From f85e617a8441def659ffa9a40dc6aca7a10f20cb Mon Sep 17 00:00:00 2001 From: Michael Johnson Date: Sun, 25 Sep 2016 01:40:23 +0000 Subject: [PATCH] Terminated HTTPS certs and keys in encrypted ramfs This patch adds an element that causes the terminated HTTPS certificates and keys to be stored in an encrypted ramfs path so they are encrypted at rest. Change-Id: Id0f80f311d37d5691087e855fb1291011451c851 Closes-Bug: #1627370 --- diskimage-create/diskimage-create.sh | 3 ++ elements/cert-ramfs-ecrypt/README.rst | 4 ++ elements/cert-ramfs-ecrypt/element-deps | 2 + .../systemd/cert-ramfs-ecrypt.service | 15 +++++++ .../init-scripts/sysv/cert-ramfs-ecrypt | 45 +++++++++++++++++++ .../upstart/cert-ramfs-ecrypt.conf | 19 ++++++++ .../cert-ramfs-ecrypt/package-installs.yaml | 4 ++ elements/cert-ramfs-ecrypt/svc-map | 2 + ...cert-encrypted-ramfs-381ffe3d4a7392d7.yaml | 12 +++++ 9 files changed, 106 insertions(+) create mode 100644 elements/cert-ramfs-ecrypt/README.rst create mode 100644 elements/cert-ramfs-ecrypt/element-deps create mode 100644 elements/cert-ramfs-ecrypt/init-scripts/systemd/cert-ramfs-ecrypt.service create mode 100644 elements/cert-ramfs-ecrypt/init-scripts/sysv/cert-ramfs-ecrypt create mode 100644 elements/cert-ramfs-ecrypt/init-scripts/upstart/cert-ramfs-ecrypt.conf create mode 100644 elements/cert-ramfs-ecrypt/package-installs.yaml create mode 100644 elements/cert-ramfs-ecrypt/svc-map create mode 100644 releasenotes/notes/cert-encrypted-ramfs-381ffe3d4a7392d7.yaml diff --git a/diskimage-create/diskimage-create.sh b/diskimage-create/diskimage-create.sh index 1bc680b98a..ddd8c4631e 100755 --- a/diskimage-create/diskimage-create.sh +++ b/diskimage-create/diskimage-create.sh 
@@ -357,6 +357,9 @@ fi # Add pip-cache element AMP_element_sequence="$AMP_element_sequence pip-cache" +# Add certificate ramfs ecrypt element +AMP_element_sequence="$AMP_element_sequence cert-ramfs-ecrypt" + # Allow full elements override if [ "$DIB_ELEMENTS" ]; then AMP_element_sequence="$DIB_ELEMENTS" diff --git a/elements/cert-ramfs-ecrypt/README.rst b/elements/cert-ramfs-ecrypt/README.rst new file mode 100644 index 0000000000..ee07dc50e4 --- /dev/null +++ b/elements/cert-ramfs-ecrypt/README.rst @@ -0,0 +1,4 @@ +Element to setup a ramfs with ecrypt to store the TLS certificates and keys. + +Enabling this element will mean that the amphroa can no longer recover from a +reboot. diff --git a/elements/cert-ramfs-ecrypt/element-deps b/elements/cert-ramfs-ecrypt/element-deps new file mode 100644 index 0000000000..be9833530d --- /dev/null +++ b/elements/cert-ramfs-ecrypt/element-deps @@ -0,0 +1,2 @@ +dib-init-system +package-installs diff --git a/elements/cert-ramfs-ecrypt/init-scripts/systemd/cert-ramfs-ecrypt.service b/elements/cert-ramfs-ecrypt/init-scripts/systemd/cert-ramfs-ecrypt.service new file mode 100644 index 0000000000..5bfb137130 --- /dev/null +++ b/elements/cert-ramfs-ecrypt/init-scripts/systemd/cert-ramfs-ecrypt.service 
@@ -0,0 +1,15 @@
+[unit]
+Description=Creates an encrypted ramfs for Octavia certs
+After=cloud-config.target
+
+[Service]
+Type=oneshot
+ExecStart=/bin/sh -c 'passphrase=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1);token=$(echo $passphrase | ecryptfs-add-passphrase | awk -F'[][]' '{printf $2}');certs_path=$$(awk '/base_cert_dir / {printf $$3}' /etc/octavia/amphora-agent.conf);mkdir -p $$certs_path;mount -t ramfs -o size=1m ramfs $$certs_path;mount -t ecryptfs -o key=passphrase:passphrase_passwd=$passphrase,no_sig_cache=yes,verbose=no,ecryptfs_sig=$token,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=no,ecryptfs_enable_filename_crypto=no $certs_path $certs_path'
+ExecStop=/bin/sh -c 'certs_path=$$(awk '/base_cert_dir / {printf $$3}' /etc/octavia/amphora-agent.conf);umount $$certs_path;umount $$certs_path'
+RemainAfterExit=yes
+TimeoutSec=0
+
+[Install]
+# TODO(johnsom) Fix when amphora-agent has a systemd script
+WantedBy=multi-user.target
+
diff --git a/elements/cert-ramfs-ecrypt/init-scripts/sysv/cert-ramfs-ecrypt b/elements/cert-ramfs-ecrypt/init-scripts/sysv/cert-ramfs-ecrypt
new file mode 100644
index 0000000000..4979176844
--- /dev/null
+++ b/elements/cert-ramfs-ecrypt/init-scripts/sysv/cert-ramfs-ecrypt
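Review bot: The section header on the first added line is `[unit]`, and systemd section names are case-sensitive, so `Description=` and `After=cloud-config.target` sit in an unknown section and are ignored; the unit then has no ordering against cloud-config, which the `After=` line presumably exists to ensure has written `/etc/octavia/amphora-agent.conf` before ExecStart reads it, so it should read `[Unit]`. The ExecStart commands are joined with `;`, so a failing `ecryptfs-add-passphrase` or ecryptfs mount does not fail the oneshot and the certificate directory is left as a plain ramfs (or a plain on-disk directory if the ramfs mount also failed) while the unit reports success — join the steps with `&&`, or run `/bin/sh -ec`, so the failure surfaces before anything is written there; the sysv hunk has the same gap because its `log_end_msg 0` is unconditional, whereas upstart runs its `script` blocks under `sh -e`. The line also mixes `$$certs_path` (systemd's escape for a literal `$`) with unescaped `$passphrase`, `$token` and `$(...)`, and nests single quotes inside the single-quoted `sh -c` argument; since systemd unquotes and `$`-expands ExecStart before the shell sees it, I doubt this reaches `sh` unchanged, and moving the body into a script file that ExecStart invokes removes the escaping problem entirely.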
@@ -0,0 +1,45 @@
+### BEGIN INIT INFO
+# Provides: cert-ramfs-ecrypt
+# Required-Start: $remote_fs $syslog $network cloud-config
+# Required-Stop: $remote_fs $syslog $network
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: Creates an encrypted ramfs for Octavia certs
+# Description: Creates an encrypted ramfs for Octavia TLS
+# certificates and key storage.
+### END INIT INFO
+ # Using the lsb functions to perform the operations.
+. /lib/lsb/init-functions
+# Process name ( For display )
+NAME=cert-ramfs-ecrypt
+ case $1 in
+ start)
+ log_daemon_msg "Starting the process" "$NAME"
+ passphrase=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)
+ token=$(echo $passphrase | ecryptfs-add-passphrase | awk -F'[][]' '{printf $2}')
+
+ certs_path=$(awk '/base_cert_dir / {printf $3}' /etc/octavia/amphora-agent.conf)
+ mkdir -p $certs_path
+ mount -t ramfs -o size=1m ramfs $certs_path
+ mount -t ecryptfs -o key=passphrase:passphrase_passwd=$passphrase,no_sig_cache=yes,verbose=no,ecryptfs_sig=$token,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=no,ecryptfs_enable_filename_crypto=no $certs_path $certs_path
+ log_end_msg 0
+ ;;
+ stop)
+ log_daemon_msg "Stopping the process" "$NAME"
+ certs_path=$(awk '/base_cert_dir / {printf $3}' /etc/octavia/amphora-agent.conf)
+ umount $certs_path
+ umount $certs_path
+ log_end_msg 0
+ ;;
+ restart)
+ # Restart the daemon.
+ $0 stop && sleep 2 && $0 start
+ ;;
+ *)
+ # For invalid arguments, print the usage message.
+ echo "Usage: $0 {start|stop|restart|reload|status}"
+ exit 2
+ ;;
+esac
diff --git a/elements/cert-ramfs-ecrypt/init-scripts/upstart/cert-ramfs-ecrypt.conf b/elements/cert-ramfs-ecrypt/init-scripts/upstart/cert-ramfs-ecrypt.conf
new file mode 100644
index 0000000000..2b72dd6b4d
--- /dev/null
+++ b/elements/cert-ramfs-ecrypt/init-scripts/upstart/cert-ramfs-ecrypt.conf
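Review bot: The passphrase is passed to `mount` on its command line as `passphrase_passwd=$passphrase`, where it is readable from the process list (`/proc/<pid>/cmdline`) by any local user while the mount helper runs and is captured by any command tracing; the systemd and upstart hunks carry the same line. `ecryptfs-add-passphrase` has already put the key into the kernel keyring and the script holds its signature in `$token`, so the passphrase need not appear again: mounting with `ecryptfs_sig=$token` plus the `ecryptfs_*` options only (the kernel looks the signature up in the keyring, which is how `mount.ecryptfs_private` works), or supplying it through `passphrase_passwd_fd=`, keeps it off argv. `log_end_msg 0` on both branches reports success regardless of what `mount` or `umount` returned, so a failed encrypted mount is invisible to the init system and the directory stays plaintext; `mount -t ecryptfs ... || { log_end_msg 1; exit 1; }` (with the preceding steps joined by `&&` or under `set -e`) reports the real outcome. The usage text advertises `reload|status`, which the case statement does not implement.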
@@ -0,0 +1,19 @@
+description "Creates an encrypted ramfs for Octavia certs"
+
+start on started cloud-config
+stop on runlevel [!2345]
+
+pre-start script
+ passphrase=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)
+ token=$(echo $passphrase | ecryptfs-add-passphrase | awk -F'[][]' '{printf $2}')
+ certs_path=$(awk '/base_cert_dir / {printf $3}' /etc/octavia/amphora-agent.conf)
+ mkdir -p $certs_path
+ mount -t ramfs -o size=1m ramfs $certs_path
+ mount -t ecryptfs -o key=passphrase:passphrase_passwd=$passphrase,no_sig_cache=yes,verbose=no,ecryptfs_sig=$token,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=no,ecryptfs_enable_filename_crypto=no $certs_path $certs_path
+end script
+
+post-stop script
+ certs_path=$(awk '/base_cert_dir / {printf $3}' /etc/octavia/amphora-agent.conf)
+ umount $certs_path
+ umount $certs_path
+end script
diff --git a/elements/cert-ramfs-ecrypt/package-installs.yaml b/elements/cert-ramfs-ecrypt/package-installs.yaml
new file mode 100644
index 0000000000..8004f22609
--- /dev/null
+++ b/elements/cert-ramfs-ecrypt/package-installs.yaml
@@ -0,0 +1,4 @@
+ecryptfs-utils:
+keyutils:
+libecryptfs0:
+libnss3-1d:
diff --git a/elements/cert-ramfs-ecrypt/svc-map b/elements/cert-ramfs-ecrypt/svc-map
new file mode 100644
index 0000000000..17e143a912
--- /dev/null
+++ b/elements/cert-ramfs-ecrypt/svc-map
@@ -0,0 +1,2 @@
+cert-ramfs-ecrypt:
+ default: cert-ramfs-ecrypt
diff --git a/releasenotes/notes/cert-encrypted-ramfs-381ffe3d4a7392d7.yaml b/releasenotes/notes/cert-encrypted-ramfs-381ffe3d4a7392d7.yaml
new file mode 100644
index 0000000000..51d2301f5b
--- /dev/null
+++ b/releasenotes/notes/cert-encrypted-ramfs-381ffe3d4a7392d7.yaml
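Review bot: `-o size=1m` on the `mount -t ramfs` line has no effect: ramfs does not account or cap its usage (`size=` is honoured by tmpfs), so the mount is unbounded and the option documents a limit that does not exist; either switch to tmpfs if a cap is wanted, or drop the option and add a comment such as `# ramfs: its pages are never written to swap`, which is presumably why ramfs was chosen over tmpfs. Upstart runs `script` blocks with `sh -e`, so a failing mount aborts this job, but an empty `certs_path` (config not yet written, or `base_cert_dir` absent) is caught only because `mkdir -p` rejects a missing operand; an explicit `[ -n "$certs_path" ] || exit 1` after the awk line states the precondition and gives a clear failure, and the same guard belongs in the sysv and systemd hunks. The `$certs_path` and `$passphrase` expansions should also be double-quoted.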
@@ -0,0 +1,12 @@
+---
+upgrade:
+ - To enabled encrypted ramfs storage for certificates
+ and keys, you must upgrade your amphora image.
+deprecations:
+ - Amphora with a terminated HTTPS load balancer can
+ no longer be rebooted. If they reboot, they will
+ trigger a failover of the amphora.
+security:
+ - Certificate and key storage for terminated HTTPS
+ load balancers is now in an encrypted ramfs path
+ inside the amphora.