kola/tests/ignition: add luks test

[tormath1]

Ignition will set up a key-file based LUKS2 volume on a secondary disk
added to the instance.

Signed-off-by: Mathieu Tortuyaux [email protected]

---

To be tested with: flatcar-archive/coreos-overlay#1760 - tested here: http://jenkins.infra.kinvolk.io:8080/job/os/job/kola/job/qemu/4005/

• Changelog entries added in the respective changelog/ directory (user-facing change, bug fix, security fix, update)

[pothos]

Just an idea if we want to avoid tying it to qemu, we could also use /dev/disk/by-partlabel/USR-B or /dev/disk/by-partlabel/OEM-CONFIG.
Later when clevis and tpm2 may be added we either have to add a software tpm to qemu or use another cloud platform.

[tormath1]

/dev/disk/by-partlabel/USR-B sounds good - let's try that. Thanks for the suggestion !

[pothos]

What key is used now and would it unlock on reboot?

[tormath1]

According to the codebase, the key should be generated and persisted if not key has been provided but I don't know where:

sudo cat /var/run/ignition/state | jq .luksPersistKeyFiles
null

EDIT: this is the state file generated at the end of the ignition run, luksPersistKeyFiles is cleared right after the /etc/crypttab file has been generated.

[tormath1]

Key is persisted in /etc/luks/data:

sudo cat /etc/luks/data
e12a2700e32fb963787e922c12503f42ae5c05cb2...

and with the following entry it's being decrypted automatically:

sudo cat /etc/crypttab
data UUID=65df69d5-9a99-4f3b-a1ec-b38570bd170f /etc/luks/data luks

[tormath1]

@pothos what do you think of providing some documentation around this ⬆️

[pothos]

Thanks, maybe the upstream spec explanation should be improved

[tormath1]

moved this PR in "blocked" column as it requires a new release. :)