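#!/bin/bash
# Convert an LKE base Debian install into an encrypted root filesystem on a
# second raw disk (default /dev/sdb), unlocked at boot through a Tang server
# via clevis, then switch the Linode to direct-disk boot and reboot it.
#
# Usage: luks_setup.sh        (run as root on the node; no arguments)
#
# Optional environment overrides (defaults are the values that used to be
# hard-coded in this script):
#   TARGET_DISK  raw disk that receives /boot and the LUKS root   (/dev/sdb)
#   SOURCE_DISK  disk holding the current plaintext root; it is wiped by
#                /etc/rc.local on the first encrypted boot            (/dev/sda)
#   TANG_URL     Tang server the LUKS slot is bound to      (http://50.116.0.10)
#   TANG_THP     optional Tang key thumbprint; when set it is pinned in the
#                clevis config, otherwise -y trusts whatever key the server
#                advertises on first contact
#   DNS_SERVER   nameserver placed in the kernel ip= parameter      (8.8.8.8)
#
# Exit status: 0 when the node is skipped (no raw disk / already encrypted)
# or the reboot was requested; non-zero when any setup step fails.  The
# script aborts on the first failed command so a half-converted node is not
# rebooted into an unbootable state.
set -Eeu
trap 'printf "luks_setup: failed at line %s: %s\n" "$LINENO" "$BASH_COMMAND" >&2' ERR

export KUBECONFIG=/etc/kubernetes/kubelet.conf
export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
export DEBIAN_FRONTEND=noninteractive

readonly TARGET_DISK="${TARGET_DISK:-/dev/sdb}"
readonly SOURCE_DISK="${SOURCE_DISK:-/dev/sda}"
readonly TANG_URL="${TANG_URL:-http://50.116.0.10}"
readonly TANG_THP="${TANG_THP:-}"
readonly DNS_SERVER="${DNS_SERVER:-8.8.8.8}"
readonly MAPPER_NAME=secure
# Partitions created by make_partitions().  The "${TARGET_DISK}N" naming
# assumes an sdX-style device (nvme devices use a "pN" suffix instead).
readonly BOOT_PART="${TARGET_DISK}2"
readonly ROOT_PART="${TARGET_DISK}3"

# LUKS passphrase, set in main().  Kept out of the exported environment so
# it is only visible to the two processes that actually need it.
LUKS_KEY=

die() { printf 'luks_setup: %s\n' "$*" >&2; exit 1; }
log() { printf '%s\n' "$*"; }

#######################################
# Skip the node (exit 0) unless TARGET_DISK exists and the encrypted root is
# not already active.  The lsblk test only proves the device is present; it
# does not inspect existing partitions.  Exit 0 is kept for both skip cases
# so a caller that runs this on every node is not failed by idle nodes.
#######################################
check_preconditions() {
  if ! lsblk "$TARGET_DISK" | grep -q "NAME"; then
    log "Invalid disk configuration. $TARGET_DISK must be a raw disk to hold encrypted contents."
    exit 0
  fi
  if cryptsetup status "$MAPPER_NAME" | grep -q "/dev/mapper/$MAPPER_NAME is active and is in use"; then
    log "This instance is already running an encrypted filesystem."
    exit 0
  fi
}

#######################################
# Wait until no other node is cordoned, then drain this node and stop the
# container runtime so the root filesystem is quiescent for rsync.
# Arguments: $1 - this node's name
#######################################
drain_node() {
  local node_name=$1
  local unit
  # Serialise conversions across the cluster: wait while any node is cordoned.
  # grep reads all of kubectl's output so the pipeline is not cut short.
  while kubectl get nodes | grep SchedulingDisabled >/dev/null; do
    log "Waiting for all other nodes to leave drain status"
    sleep 10
  done
  kubectl drain "$node_name" --ignore-daemonsets || die "kubectl drain $node_name failed"
  # Only stop units that are actually active: a missing unit (e.g. docker on a
  # containerd-only node) must not abort the script, but a failed stop of a
  # running unit must, since kubelet would keep restarting pods during the copy.
  for unit in kubelet docker docker.socket containerd; do
    if systemctl is-active --quiet "$unit"; then
      systemctl stop "$unit"
    fi
  done
}

#######################################
# Write /etc/rc.local for the first boot from the encrypted disk: relabel
# and uncordon the node, wipe the old plaintext disk, then remove itself.
# The node name and device names are expanded now; everything else runs
# on the rebooted system.  rc.local is written before the rsync so it is
# carried over to the new root.
# Arguments: $1 - this node's name
#######################################
write_first_boot_hook() {
  local node_name=$1
  cat > /etc/rc.local <<EOF
#!/bin/bash
export KUBECONFIG=/etc/kubernetes/kubelet.conf
cd /root
export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
if cryptsetup status $MAPPER_NAME | grep -q "/dev/mapper/$MAPPER_NAME is active and is in use"; then
kubectl label nodes $node_name luks=enabled
kubectl uncordon $node_name
dd if=/dev/zero of=$SOURCE_DISK bs=500M status=progress
mkfs.ext4 $SOURCE_DISK -F
rm /etc/rc.local
exit 0
fi
EOF
  chmod +x /etc/rc.local
}

#######################################
# Print the dotted-quad netmask for a CIDR prefix length.
# Arguments: $1 - prefix length, 0..32
# Outputs:   netmask on stdout
#######################################
prefix_to_netmask() {
  local prefix=$1
  local mask
  mask=$(( (0xffffffff << (32 - prefix)) & 0xffffffff ))
  printf '%d.%d.%d.%d\n' \
    $(( (mask >> 24) & 255 )) $(( (mask >> 16) & 255 )) \
    $(( (mask >> 8) & 255 )) $(( mask & 255 ))
}

#######################################
# Put a static ip= kernel parameter into /etc/default/grub, because DHCP in
# the initrd is unreliable and the Tang unlock needs the network up.
# The address, interface and gateway come from the primary default route.
# Globals: DNS_SERVER (read)
#######################################
configure_grub_network() {
  local route iface gateway cidr addr prefix netmask
  route=$(ip -4 route show default | head -n 1)
  iface=$(awk '{ for (i = 1; i <= NF; i++) if ($i == "dev") print $(i + 1) }' <<<"$route")
  gateway=$(awk '{ for (i = 1; i <= NF; i++) if ($i == "via") print $(i + 1) }' <<<"$route")
  [[ -n "$iface" ]] || die "no default route found; cannot derive a static IP for the initrd"
  cidr=$(ip -4 -o addr show dev "$iface" | awk '{ print $4; exit }')
  addr=${cidr%/*}
  prefix=${cidr#*/}
  [[ -n "$addr" ]] || die "no IPv4 address found on $iface"
  # Fall back to the former heuristics when the route carries no "via" hop or
  # the address has no prefix: .1 in the host's /24, netmask /24.
  [[ -n "$gateway" ]] || gateway="${addr%.*}.1"
  if [[ "$prefix" =~ ^[0-9]+$ ]] && (( prefix <= 32 )); then
    netmask=$(prefix_to_netmask "$prefix")
  else
    netmask=255.255.255.0
  fi
  log "IP: $addr"
  log "Default Gateway: $gateway"
  # Kernel parameter layout:
  # ip=<client-ip>:<server-ip>:<gw-ip>:<netmask>:<hostname>:<device>:<autoconf>:<dns>
  sed -i "s|GRUB_CMDLINE_LINUX_DEFAULT=\"\"|GRUB_CMDLINE_LINUX_DEFAULT=\"ip=$addr::$gateway:$netmask::::$DNS_SERVER\"|" /etc/default/grub
  # The substitution only matches an empty default line; fail loudly rather
  # than booting an initrd without network configuration.
  grep -q "ip=$addr" /etc/default/grub \
    || die "GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub is not empty; static ip= was not inserted"
}

#######################################
# Partition TARGET_DISK as GPT: a 1 MiB BIOS-boot partition (type 4), a
# 2 GiB /boot and the remainder for the LUKS container, then format /boot.
# Blank lines in the fdisk input accept the default first/last sector
# prompts.  ROOT_PART is not formatted here; luksFormat overwrites it.
#######################################
make_partitions() {
  fdisk "$TARGET_DISK" <<'EOF'
g
n
1
2048
4096
t
4
n
2

+2G
n
3


w
EOF
  mkfs.ext4 "$BOOT_PART"
}

#######################################
# Install the packages the encrypted root needs (clevis/cryptsetup initramfs
# hooks, rsync for the copy).
#######################################
install_packages() {
  apt-get update
  apt-get upgrade -yq
  apt-get install -y joe net-tools clevis clevis-systemd clevis-luks clevis-initramfs cryptsetup-initramfs rsync
}

#######################################
# Create and open the LUKS2 container on ROOT_PART and mount the new root
# tree under /mnt with /boot on BOOT_PART.
# Globals: LUKS_KEY (read)
#######################################
create_encrypted_root() {
  # The passphrase is fed on stdin without a trailing newline; the clevis
  # binding later passes exactly the same bytes, so the two cannot disagree.
  printf '%s' "$LUKS_KEY" | cryptsetup -q luksFormat --type luks2 "$ROOT_PART" -d -
  printf '%s' "$LUKS_KEY" | cryptsetup luksOpen "$ROOT_PART" "$MAPPER_NAME" -d -
  mkfs.ext4 "/dev/mapper/$MAPPER_NAME"
  mount "/dev/mapper/$MAPPER_NAME" /mnt
  mkdir -p /mnt/boot
  mount "$BOOT_PART" /mnt/boot/
}

#######################################
# Copy the running root into /mnt, recreate the excluded mount points and
# bind the pseudo filesystems the chroot step needs.
#######################################
copy_root() {
  local dir
  rsync -aAX / /mnt/ --exclude /sys/ --exclude /proc/ --exclude /dev/ --exclude /tmp/ --exclude /media/ --exclude /mnt/ --exclude /run/
  for dir in sys proc dev tmp media mnt run; do
    mkdir -p "/mnt/$dir"
  done
  # /tmp was excluded from the copy, so give the new one the usual mode.
  chmod 1777 /mnt/tmp
  mount -t proc none /mnt/proc
  mount -o bind /dev /mnt/dev
  mount -t sysfs sys /mnt/sys
}

#######################################
# Inside the new root: write fstab/crypttab, install grub, bind the LUKS
# slot to Tang and rebuild the initramfs.  The helper script is generated
# with the partition UUIDs expanded, but the passphrase is deliberately NOT
# written into it: the chroot reads LUKS_KEY from the environment of the
# chroot call, so the key never lands in a file.
# Globals: LUKS_KEY, TANG_URL, TANG_THP (read)
#######################################
configure_new_root() {
  local boot_uuid root_uuid tang_cfg
  boot_uuid=$(lsblk --nodeps --noheadings -o UUID "$BOOT_PART")
  root_uuid=$(lsblk --nodeps --noheadings -o UUID "$ROOT_PART")
  [[ -n "$boot_uuid" && -n "$root_uuid" ]] || die "could not read the UUIDs of $BOOT_PART / $ROOT_PART"
  if [[ -n "$TANG_THP" ]]; then
    tang_cfg=$(printf '{"url": "%s", "thp": "%s"}' "$TANG_URL" "$TANG_THP")
  else
    tang_cfg=$(printf '{"url": "%s"}' "$TANG_URL")
  fi
  cat > /mnt/tmp/chroot.sh <<EOFF
#!/bin/sh
cat > /etc/fstab <<EOF
/dev/mapper/$MAPPER_NAME / ext4 defaults 0 1
UUID=$boot_uuid /boot ext4 defaults 0 0
EOF
cat > /etc/crypttab <<EOF
$MAPPER_NAME UUID=$root_uuid none
EOF
update-grub
grub-install $TARGET_DISK
printf '%s' "\$LUKS_KEY" | clevis luks bind -y -d $ROOT_PART tang '$tang_cfg' -k -
mkdir -p /var/tmp
update-initramfs -u -k all
EOFF
  chmod 700 /mnt/tmp/chroot.sh
  LUKS_KEY="$LUKS_KEY" chroot /mnt /tmp/chroot.sh
  rm -f /mnt/tmp/chroot.sh
  umount /mnt/proc
  umount /mnt/dev
  umount /mnt/sys
  umount /mnt/boot
}

#######################################
# Install linode-cli, point the Linode's configuration profile at the new
# disk with direct-disk boot, and reboot.  The API token is taken from the
# cluster's "linode" secret and is never printed or written under /root;
# linode-cli's first-run prompts are answered from a here-document.
# Arguments: $1 - this node's name
#######################################
switch_to_direct_boot() {
  local node_name=$1
  local api_token region provider_id linode_id config_id
  apt-get install -y pip
  pip3 install linode-cli
  api_token=$(kubectl -n kube-system get secret linode -o jsonpath='{.data.token}' | base64 -d)
  region=$(kubectl -n kube-system get secret linode -o jsonpath='{.data.region}' | base64 -d)
  # providerID has the form linode://<id>; keep the trailing id only.
  provider_id=$(kubectl get node "$node_name" -o jsonpath='{.spec.providerID}')
  linode_id=${provider_id##*/}
  [[ -n "$api_token" && -n "$linode_id" ]] || die "could not read the Linode API token or node id from the cluster"
  log "Linode Region: $region"
  log "Linode ID: $linode_id"
  rm -f ~/.config/linode-cli
  linode-cli >/dev/null <<EOF
$api_token
1
1
1
1
1
EOF
  log "Linodes in Cluster:"
  linode-cli linodes list --text
  # NOTE(review): uses the first listed profile; the previous version passed
  # every profile id, which only worked with a single profile.  Confirm the
  # first one is the profile that should be switched when several exist.
  config_id=$(linode-cli linodes configs-list "$linode_id" --text --no-headers | awk 'NR == 1 { print $1 }')
  [[ -n "$config_id" ]] || die "no configuration profile found for Linode $linode_id"
  log "Linode Config ID: $config_id"
  linode-cli linodes config-update "$linode_id" "$config_id" --kernel linode/direct-disk --root_device "$TARGET_DISK" --label "LUKS Encrypted Direct Boot"
  linode-cli linodes reboot "$linode_id"
}

main() {
  local node_name
  cd /root
  node_name=$(hostname)
  check_preconditions
  drain_node "$node_name"
  write_first_boot_hook "$node_name"
  configure_grub_network
  make_partitions
  install_packages
  # 256-bit random passphrase as 64 hex characters (same form as the previous
  # sha256sum-derived key, without the detour through base64 and awk).
  LUKS_KEY=$(openssl rand -hex 32)
  create_encrypted_root
  copy_root
  configure_new_root
  switch_to_direct_boot "$node_name"
}

main "$@"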