On Linux, it is normal to add entries to the Filesystem Table (/etc/fstab) to have the filesystems automatically mount on boot. While you could add the clear text path to the device in the /etc/fstab file manually, doing so could cause the system to hang during reboot.

The issues arise because the Linux boot process is asynchronous. As the HyTrust DataControl Policy Agent is querying KeyControl to get the keys for the registered devices and then attaching them, Linux is processing the /etc/fstab file in the background. If the system processes an fstab entry for a device that the Policy Agent has not yet attached, the clear text path will not be available yet and the device will fail to mount. If the device is marked as "required at boot", the system will hang during the boot process.

In addition, if the device name changes during the boot process due to a hardware device swap or similar process, then the clear text path to the device will change and any manually-created fstab entry will be incorrect. Again, the system will hang during boot if this renamed device is marked "required at boot".

To resolve all of these issues, HyTrust provides a way to automatically mount the drives using hcl. By letting HyTrust control the auto-mount process, you can be certain that the devices are mounted after the clear text paths are available, and that device name changes will be handled automatically.

Note: If you specified the -m option and provided a user-defined clear text path name when you added the VM to KeyControl, hcl always uses that clear text path regardless of the device name.
Procedure

1. Log in to the VM as root.

2. To check the existing mount points and options, use the hcl status command:

   # hcl status
   Summary
   --------------------------------------------------------------------------------
   KeyControl:       192.168.140.151:443
   KeyControl list:  192.168.140.151:443
   Status:           Connected
   Last heartbeat:   Thu Apr 19 09:42:58 2016 (successful)

   Registered Devices
   --------------------------------------------------------------------------------
   Disk Name   Clear                    Cipher        Status
   --------------------------------------------------------------------------------
   sdb1        /dev/mapper/clear_sdb1   AES-XTS-512   Attached

3. Enable auto-mount for the device using the hcl set mntpt=/path diskname command, where path is the mount point for the device and diskname is the short form of the device name. For example, you would use sdb1 instead of /dev/sdb1:

   # hcl set mntpt=/my_mountpoint sdb1

4. If you want to set any mount options, use the hcl set mntopts="option1 option2 ..." diskname command. For example:

   # hcl set mntopts="-t ext4 -o ro,noatime" sdb1

   hcl stores these options and then, whenever the VM reboots, hcl checks to make sure that the mount point exists and then mounts the filesystem using the specified options. Using the example above, hcl would make the following call during boot:

   # mount -t ext4 -o ro,noatime /dev/mapper/clear_sdb1 /my_mountpoint

   Note: To see the default attach handler script HyTrust uses, see VM Handlers for Attach/Detach in Linux.

5. To verify your changes, use the hcl status command:

   # hcl status
   Summary
   --------------------------------------------------------------------------------
   KeyControl:       192.168.140.151:443
   KeyControl list:  192.168.140.151:443
   Status:           Connected
   Last heartbeat:   Thu Apr 19 09:42:58 2018 (successful)

   Registered Devices
   --------------------------------------------------------------------------------
   Disk Name   Clear                    Cipher        Status
   --------------------------------------------------------------------------------
   sdb1        /dev/mapper/clear_sdb1   AES-XTS-512   Attached
               '--> auto_attach=ENABLED, mntpt=/my_mountpoint, mntopts="-t ext4 -o ro,noatime", attach_handler=DEFAULT, detach_handler=DEFAULT
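Once hcl owns the mount, any leftover manual /etc/fstab entry for the same clear text path reintroduces the boot race described above. The following script is an added example, not HyTrust's code: it cross-checks a captured hcl status listing against an fstab file and reports entries whose device field is one of hcl's clear text paths. The sample listing and fstab are constructed for the demo; on a real VM, feed it `hcl status` output and /etc/fstab.

```bash
#!/usr/bin/env bash
# Added example, not HyTrust's code: report /etc/fstab entries that hard-code
# the clear-text path of a device hcl already manages. Such entries race the
# Policy Agent at boot and can hang the system, so they should be removed in
# favour of 'hcl set mntpt=...'.

# Constructed sample of the Registered Devices table from 'hcl status'.
HCL_STATUS_SAMPLE='Registered Devices
--------------------------------------------------------------------------------
Disk Name   Clear                    Cipher        Status
--------------------------------------------------------------------------------
sdb1        /dev/mapper/clear_sdb1   AES-XTS-512   Attached
sdc1        /dev/mapper/clear_sdc1   AES-XTS-512   Attached'

# Constructed /etc/fstab: the second entry is the anti-pattern.
FSTAB_SAMPLE='# <device>               <mount>  <type>  <options>   <dump> <pass>
UUID=1234-ABCD           /        ext4    defaults    0 1
/dev/mapper/clear_sdb1   /data    ext4    ro,noatime  0 2
tmpfs                    /tmp     tmpfs   defaults    0 0'

# write_samples DIR: materialise both samples as files for the checker.
write_samples() {
  printf '%s\n' "$HCL_STATUS_SAMPLE" > "$1/hcl_status.txt"
  printf '%s\n' "$FSTAB_SAMPLE"      > "$1/fstab"
}

# fstab_conflicts STATUS_FILE FSTAB_FILE
# Prints every fstab entry whose device field is a clear-text path listed by
# hcl. Exit status 0 = no conflicts, 1 = at least one entry must be removed.
fstab_conflicts() {
  awk '
    FNR == NR { if ($2 ~ /^\/dev\/mapper\//) clear[$2] = 1; next }  # hcl rows
    /^[[:space:]]*#/ || NF < 2 { next }                             # comments/blank
    $1 in clear { print; n++ }
    END { exit (n > 0) }
  ' "$1" "$2"
}

# Stand-alone run: swap the sample files for a real 'hcl status' capture
# and /etc/fstab to audit a live VM.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
if fstab_conflicts "$demo_dir/hcl_status.txt" "$demo_dir/fstab"; then
  echo "OK: no fstab entry references an hcl clear-text path"
else
  echo "WARNING: remove the entries above and use 'hcl set mntpt=' instead"
fi
rm -rf "$demo_dir"
```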
What to Do Next
If you want to change the order in which the devices are mounted, see Changing the Mount Order on Linux.