Replace crypttab with lineinfile #228
Conversation
Crypttab is not available in ansible-core, hence need to replace it
| name: "{{ entry.name }}" | ||
| backing_device: "{{ entry.backing_device }}" | ||
| password: "{{ entry.password }}" | ||
| lineinfile: |
There was a problem hiding this comment.
Hi @dwlehman, do you know if we can use the cryptsetup command for this? I didn't find a way to set password via it, and the crypttab module simply handles the config file, so I ended up using lineinfile, but maybe you can help.
The current solution with the lineinfile module works in tests_luks* consistently.
Thank you
There was a problem hiding this comment.
as far as I can tell - the cryptsetup command is used for modifying the runtime configuration, not the persistent configuration - it doesn't modify /etc/crypttab - the crypttab module only modifies the persistent configuration, it does not modify the runtime configuration
There was a problem hiding this comment.
Are the changes I made good to go then?
There was a problem hiding this comment.
Are the changes I made good to go then?
I think so - let's see if we can get some better test results.
[citest]
|
[citest bad] |
|
[citest pending] |
|
[citest bad] |
|
@spetrosi looks like the tests_luks.yml test is failing, and it looks like it has something to do with crypttab: This is rhel 8.5 and rhel 9 |
spetrosi
force-pushed
the
replace-crypttab
branch
2 times, most recently
from
6efc053
to
8161493
Compare
spetrosi
force-pushed
the
replace-crypttab
branch
from
8161493
to
17da2f5
Compare
Use lower case title for consistency Set mode properly
spetrosi
force-pushed
the
replace-crypttab
branch
from
17da2f5
to
acc112e
Compare
|
[citest] |
|
There is definitely a bug with the new implementation. |
The issue was that the crypttab module allowed removing entries from /etc/crypttab without providing a password. I made lineinfile ignore the password when |
|
[citest pending] |
|
[citest bad] |
spetrosi
force-pushed
the
replace-crypttab
branch
from
f04b152
to
b6d84f2
Compare
tasks/main-blivet.yml
Outdated
| state: "{{ entry.state }}" | ||
| create: true | ||
| mode: "{{ __storage_crypttab.stat.mode | d('0600') }}" | ||
| mode: "{{ __storage_crypttab.stat.mode | d('0622') }}" |
There was a problem hiding this comment.
this is an unusual mode - -rw--w--w- - the file has to be writable by all but not readable?
There was a problem hiding this comment.
Sorry my bad, it should be -rw-r--r--, changed to 0644 now.
There was a problem hiding this comment.
does the file have to be world-readable? It has a password in it?
There was a problem hiding this comment.
On master, the role does 0600. I mistakenly used 0644 because that's what lineinfile does by default. The file indeed stores an unencrypted password in it, so 0600 is the way to go. Sorry for the confusion and thank you for the thorough review!
spetrosi
force-pushed
the
replace-crypttab
branch
from
b6d84f2
to
ec52403
Compare
spetrosi
force-pushed
the
replace-crypttab
branch
from
ec52403
to
fad0ad0
Compare
|
[citest] |
|
[citest bad] |
Crypttab is not available in ansible-core, hence need to replace it