mirror of
https://git.proxmox.com/git/mirror_lxc
synced 2025-04-28 12:37:11 +00:00

See https://github.com/koalaman/shellcheck/wiki/SC2006 for details. Not only is this the recommended construct, it also makes the code more uniform, as the $() construct was already used in many other places. Signed-off-by: Diederik de Haas <didi.debian@cknow.org>
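#!/bin/sh

# (C) Copyright Canonical 2011-2013

# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.

# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# Lesser General Public License for more details.

# You should have received a copy of the GNU Lesser General Public
# License along with this library; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA

# This hook can be used to mount an ecryptfs filesystem as a container's
# rootfs.
# To use this hook, assuming your container is called q1,
# 1. add 'lxc.hook.pre-mount = /usr/share/lxc/hooks/mountecryptfsroot' to
#    the container's configuration file
# 2. Create /var/lib/lxc/q1/ecryptfs-root
#    a. mkdir /var/lib/lxc/q1/ecryptfs-root
# 3. convert your container's root filesystem to be ecryptfs-backed. Assuming
#    your container is called 'q1', do
#    a. c=q1
#    b. mv /var/lib/lxc/$c/rootfs /var/lib/lxc/$c/rootfs.plain
#    c. mkdir /var/lib/lxc/$c/rootfs{,.crypt}
#    d. sig=$(echo none | ecryptfs-add-passphrase | grep -v Passphrase | cut -d[ -f 2 | cut -d] -f 1)
#    e. echo $sig > /var/lib/lxc/$c/sig
#    f. mount -t ecryptfs -o ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=n,ecryptfs_enable_filename_crypto=n,ecryptfs_sig=${sig},sig=${sig},verbosity=0 /var/lib/lxc/$c/rootfs.crypt /var/lib/lxc/$c/rootfs
#    g. rsync -va /var/lib/lxc/$c/rootfs.plain/ /var/lib/lxc/$c/rootfs/
#    h. umount /var/lib/lxc/$c/rootfs
#    i. rm -rf /var/lib/lxc/$c/rootfs.plain
# 4. Now you can start your container by adding the passphrase to your
#    in-kernel keyring using 'ecryptfs-add-passphrase', then starting your
#    container as normal.
#    a. echo none | ecryptfs-add-passphrase
#    b. lxc-start -n q1
# Note that you may well want to use a wrapped passphrase (see the ecryptfs-wrap-passphrase(1) manual page).
#
# Things to keep in mind when following the steps above:
# - 'none' in steps 3d and 4a is the passphrase used by this example; the
#   protection of the rootfs is only as strong as the passphrase you pick.
# - 'rm -rf' in step 3i unlinks the plaintext copy but does not overwrite it,
#   so the old contents may remain recoverable from the underlying storage.
# - ecryptfs_enable_filename_crypto=n means file names are stored unencrypted
#   in rootfs.crypt; only file contents are encrypted.
# - The content of the sig file is placed into the mount option string below.
#   NOTE(review): the file should be writable by root only - confirm its
#   ownership and mode on your system.
#
# Environment (read):
#   LXC_ROOTFS_PATH  - mount point of the container's rootfs
#   LXC_CONFIG_FILE  - path of the container's configuration file; the
#                      signature is read from the 'sig' file next to it
# Exit status: 0 on success, non-zero if an input is missing or invalid or if
# the mount fails.

set -e

# Fail with a clear message instead of handing empty arguments to mount.
: "${LXC_ROOTFS_PATH:?mountecryptfsroot: LXC_ROOTFS_PATH is not set}"
: "${LXC_CONFIG_FILE:?mountecryptfsroot: LXC_CONFIG_FILE is not set}"

# Lower (encrypted) directory: '<...>/rootfs' -> '<...>/rootfs.crypt'.
# A path that does not end in 'rootfs' is used unchanged, as before.
case "$LXC_ROOTFS_PATH" in
	*rootfs) ecryptfs_crypt="${LXC_ROOTFS_PATH%rootfs}rootfs.crypt" ;;
	*) ecryptfs_crypt="$LXC_ROOTFS_PATH" ;;
esac

# Signature file: '<...>/config' -> '<...>/sig'. Without the expected suffix
# the substitution would leave the config file itself as the "signature"
# source, so refuse to continue.
case "$LXC_CONFIG_FILE" in
	*config) sigfile="${LXC_CONFIG_FILE%config}sig" ;;
	*)
		echo "mountecryptfsroot: cannot derive sig file from '$LXC_CONFIG_FILE'" >&2
		exit 1
		;;
esac

if [ ! -r "$sigfile" ]; then
	echo "mountecryptfsroot: cannot read signature file '$sigfile'" >&2
	exit 1
fi

sig=$(cat "$sigfile")

# The signature is interpolated into the comma-separated -o list, so anything
# other than hex digits (commas, whitespace, '=') could add or alter mount
# options. ecryptfs-add-passphrase prints the signature as hex digits.
case "$sig" in
	'' | *[!0-9a-fA-F]*)
		echo "mountecryptfsroot: invalid ecryptfs signature in '$sigfile'" >&2
		exit 1
		;;
esac

mount_opts="ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=n,ecryptfs_enable_filename_crypto=n,ecryptfs_sig=${sig},sig=${sig},verbosity=0"

# Quote the paths so that whitespace or glob characters in them are not
# split or expanded by the shell.
mount -n -t ecryptfs -o "$mount_opts" "$ecryptfs_crypt" "$LXC_ROOTFS_PATH"

exit 0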