proxmox-mirrors/mirror_lxc
1
0
Fork 0
mirror of https://git.proxmox.com/git/mirror_lxc synced 2025-10-31 07:26:07 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
d23c6cc996
mirror_lxc/hooks/mountecryptfsroot
Stéphane Graber 250b1eec71
licensing: Add missing headers and FSF address 
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
2013-09-03 14:33:03 -04:00

51 lines
2.5 KiB
Bash
Executable File
Raw Blame History

#!/bin/sh
# (C) Copyright Canonical 2011-2013
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# Lesser General Public License for more details.
# You should have received a copy of the GNU Lesser General Public
# License along with this library; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
# This hook can be used to mount an ecryptfs filesystem as a container's
# rootfs.
# To use this hook, assuming your container is called q1,
# 1. add 'lxc.hook.pre-mount = /usr/share/lxc/hooks/mountecryptfsroot' to
# the container's configuration file
# 2. Create /var/lib/lxc/q1/ecryptfs-root
# a. mkdir /var/lib/lxc/q1/ecryptfs-root
# 3. convert your container's root filesystem to be ecryptfs-backed. Assuming
# your container is called 'q1', do
# a. c=q1
# b. mv /var/lib/lxc/$c/rootfs /var/lib/lxc/$c/rootfs.plain
# c. mkdir /var/lib/lxc/$c/rootfs{,.crypt}
# d. sig=`echo none | ecryptfs-add-passphrase | grep -v Passphrase | cut -d[ -f 2 | cut -d] -f 1`
# e. echo $sig > /var/lib/lxc/$c/sig
# f. mount -t ecryptfs -o ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=n,ecryptfs_enable_filename_crypto=n,ecryptfs_sig=${sig},sig=${sig},verbosity=0 /var/lib/lxc/$c/rootfs.crypt /var/lib/lxc/$c/rootfs
# g. rsync -va /var/lib/lxc/$c/rootfs.plain/ /var/lib/lxc/$c/rootfs/
# h. umount /var/lib/lxc/$c/rootfs
# i. rm -rf /var/lib/lxc/$c/rootfs.plain
# 4. Now you can start your container by adding the passphrase to your
# in-kernel keyring using 'ecryptfs-add-passphrase', then starting your
# container as normal.
# a. echo none | ecryptfs-add-passphrase
# b. lxc-start -n q1
# Note that you may well want to use a wrapped passhrase (see the ecryptfs-wrap-passphrase(1) manual page).
set -e
ecryptfs_crypt=$(echo $LXC_ROOTFS_PATH | sed 's/rootfs$/rootfs.crypt/')
sigfile=$(echo $LXC_CONFIG_FILE | sed 's/config$/sig/')
sig=`cat $sigfile`
mount -n -t ecryptfs -o ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=n,ecryptfs_enable_filename_crypto=n,ecryptfs_sig=${sig},sig=${sig},verbosity=0 $ecryptfs_crypt $LXC_ROOTFS_PATH
exit 0
Reference in New Issue View Git Blame Copy Permalink