Terminated HTTPS certs and keys in encrypted ramfs

This patch adds an element that causes the terminated HTTPS
certificates and keys to be stored in an encrypted ramfs path
so they are encrypted at rest.

Change-Id: Id0f80f311d37d5691087e855fb1291011451c851
Closes-Bug: #1627370

diskimage-create/diskimage-create.sh

@@ -357,6 +357,9 @@ fi
 # Add pip-cache element
 AMP_element_sequence="$AMP_element_sequence pip-cache"
 
+# Add certificate ramfs ecrypt element
+AMP_element_sequence="$AMP_element_sequence cert-ramfs-ecrypt"
+
 # Allow full elements override
 if [ "$DIB_ELEMENTS" ]; then
     AMP_element_sequence="$DIB_ELEMENTS"

elements/cert-ramfs-ecrypt/README.rst

@@ -0,0 +1,4 @@
+Element to setup a ramfs with ecrypt to store the TLS certificates and keys.
+
+Enabling this element will mean that the amphroa can no longer recover from a
+reboot.

elements/cert-ramfs-ecrypt/element-deps

@@ -0,0 +1,2 @@
+dib-init-system
+package-installs

elements/cert-ramfs-ecrypt/init-scripts/systemd/cert-ramfs-ecrypt.service

@@ -0,0 +1,15 @@
+[unit]
+Description=Creates an encrypted ramfs for Octavia certs
+After=cloud-config.target
+
+[Service]
+Type=oneshot
+ExecStart=/bin/sh -c 'passphrase=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1);token=$(echo $passphrase | ecryptfs-add-passphrase | awk -F'[][]' '{printf $2}');certs_path=$$(awk '/base_cert_dir / {printf $$3}' /etc/octavia/amphora-agent.conf);mkdir -p $$certs_path;mount -t ramfs -o size=1m ramfs $$certs_path;mount -t ecryptfs -o key=passphrase:passphrase_passwd=$passphrase,no_sig_cache=yes,verbose=no,ecryptfs_sig=$token,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=no,ecryptfs_enable_filename_crypto=no $certs_path $certs_path'
+ExecStop=/bin/sh -c 'certs_path=$$(awk '/base_cert_dir / {printf $$3}' /etc/octavia/amphora-agent.conf);umount $$certs_path;umount $$certs_path'
+RemainAfterExit=yes
+TimeoutSec=0
+
+[Install]
+# TODO(johnsom) Fix when amphora-agent has a systemd script
+WantedBy=multi-user.target
+

elements/cert-ramfs-ecrypt/init-scripts/sysv/cert-ramfs-ecrypt

@@ -0,0 +1,45 @@
+### BEGIN INIT INFO
+# Provides:          cert-ramfs-ecrypt
+# Required-Start:    $remote_fs $syslog $network cloud-config
+# Required-Stop:     $remote_fs $syslog $network
+# Default-Start:     2 3 4 5
+# Default-Stop:      0 1 6
+# Short-Description: Creates an encrypted ramfs for Octavia certs
+# Description:       Creates an encrypted ramfs for Octavia TLS
+#                    certificates and key storage.
+### END INIT INFO
+
+# Using the lsb functions to perform the operations.
+. /lib/lsb/init-functions
+# Process name ( For display )
+NAME=cert-ramfs-ecrypt
+
+case $1 in
+ start)
+  log_daemon_msg "Starting the process" "$NAME"
+  passphrase=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)
+  token=$(echo $passphrase | ecryptfs-add-passphrase | awk -F'[][]' '{printf $2}')
+
+  certs_path=$(awk '/base_cert_dir / {printf $3}' /etc/octavia/amphora-agent.conf)
+  mkdir -p $certs_path
+  mount -t ramfs -o size=1m ramfs $certs_path
+  mount -t ecryptfs -o key=passphrase:passphrase_passwd=$passphrase,no_sig_cache=yes,verbose=no,ecryptfs_sig=$token,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=no,ecryptfs_enable_filename_crypto=no $certs_path $certs_path
+  log_end_msg 0
+  ;;
+ stop)
+  log_daemon_msg "Stopping the process" "$NAME"
+  certs_path=$(awk '/base_cert_dir / {printf $3}' /etc/octavia/amphora-agent.conf)
+  umount $certs_path
+  umount $certs_path
+  log_end_msg 0
+  ;;
+ restart)
+  # Restart the daemon.
+  $0 stop && sleep 2 && $0 start
+  ;;
+ *)
+  # For invalid arguments, print the usage message.
+  echo "Usage: $0 {start|stop|restart|reload|status}"
+  exit 2
+  ;;
+esac

elements/cert-ramfs-ecrypt/init-scripts/upstart/cert-ramfs-ecrypt.conf

@@ -0,0 +1,19 @@
+description "Creates an encrypted ramfs for Octavia certs"
+
+start on started cloud-config
+stop on runlevel [!2345]
+
+pre-start script
+    passphrase=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)
+    token=$(echo $passphrase | ecryptfs-add-passphrase | awk -F'[][]' '{printf $2}')
+    certs_path=$(awk '/base_cert_dir / {printf $3}' /etc/octavia/amphora-agent.conf)
+    mkdir -p $certs_path
+    mount -t ramfs -o size=1m ramfs $certs_path
+    mount -t ecryptfs -o key=passphrase:passphrase_passwd=$passphrase,no_sig_cache=yes,verbose=no,ecryptfs_sig=$token,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=no,ecryptfs_enable_filename_crypto=no $certs_path $certs_path
+end script
+
+post-stop script
+    certs_path=$(awk '/base_cert_dir / {printf $3}' /etc/octavia/amphora-agent.conf)
+    umount $certs_path
+    umount $certs_path
+end script

elements/cert-ramfs-ecrypt/package-installs.yaml

@@ -0,0 +1,4 @@
+ecryptfs-utils:
+keyutils:
+libecryptfs0:
+libnss3-1d:

elements/cert-ramfs-ecrypt/svc-map

@@ -0,0 +1,2 @@
+cert-ramfs-ecrypt:
+  default: cert-ramfs-ecrypt

releasenotes/notes/cert-encrypted-ramfs-381ffe3d4a7392d7.yaml

@@ -0,0 +1,12 @@
+---
+upgrade:
+  - To enabled encrypted ramfs storage for certificates
+    and keys, you must upgrade your amphora image.
+deprecations:
+  - Amphora with a terminated HTTPS load balancer can
+    no longer be rebooted.  If they reboot, they will
+    trigger a failover of the amphora.
+security:
+  - Certificate and key storage for terminated HTTPS
+    load balancers is now in an encrypted ramfs path
+    inside the amphora.