luks: do not support ubuntu < 20.04 and debian < 10

Signed-off-by: Adphi <philippe.adrien.nousse@gmail.com>
linka-cloud · Mar 1, 2023 · fb33b2a · fb33b2a
1 parent 8c36d42
commit fb33b2a
Show file tree

Hide file tree

Showing 9 changed files with 44 additions and 5 deletions.
diff --git a/.dockerignore b/.dockerignore
@@ -8,3 +8,4 @@ dist
 images
 examples/build
 e2e
+**/*_test.go
diff --git a/Dockerfile b/Dockerfile
@@ -38,7 +38,7 @@ RUN apt-get update && \
         mount \
         tar \
         extlinux \
-        cryptsetup \
+        cryptsetup-bin \
         qemu-utils && \
     apt-get clean && \
     rm -rf /var/lib/apt/lists/*

diff --git a/README.md b/README.md
@@ -29,7 +29,9 @@ or when running without *root* privileges.
 Working and tested:
 
 - [x] Ubuntu (18.04+)
+  Luks support is available only on Ubuntu 20.04+
 - [x] Debian (stretch+)
+  Luks support is available only on Debian buster+
 - [x] Alpine
 - [x] CentOS (8+)
 

diff --git a/builder.go b/builder.go
@@ -153,6 +153,9 @@ func NewBuilder(ctx context.Context, workdir, imgTag, disk string, size uint64,
 		if !splitBoot {
 			return nil, fmt.Errorf("luks encryption requires split boot")
 		}
+		if !osRelease.SupportsLUKS() {
+			return nil, fmt.Errorf("luks encryption not supported on %s %s", osRelease.ID, osRelease.VersionID)
+		}
 	}
 	f := strings.ToLower(format)
 	valid := false
@@ -505,7 +508,7 @@ func (b *builder) installKernel(ctx context.Context) error {
 		case ReleaseCentOS:
 			cfg = fmt.Sprintf(sysconfig, b.rootUUID, fmt.Sprintf("%s rd.luks.name=UUID=%s rd.luks.uuid=%s rd.luks.crypttab=0", b.cmdLineExtra, b.rootUUID, b.cryptUUID))
 		default:
-			// for some versions of debian, the cryptopts parameter MUST contain all the following: target,srouce,key,opts...
+			// for some versions of debian, the cryptopts parameter MUST contain all the following: target,source,key,opts...
 			// see https://salsa.debian.org/cryptsetup-team/cryptsetup/-/blob/debian/buster/debian/functions
 			// and https://cryptsetup-team.pages.debian.net/cryptsetup/README.initramfs.html
 			cfg = fmt.Sprintf(sysconfig, b.rootUUID, fmt.Sprintf("%s root=/dev/mapper/root cryptopts=target=root,source=UUID=%s,key=none,luks", b.cmdLineExtra, b.cryptUUID))

diff --git a/convert.go b/convert.go
@@ -45,6 +45,11 @@ func Convert(ctx context.Context, img string, opts ...ConvertOption) error {
 	if err != nil {
 		return err
 	}
+
+	if o.luksPassword != "" && !r.SupportsLUKS() {
+		return fmt.Errorf("luks is not supported for %s %s", r.Name, r.Version)
+	}
+
 	if !o.raw {
 		d, err := NewDockerfile(r, img, o.password, o.networkManager, o.luksPassword != "")
 		if err != nil {

diff --git a/e2e/e2e_test.go b/e2e/e2e_test.go
@@ -45,8 +45,9 @@ type img struct {
 
 var images = []img{
 	{name: "alpine:3.17", luks: "Enter passphrase for /dev/sda2:"},
-	{name: "ubuntu:18.04", luks: "Please unlock disk root:"},
+	{name: "ubuntu:20.04", luks: "Please unlock disk root:"},
 	{name: "ubuntu:22.04", luks: "Please unlock disk root:"},
+	{name: "debian:10", luks: "Please unlock disk root:"},
 	{name: "debian:11", luks: "Please unlock disk root:"},
 	{name: "centos:8", luks: "Please enter passphrase for disk"},
 }

diff --git a/os_release.go b/os_release.go
@@ -19,6 +19,7 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
+	"strconv"
 	"strings"
 	"text/template"
 
@@ -66,6 +67,31 @@ type OSRelease struct {
 	VersionCodeName string
 }
 
+func (r OSRelease) SupportsLUKS() bool {
+	switch r.ID {
+	case ReleaseUbuntu:
+		return r.VersionID >= "20.04"
+	case ReleaseDebian:
+		v, err := strconv.Atoi(r.VersionID)
+		if err != nil {
+			logrus.Warnf("%s: failed to parse version id: %v", r.Version, err)
+			return false
+		}
+		return v >= 10
+	case ReleaseKali:
+		// TODO: check version
+		return true
+	case ReleaseCentOS:
+		return true
+	case ReleaseAlpine:
+		return true
+	case ReleaseRHEL:
+		return false
+	default:
+		return false
+	}
+}
+
 func ParseOSRelease(s string) (OSRelease, error) {
 	env, err := godotenv.Parse(strings.NewReader(s))
 	if err != nil {

diff --git a/templates/debian.Dockerfile b/templates/debian.Dockerfile
@@ -45,5 +45,6 @@ iface eth0 inet dhcp\n\
 
 {{- if .Luks }}
 RUN DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends cryptsetup-initramfs && \
-     update-initramfs -u -v
+    echo "CRYPTSETUP=y" >> /etc/cryptsetup-initramfs/conf-hook && \
+    update-initramfs -u -v
 {{- end }}
diff --git a/templates/ubuntu.Dockerfile b/templates/ubuntu.Dockerfile
@@ -43,5 +43,5 @@ iface eth0 inet dhcp\n\
 
 {{- if .Luks }}
 RUN DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends cryptsetup-initramfs && \
-     update-initramfs -u -v
+    update-initramfs -u -v
 {{- end }}
-Original file line number
+Diff line change
@@ Expand Up / @@ -8,3 +8,4 @@ dist @@
     images
     examples/build
     e2e
+    **/*_test.go