UbuntuHelp:UbuntuLTSP/IscsiEcryptfs

This page is specific to Ubuntu version 9.10

LTSP + iSCSI + eCryptfs

Overview

The idea is that the LTSP server contains just the operating system and the binaries used by the thin clients. For storage of user data, it attaches an iSCSI disk (iSCSI target) from a remote server (the iSCSI server) and mounts it as the home directory. This directory then becomes the "upper mountpoint" for an eCryptfs filesystem to ensure in-transit encryption. The LTSP server acts as the iSCSI client (or iSCSI initiator). For this article, both iSCSI client and server were running Ubuntu 9.10.

You can use the information here to convert an existing LTSP server home directory into an eCryptfs/iSCSI volume (especially if you're using LVM, see below, because you can recoup your unneeded disk space by shrinking the filesystem and then the LVM volume). However, it would be simplest to set up the volume first and then create your user directories within it.

Note: As of Ubuntu 9.10, eCryptfs does not work well with networked filesystems [1]. The described setup does not suffer from this limitation because the initiator sees an iSCSI target as a regular block device.

The eCryptfs filesystem needs to be unlocked by a key/passphrase upon boot of the LTSP server. This passphrase can be stored on any block device and commonly it is placed on a USB key. Here we will simply use a second (small) iSCSI target for this purpose. This places a considerable restriction on the decryption of the data: both systems need to be networked together (i.e. the removal of the LTSP server or its hard drive from the premises will not result in a compromise of data).

Info: You can get extra functionality by running both the LTSP and iSCSI servers as KVM virtual machines. The iSCSI LU (logical unit; the exported disk) can also be an LVM logical volume which is seen by the guest as a raw disk. This addition of virtualization allows for easy maintenance (e.g. system-wide upgrades and, to a lesser extent, dist-upgrades) because a second VM, to which the maintenance tasks have been applied, can be swapped in with almost zero downtime. Secondly, using a logical volume as iSCSI LU allows for real-time data backups by way of LVM snapshots.


iSCSI server

Begin by installing the required software on the iSCSI server:

sudo aptitude install open-iscsi iscsitarget iscsitarget-source

Edit /etc/default/iscsitarget and have the line:

ISCSITARGET_ENABLE=true

Make a disk available (/dev/sdc for example). Then edit /etc/ietd.conf. Comment out the default entry and add one for our target:

Target iqn.192.168.1.94:disk_c
	Lun 0 Path=/dev/sdc,Type=fileio

Restart the iscsitarget daemon:

sudo service iscsitarget restart

The file /proc/net/iet/volume should have:

tid:1 name:iqn.192.168.1.94:disk_c
        lun:0 state:0 iotype:fileio iomode:wt path:/dev/sdc

That's all you need to do on the iSCSI server. Redo the procedure to set up the second small target to be used to contain the eCryptfs passphrase.


iSCSI client/initiator (LTSP server)

This procedure is for setting up a single iSCSI target. You will need to duplicate some steps in order to set up the second target. Begin by installing the required software on the LTSP server and discovering the iSCSI target(s):

sudo aptitude install open-iscsi
export ISCSI_TARGET=192.168.1.94
sudo iscsiadm -m discovery -t st -p $ISCSI_TARGET

Sample output:

192.168.1.94:3260,1 iqn.192.168.1.94:disk_c

Note: iqn.192.168.1.94:disk_c is the record id. The discovery command above will result in a directory structure (under /etc/iscsi/nodes) showing all LUs found. The directories are named according to the respective record id of each LU.

Log in to the target:

export RECORD_ID=iqn.192.168.1.94:disk_c
sudo iscsiadm -m node -T $RECORD_ID -p $ISCSI_TARGET --login

Your LTSP server should now be aware of a new block device. Check the output of dmesg for evidence of this. We can see the session between the LTSP server (192.168.1.93) and the iSCSI server (192.168.1.94). On LTSP:

sudo lsof -i4tcp:3260 -L -n

Output should look like this:

COMMAND   PID USER   FD   TYPE  DEVICE SIZE NODE NAME
iscsid  24293 root   9u   IPv4  2547755 TCP 192.168.1.93:46181->192.168.1.94:3260 (ESTABLISHED)

Note: On the iSCSI server you can view this session in the file /proc/net/iet/session.

You would now treat the block device like any other: create a partition table, build a filesystem, and mount it (commands: fdisk, mkfs, and mount).

To automatically start up a session (i.e. instead of issuing the --login command):

sudo iscsiadm -m node -T $RECORD_ID -p $ISCSI_TARGET -o update -n node.startup -v automatic

Warning: Verify that both targets are available as block devices and that their filesystems are mounted upon reboot. The mount points I'm using here are:

/home2 (temporarily)
/mnt/key


eCryptfs (LTSP server)

Since we'll be creating a new partition with a mountpoint of /home we'll need to address the fact that this directory may contain data and may also already be in use as a mountpoint. Remember that we will be placing the passphrase on the second auxiliary iSCSI target (mounted for me on /mnt/key).

sudo aptitude install ecryptfs-utils
sudo mount -t ecryptfs /home2 /home2

A dialog will ensue (here is a sample session). You will end up with a passphrase (here called ubuntu) to decrypt the key and a "key signature" to identify the key. The latter ends up in /root/.ecryptfs/sig-cache.txt. We use these 2 pieces of information to mount the eCryptfs filesystem upon boot of the LTSP server. Create the file /root/.ecryptfsrc with the following contents (my sample signature is 5826dd62cf81c615):

key=passphrase:passphrase_passwd_file=/mnt/key/passwd_file.txt
ecryptfs_sig=5826dd62cf81c615
ecryptfs_cipher=aes
ecryptfs_key_bytes=16
ecryptfs_passthrough=n
ecryptfs_enable_filename_crypto=n

The contents of /mnt/key/passwd_file.txt will then be:

passphrase_passwd=[ubuntu]

Warning: Verify that the main target is being mounted as an eCryptfs filesystem upon reboot. This mount should be configurable in /etc/fstab but this did not work for me (see Problems below, #3).


Dealing with existing home directories

Now that the iSCSI and eCryptfs layers have been covered, we need to deal with any existing /home data. Begin by copying everything to /home2. After verifying that the data has been properly copied: delete the original data (or move it somewhere else if you have the space); unmount /home2 (both eCryptfs and ext4); unmount /home if it's a mountpoint; mount the iSCSI target on /home; and finally remount eCryptfs under /home:

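sudo cp -a /home/* /home2
sudo rm -rf /home/*                  # only after verifying the copy
sudo umount /home2                   # eCryptfs layer
sudo umount /home2                   # ext4 layer
sudo umount /home                    # only if /home is a mountpoint
sudo mount /dev/sdb1 /home
sudo mount -t ecryptfs /home /home   # eCryptfs stacked on the same directory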

If everything works, your filesystems should look similar to:

Filesystem            Size  Used Avail Use% Mounted on
/dev/sda1             8.5G  3.2G  4.9G  40% /
udev                  2.0G  224K  2.0G   1% /dev
none                  2.0G  132K  2.0G   1% /dev/shm
none                  2.0G   80K  2.0G   1% /var/run
none                  2.0G     0  2.0G   0% /var/lock
none                  2.0G     0  2.0G   0% /lib/init/rw
/dev/sdb1             296G   66G  216G  24% /home
/dev/sdc1             3.9M  1.1M  2.7M  29% /mnt/key
/home                 296G   66G  216G  24% /home
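The two "verify upon reboot" checks above can be scripted. The following is an added example, not part of the original page: it reads a mount table in /proc/mounts format and confirms that the key volume is mounted and that eCryptfs is stacked on top of a block device at the home mountpoint with the expected key signature. The function names and the sample mount table are constructed for illustration; the signature is the page's sample value.

```shell
#!/bin/sh
# Added example (not from the original page). Function names are hypothetical.

# check_ecryptfs_stack MOUNTS MOUNTPOINT SIG [KEYDIR]
# MOUNTS is a file in /proc/mounts format ("-" reads stdin).
# Returns 0 only if KEYDIR is mounted from a block device and MOUNTPOINT has
# a block device with an eCryptfs layer (carrying SIG) mounted on top of it.
check_ecryptfs_stack() {
    awk -v mp="$2" -v sig="$3" -v keydir="${4:-/mnt/key}" '
        $1 ~ /^\/dev\// && $2 == keydir { key = 1 }
        $1 ~ /^\/dev\// && $2 == mp     { lower = NR }
        $3 == "ecryptfs" && $2 == mp {
            upper = NR
            # match the whole option, not a prefix of a longer signature
            if (index("," $4 ",", ",ecryptfs_sig=" sig ",")) sig_ok = 1
        }
        END {
            if (!key)   { print "FAIL: no block device mounted on " keydir; bad = 1 }
            if (!lower) { print "FAIL: no block device mounted on " mp; bad = 1 }
            if (!upper) {
                print "FAIL: " mp " is not an eCryptfs mount"; bad = 1
            } else if (upper < lower) {
                print "FAIL: eCryptfs on " mp " is hidden under a later mount"; bad = 1
            } else if (!sig_ok) {
                print "FAIL: eCryptfs on " mp " does not use key signature " sig; bad = 1
            }
            exit bad + 0
        }' "$1"
}

# Constructed sample mirroring the page's final layout (not captured output).
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sdb1 /home ext4 rw,relatime 0 0
/dev/sdc1 /mnt/key ext4 ro,relatime 0 0
/home /home ecryptfs rw,relatime,ecryptfs_sig=5826dd62cf81c615,ecryptfs_cipher=aes,ecryptfs_key_bytes=16 0 0
EOF
}

# On a live system: check_ecryptfs_stack /proc/mounts /home 5826dd62cf81c615
sample_mounts | check_ecryptfs_stack - /home 5826dd62cf81c615 && echo "stack OK"
```

A failed check on the eCryptfs layer matters most: if only the block device is mounted on /home, user data is written to the iSCSI target unencrypted.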

Authentication for iSCSI target discovery and login

It is highly recommended to require authentication for both target discovery and login. Otherwise, even though the data remains hidden (encrypted) a network client will remain free to discover and then log in to the target device. Once this is accomplished, the target disk can be formatted. Not nice. Note that discovery and login authentication are mutually independent (you can have one
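To find targets that are still open in this way, the following added example (not part of the original page) audits an IET configuration such as /etc/ietd.conf for the IncomingUser directive, which ietd uses for CHAP: before the first Target line it protects discovery, inside a Target stanza it protects login to that target. The function names and the sample configurations, including the user names and secrets, are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page). Function names are hypothetical.

# audit_ietd_auth CONF   ("-" reads stdin; default /etc/ietd.conf)
# Prints one line per missing CHAP requirement and returns non-zero if any.
audit_ietd_auth() {
    awk '
        { sub(/#.*/, "") }                      # ignore comments
        $1 == "Target" { cur = $2; names[++n] = cur; next }
        $1 == "IncomingUser" && NF >= 3 {       # needs a user name and a secret
            if (cur == "") {
                discovery = 1                   # global section: discovery sessions
            } else {
                login[cur] = 1                  # inside a stanza: login to that target
            }
        }
        END {
            if (!discovery) { print "discovery: no IncomingUser"; bad = 1 }
            for (i = 1; i <= n; i++)
                if (!(names[i] in login)) { print names[i] ": no IncomingUser"; bad = 1 }
            exit bad + 0
        }' "${1:-/etc/ietd.conf}"
}

# Constructed samples: the target as configured earlier on this page (no CHAP),
# and the same target with discovery and login CHAP (made-up users and secrets).
open_conf() {
    cat <<'EOF'
Target iqn.192.168.1.94:disk_c
	Lun 0 Path=/dev/sdc,Type=fileio
EOF
}
chap_conf() {
    cat <<'EOF'
IncomingUser ltsp-disc constructed-secret-1
Target iqn.192.168.1.94:disk_c
	IncomingUser ltsp constructed-secret-2
	Lun 0 Path=/dev/sdc,Type=fileio
EOF
}

open_conf | audit_ietd_auth - || echo "open_conf: authentication missing"
chap_conf | audit_ietd_auth - && echo "chap_conf: OK"
```

Once the target requires CHAP, the initiator on the LTSP server needs matching credentials in its open-iscsi settings (discovery.sendtargets.auth.* for discovery, node.session.auth.* for login), otherwise the automatic login at boot fails and /home is not mounted.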


Problems

  1. When a thin client attempted to log in for the first time there was an error about not being able to read the ~/.ICEauthority file. I had to remove this file manually and recreate it as an empty file (with touch). This may be due to the fact that I upgraded the LTSP server to Karmic but the home (iSCSI volume) was still in Jaunty-land somehow. To be verified.
  2. I could not get my mounted iSCSI volumes to unmount properly upon reboot or shutdown. I needed to change the sequence of /etc/rc{0,6} links so that I had the following order: umount -> open-iscsi -> networking. See bug 345957.
  3. The eCryptfs filesystem would not mount properly from /etc/fstab. I had to put a manual command in /etc/rc.local.

Resources

iSCSI

eCryptfs


[1] https://bugs.launchpad.net/ecryptfs/+bug/277578
[2] https://bugs.launchpad.net/ubuntu/karmic/+source/ecryptfs-utils/+bug/372014