Rename mount package to csi (#47)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
This commit is contained in:
parent
d06d403d1d
commit
4db837d7f9
@ -70,6 +70,6 @@ add_test(NAME unit-main COMMAND go test -race -count=3 ./... WORKING_DIRECTORY $
|
|||||||
add_test(NAME unit-hack COMMAND go test -race -count=3 ./... WORKING_DIRECTORY ${CMAKE_SOURCE_DIR}/hack)
|
add_test(NAME unit-hack COMMAND go test -race -count=3 ./... WORKING_DIRECTORY ${CMAKE_SOURCE_DIR}/hack)
|
||||||
add_test(NAME unit-node-operator COMMAND go test -race -count=3 ./... WORKING_DIRECTORY ${CMAKE_SOURCE_DIR}/operators/constellation-node-operator)
|
add_test(NAME unit-node-operator COMMAND go test -race -count=3 ./... WORKING_DIRECTORY ${CMAKE_SOURCE_DIR}/operators/constellation-node-operator)
|
||||||
add_test(NAME integration-node-operator COMMAND make test WORKING_DIRECTORY ${CMAKE_SOURCE_DIR}/operators/constellation-node-operator)
|
add_test(NAME integration-node-operator COMMAND make test WORKING_DIRECTORY ${CMAKE_SOURCE_DIR}/operators/constellation-node-operator)
|
||||||
add_test(NAME integration-mount COMMAND bash -c "go test -tags integration -c ./test/ && sudo ./test.test -test.v" WORKING_DIRECTORY ${CMAKE_SOURCE_DIR}/mount)
|
add_test(NAME integration-csi COMMAND bash -c "go test -tags integration -c ./test/ && sudo ./test.test -test.v" WORKING_DIRECTORY ${CMAKE_SOURCE_DIR}/csi)
|
||||||
add_test(NAME integration-dm COMMAND bash -c "go test -tags integration -c ./test/ && sudo ./test.test -test.v" WORKING_DIRECTORY ${CMAKE_SOURCE_DIR}/state/internal)
|
add_test(NAME integration-dm COMMAND bash -c "go test -tags integration -c ./test/ && sudo ./test.test -test.v" WORKING_DIRECTORY ${CMAKE_SOURCE_DIR}/state/internal)
|
||||||
add_test(NAME integration-license COMMAND bash -c "go test -tags integration" WORKING_DIRECTORY ${CMAKE_SOURCE_DIR}/internal/license)
|
add_test(NAME integration-license COMMAND bash -c "go test -tags integration" WORKING_DIRECTORY ${CMAKE_SOURCE_DIR}/internal/license)
|
||||||
|
@ -60,7 +60,7 @@ Core components:
|
|||||||
* [bootstrapper](bootstrapper): The bootstrapper is a node agent whose most important task is to bootstrap a node
|
* [bootstrapper](bootstrapper): The bootstrapper is a node agent whose most important task is to bootstrap a node
|
||||||
* [image](image): Build files for the Constellation disk image
|
* [image](image): Build files for the Constellation disk image
|
||||||
* [kms](kms): Constellation's key management client and server
|
* [kms](kms): Constellation's key management client and server
|
||||||
* [mount](mount): Package used by CSI plugins to create and mount encrypted block devices
|
* [csi](csi): Package used by CSI plugins to create and mount encrypted block devices
|
||||||
* [state](state): Contains the disk-mapper that maps the encrypted node data disk during boot
|
* [state](state): Contains the disk-mapper that maps the encrypted node data disk during boot
|
||||||
|
|
||||||
Development components:
|
Development components:
|
||||||
@ -77,8 +77,8 @@ Additional repositories:
|
|||||||
|
|
||||||
* [constellation-docs](https://github.com/edgelesssys/constellation-docs): End-user documentation
|
* [constellation-docs](https://github.com/edgelesssys/constellation-docs): End-user documentation
|
||||||
* [constellation-fedora-coreos-config](https://github.com/edgelesssys/constellation-fedora-coreos-config): CoreOS build configuration with changes for Constellation
|
* [constellation-fedora-coreos-config](https://github.com/edgelesssys/constellation-fedora-coreos-config): CoreOS build configuration with changes for Constellation
|
||||||
* [edg-azuredisk-csi-driver](https://github.com/edgelesssys/edg-azuredisk-csi-driver): Azure CSI driver with encryption on node
|
* [constellation-azuredisk-csi-driver](https://github.com/edgelesssys/constellation-azuredisk-csi-driver): Azure CSI driver with encryption on node
|
||||||
* [edg-gcp-compute-persistent-disk-csi-driver](https://github.com/edgelesssys/edg-gcp-compute-persistent-disk-csi-driver): GCP CSI driver with encryption on node
|
* [constellation-gcp-compute-persistent-disk-csi-driver](https://github.com/edgelesssys/constellation-gcp-compute-persistent-disk-csi-driver): GCP CSI driver with encryption on node
|
||||||
|
|
||||||
## Build
|
## Build
|
||||||
|
|
||||||
|
@ -87,7 +87,7 @@ You may want to start with one of the following sections.
|
|||||||
|
|
||||||
Refer to [`CONTRIBUTING.md`](CONTRIBUTING.md) on how to contribute. The most important points:
|
Refer to [`CONTRIBUTING.md`](CONTRIBUTING.md) on how to contribute. The most important points:
|
||||||
* Pull requests are welcome! You need to agree to our [Contributor License Agreement][cla-assistant].
|
* Pull requests are welcome! You need to agree to our [Contributor License Agreement][cla-assistant].
|
||||||
* Please follow the [Code of Conduct](/CODE_OF_CONDUCT.md).
|
* Please follow the [Code of Conduct](/CODE_OF_CONDUCT.md).
|
||||||
* ⚠️ To report a security issue, please write to security@edgeless.systems.
|
* ⚠️ To report a security issue, please write to security@edgeless.systems.
|
||||||
|
|
||||||
## License
|
## License
|
||||||
@ -117,4 +117,4 @@ The Constellation source code is licensed under the [GNU Affero General Public L
|
|||||||
[security-benefits]: https://docs.edgeless.systems/constellation/overview/security-benefits
|
[security-benefits]: https://docs.edgeless.systems/constellation/overview/security-benefits
|
||||||
[twitter]: https://twitter.com/EdgelessSystems
|
[twitter]: https://twitter.com/EdgelessSystems
|
||||||
[whitepaper]: https://content.edgeless.systems/hubfs/Confidential%20Computing%20Whitepaper.pdf
|
[whitepaper]: https://content.edgeless.systems/hubfs/Confidential%20Computing%20Whitepaper.pdf
|
||||||
[performance]: https://docs.edgeless.systems/constellation/overview/performance
|
[performance]: https://docs.edgeless.systems/constellation/overview/benchmarks
|
||||||
|
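--- /dev/null
+++ b/csi/README.md
@@ -0,0 +1,29 @@
+# Constellation CSI tools
+
+These packages are intended to be used by [Kubernetes CSI drivers](https://kubernetes.io/blog/2019/01/15/container-storage-interface-ga/) to enable transparent encryption of storage on the node.
+
+## Dependencies
+
+This package uses the C library [`libcryptsetup`](https://gitlab.com/cryptsetup/cryptsetup/) for device mapping and crypto operations.
+
+* Install on Ubuntu:
+
+```bash
+sudo apt install libcryptsetup12 libcryptsetup-dev
+```
+
+* Install on Fedora:
+
+```bash
+sudo dnf install cryptsetup-libs cryptsetup-devel
+```
+
+## Testing
+
+Running the integration test requires root privileges.
+Build and run the test:
+
+``` bash
+go test -c -tags=integration ./test/
+sudo ./test.test
+```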
@ -5,7 +5,6 @@ import (
|
|||||||
"errors"
|
"errors"
|
||||||
"testing"
|
"testing"
|
||||||
|
|
||||||
"github.com/edgelesssys/constellation/mount/kms"
|
|
||||||
cryptsetup "github.com/martinjungblut/go-cryptsetup"
|
cryptsetup "github.com/martinjungblut/go-cryptsetup"
|
||||||
"github.com/stretchr/testify/assert"
|
"github.com/stretchr/testify/assert"
|
||||||
"go.uber.org/goleak"
|
"go.uber.org/goleak"
|
||||||
@ -116,7 +115,7 @@ func TestCloseCryptDevice(t *testing.T) {
|
|||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
|
||||||
mapper := New(kms.NewStaticKMS(), &stubCryptDevice{})
|
mapper := New(&fakeKMS{}, &stubCryptDevice{})
|
||||||
err := mapper.CloseCryptDevice("volume01-unit-test")
|
err := mapper.CloseCryptDevice("volume01-unit-test")
|
||||||
assert.NoError(t, err)
|
assert.NoError(t, err)
|
||||||
}
|
}
|
||||||
@ -306,7 +305,7 @@ func TestOpenCryptDevice(t *testing.T) {
|
|||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
|
||||||
mapper := New(kms.NewStaticKMS(), &stubCryptDevice{})
|
mapper := New(&fakeKMS{}, &stubCryptDevice{})
|
||||||
_, err := mapper.OpenCryptDevice(context.Background(), "/dev/some-device", "volume01", false)
|
_, err := mapper.OpenCryptDevice(context.Background(), "/dev/some-device", "volume01", false)
|
||||||
assert.NoError(t, err)
|
assert.NoError(t, err)
|
||||||
}
|
}
|
||||||
@ -350,7 +349,7 @@ func TestResizeCryptDevice(t *testing.T) {
|
|||||||
assert := assert.New(t)
|
assert := assert.New(t)
|
||||||
|
|
||||||
mapper := &CryptMapper{
|
mapper := &CryptMapper{
|
||||||
kms: kms.NewStaticKMS(),
|
kms: &fakeKMS{},
|
||||||
mapper: tc.device,
|
mapper: tc.device,
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -452,3 +451,13 @@ func TestIsIntegrityFS(t *testing.T) {
|
|||||||
})
|
})
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
type fakeKMS struct{}
|
||||||
|
|
||||||
|
func (k *fakeKMS) GetDEK(ctx context.Context, dekID string, dekSize int) ([]byte, error) {
|
||||||
|
key := make([]byte, dekSize)
|
||||||
|
for i := range key {
|
||||||
|
key[i] = 0x41
|
||||||
|
}
|
||||||
|
return key, nil
|
||||||
|
}
|
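Review bot: `type fakeKMS struct{}` added at the end of this hunk has no doc comment, although it replaces the deleted staticKMS whose comments stated that it returns a constant key of 0x41 bytes and is for testing only; add `// fakeKMS is a test double whose GetDEK returns a key of dekSize 0x41 bytes for every request.` above the type. GetDEK ignores its ctx and dekID arguments, which is fine for a fake but worth a one-line comment so nobody reaches for it in a test that needs distinct keys per dekID. The same undocumented type is duplicated in the integration test file's last hunk (after TestDeviceCloning); the same comment applies there. Both files appear to be _test.go files, which keeps this fixed-key fake out of the importable package API, an improvement over the removed kms.NewStaticKMS.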
@ -9,8 +9,7 @@ import (
|
|||||||
"os/exec"
|
"os/exec"
|
||||||
"testing"
|
"testing"
|
||||||
|
|
||||||
"github.com/edgelesssys/constellation/mount/cryptmapper"
|
"github.com/edgelesssys/constellation/csi/cryptmapper"
|
||||||
"github.com/edgelesssys/constellation/mount/kms"
|
|
||||||
"github.com/stretchr/testify/assert"
|
"github.com/stretchr/testify/assert"
|
||||||
"github.com/stretchr/testify/require"
|
"github.com/stretchr/testify/require"
|
||||||
"go.uber.org/goleak"
|
"go.uber.org/goleak"
|
||||||
@ -55,8 +54,7 @@ func TestOpenAndClose(t *testing.T) {
|
|||||||
setup()
|
setup()
|
||||||
defer teardown(DevicePath)
|
defer teardown(DevicePath)
|
||||||
|
|
||||||
kms := kms.NewStaticKMS()
|
mapper := cryptmapper.New(&fakeKMS{}, &cryptmapper.CryptDevice{})
|
||||||
mapper := cryptmapper.New(kms, &cryptmapper.CryptDevice{})
|
|
||||||
|
|
||||||
newPath, err := mapper.OpenCryptDevice(context.Background(), DevicePath, DeviceName, false)
|
newPath, err := mapper.OpenCryptDevice(context.Background(), DevicePath, DeviceName, false)
|
||||||
require.NoError(err)
|
require.NoError(err)
|
||||||
@ -94,8 +92,7 @@ func TestOpenAndCloseIntegrity(t *testing.T) {
|
|||||||
setup()
|
setup()
|
||||||
defer teardown(DevicePath)
|
defer teardown(DevicePath)
|
||||||
|
|
||||||
kms := kms.NewStaticKMS()
|
mapper := cryptmapper.New(&fakeKMS{}, &cryptmapper.CryptDevice{})
|
||||||
mapper := cryptmapper.New(kms, &cryptmapper.CryptDevice{})
|
|
||||||
|
|
||||||
newPath, err := mapper.OpenCryptDevice(context.Background(), DevicePath, DeviceName, true)
|
newPath, err := mapper.OpenCryptDevice(context.Background(), DevicePath, DeviceName, true)
|
||||||
require.NoError(err)
|
require.NoError(err)
|
||||||
@ -149,6 +146,16 @@ func TestDeviceCloning(t *testing.T) {
|
|||||||
assert.NoError(mapper.CloseCryptDevice(DeviceName + "-copy"))
|
assert.NoError(mapper.CloseCryptDevice(DeviceName + "-copy"))
|
||||||
}
|
}
|
||||||
|
|
||||||
|
type fakeKMS struct{}
|
||||||
|
|
||||||
|
func (k *fakeKMS) GetDEK(ctx context.Context, dekID string, dekSize int) ([]byte, error) {
|
||||||
|
key := make([]byte, dekSize)
|
||||||
|
for i := range key {
|
||||||
|
key[i] = 0x41
|
||||||
|
}
|
||||||
|
return key, nil
|
||||||
|
}
|
||||||
|
|
||||||
type dynamicKMS struct{}
|
type dynamicKMS struct{}
|
||||||
|
|
||||||
func (k *dynamicKMS) GetDEK(ctx context.Context, dekID string, dekSize int) ([]byte, error) {
|
func (k *dynamicKMS) GetDEK(ctx context.Context, dekID string, dekSize int) ([]byte, error) {
|
@ -1,36 +0,0 @@
|
|||||||
# constellation-mount-utils
|
|
||||||
|
|
||||||
## Dependencies
|
|
||||||
|
|
||||||
This package uses the C library [`libcryptsetup`](https://gitlab.com/cryptsetup/cryptsetup/) for device mapping.
|
|
||||||
|
|
||||||
To install the required dependencies on Ubuntu run:
|
|
||||||
```shell
|
|
||||||
sudo apt install libcryptsetup-dev
|
|
||||||
```
|
|
||||||
|
|
||||||
|
|
||||||
## Testing
|
|
||||||
|
|
||||||
A small test program is available in `test/main.go`.
|
|
||||||
To build the program run:
|
|
||||||
```shell
|
|
||||||
go build -o test/crypt ./test/
|
|
||||||
```
|
|
||||||
|
|
||||||
Create a new crypt device for `/dev/sdX` and map it to `/dev/mapper/volume01`:
|
|
||||||
```shell
|
|
||||||
sudo test/crypt -source /dev/sdX -target volume01 -v 4
|
|
||||||
```
|
|
||||||
|
|
||||||
You can now interact with the mapped volume as if it was an unformatted device:
|
|
||||||
```shell
|
|
||||||
sudo mkfs.ext4 /dev/mapper/volume01
|
|
||||||
sudo mount /dev/mapper/volume01 /mnt/volume01
|
|
||||||
```
|
|
||||||
|
|
||||||
Close the mapped volume:
|
|
||||||
```shell
|
|
||||||
sudo umount /mnt/volume01
|
|
||||||
sudo test/crypt -c -target volume01 -v 4
|
|
||||||
```
|
|
@ -1,24 +0,0 @@
|
|||||||
package kms
|
|
||||||
|
|
||||||
import (
|
|
||||||
"context"
|
|
||||||
)
|
|
||||||
|
|
||||||
// staticKMS is a KMS only returning keys containing of 0x41 bytes for every request.
|
|
||||||
// Use for testing ONLY.
|
|
||||||
type staticKMS struct{}
|
|
||||||
|
|
||||||
// NewStaticKMS creates a new StaticKMS.
|
|
||||||
// Use for testing ONLY.
|
|
||||||
func NewStaticKMS() *staticKMS {
|
|
||||||
return &staticKMS{}
|
|
||||||
}
|
|
||||||
|
|
||||||
// GetDEK returns the key of staticKMS.
|
|
||||||
func (k *staticKMS) GetDEK(ctx context.Context, dekID string, dekSize int) ([]byte, error) {
|
|
||||||
key := make([]byte, dekSize)
|
|
||||||
for i := range key {
|
|
||||||
key[i] = 0x41
|
|
||||||
}
|
|
||||||
return key, nil
|
|
||||||
}
|
|
@ -1,43 +0,0 @@
|
|||||||
package main
|
|
||||||
|
|
||||||
import (
|
|
||||||
"context"
|
|
||||||
"flag"
|
|
||||||
"fmt"
|
|
||||||
"log"
|
|
||||||
|
|
||||||
"github.com/edgelesssys/constellation/mount/cryptmapper"
|
|
||||||
"github.com/edgelesssys/constellation/mount/kms"
|
|
||||||
)
|
|
||||||
|
|
||||||
var (
|
|
||||||
close = flag.Bool("c", false, "close the crypt device")
|
|
||||||
integrity = flag.Bool("integrity", false, "format the device with dm-integrity")
|
|
||||||
source = flag.String("source", "", "source volume")
|
|
||||||
volumeID = flag.String("target", "new_crypt_device", "mapped target")
|
|
||||||
)
|
|
||||||
|
|
||||||
func main() {
|
|
||||||
flag.Parse()
|
|
||||||
|
|
||||||
mapper := cryptmapper.New(
|
|
||||||
kms.NewStaticKMS(),
|
|
||||||
&cryptmapper.CryptDevice{},
|
|
||||||
)
|
|
||||||
|
|
||||||
if *close {
|
|
||||||
err := mapper.CloseCryptDevice(*volumeID)
|
|
||||||
if err != nil {
|
|
||||||
log.Fatal(err)
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
if *source == "" {
|
|
||||||
log.Fatal("missing require flag \"-source\"")
|
|
||||||
}
|
|
||||||
out, err := mapper.OpenCryptDevice(context.Background(), *source, *volumeID, *integrity)
|
|
||||||
if err != nil {
|
|
||||||
log.Fatal(err)
|
|
||||||
}
|
|
||||||
fmt.Printf("Crypt device activate as: %q\n", out)
|
|
||||||
}
|
|
||||||
}
|
|