mirror of
https://github.com/balena-os/balena-supervisor.git
synced 2024-12-24 07:46:41 +00:00
619f644299
On NXP iMX devices the partitions are not encrypted with LUKS but with the lower level dm-crypt subsystem. Adapt the partition mount script to use dmsetup which works for both LUKS and dm-crypt encrypted partitions. Change-type: patch Signed-off-by: Alex Gonzalez <alexg@balena.io>
196 lines
7.1 KiB
Bash
Executable File
196 lines
7.1 KiB
Bash
Executable File
#!/bin/sh
|
|
|
|
# Mounts boot, state, & data partitions from balenaOS.
|
|
# The container must be privileged for this to function correctly.
|
|
|
|
# Set overlayfs root mountpoint
|
|
export ROOT_MOUNTPOINT="/mnt/root"
|
|
|
|
# Set DBus system bus address for getting the current boot block device
|
|
export DBUS_SYSTEM_BUS_ADDRESS="${DBUS_SYSTEM_BUS_ADDRESS:-unix:path="${ROOT_MOUNTPOINT}"/run/dbus/system_bus_socket}"
|
|
|
|
# Get the block device from systemd
|
|
# The dbus-send command below should return something like:
|
|
# ```
|
|
# method return time=1680132905.878117 sender=:1.0 -> destination=:1.20155 serial=245193 reply_serial=2
|
|
# variant string "/dev/sda1"
|
|
# ```
|
|
# Usage: dbus_get_mount PARTITION
|
|
# Partition is only the label, e.g. boot, state, data
|
|
dbus_get_mount() {
|
|
part="$1"
|
|
result=$(dbus-send --system --print-reply \
|
|
--dest=org.freedesktop.systemd1 /org/freedesktop/systemd1/unit/mnt_2d${part}_2emount org.freedesktop.DBus.Properties.Get \
|
|
string:"org.freedesktop.systemd1.Mount" string:"What" | grep "string" | cut -d'"' -f2 2>&1)
|
|
# If the output doesn't match the /dev/* device regex, return empty and do not exit
|
|
if [ "$(echo "${result}" | grep -E '^/dev/')" = "" ]; then
|
|
echo ""
|
|
else
|
|
echo "${result}"
|
|
fi
|
|
}
|
|
|
|
# Identify an encrypted partition using dmsetup
|
|
# Works for both dm-crypt and LUKS encrypted partitions
|
|
# Arguments:
|
|
# 1: Partition device - will be converted to a DM device
|
|
# Returns:
|
|
# 0: The partition device is encrypted
|
|
# 1: The partition device is not encrypted
|
|
is_part_encrypted() {
|
|
_part="${1#/dev/}"
|
|
_dm_part="${_part}"
|
|
if command -v dmsetup > /dev/null; then
|
|
if [ "${_part#dm-}" = "${_part}" ]; then
|
|
# Does not start with dm-
|
|
if [ "${_part#mapper/}" = "${_part}" ]; then
|
|
# Does not start with mapper/
|
|
# Find the corresponding DM device to the partition
|
|
_dm_part=$(lsblk -nlo kname "/dev/${_dm_part}" | grep dm)
|
|
if [ -z "${_dm_part}" ]; then
|
|
# No corresponding DM device, no dm-crypt in use
|
|
return 1
|
|
fi
|
|
fi
|
|
fi
|
|
# _dm_part is a DM device, either dm* or mapper/*
|
|
_name=$(lsblk -nlo name "/dev/${_dm_part}")
|
|
if dmsetup ls --target crypt | grep -q "${_name}"; then
|
|
return 0
|
|
fi
|
|
fi
|
|
return 1
|
|
}
|
|
|
|
# Make sure dm-crypt devices are active in the container
|
|
dmsetup_part() {
|
|
_label="${1}"
|
|
if _dmname=$(dmsetup ls --target crypt | grep "${_label}" | awk '{print $1}'); then
|
|
# LUKS DM devices are not named after the partition label
|
|
# so no need to check for LUKS explicitely
|
|
if [ -n "${_dmname}" ]; then
|
|
dmsetup resume "${_dmname}"
|
|
fi
|
|
fi
|
|
}
|
|
|
|
# Get the current boot block device in case there are duplicate partition labels
|
|
# for `(balena|resin)-(boot|state|data)` found.
|
|
secure_boot_partitions='efi rpi imx'
|
|
current_boot_block_device=""
|
|
if [ "${TEST}" != 1 ]; then
|
|
mnt_boot_dev=$(dbus_get_mount "boot")
|
|
dmsetup_part "boot"
|
|
if is_part_encrypted "${mnt_boot_dev}"; then
|
|
echo "INFO: Encrypted boot partition detected."
|
|
for part in $secure_boot_partitions; do
|
|
echo "INFO: Trying ${part} as boot partition."
|
|
boot_part=$(dbus_get_mount "${part}")
|
|
if [ -n "${boot_part}" ]; then
|
|
echo "INFO: Using ${part} as boot partition."
|
|
break
|
|
else
|
|
echo "ERROR: Could not determine ${part} device from dbus."
|
|
fi
|
|
done
|
|
else
|
|
boot_part="${mnt_boot_dev}"
|
|
fi
|
|
|
|
if [ -z "${boot_part}" ]; then
|
|
echo "ERROR: Could not determine boot device from dbus. Please launch Supervisor as a privileged container with DBus socket access."
|
|
exit 1
|
|
fi
|
|
|
|
current_boot_block_device=$(lsblk -no pkname "${boot_part}")
|
|
if [ -z "${current_boot_block_device}" ]; then
|
|
echo "ERROR: Could not determine boot device from lsblk. Please launch Supervisor as a privileged container."
|
|
exit 1
|
|
fi
|
|
fi
|
|
|
|
|
|
# Mounts a device to a path if it's not already mounted.
|
|
# Usage: do_mount DEVICE MOUNT_PATH
|
|
do_mount() {
|
|
device=$1
|
|
mount_path=$2
|
|
|
|
# Create the directory if it doesn't exist
|
|
mkdir -p "${mount_path}"
|
|
|
|
# Mount the device if it doesn't exist
|
|
if [ "$(mountpoint -n "${mount_path}" | awk '{ print $1 }')" != "${device}" ]; then
|
|
fs_type=$(lsblk -nlo fstype "${device}")
|
|
mount -t "${fs_type}" "${device}" "${mount_path}"
|
|
fi
|
|
}
|
|
|
|
# Find the devices for each balenaOS partition.
|
|
# Usage: setup_then_mount PARTITION MOUNT_PATH
|
|
# PARTITION should be one of boot, state, or data.
|
|
setup_then_mount() {
|
|
# If in test environment, pretend we've succeeded at mounting everything to their
|
|
# new mountpoints. We don't want to actually mount in a containerized test environment
|
|
# where the Supervisor is probably not running on a host that has the needed partitions.
|
|
if [ "${TEST}" = 1 ]; then
|
|
return 0
|
|
fi
|
|
|
|
partition_label=$1
|
|
target_path=$2
|
|
|
|
dmsetup_part "${partition_label}"
|
|
|
|
# Try FS label first and partition label as a fallback
|
|
for arg in label partlabel; do
|
|
kname=$(lsblk "/dev/${current_boot_block_device}" -nlo "kname,${arg}" | grep -E "(resin|balena)-${partition_label}" | awk '{print $1}')
|
|
device="/dev/${kname}"
|
|
if [ -b "${device}" ]; then
|
|
echo "INFO: Found device $device on current boot device $current_boot_block_device, using as mount for '(resin|balena)-${partition_label}'."
|
|
do_mount "${device}" "${target_path}"
|
|
return 0
|
|
fi
|
|
done
|
|
|
|
# If no devices were found, use legacy mountpoints.
|
|
echo "ERROR: Could not determine which partition to mount for label '(resin|balena)-${partition_label}'. Please make sure the Supervisor is running on a balenaOS device."
|
|
exit 1
|
|
}
|
|
|
|
# Set boot mountpoint
|
|
BOOT_MOUNTPOINT="/mnt/boot"
|
|
setup_then_mount "boot" "${BOOT_MOUNTPOINT}"
|
|
export BOOT_MOUNTPOINT
|
|
|
|
# Read from the os-release of boot partition instead of overlay
|
|
#
|
|
# TODO: We need to remove the dependence on /mnt/root for this particular file.
|
|
# Reading from /mnt/boot/os-release is not always accurate, so we need to work
|
|
# with the OS team to find a better way to get the OS version.
|
|
export HOST_OS_VERSION_PATH="/mnt/root/etc/os-release"
|
|
|
|
# CONFIG_MOUNT_POINT is set to /boot/config.json in Dockerfile.template,
|
|
# but that's a legacy mount provided by host and we should override it.
|
|
export CONFIG_MOUNT_POINT="${BOOT_MOUNTPOINT}/config.json"
|
|
|
|
# Set state mountpoint
|
|
STATE_MOUNTPOINT="/mnt/state"
|
|
setup_then_mount "state" "${STATE_MOUNTPOINT}"
|
|
export STATE_MOUNTPOINT
|
|
|
|
# Set data mountpoint
|
|
DATA_MOUNTPOINT="/mnt/data"
|
|
setup_then_mount "data" "${DATA_MOUNTPOINT}"
|
|
export DATA_MOUNTPOINT
|
|
|
|
# Mount the Supervisor database directory to a more accessible & backwards compatible location.
|
|
# TODO: DB should be moved to a managed volume and mounted to /data in-container.
|
|
# Handle the case of such a Supervisor volume already existing.
|
|
# NOTE: After this PR, it should be good to remove the OS's /data/database.sqlite mount.
|
|
if [ ! -f /data/database.sqlite ] && [ "${TEST}" != 1 ]; then
|
|
mkdir -p "${DATA_MOUNTPOINT}/resin-data/balena-supervisor"
|
|
mount -o bind,shared "${DATA_MOUNTPOINT}"/resin-data/balena-supervisor /data
|
|
fi
|
|
export DATABASE_PATH="/data/database.sqlite"
|