Deploying a GDPR enabled Content Runtime

As part of GDPR enablement, it is recommended that you encrypt specific directories that may contain personal information. These include directories that contain Content Runtime configuration information and Content Runtime Pattern Manager logs.

Provisioning a GDPR enabled Content Runtime requires using an existing virtual machine with mounted encrypted block devices.

Deploy a system to host the Content Runtime

For a GDPR enabled deployment of the Content Runtime, a virtual machine meeting infrastructure requirements must exist and be accessible by Managed services. In addition to the general infrastructure requirements, two unformatted disks must be attached to the virtual machine.

The following set of steps contains example commands for configuring a virtual machine where a Content Runtime instance will be deployed. In this example, two logical volumes are created and mounted in well-known locations used by the Pattern Manager.

Encrypt and mount volumes

dm-crypt provides transparent encryption of block devices. You can access the data immediately after you mount the device. For more information about dm-crypt, see https://wiki.archlinux.org/index.php/dm-crypt.

Prerequisites

Ensure that the following packages are installed on all the nodes of your Content Runtime VM:

Create a partition table

Before encrypting volumes, a label and at least one partition must be created in the drive.

  1. Use the parted tool on the disk
    parted <full path and name of the physical volume>
    
    Example commands and output
    $ parted /dev/sdb
    GNU Parted 3.2
    Using /dev/sdb
    Welcome to GNU Parted! Type 'help' to view a list of commands.
    (parted)
    
  2. Add a partition table to the volume using mklabel

    Example commands

    (parted) mklabel gpt
    
  3. Create a partition, in this case a single partition will be created using all available space. Note: Multiple logical volumes can later be defined inside a single partition.

    Example commands

    (parted) mkpart primary 1 -1
    
  4. Exit parted by typing quit
  5. Repeat steps 1-4 for other disks. In this example, repeat for /dev/sdc

Encrypting the volumes

These commands create and encrypt two logical volumes. Those logical volumes are then mounted on the directories that may contain personal information.

Run these commands as root.

  1. Configure logical volume management (LVM) to store the encrypted data:

    1. Create a physical volume.

      pvcreate <full path and name of the partition>
      

      Example commands and outputs:

      $ pvcreate /dev/sdb1
      Physical volume "/dev/sdb1" successfully created.
      $ pvcreate /dev/sdc1
      Physical volume "/dev/sdc1" successfully created.
      
    2. Create a volume group.

      vgcreate <name of the volume group> <full path to the physical volume>
      

      Example commands and outputs:

      $ vgcreate pmvg /dev/sdb1
      Volume group "pmvg" successfully created.
      $ vgcreate pmlogvg /dev/sdc1
      Volume group "pmlogvg" successfully created.
      
    3. Create a logical volume.

      lvcreate -L <amount of space required> <name of the volume group> -n <name of the logical volume>
      

      Example commands and outputs:

      $ lvcreate -L1G pmvg -n pmlv
      Logical volume "pmlv" created.
      $ lvcreate -L5G pmlogvg -n pmloglv
      Logical volume "pmloglv" created.
      
  2. Create a dm-crypt LUKS Container in the volume.

    $ cryptsetup -y luksFormat <full path to the logical volume>
    

    If you want to use a passphrase for decrypting, you can specify it now. This passphrase will be needed for deploying the Content Runtime later. The passphrase needs to be common for both logical volumes.

    The following is an example command and output:

    $ cryptsetup -y luksFormat /dev/pmvg/pmlv
    
    WARNING!
    ========
    This will overwrite data on /dev/pmvg/pmlv irrevocably.
    
    Are you sure? (Type uppercase yes): YES
    Enter passphrase:
    Verify passphrase:
    
    $ cryptsetup -y luksFormat /dev/pmlogvg/pmloglv
    
    WARNING!
    ========
    This will overwrite data on /dev/pmlogvg/pmloglv irrevocably.
    
    Are you sure? (Type uppercase yes): YES
    Enter passphrase:
    Verify passphrase:
    
  3. (Optional) Add LUKS key to your encrypted device.

    cryptsetup supports adding a key to your logical volume using a keyfile. This keyfile can be added to /etc/crypttab to allow your encrypted drives to be auto-unlocked at boot time. Your keyfile can be random data or something specific. It is recommended that the permissions on your keyfile be set to root only.

    Create keyfile examples:

    $ dd if=/dev/random bs=32 count=1 of=/etc/keys/pm_key
    $ printf "This is a plaintext passphrase key file" > /etc/keys/pmlog_key
    

    Add the keyfile to your LUKS partition:

    $ cryptsetup luksAddKey <full path to logical volume> <full path to key file>
    

    The following is an example command and output:

    $ cryptsetup luksAddKey /dev/pmvg/pmlv /etc/keys/pm_key
    Enter any passphrase:
    
    $ cryptsetup luksAddKey /dev/pmlogvg/pmloglv /etc/keys/pmlog_key
    Enter any passphrase:
    
  4. Open the LUKS container and map it to a device-mapper name; the decrypted device then appears as /dev/mapper/<name of the logical volume>.

    $ cryptsetup luksOpen <full path to the logical volume> <name of the logical volume>
    

    The following is an example command and output:

    $ cryptsetup luksOpen /dev/pmvg/pmlv pmlv
    Enter passphrase for /dev/pmvg/pmlv:
    
    $ cryptsetup luksOpen /dev/pmlogvg/pmloglv pmloglv
    Enter passphrase for /dev/pmlogvg/pmloglv:
    
  5. Create a file system on the logical volume. You can use any file system. The command here is for using an XFS file system.

    $ mkfs.xfs /dev/mapper/<name of the logical volume>
    

    The following is an example command and output:

    $ mkfs.xfs /dev/mapper/pmlv
    
    meta-data=/dev/mapper/pmlv       isize=512    agcount=4, agsize=65408 blks
             =                       sectsz=512   attr=2, projid32bit=1
             =                       crc=1        finobt=0, sparse=0
    data     =                       bsize=4096   blocks=261632, imaxpct=25
             =                       sunit=0      swidth=0 blks
    naming   =version 2              bsize=4096   ascii-ci=0 ftype=1
    log      =internal log           bsize=4096   blocks=855, version=2
             =                       sectsz=512   sunit=0 blks, lazy-count=1
    realtime =none                   extsz=4096   blocks=0, rtextents=0
    
    $ mkfs.xfs /dev/mapper/pmloglv
    
    meta-data=/dev/mapper/pmloglv    isize=512    agcount=4, agsize=327552 blks
             =                       sectsz=512   attr=2, projid32bit=1
             =                       crc=1        finobt=0, sparse=0
    data     =                       bsize=4096   blocks=1310208, imaxpct=25
             =                       sunit=0      swidth=0 blks
    naming   =version 2              bsize=4096   ascii-ci=0 ftype=1
    log      =internal log           bsize=4096   blocks=2560, version=2
             =                       sectsz=512   sunit=0 blks, lazy-count=1
    realtime =none                   extsz=4096   blocks=0, rtextents=0
    
  6. Create the mount locations for the Pattern Manager configuration directory and the Docker container log directory.

    $ mkdir <mount location>
    

    The following is an example command and output:

    $ mkdir -p /opt/ibm/docker/pattern-manager
    $ mkdir -p /var/log/ibm/docker
    
  7. Mount the Pattern Manager configuration file system and the Docker container log file system.

    $ mount /dev/mapper/<name of the logical volume> <mount location>
    

    The following is an example command and output:

    $ mount /dev/mapper/pmlv /opt/ibm/docker/pattern-manager
    $ mount /dev/mapper/pmloglv /var/log/ibm/docker
    

    To automatically mount between system restarts, add the following lines to the /etc/crypttab and /etc/fstab files:

    • Add the following line to the /etc/crypttab file, where <target name> is a unique name of your choosing:

      <target name> <full path to the logical volume> {none|<absolute_path_to_keyfile>} luks
      

      Use none if you unlock the volume with a passphrase, or the full path to the key file if you unlock it with a key file.

      The following are example lines in /etc/crypttab:

      pm_crypt /dev/pmvg/pmlv /etc/keys/pm_key luks
      pmlog_crypt /dev/pmlogvg/pmloglv /etc/keys/pmlog_key luks
      
    • Add the following line to the /etc/fstab file, where <target name> matches the unique name added to /etc/crypttab and <mount location> is the directory created in step 6:

      /dev/mapper/<target name> <mount location> xfs defaults 0 2
      

      The following are example lines in /etc/fstab:

      /dev/mapper/pm_crypt /opt/ibm/docker/pattern-manager xfs defaults 0 2
      /dev/mapper/pmlog_crypt /var/log/ibm/docker xfs defaults 0 2
      
  8. Reboot the virtual machine
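The key file permissions recommended in step 3 and the /etc/crypttab and /etc/fstab entries from step 7 are easy to get subtly wrong (a world-readable key file, or a crypttab target with no matching fstab line, which leaves the directory unencrypted after a reboot). The script below is an added example, not part of the original documentation or of the Content Runtime product. It assumes POSIX sh with GNU coreutils, writes everything under a scratch directory $ROOT (a constructed stand-in for /etc, so it runs without root), and reuses the device names, key file paths and mount points from the examples above; the function names make_keyfile, crypttab_line, fstab_line and check_tables are the example's own.

```shell
#!/bin/sh
# Added example: create root-only LUKS key files, emit matching crypttab and
# fstab entries, and verify that the two files agree with each other.
# All paths are relative to $ROOT, a constructed scratch directory; on a real
# host this would run as root with ROOT=/ so the files land in /etc.
set -eu

# make_keyfile <path>: 32 bytes of random key material, readable only by owner.
# The umask keeps the file private even between creation and chmod.
make_keyfile() {
    kf=$1
    mkdir -p "$(dirname "$kf")"
    chmod 0700 "$(dirname "$kf")"
    (umask 077 && dd if=/dev/urandom bs=32 count=1 of="$kf" 2>/dev/null)
    chmod 0400 "$kf"
}

# crypttab_line <target> <device> <keyfile|none>: one /etc/crypttab entry.
crypttab_line() { printf '%s %s %s luks\n' "$1" "$2" "$3"; }

# fstab_line <target> <mount location>: one /etc/fstab entry for the mapped device.
fstab_line() { printf '/dev/mapper/%s %s xfs defaults 0 2\n' "$1" "$2"; }

# mode_is_0400 <file>: true when the file is readable by its owner only.
mode_is_0400() { [ "$(ls -l "$1" | cut -c1-10)" = "-r--------" ]; }

# check_tables <crypttab> <fstab>: every crypttab target must have an fstab
# entry for /dev/mapper/<target>, and every key file must exist with mode 0400.
# Returns 0 when consistent, 1 otherwise; problems are reported on stderr.
check_tables() {
    ct=$1; ft=$2; rc=0
    while read -r target dev key opts; do
        case "$target" in ''|'#'*) continue ;; esac
        if ! grep -q "^/dev/mapper/$target " "$ft"; then
            echo "no fstab entry for /dev/mapper/$target ($dev stays unmounted)" >&2
            rc=1
        fi
        if [ "$key" != none ]; then
            if [ ! -f "$key" ]; then
                echo "key file $key for $target is missing" >&2; rc=1
            elif ! mode_is_0400 "$key"; then
                echo "key file $key is not mode 0400" >&2; rc=1
            fi
        fi
    done < "$ct"
    return $rc
}

# Demo with the names used in the documentation, under a scratch root.
ROOT=${ROOT:-$(mktemp -d)}
make_keyfile "$ROOT/etc/keys/pm_key"
make_keyfile "$ROOT/etc/keys/pmlog_key"
{
    crypttab_line pm_crypt    /dev/pmvg/pmlv       "$ROOT/etc/keys/pm_key"
    crypttab_line pmlog_crypt /dev/pmlogvg/pmloglv "$ROOT/etc/keys/pmlog_key"
} > "$ROOT/etc/crypttab"
{
    fstab_line pm_crypt    /opt/ibm/docker/pattern-manager
    fstab_line pmlog_crypt /var/log/ibm/docker
} > "$ROOT/etc/fstab"
check_tables "$ROOT/etc/crypttab" "$ROOT/etc/fstab" && echo "crypttab and fstab are consistent under $ROOT"
```

On a real host, run it as root so that the key files are owned by root as well as mode 0400, and point ROOT at / only after the LUKS containers have been formatted and the key files added with luksAddKey; check_tables can be rerun at any time (for example from a configuration audit) to confirm that both protected directories are still wired to their encrypted volumes.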

Deploy Content Runtime

  1. In the CAM UI, click Manage > Content runtimes.

  2. Select the Other Cloud Provider after clicking the Create content runtime button. Choose any of the three Runtime options as they will all support encrypted volumes. Name the instance and press the Create button.

  3. Provide the information required for establishing a connection with the existing virtual machine and other parameters. Include the encryption passphrase for the encrypted volumes in the File system encryption passphrase field.

Pattern Manager and Software Repository Logs

The Content Runtime's Pattern Manager and Software Repository logs can be found on the content runtime virtual machine under the /var/log/ibm/docker directory in the pattern-manager and software-repository directories, respectively. Should it be required to delete personal data from the Content Runtime logs, this is where you will find them.

Broadcast messages

The following message may be broadcast on your system during the content runtime installation process. It can be ignored.

Broadcast message from root@ibm-cam-runtime (Mon 2018-05-14 15:46:50 UTC):

Password entry required for 'Please enter passphrase for disk pmlogvg-pmloglv (pmlogvg)!' (PID 32283).
Please enter password with the systemd-tty-ask-password-agent tool!