luks_device.py: allow the user to explicitly define the LUKS format version (#61812)

* luks_device.py: allow the user to create LUKS based on specific versions

- Allow the user to pass an option 'type' that explicitly defines the version of LUKS
  container that will be created. It should be 'luks1' or 'luks2' format.
- If 'label' option is defined the 'type' option will be 'luks2' independently
  of the option 'type' informed by user. (labels NEED luks2 format)

Fixes: #58973
Signed-off-by: Alexandre Mulatinho <alex@mulatinho.net>

* added the changelog fragment

Signed-off-by: Alexandre Mulatinho <alex@mulatinho.net>

* luks_device.py: make it fail in certain conditions

- Do not allow the user to specify luks1 type and label in the same playbook

Signed-off-by: Alexandre Mulatinho <alex@mulatinho.net>
Alexandre Mulatinho 2019-09-11 15:45:33 -03:00 committed by Felix Fontein
parent 5eb5f74083
commit 5b3526535c
2 changed files with 32 additions and 3 deletions

@ -0,0 +1,2 @@
minor_changes:
- luks_device - added the ``type`` option that allows user explicit define the LUKS container format version
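Review bot: the fragment text "allows user explicit define the LUKS container format version" is ungrammatical, and changelog fragments are carried into the release notes as written. Suggest: "added the ``type`` option, which lets the user explicitly choose the LUKS container format version (``luks1`` or ``luks2``)".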

@ -107,6 +107,7 @@ options:
label on later usages."
- "Will only be used on container creation, or when I(device) is
not specified."
- "This cannot be specified if I(type) is set to C(luks1)."
type: str
version_added: "2.10"
uuid:
@ -115,6 +116,14 @@ options:
- "Will only be used when I(device) and I(label) are not specified."
type: str
version_added: "2.10"
type:
description:
- "This option allow the user explicit define the format of LUKS
container that wants to work with. Options are C(luks1) or C(luks2)"
type: str
choices: [luks1, luks2]
version_added: "2.10"
requirements:
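Review bot: the new `type` description does not say when the option takes effect or what happens when it is omitted. In this commit it is only read in run_luks_create, and when neither `type` nor `label` is set no `--type` argument is passed, so the format is whatever cryptsetup defaults to. The description should state both points, in the same way the `label` text says "Will only be used on container creation". The sentence also needs a grammar pass ("allow the user explicit define", "that wants to work with") and a closing period.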
@ -195,6 +204,13 @@ EXAMPLES = '''
uuid: 03ecd578-fad4-4e6c-9348-842e3e8fa340
state: "closed"
name: "mycrypt"
- name: create a container using luks2 format
luks_device:
device: "/dev/loop0"
state: "present"
keyfile: "/vault/keyfile"
type: luks2
'''
RETURN = '''
@ -317,16 +333,22 @@ class CryptHandler(Handler):
def run_luks_create(self, device, keyfile, keysize):
# create a new luks container; use batch mode to auto confirm
label = self._module.params.get('label')
luks_type = self._module.params['type']
label = self._module.params['label']
options = []
if keysize is not None:
options.append('--key-size=' + str(keysize))
if label is not None:
# create luks container v2 with label
options.extend(['--type', 'luks2', '--label', label])
options.extend(['--label', label])
luks_type = 'luks2'
if luks_type is not None:
options.extend(['--type', luks_type])
args = [self._cryptsetup_bin, 'luksFormat']
args.extend(options)
args.extend(['-q', device, keyfile])
result = self._run_command(args)
if result[RETURN_CODE] != 0:
raise ValueError('Error while creating LUKS on %s: %s'
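Review bot: in run_luks_create, `luks_type = 'luks2'` inside the `if label is not None:` branch overwrites whatever the user passed, so the handler itself would still silently turn `type: luks1` into luks2 and only the fail_json check in run_module prevents that. Consider assigning the value only when `luks_type is None`, or raising ValueError on the luks1 plus label combination here as well, so the method does not rely on its caller for the check. The comment "create luks container v2 with label" should move next to the `luks_type = 'luks2'` line it now explains.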
@ -541,6 +563,7 @@ def run_module():
keysize=dict(type='int'),
label=dict(type='str'),
uuid=dict(type='str'),
type=dict(type='str', choices=['luks1', 'luks2']),
)
# seed the result dict in the object
@ -564,6 +587,10 @@ def run_module():
crypt = CryptHandler(module)
conditions = ConditionsHandler(module, crypt)
# conditions not allowed to run
if module.params['label'] is not None and module.params['type'] == 'luks1':
module.fail_json(msg='You cannot combine type luks1 with the label option.')
# The conditions are in order to allow more operations in one run.
# (e.g. create luks and add a key to it)
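Review bot: the luks1/label conflict check added to run_module has no test; the commit changes only two files, the changelog fragment and the module. Suggest adding test cases that set `label` together with `type: luks1` and assert on the failure message, and that create a container with `type: luks1` and with `type: luks2` and confirm the resulting format. The check also runs for every `state`, while `type` is only consumed on creation, so it is worth deciding whether a task that merely opens or closes a container should fail on this combination.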