149 full disk luks encryption option for Installer #150

Merged
merged 7 commits into from
Feb 15, 2024


Hooverdan96
Member

Fixes #149.

  • Adding optional (commented) parameters for Rockstor OS disk LUKS encryption to LEAP 15.5 profile.
  • Adding section to Readme highlighting above installer option for the roll-your-own crowd

Add optional settings to allow LUKS encryption of Rockstor OS disk.
@phillxnet
Member

@Hooverdan96 Nice addition, and well done on doing all the experimentation to get us this far.

There is however a mixture of tabs and spaces! It probably doesn't matter but do you fancy correcting that? We likely already have the same elsewhere: and of course spaces is the way forward here :) . A follow-up commit would do so as not to have the hassle of rebase etc. Plus once a force push has occurred on a PR our test backend often fails to be able to test the results thereafter!

@Hooverdan96
Member Author

Hooverdan96 commented Dec 12, 2023

I'll take care of it, the mix of tabs and spaces.
I will not force push it.

@Hooverdan96
Member Author

See whether that latest push addressed it. I think (though my eyes might deceive me) all my changes are spaces instead of tabs now.

@phillxnet
Member

@Hooverdan96 I've just run a test build for the 15.5 x86_64 profile, with this PR pre-merged, and I get the following:

[ INFO    ]: 13:39:49 | Loading XML description
[ INFO    ]: 13:39:49 | Support for XML markup available
[ ERROR   ]: 13:39:49 | KiwiConfigFileFormatNotSupported: Configuration file could not be parsed. In case your configuration file is XML it most likely contains a syntax error. For other formats the Python anymarkup module is required

Not looked any further yet unfortunately. But did confirm an invalid XML for the resulting config file using an online XML linting tool. We could do with a basic format sanity checker for PRs in this repo actually.

@Hooverdan96
Member Author

Hooverdan96 commented Dec 13, 2023

Well, that's on me. I thought I could get away without doing a test build again after reformatting/commenting. Thanks for keeping me honest. I will check into why this is happening and adjust accordingly. My apologies.

For the XML-challenged like me, one cannot add a comment attribute within a tag (which I unfortunately did), only before or after. I will correct this.

@Hooverdan96
Member Author

Hooverdan96 commented Dec 13, 2023

Well, it turns out it's still "complicated". In the luksformat section, the double-hyphen of the crypto option causes yet another failure when it's commented out (since XML interprets it as an "end of comment" at the wrong time, hence making kiwi fail):

<!-- <option name="--pbkdf" value="PBKDF2"/> -->

My workaround for this is to write the comment line like this:

<!-- <option name="&#45;&#45;pbkdf" value="PBKDF2"/> -->

which works while it's commented out (i.e. no error, and the iso is built), as well as when it's "active" (i.e. the LUKS based image is built and can be successfully installed and rebooted).

Let me know whether that's acceptable? Anybody that wants to add other cryptsetup parameters and has them active, doesn't need to use the Unicode codes, but could use the double-hyphen ... this is only to enable the ability to have this tag commented out in the rockstor.kiwi file.

If this is acceptable I will push the updated file. I can also add a comment to the readme when discussing the LUKS setup and state that any additional parameters in that section can be stated with -- instead of the XML codes.

Spaces vs. Tabs for indentation
Escape double-hyphen parameter within comment to avoid inconsistent XML format
@Hooverdan96
Member Author

@phillxnet, when you get a chance, see whether that works better. Before pushing I ran the tests as described above ... but since I flip between PC and Linux boxes there's always a chance that something gets messed up ...

@phillxnet
Member

@Hooverdan96 Just re-tested this again and we have the following:

[ INFO    ]: 08:41:29 | Loading XML description
[ INFO    ]: 08:41:29 | Support for XML markup available
[ INFO    ]: 08:41:30 | Schematron validation failed:
[ INFO    ]: 08:41:30 | --> luks attribute must be set when using luksformat option(s)
[ ERROR   ]: 08:41:30 | KiwiDescriptionInvalid: Failed to validate schema and/or schematron rules. Use --debug for more details

So it's a comment all-or-nothing setup currently. I'll push on with our existing installer release and we can fix this additional comment requirement thereafter. The XML format is quite picky all-in. Maybe once we are there on this one we can squash and re-present to avoid the development noise.

If you fancy doing another commit here first re last issue I can re-run installer build to see if it's happy again before squashing.
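
A basic format sanity check of the kind suggested in this thread, covering both build failures shown above (the XML parse error and the `luks`/`luksformat` rule). This is an added example, not code from the PR, Rockstor or kiwi: the XML fragments are constructed, the function names are hypothetical, and it assumes `<luksformat>` sits directly inside the element that carries the `luks` attribute, which only approximates kiwi's own Schematron rule.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed, minimal fragments (not the project's rockstor.kiwi).
# Assumption: <luksformat> is a child of the element carrying the luks attribute.
_DOC = '<image><preferences><type image="oem"{attrs}>{body}</type></preferences></image>'
_RAW = '<luksformat><option name="--pbkdf" value="PBKDF2"/></luksformat>'
_ESC = _RAW.replace("--", "&#45;&#45;")  # the workaround from the thread

SAMPLES = {
    "raw_commented": _DOC.format(attrs="", body=f"<!-- {_RAW} -->"),
    "escaped_commented": _DOC.format(attrs="", body=f"<!-- {_ESC} -->"),
    "escaped_active": _DOC.format(attrs=' luks="constructed-value"', body=_ESC),
    "half_uncommented": _DOC.format(attrs="", body=_ESC),
    "comment_in_tag": _DOC.format(attrs=' <!-- luks="constructed-value" -->', body=""),
}


def check_description(xml_data):
    """Return a list of problems found; an empty list means both checks pass."""
    try:
        root = ET.fromstring(xml_data)
    except ET.ParseError as exc:
        # Covers "--" inside a comment and a comment placed inside a tag.
        return [f"not well-formed: {exc}"]
    problems = []
    for elem in root.iter():
        if elem.find("luksformat") is not None and "luks" not in elem.attrib:
            problems.append(f"<{elem.tag}> has <luksformat> but no luks attribute")
    return problems


def luksformat_options(xml_data):
    """Return (name, value) pairs as the parser sees them after reference expansion."""
    root = ET.fromstring(xml_data)
    return [(o.get("name"), o.get("value")) for o in root.findall(".//luksformat/option")]


if __name__ == "__main__":
    if len(sys.argv) > 1:  # check a real description file given on the command line
        with open(sys.argv[1], "rb") as fh:
            found = check_description(fh.read())
        print("\n".join(found) or "ok")
        sys.exit(1 if found else 0)
    for label, doc in SAMPLES.items():
        print(label, check_description(doc) or "ok")
```

Run with a path to a description file, it exits non-zero on either problem, so it can gate a PR before a full installer build is attempted.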

@Hooverdan96
Member Author

@phillxnet, apparently I pushed a kiwi file version where I had not commented out all LUKS related entries, no idea how that happened. In any case, as you can see, I rebased my branch to include your recently merged kiwi file version, and made the remaining adjustments. Hope this time it's the charm.

@phillxnet
Member

@Hooverdan96 I've just done a fresh TW X86-64 profile installer build and all is well now: as expected.
Build test was done by way of unrelated rpm upgrades but nevertheless indicates the tricky XML comment sensitivities here are now gone.

Thanks again for looking into, and noting in comments, these LUKS options. Much appreciated.
We can re-visit any updates in new pull requests re side-channel discussions on our directions here, and upstream LUKS movements.

Merging pull request as-is given we are not too precious about git commit squashing in this repo given its relatively slow turnover.

@phillxnet phillxnet merged commit 674c96d into rockstor:master Feb 15, 2024
@Hooverdan96
Member Author

Hooverdan96 commented Feb 15, 2024

Thanks @phillxnet

Leaving these two links behind here, in case a recent discussion about a LUKS keyfile/password bug will result in a change upstream that negatively impacts current approach to enable a LUKS encryption of the boot drive during the initial Rockstor setup:

Reported SUSE issue upstream: https://bugzilla.suse.com/show_bug.cgi?id=1218181
Proposed PR (not merged as of 2/15/2024) for kiwi installer: OSInside/kiwi#2466

@Hooverdan96 Hooverdan96 deleted the 149_full_disk_LUKS branch March 7, 2024 05:04

Successfully merging this pull request may close these issues.

Ability to build full disk encryption with kiwi-ng