RBD fscrypt support #3310
RBD fscrypt support #3310
Conversation
|
Was #3158 As this is already pretty large, I left out the Ceph FS bits for now. (They are on https://github.com/irq0/ceph-csi/tree/wip/fscrypt-go-rbd-cephfs) |
|
This pull request now has conflicts with the target branch. Could you please resolve conflicts and force push the corrected changes? 🙏 |
nixpanic
added
enhancement
irq0
force-pushed
the
wip/fscrypt-go-rbd
branch
2 times, most recently
from
2a1a995
to
c3a2790
Compare
|
The last push rebased on current develop branch and addressed the linter errors. The minikube tests on CI will again fail, as minikube doesn't have ext4 fscrypt support. The tests failing with timeouts raise a question though: Maybe not having kernel support should return a not retryable error instead of an internal error. |
|
This pull request now has conflicts with the target branch. Could you please resolve conflicts and force push the corrected changes? 🙏 |
irq0
force-pushed
the
wip/fscrypt-go-rbd
branch
4 times, most recently
from
7588f66
to
395ca31
Compare
|
🥳 the e2e suites passed. The linter finds a line that is a bit too long. I already fixed it in my local branch. I suggest I push the fix with the first round of review changes. From my side this is ready to review. |
irq0
force-pushed
the
wip/fscrypt-go-rbd
branch
4 times, most recently
from
80a0541
to
059f179
Compare
|
The last push addresses the review comments and adds a small fix to the fscrypt integration code (fscrypt: fix metadata directory permissions). It didn't cause problems on rbd+ext4, but on cephfs. ci/centos/k8s-e2e-external-storage/1.23, ci/centos/mini-e2e-helm/k8s-1.22 failed in the 'reserve bare-metal machine' stage. Is there a way to trigger them individually? |
|
/retest ci/centos/k8s-e2e-external-storage/1.23 |
|
/retest ci/centos/mini-e2e-helm/k8s-1.22 |
Found it :) |
Currently fscrypt supports policies version 1 and 2. 2 is the best choice and was the only choice prior to this commit. This adds support for kernels < 5.4, by selecting policy version 1 there. Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
NewContextFrom{Mountpoint,Path} functions use cached
`/proc/self/mountinfo` to find mounted file systems by device ID.
Since we run fscrypt as a library in a long-lived process the cached
information is likely to be stale. Stale entries may map device IDs to
mount points of already destroyed RBDs and fail context creation.
Updating the cache beforehand prevents this.
Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
Use constant protector name 'ceph-csi' instead of constant prefix concatenated with the volume ID. When cloning volumes the ID changes and fscrypt protected directories become inunlockable due to the protector name change Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
Revert once our google/fscrypt dependency is upgraded to a version that includes google/fscrypt#359 gets accepted Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
Call Mount.Setup with SingleUserWritable constant instead of 0o755,
which is silently ignored and causes the /.fscrypt/{policy,protector}/
directories to have mode 000.
Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
Integrate basic fscrypt functionality into RBD initialization. To activate file encryption instead of block introduce the new 'encryptionType' storage class key. Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
Different places have different meaningful fallback. When parsing from user we should default to block, when parsing stored config we should default to invalid and handle that as an error. Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
Add fscrypt support to the journal to support operations like snapshotting. Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
Support fscrypt on RBD snapshots Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
Add validation functions for fscrypt on RBD volumes Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
Add a `By` wrapper to parameterize encryption related test functions and run them on both block and file encryption Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
Replace `By` with `ByFileAndBlockEncryption` in all encryption related tests to parameterize them to file and block encryption. Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
Add test that enables encryption with default type. Check that we set up block encryption. Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
Apply formatting for previous changes separately to make the commit diffs easier to read. Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
Make iso url configurable to use pre-release minikube images or local-built (file://) Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
Add type none to distinguish disabled encryption (positive result) from invalid configuration (negative result). Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
Add test-rbd-fscrypt feature flag to e2e suite. Default disabled as the current CI system's kernel doesn't have the required features enabled. Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
Madhu-1
force-pushed
the
wip/fscrypt-go-rbd
branch
from
88d81b7
to
eccb1a7
Compare
Add fscrypt integration with the Ceph CSI KMS. Supports ext4 on RBD. Snapshots are supported as well.
Implementation is based on the design doc https://github.com/ceph/ceph-csi/blob/devel/docs/design/proposals/cephfs-fscrypt.md.
Testing requires kernel support (see https://github.com/google/fscrypt#runtime-dependencies). Minikube needs kubernetes/minikube#14783 to run the e2e test suite.
Commits are ordered as follows :