Custom hook script specific for just a container

omgs

Active Member
Aug 19, 2016
Hi. I'm using Proxmox 6.1 with Debian buster as host (and as guest while this is possible). I use several containers and in one I need to have an encrypted mount point (it could even be the whole container). So, I use an lvmthin for just the system and a non-lvmthin for the data, and this is what needs to be encrypted. I have the lvm for this data manually encrypted via luks and from the host I can manually open and mount it, but now I need to use it as a mount point. Here is where problems arise. I haven't found any doc about how to manage this, so if I can create a custom script that hooks on startup and allows the passphrase to be typed via console (I don't want any automatic decryption and mount) this could do the work. I've also thought about opening permissions for the volume in the host, but I've found that error-prone because I don't think there's a storage for the decrypted volume. So, I don't know how to name a script (if there's any predefined way) so only the specific vm can run this script, I guess via the VMID (and I think that in the old days with openvz this was easier). The main problem for this is that the device is unavailable from the guest container.

Also, as long as the lv is encrypted, I don't care about the encryption method for the vm disk, in case there's some existing method that could work for this.

Has anybody faced this problem and solved it successfully? Thanks in advance.
 
in general there is the 'hookscripts' property on vm/container configs

see 'man pct' and search for hookscripts

an example for this is in /usr/share/pve-docs/examples/guest-example/hookscript.pl

this setting is per vm so this should work for you
 
Thanks for your answer.

It looks like it MUST be a perl script, because a bash script returns an error code 1. I run it from the terminal and it prompts for the password, but this doesn't happen in the console, which is what I need. I took the example with perl (I'm not good at perl) and I customized it like this:

Code:
#!/usr/bin/perl
use strict;
use warnings;

print "GUEST HOOK: " . join(' ', @ARGV). "\n";

# First argument is the vmid, second argument is the phase
my $vmid = shift;
my $cryptname="vm-$vmid-disk-crypt";
my $phase = shift;

if ($phase eq 'pre-start') {
    print "$vmid is starting, doing preparations.\n";
    # A non-zero exit in pre-start aborts the start, so fail if the volume cannot be opened
    system("cryptsetup open --type luks /dev/pve/$cryptname $cryptname") == 0
        or die "could not open $cryptname\n";
} elsif ($phase eq 'post-start') {
    print "$vmid started successfully.\n";
    system("mount /dev/mapper/$cryptname /var/lib/crypttest") == 0
        or warn "could not mount $cryptname\n";
} elsif ($phase eq 'pre-stop') {
    # Called before the guest is stopped via the API; without this branch the
    # script would die with "unknown phase" on every stop
    print "$vmid will be stopped.\n";
} elsif ($phase eq 'post-stop') {
    print "$vmid stopped. Doing cleanup.\n";
    system("umount /dev/mapper/$cryptname; cryptsetup close $cryptname");
} else {
    die "got unknown phase '$phase'\n";
}

How can I get to be prompted at the console for the password?
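As an added example (not code from the thread or from Proxmox), a fail-closed variant of the hookscript above: it decrypts and mounts in pre-start so the data is present before the container starts, refuses to start the container if the volume cannot be opened, and relocks in post-stop. It assumes the LV name used in the thread, that /var/lib/crypttest is configured as a bind mount (mp0) in the container config, and that the container is started from an interactive shell so cryptsetup can prompt for the passphrase on the terminal.

```perl
#!/usr/bin/perl
# Added example (not code from the thread or from Proxmox): a fail-closed
# LUKS hookscript for one container. Assumptions: the LV is
# /dev/pve/vm-<VMID>-disk-crypt as in the thread, /var/lib/crypttest is
# configured as a bind mount in the container config (mp0: /var/lib/crypttest,mp=/data),
# and the container is started from an interactive shell (pct start) so
# cryptsetup can prompt for the passphrase on the terminal.
use strict;
use warnings;

my ($vmid, $phase) = @ARGV;
die "usage: $0 <vmid> <phase>\n" unless defined $vmid && defined $phase;

my $cryptname = "vm-$vmid-disk-crypt";
my $device    = "/dev/pve/$cryptname";
my $mapper    = "/dev/mapper/$cryptname";
my $mountpt   = "/var/lib/crypttest";

# Run a command; a failure makes the hookscript exit non-zero, which in
# pre-start aborts the container start instead of booting without the data.
sub run {
    my @cmd = @_;
    system(@cmd) == 0 or die "hook: '@cmd' failed (exit " . ($? >> 8) . ")\n";
}

# "cryptsetup status" exits 0 only while the mapping is active (safe re-runs).
sub is_open { return system('cryptsetup', 'status', $cryptname) == 0; }

# "mountpoint -q" (util-linux) exits 0 only if something is mounted there.
sub is_mounted { return system('mountpoint', '-q', $mountpt) == 0; }

if ($phase eq 'pre-start') {
    # Decrypt and mount before the container starts so the bind mount is populated.
    run('cryptsetup', 'open', '--type', 'luks', $device, $cryptname) unless is_open();
    run('mount', '-o', 'nodev,nosuid', $mapper, $mountpt) unless is_mounted();
} elsif ($phase eq 'post-start' || $phase eq 'pre-stop') {
    # Nothing to do in these phases, but they must not fall into the die below.
} elsif ($phase eq 'post-stop') {
    # Unmount and lock again once the container is gone. No lazy unmount:
    # a still-busy mount is reported as a failure rather than left decrypted silently.
    run('umount', $mountpt) if is_mounted();
    run('cryptsetup', 'close', $cryptname) if is_open();
} else {
    die "got unknown phase '$phase'\n";
}
```

Set it with `pct set <VMID> --hookscript local:snippets/<name>.pl` (snippets storage must be enabled) and mark the file executable; a wrong passphrase then leaves the container stopped rather than running without its data.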
 
How can I get to be prompted at the console for the password?

you could use a keyfile instead, and pass it with the argument (that way it happens without user interaction)
 
you could use a keyfile instead, and pass it with the argument (that way it happens without user interaction)

Thanks, but I want to force the password to be typed via console at every reboot, for security reasons.
 
Thanks, but I want to force to type the password via console at every reboot, for security reasons.
why do you need a hookscript then? just decrypt and start? (that can be done via script for example...)
 
why do you need a hookscript then? just decrypt and start? (that can be done via script for example...)
I'm aware I can do that at host level and by being root (or sudo), but it's for a user who has access to the guest via proxmox, and it tries to prevent others from accessing the data if the vm isn't "properly booted". The reason why is beyond this, but consider that someone steals the server from the office.

Apart from that, I've seen another thread about direct access to the lv, but now I get access denied to it. Here are the lines:

Code:
lxc.mount.entry: /dev/mapper/pve-vm--114--disk--crypt dev/mapper/crypt none bind,create=file
lxc.cgroup.devices.allow: c 253:24 rwm
If I'm not on the right track, can you please provide the details I'm missing?

Thanks in advance.
 
but it's for a user who has access to the guest via proxmox and tries to prevent that others can access to the data if the vm isn't "properly booted"
why not give the user a 'real' vm and let him encrypt the disk inside the guest?
 
What is your proposal? I'm open to any solution.
i mean that you give the user not a container but a kvm virtual machine
then the user can install any os he wants and use the encryption method of that os (e.g. luks+lvm on linux or bitlocker in windows)
then when the user starts the vm, he has to connect via novnc to decrypt his guest himself
 
i mean that you give the user not a container but a kvm virtual machine
then the user can install any os he wants and use the encryption method of that os (e.g. luks+lvm on linux or bitlocker in windows)
then when the user starts the vm, he has to connect via novnc to decrypt his guest himself
Ok, but there's at least one problem: I have to back up that data (of course to another encrypted disk) and it's several hundred GB, so I don't think a vm provides a real working solution in this scenario.

And also there has to be a real simple solution for the current permissions issue described previously, which would allow me to script encryption from inside the container, so I'd like to focus on this. Thanks for your help.
 