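#!/bin/sh
#######################################################################
# luksPartition - OCF resource agent that opens (start), closes (stop)
# and probes (monitor) a LUKS partition with cryptsetup.
#
# Expects the OCF environment provided by the cluster resource manager:
# OCF_ROOT, OCF_RESOURCE_INSTANCE and the OCF_RESKEY_* parameters
# described in meta_data below.
#
# Initialization:
# Locate the shared OCF shell library; quoted so a path with spaces in
# OCF_ROOT does not get word-split.
: "${OCF_FUNCTIONS_DIR=${OCF_ROOT}/lib/heartbeat}"
# Provides the OCF return codes (OCF_SUCCESS, OCF_ERR_*, ...) and ocf_log.
. "${OCF_FUNCTIONS_DIR}/ocf-shellfuncs"
# The action to run is the first argument unless the caller exported it.
: "${__OCF_ACTION=$1}"
#######################################################################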
# Print the OCF resource-agent metadata (parameters and supported actions)
# as XML on stdout.  The delimiter is quoted because the document contains
# no shell expansions and must be emitted verbatim.
meta_data() {
  cat <<'END'
<?xml version="1.0"?>
<!DOCTYPE resource-agent SYSTEM "ra-api-1.dtd">
<resource-agent name="luksPartition" version="1.0">
<version>1.0</version>
<longdesc lang="en">
LUKS partition resource agent.
</longdesc>
<shortdesc lang="en">Open and close a LUKS partition.</shortdesc>
<parameters>
<parameter name="device" unique="1">
<longdesc lang="en">
The device name of the encrypted partition (without /dev/ prefix).
</longdesc>
<shortdesc lang="en">Encrypted device name.</shortdesc>
<content type="string" default="" />
</parameter>
<parameter name="mapped" unique="1">
<longdesc lang="en">
The device name to use for the mapped plaintext volume.
</longdesc>
<shortdesc lang="en">Plaintext device name.</shortdesc>
<content type="string" default="" />
</parameter>
<parameter name="keyfile" unique="0">
<longdesc lang="en">
The path to the keyfile that unlocks the encrypted partition.
</longdesc>
<shortdesc lang="en">Path to keyfile.</shortdesc>
<content type="string" default="" />
</parameter>
<parameter name="options" unique="0">
<longdesc lang="en">
Extra options for cryptsetup luksOpen (like --allow-discards)
</longdesc>
<shortdesc lang="en">cryptsetup luksOpen options</shortdesc>
<content type="string" default="" />
</parameter>
<parameter name="keyscript" unique="0">
<longdesc lang="en">
The path to a script that provides a key that unlocks the encrypted partition.
</longdesc>
<shortdesc lang="en">Path to keyscript.</shortdesc>
<content type="string" default="" />
</parameter>
</parameters>
<actions>
<action name="start" timeout="20" />
<action name="stop" timeout="20" />
<action name="monitor" timeout="20" interval="10" depth="0"/>
<action name="reload" timeout="20" />
<action name="migrate_to" timeout="20" />
<action name="migrate_from" timeout="20" />
<action name="validate-all" timeout="20" />
<action name="meta-data" timeout="5" />
</actions>
</resource-agent>
END
}
#######################################################################
# Deliberately ignore TERM: the agent only logs it and keeps running, so
# that lrmd's own mechanism for making the agent exit gets exercised.
# Returns the status of ocf_log (a bare `return`).
sigterm_handler() {
  ocf_log info "They use TERM to bring us down. No such luck."
  return
}
trap sigterm_handler TERM
# Print the two-line usage text to stdout; $0 is the agent's own path.
luks_usage() {
  printf 'usage: %s {start|stop|monitor|migrate_to|migrate_from|validate-all|meta-data}\n' "$0"
  printf '%s\n' 'Expects to have a fully populated OCF RA-compliant environment set.'
}
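#######################################
# Open the LUKS device as the mapped plaintext volume.
# Globals (read): OCF_RESKEY_device, OCF_RESKEY_mapped, OCF_RESKEY_keyfile,
#                 OCF_RESKEY_keyscript, OCF_RESKEY_options
# Returns: OCF_SUCCESS when the mapping is (or already was) open,
#          the luks_validate status on a bad configuration,
#          OCF_ERR_ARGS when no key source is configured,
#          OCF_ERR_GENERIC when cryptsetup luksOpen fails.
#######################################
luks_start() {
  # Already open: nothing to do (start must be idempotent).
  luks_monitor
  if [ "$?" = "$OCF_SUCCESS" ]; then
    return $OCF_SUCCESS
  fi
  # Refuse to touch the device with a broken configuration.
  luks_validate || return $?
  # A keyfile takes precedence over a keyscript.
  if [ -n "$OCF_RESKEY_keyfile" ]; then
    # shellcheck disable=SC2086 -- options is a space-separated list by design
    cryptsetup -d "$OCF_RESKEY_keyfile" luksOpen \
      "/dev/$OCF_RESKEY_device" "$OCF_RESKEY_mapped" $OCF_RESKEY_options
    luks_rc=$?
  elif [ -n "$OCF_RESKEY_keyscript" ]; then
    # The key is handed over on a pipe, not on the command line.  Plain sh
    # has no pipefail, so a failing keyscript is only noticed indirectly:
    # cryptsetup then receives an empty/short key and should fail to open.
    # shellcheck disable=SC2086 -- options is a space-separated list by design
    "$OCF_RESKEY_keyscript" | cryptsetup -d - luksOpen \
      "/dev/$OCF_RESKEY_device" "$OCF_RESKEY_mapped" $OCF_RESKEY_options
    luks_rc=$?
  else
    ocf_log err "Neither keyfile nor keyscript is configured for ${OCF_RESOURCE_INSTANCE}."
    return $OCF_ERR_ARGS
  fi
  if [ "$luks_rc" != 0 ]; then
    ocf_log err "cryptsetup luksOpen of /dev/${OCF_RESKEY_device} failed (rc=${luks_rc})."
    return $OCF_ERR_GENERIC
  fi
  return $OCF_SUCCESS
}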
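#######################################
# Close the mapped plaintext volume.
# Globals (read): OCF_RESKEY_mapped
# Returns: OCF_SUCCESS when the mapping is closed (or was not open),
#          OCF_ERR_GENERIC when cryptsetup luksClose fails.
#######################################
luks_stop() {
  # Stopping something that is not running is a successful stop.
  luks_monitor
  if [ "$?" != "$OCF_SUCCESS" ]; then
    return $OCF_SUCCESS
  fi
  cryptsetup luksClose "$OCF_RESKEY_mapped"
  luks_rc=$?
  if [ "$luks_rc" != 0 ]; then
    ocf_log err "cryptsetup luksClose of ${OCF_RESKEY_mapped} failed (rc=${luks_rc})."
    return $OCF_ERR_GENERIC
  fi
  return $OCF_SUCCESS
}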
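#######################################
# Report whether the mapped plaintext volume is currently open.
# Globals (read): OCF_RESKEY_mapped
# Returns: OCF_SUCCESS when cryptsetup reports the mapping active,
#          OCF_NOT_RUNNING otherwise,
#          OCF_ERR_CONFIGURED when no mapped name is configured.
#######################################
luks_monitor() {
  # Monitor _MUST!_ differentiate correctly between running
  # (SUCCESS), failed (ERROR) or _cleanly_ stopped (NOT RUNNING).
  # That is THREE states, not just yes/no.
  # "Oops." --Rudis
  #
  # Without a mapped name there is nothing to probe; report the
  # misconfiguration rather than a misleading NOT_RUNNING.
  if [ -z "$OCF_RESKEY_mapped" ]; then
    ocf_log err "Required parameter 'mapped' is not set."
    return $OCF_ERR_CONFIGURED
  fi
  # Only the exit status matters here; the status report itself would
  # just be noise in the monitor log (stderr is kept for real errors).
  cryptsetup status "$OCF_RESKEY_mapped" >/dev/null
  if [ "$?" = 0 ]; then
    return $OCF_SUCCESS
  fi
  return $OCF_NOT_RUNNING
}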
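#######################################
# Check that the configured parameters can possibly work.
# Globals (read): OCF_RESKEY_device, OCF_RESKEY_mapped, OCF_RESKEY_keyfile,
#                 OCF_RESKEY_keyscript
# Returns: OCF_SUCCESS when everything checks out, OCF_ERR_ARGS otherwise.
#######################################
luks_validate() {
  # both device names are mandatory
  if [ -z "$OCF_RESKEY_device" ] || [ -z "$OCF_RESKEY_mapped" ]; then
    ocf_log err "Parameters 'device' and 'mapped' are required."
    return $OCF_ERR_ARGS
  fi
  # is a keyfile or keyscript passed?
  if [ -z "$OCF_RESKEY_keyfile" ] && [ -z "$OCF_RESKEY_keyscript" ]; then
    ocf_log err "One of 'keyfile' or 'keyscript' is required."
    return $OCF_ERR_ARGS
  fi
  # does the keyfile exist and is it readable?
  # (The previous test was written "!-f" as one word, which is not a valid
  # unary test, so a missing keyfile was never detected.)
  if [ -n "$OCF_RESKEY_keyfile" ]; then
    if [ ! -f "$OCF_RESKEY_keyfile" ] || [ ! -r "$OCF_RESKEY_keyfile" ]; then
      ocf_log err "Keyfile '${OCF_RESKEY_keyfile}' does not exist or is not readable."
      return $OCF_ERR_ARGS
    fi
  fi
  # does the keyscript exist and is it executable?  luks_start runs it
  # directly, so a non-executable script would fail only at start time.
  if [ -n "$OCF_RESKEY_keyscript" ]; then
    if [ ! -f "$OCF_RESKEY_keyscript" ] || [ ! -x "$OCF_RESKEY_keyscript" ]; then
      ocf_log err "Keyscript '${OCF_RESKEY_keyscript}' does not exist or is not executable."
      return $OCF_ERR_ARGS
    fi
  fi
  # does the encrypted device exist?  luks_start opens /dev/$device, so
  # test exactly that path instead of grepping lsblk output (which only
  # matched top-level entries and used the parameter as an unescaped regex).
  if [ ! -b "/dev/$OCF_RESKEY_device" ]; then
    ocf_log err "/dev/${OCF_RESKEY_device} is not a block device."
    return $OCF_ERR_ARGS
  fi
  # for OCF_RESKEY_options, the manpage says :
  # <options> can be [--key-file, --keyfile-offset, --keyfile-size, --readonly, --test-passphrase,
  # --allow-discards, --header, --key-slot, --master-key-file].
  # FIXME: Not testing validity of OCF_RESKEY_options for now.
  return $OCF_SUCCESS
}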
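# Defaults for the CRM meta attributes when run outside the cluster manager.
: "${OCF_RESKEY_CRM_meta_interval=0}"
: "${OCF_RESKEY_CRM_meta_globally_unique:="true"}"
# Dispatch on the requested action; the action function's return status
# becomes the agent's exit status below.
case "$__OCF_ACTION" in
  meta-data)
    meta_data
    exit $OCF_SUCCESS
    ;;
  start)        luks_start;;
  stop)         luks_stop;;
  monitor)      luks_monitor;;
  migrate_to)
    ocf_log info "Migrating ${OCF_RESOURCE_INSTANCE} to ${OCF_RESKEY_CRM_meta_migrate_target}."
    luks_stop
    ;;
  migrate_from)
    # migrate_source is where the resource comes from, so log "from".
    ocf_log info "Migrating ${OCF_RESOURCE_INSTANCE} from ${OCF_RESKEY_CRM_meta_migrate_source}."
    luks_start
    ;;
  reload)
    ocf_log err "Reloading..."
    luks_start
    ;;
  validate-all) luks_validate;;
  usage|help)
    luks_usage
    exit $OCF_SUCCESS
    ;;
  *)
    luks_usage
    exit $OCF_ERR_UNIMPLEMENTED
    ;;
esac
# $? is the status of the last command run inside the case arm.
rc=$?
ocf_log debug "${OCF_RESOURCE_INSTANCE} $__OCF_ACTION : $rc"
exit $rc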