3 # Copyright (C) The Arvados Authors. All rights reserved.
5 # SPDX-License-Identifier: Apache-2.0
12 LVPATH="/dev/mapper/${VGNAME}-${LVNAME}"
13 CRYPTPATH=/dev/mapper/tmp
17 findmnt "$@" >/dev/null
21 if findmntq "$1"; then
26 if findmntq --source "$CRYPTPATH" --target "$MOUNTPATH"; then
31 while [[ ! "$CLOUD_SERVER" ]]; do
32 CLOUD_SERVER="$(curl --silent --head http://169.254.169.254/ \
33 | awk '($1 == "Server:"){sub("\\r+$", ""); print substr($0, 9)}')"
37 case "$CLOUD_SERVER" in
39 EC2ws) DISK_PATTERN=/dev/xvd ;;
41 "Metadata Server for VM") DISK_PATTERN=/dev/sd ;;
43 Microsoft-IIS/*) DISK_PATTERN=/dev/sd ;;
46 if [[ -z "$DISK_PATTERN" ]]; then
47 echo "ensure-encrypted-partitions: Unknown disk configuration; can't run." >&2
51 declare -a LVM_DEVS=()
53 ROOT_PARTITION=`findmnt / -f -o source -n`
54 if [[ "$ROOT_PARTITION" =~ ^\/dev\/nvme ]]; then
55 # e.g. /dev/nvme0n1p1, strip last 4 characters
56 ROOT_DEVICE_STRING=${ROOT_PARTITION%????}
58 # e.g. /dev/xvda1, strip last character
59 ROOT_DEVICE_STRING=${ROOT_PARTITION//[0-9]/}
62 # Newer AWS node types use another pattern, /dev/nvmeXn1 for fast instance SSD disks
63 if [[ "$CLOUD_SERVER" == "EC2ws" ]]; then
64 for dev in `ls /dev/nvme* 2>/dev/null`; do
65 if [[ "$dev" == "$ROOT_PARTITION" ]] || [[ "$dev" =~ ^$ROOT_DEVICE_STRING ]]; then
68 if [[ -e ${dev}n1 ]]; then
69 ensure_umount "${dev}n1"
70 if [[ "$devtype" = disk ]]; then
71 dd if=/dev/zero of="${dev}n1" bs=512 count=1
73 LVM_DEVS+=("${dev}n1")
78 # Look for traditional disks but only if we're not on AWS or if we haven't found
79 # a fast instance /dev/nvmeXn1 disk
80 if [[ "$CLOUD_SERVER" != "EC2ws" ]] || [[ ${#LVM_DEVS[@]} -eq 0 ]]; then
81 for dev in `ls $DISK_PATTERN* 2>/dev/null`; do
82 # On Azure, we are dealing with /dev/sdb1, on GCP, /dev/sdb, on AWS, /dev/xvdb
83 if [[ "$dev" == "$ROOT_PARTITION" ]] || [[ "$dev" =~ ^$ROOT_DEVICE_STRING ]]; then
86 if [[ ! "$dev" =~ [a-z]$ ]]; then
89 if [[ -e ${dev}1 ]]; then
96 if [[ "$devtype" = disk ]]; then
97 dd if=/dev/zero of="$dev" bs=512 count=1
103 if [[ "${#LVM_DEVS[@]}" -eq 0 ]]; then
104 echo "ensure-encrypted-partitions: No extra disks found." >&2
108 vgcreate --force --yes "$VGNAME" "${LVM_DEVS[@]}"
109 lvcreate --extents 100%FREE --name "$LVNAME" "$VGNAME"
111 KEYPATH="$(mktemp -p /var/tmp key-XXXXXXXX.tmp)"
112 modprobe dm_mod aes sha256
113 head -c321 /dev/urandom >"$KEYPATH"
114 echo YES | cryptsetup luksFormat "$LVPATH" "$KEYPATH"
115 cryptsetup --key-file "$KEYPATH" luksOpen "$LVPATH" "$(basename "$CRYPTPATH")"
117 mkfs.xfs -f "$CRYPTPATH"
119 # First make sure docker is not using /tmp, then unmount everything under it.
120 if [ -d /etc/sv/docker.io ]
122 sv stop docker.io || service stop docker.io || true
124 systemctl disable --now docker.service docker.socket || true
127 ensure_umount "$MOUNTPATH/docker/aufs"
130 mount -o ${MOUNTOPTIONS} "$CRYPTPATH" "$MOUNTPATH"
131 chmod a+w,+t "$MOUNTPATH"
133 # Make sure docker uses the big partition
134 cat <<EOF > /etc/docker/daemon.json
136 "data-root": "$MOUNTPATH/docker-data"
141 if [ -d /etc/sv/docker.io ]
146 systemctl enable --now docker.service docker.socket || true
151 while [ $SECONDS -lt $end ]; do
152 if /usr/bin/docker ps -q >/dev/null; then
158 # Docker didn't start within a minute, abort