Rename mount package to csi (#47)

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
This commit is contained in:
Daniel Weiße 2022-09-05 08:42:55 +02:00 committed by GitHub
parent d06d403d1d
commit 4db837d7f9
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
12 changed files with 61 additions and 119 deletions


@ -70,6 +70,6 @@ add_test(NAME unit-main COMMAND go test -race -count=3 ./... WORKING_DIRECTORY $
add_test(NAME unit-hack COMMAND go test -race -count=3 ./... WORKING_DIRECTORY ${CMAKE_SOURCE_DIR}/hack) add_test(NAME unit-hack COMMAND go test -race -count=3 ./... WORKING_DIRECTORY ${CMAKE_SOURCE_DIR}/hack)
add_test(NAME unit-node-operator COMMAND go test -race -count=3 ./... WORKING_DIRECTORY ${CMAKE_SOURCE_DIR}/operators/constellation-node-operator) add_test(NAME unit-node-operator COMMAND go test -race -count=3 ./... WORKING_DIRECTORY ${CMAKE_SOURCE_DIR}/operators/constellation-node-operator)
add_test(NAME integration-node-operator COMMAND make test WORKING_DIRECTORY ${CMAKE_SOURCE_DIR}/operators/constellation-node-operator) add_test(NAME integration-node-operator COMMAND make test WORKING_DIRECTORY ${CMAKE_SOURCE_DIR}/operators/constellation-node-operator)
add_test(NAME integration-mount COMMAND bash -c "go test -tags integration -c ./test/ && sudo ./test.test -test.v" WORKING_DIRECTORY ${CMAKE_SOURCE_DIR}/mount) add_test(NAME integration-csi COMMAND bash -c "go test -tags integration -c ./test/ && sudo ./test.test -test.v" WORKING_DIRECTORY ${CMAKE_SOURCE_DIR}/csi)
add_test(NAME integration-dm COMMAND bash -c "go test -tags integration -c ./test/ && sudo ./test.test -test.v" WORKING_DIRECTORY ${CMAKE_SOURCE_DIR}/state/internal) add_test(NAME integration-dm COMMAND bash -c "go test -tags integration -c ./test/ && sudo ./test.test -test.v" WORKING_DIRECTORY ${CMAKE_SOURCE_DIR}/state/internal)
add_test(NAME integration-license COMMAND bash -c "go test -tags integration" WORKING_DIRECTORY ${CMAKE_SOURCE_DIR}/internal/license) add_test(NAME integration-license COMMAND bash -c "go test -tags integration" WORKING_DIRECTORY ${CMAKE_SOURCE_DIR}/internal/license)


@ -60,7 +60,7 @@ Core components:
* [bootstrapper](bootstrapper): The bootstrapper is a node agent whose most important task is to bootstrap a node * [bootstrapper](bootstrapper): The bootstrapper is a node agent whose most important task is to bootstrap a node
* [image](image): Build files for the Constellation disk image * [image](image): Build files for the Constellation disk image
* [kms](kms): Constellation's key management client and server * [kms](kms): Constellation's key management client and server
* [mount](mount): Package used by CSI plugins to create and mount encrypted block devices * [csi](csi): Package used by CSI plugins to create and mount encrypted block devices
* [state](state): Contains the disk-mapper that maps the encrypted node data disk during boot * [state](state): Contains the disk-mapper that maps the encrypted node data disk during boot
Development components: Development components:
@ -77,8 +77,8 @@ Additional repositories:
* [constellation-docs](https://github.com/edgelesssys/constellation-docs): End-user documentation * [constellation-docs](https://github.com/edgelesssys/constellation-docs): End-user documentation
* [constellation-fedora-coreos-config](https://github.com/edgelesssys/constellation-fedora-coreos-config): CoreOS build configuration with changes for Constellation * [constellation-fedora-coreos-config](https://github.com/edgelesssys/constellation-fedora-coreos-config): CoreOS build configuration with changes for Constellation
* [edg-azuredisk-csi-driver](https://github.com/edgelesssys/edg-azuredisk-csi-driver): Azure CSI driver with encryption on node * [constellation-azuredisk-csi-driver](https://github.com/edgelesssys/constellation-azuredisk-csi-driver): Azure CSI driver with encryption on node
* [edg-gcp-compute-persistent-disk-csi-driver](https://github.com/edgelesssys/edg-gcp-compute-persistent-disk-csi-driver): GCP CSI driver with encryption on node * [constellation-gcp-compute-persistent-disk-csi-driver](https://github.com/edgelesssys/constellation-gcp-compute-persistent-disk-csi-driver): GCP CSI driver with encryption on node
## Build ## Build


@ -87,7 +87,7 @@ You may want to start with one of the following sections.
Refer to [`CONTRIBUTING.md`](CONTRIBUTING.md) on how to contribute. The most important points: Refer to [`CONTRIBUTING.md`](CONTRIBUTING.md) on how to contribute. The most important points:
* Pull requests are welcome! You need to agree to our [Contributor License Agreement][cla-assistant]. * Pull requests are welcome! You need to agree to our [Contributor License Agreement][cla-assistant].
* Please follow the [Code of Conduct](/CODE_OF_CONDUCT.md). * Please follow the [Code of Conduct](/CODE_OF_CONDUCT.md).
* ⚠️ To report a security issue, please write to security@edgeless.systems. * ⚠️ To report a security issue, please write to security@edgeless.systems.
## License ## License
@ -117,4 +117,4 @@ The Constellation source code is licensed under the [GNU Affero General Public L
[security-benefits]: https://docs.edgeless.systems/constellation/overview/security-benefits [security-benefits]: https://docs.edgeless.systems/constellation/overview/security-benefits
[twitter]: https://twitter.com/EdgelessSystems [twitter]: https://twitter.com/EdgelessSystems
[whitepaper]: https://content.edgeless.systems/hubfs/Confidential%20Computing%20Whitepaper.pdf [whitepaper]: https://content.edgeless.systems/hubfs/Confidential%20Computing%20Whitepaper.pdf
[performance]: https://docs.edgeless.systems/constellation/overview/performance [performance]: https://docs.edgeless.systems/constellation/overview/benchmarks

29
csi/README.md Normal file

@ -0,0 +1,29 @@
# Constellation CSI tools
These packages are intended to be used by [Kubernetes CSI drivers](https://kubernetes.io/blog/2019/01/15/container-storage-interface-ga/) to enable transparent encryption of storage on the node.
## Dependencies
This package uses the C library [`libcryptsetup`](https://gitlab.com/cryptsetup/cryptsetup/) for device mapping and crypto operations.
* Install on Ubuntu:
```bash
sudo apt install libcryptsetup12 libcryptsetup-dev
```
* Install on Fedora:
```bash
sudo dnf install cryptsetup-libs cryptsetup-devel
```
## Testing
Running the integration test requires root privileges.
Build and run the test:
``` bash
go test -c -tags=integration ./test/
sudo ./test.test
```


@ -5,7 +5,6 @@ import (
"errors" "errors"
"testing" "testing"
"github.com/edgelesssys/constellation/mount/kms"
cryptsetup "github.com/martinjungblut/go-cryptsetup" cryptsetup "github.com/martinjungblut/go-cryptsetup"
"github.com/stretchr/testify/assert" "github.com/stretchr/testify/assert"
"go.uber.org/goleak" "go.uber.org/goleak"
@ -116,7 +115,7 @@ func TestCloseCryptDevice(t *testing.T) {
}) })
} }
mapper := New(kms.NewStaticKMS(), &stubCryptDevice{}) mapper := New(&fakeKMS{}, &stubCryptDevice{})
err := mapper.CloseCryptDevice("volume01-unit-test") err := mapper.CloseCryptDevice("volume01-unit-test")
assert.NoError(t, err) assert.NoError(t, err)
} }
@ -306,7 +305,7 @@ func TestOpenCryptDevice(t *testing.T) {
}) })
} }
mapper := New(kms.NewStaticKMS(), &stubCryptDevice{}) mapper := New(&fakeKMS{}, &stubCryptDevice{})
_, err := mapper.OpenCryptDevice(context.Background(), "/dev/some-device", "volume01", false) _, err := mapper.OpenCryptDevice(context.Background(), "/dev/some-device", "volume01", false)
assert.NoError(t, err) assert.NoError(t, err)
} }
@ -350,7 +349,7 @@ func TestResizeCryptDevice(t *testing.T) {
assert := assert.New(t) assert := assert.New(t)
mapper := &CryptMapper{ mapper := &CryptMapper{
kms: kms.NewStaticKMS(), kms: &fakeKMS{},
mapper: tc.device, mapper: tc.device,
} }
@ -452,3 +451,13 @@ func TestIsIntegrityFS(t *testing.T) {
}) })
} }
} }
type fakeKMS struct{}
func (k *fakeKMS) GetDEK(ctx context.Context, dekID string, dekSize int) ([]byte, error) {
key := make([]byte, dekSize)
for i := range key {
key[i] = 0x41
}
return key, nil
}
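Review bot: fakeKMS at the end of this hunk drops the documentation the removed staticKMS carried, so nothing tells a reader that the key is a fixed run of 0x41 bytes independent of dekID and ctx; add `// fakeKMS is a test-only KMS that returns a constant key of 0x41 bytes for every dekID.` above the type. The ignored inputs should also be explicit in the signature, `func (k *fakeKMS) GetDEK(_ context.Context, _ string, dekSize int) ([]byte, error) {`. The identical type and body are added again in the integration test file (the hunk ending at the dynamicKMS declaration); since both live in _test.go files of different packages neither can import the other, so keep the two copies byte-identical and documented the same way. Moving the constant-key KMS out of an importable package into test files is the right direction and is not re-raised here.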


@ -9,8 +9,7 @@ import (
"os/exec" "os/exec"
"testing" "testing"
"github.com/edgelesssys/constellation/mount/cryptmapper" "github.com/edgelesssys/constellation/csi/cryptmapper"
"github.com/edgelesssys/constellation/mount/kms"
"github.com/stretchr/testify/assert" "github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require" "github.com/stretchr/testify/require"
"go.uber.org/goleak" "go.uber.org/goleak"
@ -55,8 +54,7 @@ func TestOpenAndClose(t *testing.T) {
setup() setup()
defer teardown(DevicePath) defer teardown(DevicePath)
kms := kms.NewStaticKMS() mapper := cryptmapper.New(&fakeKMS{}, &cryptmapper.CryptDevice{})
mapper := cryptmapper.New(kms, &cryptmapper.CryptDevice{})
newPath, err := mapper.OpenCryptDevice(context.Background(), DevicePath, DeviceName, false) newPath, err := mapper.OpenCryptDevice(context.Background(), DevicePath, DeviceName, false)
require.NoError(err) require.NoError(err)
@ -94,8 +92,7 @@ func TestOpenAndCloseIntegrity(t *testing.T) {
setup() setup()
defer teardown(DevicePath) defer teardown(DevicePath)
kms := kms.NewStaticKMS() mapper := cryptmapper.New(&fakeKMS{}, &cryptmapper.CryptDevice{})
mapper := cryptmapper.New(kms, &cryptmapper.CryptDevice{})
newPath, err := mapper.OpenCryptDevice(context.Background(), DevicePath, DeviceName, true) newPath, err := mapper.OpenCryptDevice(context.Background(), DevicePath, DeviceName, true)
require.NoError(err) require.NoError(err)
@ -149,6 +146,16 @@ func TestDeviceCloning(t *testing.T) {
assert.NoError(mapper.CloseCryptDevice(DeviceName + "-copy")) assert.NoError(mapper.CloseCryptDevice(DeviceName + "-copy"))
} }
type fakeKMS struct{}
func (k *fakeKMS) GetDEK(ctx context.Context, dekID string, dekSize int) ([]byte, error) {
key := make([]byte, dekSize)
for i := range key {
key[i] = 0x41
}
return key, nil
}
type dynamicKMS struct{} type dynamicKMS struct{}
func (k *dynamicKMS) GetDEK(ctx context.Context, dekID string, dekSize int) ([]byte, error) { func (k *dynamicKMS) GetDEK(ctx context.Context, dekID string, dekSize int) ([]byte, error) {
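Review bot: fakeKMS is inserted directly above dynamicKMS with no comment saying how the two differ; from the names alone a reader cannot tell that fakeKMS returns the same all-0x41 key for every dekID, while dynamicKMS presumably varies it (its body is outside the hunk). Add `// fakeKMS returns a fixed all-0x41 key for every dekID; use dynamicKMS when a test needs distinct keys per volume.` above the type, and mark the unused parameters as `_` in GetDEK so the fixed-key behaviour is visible in the signature. The enclosing file continues past the hunk.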


@ -1,36 +0,0 @@
# constellation-mount-utils
## Dependencies
This package uses the C library [`libcryptsetup`](https://gitlab.com/cryptsetup/cryptsetup/) for device mapping.
To install the required dependencies on Ubuntu run:
```shell
sudo apt install libcryptsetup-dev
```
## Testing
A small test program is available in `test/main.go`.
To build the program run:
```shell
go build -o test/crypt ./test/
```
Create a new crypt device for `/dev/sdX` and map it to `/dev/mapper/volume01`:
```shell
sudo test/crypt -source /dev/sdX -target volume01 -v 4
```
You can now interact with the mapped volume as if it was an unformatted device:
```shell
sudo mkfs.ext4 /dev/mapper/volume01
sudo mount /dev/mapper/volume01 /mnt/volume01
```
Close the mapped volume:
```shell
sudo umount /mnt/volume01
sudo test/crypt -c -target volume01 -v 4
```


@ -1,24 +0,0 @@
package kms
import (
"context"
)
// staticKMS is a KMS only returning keys containing of 0x41 bytes for every request.
// Use for testing ONLY.
type staticKMS struct{}
// NewStaticKMS creates a new StaticKMS.
// Use for testing ONLY.
func NewStaticKMS() *staticKMS {
return &staticKMS{}
}
// GetDEK returns the key of staticKMS.
func (k *staticKMS) GetDEK(ctx context.Context, dekID string, dekSize int) ([]byte, error) {
key := make([]byte, dekSize)
for i := range key {
key[i] = 0x41
}
return key, nil
}


@ -1,43 +0,0 @@
package main
import (
"context"
"flag"
"fmt"
"log"
"github.com/edgelesssys/constellation/mount/cryptmapper"
"github.com/edgelesssys/constellation/mount/kms"
)
var (
close = flag.Bool("c", false, "close the crypt device")
integrity = flag.Bool("integrity", false, "format the device with dm-integrity")
source = flag.String("source", "", "source volume")
volumeID = flag.String("target", "new_crypt_device", "mapped target")
)
func main() {
flag.Parse()
mapper := cryptmapper.New(
kms.NewStaticKMS(),
&cryptmapper.CryptDevice{},
)
if *close {
err := mapper.CloseCryptDevice(*volumeID)
if err != nil {
log.Fatal(err)
}
} else {
if *source == "" {
log.Fatal("missing require flag \"-source\"")
}
out, err := mapper.OpenCryptDevice(context.Background(), *source, *volumeID, *integrity)
if err != nil {
log.Fatal(err)
}
fmt.Printf("Crypt device activate as: %q\n", out)
}
}