From d98d4dbc2741295723f0a316b5bf81f07b140041 Mon Sep 17 00:00:00 2001 From: Erwan Velu Date: Tue, 15 Nov 2016 14:15:18 +0100 Subject: [PATCH 1/2] ceph-disk: Adding cluster name support for dmcrypt MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Prior to this commit we were not able to configure an OSD using dmcrypt on a cluster with a different name than 'ceph'. Wwe have to propagate the cluster name (args.cluster) to the get_dmcrypt_key() fonction, which imply changing the prototype of it by adding a "cluster" argument. This changes imply that dmcrypt_map(), mount_activate(), main_activate_space() functions prototypes are changing to get the cluster name for their respective callers. It's usually a way just to make args.cluster available for the functions they call. Note that we introduce the "cluster" argument of mount_activate() _before_ the last argument (reactivate) as this one have a default value : as we don't have any for "cluster", that would make a python exception. This patch has been tested with the following commands : - deactivate - destroy - prepare Fixes: http://tracker.ceph.com/issues/17821 Signed-off-by: Sébastien Han Signed-off-by: Erwan Velu --- src/ceph-disk/ceph_disk/main.py | 39 +++++++++++++++++++++++---------- 1 file changed, 27 insertions(+), 12 deletions(-) diff --git a/src/ceph-disk/ceph_disk/main.py b/src/ceph-disk/ceph_disk/main.py index 5283484ab00ba..13dc492221549 100755 --- a/src/ceph-disk/ceph_disk/main.py +++ b/src/ceph-disk/ceph_disk/main.py @@ -1161,8 +1161,10 @@ def get_dmcrypt_key_path( def get_dmcrypt_key( _uuid, key_dir, - luks + luks, + cluster ): + legacy_path = get_dmcrypt_key_path(_uuid, key_dir, luks) if os.path.exists(legacy_path): return (legacy_path,) @@ -1174,6 +1176,8 @@ def get_dmcrypt_key( key, stderr, ret = command( [ 'ceph', + '--cluster', + cluster, '--name', 'client.osd-lockbox.' + osd_uuid, '--keyring', @@ -1739,7 +1743,7 @@ def setup_crypt(self): self.osd_dm_key = get_dmcrypt_key( self.get_uuid(), self.args.dmcrypt_key_dir, - False) + False, self.args.cluster) def set_variables_ptype(self): self.ptype_map = PTYPE['plain'] @@ -1765,7 +1769,7 @@ def setup_crypt(self): self.osd_dm_key = get_dmcrypt_key( self.get_uuid(), self.args.dmcrypt_key_dir, - True) + True, self.args.cluster) def set_variables_ptype(self): self.ptype_map = PTYPE['luks'] @@ -2462,7 +2466,7 @@ def set_or_create_partition(self): self.args.lockbox) self.partition = self.create_partition() - def create_key(self): + def create_key(self, cluster): key_size = CryptHelpers.get_dmcrypt_keysize(self.args) key = open('/dev/urandom', 'rb').read(key_size / 8) base64_key = base64.b64encode(key) @@ -2474,6 +2478,8 @@ def create_key(self): 'ceph', '--name', 'client.bootstrap-osd', '--keyring', bootstrap, + '--cluster', + cluster, 'config-key', 'put', 'dm-crypt/osd/' + self.args.osd_uuid + '/luks', @@ -2485,6 +2491,8 @@ def create_key(self): 'ceph', '--name', 'client.bootstrap-osd', '--keyring', bootstrap, + '--cluster', + cluster, 'auth', 'get-or-create', 'client.osd-lockbox.' + self.args.osd_uuid, @@ -2520,7 +2528,7 @@ def populate(self): LOG.debug('Mounting lockbox ' + str(" ".join(args))) command_check_call(args) write_one_line(path, 'osd-uuid', self.args.osd_uuid) - self.create_key() + self.create_key(self.args.cluster) self.symlink_spaces(path) write_one_line(path, 'magic', CEPH_LOCKBOX_ONDISK_MAGIC) if self.device is not None: @@ -3208,7 +3216,7 @@ def dmcrypt_is_mapped(uuid): return None -def dmcrypt_map(dev, dmcrypt_key_dir): +def dmcrypt_map(dev, dmcrypt_key_dir, cluster): ptype = get_partition_type(dev) if ptype in Ptype.get_ready_by_type('plain'): luks = False @@ -3220,7 +3228,7 @@ def dmcrypt_map(dev, dmcrypt_key_dir): raise Error('--dmcrypt called for dev %s with invalid ptype %s' % (dev, ptype)) part_uuid = get_partition_uuid(dev) - dmcrypt_key = get_dmcrypt_key(part_uuid, dmcrypt_key_dir, luks) + dmcrypt_key = get_dmcrypt_key(part_uuid, dmcrypt_key_dir, luks, cluster) return _dmcrypt_map( rawdev=dev, key=dmcrypt_key, @@ -3237,12 +3245,13 @@ def mount_activate( init, dmcrypt, dmcrypt_key_dir, + cluster, reactivate=False, ): if dmcrypt: part_uuid = get_partition_uuid(dev) - dev = dmcrypt_map(dev, dmcrypt_key_dir) + dev = dmcrypt_map(dev, dmcrypt_key_dir, cluster) try: fstype = detect_fstype(dev=dev) except (subprocess.CalledProcessError, @@ -3540,6 +3549,7 @@ def main_activate(args): init=args.mark_init, dmcrypt=args.dmcrypt, dmcrypt_key_dir=args.dmcrypt_key_dir, + cluster=args.cluster, reactivate=args.reactivate, ) osd_data = get_mount_point(cluster, osd_id) @@ -3777,7 +3787,7 @@ def _deallocate_osd_id(cluster, osd_id): ]) -def _remove_lockbox(uuid): +def _remove_lockbox(uuid, cluster): command([ 'ceph', 'auth', @@ -3786,6 +3796,8 @@ def _remove_lockbox(uuid): ]) command([ 'ceph', + '--cluster', + cluster, 'config-key', 'del', 'dm-crypt/osd/' + uuid + '/luks', @@ -3818,7 +3830,8 @@ def destroy_lookup_device(args, predicate, description): unmap = False else: dmcrypt_path = dmcrypt_map(partition['path'], - args.dmcrypt_key_dir) + args.dmcrypt_key_dir, + args.cluster) unmap = True list_dev_osd(dmcrypt_path, {}, partition) if unmap: @@ -3883,7 +3896,7 @@ def main_destroy_locked(args): for name in Space.NAMES: if target_dev.get(name + '_uuid'): dmcrypt_unmap(target_dev[name + '_uuid']) - _remove_lockbox(target_dev['uuid']) + _remove_lockbox(target_dev['uuid'], args.cluster) # Check zap flag. If we found zap flag, we need to find device for # destroy this osd data. @@ -3937,7 +3950,7 @@ def main_activate_space(name, args): dev = None with activate_lock: if args.dmcrypt: - dev = dmcrypt_map(args.dev, args.dmcrypt_key_dir) + dev = dmcrypt_map(args.dev, args.dmcrypt_key_dir, args.cluster) else: dev = args.dev # FIXME: For an encrypted journal dev, does this return the @@ -3963,6 +3976,7 @@ def main_activate_space(name, args): init=args.mark_init, dmcrypt=args.dmcrypt, dmcrypt_key_dir=args.dmcrypt_key_dir, + cluster=args.cluster, reactivate=args.reactivate, ) @@ -4006,6 +4020,7 @@ def main_activate_all(args): activate_key_template=args.activate_key_template, init=args.mark_init, dmcrypt=False, + cluster=args.cluster, dmcrypt_key_dir='', ) start_daemon( From 1c747473600a9a7f528ad71a889c35d85ac115b1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?S=C3=A9bastien=20Han?= Date: Wed, 18 Jan 2017 14:03:44 +0100 Subject: [PATCH 2/2] ceph-disk: change get_dmcrypt_key test to support different cluster name MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Sébastien Han --- src/ceph-disk/ceph_disk/main.py | 4 ++-- src/ceph-disk/tests/test_prepare.py | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/ceph-disk/ceph_disk/main.py b/src/ceph-disk/ceph_disk/main.py index 13dc492221549..e5031ac8c30fe 100755 --- a/src/ceph-disk/ceph_disk/main.py +++ b/src/ceph-disk/ceph_disk/main.py @@ -2466,7 +2466,7 @@ def set_or_create_partition(self): self.args.lockbox) self.partition = self.create_partition() - def create_key(self, cluster): + def create_key(self): key_size = CryptHelpers.get_dmcrypt_keysize(self.args) key = open('/dev/urandom', 'rb').read(key_size / 8) base64_key = base64.b64encode(key) @@ -2528,7 +2528,7 @@ def populate(self): LOG.debug('Mounting lockbox ' + str(" ".join(args))) command_check_call(args) write_one_line(path, 'osd-uuid', self.args.osd_uuid) - self.create_key(self.args.cluster) + self.create_key() self.symlink_spaces(path) write_one_line(path, 'magic', CEPH_LOCKBOX_ONDISK_MAGIC) if self.device is not None: diff --git a/src/ceph-disk/tests/test_prepare.py b/src/ceph-disk/tests/test_prepare.py index 2e475832d8dc7..1877b19657560 100644 --- a/src/ceph-disk/tests/test_prepare.py +++ b/src/ceph-disk/tests/test_prepare.py @@ -316,7 +316,7 @@ def get_conf(**kwargs): partition.map() assert m['_dmcrypt_map'].called m['get_dmcrypt_key'].assert_called_with( - uuid, '/etc/ceph/dmcrypt-keys', True) + uuid, '/etc/ceph/dmcrypt-keys', True, 'ceph') class TestCryptHelpers(Base):