Debian Bug report logs - #639105
please consider adding support for lvm-snapshot on crypted LV


Package: schroot; Maintainer for schroot is Christoph Biedl <debian.axhn@manchmal.in-ulm.de>; Source for schroot is src:schroot.

Reported by: Marc Haber <mh+debian-bugs@zugschlus.de>

Date: Wed, 24 Aug 2011 06:54:02 UTC

Severity: wishlist

Found in version schroot/1.4.23-1



Report forwarded to debian-bugs-dist@lists.debian.org, Debian buildd-tools Developers <buildd-tools-devel@lists.alioth.debian.org>:
Bug#639105; Package schroot. (Wed, 24 Aug 2011 06:54:05 GMT)


Acknowledgement sent to Marc Haber <mh+debian-bugs@zugschlus.de>:
New Bug report received and forwarded. Copy sent to Debian buildd-tools Developers <buildd-tools-devel@lists.alioth.debian.org>. (Wed, 24 Aug 2011 06:54:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Marc Haber <mh+debian-bugs@zugschlus.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: please consider adding support for lvm-snapshot on crypted LV
Date: Wed, 24 Aug 2011 08:52:01 +0200
Package: schroot
Version: 1.4.23-1
Severity: wishlist

Hi,

this is admittedly an exotic use case, and I would perfectly understand
a wontfix tag on this. However, I would like to document the use case
to make clear that it exists.

Contrary to Debian's normal setup, I create my file systems on an
encrypted LV on an unencrypted PV (Debian creates file systems on an LV
on an encrypted PV by default). This allows me to keep LVs with really
sensitive information locked until they're actually needed, but needs
support in every script that handles LVs and Snapshots. schroot is one
of these scripts.

To avoid having build chroots unencrypted, the lvm-snapshot method
would need to have the possibility to

(1) take the snapshot from a different volume name than the one being
    actually mounted
(2) unlock the snapshot LV using information from /etc/crypttab
(3) mount the device that was created during step (2)
(4) do steps (1) to (3) in reverse when the snapshot is being removed

Please consider adding this in a future version of schroot.

Encrypted build chroots may be important in settings where an schroot
installation is being used on a machine in untrusted housing to make
it harder to trojan the build system.

In the meantime, I'll use a VM on an encrypted volume which is an
acceptable workaround for me. It's, however, a waste of resources.

Greetings
Marc


-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.0.1-zgws1 (SMP w/6 CPU cores; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages schroot depends on:
ii  libboost-filesystem1.46.1   1.46.1-7     filesystem operations (portable pa
ii  libboost-program-options1.4 1.46.1-7     program options library for C++
ii  libboost-regex1.46.1        1.46.1-7     regular expression library for C++
ii  libboost-system1.46.1       1.46.1-7     Operating system (e.g. diagnostics
ii  libc6                       2.13-17      Embedded GNU C Library: Shared lib
ii  libgcc1                     1:4.6.1-7    GCC support library
ii  liblockdev1                 1.0.3-1.4+b1 Run-time shared library for lockin
ii  libpam0g                    1.1.3-2      Pluggable Authentication Modules l
ii  libstdc++6                  4.6.1-7      GNU Standard C++ Library v3
ii  libuuid1                    2.19.1-5     Universally Unique ID library
ii  schroot-common              1.4.23-1     common files for schroot

schroot recommends no packages.

Versions of packages schroot suggests:
pn  aufs-modules | unionfs-modul <none>      (no description available)
pn  btrfs-tools                  <none>      (no description available)
ii  debootstrap                  1.0.36      Bootstrap a basic Debian system
ii  lvm2                         2.02.84-3.1 The Linux Logical Volume Manager
ii  unzip                        6.0-5       De-archiver for .zip files

-- no debconf information




Information forwarded to debian-bugs-dist@lists.debian.org, Debian buildd-tools Developers <buildd-tools-devel@lists.alioth.debian.org>:
Bug#639105; Package schroot. (Wed, 24 Aug 2011 09:36:03 GMT)


Acknowledgement sent to Roger Leigh <rleigh@codelibre.net>:
Extra info received and forwarded to list. Copy sent to Debian buildd-tools Developers <buildd-tools-devel@lists.alioth.debian.org>. (Wed, 24 Aug 2011 09:36:07 GMT)


Message #10 received at 639105@bugs.debian.org:

From: Roger Leigh <rleigh@codelibre.net>
To: Marc Haber <mh+debian-bugs@zugschlus.de>, 639105@bugs.debian.org
Subject: Re: [buildd-tools-devel] Bug#639105: please consider adding support for lvm-snapshot on crypted LV
Date: Wed, 24 Aug 2011 10:32:24 +0100
On Wed, Aug 24, 2011 at 08:52:01AM +0200, Marc Haber wrote:
> Contrary to Debian's normal setup, I create my file systems on an
> encrypted LV on an unencrypted PV (Debian creates file systems on an LV
> on an encrypted PV by default). This allows me to keep LVs with really
> sensitive information locked until they're actually needed, but needs
> support in every script that handles LVs and Snapshots. schroot is one
> of these scripts.
> 
> To avoid having build chroots unencrypted, the lvm-snapshot method
> would need to have the possibility to
> 
> (1) take the snapshot from a different volume name than the one being
>     actually mounted
> (2) unlock the snapshot LV using information from /etc/crypttab
> (3) mount the device that was created during step (2)
> (4) do steps (1) to (3) in reverse when the snapshot is being removed
> 
> Please consider adding this in a future version of schroot.

I'll be happy to add this to schroot.  Currently the 05lvm setup
script is simply doing an lvcreate when creating and lvremove
when removing a session, respectively.  Could you please provide
an example of the commands you would need to run to do this for
an encrypted PV/LV (I guess we should support both; is the PV
method more transparent)?  We can then add these to the 05lvm
setup script.  Bearing in mind the information the updated
05lvm setup script would require, would we need to add any
new configuration keys to the configuration file for
lvm-snapshot chroots?


Thanks,
Roger

-- 
  .''`.  Roger Leigh
 : :' :  Debian GNU/Linux             http://people.debian.org/~rleigh/
 `. `'   Printing on GNU/Linux?       http://gutenprint.sourceforge.net/
   `-    GPG Public Key: 0x25BFB848   Please GPG sign your mail.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian buildd-tools Developers <buildd-tools-devel@lists.alioth.debian.org>:
Bug#639105; Package schroot. (Sat, 12 May 2012 23:33:06 GMT)


Acknowledgement sent to Marc Haber <mh+debian-bugs@zugschlus.de>:
Extra info received and forwarded to list. Copy sent to Debian buildd-tools Developers <buildd-tools-devel@lists.alioth.debian.org>. (Sat, 12 May 2012 23:33:06 GMT)


Message #15 received at 639105@bugs.debian.org:

From: Marc Haber <mh+debian-bugs@zugschlus.de>
To: Roger Leigh <rleigh@codelibre.net>
Cc: 639105@bugs.debian.org
Subject: Re: [buildd-tools-devel] Bug#639105: please consider adding support for lvm-snapshot on crypted LV
Date: Sun, 13 May 2012 01:30:06 +0200
Hi Roger,

sorry for not getting back to you any sooner.

On Wed, Aug 24, 2011 at 10:32:24AM +0100, Roger Leigh wrote:
> I'll be happy to add this to schroot.  Currently the 05lvm setup
> script is simply doing an lvcreate when creating and lvremove
> when removing a session, respectively.  Could you please provide
> an example of the commands you would need to run to do this for
> an encrypted PV/LV (I guess we should support both; is the PV
> method more transparent)?

Encrypted PV will work with current schroot setup, you can just take a
snapshot from the LV and directly use it.

Encrypted LV is a little bit harder.

I would suggest configuration like:

[sid_build64]
type=crypted-lvm-snapshot
device=/dev/salida/c_sid_build64
mapping-name=sid_build64
script-config=zg2-build/config
description=sid amd64 for building packages
users=mh
source-users=mh
personality=linux
lvm-snapshot-options=-L 4G

You could also auto-generate the mapping-name for the unlocked volume.
That way, things would just work without a new configuration key.
Optionally, you could implement this inside the normal lvm-snapshot
type by trying cryptsetup isLuks <device> which will indicate whether
the device is encrypted or not.

To enable this chroot, you would need:

lvcreate --snapshot <lvm-snapshot-options> --name <mapping-name> <device>
cryptdisks_start <mapping-name>
mount /dev/mapper/<mapping-name> <mountpoint>

This would need the crypttab line for <device> to be repeated for
<mapping-name>, and the cryptdisks_start call will probably go
interactive, querying the user for the passphrase.

This is horribly untested.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 31958061
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 31958062
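
The setup sequence from the message above and its reverse for teardown, as an added dry-run sketch (not part of the original mail and not schroot's own 05lvm script). The function names, the origin's crypttab target name and the mountpoint are assumptions; the script only prints commands and a derived crypttab line.

```shell
#!/bin/sh
# Added sketch, not schroot's 05lvm script: a dry-run planner that only
# prints the commands for a snapshot of an encrypted LV.

# Conservative name check before a value reaches root-run commands.
valid_name() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9_.+-]*) return 1 ;;
    esac
}

# crypttab_clone_line CRYPTTAB ORIGIN_DEVICE MAPPING_NAME
# Repeat the origin LV's crypttab entry for the snapshot: same key file
# and options, new target name and source device.
crypttab_clone_line() {
    awk -v dev="$2" -v tgt="$3" -v snap="$(dirname "$2")/$3" '
        $2 == dev { print tgt, snap, $3, $4; found = 1; exit }
        END { if (!found) exit 1 }' "$1"
}

# plan_setup ORIGIN_DEVICE MAPPING_NAME MOUNTPOINT SNAPSHOT_OPTIONS
plan_setup() {
    valid_name "$2" || return 1
    echo "lvcreate --snapshot $4 --name $2 $1"
    echo "cryptdisks_start $2"
    echo "mount /dev/mapper/$2 $3"
}

# plan_teardown ORIGIN_DEVICE MAPPING_NAME MOUNTPOINT (setup reversed)
plan_teardown() {
    valid_name "$2" || return 1
    echo "umount $3"
    echo "cryptdisks_stop $2"
    echo "lvremove -f $(dirname "$1")/$2"
}

# Demo on a constructed crypttab; the origin target name is made up.
demo_tab=$(mktemp)
echo 'c_sid_build64 /dev/salida/c_sid_build64 none luks' > "$demo_tab"
crypttab_clone_line "$demo_tab" /dev/salida/c_sid_build64 sid_build64
plan_setup /dev/salida/c_sid_build64 sid_build64 /mnt/sid_build64 '-L 4G'
plan_teardown /dev/salida/c_sid_build64 sid_build64 /mnt/sid_build64
rm -f "$demo_tab"
```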




Information forwarded to debian-bugs-dist@lists.debian.org, Debian buildd-tools Developers <buildd-tools-devel@lists.alioth.debian.org>:
Bug#639105; Package schroot. (Sun, 13 May 2012 00:15:06 GMT)


Acknowledgement sent to Roger Leigh <rleigh@codelibre.net>:
Extra info received and forwarded to list. Copy sent to Debian buildd-tools Developers <buildd-tools-devel@lists.alioth.debian.org>. (Sun, 13 May 2012 00:15:06 GMT)


Message #20 received at 639105@bugs.debian.org:

From: Roger Leigh <rleigh@codelibre.net>
To: Marc Haber <mh+debian-bugs@zugschlus.de>
Cc: 639105@bugs.debian.org
Subject: Re: [buildd-tools-devel] Bug#639105: please consider adding support for lvm-snapshot on crypted LV
Date: Sun, 13 May 2012 01:12:34 +0100
On Sun, May 13, 2012 at 01:30:06AM +0200, Marc Haber wrote:
> Hi Roger,
> 
> sorry for not getting back to you any sooner.

Please don't worry--after finishing my PhD and starting a new job,
this weekend is the first time I've had to really get into schroot
development, so the timing is perfect!

> On Wed, Aug 24, 2011 at 10:32:24AM +0100, Roger Leigh wrote:
> > I'll be happy to add this to schroot.  Currently the 05lvm setup
> > script is simply doing an lvcreate when creating and lvremove
> > when removing a session, respectively.  Could you please provide
> > an example of the commands you would need to run to do this for
> > an encrypted PV/LV (I guess we should support both; is the PV
> > method more transparent)?
> 
> Encrypted PV will work with current schroot setup, you can just take a
> snapshot from the LV and directly use it.
> 
> Encrypted LV is a little bit harder.
> 
> I would suggest configuration like:
> 
> [sid_build64]
> type=crypted-lvm-snapshot
> device=/dev/salida/c_sid_build64
> mapping-name=sid_build64
> script-config=zg2-build/config
> description=sid amd64 for building packages
> users=mh
> source-users=mh
> personality=linux
> lvm-snapshot-options=-L 4G
> 
> You could also auto-generate the mapping-name for the unlocked volume.
> That way, things would just work without a new configuration key.
> Optionally, you could implement this inside the normal lvm-snapshot
> type by trying cryptsetup isLuks <device> which will indicate whether
> the device is encrypted or not.
> 
> To enable this chroot, you would need:
> 
> lvcreate --snapshot <lvm-snapshot-options> --name <mapping-name> <device>
> cryptdisks_start <mapping-name>
> mount /dev/mapper/<mapping-name> <mountpoint>
> 
> This would need the crypttab line for <device> to be repeated for
> <mapping-name>, and the cryptdisks_start call will probably go
> interactive, querying the user for the passphrase.
> 
> This is horribly untested.

Thanks for the hints to get started with this.  With 1.5.2, you
should potentially be able to experiment with this using user
options--you can just add the mapping-name and anything else
you need.  You'll get MAPPING_NAME set in the setup scripts, so
the script can then use that to set up.

This one might need deferring for 1.5.3 in a week or so, due
to being a bit harder than the first two, and me lacking a
system with any crypted LVs to test on.  If you would be
willing to give 1.5.2 a try with some custom setup scripts, that
would greatly speed up getting this working.


Regards,
Roger

-- 
  .''`.  Roger Leigh
 : :' :  Debian GNU/Linux    http://people.debian.org/~rleigh/
 `. `'   schroot and sbuild  http://alioth.debian.org/projects/buildd-tools
   `-    GPG Public Key      F33D 281D 470A B443 6756 147C 07B3 C8BC 4083 E800




Information forwarded to debian-bugs-dist@lists.debian.org, Debian buildd-tools Developers <buildd-tools-devel@lists.alioth.debian.org>:
Bug#639105; Package schroot. (Sun, 13 May 2012 07:54:09 GMT)


Acknowledgement sent to Marc Haber <mh+debian-bugs@zugschlus.de>:
Extra info received and forwarded to list. Copy sent to Debian buildd-tools Developers <buildd-tools-devel@lists.alioth.debian.org>. (Sun, 13 May 2012 07:54:10 GMT)


Message #25 received at 639105@bugs.debian.org:

From: Marc Haber <mh+debian-bugs@zugschlus.de>
To: Roger Leigh <rleigh@codelibre.net>
Cc: 639105@bugs.debian.org
Subject: Re: [buildd-tools-devel] Bug#639105: please consider adding support for lvm-snapshot on crypted LV
Date: Sun, 13 May 2012 09:43:54 +0200
On Sun, May 13, 2012 at 01:12:34AM +0100, Roger Leigh wrote:
> Thanks for the hints to get started with this.  With 1.5.2, you
> should potentially be able to experiment with this using user
> options--you can just add the mapping-name and anything else
> you need.  You'll get MAPPING_NAME set in the setup scripts, so
> the script can then use that to set up.

Sounds good.

> This one might need deferring for 1.5.3 in a week or so, due
> to being a bit harder than the first two, and me lacking a
> system with any crypted LVs to test on.  If you would be
> willing to give 1.5.2 a try with some custom setup scripts, that
> would greatly speed up getting this working.

I can offer you a VM to play with if you want to. Just send me an ssh
key in private mail, and preferably an IP address from where you will
connect.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 31958061
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 31958062






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Tue Jan 30 06:52:49 2024; Machine Name: buxtehude
