Documentation
Index
- Constants
- Variables
- func GrowPartition(partitionPath string) error
- func Init(name, underlying string, encryptionKey []byte, mode Mode) (string, error)
- func MakeBlockDevices(ctx context.Context, updateSvc *update.Service) error
- func Map(name string, underlying string, encryptionKey []byte, mode Mode) (string, error)
- func Unmap(name string, mode Mode) error
- type Mode
Constants

const (
	ESPDevicePath     = "/dev/esp"
	NodeDataRawPath   = "/dev/data-raw"
	SystemADevicePath = "/dev/system-a"
	SystemBDevicePath = "/dev/system-b"
)
Variables

var (
	SystemAType = uuid.MustParse("ee96054b-f6d0-4267-aaaa-724b2afea74c")
	SystemBType = uuid.MustParse("ee96054b-f6d0-4267-bbbb-724b2afea74c")
)
var NodeDataPartitionType = uuid.MustParse("9eeec464-6885-414a-b278-4305c51f7966")
NodeDataPartitionType is the partition type value for a Metropolis Node data partition.
Functions

func GrowPartition

func GrowPartition(partitionPath string) error

GrowPartition grows the GPT partition corresponding to the given block device path by adding all free space immediately following the partition to it. The main use for this is virtual machines that are launched from an image smaller than the virtual disk.
func Init

func Init(name, underlying string, encryptionKey []byte, mode Mode) (string, error)
Init sets up encryption/authentication as defined by mode on an underlying block device path. After initialization, the setup/mapping is preserved and the path of the resulting top-level block device is returned.
Any existing data present on the underlying storage will be ignored. If authentication is enabled, the underlying storage will also be fully overwritten.
The given name will be used as a base for the device mapper targets created, and is used to uniquely identify this particular mapping setup. The same name must then be used to unmap the device.
The encryption key must be exactly 32 bytes / 256 bits long when authentication and/or encryption is enabled, and nil / 0 bytes long when insecure mode is used.
func MakeBlockDevices

func MakeBlockDevices(ctx context.Context, updateSvc *update.Service) error

MakeBlockDevices looks for the ESP and the node data partition and maps them to ESPDevicePath and NodeDataCryptPath respectively. It does not fail when the partitions are not found; it returns an error only if something goes catastrophically wrong.
func Map

func Map(name string, underlying string, encryptionKey []byte, mode Mode) (string, error)
Map sets up an underlying block device (at path 'underlying') for access. Depending on the given mode, authentication/integrity device-mapper targets will be set up, and the top-level new block device path will be returned.
The given name will be used as a base for the device mapper targets created, and is used to uniquely identify this particular mapping setup. The same name must then be used to unmap the device.
If an error occurs during Map, cleanup will be attempted and an error will be returned.
The encryption key must be exactly 32 bytes / 256 bits long when authentication and/or encryption is enabled, and nil / 0 bytes long when insecure mode is used.
Note: a successful Map does not necessarily mean the underlying device is ready to access. Integrity errors or data corruption might mean accesses to the newly mapped device will fail. The caller is responsible for catching these conditions.
Types

type Mode

type Mode string

Mode of block device encryption and/or authentication, if any. See the package-level documentation for information about how encryption and authentication are implemented and what guarantees they provide.
const ModeAuthenticated Mode = "authenticated"
ModeAuthenticated means the device will be authenticated using dm-integrity, but will not be encrypted.
A key needs to be provided when initializing and mapping a block device.
const ModeEncrypted Mode = "encrypted"
ModeEncrypted means the device will be encrypted using dm-crypt, but will not be authenticated.
A key needs to be provided when initializing and mapping a block device.
const ModeEncryptedAuthenticated Mode = "encrypted+authenticated"
ModeEncryptedAuthenticated means the block device will first be authenticated using dm-integrity, then encrypted using dm-crypt.
A key needs to be provided when initializing and mapping a block device.
const ModeInsecure Mode = "insecure"
ModeInsecure means the device will be neither authenticated nor encrypted.
A key must not be provided, or must be exactly zero bytes long.
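The key-length contract stated under Init and Map, together with the dm-integrity/dm-crypt layering described for each Mode, as an added example that is not part of this package: a stand-alone Go pre-check a caller can run before handing a key to Init or Map. Mode and its constants are copied from this page; Layers, KeyLen, CheckKey and ErrBadMode are hypothetical helpers introduced here, not the package's API.

```go
package main

import (
	"errors"
	"fmt"
)

// Mode and its constants mirror the documented type (hypothetical local copy).
type Mode string

const (
	ModeAuthenticated          Mode = "authenticated"
	ModeEncrypted              Mode = "encrypted"
	ModeEncryptedAuthenticated Mode = "encrypted+authenticated"
	ModeInsecure               Mode = "insecure"
)

// KeyLen is the documented key size (32 bytes / 256 bits) when any protection is enabled.
const KeyLen = 32

var ErrBadMode = errors.New("unknown block device mode")

// Layers lists the device-mapper targets the docs describe for a mode, bottom-up:
// dm-integrity sits on the underlying device, dm-crypt (if any) on top of it.
func Layers(mode Mode) ([]string, error) {
	switch mode {
	case ModeAuthenticated:
		return []string{"dm-integrity"}, nil
	case ModeEncrypted:
		return []string{"dm-crypt"}, nil
	case ModeEncryptedAuthenticated:
		return []string{"dm-integrity", "dm-crypt"}, nil
	case ModeInsecure:
		return nil, nil
	}
	return nil, ErrBadMode
}

// CheckKey enforces the documented contract before Init or Map: exactly KeyLen
// bytes when encryption and/or authentication is enabled, nil or empty when
// insecure. A key passed in insecure mode is flagged as a misconfiguration.
func CheckKey(mode Mode, key []byte) error {
	layers, err := Layers(mode)
	if err != nil {
		return err
	}
	if len(layers) == 0 && len(key) != 0 {
		return fmt.Errorf("mode %q takes no key, got %d bytes", mode, len(key))
	}
	if len(layers) > 0 && len(key) != KeyLen {
		return fmt.Errorf("mode %q needs a %d-byte key, got %d bytes", mode, KeyLen, len(key))
	}
	return nil
}
func main() {
	fmt.Println(CheckKey(ModeInsecure, []byte("leftover-key")))
}
```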