe/controllers.yml
@@ -57,6 +57,12 @@
 # List of software RAID arrays. See mrlesmithjr.mdadm role for format.
 #controller_mdadm_arrays:
+###############################################################################
+# Controller node encryption configuration.
+
+# List of block devices to encrypt. See stackhpc.luks role for format.
+#controller_luks_devices:
+
 ###############################################################################
 # Controller node LVM configuration.
diff --git a/etc/kayobe/monitoring.yml b/etc/kayobe/monitoring.yml
index 30690a2fe..e28e5ccf1 100644
--- a/etc/kayobe/monitoring.yml
+++ b/etc/kayobe/monitoring.yml
@@ -54,6 +54,12 @@
 # List of software RAID arrays. See mrlesmithjr.mdadm role for format.
 #monitoring_mdadm_arrays:
+###############################################################################
+# Monitoring node encryption configuration.
+
+# List of block devices to encrypt. See stackhpc.luks role for format.
+#monitoring_luks_devices:
+
 ###############################################################################
 # Monitoring node LVM configuration.
diff --git a/etc/kayobe/seed-hypervisor.yml b/etc/kayobe/seed-hypervisor.yml
index f4e2db64e..1ef898893 100644
--- a/etc/kayobe/seed-hypervisor.yml
+++ b/etc/kayobe/seed-hypervisor.yml
@@ -24,6 +24,12 @@
 # List of software RAID arrays. See mrlesmithjr.mdadm role for format.
 #seed_hypervisor_mdadm_arrays:
+###############################################################################
+# Seed hypervisor node encryption configuration.
+
+# List of block devices to encrypt. See stackhpc.luks role for format.
+#seed_hypervisor_luks_devices:
+
 ###############################################################################
 # Seed hypervisor node LVM configuration.
diff --git a/etc/kayobe/seed.yml b/etc/kayobe/seed.yml
index a1c5b1a1d..3326c2429 100644
--- a/etc/kayobe/seed.yml
+++ b/etc/kayobe/seed.yml
@@ -24,6 +24,12 @@
 # List of software RAID arrays. See mrlesmithjr.mdadm role for format.
 #seed_mdadm_arrays:
+###############################################################################
+# Seed node encryption configuration.
+
+# List of block devices to encrypt. See stackhpc.luks role for format.
+#seed_luks_devices:
+
 ###############################################################################
 # LVM configuration.
diff --git a/etc/kayobe/storage.yml b/etc/kayobe/storage.yml
index bd7a0d681..624553736 100644
--- a/etc/kayobe/storage.yml
+++ b/etc/kayobe/storage.yml
@@ -59,6 +59,12 @@
 # List of software RAID arrays. See mrlesmithjr.mdadm role for format.
 #storage_mdadm_arrays:
+###############################################################################
+# Storage node encryption configuration.
+
+# List of block devices to encrypt. See stackhpc.luks role for format.
+#storage_luks_devices:
+
 ###############################################################################
 # Storage node LVM configuration.
diff --git a/kayobe/cli/commands.py b/kayobe/cli/commands.py
index d43c2d844..2e6740aac 100644
--- a/kayobe/cli/commands.py
+++ b/kayobe/cli/commands.py
@@ -342,6 +342,7 @@ class SeedHypervisorHostConfigure(KollaAnsibleMixin, KayobeAnsibleMixin,
 * Set sysctl parameters.
 * Configure NTP.
 * Optionally, configure software RAID arrays.
+ * Optionally, configure encryption.
 * Configure LVM volumes.
 * Configure the host as a libvirt hypervisor.
 """
@@ -379,7 +380,7 @@ class SeedHypervisorHostConfigure(KollaAnsibleMixin, KayobeAnsibleMixin,
 playbooks += _build_playbook_list("wipe-disks")
 playbooks += _build_playbook_list(
 "users", "yum", "dnf", "dev-tools", "network", "sysctl", "ntp",
- "mdadm", "lvm", "seed-hypervisor-libvirt-host")
+ "mdadm", "luks", "lvm", "seed-hypervisor-libvirt-host")
 self.run_kayobe_playbooks(parsed_args, playbooks,
 limit="seed-hypervisor")
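Review bot: The `"luks"` entry is slotted between `"mdadm"` and `"lvm"` in the `_build_playbook_list(` call of SeedHypervisorHostConfigure with nothing saying that the position is load-bearing, yet the overcloud test override in this same change layers a LUKS device on `/dev/md0` and then hands `/dev/mapper/loopback-crypt` to LVM, so moving the entry would break exactly that configuration. A comment above the call, `# Order matters: mdadm -> luks -> lvm, since LUKS may sit on a RAID array and back an LVM group.`, would protect it; the same applies to the SeedHostConfigure and OvercloudHostConfigure hunks on the following line, which repeat the list by hand. The docstring bullet `* Optionally, configure encryption.` would be clearer as `* Optionally, configure LUKS disk encryption.`, matching the playbook name in all three classes. The methods these hunks touch start and end outside the hunks.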
@@ -498,6 +499,7 @@ class SeedHostConfigure(KollaAnsibleMixin, KayobeAnsibleMixin, VaultMixin,
 * Disable bootstrap interface configuration.
 * Configure NTP.
 * Optionally, configure software RAID arrays.
+ * Optionally, configure encryption.
 * Configure LVM volumes.
 * Optionally, create a virtualenv for kolla-ansible.
 * Configure a user account for kolla-ansible.
@@ -530,8 +532,8 @@ class SeedHostConfigure(KollaAnsibleMixin, KayobeAnsibleMixin, VaultMixin,
 playbooks += _build_playbook_list(
 "users", "yum", "dnf", "dev-tools", "disable-selinux", "network",
 "sysctl", "ip-routing", "snat", "disable-glean", "ntp", "mdadm",
- "lvm", "docker-devicemapper", "kolla-ansible-user", "kolla-pip",
- "kolla-target-venv")
+ "luks", "lvm", "docker-devicemapper", "kolla-ansible-user",
+ "kolla-pip", "kolla-target-venv")
 self.run_kayobe_playbooks(parsed_args, playbooks, limit="seed")
 self.generate_kolla_ansible_config(parsed_args, service_config=False)
@@ -863,6 +865,7 @@ class OvercloudHostConfigure(KollaAnsibleMixin, KayobeAnsibleMixin, VaultMixin,
 * Disable bootstrap interface configuration.
 * Configure NTP.
 * Optionally, configure software RAID arrays.
+ * Optionally, configure encryption.
 * Configure LVM volumes.
 * Optionally, create a virtualenv for kolla-ansible.
 * Configure a user account for kolla-ansible.
@@ -894,8 +897,8 @@ class OvercloudHostConfigure(KollaAnsibleMixin, KayobeAnsibleMixin, VaultMixin,
 playbooks += _build_playbook_list(
 "users", "yum", "dnf", "dev-tools", "disable-selinux", "network",
 "sysctl", "disable-glean", "disable-cloud-init", "ntp", "mdadm",
- "lvm", "docker-devicemapper", "kolla-ansible-user", "kolla-pip",
- "kolla-target-venv")
+ "luks", "lvm", "docker-devicemapper", "kolla-ansible-user",
+ "kolla-pip", "kolla-target-venv")
 self.run_kayobe_playbooks(parsed_args, playbooks, limit="overcloud")
 self.generate_kolla_ansible_config(parsed_args, service_config=False)
diff --git a/kayobe/tests/unit/cli/test_commands.py b/kayobe/tests/unit/cli/test_commands.py
index a67d6ee26..a7ed3f4bc 100644
--- a/kayobe/tests/unit/cli/test_commands.py
+++ b/kayobe/tests/unit/cli/test_commands.py
@@ -328,6 +328,7 @@ class TestCase(unittest.TestCase):
 utils.get_data_files_path("ansible", "sysctl.yml"),
 utils.get_data_files_path("ansible", "ntp.yml"),
 utils.get_data_files_path("ansible", "mdadm.yml"),
+ utils.get_data_files_path("ansible", "luks.yml"),
 utils.get_data_files_path("ansible", "lvm.yml"),
 utils.get_data_files_path(
 "ansible", "seed-hypervisor-libvirt-host.yml"),
@@ -501,6 +502,7 @@ class TestCase(unittest.TestCase):
 utils.get_data_files_path("ansible", "disable-glean.yml"),
 utils.get_data_files_path("ansible", "ntp.yml"),
 utils.get_data_files_path("ansible", "mdadm.yml"),
+ utils.get_data_files_path("ansible", "luks.yml"),
 utils.get_data_files_path("ansible", "lvm.yml"),
 utils.get_data_files_path("ansible", "docker-devicemapper.yml"),
@@ -1016,6 +1018,7 @@ class TestCase(unittest.TestCase):
 "ansible", "disable-cloud-init.yml"),
 utils.get_data_files_path("ansible", "ntp.yml"),
 utils.get_data_files_path("ansible", "mdadm.yml"),
+ utils.get_data_files_path("ansible", "luks.yml"),
 utils.get_data_files_path("ansible", "lvm.yml"),
 utils.get_data_files_path("ansible", "docker-devicemapper.yml"),
diff --git a/playbooks/kayobe-overcloud-host-configure-base/overrides.yml.j2 b/playbooks/kayobe-overcloud-host-configure-base/overrides.yml.j2
index 51d1119fe..323df0dde 100644
--- a/playbooks/kayobe-overcloud-host-configure-base/overrides.yml.j2
+++ b/playbooks/kayobe-overcloud-host-configure-base/overrides.yml.j2
@@ -51,14 +51,6 @@ test_net_bond_vlan_cidr: 192.168.39.0/24
 test_net_bond_vlan_interface: "{% raw %}{{ test_net_bond_interface }}.{{ test_net_bond_vlan_vlan }}{% endraw %}"
 test_net_bond_vlan_vlan: 44
-# Create an LVM volume group for Docker volumes and devicemapper.
-controller_lvm_groups:
- - "{% raw %}{{ controller_lvm_group_data }}{% endraw %}"
-
-# Provide a disk for use by LVM. Uses the software RAID device created below.
-controller_lvm_group_data_disks:
- - /dev/md0
-
 # Define a software RAID device consisting of two loopback devices.
 controller_mdadm_arrays:
 - name: md0
@@ -68,6 +60,19 @@ controller_mdadm_arrays:
 level: '1'
 state: present
+# Layer LUKS encryption on top of the software RAID
+controller_luks_devices:
+ - name: loopback-crypt
+ device: /dev/md0
+
+# Create an LVM volume group for Docker volumes and devicemapper.
+controller_lvm_groups:
+ - "{% raw %}{{ controller_lvm_group_data }}{% endraw %}"
+
+# Provide a disk for use by LVM. Uses the LUKS encrypted device created above.
+controller_lvm_group_data_disks:
+ - /dev/mapper/loopback-crypt
+
 # Set a sysctl.
 controller_sysctl_parameters:
 fs.mount-max: 99999
diff --git a/playbooks/kayobe-overcloud-host-configure-base/tests/test_overcloud_host_configure.py b/playbooks/kayobe-overcloud-host-configure-base/tests/test_overcloud_host_configure.py
index 1f55ba999..083d43fe2 100644
--- a/playbooks/kayobe-overcloud-host-configure-base/tests/test_overcloud_host_configure.py
+++ b/playbooks/kayobe-overcloud-host-configure-base/tests/test_overcloud_host_configure.py
@@ -92,6 +92,13 @@ def test_software_RAID(host):
 assert slaves == "loop0\nloop1"
+def test_luks(host):
+ # blkid returns an emptry string without root permissions
+ with host.sudo():
+ blkid = host.check_output('blkid /dev/md0')
+ assert 'TYPE="crypto_LUKS"' in blkid
+
+
 def test_sysctls(host):
 assert host.sysctl("fs.mount-max") == 99999
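Review bot: `test_luks` only asserts that `/dev/md0` carries a LUKS header, so it would still pass if the device were formatted but never opened, which is the case the LVM override in overrides.yml.j2 actually depends on (`controller_lvm_group_data_disks` now points at `/dev/mapper/loopback-crypt`). Adding `assert host.file('/dev/mapper/loopback-crypt').exists` after the blkid check pins that the mapping is active, and the later LVM test then fails for the right reason rather than a missing device. The comment above `host.sudo()` also has a typo: `emptry` should be `empty`.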
diff --git a/releasenotes/notes/luks-ed1d301ad0168e91.yaml b/releasenotes/notes/luks-ed1d301ad0168e91.yaml
new file mode 100644
index 000000000..7bd7e3ef5
--- /dev/null
+++ b/releasenotes/notes/luks-ed1d301ad0168e91.yaml
@@ -0,0 +1,8 @@
+---
+features:
+ - |
+ Adds support for configuring encrypted block devices using ``dm-crypt``.
+ Encryption is applied before LVM configuration and after software raid,
+ which allows creating LVM volumes on top of encrypted block devices.
+ See `story 2007555 `__
+ for details.
diff --git a/requirements.yml b/requirements.yml
index d08b92a3e..f2d0ae833 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -27,6 +27,8 @@
 version: v1.7.0
 - src: stackhpc.libvirt-vm
 version: v1.13.0
+- src: stackhpc.luks
+ version: 0.3.2
 - src: stackhpc.mellanox-switch
 version: v1.0.0
 - src: stackhpc.os-images