
ceph: add support for encrypted metadata pvc #5977

Merged
merged 5 commits into from Aug 12, 2020

Conversation

leseb
Member

@leseb leseb commented Aug 5, 2020

Description of your changes:

Now the metadata pvc will also be encrypted if the storageClassDeviceSet
has the "encrypted" flag turned on.

Signed-off-by: Sébastien Han seb@redhat.com

Checklist:

  • Commit Message Formatting: Commit titles and messages follow guidelines in the developer guide.
  • Skip Tests for Docs: Add the flag for skipping the build if this is only a documentation change. See here for the flag.
  • Skip Unrelated Tests: Add a flag to run tests for a specific storage provider. See test options.
  • Reviewed the developer guide on Submitting a Pull Request
  • Documentation has been updated, if necessary.
  • Unit tests have been added, if necessary.
  • Integration tests have been added, if necessary.
  • Pending release notes updated with breaking and/or notable changes, if necessary.
  • Upgrade from previous release is tested and upgrade user guide is updated, if necessary.
  • Code generation (make codegen) has been run to update object specifications, if necessary.

// known CI issue
[skip ci]

@leseb leseb requested a review from travisn August 5, 2020 11:36
Member

@travisn travisn left a comment


holding for testing

@leseb leseb mentioned this pull request Aug 5, 2020
@leseb leseb force-pushed the encryption-metadata-pvc branch 5 times, most recently from dce34f7 to 7414463 Compare August 6, 2020 20:55
errMsg := fmt.Sprintf("failed to validate storageClassDeviceSet %q. min required ceph version to support encryption is %q", volume.Name, cephVolumeRawEncryptionModeMinCephVersion.String())
if osdProps.encrypted &&
!c.clusterInfo.CephVersion.IsAtLeast(cephVolumeRawEncryptionModeMinNautilusCephVersion) &&
!c.clusterInfo.CephVersion.IsAtLeast(cephVolumeRawEncryptionModeMinOctopusCephVersion) {
Member

@travisn travisn Aug 7, 2020


This doesn't look like it will allow for any nautilus version. The octopus check will override the nautilus check. How about a helper function to check the version and then unit test it?
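
The suggestion above amounts to one predicate per release line plus a table-driven unit test. The following Go program is an added example written for this discussion; it is not Rook's cephver package nor the code that was merged. CephVersion mirrors the Major/Minor/Extra comparison of Rook's cephver.CephVersion.IsAtLeast; 15.2.5 as the Octopus floor is taken from this PR, while the Nautilus floor of 14.2.11 is a placeholder assumption to be replaced with the value from the release notes. RejectedAsWritten reproduces the combined condition in the snippet, so the test can show exactly how the two comparisons interact: that condition only fires when a version is below both floors, which means an Octopus build older than 15.2.5 is accepted on the strength of being newer than the Nautilus floor.

```go
package main

import "fmt"

// CephVersion mirrors the Major.Minor.Extra shape of Rook's cephver type.
// Added illustration only; it is not Rook's own code.
type CephVersion struct {
	Major, Minor, Extra int
}

// IsAtLeast compares lexicographically by Major, Minor, Extra, following the
// semantics of Rook's cephver.CephVersion.IsAtLeast.
func (v CephVersion) IsAtLeast(o CephVersion) bool {
	if v.Major != o.Major {
		return v.Major > o.Major
	}
	if v.Minor != o.Minor {
		return v.Minor > o.Minor
	}
	return v.Extra >= o.Extra
}

func (v CephVersion) String() string {
	return fmt.Sprintf("%d.%d.%d", v.Major, v.Minor, v.Extra)
}

// Minimum versions carrying ceph-volume raw-mode encryption. 15.2.5 for
// Octopus is stated in the PR; the Nautilus value is an ASSUMPTION used as a
// placeholder and must be taken from the real release notes.
var (
	minNautilusRawEncryption = CephVersion{Major: 14, Minor: 2, Extra: 11}
	minOctopusRawEncryption  = CephVersion{Major: 15, Minor: 2, Extra: 5}
)

// SupportsRawEncryption applies the floor that belongs to the version's own
// release line: a Nautilus build is never measured against the Octopus floor,
// and an Octopus build below 15.2.5 is never accepted just for being newer
// than Nautilus.
func SupportsRawEncryption(v CephVersion) bool {
	switch v.Major {
	case minNautilusRawEncryption.Major:
		return v.IsAtLeast(minNautilusRawEncryption)
	case minOctopusRawEncryption.Major:
		return v.IsAtLeast(minOctopusRawEncryption)
	default:
		// Releases after Octopus inherit the feature; anything older lacks it.
		return v.Major > minOctopusRawEncryption.Major
	}
}

// RejectedAsWritten reproduces the combined condition from the PR snippet:
// it only fires when the version is below BOTH floors.
func RejectedAsWritten(v CephVersion) bool {
	return !v.IsAtLeast(minNautilusRawEncryption) && !v.IsAtLeast(minOctopusRawEncryption)
}

// ValidateEncryptedDeviceSet is the shape of the check the operator needs: an
// error naming the device set when encryption is requested on an unsupported
// version, and nil otherwise.
func ValidateEncryptedDeviceSet(setName string, encrypted bool, v CephVersion) error {
	if encrypted && !SupportsRawEncryption(v) {
		return fmt.Errorf("failed to validate storageClassDeviceSet %q: ceph %s does not support encryption (need >= %s on Nautilus or >= %s on Octopus)",
			setName, v, minNautilusRawEncryption, minOctopusRawEncryption)
	}
	return nil
}

func main() {
	for _, v := range []CephVersion{{14, 2, 10}, {14, 2, 11}, {15, 2, 3}, {15, 2, 5}, {16, 2, 0}} {
		fmt.Printf("%-8s supported=%-5v rejectedAsWritten=%v\n", v, SupportsRawEncryption(v), RejectedAsWritten(v))
	}
}
```

The table in the test is the unit test the comment asks for: every version on each side of both floors, plus one row pinning the behaviour of the as-written condition so a future refactor cannot silently reintroduce it.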


func (c *Cluster) getPVCEncryptionOpenInitContainerActivate(osdProps osdProperties) []v1.Container {
containers := []v1.Container{}
containers = append(containers, c.generateEncryptionOpenBlockContainer(osdProps.resources, blockEncryptionOpenInitContainer, osdProps.pvc.ClaimName))

nit: initialize the container with all its properties to a local var, then append it to the containers slice. This way, you wouldn't have to reference the slice with containers[0] or containers[1] below. It's more readable IMO that way.

@leseb leseb force-pushed the encryption-metadata-pvc branch 2 times, most recently from eaa13f1 to d110df0 Compare August 10, 2020 14:57
@mergify

mergify bot commented Aug 11, 2020

This pull request has merge conflicts that must be resolved before it can be merged. @leseb please rebase it. https://rook.io/docs/rook/master/development-flow.html#updating-your-fork

@leseb leseb force-pushed the encryption-metadata-pvc branch 2 times, most recently from 27ff4d9 to cffbe7e Compare August 11, 2020 16:05
Member

@travisn travisn left a comment


just a small suggestion

pkg/operator/ceph/cluster/osd/config.go (outdated review thread, resolved)
The c-v encryption is part of 15.2.5 on Octopus.

Signed-off-by: Sébastien Han <seb@redhat.com>
@leseb leseb force-pushed the encryption-metadata-pvc branch 2 times, most recently from c23840b to 964ffe7 Compare August 12, 2020 14:07
lsblk
# dump data of the disk to check whether it is an osd or not
sudo dd if="$test_scratch_device" of=data bs=4k count=1
sudo cat data
Member


It prints the raw binary data to stdout. It's difficult to read and it would break the terminal's settings when running in the local environment. How about using binary dump tools like hexdump or xxd? In addition, I think 4K is too long; printing the "bluestore" signature and fsid is enough.

Member Author


Agreed, this was mostly for quick debug, this commit is going away :)

Now the metadata pvc will also be encrypted if the storageClassDeviceSet
has the "encrypted" flag turned on.

Signed-off-by: Sébastien Han <seb@redhat.com>
Small refactor to use the common function helper callCephVolume() to
build ceph-volume arguments.

Signed-off-by: Sébastien Han <seb@redhat.com>
If the device is empty let's not use an empty space as an argument for
the c-v call.

Signed-off-by: Sébastien Han <seb@redhat.com>
So that the operator can print it.

Signed-off-by: Sébastien Han <seb@redhat.com>
@travisn travisn merged commit 52a6071 into rook:master Aug 12, 2020
@satoru-takeuchi
Member

satoru-takeuchi commented Aug 13, 2020

@leseb Could you tell me whether dropping the following change is intentional or not?

c23840b#diff-d1ca60bbccae22948f1847a6b9747cd5L445-R447

In my local environment, MultiClusterTestSuite fails as before. Here is the log of the failed OSD prepare pod:

2020-08-13 00:17:55.061801 I | cephosd: discovering hardware
2020-08-13 00:17:55.061809 D | exec: Running command: lsblk /mnt/set1-data-0-qg7c6 --bytes --nodeps --pairs --paths --output SIZE,ROTA,RO,TYPE,PKNAME,NAME,KNAME
2020-08-13 00:17:55.066795 D | exec: Running command: sgdisk --print /mnt/set1-data-0-qg7c6
2020-08-13 00:17:55.070501 D | exec: Running command: udevadm info --query=property /dev/sdb
2020-08-13 00:17:55.089585 I | cephosd: creating and starting the osds
2020-08-13 00:17:55.094524 D | cephosd: No Drive Groups configured.
2020-08-13 00:17:55.094573 D | cephosd: desiredDevices are [{Name:/mnt/set1-data-0-qg7c6 OSDsPerDevice:1 MetadataDevice: DatabaseSizeMB:0 DeviceClass: IsFilter:false IsDevicePathFilter:false}]
2020-08-13 00:17:55.094581 D | cephosd: context.Devices are [0xc0003f0240]
2020-08-13 00:17:55.095366 D | exec: Running command: stdbuf -oL ceph-volume --log-path /tmp/ceph-log raw list /mnt/set1-data-0-qg7c6 --format json
2020-08-13 00:17:55.795997 D | cephosd: stderr: unable to read label for /mnt/set1-data-0-qg7c6: (2) No such file or directory
{}
2020-08-13 00:17:55.796059 I | cephosd: skipping device "/mnt/set1-data-0-qg7c6": failed to detect if there is already an osd. failed to unmarshal ceph-volume raw list results: invalid character 's' looking for beginning of value.
2020-08-13 00:17:55.796120 I | cephosd: configuring osd devices: {"Entries":{}}
2020-08-13 00:17:55.796124 I | cephosd: no new devices to configure. returning devices already configured with ceph-volume.
2020-08-13 00:17:55.796129 D | exec: Running command: pvdisplay -C -o lvpath --noheadings /mnt/set1-data-0-qg7c6
2020-08-13 00:17:55.932887 W | cephosd: failed to retrieve logical volume path for "/mnt/set1-data-0-qg7c6". exit status 5
2020-08-13 00:17:55.932927 D | exec: Running command: stdbuf -oL ceph-volume --log-path /tmp/ceph-log lvm list  --format json
2020-08-13 00:17:56.514691 D | cephosd: {}
2020-08-13 00:17:56.514743 I | cephosd: 0 ceph-volume lvm osd devices configured on this node
2020-08-13 00:17:56.514758 D | exec: Running command: stdbuf -oL ceph-volume --log-path /tmp/ceph-log raw list /mnt/set1-data-0-qg7c6 --format json
2020-08-13 00:17:57.013571 D | cephosd: stderr: unable to read label for /mnt/set1-data-0-qg7c6: (2) No such file or directory
{}
2020-08-13 00:17:57.013618 I | cephosd: failed to get device already provisioned by ceph-volume raw. failed to unmarshal ceph-volume raw list results: invalid character 's' looking for beginning of value
2020-08-13 00:17:57.013624 W | cephosd: skipping OSD configuration as no devices matched the storage settings for this node "set1-data-0-qg7c6"

Although this PR was merged without CI, I guess the integration test still fails in upstream/master too.
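
The two "failed to unmarshal ceph-volume raw list results: invalid character ... looking for beginning of value" lines in the log above show the shape of the failure: the text handed to the JSON decoder begins with a ceph-volume diagnostic ("unable to read label for ..."), not with "{", so the decoder rejects it before it reaches the empty document that follows. The Go program below is an added illustration of that failure mode and of a tolerant reader; it is my code, not Rook's, and not the fix that landed in #6059. The RawOSD field names follow the ceph-volume raw list JSON as I know it and are an assumption; MixedOutput and CleanOutput are constructed samples, the first modelled on the log lines.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// RawOSD holds the fields ceph-volume raw list reports per OSD. ASSUMPTION:
// the field names follow the ceph-volume JSON as I know it, not the PR.
type RawOSD struct {
	CephFSID string `json:"ceph_fsid"`
	Device   string `json:"device"`
	OSDID    int    `json:"osd_id"`
	OSDUUID  string `json:"osd_uuid"`
	Type     string `json:"type"`
}

// Constructed samples. MixedOutput mimics what the prepare-pod log shows: a
// stderr line from ceph-volume immediately followed by the JSON document, so
// a strict json.Unmarshal of the whole text fails before reaching the "{".
const (
	MixedOutput = "unable to read label for /mnt/set1-data-0-qg7c6: (2) No such file or directory\n{}\n"
	CleanOutput = `{"0b1e2c3d-4e5f-4a6b-8c7d-9e0f1a2b3c4d": {"ceph_fsid": "2f1d9a6c-1111-4d2e-9b8a-3c4d5e6f7a8b", "device": "/mnt/set1-data-0-qg7c6", "osd_id": 3, "osd_uuid": "0b1e2c3d-4e5f-4a6b-8c7d-9e0f1a2b3c4d", "type": "bluestore"}}`
)

// ParseRawListStrict is the straightforward parse: the whole text must be JSON.
// It is the behaviour the log shows failing.
func ParseRawListStrict(out string) (map[string]RawOSD, error) {
	osds := map[string]RawOSD{}
	if err := json.Unmarshal([]byte(out), &osds); err != nil {
		return nil, fmt.Errorf("failed to unmarshal ceph-volume raw list results: %w", err)
	}
	return osds, nil
}

// ParseRawListLenient tolerates diagnostic lines ahead of the document: it
// skips to the first line that begins a JSON value, decodes from there, and
// hands the skipped lines back so the caller can log them as warnings rather
// than silently discarding them. The preferable design is to capture stdout
// and stderr separately and decode stdout alone; this covers combined output.
func ParseRawListLenient(out string) (osds map[string]RawOSD, diagnostics []string, err error) {
	lines := strings.Split(out, "\n")
	start := -1
	for i, l := range lines {
		t := strings.TrimSpace(l)
		if strings.HasPrefix(t, "{") || strings.HasPrefix(t, "[") {
			start = i
			break
		}
		if t != "" {
			diagnostics = append(diagnostics, t)
		}
	}
	if start < 0 {
		return nil, diagnostics, errors.New("no JSON document in ceph-volume raw list output")
	}
	dec := json.NewDecoder(strings.NewReader(strings.Join(lines[start:], "\n")))
	osds = map[string]RawOSD{}
	if err := dec.Decode(&osds); err != nil {
		return nil, diagnostics, fmt.Errorf("failed to unmarshal ceph-volume raw list results: %w", err)
	}
	return osds, diagnostics, nil
}

func main() {
	if _, err := ParseRawListStrict(MixedOutput); err != nil {
		fmt.Println("strict:", err)
	}
	osds, diags, err := ParseRawListLenient(MixedOutput)
	fmt.Printf("lenient: %d osds, diagnostics=%q, err=%v\n", len(osds), diags, err)
	osds, _, _ = ParseRawListLenient(CleanOutput)
	for uuid, o := range osds {
		fmt.Printf("osd.%d uuid=%s device=%s type=%s\n", o.OSDID, uuid, o.Device, o.Type)
	}
}
```

Note that a lenient parse of the mixed sample still yields zero OSDs, exactly what the log reports ("0 ceph-volume lvm osd devices configured", "no devices matched"); the diagnostic it surfaces is the clue that ceph-volume could not read a label at that path, which is a separate question from how the output was decoded.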

@satoru-takeuchi
Member

Hm, my integration test in the local environment also failed even with the following change.

c23840b#diff-d1ca60bbccae22948f1847a6b9747cd5L445-R447

The log of the OSD prepare pod:

2020-08-13 01:00:05.276775 I | cephosd: discovering hardware
2020-08-13 01:00:05.276786 D | exec: Running command: lsblk /mnt/set1-data-0-ks77x --bytes --nodeps --pairs --paths --output SIZE,ROTA,RO,TYPE,PKNAME,NAME,KNAME
2020-08-13 01:00:05.280903 D | exec: Running command: sgdisk --print /mnt/set1-data-0-ks77x
2020-08-13 01:00:05.284097 D | exec: Running command: udevadm info --query=property /dev/sdb
2020-08-13 01:00:05.288536 I | cephosd: creating and starting the osds
2020-08-13 01:00:05.296175 D | cephosd: No Drive Groups configured.
2020-08-13 01:00:05.296234 D | cephosd: desiredDevices are [{Name:/mnt/set1-data-0-ks77x OSDsPerDevice:1 MetadataDevice: DatabaseSizeMB:0 DeviceClass: IsFilter:false IsDevicePathFilter:false}]
2020-08-13 01:00:05.296244 D | cephosd: context.Devices are [0xc0002017a0]
2020-08-13 01:00:05.296988 D | exec: Running command: stdbuf -oL ceph-volume --log-path /tmp/ceph-log raw list /mnt/set1-data-0-ks77x --format json
2020-08-13 01:00:05.861963 D | cephosd: stderr: unable to read label for /mnt/set1-data-0-ks77x: (2) No such file or directory
{}
2020-08-13 01:00:05.862134 I | cephosd: skipping device "/mnt/set1-data-0-ks77x": failed to detect if there is already an osd. failed to unmarshal ceph-volume raw list results: invalid character 's' looking for beginning of value.
2020-08-13 01:00:05.862310 I | cephosd: configuring osd devices: {"Entries":{}}
2020-08-13 01:00:05.862335 I | cephosd: no new devices to configure. returning devices already configured with ceph-volume.
2020-08-13 01:00:05.862343 D | exec: Running command: pvdisplay -C -o lvpath --noheadings /mnt/set1-data-0-ks77x
2020-08-13 01:00:05.998355 W | cephosd: failed to retrieve logical volume path for "/mnt/set1-data-0-ks77x". exit status 5
2020-08-13 01:00:05.998453 D | exec: Running command: stdbuf -oL ceph-volume --log-path /tmp/ceph-log lvm list  --format json
2020-08-13 01:00:06.607446 D | cephosd: {}
2020-08-13 01:00:06.607488 I | cephosd: 0 ceph-volume lvm osd devices configured on this node
2020-08-13 01:00:06.607506 D | exec: Running command: stdbuf -oL ceph-volume --log-path /tmp/ceph-log raw list /mnt/set1-data-0-ks77x --format json
2020-08-13 01:00:07.096787 D | cephosd: stderr: unable to read label for /mnt/set1-data-0-ks77x: (2) No such file or directory
{}
2020-08-13 01:00:07.096841 I | cephosd: failed to get device already provisioned by ceph-volume raw. failed to unmarshal ceph-volume raw list results: invalid character 's' looking for beginning of value
2020-08-13 01:00:07.096846 W | cephosd: skipping OSD configuration as no devices matched the storage settings for this node "set1-data-0-ks77x"

@tenzen-y tenzen-y mentioned this pull request Aug 13, 2020
@leseb leseb deleted the encryption-metadata-pvc branch August 13, 2020 06:47
@leseb
Member Author

leseb commented Aug 13, 2020

> Hm, my integration test in the local environment also failed even with the following change.
>
> c23840b#diff-d1ca60bbccae22948f1847a6b9747cd5L445-R447
>
> The log of the OSD prepare pod:
>
> 2020-08-13 01:00:05.276775 I | cephosd: discovering hardware
> 2020-08-13 01:00:05.276786 D | exec: Running command: lsblk /mnt/set1-data-0-ks77x --bytes --nodeps --pairs --paths --output SIZE,ROTA,RO,TYPE,PKNAME,NAME,KNAME
> 2020-08-13 01:00:05.280903 D | exec: Running command: sgdisk --print /mnt/set1-data-0-ks77x
> 2020-08-13 01:00:05.284097 D | exec: Running command: udevadm info --query=property /dev/sdb
> 2020-08-13 01:00:05.288536 I | cephosd: creating and starting the osds
> 2020-08-13 01:00:05.296175 D | cephosd: No Drive Groups configured.
> 2020-08-13 01:00:05.296234 D | cephosd: desiredDevices are [{Name:/mnt/set1-data-0-ks77x OSDsPerDevice:1 MetadataDevice: DatabaseSizeMB:0 DeviceClass: IsFilter:false IsDevicePathFilter:false}]
> 2020-08-13 01:00:05.296244 D | cephosd: context.Devices are [0xc0002017a0]
> 2020-08-13 01:00:05.296988 D | exec: Running command: stdbuf -oL ceph-volume --log-path /tmp/ceph-log raw list /mnt/set1-data-0-ks77x --format json
> 2020-08-13 01:00:05.861963 D | cephosd: stderr: unable to read label for /mnt/set1-data-0-ks77x: (2) No such file or directory
> {}
> 2020-08-13 01:00:05.862134 I | cephosd: skipping device "/mnt/set1-data-0-ks77x": failed to detect if there is already an osd. failed to unmarshal ceph-volume raw list results: invalid character 's' looking for beginning of value.
> 2020-08-13 01:00:05.862310 I | cephosd: configuring osd devices: {"Entries":{}}
> 2020-08-13 01:00:05.862335 I | cephosd: no new devices to configure. returning devices already configured with ceph-volume.
> 2020-08-13 01:00:05.862343 D | exec: Running command: pvdisplay -C -o lvpath --noheadings /mnt/set1-data-0-ks77x
> 2020-08-13 01:00:05.998355 W | cephosd: failed to retrieve logical volume path for "/mnt/set1-data-0-ks77x". exit status 5
> 2020-08-13 01:00:05.998453 D | exec: Running command: stdbuf -oL ceph-volume --log-path /tmp/ceph-log lvm list  --format json
> 2020-08-13 01:00:06.607446 D | cephosd: {}
> 2020-08-13 01:00:06.607488 I | cephosd: 0 ceph-volume lvm osd devices configured on this node
> 2020-08-13 01:00:06.607506 D | exec: Running command: stdbuf -oL ceph-volume --log-path /tmp/ceph-log raw list /mnt/set1-data-0-ks77x --format json
> 2020-08-13 01:00:07.096787 D | cephosd: stderr: unable to read label for /mnt/set1-data-0-ks77x: (2) No such file or directory
> {}
> 2020-08-13 01:00:07.096841 I | cephosd: failed to get device already provisioned by ceph-volume raw. failed to unmarshal ceph-volume raw list results: invalid character 's' looking for beginning of value
> 2020-08-13 01:00:07.096846 W | cephosd: skipping OSD configuration as no devices matched the storage settings for this node "set1-data-0-ks77x"

I have the fix, PR soon :)

@leseb
Member Author

leseb commented Aug 13, 2020

@satoru-takeuchi #6059

leseb added a commit to leseb/rook that referenced this pull request Aug 13, 2020
Similar to rook#5977 but for wal devices.
So if a cluster is deployed on PVC and wal devices, those will be
encrypted as well.

Signed-off-by: Sébastien Han <seb@redhat.com>
@leseb
Member Author

leseb commented Aug 13, 2020

@satoru-takeuchi And yes, dropping this c23840b#diff-d1ca60bbccae22948f1847a6b9747cd5L445-R447 was intentional, as I don't think it was fixing anything; NAME always exists... Still digging!

leseb added a commit to leseb/rook that referenced this pull request Aug 13, 2020
Similar to rook#5977 but for wal devices.
So if a cluster is deployed on PVC and wal devices, those will be
encrypted as well.

Signed-off-by: Sébastien Han <seb@redhat.com>
travisn added a commit that referenced this pull request Aug 13, 2020
ceph: add support for encrypted metadata pvc (bp #5977)
mergify bot pushed a commit that referenced this pull request Aug 17, 2020
Similar to #5977 but for wal devices.
So if a cluster is deployed on PVC and wal devices, those will be
encrypted as well.

Signed-off-by: Sébastien Han <seb@redhat.com>
(cherry picked from commit 4f9435d)
Labels: ceph (main ceph tag)