
Veracrypt exFat inside Kubernetes pod

Open madimaa opened this issue 2 years ago • 0 comments

Hi,

I have a working solution to run this veracrypt command inside a pod:

    veracrypt --text --quick --non-interactive --create /media/vera --volume-type normal --size 200M --password 123456 --hash SHA-512 --encryption AES --filesystem exFat --force

The related settings in the deployment yml:

    spec:
      containers:
      - name: api
        securityContext:
          capabilities:
            add:          # `capabilities` takes `add`/`drop` lists, not a bare list
            - SYS_ADMIN
          privileged: true
        volumeMounts:
        - name: dev
          mountPath: /dev
      volumes:
      - name: dev
        hostPath:
          path: /dev

My current goal is to remove the host /dev mount and the privileged: true field to improve security.

I've found a git repository called smarter-device-manager; it provides a way to access host devices inside the container by describing the required devices in the resource request/limit section of the deployment yml file.

Right now the pod has the SYS_ADMIN capability, the fuse, loop-control, loop[0-7] and mapper/control devices mounted by smarter-device-manager, and the container.apparmor.security.beta.kubernetes.io/<container_name>: unconfined annotation.

The result of the veracrypt command above:

    Done: 100.000% Speed: 5.2 MiB/s Left: 0s
    Error: device-mapper: create ioctl on veracrypt1  failed: Device or resource busy
    Command failed.

dmsetup ls lists a veracrypt1 device, and after executing dmsetup remove veracrypt1 it is not on the list anymore.
Executing the veracrypt command again results in this:

    Done: 100.000% Speed: 5.2 MiB/s Left: 0s
    Error: No such file or directory
    /dev/mapper/veracrypt1

dmsetup ls shows the veracrypt1 device again, and executing the veracrypt command again fails the same way as before (Error: device-mapper: create ioctl on veracrypt1 failed).

ls /dev/mapper/ in this container does not show the veracrypt1 device, but it does show up in the container with /dev mounted and privileged: true.

The veracrypt command with --filesystem Fat instead of --filesystem exFat can be executed successfully.

Kubernetes node kernel version is 4.4.0-190-generic
Veracrypt version is 1.24-Update4

I don't know for sure that it is a Veracrypt issue, but I lack the required knowledge on Linux devices and kernel magic.
What other devices or capabilities or anything else does the container need to execute the example command successfully?

Any help would be highly appreciated.

madimaa, Feb 14 '22 08:02
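The symptom the issue describes, a target that `dmsetup ls` reports as existing in the kernel while `/dev/mapper/veracrypt1` is absent from the container's own `/dev`, is what you get when nothing in the container creates the device node: on the host that job is done by udev, which does not run inside the pod, and the container's `/dev` is a private tmpfs rather than the host's. The script below is an added diagnostic written for this page; it is not code from the reporter or from VeraCrypt, and it does not claim to resolve the issue. It checks whether the node is missing and, if so, creates it from the major:minor number the kernel reports. Assumptions: `dmsetup` is installed in the image, the container holds CAP_MKNOD (part of the default capability set) and has `/dev/mapper/control` from smarter-device-manager, and the target name `veracrypt1` is the one from the issue.

```shell
#!/bin/sh
# Added example (not part of the issue): recreate a device-mapper node that
# the kernel knows about but the container's udev-less /dev lacks.
# Assumptions: dmsetup in the image, CAP_MKNOD, /dev/mapper/control present.

# dm_major_minor NAME TABLE
# TABLE is the text of `dmsetup info -c --noheadings --separator : -o name,major,minor`
# (one "name:major:minor" line per target). Prints "MAJOR:MINOR" for NAME,
# or nothing if NAME is not listed. Kept separate so it can be tested offline.
dm_major_minor() {
    _name="$1"
    _table="$2"
    printf '%s\n' "$_table" | while IFS=': ' read -r _n _maj _min; do
        if [ "$_n" = "$_name" ]; then
            printf '%s:%s\n' "$_maj" "$_min"
        fi
    done
}

# ensure_mapper_node NAME
# If /dev/mapper/NAME is already a block device, do nothing. Otherwise ask the
# kernel (via dmsetup) for the target's numbers and mknod the node ourselves,
# which is the step udev would normally perform on the host.
ensure_mapper_node() {
    _name="$1"
    _node="/dev/mapper/$_name"
    if [ -b "$_node" ]; then
        echo "$_node already present"
        return 0
    fi
    _table=$(dmsetup info -c --noheadings --separator : -o name,major,minor 2>/dev/null) || {
        echo "dmsetup info failed: is /dev/mapper/control in the container?" >&2
        return 1
    }
    _mm=$(dm_major_minor "$_name" "$_table")
    if [ -z "$_mm" ]; then
        echo "no device-mapper target named $_name (check dmsetup ls)" >&2
        return 1
    fi
    mkdir -p /dev/mapper
    mknod "$_node" b "${_mm%%:*}" "${_mm##*:}" || {
        echo "mknod $_node failed: is CAP_MKNOD available?" >&2
        return 1
    }
    echo "created $_node ($_mm)"
}

# remove_stale_target NAME
# Tear down a target left behind by a failed create, the manual step the
# issue performs with `dmsetup remove veracrypt1`.
remove_stale_target() {
    dmsetup remove "$1"
}

# Run only when a target name is passed on the command line, e.g.
#   sh dm-node-check.sh veracrypt1
if [ -n "${1:-}" ]; then
    ensure_mapper_node "$1"
fi
```

`dmsetup mknodes NAME` performs the same node creation in one command when the `dmsetup` build supports it; the explicit parse-and-mknod above shows what that step does and fails with a specific message when the control device or the mknod capability is missing. If the node then exists but the veracrypt run still reports the create ioctl as busy, the remaining problem is on the device-mapper side (a stale target, which `remove_stale_target` clears) rather than the missing node.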