[buildd-tools-devel] Bug#639105: please consider adding support for lvm-snapshot on crypted LV
Marc Haber
mh+debian-bugs at zugschlus.de
Wed Aug 24 06:52:01 UTC 2011
Package: schroot
Version: 1.4.23-1
Severity: wishlist
Hi,
this is admittedly an exotic use case, and I would perfectly understand
a wontfix tag on this. However, I would like to document the use case
to make clear that it exists.
Contrary to Debian's normal setup, I create my file systems on an
encrypted LV on an unencrypted PV (Debian creates file systems on an LV
on an encrypted PV by default). This allows me to keep LVs with really
sensitive information locked until they're actually needed, but needs
support in every script that handles LVs and Snapshots. schroot is one
of these scripts.
To avoid having build chroots unencrypted, the lvm-snapshot method
would need to have the possibility to
(1) take the snapshot from a different volume name than the one being
actually mounted
(2) unlock the snapshot LV using information from /etc/crypttab
(3) mount the device that was created during step (2)
(4) do steps (1) to (3) in reverse when the snapshot is being removed
Please consider adding this in a future version of schroot.
Encrypted build chroots may be important in settings where an schroot
installation is being used on a machine in untrusted housing to make
it harder to trojan the build system.
In the meantime, I'll use a VM on an encrypted volume which is an
acceptable workaround for me. It's, however, a waste of resources.
Greetings
Marc
-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.0.1-zgws1 (SMP w/6 CPU cores; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages schroot depends on:
ii libboost-filesystem1.46.1 1.46.1-7 filesystem operations (portable pa
ii libboost-program-options1.4 1.46.1-7 program options library for C++
ii libboost-regex1.46.1 1.46.1-7 regular expression library for C++
ii libboost-system1.46.1 1.46.1-7 Operating system (e.g. diagnostics
ii libc6 2.13-17 Embedded GNU C Library: Shared lib
ii libgcc1 1:4.6.1-7 GCC support library
ii liblockdev1 1.0.3-1.4+b1 Run-time shared library for lockin
ii libpam0g 1.1.3-2 Pluggable Authentication Modules l
ii libstdc++6 4.6.1-7 GNU Standard C++ Library v3
ii libuuid1 2.19.1-5 Universally Unique ID library
ii schroot-common 1.4.23-1 common files for schroot
schroot recommends no packages.
Versions of packages schroot suggests:
pn aufs-modules | unionfs-modul <none> (no description available)
pn btrfs-tools <none> (no description available)
ii debootstrap 1.0.36 Bootstrap a basic Debian system
ii lvm2 2.02.84-3.1 The Linux Logical Volume Manager
ii unzip 6.0-5 De-archiver for .zip files
-- no debconf information
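
The four steps requested above, sketched as a dry-run command planner. This is an added example, not code from the report or from schroot. It assumes a LUKS volume, whose snapshot carries the same header and so opens with the origin's crypttab key; the volume group, mapping names, key path, mount point and sizes are constructed.

```sh
#!/bin/sh
# Added illustration: plans the four steps from the report as a command list.
# Nothing is executed; every device, key path and name here is constructed.

# Constructed sample crypttab: <target> <source device> <key file> <options>
SAMPLE_CRYPTTAB='# constructed sample, not from the report
build_crypt /dev/vg0/build /etc/keys/build.key luks
home_crypt  /dev/vg0/home  none                luks'

# Print the key-file field of the crypttab entry whose source device is $1.
# The crypttab text is read from stdin; returns 1 when no entry matches.
crypttab_keyfile() {
    awk -v src="$1" '
        /^[ \t]*(#|$)/ { next }
        $2 == src { print ($3 == "" ? "none" : $3); found = 1; exit }
        END { exit found ? 0 : 1 }'
}

# Emit setup commands: (1) snapshot the raw encrypted LV rather than the
# mapped device, (2) unlock the snapshot with the origin's crypttab key,
# (3) mount the device created by step (2).
# Args: origin-LV session-id mount-point snapshot-size; crypttab on stdin.
plan_setup() {
    origin=$1 session=$2 mnt=$3 size=$4
    key=$(crypttab_keyfile "$origin") || { echo "no crypttab entry for $origin" >&2; return 1; }
    snap="${origin%/*}/$session"
    echo "lvcreate --snapshot --size $size --name $session $origin"
    if [ "$key" = none ] || [ "$key" = - ]; then
        echo "cryptsetup luksOpen $snap ${session}_crypt"   # would prompt for a passphrase
    else
        echo "cryptsetup luksOpen --key-file $key $snap ${session}_crypt"
    fi
    echo "mount /dev/mapper/${session}_crypt $mnt"
}

# Emit teardown commands: step (4), the setup in reverse order.
plan_teardown() {
    origin=$1 session=$2 mnt=$3
    echo "umount $mnt"
    echo "cryptsetup luksClose ${session}_crypt"
    echo "lvremove -f ${origin%/*}/$session"
}

# Demo on the constructed sample: prints the plan only.
printf '%s\n' "$SAMPLE_CRYPTTAB" | plan_setup /dev/vg0/build sess1 /mnt/sess1 2G
plan_teardown /dev/vg0/build sess1 /mnt/sess1
```
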