librbd: add encryption format support for clones (part 1/2) #40363
Conversation
orozery
force-pushed
the
rbd-clone-encryption
branch
4 times, most recently
from
ee29748
to
0285ee0
Compare
|
@trociny for the flattening operation, I will need to read/write the LUKS header.
Thoughts? |
Sorry, I am still not quite familiar with the crypto code. I am not sure I understand why you need to read/write the LUKS header on flatten? I thought the child header, written on the clone operation, was going to be used for all child objects. Why would you need to overwrite? it on flatten? |
I will be changing the LUKS magic string in the LUKS header to prevent external applications (e.g. dm-crypt) to try and open the cloned formatted volume. When flattening an image, I will restore the LUKS magic to re-allow parsing the image by external tools. |
Sorry for a dumb question, but why do we need to prevent external applications from doing this? |
Ah, it is because krbd has not implemented the encryption yet. I see. Ok. Then am I right understanding the problem is that when you want to change the "non-compatible" header to "compatible" after flatten is complete, for only this operation you have to write (read?) bypassing the crypto layer. If this is the case, then may be just open a new image context (with crypto disabled) for this update? |
|
@orozery sorry, I seemed to edit your comment and writing my response there instead of making a new comment. Restoring your response (to my dumb question) here:
|
Yep, so I need to read the old header, modify it and write. So I should do something like to duplicate an image_ctx: ? |
Yes. I would try this way. |
|
@trociny another question: Currently I see these relevant places that we need to address: It would be nice to cover other places as well, e.g. |
I suppose it should rather be
How do you suppose the spec would look? Actually I thought you would need to add And I think it is not necessary to update all commands in this PR, it could be done in the future requests. But sure you are free to do it in a way you like. |
I just noticed that the flatten flag is parsed at
Well you got me thinking... |
Yes. But it is just stored in the migration header on this stage. The real flattening happens on execute (if the flag was set on prepare). |
|
@trociny So I plan to add an optional encryption spec argument to: One option is to change the format of image-spec, from: This will be the easiest to implement. Second option will be to add a new optional argument like Thoughts? |
I don't like the idea of overloading the image spec. I can see reasons why qemu would need, but in our case, when it can be easily provided via optional arguments... And If you plan to avoid optional arguments this way, you will not, because we allow to specify image spec both via one positional argument and via optional arguments (like --pool and --image).
I still don't understand, why don't you want to use |
Same thing, that's what I meant. But for deep copy, we'll do: |
We are still talking about flatten case only, right? Then do we need the destination encryption? I though we just needed the source encryption settings in this case. Or are you also thinking about the case when we want to change the destination image encryption? If you are going to work only on the flatten case right now, then I think just |
Got you. |
|
And again, making flatten work could be a goal for another PR. In this PR you could just add a check and make the commands (with flatten option) fail if encryption is used. But as you wish. |
Could it be encrypted as the source? Because I suppose this will be the case when --flatten is not specified and this is what the user will likely to expect. If it requires much additional work (i.e. implementing the destination encryption) then may be just forbid flatten with encryption right now? Because we will not be able to change this behavior (encrypted -> plain) later. |
orozery
force-pushed
the
rbd-clone-encryption
branch
from
f60190c
to
c42bad3
Compare
| * FLUSH | ||
| * | | ||
| * v | ||
| * <finish> (+ RESTORE_CRYPTO) |
There was a problem hiding this comment.
I think I already addressed the review you posted a few weeks ago. There are a few other nits you posted a few days ago which should be addressed in the changes I pushed today.
Those are indeed addressed but there are still three nits (one in luks/test_mock_FlattenRequest.cc, one in luks/test_mock_LoadRequest.cc and one in luks/LoadRequest.cc) from July:
- librbd: add encryption format support for clones (part 1/2) #40363 (comment)
- librbd: add encryption format support for clones (part 1/2) #40363 (comment)
- librbd: add encryption format support for clones (part 1/2) #40363 (comment)
As for this flattening issue, I'm still experimenting. I believe I have something promising but it is not complete (yet to be fully compiled even -- I keep being distracted). I will update this thread when I have more.
CryptoInterface was being a reference counted for lifecycle management. In this commit, we remove the ref-counting, and instead have it owned by EncryptionFormat, which in turn is owned by ImageCtx. This commit also changes crypto::LoadRequest to actually load new encryption instances to parent images, instead of blind-copying the encryption instances from the child image. Signed-off-by: Or Ozeri <oro@il.ibm.com>
Add further useful debug loggings to librbd crypto code. Additionally, increase libcryptsetup debug level to 30 (as it prints out to stdout). Signed-off-by: Or Ozeri <oro@il.ibm.com>
Currently luks format operation sets the data offset to be aligned with the image object size. When using non-trivial striping, rbd objects can contain a combination of luks header and actual encrypted data, which will pose a problem later on for flattening a cloned image that was formatted. Therefore, we change the data offset to align with stripe_period instead. Furthermore, the written header is zero-padded to stripe period alignment, to ensure that parent plaintext won't be copied-up while writing it. Signed-off-by: Or Ozeri <oro@il.ibm.com>
The LUKS master key is read in LoadRequest<I>::read_volume_key() and saved to the stack. Add a wipe to that key at the end of the function. Signed-off-by: Or Ozeri <oro@il.ibm.com>
crypto loading involves reading image data. This data may get cached and should be invalidated before completing the load. This commit adds a complete image flush before loading, as well as complete cache invalidation after loading completes. Signed-off-by: Or Ozeri <oro@il.ibm.com>
handle_read so far assumed that a successful read returns 0. This is true for the core layer which returns 0 at ObjectRequest.cc. However, this is not the case for ParentCacheObjectDispatch, which returns the (possibly positive) size of data read, instead of 0. To account for that, we change the success check from r==0 to r>=0. Signed-off-by: Or Ozeri <oro@il.ibm.com>
This commit fixes ParentCacheObjectDispatch to treat read_flags, specifically READ_FLAG_DISABLE_READ_FROM_PARENT. Signed-off-by: Or Ozeri <oro@il.ibm.com>
This commit changes ShutDownCryptoRequest to shutdown crypto not only on the given image context, but also for for ancestor (e.g. parent) image contexts. Signed-off-by: Or Ozeri <oro@il.ibm.com>
This commit switches the luks magic from LUKS to RBDL when formatting a cloned image, so that if the user tries to load the image using external LUKS parser (such as dm-crypt) it will fail. Note that formatted clones are not valid LUKS format, and thus we aim to fail LUKS parsers. Signed-off-by: Or Ozeri <oro@il.ibm.com>
This commit adds a flatten operation to EncryptionFormat, which allows defining custom format-specific flattening operation. Specifically, when flattening a LUKS format, we replace back the magic from RBDL to LUKS, to make the image parse-able again by LUKS parsers, such as dm-crypt. Furthermore, we copy the LUKS header from the parent to the child image. Signed-off-by: Or Ozeri <oro@il.ibm.com>
This commits extends the crypto FormatRequest and LoadRequest to support thin formatting of cloned images. This code is shadowed, as it is currently non-reachable from the librbd external API. Signed-off-by: Or Ozeri <oro@il.ibm.com>
This commit enables correct flattening of images where encryption is loaded. In particular, this means: 1. Flattening the encryption header (which is non addressable when encryption is loaded) 2. Running format-specific flattening operation (i.e. reverting the LUKS magic in the encryption header) The allow the above 2 operations, we shut-down the crypto layers, and restore them back when these operations end. The above operations are performed as part of a format-specific handler (LUKSEncryptionFormat::flatten). Signed-off-by: Or Ozeri <oro@il.ibm.com>
Encryption loading (i.e. rbd_encryption_load) gets a single passphrase and tries to applies it to all ancestor images. If it fails, the entire load fails. This commits extends encryption loading to assume ancestor is actually in plaintext format if no known encryption header magic is detected. Signed-off-by: Or Ozeri <oro@il.ibm.com>
This commit extends encryption_format and adds encryption_load2 to librbd API, which enables crypto formatting and loading of cloned images. i.e. the child image is encrypted with a key different from its parent, while keeping the child thinly-provisioned. Signed-off-by: Or Ozeri <oro@il.ibm.com>
This commit adds the encryption format support for cloned images via the RBD cli, making the child image be encrypted with a key different from it parent, while keeping the child thinly-provisioned. Additionally, other APIs are extended to support flattening of such images. Signed-off-by: Or Ozeri <oro@il.ibm.com>
This commit changes the format for encrypted disks to have the child image and the parent image encrypted with different keys. This to allow testing of the new formatted clones feature in librbd/crypto. Signed-off-by: Or Ozeri <oro@il.ibm.com>
orozery
force-pushed
the
rbd-clone-encryption
branch
from
c42bad3
to
3b2908b
Compare
|
Seemingly no related failures but all CentOS and RHEL jobs are broken, see https://tracker.ceph.com/issues/57332. The second and third runs which look much better are with the main CentOS and RHEL facets taken out of the matrix: https://pulpito.ceph.com/dis-2022-08-27_23:30:08-rbd-wip-dis-testing-distro-default-smithi/ |
|
jenkins test make check |
|
jenkins test api |
1 similar comment
|
jenkins test api |
|
No related failures (about a dozen jobs didn't run due to infrastructure issues but this would be tested again with encrypted flatten, etc changes anyway): https://pulpito.ceph.com/dis-2022-10-24_00:37:15-rbd-wip-dis-testing-distro-default-smithi/ |
idryomov
changed the title
Summary of changes:
FormatRequestandLoadRequestto store/read ancestor cryptors to/from image metadata.get_cryptoandset_cryptotoImageCtxwith relevant lock acquiring.Still to come: documentation update