[buildd-tools-devel] Bug#639105: please consider adding support for lvm-snapshot on crypted LV

Marc Haber mh+debian-bugs at zugschlus.de
Wed Aug 24 06:52:01 UTC 2011


Package: schroot
Version: 1.4.23-1
Severity: wishlist

Hi,

this is admittedly an exotic use case, and I would perfectly understand
a wontfix tag on this. However, I would like to document the use case
to make clear that it exists.

Contrary to Debian's normal setup, I create my file systems on an
encrypted LV on an unencrypted PV (Debian creates file systems on an LV
on an encrypted PV by default). This allows me to keep LVs with really
sensitive information locked until they're actually needed, but needs
support in every script that handles LVs and Snapshots. schroot is one
of these scripts.

To avoid having build chroots unencrypted, the lvm-snapshot method
would need to have the possibility to

(1) take the snapshot from a different volume name than the one being
    actually mounted
(2) unlock the snapshot LV using information from /etc/crypttab
(3) mount the device that was created during step (2)
(4) do steps (1) to (3) in reverse when the snapshot is being removed

Please consider adding this in a future version of schroot.

Encrypted build chroots may be important in settings where an schroot
installation is being used on a machine in untrusted housing to make
it harder to trojan the build system.

In the meantime, I'll use a VM on an encrypted volume which is an
acceptable workaround for me. It's, however, a waste of resources.

Greetings
Marc


-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.0.1-zgws1 (SMP w/6 CPU cores; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages schroot depends on:
ii  libboost-filesystem1.46.1   1.46.1-7     filesystem operations (portable pa
ii  libboost-program-options1.4 1.46.1-7     program options library for C++
ii  libboost-regex1.46.1        1.46.1-7     regular expression library for C++
ii  libboost-system1.46.1       1.46.1-7     Operating system (e.g. diagnostics
ii  libc6                       2.13-17      Embedded GNU C Library: Shared lib
ii  libgcc1                     1:4.6.1-7    GCC support library
ii  liblockdev1                 1.0.3-1.4+b1 Run-time shared library for lockin
ii  libpam0g                    1.1.3-2      Pluggable Authentication Modules l
ii  libstdc++6                  4.6.1-7      GNU Standard C++ Library v3
ii  libuuid1                    2.19.1-5     Universally Unique ID library
ii  schroot-common              1.4.23-1     common files for schroot

schroot recommends no packages.

Versions of packages schroot suggests:
pn  aufs-modules | unionfs-modul <none>      (no description available)
pn  btrfs-tools                  <none>      (no description available)
ii  debootstrap                  1.0.36      Bootstrap a basic Debian system
ii  lvm2                         2.02.84-3.1 The Linux Logical Volume Manager
ii  unzip                        6.0-5       De-archiver for .zip files

-- no debconf information
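The four steps the report asks for, written out as an added sketch in POSIX sh. This is not schroot code and not from the report's author; the volume group, LV and mapper names, the mount point, the key file path and the crypttab entries are constructed placeholders, and DRY_RUN=1 makes it print the commands rather than touch any device. It relies on two properties worth knowing when reviewing a setup like this: a snapshot of the encrypted LV copies only ciphertext, and because the LUKS header lives on the LV itself the origin's crypttab key material unlocks the snapshot unchanged, as long as it is opened under its own mapper name. The teardown closes the plaintext mapping before removing the LV, which is the point at which the build chroot is "locked" again, and a failure part-way through setup is undone in the same reverse order.

```shell
#!/bin/sh
# Added example, not schroot code: the four steps from the bug report
# (snapshot the encrypted LV, unlock the snapshot via its crypttab entry,
# mount it, and undo all three on teardown).  VG/LV names, mapper names,
# the mount point and the crypttab sample in demo() are constructed.
# Set DRY_RUN=1 to print the commands instead of executing them.

DRY_RUN="${DRY_RUN:-0}"
CRYPTTAB="${CRYPTTAB:-/etc/crypttab}"

# run CMD ARGS...: execute the command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# crypttab_lookup NAME: find the crypttab line whose mapping name is NAME and
# export its fields as ct_device, ct_keyfile ("none" = passphrase), ct_options.
crypttab_lookup() {
    line=$(awk -v name="$1" '$1 == name { print; exit }' "$CRYPTTAB")
    [ -n "$line" ] || return 1
    set -- $line
    ct_device="$2"; ct_keyfile="${3:-none}"; ct_options="${4:-}"
}

# snapshot_up VG ORIGIN_LV ORIGIN_MAP SNAP_LV SIZE SNAP_MAP MOUNTPOINT
# ORIGIN_MAP is the crypttab name of the encrypted origin LV; the snapshot is
# unlocked with the same key material but under its own mapper name SNAP_MAP.
snapshot_up() {
    vg="$1"; origin="$2"; origin_map="$3"; snap="$4"; size="$5"; snap_map="$6"; mnt="$7"

    crypttab_lookup "$origin_map" || { echo "no crypttab entry for $origin_map" >&2; return 1; }
    # Only LUKS is handled here: its header sits on the LV, so the snapshot
    # carries it and the origin's key or passphrase unlocks the snapshot as-is.
    case ",$ct_options," in
        *,luks,*) ;;
        *) echo "only LUKS volumes are handled (options: $ct_options)" >&2; return 1 ;;
    esac

    # (1) snapshot the encrypted origin; only ciphertext lands in the CoW area
    run lvcreate --snapshot --size "$size" --name "$snap" "/dev/$vg/$origin" || return 1

    # (2) unlock the snapshot LV under its own mapper name (never the origin's)
    if [ "$ct_keyfile" = "none" ]; then
        set -- cryptsetup luksOpen "/dev/$vg/$snap" "$snap_map"          # passphrase prompt
    else
        set -- cryptsetup luksOpen --key-file "$ct_keyfile" "/dev/$vg/$snap" "$snap_map"
    fi
    run "$@" || { run lvremove --force "/dev/$vg/$snap"; return 1; }

    # (3) mount the decrypted device; undo (2) and (1) if mounting fails
    run mount "/dev/mapper/$snap_map" "$mnt" || {
        run cryptsetup luksClose "$snap_map"
        run lvremove --force "/dev/$vg/$snap"
        return 1
    }
}

# snapshot_down VG SNAP_LV SNAP_MAP MOUNTPOINT: step (4), strictly in reverse.
# Closing the mapping before lvremove is what returns the chroot to "locked".
snapshot_down() {
    vg="$1"; snap="$2"; snap_map="$3"; mnt="$4"
    run umount "$mnt" || return 1
    run cryptsetup luksClose "$snap_map" || return 1
    run lvremove --force "/dev/$vg/$snap"
}

# demo: print the command sequence against a constructed crypttab (no devices touched).
demo() {
    DRY_RUN=1
    CRYPTTAB=$(mktemp)
    printf '%s\n' '# constructed sample crypttab' \
        'buildroot_crypt /dev/mapper/vg0-buildroot /root/keys/buildroot.key luks' > "$CRYPTTAB"
    snapshot_up vg0 buildroot buildroot_crypt buildroot-snap 2G buildroot-snap_crypt /srv/chroot/sid
    snapshot_down vg0 buildroot-snap buildroot-snap_crypt /srv/chroot/sid
    rm -f "$CRYPTTAB"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it as `sh snapshot-crypt.sh --demo` to see the six commands without touching anything; for real use, source the file and call snapshot_up / snapshot_down with your own names, keeping DRY_RUN unset. A crypttab entry whose options lack `luks` (plain dm-crypt with `cipher=` options) is refused rather than guessed at, since plain mode would need the cipher, key size and hash passed through explicitly.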
