debug

pkg/operator/ceph/cluster/osd/spec.go

@@ -46,6 +46,7 @@ const (
 	blockEncryptionOpenInitContainer              = "encryption-open"
 	blockEncryptionOpenMetadataInitContainer      = "encryption-open-metadata"
 	blockEncryptionOpenWalInitContainer           = "encryption-open-wal"
+	blockEncryptionRemoveKeyFileContainer         = "encryption-remove-key-file"
 	blockPVCMapperEncryptionInitContainer         = "blkdevmapper-encryption"
 	blockPVCMapperEncryptionMetadataInitContainer = "blkdevmapper-metadata-encryption"
 	blockPVCMapperEncryptionWalInitContainer      = "blkdevmapper-wal-encryption"
@@ -249,57 +250,6 @@ else
 	open_encrypted_block
 fi
 
-# Setting label and subsystem on LUKS1 is not supported and the command will fail
-if cryptsetup luksDump $BLOCK_PATH|grep -qEs "Version:.*2"; then
-	set_luks_subsystem_and_label
-else
-	echo "LUKS version is not 2 so not setting label and subsystem"
-fi
-`
-
-	openEncryptedBlockMeta = `
-set -xe
-
-CEPH_FSID=%s
-PVC_NAME=%s
-KEY_FILE_PATH=%s
-BLOCK_PATH=%s
-DM_NAME=%s
-DM_PATH=%s
-
-# Helps debugging
-dmsetup version
-
-function open_encrypted_block {
-	echo "Opening encrypted device $BLOCK_PATH at $DM_PATH"
-	cryptsetup luksOpen --verbose --disable-keyring --allow-discards --key-file "$KEY_FILE_PATH" "$BLOCK_PATH" "$DM_NAME"
-	ls -l $KEY_FILE_PATH
-	rm -f "$KEY_FILE_PATH"
-}
-
-# This is done for upgraded clusters that did not have the subsystem and label set by the prepare job
-function set_luks_subsystem_and_label {
-	echo "setting LUKS label and subsystem"
-	cryptsetup config $BLOCK_PATH --subsystem ceph_fsid="$CEPH_FSID" --label pvc_name="$PVC_NAME"
-}
-
-if [ -b "$DM_PATH" ]; then
-	echo "Encrypted device $BLOCK_PATH already opened at $DM_PATH"
-	for field in $(dmsetup table "$DM_NAME"); do
-		if [[ "$field" =~ ^[0-9]+\:[0-9]+ ]]; then
-			underlaying_block="/sys/dev/block/$field"
-			if [ ! -d "$underlaying_block" ]; then
-				echo "Underlying block device $underlaying_block of crypt $DM_NAME disappeared!"
-				echo "Removing stale dm device $DM_NAME"
-				dmsetup remove --force "$DM_NAME"
-				open_encrypted_block
-			fi
-		fi
-	done
-else
-	open_encrypted_block
-fi
-
 # Setting label and subsystem on LUKS1 is not supported and the command will fail
 if cryptsetup luksDump $BLOCK_PATH|grep -qEs "Version:.*2"; then
 	set_luks_subsystem_and_label
@@ -1049,19 +999,16 @@ func (c *Cluster) generateEncryptionOpenBlockContainer(resources v1.ResourceRequ
 	}
 }
 
-func (c *Cluster) generateEncryptionOpenBlockContainerMeta(resources v1.ResourceRequirements, containerName, pvcName, volumeMountPVCName, cryptBlockType, blockType, mountPath string) v1.Container {
+func (c *Cluster) generateRemovingKeyFileContainer(resources v1.ResourceRequirements, containerName string) v1.Container {
 	return v1.Container{
 		Name:            containerName,
 		Image:           c.spec.CephVersion.Image,
 		ImagePullPolicy: controller.GetContainerImagePullPolicy(c.spec.CephVersion.ImagePullPolicy),
-		// Running via bash allows us to check whether the device is already opened or not
-		// If we don't the cryptsetup command will fail saying the device is already opened
 		Command: []string{
 			"/bin/bash",
 			"-c",
-			fmt.Sprintf(openEncryptedBlockMeta, c.clusterInfo.FSID, pvcName, encryptionKeyPath(), encryptionBlockDestinationCopy(mountPath, blockType), EncryptionDMName(pvcName, cryptBlockType), EncryptionDMPath(pvcName, cryptBlockType)),
+			fmt.Sprintf("rm -f \"%s\"", encryptionKeyPath()),
 		},
-		VolumeMounts:    []v1.VolumeMount{getPvcOSDBridgeMountActivate(mountPath, volumeMountPVCName), getDeviceMapperMount()},
 		SecurityContext: controller.PrivilegedContext(true),
 		Resources:       resources,
 	}
@@ -1120,7 +1067,7 @@ func (c *Cluster) getPVCEncryptionOpenInitContainerActivate(mountPath string, os
 
 	// If there is a metadata PVC
 	if osdProps.onPVCWithMetadata() {
-		metadataContainer := c.generateEncryptionOpenBlockContainerMeta(osdProps.resources, blockEncryptionOpenMetadataInitContainer, osdProps.metadataPVC.ClaimName, osdProps.pvc.ClaimName, DmcryptMetadataType, bluestoreMetadataName, mountPath)
+		metadataContainer := c.generateEncryptionOpenBlockContainer(osdProps.resources, blockEncryptionOpenMetadataInitContainer, osdProps.metadataPVC.ClaimName, osdProps.pvc.ClaimName, DmcryptMetadataType, bluestoreMetadataName, mountPath)
 		// We use the same key for both block and block.db so we must use osdProps.pvc.ClaimName for the getEncryptionVolume()
 		_, volMount := c.getEncryptionVolume(osdProps)
 		metadataContainer.VolumeMounts = append(metadataContainer.VolumeMounts, volMount)
@@ -1136,6 +1083,10 @@ func (c *Cluster) getPVCEncryptionOpenInitContainerActivate(mountPath string, os
 		containers = append(containers, metadataContainer)
 	}
 
+	// Remove key file
+	removeKeyContainer := c.generateRemovingKeyFileContainer(osdProps.resources, blockEncryptionRemoveKeyFileContainer)
+	containers = append(containers, removeKeyContainer)
+
 	return containers
 }