Adds dm-crypt support #5739

Merged 1 commit on Dec 3, 2019

vasyl-purchel
Contributor

Adds crypt target support in kernel for device mapper
Adds XTS support, AES cipher algorithms and User-space interface for
symmetric key cipher algorithms in kernel

This change is needed to make it possible to encrypt rbd images in ceph-csi with LUKS

Signed-off-by: Vasyl Purchel <vasyl.purchel@workday.com>
Signed-off-by: Andrea Baglioni <andrea.baglioni@workday.com>

@k8s-ci-robot
Contributor

Welcome @vasyl-purchel!

It looks like this is your first PR to kubernetes/minikube 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes/minikube has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

@k8s-ci-robot
Contributor

Thanks for your pull request. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

📝 Please follow instructions at https://git.k8s.io/community/CLA.md#the-contributor-license-agreement to sign the CLA.

It may take a couple minutes for the CLA signature to be fully registered; after that, please reply here with a new comment and we'll verify. Thanks.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@k8s-ci-robot k8s-ci-robot added the cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. label Oct 25, 2019
@k8s-ci-robot
Contributor

Hi @vasyl-purchel. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.


@k8s-ci-robot k8s-ci-robot added needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Oct 25, 2019
@minikube-bot
Collaborator

Can one of the admins verify this patch?

@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: vasyl-purchel
To complete the pull request process, please assign tstromberg
You can assign the PR to them by writing /assign @tstromberg in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@codecov-io

Codecov Report

Merging #5739 into master will not change coverage.
The diff coverage is n/a.


@@           Coverage Diff           @@
##           master    #5739   +/-   ##
=======================================
  Coverage   37.83%   37.83%           
=======================================
  Files         106      106           
  Lines        7773     7773           
=======================================
  Hits         2941     2941           
  Misses       4452     4452           
  Partials      380      380

@medyagh
Member

medyagh commented Oct 25, 2019

Thanks for creating this PR! Would you mind giving some examples where this PR would be useful?
And also an example that the current minikube does not support it? Maybe output and logs?

@vasyl-purchel
Contributor Author

With the change I have created containers from https://github.com/ceph/ceph-csi/pull/697/files and then inside csi-rbdplugin container (kubectl exec -it csi-rbdplugin-hn2bc -c csi-rbdplugin bash) I have created an rbd image in ceph, mapped it and then was able to encrypt it with LUKS:

[root@minikube /]# echo 'hellopassphrase' | cryptsetup luksFormat --hash sha256 /dev/rbd0 -d /dev/stdin
[root@minikube /]# echo $?
0
[root@minikube /]# lsblk
NAME   MAJ:MIN RM   SIZE RO TYPE MOUNTPOINT
rbd0   251:0    0     1G  0 disk
sr0     11:0    1 143.4M  0 rom
sda      8:0    0  19.5G  0 disk
`-sda1   8:1    0  19.5G  0 part /var/lib/kubelet/plugins
[root@minikube /]# echo 'hellopassphrase' | cryptsetup luksOpen /dev/rbd0 luks-encr-test -d /dev/stdin
[root@minikube /]# lsblk
NAME             MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
rbd0             251:0    0     1G  0 disk
`-luks-encr-test 252:0    0  1020M  0 crypt
sr0               11:0    1 143.4M  0 rom
sda                8:0    0  19.5G  0 disk
`-sda1             8:1    0  19.5G  0 part  /var/lib/kubelet/plugins

While with the latest version I was getting:

[root@minikube /]# echo 'hellopassphrase' | cryptsetup -q luksFormat --hash sha256 /dev/rbd0 -d /dev/stdin          
device-mapper: reload ioctl on   failed: Invalid argument
Failed to setup dm-crypt key mapping for device /dev/rbd0.
Check that kernel supports aes-xts-plain64 cipher (check syslog for more info).

Also from cryptsetup documentation:

Before using cryptsetup, always make sure the dm_crypt kernel module is loaded.

Without the change you get:

[root@minikube /]# modprobe dm_crypt
modprobe: FATAL: Module dm_crypt not found.

After the change:

[root@minikube /]# modprobe dm-crypt
[root@minikube /]# echo $?
0
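
The kernel prerequisites behind the cryptsetup failure shown above can be checked before formatting a device. This is an added example, not part of the PR or of any comment in this thread; the Kconfig symbols are the upstream kernel names for the four features listed in the PR description, and the function name and sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check for the kernel features this PR enables.
# Upstream Kconfig symbols for: crypt target, XTS, AES, userspace skcipher API.
REQUIRED_OPTS="CONFIG_DM_CRYPT CONFIG_CRYPTO_XTS CONFIG_CRYPTO_AES CONFIG_CRYPTO_USER_API_SKCIPHER"

# Print every required option that is neither built in (=y) nor a module (=m).
# $1: path to a kernel config, plain text or gzip (e.g. /proc/config.gz).
# Empty output means dm-crypt with aes-xts-plain64 should be usable.
missing_dmcrypt_opts() {
    cfg=$1
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }
    case "$cfg" in
        *.gz) text=$(gzip -cd "$cfg") ;;
        *)    text=$(cat "$cfg") ;;
    esac
    missing=""
    for opt in $REQUIRED_OPTS; do
        # Anchored match: "# CONFIG_X is not set" and CONFIG_X_SUFFIX=y
        # must not be mistaken for CONFIG_X being enabled.
        if ! printf '%s\n' "$text" | grep -Eq "^${opt}=(y|m)\$"; then
            missing="$missing $opt"
        fi
    done
    printf '%s' "${missing# }"
}

# Constructed sample config (not taken from the minikube ISO).
sample=$(mktemp)
cat > "$sample" <<'EOF'
CONFIG_BLK_DEV_DM=y
# CONFIG_DM_CRYPT is not set
CONFIG_CRYPTO_AES=y
# CONFIG_CRYPTO_XTS is not set
CONFIG_CRYPTO_USER_API_HASH=m
EOF
echo "missing: $(missing_dmcrypt_opts "$sample")"
rm -f "$sample"
```

On a running system the same function can be pointed at `/proc/config.gz` or `/boot/config-$(uname -r)` when the kernel exposes one of them.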

@RA489

RA489 commented Oct 30, 2019

/check-cla

@RA489

RA489 commented Nov 22, 2019

@vasyl-purchel Do you have any issue while signing the CLA?

@vasyl-purchel
Contributor Author

/check-cla


@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. and removed cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. labels Nov 22, 2019
@tstromberg
Contributor

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Dec 2, 2019
@tstromberg
Contributor

Diff was difficult to parse at first, but change looks good. Thank you!

@tstromberg tstromberg merged commit 6a9e8a7 into kubernetes:master Dec 3, 2019