Ceph FS fscrypt support #3460
Ceph FS fscrypt support #3460
Conversation
irq0
force-pushed
the
pr/fscrypt-go-cephfs
branch
from
e4897bc
to
8343acb
Compare
|
Test last push addresses the linter errors. The failure in ci/centos/upgrade-tests-cephfs is interesting: The updated deploy/cephfs/* files now have the ceph-csi-encryption-kms-config configmaps attached as volumes (like their RBD counterparts). My read is that the update tests fail, because they are not present. What is the best course of action here? Add the encryption related configmaps to the update path? Fork the file into regular and encryption enabled? |
nixpanic
added
enhancement
You can set https://github.com/ceph/ceph-csi/blob/devel/e2e/cephfs.go#L73 to true so that it will continue if the file is not present |
irq0
force-pushed
the
pr/fscrypt-go-cephfs
branch
from
8343acb
to
e2df7c3
Compare
Adding deployVault (just like the RBD suites have) to the tests did the trick. It configures the ceph-csi-encryption-kms-config required by the cephfs provisioner / nodeserver |
| @@ -3,3 +3,46 @@ apiVersion: v1 | |||
| kind: ServiceAccount | |||
| metadata: | |||
| name: cephfs-csi-nodeplugin | |||
| namespace: default | |||
There was a problem hiding this comment.
use namespace: {{ .Release.Namespace }} here
There was a problem hiding this comment.
The RBD analogue doesn't have that construct. It is for use in the helm templates, not?
| @@ -118,6 +119,40 @@ func validateSnapshotBackedVolCapability(volCap *csi.VolumeCapability) error { | |||
| return nil | |||
| } | |||
|
|
|||
| // maybeUnlockFileEncryption unlocks fscrypt on stagingTargetPath, iff volOptions enable encryption. | |||
| func maybeUnlockFileEncryption( | |||
There was a problem hiding this comment.
Any specific reason to start with maybe for both functions?
There was a problem hiding this comment.
Both functions only do things if encryption is enabled. The 'maybe' tried to convey that the function may not do anything at all.
I uploaded a minikube ISO with the current development Ceph FS fscrypt kernel that might be helpful: https://github.com/irq0/minikube/releases You can test most changes by setting the following when calling scripts/minikube.sh My helper scripts are in https://github.com/irq0/dev-ceph-csi-fscrypt-config |
irq0
force-pushed
the
pr/fscrypt-go-cephfs
branch
from
9d0a59b
to
8518d8f
Compare
|
Push: Rebase to devel and changes for the comments above |
There was a problem hiding this comment.
Just a few nits, nothing that requires correcting in my opinion. I'm a little sad I can't easily test this out. As long as it does not break anything, we should be good for now.
Ideally we start running weekly tests with a non-standard kernel config (minkube VM?) and Ceph release that contains support for fscrypt.
| for kmsID, kmsConf := range kmsToTest { | ||
| kmsID := kmsID | ||
| kmsConf := kmsConf | ||
| By("create a storageclass with pool and an encrypted PVC then bind it to an app with "+kmsID, func() { |
There was a problem hiding this comment.
I'm not happy with the extreme indention here... But I also don't immediately see how this can be cleanly simplified.
| @@ -210,6 +210,7 @@ func fmtBackingSnapshotOptionMismatch(optName, expected, actual string) error { | |||
|
|
|||
| // NewVolumeOptions generates a new instance of volumeOptions from the provided | |||
| // CSI request parameters. | |||
| // nolint:gocyclo,cyclop // TODO: reduce complexity | |||
There was a problem hiding this comment.
this probably should be squashed in the commit that added the InitKMS() and/or other calls?
| @@ -10,10 +10,6 @@ apiVersion: rbac.authorization.k8s.io/v1 | |||
| metadata: | |||
| name: cephfs-csi-nodeplugin | |||
| rules: | |||
There was a problem hiding this comment.
This is a nice cleanup, and could have been a PR by itself.
Thanks! Me too. It would be awesome to get at least some CI coverage of the Ceph FS fscrypt path.
A minikube VM is probably the best option. Comment #3460 (comment) has some details on how. I think a custom ISO is the only way to go for the foreseeable future, as minikube kernels tend to be behind and fscrypt kernel support isn't (fully) merged yet. |
|
/test ci/centos/k8s-e2e-external-storage/1.23 |
|
/test ci/centos/k8s-e2e-external-storage/1.24 |
|
/test ci/centos/k8s-e2e-external-storage/1.25 |
|
/test ci/centos/mini-e2e-helm/k8s-1.23 |
|
/test ci/centos/mini-e2e-helm/k8s-1.24 |
|
/test ci/centos/mini-e2e-helm/k8s-1.25 |
|
/test ci/centos/mini-e2e/k8s-1.23 |
|
/test ci/centos/mini-e2e/k8s-1.24 |
|
/test ci/centos/mini-e2e/k8s-1.25 |
|
/test ci/centos/upgrade-tests-cephfs |
|
/test ci/centos/upgrade-tests-rbd |
|
/test ci/centos/upgrade-tests-cephfs |
|
@irq0 thanks for pulling it ! lgtm.. its also good to add a user facing documentation for CephFS Fscrypt. It could be a kind of placeholder doc with disclaimers ( required kernel support..etc) too . |
|
/test ci/centos/k8s-e2e-external-storage/1.25 |
|
/test ci/centos/mini-e2e-helm/k8s-1.23 |
|
/test ci/centos/mini-e2e-helm/k8s-1.24 |
|
/test ci/centos/mini-e2e-helm/k8s-1.25 |
|
/test ci/centos/mini-e2e/k8s-1.23 |
|
/test ci/centos/mini-e2e/k8s-1.24 |
|
/test ci/centos/mini-e2e/k8s-1.25 |
|
/test ci/centos/upgrade-tests-cephfs |
|
/test ci/centos/upgrade-tests-rbd |
|
/retest ci/centos/mini-e2e-helm/k8s-1.24 |
|
@Mergifyio requeue |
✅ The queue state of this pull request has been cleaned. It can be re-embarked automatically |
|
/test ci/centos/k8s-e2e-external-storage/1.23 |
|
/test ci/centos/k8s-e2e-external-storage/1.24 |
|
/test ci/centos/k8s-e2e-external-storage/1.25 |
|
/test ci/centos/mini-e2e-helm/k8s-1.23 |
|
/test ci/centos/mini-e2e-helm/k8s-1.24 |
|
/test ci/centos/mini-e2e-helm/k8s-1.25 |
|
/test ci/centos/mini-e2e/k8s-1.23 |
|
/test ci/centos/mini-e2e/k8s-1.24 |
|
/test ci/centos/mini-e2e/k8s-1.25 |
|
/test ci/centos/upgrade-tests-cephfs |
|
/test ci/centos/upgrade-tests-rbd |
Add Ceph FS fscrypt support. Supports volumes, snapshots and clones.
Follow up to #3310 (adds fscrypt integration) and second in series towards #1563
Fixes: #1563
Usage Requirements
End-to-end Testing
Testing on minikube requires a custom ISO with the latest Ceph FS patches. To test snapshots and clones a main branch build of Ceph is needed as well.
Custom Minikube ISO
Use patches from https://github.com/irq0/minikube/tree/custom-ceph-fscrypt-kernel on top of minikube to build an ISO with the current Ceph FS development kernel.
Build summary:
Then use minikube.sh with MINIKUBE_ISO_URL="file://path of minikube.iso"
Use Ceph Main Branch Images
Either use
quay.io/ceph/daemon:latest-main-develor build using ceph-containers project.Build
In https://github.com/ceph/ceph-container.git clone:
Optional: patch image with ceph/ceph#48410