mds: add protection from clients without fscrypt support #54725
Conversation
lxbsz
force-pushed
the
fscrypt-pro-clients
branch
from
cfc098d
to
a8643cd
Compare
lxbsz
force-pushed
the
fscrypt-pro-clients
branch
from
a8643cd
to
d3de83d
Compare
|
Locally the xfstests passed. |
|
This pull request can no longer be automatically merged: a rebase is needed and changes have to be manually resolved |
1 similar comment
|
This pull request can no longer be automatically merged: a rebase is needed and changes have to be manually resolved |
lxbsz
force-pushed
the
fscrypt-pro-clients
branch
from
d3de83d
to
83f1e0e
Compare
|
@lxbsz Is this ready for review? |
There was a problem hiding this comment.
I'm happy to see there's been discussion about server side semantics enforcement.
Do we need any tests included in this PR to ensure our intended behavior doesn't change? We can't one day inadvertently allow older or non-friendly clients to be able to do known malicious things.
Yeah, we need to run qa. |
To be more specific, I was proposing new tests. For example testing a client working on a fscrypt tree that the client doesn't know about fscrypt. We want to make sure server enforced behavior fails on unaware clients. What do you think? Do we already test this? If so, can you point me to it? |
Hmm, sounds reasonable to me. Currently there has not thus test yet. |
lxbsz
force-pushed
the
fscrypt-pro-clients
branch
6 times, most recently
from
035f6e3
to
fdc897f
Compare
|
This pull request can no longer be automatically merged: a rebase is needed and changes have to be manually resolved |
lxbsz
force-pushed
the
fscrypt-pro-clients
branch
from
fdc897f
to
06b547d
Compare
lxbsz
force-pushed
the
fscrypt-pro-clients
branch
6 times, most recently
from
43303ff
to
bd65286
Compare
|
This is ready to review! |
|
@luis-henrix @vshankar @chrisphoffman Could you guys to have a look ? I am planing to push this to the recently releases. Thanks! |
|
The qa test passed and one failure is a known issue: https://pulpito.ceph.com/xiubli-2024-03-28_06:19:38-fs:fscrypt:-wip-lxb-fscrypt-20240328-1137-distro-default-smithi/ |
|
jenkins test make check arm64 |
|
jenkins test windows |
lxbsz
force-pushed
the
fscrypt-pro-clients
branch
from
bd65286
to
372408b
Compare
|
Added a tracker for this https://tracker.ceph.com/issues/65217. |
|
What's the impact of this PR going to be on the manager, which doesn't yet support fscrypt? It's very important that we still be able to create snapshots and manipulate subvolumes. ;) |
For the clients which hasn't support fscrypt yet, they couldn't do any of mkdir/mknod/mksnap/create/link/symlink/truncate/write operations to the encrypted directories/files. But they could only read and rm them. The non-fscrypt supporting client couldn't make new directories/files, that because for each directory/file the key will be unique and since this client doesn't support the fscrypt, so this couldn't be done. Else, for example when a non-fscrypt client creates a directory/file under it the kclient will try to dencrypt the dentry name, including the snapshot names, with the key and then will just assume the dentry name is corrupted as shown in tracker https://tracker.ceph.com/issues/65217. So for manager they should create the snapshot under the kclient anyway, won't it ? For the And the manager still could create new |
Does this mean move operations also won't work? I'm thinking about manual intervention when doing disaster recovery, here.
Ah. I did not realize these dentries aren't flagged individually as encrypted.
No, the manager doesn't have a kernel mount and we can't give it one.
I don't know the exact tree structure for subvolumes; I guess the encrypted directory will be one below where we take snapshots? @vshankar @kotreshhr your thoughts here? |
I tried the following on the ext4 implementation: mv of a locked encrypted file to a different dir within the same locked encrypted tree, doesn't work. The Consider: Under "Without the key" it states: I expect your scenario will be supported in the future, see: |
Yeah, this has already supported: In kclient: Then in fuse client, no matter the |
Clients that do not support fscrypt can execute operations that may cause unrecoverable data loss. Add protection on the MDS so that it prevents these clients from executing some operations. Note, however, that clients will still be able corrupt encrypted files by appending data to them. And they will still be able to read encrypted data from those files. Fixes: https://tracker.ceph.com/issues/64852 Signed-off-by: Luís Henriques <lhenriques@suse.de> Signed-off-by: Xiubo Li <xiubli@redhat.com>
Clients that do not support fscrypt can open & trunc a file and cause unrecoverable data loss. This commit will just block it. Fixes: https://tracker.ceph.com/issues/64961 Fixes: https://tracker.ceph.com/issues/64852 Signed-off-by: Xiubo Li <xiubli@redhat.com>
In kclient the 'fscrypt_file' is a u64 number, while in MDS and libcephfs it just switch it to a vector of uint8_t, which couldn't be covert to a integer back by the stoll() and will crash the client daemon in userspace. Fixes: https://tracker.ceph.com/issues/64961 Fixes: https://tracker.ceph.com/issues/64852 Signed-off-by: Xiubo Li <xiubli@redhat.com>
Actually the libcephfs hasn't support the fscrypt yet, we shouldn't add the CEPHFS_FEATURE_ALTERNATE_NAME feature bit. Fixes: https://tracker.ceph.com/issues/64852 Signed-off-by: Xiubo Li <xiubli@redhat.com>
Just preparse for the fscrypt-protect tests. Fixes: https://tracker.ceph.com/issues/64852 Signed-off-by: Xiubo Li <xiubli@redhat.com>
s/task/tasks/ Fixes: https://tracker.ceph.com/issues/64852 Signed-off-by: Xiubo Li <xiubli@redhat.com>
We need to mount a kclient and a fuse client to run the test, and the kclient will creat and write to a encrypted file, when the fuse client try to write the encrypted file it should fail and the file contents won't change. Fixes: https://tracker.ceph.com/issues/64852 Signed-off-by: Xiubo Li <xiubli@redhat.com>
lxbsz
force-pushed
the
fscrypt-pro-clients
branch
from
372408b
to
b0a4385
Compare
|
jenkins retest this please |
There was a problem hiding this comment.
Can you explain what your trying to do here further? Do you have a recent teuthology run for this?
There was a problem hiding this comment.
Let's make sure to get #56326 merged before this PR
Clients that do not support fscrypt can execute operations that may cause unrecoverable data loss. Add protection on the MDS so that it prevents these clients from executing some operations.
Note, however, that clients will still be able corrupt encrypted files by appending data to them. And they will still be able to read encrypted data from those files.
This PR originally from @luis-henrix 's PR #45073. And I just fix the lock order issue, and will run more tests for it.
Please note this PR will fix one issue from Luis' previous PR:
1, MDS crash issue https://tracker.ceph.com/issues/63685
Fixes: https://tracker.ceph.com/issues/65217
Contribution Guidelines
To sign and title your commits, please refer to Submitting Patches to Ceph.
If you are submitting a fix for a stable branch (e.g. "quincy"), please refer to Submitting Patches to Ceph - Backports for the proper workflow.
When filling out the below checklist, you may click boxes directly in the GitHub web UI. When entering or editing the entire PR message in the GitHub web UI editor, you may also select a checklist item by adding an
xbetween the brackets:[x]. Spaces and capitalization matter when checking off items this way.Checklist
Show available Jenkins commands
jenkins retest this pleasejenkins test classic perfjenkins test crimson perfjenkins test signedjenkins test make checkjenkins test make check arm64jenkins test submodulesjenkins test dashboardjenkins test dashboard cephadmjenkins test apijenkins test docsjenkins render docsjenkins test ceph-volume alljenkins test ceph-volume toxjenkins test windowsjenkins test rook e2e