Replace crypttab with lineinfile #228
Crypttab is not available in ansible-core, hence need to replace it
name: "{{ entry.name }}" | ||
backing_device: "{{ entry.backing_device }}" | ||
password: "{{ entry.password }}" | ||
lineinfile: |
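Review bot: with `password: "{{ entry.password }}"` moving from a module parameter to a `lineinfile:` task, the secret becomes part of the line text the task renders if it is written into the entry. Set `no_log: true` on the task so the rendered line does not show up in task output or diffs, and give the file an explicit restrictive `mode`.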
Hi @dwlehman, do you know if we can use the `cryptsetup` command for this? I didn't find a way to set password via it, and the `crypttab` module simply handles the config file, so I ended up using `lineinfile`, but maybe you can help.
The current solution with the `lineinfile` module works in `tests_luks*` consistently.
Thank you
as far as I can tell - the `cryptsetup` command is used for modifying the runtime configuration, not the persistent configuration - it doesn't modify `/etc/crypttab` - the `crypttab` module only modifies the persistent configuration, it does not modify the runtime configuration
Are the changes I made good to go then?
> Are the changes I made good to go then?

I think so - let's see if we can get some better test results.
[citest]
[citest bad]
[citest pending]
[citest bad]
@spetrosi looks like the tests_luks.yml test is failing, and it looks like it has something to do with crypttab:
This is rhel 8.5 and rhel 9
Use lower case title for consistency Set mode properly
lgtm
[citest]
There is definitely a bug with the new implementation.
The issue was that the crypttab module allowed removing entries from /etc/crypttab without providing a password. I made lineinfile ignore the password when
[citest pending]
[citest bad]
lgtm
tasks/main-blivet.yml
state: "{{ entry.state }}" | ||
create: true | ||
mode: "{{ __storage_crypttab.stat.mode | d('0600') }}" | ||
mode: "{{ __storage_crypttab.stat.mode | d('0622') }}" |
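Review bot: on the last `mode:` line, the `d('0622')` fallback creates the file writable by group and others yet unreadable to them, which `create: true` will apply to a fresh file; keep `d('0600')` as on the line above it. Separately, the fallback is only used when `__storage_crypttab.stat.mode` is undefined, so an existing file keeps whatever mode it already has, including a loose one; consider setting the mode unconditionally.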
this is an unusual mode - `-rw--w--w-` - the file has to be writable by all but not readable?
Sorry my bad, it should be `-rw-r--r--`, changed to 0644 now.
does the file have to be world-readable? It has a password in it?
On master, the role does `0600`. I mistakenly used `0644` because that's what lineinfile does by default. The file indeed stores an unencrypted password in it, so `0600` is the way to go. Sorry for the confusion and thank you for the thorough review!
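As an added example (not part of this pull request or the role's code), a small Python audit for the concern raised in the mode discussion above: it flags a crypttab file whose mode grants group or other access and entries whose key field holds a literal password. The sample entries, the function names, and the rule that a key field which is neither `none`/`-` nor an absolute path is a password are assumptions made for this illustration.

```python
import os
import stat
import tempfile

# Third-field values that mean "no key material stored here".
NO_KEY = {"", "none", "-"}

# Constructed sample: one entry with an inline password, one with a key file,
# one that prompts at boot.
SAMPLE = """\
# <name> <device> <key> <options>
luks-data  /dev/sdb1  Sup3rS3cret  luks
luks-home  UUID=0000-constructed  /etc/keys/home.key  luks
luks-swap  /dev/sdc1  none  swap
"""

def parse_crypttab(text):
    """Yield (lineno, name, key_field) per entry, skipping comments and blanks."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        key = fields[2] if len(fields) > 2 else ""
        yield lineno, fields[0], key

def audit_crypttab(path):
    """Return findings for loose permissions and inline secrets (never echoed)."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        findings.append(f"mode {mode:04o} grants group/other access; expected 0600")
    with open(path) as fh:
        for lineno, name, key in parse_crypttab(fh.read()):
            # Assumption: anything that is not none/- or an absolute path is a password.
            if key not in NO_KEY and not key.startswith("/"):
                findings.append(f"line {lineno}: entry {name!r} stores an inline secret")
    return findings

def write_sample(mode):
    """Write SAMPLE to a temp file with the given mode and return its path."""
    fd, path = tempfile.mkstemp(prefix="crypttab-")
    with os.fdopen(fd, "w") as fh:
        fh.write(SAMPLE)
    os.chmod(path, mode)
    return path

if __name__ == "__main__":
    for m in (0o644, 0o622, 0o600):
        print(f"{m:04o}:", audit_crypttab(write_sample(m)))
```

Running it against the real `/etc/crypttab` needs read access to that file, which with mode 0600 means running as root.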
[citest]
[citest bad]