Rename mount package to csi (#47)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
parent
d06d403d1d
commit
4db837d7f9
@ -70,6 +70,6 @@ add_test(NAME unit-main COMMAND go test -race -count=3 ./... WORKING_DIRECTORY $
|
||||
add_test(NAME unit-hack COMMAND go test -race -count=3 ./... WORKING_DIRECTORY ${CMAKE_SOURCE_DIR}/hack)
|
||||
add_test(NAME unit-node-operator COMMAND go test -race -count=3 ./... WORKING_DIRECTORY ${CMAKE_SOURCE_DIR}/operators/constellation-node-operator)
|
||||
add_test(NAME integration-node-operator COMMAND make test WORKING_DIRECTORY ${CMAKE_SOURCE_DIR}/operators/constellation-node-operator)
|
||||
add_test(NAME integration-mount COMMAND bash -c "go test -tags integration -c ./test/ && sudo ./test.test -test.v" WORKING_DIRECTORY ${CMAKE_SOURCE_DIR}/mount)
|
||||
add_test(NAME integration-csi COMMAND bash -c "go test -tags integration -c ./test/ && sudo ./test.test -test.v" WORKING_DIRECTORY ${CMAKE_SOURCE_DIR}/csi)
|
||||
add_test(NAME integration-dm COMMAND bash -c "go test -tags integration -c ./test/ && sudo ./test.test -test.v" WORKING_DIRECTORY ${CMAKE_SOURCE_DIR}/state/internal)
|
||||
add_test(NAME integration-license COMMAND bash -c "go test -tags integration" WORKING_DIRECTORY ${CMAKE_SOURCE_DIR}/internal/license)
|
||||
|
@ -60,7 +60,7 @@ Core components:
|
||||
* [bootstrapper](bootstrapper): The bootstrapper is a node agent whose most important task is to bootstrap a node
|
||||
* [image](image): Build files for the Constellation disk image
|
||||
* [kms](kms): Constellation's key management client and server
|
||||
* [mount](mount): Package used by CSI plugins to create and mount encrypted block devices
|
||||
* [csi](csi): Package used by CSI plugins to create and mount encrypted block devices
|
||||
* [state](state): Contains the disk-mapper that maps the encrypted node data disk during boot
|
||||
|
||||
Development components:
|
||||
@ -77,8 +77,8 @@ Additional repositories:
|
||||
|
||||
* [constellation-docs](https://github.com/edgelesssys/constellation-docs): End-user documentation
|
||||
* [constellation-fedora-coreos-config](https://github.com/edgelesssys/constellation-fedora-coreos-config): CoreOS build configuration with changes for Constellation
|
||||
* [edg-azuredisk-csi-driver](https://github.com/edgelesssys/edg-azuredisk-csi-driver): Azure CSI driver with encryption on node
|
||||
* [edg-gcp-compute-persistent-disk-csi-driver](https://github.com/edgelesssys/edg-gcp-compute-persistent-disk-csi-driver): GCP CSI driver with encryption on node
|
||||
* [constellation-azuredisk-csi-driver](https://github.com/edgelesssys/constellation-azuredisk-csi-driver): Azure CSI driver with encryption on node
|
||||
* [constellation-gcp-compute-persistent-disk-csi-driver](https://github.com/edgelesssys/constellation-gcp-compute-persistent-disk-csi-driver): GCP CSI driver with encryption on node
|
||||
|
||||
## Build
|
||||
|
||||
|
@ -87,7 +87,7 @@ You may want to start with one of the following sections.
|
||||
|
||||
Refer to [`CONTRIBUTING.md`](CONTRIBUTING.md) on how to contribute. The most important points:
|
||||
* Pull requests are welcome! You need to agree to our [Contributor License Agreement][cla-assistant].
|
||||
* Please follow the [Code of Conduct](/CODE_OF_CONDUCT.md).
|
||||
* Please follow the [Code of Conduct](/CODE_OF_CONDUCT.md).
|
||||
* ⚠️ To report a security issue, please write to security@edgeless.systems.
|
||||
|
||||
## License
|
||||
@ -117,4 +117,4 @@ The Constellation source code is licensed under the [GNU Affero General Public L
|
||||
[security-benefits]: https://docs.edgeless.systems/constellation/overview/security-benefits
|
||||
[twitter]: https://twitter.com/EdgelessSystems
|
||||
[whitepaper]: https://content.edgeless.systems/hubfs/Confidential%20Computing%20Whitepaper.pdf
|
||||
[performance]: https://docs.edgeless.systems/constellation/overview/performance
|
||||
[performance]: https://docs.edgeless.systems/constellation/overview/benchmarks
|
||||
|
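--- a/csi/README.md
+++ b/csi/README.md
@@ -0,0 +1,29 @@
+# Constellation CSI tools
+
+These packages are intended to be used by [Kubernetes CSI drivers](https://kubernetes.io/blog/2019/01/15/container-storage-interface-ga/) to enable transparent encryption of storage on the node.
+
+## Dependencies
+
+This package uses the C library [`libcryptsetup`](https://gitlab.com/cryptsetup/cryptsetup/) for device mapping and crypto operations.
+
+* Install on Ubuntu:
+
+```bash
+sudo apt install libcryptsetup12 libcryptsetup-dev
+```
+
+* Install on Fedora:
+
+```bash
+sudo dnf install cryptsetup-libs cryptsetup-devel
+```
+
+## Testing
+
+Running the integration test requires root privileges.
+Build and run the test:
+
+``` bash
+go test -c -tags=integration ./test/
+sudo ./test.test
+```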
@ -5,7 +5,6 @@ import (
|
||||
"errors"
|
||||
"testing"
|
||||
|
||||
"github.com/edgelesssys/constellation/mount/kms"
|
||||
cryptsetup "github.com/martinjungblut/go-cryptsetup"
|
||||
"github.com/stretchr/testify/assert"
|
||||
"go.uber.org/goleak"
|
||||
@ -116,7 +115,7 @@ func TestCloseCryptDevice(t *testing.T) {
|
||||
})
|
||||
}
|
||||
|
||||
mapper := New(kms.NewStaticKMS(), &stubCryptDevice{})
|
||||
mapper := New(&fakeKMS{}, &stubCryptDevice{})
|
||||
err := mapper.CloseCryptDevice("volume01-unit-test")
|
||||
assert.NoError(t, err)
|
||||
}
|
||||
@ -306,7 +305,7 @@ func TestOpenCryptDevice(t *testing.T) {
|
||||
})
|
||||
}
|
||||
|
||||
mapper := New(kms.NewStaticKMS(), &stubCryptDevice{})
|
||||
mapper := New(&fakeKMS{}, &stubCryptDevice{})
|
||||
_, err := mapper.OpenCryptDevice(context.Background(), "/dev/some-device", "volume01", false)
|
||||
assert.NoError(t, err)
|
||||
}
|
||||
@ -350,7 +349,7 @@ func TestResizeCryptDevice(t *testing.T) {
|
||||
assert := assert.New(t)
|
||||
|
||||
mapper := &CryptMapper{
|
||||
kms: kms.NewStaticKMS(),
|
||||
kms: &fakeKMS{},
|
||||
mapper: tc.device,
|
||||
}
|
||||
|
||||
@ -452,3 +451,13 @@ func TestIsIntegrityFS(t *testing.T) {
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
type fakeKMS struct{}
|
||||
|
||||
func (k *fakeKMS) GetDEK(ctx context.Context, dekID string, dekSize int) ([]byte, error) {
|
||||
key := make([]byte, dekSize)
|
||||
for i := range key {
|
||||
key[i] = 0x41
|
||||
}
|
||||
return key, nil
|
||||
}
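Review bot: The new `fakeKMS` type at the end of the hunk has no doc comment, while the `staticKMS` it replaces carried an explicit "Use for testing ONLY" warning; since its `GetDEK` hands back an all-0x41 key and ignores both `ctx` and `dekID`, that warning is worth keeping next to the type. Suggested comment: `// fakeKMS is a test double whose GetDEK returns a constant key of dekSize 0x41 bytes and ignores ctx and dekID; it must never be used outside tests.` Moving the static-key KMS out of the importable `mount/kms` package into this file is itself an improvement, because the constant key no longer ships in non-test builds — assuming this file is compiled only under `go test`, which its `Test*` functions and `testing` import suggest.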
|
@ -9,8 +9,7 @@ import (
|
||||
"os/exec"
|
||||
"testing"
|
||||
|
||||
"github.com/edgelesssys/constellation/mount/cryptmapper"
|
||||
"github.com/edgelesssys/constellation/mount/kms"
|
||||
"github.com/edgelesssys/constellation/csi/cryptmapper"
|
||||
"github.com/stretchr/testify/assert"
|
||||
"github.com/stretchr/testify/require"
|
||||
"go.uber.org/goleak"
|
||||
@ -55,8 +54,7 @@ func TestOpenAndClose(t *testing.T) {
|
||||
setup()
|
||||
defer teardown(DevicePath)
|
||||
|
||||
kms := kms.NewStaticKMS()
|
||||
mapper := cryptmapper.New(kms, &cryptmapper.CryptDevice{})
|
||||
mapper := cryptmapper.New(&fakeKMS{}, &cryptmapper.CryptDevice{})
|
||||
|
||||
newPath, err := mapper.OpenCryptDevice(context.Background(), DevicePath, DeviceName, false)
|
||||
require.NoError(err)
|
||||
@ -94,8 +92,7 @@ func TestOpenAndCloseIntegrity(t *testing.T) {
|
||||
setup()
|
||||
defer teardown(DevicePath)
|
||||
|
||||
kms := kms.NewStaticKMS()
|
||||
mapper := cryptmapper.New(kms, &cryptmapper.CryptDevice{})
|
||||
mapper := cryptmapper.New(&fakeKMS{}, &cryptmapper.CryptDevice{})
|
||||
|
||||
newPath, err := mapper.OpenCryptDevice(context.Background(), DevicePath, DeviceName, true)
|
||||
require.NoError(err)
|
||||
@ -149,6 +146,16 @@ func TestDeviceCloning(t *testing.T) {
|
||||
assert.NoError(mapper.CloseCryptDevice(DeviceName + "-copy"))
|
||||
}
|
||||
|
||||
type fakeKMS struct{}
|
||||
|
||||
func (k *fakeKMS) GetDEK(ctx context.Context, dekID string, dekSize int) ([]byte, error) {
|
||||
key := make([]byte, dekSize)
|
||||
for i := range key {
|
||||
key[i] = 0x41
|
||||
}
|
||||
return key, nil
|
||||
}
|
||||
|
||||
type dynamicKMS struct{}
|
||||
|
||||
func (k *dynamicKMS) GetDEK(ctx context.Context, dekID string, dekSize int) ([]byte, error) {
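Review bot: The `fakeKMS` added in the last hunk is a byte-for-byte copy of the one added to the cryptmapper unit tests, and neither copy records that the constant 0x41 key is a deliberate non-secret. Keeping it in `_test.go` files rather than a shared importable package is the right call, since it keeps the static key out of non-test builds, but that reasoning should be written down so nobody later "deduplicates" it back into a package: `// fakeKMS returns a constant all-0x41 key for integration tests only; intentionally duplicated across _test.go files so that no importable package exposes a static key.` `dynamicKMS.GetDEK` starts on the hunk's last line and its body lies outside the hunk, so it is not reviewed here.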
|
@ -1,36 +0,0 @@
|
||||
# constellation-mount-utils
|
||||
|
||||
## Dependencies
|
||||
|
||||
This package uses the C library [`libcryptsetup`](https://gitlab.com/cryptsetup/cryptsetup/) for device mapping.
|
||||
|
||||
To install the required dependencies on Ubuntu run:
|
||||
```shell
|
||||
sudo apt install libcryptsetup-dev
|
||||
```
|
||||
|
||||
|
||||
## Testing
|
||||
|
||||
A small test program is available in `test/main.go`.
|
||||
To build the program run:
|
||||
```shell
|
||||
go build -o test/crypt ./test/
|
||||
```
|
||||
|
||||
Create a new crypt device for `/dev/sdX` and map it to `/dev/mapper/volume01`:
|
||||
```shell
|
||||
sudo test/crypt -source /dev/sdX -target volume01 -v 4
|
||||
```
|
||||
|
||||
You can now interact with the mapped volume as if it was an unformatted device:
|
||||
```shell
|
||||
sudo mkfs.ext4 /dev/mapper/volume01
|
||||
sudo mount /dev/mapper/volume01 /mnt/volume01
|
||||
```
|
||||
|
||||
Close the mapped volume:
|
||||
```shell
|
||||
sudo umount /mnt/volume01
|
||||
sudo test/crypt -c -target volume01 -v 4
|
||||
```
|
@ -1,24 +0,0 @@
|
||||
package kms
|
||||
|
||||
import (
|
||||
"context"
|
||||
)
|
||||
|
||||
// staticKMS is a KMS only returning keys containing of 0x41 bytes for every request.
|
||||
// Use for testing ONLY.
|
||||
type staticKMS struct{}
|
||||
|
||||
// NewStaticKMS creates a new StaticKMS.
|
||||
// Use for testing ONLY.
|
||||
func NewStaticKMS() *staticKMS {
|
||||
return &staticKMS{}
|
||||
}
|
||||
|
||||
// GetDEK returns the key of staticKMS.
|
||||
func (k *staticKMS) GetDEK(ctx context.Context, dekID string, dekSize int) ([]byte, error) {
|
||||
key := make([]byte, dekSize)
|
||||
for i := range key {
|
||||
key[i] = 0x41
|
||||
}
|
||||
return key, nil
|
||||
}
|
@ -1,43 +0,0 @@
|
||||
package main
|
||||
|
||||
import (
|
||||
"context"
|
||||
"flag"
|
||||
"fmt"
|
||||
"log"
|
||||
|
||||
"github.com/edgelesssys/constellation/mount/cryptmapper"
|
||||
"github.com/edgelesssys/constellation/mount/kms"
|
||||
)
|
||||
|
||||
var (
|
||||
close = flag.Bool("c", false, "close the crypt device")
|
||||
integrity = flag.Bool("integrity", false, "format the device with dm-integrity")
|
||||
source = flag.String("source", "", "source volume")
|
||||
volumeID = flag.String("target", "new_crypt_device", "mapped target")
|
||||
)
|
||||
|
||||
func main() {
|
||||
flag.Parse()
|
||||
|
||||
mapper := cryptmapper.New(
|
||||
kms.NewStaticKMS(),
|
||||
&cryptmapper.CryptDevice{},
|
||||
)
|
||||
|
||||
if *close {
|
||||
err := mapper.CloseCryptDevice(*volumeID)
|
||||
if err != nil {
|
||||
log.Fatal(err)
|
||||
}
|
||||
} else {
|
||||
if *source == "" {
|
||||
log.Fatal("missing require flag \"-source\"")
|
||||
}
|
||||
out, err := mapper.OpenCryptDevice(context.Background(), *source, *volumeID, *integrity)
|
||||
if err != nil {
|
||||
log.Fatal(err)
|
||||
}
|
||||
fmt.Printf("Crypt device activate as: %q\n", out)
|
||||
}
|
||||
}
|