arver 0.1.8 → 0.1.9

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b11992d186276bbaa51cef0eb4b05f51cc74ee1e0668dffb7f81122d8674e764
-  data.tar.gz: 686b2e04289e64f90ac0064d2464ee3d5e7b6b29507cced0b51343b59033b9b7
+  metadata.gz: eeb29f1cdc8ba4b8fd5a05791fe282f1a016440253f0b3591c95e30f573343f5
+  data.tar.gz: d41505b368abe1d3aa20c3fdf0ed13c3e382aadeb18e9b000778f156279dce0d
 SHA512:
-  metadata.gz: 8e8b53c4598c0ee397aa3fb47fabf697c906386fa1c0d6f6eacd01dec2fa118c4edff2c2fe68b97068aaf0f71e8975b42604730c1866e4e03a8668732c170478
-  data.tar.gz: b499b9154521c7d98f327487b964d77022ac98e278ba43139b14526d09bf3f48c757691b03c2a53d43fb2624ecd90aae25c9794be0e505402f1c7e598ef401f7
+  metadata.gz: f63236b680841a83333b3fce1c6a6c379e0a35820554f016821f1aff3998011c844655a883cd5f0514481b20618490aec95d005f320cfa57472b9f95585c73ff
+  data.tar.gz: 5734e53e093a97465751ae5e9cd95cee18f9565337ea94208f7eea9448c7a32f79b53aa1f92a8e82f0ac4a88127ca13fd91ca6e9838f5b7aaa284a4b05ea8e91

data/CHANGELOG.textile

@@ -1,3 +1,7 @@
+=== 0.1.9 2022-01-29
+
+* Add a new --open-systemd to support opening disks at startup. This mode is compatible with systemd-ask-password which is used to open disks in the initrd.
+
 === 0.1.7 2018-09-01
 
 * Updated gems to work with 2.5.1

data/lib/arver/cli.rb

@@ -59,6 +59,8 @@ module Arver
         opts.separator "Actions:"
         opts.on_tail( "-o TARGET", "--open TARGET", String,
                 "Open target." ) { |arg| options[:argument][:target] = arg; options[:action] = :open; }
+        opts.on_tail( "--systemd-open TARGET", String,
+                "Open target during boot via systemd-asskpasswd." ) { |arg| options[:argument][:target] = arg; options[:action] = :systemd_open; }
         opts.on_tail( "-c TARGET", "--close TARGET", String,
                 "Close target." ) { |arg| options[:argument][:target] = arg; options[:action] = :close; }
         opts.on_tail( "--create TARGET", String,
@@ -118,6 +120,7 @@ module Arver
         :gc => Arver::GCAction,
         :create => Arver::CreateAction,
         :open => Arver::OpenAction,
+        :systemd_open => Arver::SystemdOpenAction,
         :close => Arver::CloseAction,
         :adduser => Arver::AdduserAction,
         :deluser => Arver::DeluserAction,

data/lib/arver/command_wrapper.rb

@@ -1,8 +1,7 @@
 module Arver
   class CommandWrapper
-
     attr_accessor :command, :arguments_array, :return_value, :output
-  
+
     def self.create( cmd, args = [] )
       c = CommandWrapper.new
       c.command= cmd
@@ -10,8 +9,12 @@ module Arver
       c
     end
 
-    # copy from shellwords.rb
     def shellescape(str)
+      CommandWrapper.shellescape(str)
+    end
+
+    # copy from shellwords.rb
+    def self.shellescape(str)
       str = str.to_s
 
       # An empty argument will be skipped, so return empty quotes.

data/lib/arver/host.rb

@@ -2,7 +2,7 @@ module Arver
   class Host
     
     attr_accessor :port, :username
-    attr_writer :address
+    attr_writer :address, :boot_address
     
     include Arver::PartitionHierarchyNode
     include Arver::NodeWithScriptHooks
@@ -25,6 +25,11 @@ module Arver
       self.name
     end
 
+    def boot_address
+      return @boot_address unless @boot_address.nil?
+      address
+    end
+
     def port
       return @port unless @port.nil?
       '22'
@@ -44,6 +49,7 @@ module Arver
     def to_yaml
       yaml = ""
       yaml += "'address': '"+@address+"'\n" unless @address.nil?
+      yaml += "'boot_address': '"+@boot_address+"'\n" unless @boot_address.nil?
       yaml += "'port': '"+@port+"'\n" unless @port.nil?
       yaml += "'username': '"+@username+"'\n" unless @username.nil?
       yaml += script_hooks_to_yaml
@@ -61,6 +67,10 @@ module Arver
           self.address = data
           next
         end
+        if( name == "boot_address" )
+          self.boot_address = data
+          next
+        end
         if( name == "username" )
           self.username= data
           next

data/lib/arver/ssh_command_wrapper.rb

@@ -1,20 +1,29 @@
 module Arver
   class SSHCommandWrapper < CommandWrapper
-    
-    attr_accessor :host, :user, :port, :as_root
-    
-    def self.create( cmd, args, host, as_root = false )
+    attr_accessor :host, :user, :port, :as_root, :on_boot
+
+    def self.create( cmd, args, host, as_root = false, on_boot = false)
       c = SSHCommandWrapper.new
       c.host= host
       c.as_root= as_root
       c.command= cmd
       c.arguments_array= args
+      c.on_boot = on_boot
       c
     end
-    
+
     def escaped_command
-      sudo = if as_root && host.username != "root" then "sudo" else "" end
-      "ssh -p #{shellescape(host.port)} #{shellescape(host.username)}@#{shellescape(host.address)} #{sudo} #{super}" 
+      addr = (on_boot ? host.boot_address : nil) || host.address
+      user = on_boot ? 'root' : host.username
+      port = on_boot ? '22' : host.port
+      sudo = if as_root && on_boot && host.username != "root" then "sudo" else "" end
+      "ssh -p #{shellescape(port)} #{shellescape(user)}@#{shellescape(addr)} #{sudo} #{super}" 
+    end
+
+    def self.is_system_running?(partition)
+      wr = Arver::SSHCommandWrapper.create("systemctl", ["is-system-running"], partition.parent, true, true)
+      wr.execute
+      wr.success? && !['initializing','starting'].include?(wr.output.chomp)
     end
   end
 end

data/lib/arver/systemd_open_action.rb

@@ -0,0 +1,83 @@
+require 'tmpdir'
+
+module Arver
+  class SystemdOpenAction < Action
+    def initialize( target_list )
+      super( target_list )
+      self.open_keystore
+    end
+
+    def verify?( partition )
+      if(Arver::SSHCommandWrapper.is_system_running?(partition))
+        Arver::Log.error( "#{partition.parent.name} already up. Use normal open, skipping." )
+        return false
+      end
+      return false unless load_key( partition )
+      true
+    end
+
+    def get_socket(host, partid)
+      # Check which partitions are waiting for a password
+      # see https://www.freedesktop.org/wiki/Software/systemd/PasswordAgents/
+      files_exec = Arver::SSHCommandWrapper.create("ls", ["/run/systemd/ask-password/ask.*"], host, true, true)
+      files_exec.execute
+      files = files_exec.output.split("\n")
+
+      # Find the socket for the partition we want to open
+      files.each do |f|
+        f_exec = Arver::SSHCommandWrapper.create("cat", [f], host, true, true)
+        f_exec.execute
+        ask_file = f_exec.output
+        if ask_file =~ /#{partid}/
+          ask_file =~ /Socket=(.*)/
+          return $1
+        end
+      end
+      nil
+    end
+
+    def execute_partition( partition )
+      Arver::Log.info( "opening: "+partition.path )
+      socket = nil
+      partid = nil
+      host = partition.parent
+
+      # Find the uuid of this partition
+      partid_exec = Arver::SSHCommandWrapper.create("blkid", ["/dev/#{partition.device}"], host, true, true)
+      partid_exec.execute
+      partid = partid_exec.output.chomp.gsub(/.* UUID=\"([^"]+)\" .*/,'\1')
+      unless partid =~ /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/
+        puts "Could not get uuid of disk"
+        throw( :abort_action )
+      end
+
+      socket = get_socket(host, partid)
+      if socket.nil?
+        puts "Disk is not waiting to be opened"
+        throw( :abort_action )
+      end
+
+      # Upload password-agent binary and supply password to the correct socket
+      binary = File.join(ROOT_DIR, "vendor", "password-agent")
+      unless File.exists?(binary)
+        puts "This gem is missing the native password-agent binary"
+        throw( :abort_action )
+      end
+      # This is an epic hack to have a binary with exec permission
+      # initrd does not have chmod, so we copy an existing binary and override it
+      r = Arver::SSHCommandWrapper.create("cp", ["/bin/true", "/run/password-agent"], host, true, true).execute
+      r = Arver::SSHCommandWrapper.create("cat", ["- > /run/password-agent"], host, true, true)
+      r.execute(File.read(binary))
+      unless r.success?
+        puts "Could not upload password-agent"
+        throw( :abort_action )
+      end
+
+      # Pass password
+      a = Arver::SSHCommandWrapper.create("/run/password-agent", [socket], host, true, true)
+      a.execute(key)
+
+      # Cannot check if it worked, since if it did, the server rebooted
+    end
+  end
+end

data/lib/arver/version.rb

@@ -1,3 +1,3 @@
 module Arver
-  VERSION = '0.1.8'
+  VERSION = '0.1.9'
 end

data/lib/arver.rb

@@ -2,5 +2,6 @@
 $:.unshift(File.dirname(__FILE__)) unless
   $:.include?(File.dirname(__FILE__)) || $:.include?(File.expand_path(File.dirname(__FILE__)))
  
-%w{ gpg_key_manager luks_wrapper action initial_config_action refresh_action create_action list_action gc_action adduser_action deluser_action info_action close_action open_action target_list command_wrapper ssh_command_wrapper log_levels io_logger log string bootstrap local_config config test_config_loader node_with_script_hooks partition_hierarchy_node host hostgroup tree partition test_partition key_generator key_saver keystore runtime_config key_info_action dump_key_action }.each {|f| require "arver/#{f}" }
+%w{ gpg_key_manager luks_wrapper action initial_config_action refresh_action create_action list_action gc_action adduser_action deluser_action info_action close_action open_action systemd_open_action target_list command_wrapper ssh_command_wrapper log_levels io_logger log string bootstrap local_config config test_config_loader node_with_script_hooks partition_hierarchy_node host hostgroup tree partition test_partition key_generator key_saver keystore runtime_config key_info_action dump_key_action }.each {|f| require "arver/#{f}" }
 
+ROOT_DIR = File.expand_path('../..',__FILE__)

data/man/arver.5

@@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "ARVER" "5" "August 2012" "" ""
+.TH "ARVER" "5" "January 2022" "" ""
 .
 .SH "NAME"
 \fBarver\fR \- LUKS on the loose
@@ -46,6 +46,10 @@ Creates LUKS partitions for \fBarver\fR on all targeted disks\.
 Opens all targeted disks\.
 .
 .TP
+\fB\-\-systemd\-open TARGET\fR
+Same as above, but supplying password to systemd ask\-password, used during system startup\.
+.
+.TP
 \fB\-\-close TARGET\fR
 Closes all targeted disks\.
 .
@@ -327,6 +331,22 @@ Those scripts have to be present at the actual host\.
 .P
 If you don\'t have a key for any of the disks that you wish to open it will be skipped (along with its script hooks)\.
 .
+.P
+Arver can also open a disk that is waiting for a password by systemd\-ask\-password\. Typically this is happening during startup of a physical system, e\.g\., within the initrd\. For that there is a special mode called:
+.
+.IP "" 4
+.
+.nf
+
+$ arver \-\-systemd\-open TARGET
+.
+.fi
+.
+.IP "" 0
+.
+.P
+Note, due to the provided api by systemd, there is unfortunately no indication if the command suceeded\. Typically unlocking the last pending disk automatically continues booting the server\. In case the inird ssh has a differen hostname or address than the acutal system, there is an optional \fBboot_address\fR config in the disks configuration, to override the default one\. This mode expects ssh to be on port 22 and user root\.
+.
 .SH "Action Close"
 Closing luks devices is simply done by invoking
 .

metadata

@@ -1,16 +1,16 @@
 --- !ruby/object:Gem::Specification
 name: arver
 version: !ruby/object:Gem::Version
-  version: 0.1.8
+  version: 0.1.9
 platform: ruby
 authors:
 - o
 - andreas
 - mh
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-03-02 00:00:00.000000000 Z
+date: 2022-01-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: gpgme
@@ -128,16 +128,18 @@ files:
 - lib/arver/runtime_config.rb
 - lib/arver/ssh_command_wrapper.rb
 - lib/arver/string.rb
+- lib/arver/systemd_open_action.rb
 - lib/arver/target_list.rb
 - lib/arver/test_config_loader.rb
 - lib/arver/test_partition.rb
 - lib/arver/tree.rb
 - lib/arver/version.rb
 - man/arver.5
+- vendor/password-agent
 homepage: https://code.immerda.ch/immerda/apps/arver
 licenses: []
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -152,8 +154,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: 1.3.6
 requirements: []
-rubygems_version: 3.0.6
-signing_key: 
+rubygems_version: 3.1.2
+signing_key:
 specification_version: 4
 summary: LUKS for groups
 test_files: []