From 4db837d7f997bf3eca6997685645913e23114bc7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20Wei=C3=9Fe?= <66256922+daniel-weisse@users.noreply.github.com>
Date: Mon, 5 Sep 2022 08:42:55 +0200
Subject: [PATCH] Rename mount package to csi (#47)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Daniel Weiße
---
 CMakeLists.txt | 2 +-
 CONTRIBUTING.md | 6 ++--
 README.md | 4 +-
 csi/README.md | 29 +++++++++++++
 {mount => csi}/cryptmapper/cryptmapper.go | 0
 .../cryptmapper/cryptmapper_test.go | 17 ++++++--
 {mount => csi}/kms/constellation.go | 0
 {mount => csi}/kms/constellation_test.go | 0
 {mount => csi}/test/mount_integration_test.go | 19 ++++++---
 mount/README.md | 36 ----------------
 mount/kms/static.go | 24 -----------
 mount/test/manual/main.go | 43 -------------------
 12 files changed, 61 insertions(+), 119 deletions(-)
 create mode 100644 csi/README.md
 rename {mount => csi}/cryptmapper/cryptmapper.go (100%)
 rename {mount => csi}/cryptmapper/cryptmapper_test.go (97%)
 rename {mount => csi}/kms/constellation.go (100%)
 rename {mount => csi}/kms/constellation_test.go (100%)
 rename {mount => csi}/test/mount_integration_test.go (91%)
 delete mode 100644 mount/README.md
 delete mode 100644 mount/kms/static.go
 delete mode 100644 mount/test/manual/main.go

diff --git a/CMakeLists.txt b/CMakeLists.txt
index 071f544f5..629185001 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -70,6 +70,6 @@ add_test(NAME unit-main COMMAND go test -race -count=3 ./... WORKING_DIRECTORY $
 add_test(NAME unit-hack COMMAND go test -race -count=3 ./... WORKING_DIRECTORY ${CMAKE_SOURCE_DIR}/hack)
 add_test(NAME unit-node-operator COMMAND go test -race -count=3 ./... WORKING_DIRECTORY ${CMAKE_SOURCE_DIR}/operators/constellation-node-operator)
 add_test(NAME integration-node-operator COMMAND make test WORKING_DIRECTORY ${CMAKE_SOURCE_DIR}/operators/constellation-node-operator)
-add_test(NAME integration-mount COMMAND bash -c "go test -tags integration -c ./test/ && sudo ./test.test -test.v" WORKING_DIRECTORY ${CMAKE_SOURCE_DIR}/mount)
+add_test(NAME integration-csi COMMAND bash -c "go test -tags integration -c ./test/ && sudo ./test.test -test.v" WORKING_DIRECTORY ${CMAKE_SOURCE_DIR}/csi)
 add_test(NAME integration-dm COMMAND bash -c "go test -tags integration -c ./test/ && sudo ./test.test -test.v" WORKING_DIRECTORY ${CMAKE_SOURCE_DIR}/state/internal)
 add_test(NAME integration-license COMMAND bash -c "go test -tags integration" WORKING_DIRECTORY ${CMAKE_SOURCE_DIR}/internal/license)
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index e127ba3a8..1ea6bc652 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -60,7 +60,7 @@ Core components:
 * [bootstrapper](bootstrapper): The bootstrapper is a node agent whose most important task is to bootstrap a node
 * [image](image): Build files for the Constellation disk image
 * [kms](kms): Constellation's key management client and server
-* [mount](mount): Package used by CSI plugins to create and mount encrypted block devices
+* [csi](csi): Package used by CSI plugins to create and mount encrypted block devices
 * [state](state): Contains the disk-mapper that maps the encrypted node data disk during boot
 
 Development components:
@@ -77,8 +77,8 @@ Additional repositories:
 
 * [constellation-docs](https://github.com/edgelesssys/constellation-docs): End-user documentation
 * [constellation-fedora-coreos-config](https://github.com/edgelesssys/constellation-fedora-coreos-config): CoreOS build configuration with changes for Constellation
-* [edg-azuredisk-csi-driver](https://github.com/edgelesssys/edg-azuredisk-csi-driver): Azure CSI driver with encryption on node
-* [edg-gcp-compute-persistent-disk-csi-driver](https://github.com/edgelesssys/edg-gcp-compute-persistent-disk-csi-driver): GCP CSI driver with encryption on node
+* [constellation-azuredisk-csi-driver](https://github.com/edgelesssys/constellation-azuredisk-csi-driver): Azure CSI driver with encryption on node
+* [constellation-gcp-compute-persistent-disk-csi-driver](https://github.com/edgelesssys/constellation-gcp-compute-persistent-disk-csi-driver): GCP CSI driver with encryption on node
 
 ## Build
 
diff --git a/README.md b/README.md
index be7590ba9..631fb08e0 100644
--- a/README.md
+++ b/README.md
@@ -87,7 +87,7 @@ You may want to start with one of the following sections.
 Refer to [`CONTRIBUTING.md`](CONTRIBUTING.md) on how to contribute. The most important points:
 
 * Pull requests are welcome! You need to agree to our [Contributor License Agreement][cla-assistant].
-* Please follow the [Code of Conduct](/CODE_OF_CONDUCT.md).
+* Please follow the [Code of Conduct](/CODE_OF_CONDUCT.md).
 * ⚠️ To report a security issue, please write to security@edgeless.systems.
 
 ## License
@@ -117,4 +117,4 @@ The Constellation source code is licensed under the [GNU Affero General Public L
 [security-benefits]: https://docs.edgeless.systems/constellation/overview/security-benefits
 [twitter]: https://twitter.com/EdgelessSystems
 [whitepaper]: https://content.edgeless.systems/hubfs/Confidential%20Computing%20Whitepaper.pdf
-[performance]: https://docs.edgeless.systems/constellation/overview/performance
\ No newline at end of file
+[performance]: https://docs.edgeless.systems/constellation/overview/benchmarks
diff --git a/csi/README.md b/csi/README.md
new file mode 100644
index 000000000..1e47a4c25
--- /dev/null
+++ b/csi/README.md
@@ -0,0 +1,29 @@
+# Constellation CSI tools
+
+These packages are intended to be used by [Kubernetes CSI drivers](https://kubernetes.io/blog/2019/01/15/container-storage-interface-ga/) to enable transparent encryption of storage on the node.
+
+## Dependencies
+
+This package uses the C library [`libcryptsetup`](https://gitlab.com/cryptsetup/cryptsetup/) for device mapping and crypto operations.
+
+* Install on Ubuntu:
+
+  ```bash
+  sudo apt install libcryptsetup12 libcryptsetup-dev
+  ```
+
+* Install on Fedora:
+
+  ```bash
+  sudo dnf install cryptsetup-libs cryptsetup-devel
+  ```
+
+## Testing
+
+Running the integration test requires root privileges.
+Build and run the test:
+
+``` bash
+go test -c -tags=integration ./test/
+sudo ./test.test
+```
diff --git a/mount/cryptmapper/cryptmapper.go b/csi/cryptmapper/cryptmapper.go
similarity index 100%
rename from mount/cryptmapper/cryptmapper.go
rename to csi/cryptmapper/cryptmapper.go
diff --git a/mount/cryptmapper/cryptmapper_test.go b/csi/cryptmapper/cryptmapper_test.go
similarity index 97%
rename from mount/cryptmapper/cryptmapper_test.go
rename to csi/cryptmapper/cryptmapper_test.go
index 0aed6ce6c..4f40ccc99 100644
--- a/mount/cryptmapper/cryptmapper_test.go
+++ b/csi/cryptmapper/cryptmapper_test.go
@@ -5,7 +5,6 @@ import (
 	"errors"
 	"testing"
 
-	"github.com/edgelesssys/constellation/mount/kms"
 	cryptsetup "github.com/martinjungblut/go-cryptsetup"
 	"github.com/stretchr/testify/assert"
 	"go.uber.org/goleak"
@@ -116,7 +115,7 @@ func TestCloseCryptDevice(t *testing.T) {
 		})
 	}
 
-	mapper := New(kms.NewStaticKMS(), &stubCryptDevice{})
+	mapper := New(&fakeKMS{}, &stubCryptDevice{})
 	err := mapper.CloseCryptDevice("volume01-unit-test")
 	assert.NoError(t, err)
 }
@@ -306,7 +305,7 @@ func TestOpenCryptDevice(t *testing.T) {
 		})
 	}
 
-	mapper := New(kms.NewStaticKMS(), &stubCryptDevice{})
+	mapper := New(&fakeKMS{}, &stubCryptDevice{})
 	_, err := mapper.OpenCryptDevice(context.Background(), "/dev/some-device", "volume01", false)
 	assert.NoError(t, err)
 }
@@ -350,7 +349,7 @@ func TestResizeCryptDevice(t *testing.T) {
 			assert := assert.New(t)
 
 			mapper := &CryptMapper{
-				kms:    kms.NewStaticKMS(),
+				kms:    &fakeKMS{},
 				mapper: tc.device,
 			}
 
@@ -452,3 +451,13 @@ func TestIsIntegrityFS(t *testing.T) {
 		})
 	}
 }
+
+type fakeKMS struct{}
+
+func (k *fakeKMS) GetDEK(ctx context.Context, dekID string, dekSize int) ([]byte, error) {
+	key := make([]byte, dekSize)
+	for i := range key {
+		key[i] = 0x41
+	}
+	return key, nil
+}
diff --git a/mount/kms/constellation.go b/csi/kms/constellation.go
similarity index 100%
rename from mount/kms/constellation.go
rename to csi/kms/constellation.go
diff --git a/mount/kms/constellation_test.go b/csi/kms/constellation_test.go
similarity index 100%
rename from mount/kms/constellation_test.go
rename to csi/kms/constellation_test.go
diff --git a/mount/test/mount_integration_test.go b/csi/test/mount_integration_test.go
similarity index 91%
rename from mount/test/mount_integration_test.go
rename to csi/test/mount_integration_test.go
index b81919e9e..39bc7489b 100644
--- a/mount/test/mount_integration_test.go
+++ b/csi/test/mount_integration_test.go
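Review bot: The `fakeKMS` type added at the end of the last hunk has no doc comment, while the `staticKMS` it replaces documented both that the key is a constant run of 0x41 bytes and that it is for testing only; a reader of this test file should not have to dig through history to learn that. I would put `// fakeKMS is a test double whose GetDEK returns a dekSize-byte key filled with 0x41 for every dekID; it must never back a real CryptMapper.` above the type. Keeping the fake private to each `_test.go` file rather than restoring a shared exported constructor is the right trade-off for the duplication, because it keeps a constant-key KMS out of the importable `kms` API where production code could wire it in by mistake. The unused `ctx` and `dekID` parameters are fine in a stub, though naming them `_` would make the intent explicit.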
@@ -9,8 +9,7 @@ import (
 	"os/exec"
 	"testing"
 
-	"github.com/edgelesssys/constellation/mount/cryptmapper"
-	"github.com/edgelesssys/constellation/mount/kms"
+	"github.com/edgelesssys/constellation/csi/cryptmapper"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"go.uber.org/goleak"
@@ -55,8 +54,7 @@ func TestOpenAndClose(t *testing.T) {
 	setup()
 	defer teardown(DevicePath)
 
-	kms := kms.NewStaticKMS()
-	mapper := cryptmapper.New(kms, &cryptmapper.CryptDevice{})
+	mapper := cryptmapper.New(&fakeKMS{}, &cryptmapper.CryptDevice{})
 	newPath, err := mapper.OpenCryptDevice(context.Background(), DevicePath, DeviceName, false)
 	require.NoError(err)
 
@@ -94,8 +92,7 @@ func TestOpenAndCloseIntegrity(t *testing.T) {
 	setup()
 	defer teardown(DevicePath)
 
-	kms := kms.NewStaticKMS()
-	mapper := cryptmapper.New(kms, &cryptmapper.CryptDevice{})
+	mapper := cryptmapper.New(&fakeKMS{}, &cryptmapper.CryptDevice{})
 	newPath, err := mapper.OpenCryptDevice(context.Background(), DevicePath, DeviceName, true)
 	require.NoError(err)
 
@@ -149,6 +146,16 @@ func TestDeviceCloning(t *testing.T) {
 	assert.NoError(mapper.CloseCryptDevice(DeviceName + "-copy"))
 }
 
+type fakeKMS struct{}
+
+func (k *fakeKMS) GetDEK(ctx context.Context, dekID string, dekSize int) ([]byte, error) {
+	key := make([]byte, dekSize)
+	for i := range key {
+		key[i] = 0x41
+	}
+	return key, nil
+}
+
 type dynamicKMS struct{}
 
 func (k *dynamicKMS) GetDEK(ctx context.Context, dekID string, dekSize int) ([]byte, error) {
diff --git a/mount/README.md b/mount/README.md
deleted file mode 100644
index be7a7a86d..000000000
--- a/mount/README.md
+++ /dev/null
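Review bot: The new `fakeKMS` in the last hunk is placed directly above `dynamicKMS`, both implementing the same `GetDEK` signature, with nothing telling a reader which double a test should reach for; `dynamicKMS`'s body begins on the hunk's final line and continues outside it, so I can only say from here that `fakeKMS` returns a constant 0x41-filled key. I would add `// fakeKMS returns the same dekSize-byte key filled with 0x41 for every dekID; it only exists so the integration tests can open a device without a real KMS.` above the type, and a one-line counterpart on `dynamicKMS` stating how its keys differ. Because this binary is built to run as root against a real device (`sudo ./test.test` in the CMake test line and the README), the comment also serves as a marker that the key material here is deliberately worthless and must not be copied into non-test code.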
@@ -1,36 +0,0 @@
-# constellation-mount-utils
-
-## Dependencies
-
-This package uses the C library [`libcryptsetup`](https://gitlab.com/cryptsetup/cryptsetup/) for device mapping.
-
-To install the required dependencies on Ubuntu run:
-```shell
-sudo apt install libcryptsetup-dev
-```
-
-
-## Testing
-
-A small test program is available in `test/main.go`.
-To build the program run:
-```shell
-go build -o test/crypt ./test/
-```
-
-Create a new crypt device for `/dev/sdX` and map it to `/dev/mapper/volume01`:
-```shell
-sudo test/crypt -source /dev/sdX -target volume01 -v 4
-```
-
-You can now interact with the mapped volume as if it was an unformatted device:
-```shell
-sudo mkfs.ext4 /dev/mapper/volume01
-sudo mount /dev/mapper/volume01 /mnt/volume01
-```
-
-Close the mapped volume:
-```shell
-sudo umount /mnt/volume01
-sudo test/crypt -c -target volume01 -v 4
-```
diff --git a/mount/kms/static.go b/mount/kms/static.go
deleted file mode 100644
index 3c705258e..000000000
--- a/mount/kms/static.go
+++ /dev/null
@@ -1,24 +0,0 @@
-package kms
-
-import (
-	"context"
-)
-
-// staticKMS is a KMS only returning keys containing of 0x41 bytes for every request.
-// Use for testing ONLY.
-type staticKMS struct{}
-
-// NewStaticKMS creates a new StaticKMS.
-// Use for testing ONLY.
-func NewStaticKMS() *staticKMS {
-	return &staticKMS{}
-}
-
-// GetDEK returns the key of staticKMS.
-func (k *staticKMS) GetDEK(ctx context.Context, dekID string, dekSize int) ([]byte, error) {
-	key := make([]byte, dekSize)
-	for i := range key {
-		key[i] = 0x41
-	}
-	return key, nil
-}
diff --git a/mount/test/manual/main.go b/mount/test/manual/main.go
deleted file mode 100644
index 7f105f770..000000000
--- a/mount/test/manual/main.go
+++ /dev/null
@@ -1,43 +0,0 @@
-package main
-
-import (
-	"context"
-	"flag"
-	"fmt"
-	"log"
-
-	"github.com/edgelesssys/constellation/mount/cryptmapper"
-	"github.com/edgelesssys/constellation/mount/kms"
-)
-
-var (
-	close = flag.Bool("c", false, "close the crypt device")
-	integrity = flag.Bool("integrity", false, "format the device with dm-integrity")
-	source = flag.String("source", "", "source volume")
-	volumeID = flag.String("target", "new_crypt_device", "mapped target")
-)
-
-func main() {
-	flag.Parse()
-
-	mapper := cryptmapper.New(
-		kms.NewStaticKMS(),
-		&cryptmapper.CryptDevice{},
-	)
-
-	if *close {
-		err := mapper.CloseCryptDevice(*volumeID)
-		if err != nil {
-			log.Fatal(err)
-		}
-	} else {
-		if *source == "" {
-			log.Fatal("missing require flag \"-source\"")
-		}
-		out, err := mapper.OpenCryptDevice(context.Background(), *source, *volumeID, *integrity)
-		if err != nil {
-			log.Fatal(err)
-		}
-		fmt.Printf("Crypt device activate as: %q\n", out)
-	}
-}