canonical · TheRealFalcon · Apr 27, 2022 · Sep 22, 2021 · Sep 22, 2021 · Nov 4, 2021
diff --git a/cloudinit/config/cc_growpart.py b/cloudinit/config/cc_growpart.py
@@ -7,11 +7,17 @@
 # This file is part of cloud-init. See LICENSE file for license information.
 """Growpart: Grow partitions"""
 
+import base64
+import copy
+import json
 import os
 import os.path
 import re
 import stat
+from contextlib import suppress
+from pathlib import Path
 from textwrap import dedent
+from typing import Tuple
 
 from cloudinit import log as logging
 from cloudinit import subp, temp_utils, util
@@ -85,6 +91,8 @@
     "ignore_growroot_disabled": False,
 }
 
+KEYDATA_PATH = Path("/cc_growpart_keydata")
+
 
 class RESIZE(object):
     SKIPPED = "SKIPPED"
@@ -293,10 +301,128 @@ def devent2dev(devent):
     return dev
 
 
+def get_mapped_device(blockdev):
+    """Returns underlying block device for a mapped device.
+
+    If it is mapped, blockdev will usually take the form of
+    /dev/mapper/some_name
+
+    If blockdev is a symlink pointing to a /dev/dm-* device, return
+    the device pointed to. Otherwise, return None.
+    """
+    realpath = os.path.realpath(blockdev)
+    if realpath.startswith("/dev/dm-"):
+        LOG.debug("%s is a mapped device pointing to %s", blockdev, realpath)
+        return realpath
+    return None
+
+
+def is_encrypted(blockdev, partition) -> bool:
+    """
+    Check if a device is an encrypted device. blockdev should have
+    a /dev/dm-* path whereas partition is something like /dev/sda1.
+    """
+    if not subp.which("cryptsetup"):
+        LOG.debug("cryptsetup not found. Assuming no encrypted partitions")
+        return False
+    try:
+        subp.subp(["cryptsetup", "status", blockdev])
+    except subp.ProcessExecutionError as e:
+        if e.exit_code == 4:
+            LOG.debug("Determined that %s is not encrypted", blockdev)
+        else:
+            LOG.warning(
+                "Received unexpected exit code %s from "
+                "cryptsetup status. Assuming no encrypted partitions.",
+                e.exit_code,
+            )
+        return False
+    with suppress(subp.ProcessExecutionError):
+        subp.subp(["cryptsetup", "isLuks", partition])
+        LOG.debug("Determined that %s is encrypted", blockdev)
+        return True
+    return False
+
+
+def get_underlying_partition(blockdev):
+    command = ["dmsetup", "deps", "--options=devname", blockdev]
+    dep: str = subp.subp(command)[0]  # type: ignore
+    # Returned result should look something like:
+    # 1 dependencies : (vdb1)
+    if not dep.startswith("1 depend"):
+        raise RuntimeError(
+            f"Expecting '1 dependencies' from 'dmsetup'. Received: {dep}"
+        )
+    try:
+        return f'/dev/{dep.split(": (")[1].split(")")[0]}'
+    except IndexError as e:
+        raise RuntimeError(
+            f"Ran `{command}`, but received unexpected stdout: `{dep}`"
+        ) from e
+
+
+def resize_encrypted(blockdev, partition) -> Tuple[str, str]:
+    """Use 'cryptsetup resize' to resize LUKS volume.
+
+    The loaded keyfile is json formatted with 'key' and 'slot' keys.
+    key is base64 encoded. Example:
+    {"key":"XFmCwX2FHIQp0LBWaLEMiHIyfxt1SGm16VvUAVledlY=","slot":5}
+    """
+    if not KEYDATA_PATH.exists():
+        return (RESIZE.SKIPPED, "No encryption keyfile found")
+    try:
-    try:
+    if not KEYDATA_PATH.exists():
+        return (RESIZE.SKIPPED, f"No  {KEYDATA_PATH} exists to decrypt device {blockdev}")
+    try:
-    try:
+    if not KEYDATA_PATH.exists():
+        return (RESIZE.SKIPPED, f"No  {KEYDATA_PATH} exists to decrypt device {blockdev}")
+    try:
+        with KEYDATA_PATH.open() as f:
+            keydata = json.load(f)
+        key = keydata["key"]
+        decoded_key = base64.b64decode(key)
+        slot = keydata["slot"]
+    except Exception as e:
+        raise RuntimeError(
+            "Could not load encryption key. This is expected if "
+            "the volume has been previously resized."
+        ) from e
+
+    try:
+        subp.subp(
+            ["cryptsetup", "--key-file", "-", "resize", blockdev],
+            data=decoded_key,
+        )
+    finally:
+        try:
+            subp.subp(
+                [
+                    "cryptsetup",
+                    "luksKillSlot",
+                    "--batch-mode",
+                    partition,
+                    str(slot),
+                ]
+            )
+        except subp.ProcessExecutionError as e:
+            LOG.warning(
+                "Failed to kill luks slot after resizing encrypted volume: %s",
+                e,
+            )
+        try:
+            KEYDATA_PATH.unlink()
+        except Exception:
+            util.logexc(
+                LOG, "Failed to remove keyfile after resizing encrypted volume"
+            )
+
+    return (
+        RESIZE.CHANGED,
+        f"Successfully resized encrypted volume '{blockdev}'",
+    )
+
+
 def resize_devices(resizer, devices):
     # returns a tuple of tuples containing (entry-in-devices, action, message)
+    devices = copy.copy(devices)
     info = []
-    for devent in devices:
+
+    while devices:
+        devent = devices.pop(0)
         try:
             blockdev = devent2dev(devent)
         except ValueError as e:
@@ -333,6 +459,49 @@ def resize_devices(resizer, devices):
             )
             continue
 
+        underlying_blockdev = get_mapped_device(blockdev)
+        if underlying_blockdev:
+            try:
+                # We need to resize the underlying partition first
+                partition = get_underlying_partition(blockdev)
+                if is_encrypted(underlying_blockdev, partition):
+                    if partition not in [x[0] for x in info]:
+                        # We shouldn't attempt to resize this mapped partition
+                        # until the underlying partition is resized, so re-add
+                        # our device to the beginning of the list we're
+                        # iterating over, then add our underlying partition
+                        # so it can get processed first
+                        devices.insert(0, devent)
+                        devices.insert(0, partition)
+                        continue
+                    status, message = resize_encrypted(blockdev, partition)
+                    info.append(
+                        (
+                            devent,
+                            status,
+                            message,
+                        )
+                    )
+                else:
+                    info.append(
+                        (
+                            devent,
+                            RESIZE.SKIPPED,
+                            f"Resizing mapped device ({blockdev}) skipped "
+                            "as it is not encrypted.",
+                        )
+                    )
+            except Exception as e:
+                info.append(
+                    (
+                        devent,
+                        RESIZE.FAILED,
+                        f"Resizing encrypted device ({blockdev}) failed: {e}",
+                    )
+                )
+            # At this point, we WON'T resize a non-encrypted mapped device
+            # though we should probably grow the ability to
+            continue
         try:
             (disk, ptnum) = device_part_info(blockdev)
         except (TypeError, ValueError) as e:

diff --git a/test-requirements.txt b/test-requirements.txt
@@ -2,6 +2,7 @@
 httpretty>=0.7.1
 pytest
 pytest-cov
+pytest-mock
 
 # Only really needed on older versions of python
 setuptools