OSD failing to start if encrypted and also have metadata device #13737
Comments
I am reproducing your situation.
I deleted
I think it is only a problem when using encryption, and
I succeeded in reproducing your situation at #13773.
I am busy with another matter and will not be able to investigate until the end of next week.
The key file is deleted in the shell script commonly used by both The cause has been identified. I will create a PR. Instead of deleting the key file here, a container whose only job is to delete the key file will be added at the end of the sequence of containers that use the key file. (I will work on it from about next Tuesday due to the holiday.)
The key file is deleted in the shell script commonly used by both the encryption-open and encryption-open-metadata initContainers. "Failed to open key file." occurs in encryption-open-metadata because the key file has already been deleted when encryption-open is run. Instead of deleting the key file there, a container whose only job is to delete the key file will be added at the end of the sequence of containers that use the key file. Fixes: rook#13737 Signed-off-by: Yuma Ogami <yuma-ogami@cybozu.co.jp>
The key file deletion step is in the shell script commonly used by all of the encryption-open, encryption-open-metadata, and encryption-open-wal init containers. The key file is deleted by the encryption-open init container, and the encryption-open-metadata and encryption-open-wal init containers then fail to open the key file. The key file is in the /etc/ceph folder. Unless that folder is shared, the key file will not be available in the other init containers anyway, even if it is not deleted by these init containers. And it will naturally be deleted after the init containers are completed anyway. So the key file deletion step in the shell scripts is unnecessary. Fixes: rook#13737 Signed-off-by: Yuma Ogami <yuma-ogami@cybozu.co.jp>
The key file deletion step is in the shell script commonly used by all of the encryption-open, encryption-open-metadata, and encryption-open-wal init containers. The key file is deleted by the encryption-open init container, and the encryption-open-metadata and encryption-open-wal init containers then fail to open the key file. The key file is in the /etc/ceph folder. Unless that folder is shared, the key file will not be available in the other init containers anyway, even if it is not deleted by these init containers. And it will naturally be deleted after the init containers are completed anyway. So the key file deletion step in the shell scripts is unnecessary. Fixes: #13737 Signed-off-by: Yuma Ogami <yuma-ogami@cybozu.co.jp> (cherry picked from commit cdd655e)
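To make the sequencing failure described in the commit messages above concrete, here is an added shell simulation written for this page (it is not Rook's script): a stand-in for the KMS step writes one key file into a directory shared by the whole init-container sequence, open_device_buggy mirrors a script in which every consumer deletes the key after use, and open_device_fixed leaves deletion to a single dedicated last step. Device names, the key material and the temporary directory are constructed for the example.

```shell
#!/bin/sh
# Constructed simulation of an OSD init-container sequence (not Rook's code).
# $WORKDIR stands in for the volume holding the LUKS key file; open_device_*
# stand in for the cryptsetup luksOpen step of each init container.
WORKDIR=$(mktemp -d)
KEY_FILE="$WORKDIR/luks_key"
trap 'rm -rf "$WORKDIR"' EXIT

# Stand-in for the KMS fetch that writes the key file once, before the openers run.
fetch_key() {
    printf 'constructed-key-material' > "$KEY_FILE"
    chmod 0600 "$KEY_FILE"
}

# Buggy opener: every consumer deletes the key after use, so the second
# container in the sequence finds no key file and fails.
open_device_buggy() {   # $1 = device name
    [ -r "$KEY_FILE" ] || { echo "$1: Failed to open key file." >&2; return 1; }
    echo "$1: opened with key"
    rm -f "$KEY_FILE"
}

# Fixed opener: consumers never delete the key; a dedicated last step does.
open_device_fixed() {   # $1 = device name
    [ -r "$KEY_FILE" ] || { echo "$1: Failed to open key file." >&2; return 1; }
    echo "$1: opened with key"
}

# Dedicated cleanup step, run once after the last consumer.
cleanup_key() { rm -f "$KEY_FILE"; }

# Run the sequence: $1 = opener function, remaining args = device names.
# Prints the name of the first device whose opener failed, or "ok".
run_sequence() {
    opener=$1; shift
    fetch_key
    for dev in "$@"; do
        "$opener" "$dev" >/dev/null 2>&1 || { echo "$dev"; return 0; }
    done
    cleanup_key
    echo ok
}
```

With the buggy opener the sequence stops at the metadata device, which is the symptom reported in this issue; with the fixed opener all three devices open and the key is removed only once, at the end.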
Is this a bug report or feature request?
Deviation from expected behavior:
The metadata device is not decrypted on first pod start, because decryption of the data device deletes the key before decryption of the metadata device runs.
Expected behavior:
Expected that both the data and metadata devices are decrypted the first time.
How to reproduce it (minimal and precise):
Setup using pvc with encryption enabled, with metadata device.
Use vault as KMS.
Start osd with both data and metadata device encrypted, waiting for decrypt.
File(s) to submit:
cluster.yaml, if necessary
Logs to submit:
Cluster Status to submit:
N/A
Environment:
uname -a: 6.5.0-17-generic
rook version (inside of a Rook Pod): 1.13.3
ceph -v: 18.2.1
kubectl version: 1.26.4
ceph health (in the Rook Ceph toolbox):