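#!/bin/sh

# (C) Copyright Canonical 2011-2013

# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.

# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
# Lesser General Public License for more details.

# You should have received a copy of the GNU Lesser General Public
# License along with this library; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA

# This hook can be used to mount an ecryptfs filesystem as a container's
# rootfs.  It is meant to run as the container's lxc.hook.pre-mount hook and
# mounts the encrypted lower directory <rootfs>.crypt onto the rootfs path.
#
# Inputs (environment, provided by lxc to its hooks):
#   LXC_ROOTFS_PATH - the container's rootfs path; the encrypted lower
#                     directory is derived from it by replacing a trailing
#                     "rootfs" with "rootfs.crypt".
#   LXC_CONFIG_FILE - the container's config file; the signature file is
#                     derived from it by replacing a trailing "config" with
#                     "sig".
#
# The sig file holds only the hex signature of the ecryptfs passphrase, which
# must already be present in the kernel keyring when the container starts; the
# passphrase itself is never stored by this hook.
#
# To use this hook, assuming your container is called q1,
# 1. add 'lxc.hook.pre-mount = /usr/share/lxc/hooks/mountecryptfsroot' to
#    the container's configuration file
# 2. Create /var/lib/lxc/q1/ecryptfs-root
#    a. mkdir /var/lib/lxc/q1/ecryptfs-root
# 3. convert your container's root filesystem to be ecryptfs-backed.  Assuming
#    your container is called 'q1', do
#    a. c=q1
#    b. mv /var/lib/lxc/$c/rootfs /var/lib/lxc/$c/rootfs.plain
#    c. mkdir /var/lib/lxc/$c/rootfs{,.crypt}
#    d. sig=`echo none | ecryptfs-add-passphrase | grep -v Passphrase | cut -d[ -f 2 | cut -d] -f 1`
#       ("none" is only an example passphrase; substitute your own)
#    e. echo $sig > /var/lib/lxc/$c/sig
#    f. mount -t ecryptfs -o ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=n,ecryptfs_enable_filename_crypto=n,ecryptfs_sig=${sig},sig=${sig},verbosity=0 /var/lib/lxc/$c/rootfs.crypt /var/lib/lxc/$c/rootfs
#    g. rsync -va /var/lib/lxc/$c/rootfs.plain/ /var/lib/lxc/$c/rootfs/
#    h. umount /var/lib/lxc/$c/rootfs
#    i. rm -rf /var/lib/lxc/$c/rootfs.plain
# 4. Now you can start your container by adding the passphrase to your
#    in-kernel keyring using 'ecryptfs-add-passphrase', then starting your
#    container as normal.
#    a. echo none | ecryptfs-add-passphrase
#    b. lxc-start -n q1
# Note that you may well want to use a wrapped passphrase (see the
# ecryptfs-wrap-passphrase(1) manual page).

# Any failure below (missing input, unreadable sig file, failed mount) makes
# the hook exit non-zero, which is what stops the container from starting on
# top of an unmounted, plaintext-or-empty rootfs directory.
set -e

# Both variables are expected from lxc; refuse to proceed on an empty value
# rather than deriving paths from "" and mounting onto the wrong place.
if [ -z "$LXC_ROOTFS_PATH" ] || [ -z "$LXC_CONFIG_FILE" ]; then
    echo "mountecryptfsroot: LXC_ROOTFS_PATH and LXC_CONFIG_FILE must be set" >&2
    exit 1
fi

# Derive the encrypted lower directory and the sig file from the lxc paths.
# Parameter expansion replaces the former unquoted echo|sed pipelines, so paths
# containing whitespace or glob characters survive intact.  As before, a path
# that does not end in "rootfs" (or "config") is used unchanged.
case "$LXC_ROOTFS_PATH" in
    *rootfs) ecryptfs_crypt="${LXC_ROOTFS_PATH%rootfs}rootfs.crypt" ;;
    *)       ecryptfs_crypt=$LXC_ROOTFS_PATH ;;
esac
case "$LXC_CONFIG_FILE" in
    *config) sigfile="${LXC_CONFIG_FILE%config}sig" ;;
    *)       sigfile=$LXC_CONFIG_FILE ;;
esac

if [ ! -r "$sigfile" ]; then
    echo "mountecryptfsroot: cannot read ecryptfs signature file '$sigfile'" >&2
    exit 1
fi
# $(...) strips trailing newlines, as the original backtick form did.
sig=$(cat "$sigfile")

# The signature is spliced into mount's comma-separated option string, so an
# empty value, stray whitespace or a comma would either fail the mount or
# change the options that are passed; accept only a hex string.
case "$sig" in
    "" | *[!0-9a-fA-F]*)
        echo "mountecryptfsroot: '$sigfile' does not contain a valid ecryptfs signature" >&2
        exit 1 ;;
esac

# Options mirror those used when the rootfs was converted (step 3f above):
# AES with a 16-byte (128-bit) key, no passthrough of unencrypted files,
# filenames left unencrypted, and the key located in the kernel keyring by its
# signature.  -n keeps the mount out of /etc/mtab.
mount -n -t ecryptfs \
    -o "ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=n,ecryptfs_enable_filename_crypto=n,ecryptfs_sig=${sig},sig=${sig},verbosity=0" \
    "$ecryptfs_crypt" "$LXC_ROOTFS_PATH"
exit 0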