From 5b3526535c9e2f9e117e73d8fbea24b6f9c849ef Mon Sep 17 00:00:00 2001
From: Alexandre Mulatinho
Date: Wed, 11 Sep 2019 15:45:33 -0300
Subject: [PATCH] luks_device.py: allows user explicity define luks format version (#61812)

* luks_device.py: allow the user create LUKS based on specific versions
- Allow user pass an option 'type' that explicits define the version of LUKS container that will be created. It should be 'luks1' or 'luks2' format.
- If 'label' option is defined the 'type' option will be 'luks2' independently of the option 'type' informed by user. (labels NEED luks2 format)
Fixes: #58973
Signed-off-by: Alexandre Mulatinho
* added the changelog fragment
Signed-off-by: Alexandre Mulatinho
* luks_device.py: make it fail in certain conditions
- Not allow user especify luks1 type and label at the same playbook
Signed-off-by: Alexandre Mulatinho
---
.../58973-luks_device_add-type-option.yml | 2 ++
lib/ansible/modules/crypto/luks_device.py | 33 +++++++++++++++++--
2 files changed, 32 insertions(+), 3 deletions(-)
create mode 100644 changelogs/fragments/58973-luks_device_add-type-option.yml
diff --git a/changelogs/fragments/58973-luks_device_add-type-option.yml b/changelogs/fragments/58973-luks_device_add-type-option.yml
new file mode 100644
index 00000000000..78c1458cf56
--- /dev/null
+++ b/changelogs/fragments/58973-luks_device_add-type-option.yml
@@ -0,0 +1,2 @@
+minor_changes:
+- luks_device - added the ``type`` option that allows user explicit define the LUKS container format version
diff --git a/lib/ansible/modules/crypto/luks_device.py b/lib/ansible/modules/crypto/luks_device.py
index 73339216102..04cc5be047f 100644
--- a/lib/ansible/modules/crypto/luks_device.py
+++ b/lib/ansible/modules/crypto/luks_device.py
@@ -107,6 +107,7 @@ options:
 label on later usages."
 - "Will only be used on container creation, or when I(device) is not specified."
+ - "This cannot be specified if I(type) is set to C(luks1)."
 type: str
 version_added: "2.10"
 uuid:
@@ -115,6 +116,14 @@ options:
 - "Will only be used when I(device) and I(label) are not specified."
 type: str
 version_added: "2.10"
+ type:
+ description:
+ - "This option allow the user explicit define the format of LUKS
+ container that wants to work with. Options are C(luks1) or C(luks2)"
+ type: str
+ choices: [luks1, luks2]
+ version_added: "2.10"
+
 requirements:
@@ -195,6 +204,13 @@ EXAMPLES = '''
 uuid: 03ecd578-fad4-4e6c-9348-842e3e8fa340
 state: "closed"
 name: "mycrypt"
+
+- name: create a container using luks2 format
+ luks_device:
+ device: "/dev/loop0"
+ state: "present"
+ keyfile: "/vault/keyfile"
+ type: luks2
 '''
 RETURN = '''
@@ -317,16 +333,22 @@ class CryptHandler(Handler):
 def run_luks_create(self, device, keyfile, keysize):
 # create a new luks container; use batch mode to auto confirm
- label = self._module.params.get('label')
+ luks_type = self._module.params['type']
+ label = self._module.params['label']
+
 options = []
 if keysize is not None:
 options.append('--key-size=' + str(keysize))
 if label is not None:
- # create luks container v2 with label
- options.extend(['--type', 'luks2', '--label', label])
+ options.extend(['--label', label])
+ luks_type = 'luks2'
+ if luks_type is not None:
+ options.extend(['--type', luks_type])
+
 args = [self._cryptsetup_bin, 'luksFormat']
 args.extend(options)
 args.extend(['-q', device, keyfile])
+
 result = self._run_command(args)
 if result[RETURN_CODE] != 0:
 raise ValueError('Error while creating LUKS on %s: %s'
@@ -541,6 +563,7 @@ def run_module():
 keysize=dict(type='int'),
 label=dict(type='str'),
 uuid=dict(type='str'),
+ type=dict(type='str', choices=['luks1', 'luks2']),
 )
 # seed the result dict in the object
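Review bot: The new `type` description does not say what the module does when the option is omitted or when `label` is also set, although both cases are decided by run_luks_create in this same patch: with `type` unset no `--type` argument is passed to `cryptsetup luksFormat`, so the header format is whatever the installed cryptsetup defaults to, and a `label` always forces `luks2`. Since the two formats differ in header layout and, as far as I know, in key-derivation defaults, a playbook that cares should not have to read the code to learn this. Suggested additional list items for the description: `- "When omitted, no C(--type) is passed and the installed cryptsetup's default format is used."` and `- "When I(label) is set the container is always created as C(luks2)."`. The sentence "This option allow the user explicit define the format of LUKS container that wants to work with" should also be reworded, e.g. `- "Sets the LUKS header format used when the container is created."`.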
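Review bot: In run_luks_create the override `luks_type = 'luks2'` under `if label is not None:` silently replaces a caller's explicit `luks1`; the rejection of that combination is done only in run_module (a later hunk of this patch), so any other caller of this method gets a different header format than it asked for. Either fail here as well, `if luks_type == 'luks1': raise ValueError('A label requires a luks2 container')` placed before the override, or at least record the contract with a comment on the override line: `# labels need the LUKS2 header (see run_module, which rejects type=luks1 with label)`. Note that the `raise ValueError(...)` on the last hunk line is continued outside the hunk, so run_luks_create's body is not fully visible here.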
@@ -564,6 +587,10 @@ def run_module():
 crypt = CryptHandler(module)
 conditions = ConditionsHandler(module, crypt)
+ # conditions not allowed to run
+ if module.params['label'] is not None and module.params['type'] == 'luks1':
+ module.fail_json(msg='You cannot combine type luks1 with the label option.')
+
 # The conditions are in order to allow more operations in one run.
 # (e.g. create luks and add a key to it)
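Review bot: The luks1-plus-label validation is placed after `CryptHandler(module)` and `ConditionsHandler(module, crypt)` have already been constructed, so a playbook with an invalid parameter combination still pays for handler construction and, if those constructors probe the system, may get an unrelated error reported before `fail_json` runs; a check that only reads `module.params` belongs above the handler construction. The comment `# conditions not allowed to run` also does not say why the combination is rejected; `# a label needs a LUKS2 header, so it cannot be combined with type=luks1` states the reason that run_luks_create relies on. run_module starts before and continues after this hunk.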