stages: add new org.osbuild.crypttab stage

New stage to configure /etc/crypttab to setup encrypted block devices. See the documentation of the stage for more information.
2021-11-08 16:15:46 +01:00 · 2021-11-08 16:15:46 +01:00 · d8a4f9d063
commit d8a4f9d063
parent 2801c17730
1 changed files with 91 additions and 0 deletions
--- a/stages/org.osbuild.crypttab
+++ b/stages/org.osbuild.crypttab
@ -0,0 +1,91 @@
+#!/usr/bin/python3
+"""
+Create /etc/crypttab entries for encrypted block devices
+
+See crypttab(5) for a detailed description of the format but in brief:
+each item in the list of `volumes` describes an encrypted block device
+and how it should it should be setup. The block device is identified
+either by `uuid` or by `path` (device node path). The volume will be
+named as `volume`, i.e. made available as `/dev/mapper/$volume`.
+Additionally, a keyfile can (optionally) be specified via `keyfile`.
+Specific device options can be specified via `options`.
+
+This stage replaces /etc/crypttab, removing any existing entries.
+"""
+
+
+import sys
+
+import osbuild.api
+
+
+SCHEMA = """
+"additionalProperties": false,
+"required": ["volumes"],
+"properties": {
+  "volumes": {
+    "type": "array",
+    "description": "array of volume objects",
+    "items": {
+      "type": "object",
+      "oneOf": [{
+        "required": ["uuid", "volume"]
+      }, {
+        "required": ["path", "volume"]
+      }],
+      "properties": {
+        "volume": {
+          "description": "volume mountpoint",
+          "type": "string"
+        },
+        "uuid": {
+          "description": "device UUID",
+          "type": "string"
+        },
+        "path": {
+          "description": "device path",
+          "type": "string"
+        },
+        "keyfile": {
+          "description": "",
+          "type": "string",
+          "default": "none"
+        },
+        "options": {
+          "description": "options (comma-separated)",
+          "type": "string",
+          "default": ""
+        }
+      }
+    }
+  }
+}
+"""
+
+
+def main(tree, options):
+    volumes = options["volumes"]
+
+    with open(f"{tree}/etc/crypttab", "w") as f:
+        for volume in volumes:
+            name = volume["volume"]
+            uuid = volume.get("uuid")
+            path = volume.get("path")
+            options = volume.get("options", "")
+            keyfile = volume.get("keyfile", "none")
+
+            if uuid:
+                device = f"UUID={uuid}"
+            elif path:
+                device = path
+            else:
+                raise ValueError("Need 'uuid' or 'label'")
+
+            f.write(
+                f"{name}\t{device}\t{keyfile}\t{options}\n")
+
+
+if __name__ == '__main__':
+    args = osbuild.api.arguments()
+    r = main(args["tree"], args["options"])
+    sys.exit(r)