How to Run "pre boot" ssh command to unlock luks volumes

18 views
Skip to first unread message

Robert Heinzmann

unread,
Mar 23, 2018, 3:38:17 PM3/23/18
to Vagrant
Hello, 

I created a vagrant driver (https://github.com/elconas/vagrant-hetznercloud) and now I want to add support for dracut-crypt-ssh (https://github.com/dracut-crypt-ssh/dracut-crypt-ssh) to use it with encrypted volumes.

To do this I need to be able to run a ssh pre boot command during vagrant up. 

Workflow:

 - power on machine
 - Optionally verify ssh fingerprint
 - ssh to port 222 providing passphrase via stdin
 - wait
 - perform normal ssh on port 22 

However the ssh daemon uses a different user and password. Also I need to provide the passphrase via stdin. 

I played with Vagrant::Util::SSH.exec() and use it like this:

luks_ssh_info = env[:machine].ssh_info.dup
luks_ssh_info[:port] = 222 luks_ssh_info[:username] = 'root' luks_ssh_info[:private_key_path] = [ '/path/to/keyfile' ] luks_ssh_info[:keys_only] = true
...
Vagrant::Util::SSH.exec(luks_ssh_info, { :subprocess => true, :extra_args => [ 'unlock' ])

However I need to run vagrant with stdin redirect now:

vagrant up machine < /path/to/passphrase_file

I'd rather wan't to provide the luks unlock passphrase via Vagrantfile + Environment variable. However I did not find any helper / proper way how to do this.

Any hints how to do this ??

Regard,
Robert

Alvaro Miranda Aguilera

unread,
Mar 24, 2018, 2:04:17 PM3/24/18
to vagra...@googlegroups.com
seems you need a plugin, ie create your own custom plugin.

other option will be check vagrant-triggers and see if there is anything you can use there.


question, since this is development, making things so secure is required?

Alvaro

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/mitchellh/vagrant/issues
IRC: #vagrant on Freenode
---
You received this message because you are subscribed to the Google Groups "Vagrant" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vagrant-up+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vagrant-up/f0479014-9e3a-4e9e-865e-be9fbd8a31a8%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.



--
Alvaro

Reply all
Reply to author
Forward
0 new messages