VeraCrypt
Veracrypt exFat inside Kubernetes pod
Hi,
I have a working solution to run this veracrypt command inside a pod:
veracrypt --text --quick --non-interactive --create /media/vera --volume-type normal --size 200M --password 123456 --hash SHA-512 --encryption AES --filesystem exFat --force
The related settings in the deployment yml:
spec:
  containers:
  - name: api
    securityContext:
      capabilities:
        add:
        - SYS_ADMIN
      privileged: true
    volumeMounts:
    - name: dev
      mountPath: /dev
  volumes:
  - name: dev
    hostPath:
      path: /dev
My current goal is to remove the host /dev mount and the privileged: true field to improve security.
I've found a git repository called smarter-device-manager and it provides a way to access host devices inside the container by describing the required devices in the resource request/limit section of deployment yml file.
Right now the pod has the SYS_ADMIN capability, the fuse, loop-control, loop[0-7] and mapper/control devices mounted by the smarter-device-manager, and the container.apparmor.security.beta.kubernetes.io/<container_name>: unconfined annotation.
The result of the veracrypt command above:
Done: 100.000% Speed: 5.2 MiB/s Left: 0s
Error: device-mapper: create ioctl on veracrypt1 failed: Device or resource busy
Command failed.
dmsetup ls lists a veracrypt1 device, and after executing dmsetup remove veracrypt1 it is not on the list anymore.
Executing the veracrypt command again results in this:
Done: 100.000% Speed: 5.2 MiB/s Left: 0s
Error: No such file or directory
/dev/mapper/veracrypt1
dmsetup ls shows the veracrypt1 device again, and executing the veracrypt command again results in the same way as before (Error: device-mapper: create ioctl on veracrypt1 failed).
ls /dev/mapper/ in this container does not show the veracrypt1 device, but it shows up in the container with mounted /dev and privileged: true.
The veracrypt command with --filesystem Fat instead of --filesystem exFat can be executed successfully.
Kubernetes node kernel version is 4.4.0-190-generic
Veracrypt version is 1.24-Update4
I don't know for sure that it is a Veracrypt issue, but I lack the required knowledge on Linux devices and kernel magic.
What other devices or capabilities or anything else does the container need to execute the example command successfully?
Any help would be highly appreciated.
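A least-privilege deployment fragment in the shape the post is working towards, added here as an illustration and not the poster's own manifest: device nodes are requested from smarter-device-manager as extended resources, only SYS_ADMIN is added, and neither privileged: true nor a hostPath mount of /dev is used. The smarter-devices/<name> resource names and the image name are assumptions (mapper_control in particular is an assumed spelling that must match the device manager's ConfigMap), and this fragment does not by itself resolve the device-mapper error described above.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: api
spec:
  selector:
    matchLabels:
      app: api
  template:
    metadata:
      labels:
        app: api
      annotations:
        # Same AppArmor annotation the post already uses for this container.
        container.apparmor.security.beta.kubernetes.io/api: unconfined
    spec:
      containers:
      - name: api
        image: example/api:latest        # placeholder image, not from the post
        securityContext:
          privileged: false              # replaces privileged: true
          capabilities:
            add:
            - SYS_ADMIN                  # mount(2) and device-mapper ioctls need this
            # Further tightening to test once this works: drop: [ALL] before add.
        resources:
          # Device nodes are injected by smarter-device-manager instead of
          # bind-mounting the whole host /dev. Resource names are assumed to
          # match the devicematch entries in the manager's ConfigMap.
          limits:
            smarter-devices/fuse: 1
            smarter-devices/loop-control: 1
            smarter-devices/loop0: 1
            smarter-devices/mapper_control: 1
          requests:
            smarter-devices/fuse: 1
            smarter-devices/loop-control: 1
            smarter-devices/loop0: 1
            smarter-devices/mapper_control: 1
      # No volumes section: the hostPath /dev mount is intentionally gone.
```

If the device manager DaemonSet is not running on the node, the pod stays Pending because the extended resources cannot be satisfied, which is a quick way to confirm the requests are actually being honoured.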