luks_device.py: allows user explicity define luks format version (#61812)

* luks_device.py: allow the user create LUKS based on specific versions

- Allow user pass an option 'type' that explicits define the version of LUKS
  container that will be created. It should be 'luks1' or 'luks2' format.
- If 'label' option is defined the 'type' option will be 'luks2' independently
  of the option 'type' informed by user. (labels NEED luks2 format)

Fixes: #58973
Signed-off-by: Alexandre Mulatinho <alex@mulatinho.net>

* added the changelog fragment

Signed-off-by: Alexandre Mulatinho <alex@mulatinho.net>

* luks_device.py: make it fail in certain conditions

- Not allow user especify luks1 type and label at the same playbook

Signed-off-by: Alexandre Mulatinho <alex@mulatinho.net>
pull/62160/head
Alexandre Mulatinho 5 years ago committed by Felix Fontein
parent 5eb5f74083
commit 5b3526535c

@ -0,0 +1,2 @@
minor_changes:
- luks_device - added the ``type`` option that allows user explicit define the LUKS container format version

@ -107,6 +107,7 @@ options:
label on later usages." label on later usages."
- "Will only be used on container creation, or when I(device) is - "Will only be used on container creation, or when I(device) is
not specified." not specified."
- "This cannot be specified if I(type) is set to C(luks1)."
type: str type: str
version_added: "2.10" version_added: "2.10"
uuid: uuid:
@ -115,6 +116,14 @@ options:
- "Will only be used when I(device) and I(label) are not specified." - "Will only be used when I(device) and I(label) are not specified."
type: str type: str
version_added: "2.10" version_added: "2.10"
type:
description:
- "This option allow the user explicit define the format of LUKS
container that wants to work with. Options are C(luks1) or C(luks2)"
type: str
choices: [luks1, luks2]
version_added: "2.10"
requirements: requirements:
@ -195,6 +204,13 @@ EXAMPLES = '''
uuid: 03ecd578-fad4-4e6c-9348-842e3e8fa340 uuid: 03ecd578-fad4-4e6c-9348-842e3e8fa340
state: "closed" state: "closed"
name: "mycrypt" name: "mycrypt"
- name: create a container using luks2 format
luks_device:
device: "/dev/loop0"
state: "present"
keyfile: "/vault/keyfile"
type: luks2
''' '''
RETURN = ''' RETURN = '''
@ -317,16 +333,22 @@ class CryptHandler(Handler):
def run_luks_create(self, device, keyfile, keysize): def run_luks_create(self, device, keyfile, keysize):
# create a new luks container; use batch mode to auto confirm # create a new luks container; use batch mode to auto confirm
label = self._module.params.get('label') luks_type = self._module.params['type']
label = self._module.params['label']
options = [] options = []
if keysize is not None: if keysize is not None:
options.append('--key-size=' + str(keysize)) options.append('--key-size=' + str(keysize))
if label is not None: if label is not None:
# create luks container v2 with label options.extend(['--label', label])
options.extend(['--type', 'luks2', '--label', label]) luks_type = 'luks2'
if luks_type is not None:
options.extend(['--type', luks_type])
args = [self._cryptsetup_bin, 'luksFormat'] args = [self._cryptsetup_bin, 'luksFormat']
args.extend(options) args.extend(options)
args.extend(['-q', device, keyfile]) args.extend(['-q', device, keyfile])
result = self._run_command(args) result = self._run_command(args)
if result[RETURN_CODE] != 0: if result[RETURN_CODE] != 0:
raise ValueError('Error while creating LUKS on %s: %s' raise ValueError('Error while creating LUKS on %s: %s'
@ -541,6 +563,7 @@ def run_module():
keysize=dict(type='int'), keysize=dict(type='int'),
label=dict(type='str'), label=dict(type='str'),
uuid=dict(type='str'), uuid=dict(type='str'),
type=dict(type='str', choices=['luks1', 'luks2']),
) )
# seed the result dict in the object # seed the result dict in the object
@ -564,6 +587,10 @@ def run_module():
crypt = CryptHandler(module) crypt = CryptHandler(module)
conditions = ConditionsHandler(module, crypt) conditions = ConditionsHandler(module, crypt)
# conditions not allowed to run
if module.params['label'] is not None and module.params['type'] == 'luks1':
module.fail_json(msg='You cannot combine type luks1 with the label option.')
# The conditions are in order to allow more operations in one run. # The conditions are in order to allow more operations in one run.
# (e.g. create luks and add a key to it) # (e.g. create luks and add a key to it)

Loading…
Cancel
Save