1 #!/bin/sh
2
3 # (C) Copyright Canonical 2011-2013
4
5 # This library is free software; you can redistribute it and/or
6 # modify it under the terms of the GNU Lesser General Public
7 # License as published by the Free Software Foundation; either
8 # version 2.1 of the License, or (at your option) any later version.
9
10 # This library is distributed in the hope that it will be useful,
11 # but WITHOUT ANY WARRANTY; without even the implied warranty of
12 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13 # Lesser General Public License for more details.
14
15 # You should have received a copy of the GNU Lesser General Public
16 # License along with this library; if not, write to the Free Software
17 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
18
19 # This hook can be used to mount an ecryptfs filesystem as a container's
20 # rootfs.
21 # To use this hook, assuming your container is called q1,
22 # 1. add 'lxc.hook.pre-mount = /usr/share/lxc/hooks/mountecryptfsroot' to
23 # the container's configuration file
24 # 2. Create /var/lib/lxc/q1/ecryptfs-root
25 # a. mkdir /var/lib/lxc/q1/ecryptfs-root
26 # 3. convert your container's root filesystem to be ecryptfs-backed. Assuming
27 # your container is called 'q1', do
28 # a. c=q1
29 # b. mv /var/lib/lxc/$c/rootfs /var/lib/lxc/$c/rootfs.plain
30 # c. mkdir /var/lib/lxc/$c/rootfs{,.crypt}
31 # d. sig=`echo none | ecryptfs-add-passphrase | grep -v Passphrase | cut -d[ -f 2 | cut -d] -f 1`
32 # e. echo $sig > /var/lib/lxc/$c/sig
33 # f. mount -t ecryptfs -o ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=n,ecryptfs_enable_filename_crypto=n,ecryptfs_sig=${sig},sig=${sig},verbosity=0 /var/lib/lxc/$c/rootfs.crypt /var/lib/lxc/$c/rootfs
34 # g. rsync -va /var/lib/lxc/$c/rootfs.plain/ /var/lib/lxc/$c/rootfs/
35 # h. umount /var/lib/lxc/$c/rootfs
36 # i. rm -rf /var/lib/lxc/$c/rootfs.plain
37 # 4. Now you can start your container by adding the passphrase to your
38 # in-kernel keyring using 'ecryptfs-add-passphrase', then starting your
39 # container as normal.
40 # a. echo none | ecryptfs-add-passphrase
41 # b. lxc-start -n q1
42 # Note that the passphrase 'none' used above is only an example; choose your own, and you may well want to use a wrapped passphrase (see the ecryptfs-wrap-passphrase(1) manual page).
43
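# Abort on the first failing command and on any unset variable. Both LXC_*
# variables read below are required: with an empty value the old unquoted
# `cat $sigfile` degraded to a bare `cat` reading stdin, and mount(8) was
# handed empty path arguments.
set -eu

# Print a diagnostic on stderr and abort the hook with a non-zero status.
die() {
	printf '%s: %s\n' "${0##*/}" "$*" >&2
	exit 1
}

: "${LXC_ROOTFS_PATH:?LXC_ROOTFS_PATH is not set}"
: "${LXC_CONFIG_FILE:?LXC_CONFIG_FILE is not set}"

# Derive the encrypted lower directory (<...>rootfs.crypt) from the rootfs
# path. A path that does not end in "rootfs" used to pass through sed
# unchanged, so the mount source silently became the rootfs itself; refuse it.
case $LXC_ROOTFS_PATH in
	*rootfs) ecryptfs_crypt=${LXC_ROOTFS_PATH}.crypt ;;
	*) die "LXC_ROOTFS_PATH does not end in 'rootfs': $LXC_ROOTFS_PATH" ;;
esac

# Derive the signature file (<...>sig) that sits next to the container config.
# Without this check a config path not ending in "config" made the script read
# the configuration file itself as the key signature.
case $LXC_CONFIG_FILE in
	*config) sigfile=${LXC_CONFIG_FILE%config}sig ;;
	*) die "LXC_CONFIG_FILE does not end in 'config': $LXC_CONFIG_FILE" ;;
esac

[ -r "$sigfile" ] || die "cannot read signature file: $sigfile"
sig=$(cat "$sigfile")

# The signature is spliced into the comma-separated -o option string, so any
# ',' or whitespace in the file would add or alter mount options. Accept only
# a non-empty run of hex digits, which is the form stored in the sig file by
# the setup steps in the header comment.
case $sig in
	'' | *[!0-9a-fA-F]*) die "invalid ecryptfs key signature in $sigfile" ;;
esac

# -n: do not record the mount in /etc/mtab.
mount -n -t ecryptfs -o "ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=n,ecryptfs_enable_filename_crypto=n,ecryptfs_sig=${sig},sig=${sig},verbosity=0" "$ecryptfs_crypt" "$LXC_ROOTFS_PATH"
exit 0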