From 257b2ee6f634e7c8305161d196c62113dea9d286 Mon Sep 17 00:00:00 2001 From: downtownallday Date: Mon, 22 Jun 2020 12:03:13 -0400 Subject: [PATCH] Integrate encryption-at-rest support --- .travis.yml | 2 - ehdd/README.md | 35 +++++++++++++++ ehdd/mount.sh | 2 +- ehdd/shutdown.sh | 14 ++++++ ehdd/start-encrypted.sh | 13 +++--- setup/start.sh | 3 ++ tests/system-setup/remote-nextcloud-docker.sh | 2 +- tests/system-setup/setup-defaults.sh | 10 ++--- tests/system-setup/setup-funcs.sh | 41 +++++++++++++++++- tests/system-setup/upgrade-from-upstream.sh | 2 + tests/vagrant/Vagrantfile | 43 +++++++++++++------ 11 files changed, 136 insertions(+), 31 deletions(-) create mode 100644 ehdd/README.md create mode 100755 ehdd/shutdown.sh diff --git a/.travis.yml b/.travis.yml index 9ca03542..8ca14149 100644 --- a/.travis.yml +++ b/.travis.yml @@ -36,7 +36,6 @@ jobs: script: # launch automated tests, but skip tests that require remote # smtp support because Travis-CI blocks outgoing port 25 - - sudo touch /etc/dovecot/sieve-spam.svbin - sudo tests/runner.sh -dumpoutput -no-smtp-remote default remote-nextcloud upgrade-basic # JOB: Upgrade from upstream install @@ -49,5 +48,4 @@ jobs: script: # launch automated tests, but skip tests that require remote # smtp support because Travis-CI blocks outgoing port 25 - - sudo touch /etc/dovecot/sieve-spam.svbin - sudo tests/runner.sh -dumpoutput -no-smtp-remote default upgrade-basic diff --git a/ehdd/README.md b/ehdd/README.md new file mode 100644 index 00000000..fe2d0595 --- /dev/null +++ b/ehdd/README.md @@ -0,0 +1,35 @@ +# Encryption-at-rest support + +This directory contains support for encryption-at-rest of the +user-data directory. Also known as STORAGE_ROOT, the user-data +directory is typically located at /home/user-data, and is where +non-system data is stored, like email, ssl certificates, backups, etc. + +Encryption-at-rest of STORAGE_ROOT is provided by a LUKS formatted +hard disk (file) created and stored at /home/user-data.HDD. + +To enable encryption-at-rest ON A FRESH INSTALL, you must run +`ehdd/setup-encrypted.sh` instead of setup/start.sh. This will set +things up by creating and mounting the encypted disk for +/home/user-data. Once created and mounted, setup/start.sh is run to +continue normal setup operation. + +At the end of setup, services that utilize /home/user-data will be +disabled from starting automatically after a reboot (because +/home/user-data will not have been mounted). Run `ehdd/startup.sh` +after a reboot to remount the encrypted hard drive and launch the +disabled services. + +Do not forget your encryption passphrase - otherwise your +/home/user-data files will be unrecoverable! + +For a non-interactive install, setting EHDD_GB will create a luks +drive of that size without prompting, and EHDD_KEYFILE must be set to +a file containing the encryption key (the file should not have any +newlines). DO NOT USE A KEYFILE ON A PRODUCTION MACHINE. + +To upgrade a system to encryption-at-rest, shut down all services that +use STORAGE_ROOT (postfix, dovecot, slapd, etc). Rename STORAGE_ROOT +to something else. Run ehdd/create_hdd.sh, then ehdd/mount.sh. Copy or +move the contents of the renamed directory to STORAGE_ROOT. Restart +all services. diff --git a/ehdd/mount.sh b/ehdd/mount.sh index 64836149..36accea9 100755 --- a/ehdd/mount.sh +++ b/ehdd/mount.sh @@ -3,7 +3,7 @@ . "ehdd/ehdd_funcs.sh" || exit 1 if [ ! -e "$EHDD_IMG" ]; then - echo "Warning: ecrypted HDD not found at $EHDD_IMG, not mounting" + echo "No ecrypted HDD not found at $EHDD_IMG, not mounting" exit 0 fi diff --git a/ehdd/shutdown.sh b/ehdd/shutdown.sh new file mode 100755 index 00000000..ad593289 --- /dev/null +++ b/ehdd/shutdown.sh @@ -0,0 +1,14 @@ +#!/bin/bash +if [ -s /etc/mailinabox.conf ]; then + systemctl stop mailinabox + systemctl stop nginx + systemctl stop php7.2-fpm + systemctl stop postfix + systemctl stop dovecot + systemctl stop cron + #systemctl stop nsd + [ -x /usr/sbin/slapd ] && systemctl stop slapd + systemctl stop fail2ban +fi + +ehdd/umount.sh diff --git a/ehdd/start-encrypted.sh b/ehdd/start-encrypted.sh index b2c9a86f..fc3fc4d2 100755 --- a/ehdd/start-encrypted.sh +++ b/ehdd/start-encrypted.sh @@ -21,13 +21,10 @@ elif [ ! -e "$EHDD_IMG" ]; then fi - -if ehdd/mount.sh; then - setup/start.sh $@ - if [ $? -eq 0 ]; then - ehdd/postinstall.sh || exit 1 - else - echo "setup/start.sh failed" - fi +setup/start.sh $@ +if [ $? -eq 0 ]; then + ehdd/postinstall.sh || exit 1 +else + echo "setup/start.sh failed" fi diff --git a/setup/start.sh b/setup/start.sh index 91848873..31cf0121 100755 --- a/setup/start.sh +++ b/setup/start.sh @@ -27,6 +27,9 @@ export LC_TYPE=en_US.UTF-8 # Fix so line drawing characters are shown correctly in Putty on Windows. See #744. export NCURSES_NO_UTF8_ACS=1 +# if encryption-at-rest is enabled, make sure the drive is mounted +ehdd/mount.sh + # Recall the last settings used if we're running this a second time. if [ -f /etc/mailinabox.conf ]; then # Run any system migrations before proceeding. Since this is a second run, diff --git a/tests/system-setup/remote-nextcloud-docker.sh b/tests/system-setup/remote-nextcloud-docker.sh index c1a72826..f9beb5c7 100755 --- a/tests/system-setup/remote-nextcloud-docker.sh +++ b/tests/system-setup/remote-nextcloud-docker.sh @@ -47,7 +47,7 @@ fi init() { H1 "INIT" init_test_system - init_miab_testing || die "Initialization failed" + init_miab_testing || die "Initialization failed" } diff --git a/tests/system-setup/setup-defaults.sh b/tests/system-setup/setup-defaults.sh index 2f2bfe06..d36612e9 100755 --- a/tests/system-setup/setup-defaults.sh +++ b/tests/system-setup/setup-defaults.sh @@ -1,6 +1,7 @@ #!/bin/bash # Used by setup/start.sh +export PRIMARY_HOSTNAME=${PRIMARY_HOSTNAME:-$(hostname --fqdn || hostname)} export NONINTERACTIVE=${NONINTERACTIVE:-1} export SKIP_NETWORK_CHECKS=${SKIP_NETWORK_CHECKS:-1} export STORAGE_USER="${STORAGE_USER:-user-data}" @@ -10,11 +11,10 @@ export EMAIL_PW="${EMAIL_PW:-Test_1234}" export PUBLIC_IP="${PUBLIC_IP:-$(source ${MIAB_DIR:-.}/setup/functions.sh; get_default_privateip 4)}" export LOCAL_MODS_DIR="${LOCAL_MODS_DIR:-local}" -if [ "$TRAVIS" == "true" ]; then - export PRIMARY_HOSTNAME=${PRIMARY_HOSTNAME:-box.abc.com} -elif [ -z "$PRIMARY_HOSTNAME" ]; then - export PRIMARY_HOSTNAME=${PRIMARY_HOSTNAME:-$(hostname --fqdn || hostname)} -fi +# Used by ehdd/start-encrypted.sh +export EHDD_KEYFILE="${EHDD_KEYFILE:-}" +export EHDD_GB="${EHDD_GB:-2}" + # Placing this var in STORAGE_ROOT/ldap/miab_ldap.conf before running # setup/start.sh will avoid a random password from being used for the diff --git a/tests/system-setup/setup-funcs.sh b/tests/system-setup/setup-funcs.sh index 2416bd1e..12837dda 100755 --- a/tests/system-setup/setup-funcs.sh +++ b/tests/system-setup/setup-funcs.sh @@ -102,6 +102,17 @@ init_miab_testing() { && echo "Error: STORAGE_ROOT not set" 1>&2 \ && return 1 + # If EHDD_KEYFILE is set, use encryption-at-rest support. The + # drive must be created and mounted so that our QA files can be + # copied there. + H2 "Encryption-at-rest" + if [ ! -z "$EHDD_KEYFILE" ]; then + ehdd/create_hdd.sh ${EHDD_GB} || die "create luks drive failed" + ehdd/mount.sh || die "unable to mount luks drive" + else + echo "Not configured for encryption-at-rest" + fi + H2 "QA prerequisites" local rc=0 @@ -129,6 +140,11 @@ init_miab_testing() { echo "LDAP_NEXTCLOUD_PASSWORD=\"$LDAP_NEXTCLOUD_PASSWORD\"" >> $STORAGE_ROOT/ldap/miab_ldap.conf fi fi + + # now that we've copied our files, unmount STORAGE_ROOT if + # encryption-at-rest was enabled + ehdd/umount.sh + return $rc } @@ -155,21 +171,42 @@ tag_from_readme() { } +workaround_dovecot_sieve_bug() { + # Workaround a bug in dovecot/sieve that causes attempted sieve + # compilation when a compiled sieve has the same date as the + # source file. The fialure occurs with miab-installed "spam" + # sieve, which can't be recompiled due to the read-only /etc + # filesystem restriction in systemd (ProtectSystem=efull is set, + # see `systemctl cat dovecot.service`). + sleep 1 + touch /etc/dovecot/sieve-spam.svbin +} + + miab_ldap_install() { H1 "MIAB-LDAP INSTALL" # ensure we're in a MiaB-LDAP working directory if [ ! -e setup/ldap.sh ]; then die "Cannot install: the working directory is not MiaB-LDAP!" fi + + # if EHDD_KEYFILE is set, use encryption-at-rest support + if [ ! -z "$EHDD_KEYFILE" ]; then + ehdd/start-encrypted.sh + else + setup/start.sh + fi - if ! setup/start.sh; then + if [ $? -ne 0 ]; then H1 "OUTPUT OF SELECT FILES" dump_file "/var/log/syslog" 100 dump_conf_files "$TRAVIS" H2; H2 "End"; H2 - die "MiaB-LDAP setup/start.sh failed!" + die "MiaB-LDAP setup failed!" fi + workaround_dovecot_sieve_bug + # set actual STORAGE_ROOT, STORAGE_USER, PRIVATE_IP, etc . /etc/mailinabox.conf || die "Could not source /etc/mailinabox.conf" } diff --git a/tests/system-setup/upgrade-from-upstream.sh b/tests/system-setup/upgrade-from-upstream.sh index 7384f188..3793e3ac 100755 --- a/tests/system-setup/upgrade-from-upstream.sh +++ b/tests/system-setup/upgrade-from-upstream.sh @@ -88,6 +88,8 @@ upstream_install() { fi popd >/dev/null + workaround_dovecot_sieve_bug + H2 "Upstream info" echo "Code version: $(git describe)" echo "Migration version: $(cat "$STORAGE_ROOT/mailinabox.version")" diff --git a/tests/vagrant/Vagrantfile b/tests/vagrant/Vagrantfile index aecd35bd..8e019e93 100644 --- a/tests/vagrant/Vagrantfile +++ b/tests/vagrant/Vagrantfile @@ -4,23 +4,42 @@ Vagrant.configure("2") do |config| config.vm.synced_folder "../..", "/mailinabox", id: "mailinabox", automount: false config.vm.provision "file", source:"globals.sh", destination:"globals.sh" - # remote-nextcloud-docker + # fresh install with encryption-at-rest - config.vm.define "remote-nextcloud-docker" do |m1| + config.vm.define "remote-nextcloud-docker-ehdd" do |m1| m1.vm.box = "ubuntu/bionic64" m1.vm.provision :shell, :inline => <<-SH source globals.sh || exit 1 export PRIMARY_HOSTNAME=qa1.abc.com export FEATURE_MUNIN=false +export EHDD_KEYFILE=$HOME/keyfile +echo -n "boo" >$EHDD_KEYFILE cd /mailinabox -if tests/system-setup/remote-nextcloud-docker.sh upgrade basic -then - tests/runner.sh default remote-nextcloud upgrade-basic +tests/system-setup/remote-nextcloud-docker.sh; rc=$? +if [ $rc -eq 0 ]; then + tests/runner.sh default remote-nextcloud; rc=$? fi -echo "EXITCODE: $?" +echo "EXITCODE: $rc" SH end - + + # remote-nextcloud-docker w/basic data + + config.vm.define "remote-nextcloud-docker" do |m1| + m1.vm.box = "ubuntu/bionic64" + m1.vm.provision :shell, :inline => <<-SH +source globals.sh || exit 1 +export PRIMARY_HOSTNAME=qa2.abc.com +export FEATURE_MUNIN=false +cd /mailinabox +tests/system-setup/remote-nextcloud-docker.sh upgrade basic; rc=$? +if [ $rc -eq 0 ]; then + tests/runner.sh default remote-nextcloud upgrade-basic; rc=$? +fi +echo "EXITCODE: $rc" +SH + end + # upgrade-from-upstream @@ -28,14 +47,14 @@ SH m2.vm.box = "ubuntu/bionic64" m2.vm.provision :shell, :inline => <<-SH source globals.sh || exit 1 -export PRIMARY_HOSTNAME=qa2.abc.com +export PRIMARY_HOSTNAME=qa3.abc.com export UPSTREAM_TAG=master cd /mailinabox -if tests/system-setup/upgrade-from-upstream.sh basic -then - tests/runner.sh default upgrade-basic +tests/system-setup/upgrade-from-upstream.sh basic; rc=$? +if [ $rc -eq 0 ]; then + tests/runner.sh default upgrade-basic; rc=$? fi -echo "EXITCODE: $?" +echo "EXITCODE: $rc" SH end