Add support for encrypted block devices

This can be advantageous in deployments with a data security requirement. Change-Id: I555ee575ccec0cfbcc4c4bcb53677796c83227e3 Story: 2007555 Task: 39410
2020-04-09 23:16:00 +01:00 · 2020-04-09 23:16:00 +01:00 · 5d2a46b2b0
commit 5d2a46b2b0
parent 840c56167a
27 changed files with 206 additions and 14 deletions
--- a/ansible/group_vars/all/compute
+++ b/ansible/group_vars/all/compute
@ -61,6 +61,12 @@ compute_raid_config_extra: []
 # List of software RAID arrays. See mrlesmithjr.mdadm role for format.
 compute_mdadm_arrays: []
 ###############################################################################
 # Compute node encryption configuration.
 # List of block devices to encrypt. See stackhpc.luks role for format.
 compute_luks_devices: []
 ###############################################################################
 # Compute node LVM configuration.
--- a/ansible/group_vars/all/controllers
+++ b/ansible/group_vars/all/controllers
@ -72,6 +72,12 @@ controller_raid_config_extra: []
 # List of software RAID arrays. See mrlesmithjr.mdadm role for format.
 controller_mdadm_arrays: []
 ###############################################################################
 # Controller node encryption configuration.
 # List of block devices to encrypt. See stackhpc.luks role for format.
 controller_luks_devices: []
 ###############################################################################
 # Controller node LVM configuration.
--- a/ansible/group_vars/all/monitoring
+++ b/ansible/group_vars/all/monitoring
@ -61,6 +61,12 @@ monitoring_raid_config_extra: "{{ controller_raid_config_extra }}"
 # List of software RAID arrays. See mrlesmithjr.mdadm role for format.
 monitoring_mdadm_arrays: []
 ###############################################################################
 # Monitoring node encryption configuration.
 # List of block devices to encrypt. See stackhpc.luks role for format.
 monitoring_luks_devices: []
 ###############################################################################
 # Monitoring node LVM configuration.
--- a/ansible/group_vars/all/seed
+++ b/ansible/group_vars/all/seed
@ -29,6 +29,12 @@ seed_extra_network_interfaces: []
 # List of software RAID arrays. See mrlesmithjr.mdadm role for format.
 seed_mdadm_arrays: []
 ###############################################################################
 # Seed node encryption configuration.
 # List of block devices to encrypt. See stackhpc.luks role for format.
 seed_luks_devices: []
 ###############################################################################
 # Seed node LVM configuration.
--- a/ansible/group_vars/all/seed-hypervisor
+++ b/ansible/group_vars/all/seed-hypervisor
@ -26,6 +26,12 @@ seed_hypervisor_extra_network_interfaces: "{{ seed_extra_network_interfaces }}"
 # List of software RAID arrays. See mrlesmithjr.mdadm role for format.
 seed_hypervisor_mdadm_arrays: []
 ###############################################################################
 # Seed hypervisor node encryption configuration.
 # List of block devices to encrypt. See stackhpc.luks role for format.
 seed_hypervisor_luks_devices: []
 ###############################################################################
 # Seed hypervisor node LVM configuration.
--- a/ansible/group_vars/all/storage
+++ b/ansible/group_vars/all/storage
@ -73,6 +73,12 @@ storage_raid_config_extra: []
 # List of software RAID arrays. See mrlesmithjr.mdadm role for format.
 storage_mdadm_arrays: []
 ###############################################################################
 # Storage node encryption configuration.
 # List of block devices to encrypt. See stackhpc.luks role for format.
 storage_luks_devices: []
 ###############################################################################
 # Storage node LVM configuration.
--- a/ansible/group_vars/compute/luks
+++ b/ansible/group_vars/compute/luks
@ -0,0 +1,6 @@
 ---
 ###############################################################################
 # Compute node encryption configuration.
 # List of block devices to encrypt. See stackhpc.luks role for format.
 luks_devices: "{{ compute_luks_devices }}"
--- a/ansible/group_vars/controllers/luks
+++ b/ansible/group_vars/controllers/luks
@ -0,0 +1,6 @@
 ---
 ###############################################################################
 # Controller node encryption configuration.
 # List of block devices to encrypt. See stackhpc.luks role for format.
 luks_devices: "{{ controller_luks_devices }}"
--- a/ansible/group_vars/monitoring/luks
+++ b/ansible/group_vars/monitoring/luks
@ -0,0 +1,9 @@
 ---
 ###############################################################################
 # Monitoring node encryption configuration.
 # List of block devices to encrypt. See stackhpc.luks role for format.
 luks_devices: >
  {{ controller_luks_devices
     if inventory_hostname in groups['controllers'] else
     monitoring_luks_devices }}
--- a/ansible/group_vars/seed-hypervisor/luks
+++ b/ansible/group_vars/seed-hypervisor/luks
@ -0,0 +1,6 @@
 ---
 ###############################################################################
 # Seed hypervisor node encryption configuration.
 # List of block devices to encrypt. See stackhpc.luks role for format.
 luks_devices: "{{ seed_hypervisor_luks_devices }}"
--- a/ansible/group_vars/seed/luks
+++ b/ansible/group_vars/seed/luks
@ -0,0 +1,6 @@
 ---
 ###############################################################################
 # Seed node encryption configuration.
 # List of block devices to encrypt. See stackhpc.luks role for format.
 luks_devices: "{{ seed_luks_devices }}"
--- a/ansible/group_vars/storage/luks
+++ b/ansible/group_vars/storage/luks
@ -0,0 +1,6 @@
 ---
 ###############################################################################
 # Storage node encryption configuration.
 # List of block devices to encrypt. See stackhpc.luks role for format.
 luks_devices: "{{ storage_luks_devices }}"
--- a/ansible/luks.yml
+++ b/ansible/luks.yml
@ -0,0 +1,14 @@
 ---
 - name: Ensure encryption configuration is applied
  hosts: seed-hypervisor:seed:overcloud
  tags:
    - luks
  tasks:
    - name: Setup LUKS disk encryption
      vars:
        luks_action: setup
      include_role:
        name: stackhpc.luks
      when:
        - luks_devices is defined
        - luks_devices | length > 0
--- a/ansible/wipe-disks.yml
+++ b/ansible/wipe-disks.yml
@ -4,11 +4,15 @@
 # Initialisation task to be applied on first boot of a system to initalise
 # disks. We search for block devices that are not currently mounted, then wipe
-# any LVM or file system state from them.
+# any LVM or file system state from them. Any associated dm-crypt devices are
 # also closed and removed from crypttab.
 - name: Ensure that all unmounted block devices are wiped
  hosts: seed-hypervisor:seed:overcloud
  tags:
    - wipe-disks
  roles:
    - role: stackhpc.luks
      vars:
        luks_action: teardown-unmounted
    - role: wipe-disks
--- a/doc/source/configuration/hosts.rst
+++ b/doc/source/configuration/hosts.rst
@ -561,6 +561,41 @@ available as ``/dev/md0``:
       level: '1'
       state: present
 .. _configuration-hosts-encryption:
 Encryption
 ==========
 *tags:*
  | ``luks``
 Encrypted block devices may be configured via the ``luks_devices`` variable. For
 convenience, this is mapped to the following variables:
 * ``seed_hypervisor_luks_devices``
 * ``seed_luks_devices``
 * ``compute_luks_devices``
 * ``controller_luks_devices``
 * ``monitoring_luks_devices``
 * ``storage_luks_devices``
 The format of these variables is as defined by the ``luks_devices`` variable of
 the `stackhpc.luks <https://galaxy.ansible.com/stackhpc/luks>`__
 Ansible role.
 For example, to encrypt the software raid device, ``/dev/md0``, on the seed, and make it
 available as ``/dev/mapper/md0crypt``
 .. code-block:: yaml
   :caption: ``seed.yml``
   seed_luks_devices:
     - name: md0crypt
       device: /dev/md0
 ..  note::
    It is not yet possible to encrypt the root device.
 .. _configuration-hosts-lvm:
 LVM
--- a/etc/kayobe/compute.yml
+++ b/etc/kayobe/compute.yml
@ -54,6 +54,12 @@
 # List of software RAID arrays. See mrlesmithjr.mdadm role for format.
 #compute_mdadm_arrays:
 ###############################################################################
 # Compute node encryption configuration.
 # List of block devices to encrypt. See stackhpc.luks role for format.
 #compute_luks_devices:
 ###############################################################################
 # Compute node LVM configuration.
--- a/etc/kayobe/controllers.yml
+++ b/etc/kayobe/controllers.yml
@ -57,6 +57,12 @@
 # List of software RAID arrays. See mrlesmithjr.mdadm role for format.
 #controller_mdadm_arrays:
 ###############################################################################
 # Controller node encryption configuration.
 # List of block devices to encrypt. See stackhpc.luks role for format.
 #controller_luks_devices:
 ###############################################################################
 # Controller node LVM configuration.
--- a/etc/kayobe/monitoring.yml
+++ b/etc/kayobe/monitoring.yml
@ -54,6 +54,12 @@
 # List of software RAID arrays. See mrlesmithjr.mdadm role for format.
 #monitoring_mdadm_arrays:
 ###############################################################################
 # Monitoring node encryption configuration.
 # List of block devices to encrypt. See stackhpc.luks role for format.
 #monitoring_luks_devices:
 ###############################################################################
 # Monitoring node LVM configuration.
--- a/etc/kayobe/seed-hypervisor.yml
+++ b/etc/kayobe/seed-hypervisor.yml
@ -24,6 +24,12 @@
 # List of software RAID arrays. See mrlesmithjr.mdadm role for format.
 #seed_hypervisor_mdadm_arrays:
 ###############################################################################
 # Seed hypervisor node encryption configuration.
 # List of block devices to encrypt. See stackhpc.luks role for format.
 #seed_hypervisor_luks_devices:
 ###############################################################################
 # Seed hypervisor node LVM configuration.
--- a/etc/kayobe/seed.yml
+++ b/etc/kayobe/seed.yml
@ -24,6 +24,12 @@
 # List of software RAID arrays. See mrlesmithjr.mdadm role for format.
 #seed_mdadm_arrays:
 ###############################################################################
 # Seed node encryption configuration.
 # List of block devices to encrypt. See stackhpc.luks role for format.
 #seed_luks_devices:
 ###############################################################################
 # LVM configuration.
--- a/etc/kayobe/storage.yml
+++ b/etc/kayobe/storage.yml
@ -59,6 +59,12 @@
 # List of software RAID arrays. See mrlesmithjr.mdadm role for format.
 #storage_mdadm_arrays:
 ###############################################################################
 # Storage node encryption configuration.
 # List of block devices to encrypt. See stackhpc.luks role for format.
 #storage_luks_devices:
 ###############################################################################
 # Storage node LVM configuration.
--- a/kayobe/cli/commands.py
+++ b/kayobe/cli/commands.py
@ -342,6 +342,7 @@ class SeedHypervisorHostConfigure(KollaAnsibleMixin, KayobeAnsibleMixin,
    * Set sysctl parameters.
    * Configure NTP.
    * Optionally, configure software RAID arrays.
    * Optionally, configure encryption.
    * Configure LVM volumes.
    * Configure the host as a libvirt hypervisor.
    """
@ -379,7 +380,7 @@ class SeedHypervisorHostConfigure(KollaAnsibleMixin, KayobeAnsibleMixin,
            playbooks += _build_playbook_list("wipe-disks")
        playbooks += _build_playbook_list(
            "users", "yum", "dnf", "dev-tools", "network", "sysctl", "ntp",
-            "mdadm", "lvm", "seed-hypervisor-libvirt-host")
+            "mdadm", "luks", "lvm", "seed-hypervisor-libvirt-host")
        self.run_kayobe_playbooks(parsed_args, playbooks,
                                  limit="seed-hypervisor")
@ -498,6 +499,7 @@ class SeedHostConfigure(KollaAnsibleMixin, KayobeAnsibleMixin, VaultMixin,
    * Disable bootstrap interface configuration.
    * Configure NTP.
    * Optionally, configure software RAID arrays.
    * Optionally, configure encryption.
    * Configure LVM volumes.
    * Optionally, create a virtualenv for kolla-ansible.
    * Configure a user account for kolla-ansible.
@ -530,8 +532,8 @@ class SeedHostConfigure(KollaAnsibleMixin, KayobeAnsibleMixin, VaultMixin,
        playbooks += _build_playbook_list(
            "users", "yum", "dnf", "dev-tools", "disable-selinux", "network",
            "sysctl", "ip-routing", "snat", "disable-glean", "ntp", "mdadm",
-            "lvm", "docker-devicemapper", "kolla-ansible-user", "kolla-pip",
+            "luks", "lvm", "docker-devicemapper", "kolla-ansible-user",
-            "kolla-target-venv")
+            "kolla-pip", "kolla-target-venv")
        self.run_kayobe_playbooks(parsed_args, playbooks, limit="seed")
        self.generate_kolla_ansible_config(parsed_args, service_config=False)
@ -863,6 +865,7 @@ class OvercloudHostConfigure(KollaAnsibleMixin, KayobeAnsibleMixin, VaultMixin,
    * Disable bootstrap interface configuration.
    * Configure NTP.
    * Optionally, configure software RAID arrays.
    * Optionally, configure encryption.
    * Configure LVM volumes.
    * Optionally, create a virtualenv for kolla-ansible.
    * Configure a user account for kolla-ansible.
@ -894,8 +897,8 @@ class OvercloudHostConfigure(KollaAnsibleMixin, KayobeAnsibleMixin, VaultMixin,
        playbooks += _build_playbook_list(
            "users", "yum", "dnf", "dev-tools", "disable-selinux", "network",
            "sysctl", "disable-glean", "disable-cloud-init", "ntp", "mdadm",
-            "lvm", "docker-devicemapper", "kolla-ansible-user", "kolla-pip",
+            "luks", "lvm", "docker-devicemapper", "kolla-ansible-user",
-            "kolla-target-venv")
+            "kolla-pip", "kolla-target-venv")
        self.run_kayobe_playbooks(parsed_args, playbooks, limit="overcloud")
        self.generate_kolla_ansible_config(parsed_args, service_config=False)
--- a/kayobe/tests/unit/cli/test_commands.py
+++ b/kayobe/tests/unit/cli/test_commands.py
@ -328,6 +328,7 @@ class TestCase(unittest.TestCase):
                    utils.get_data_files_path("ansible", "sysctl.yml"),
                    utils.get_data_files_path("ansible", "ntp.yml"),
                    utils.get_data_files_path("ansible", "mdadm.yml"),
                    utils.get_data_files_path("ansible", "luks.yml"),
                    utils.get_data_files_path("ansible", "lvm.yml"),
                    utils.get_data_files_path(
                        "ansible", "seed-hypervisor-libvirt-host.yml"),
@ -501,6 +502,7 @@ class TestCase(unittest.TestCase):
                    utils.get_data_files_path("ansible", "disable-glean.yml"),
                    utils.get_data_files_path("ansible", "ntp.yml"),
                    utils.get_data_files_path("ansible", "mdadm.yml"),
                    utils.get_data_files_path("ansible", "luks.yml"),
                    utils.get_data_files_path("ansible", "lvm.yml"),
                    utils.get_data_files_path("ansible",
                                              "docker-devicemapper.yml"),
@ -1016,6 +1018,7 @@ class TestCase(unittest.TestCase):
                        "ansible", "disable-cloud-init.yml"),
                    utils.get_data_files_path("ansible", "ntp.yml"),
                    utils.get_data_files_path("ansible", "mdadm.yml"),
                    utils.get_data_files_path("ansible", "luks.yml"),
                    utils.get_data_files_path("ansible", "lvm.yml"),
                    utils.get_data_files_path("ansible",
                                              "docker-devicemapper.yml"),
--- a/playbooks/kayobe-overcloud-host-configure-base/overrides.yml.j2
+++ b/playbooks/kayobe-overcloud-host-configure-base/overrides.yml.j2
@ -51,14 +51,6 @@ test_net_bond_vlan_cidr: 192.168.39.0/24
 test_net_bond_vlan_interface: "{% raw %}{{ test_net_bond_interface }}.{{ test_net_bond_vlan_vlan }}{% endraw %}"
 test_net_bond_vlan_vlan: 44
 # Create an LVM volume group for Docker volumes and devicemapper.
 controller_lvm_groups:
  - "{% raw %}{{ controller_lvm_group_data }}{% endraw %}"
 # Provide a disk for use by LVM. Uses the software RAID device created below.
 controller_lvm_group_data_disks:
  - /dev/md0
 # Define a software RAID device consisting of two loopback devices.
 controller_mdadm_arrays:
  - name: md0
@ -68,6 +60,19 @@ controller_mdadm_arrays:
    level: '1'
    state: present
 # Layer LUKS encryption on top of the software RAID
 controller_luks_devices:
  - name: loopback-crypt
    device: /dev/md0
 # Create an LVM volume group for Docker volumes and devicemapper.
 controller_lvm_groups:
  - "{% raw %}{{ controller_lvm_group_data }}{% endraw %}"
 # Provide a disk for use by LVM. Uses the LUKS encrypted device created above.
 controller_lvm_group_data_disks:
  - /dev/mapper/loopback-crypt
 # Set a sysctl.
 controller_sysctl_parameters:
  fs.mount-max: 99999
--- a/playbooks/kayobe-overcloud-host-configure-base/tests/test_overcloud_host_configure.py
+++ b/playbooks/kayobe-overcloud-host-configure-base/tests/test_overcloud_host_configure.py
@ -92,6 +92,13 @@ def test_software_RAID(host):
    assert slaves == "loop0\nloop1"
 def test_luks(host):
    # blkid returns an emptry string without root permissions
    with host.sudo():
        blkid = host.check_output('blkid /dev/md0')
    assert 'TYPE="crypto_LUKS"' in blkid
 def test_sysctls(host):
    assert host.sysctl("fs.mount-max") == 99999
--- a/releasenotes/notes/luks-ed1d301ad0168e91.yaml
+++ b/releasenotes/notes/luks-ed1d301ad0168e91.yaml
@ -0,0 +1,8 @@
 ---
 features:
  - |
    Adds support for configuring encrypted block devices using ``dm-crypt``.
    Encryption is applied before LVM configuration and after software raid,
    which allows creating LVM volumes on top of encrypted block devices.
    See `story 2007555 <https://storyboard.openstack.org/#!/story/2007555>`__
    for details.
--- a/requirements.yml
+++ b/requirements.yml
@ -27,6 +27,8 @@
  version: v1.7.0
 - src: stackhpc.libvirt-vm
  version: v1.13.0
 - src: stackhpc.luks
  version: 0.3.2
 - src: stackhpc.mellanox-switch
  version: v1.0.0
 - src: stackhpc.os-images