rbd, rbd-nbd: make --encryption-format optional
If no --encryption-format is specified at all, default to "luks" for each specified --encryption-passphrase-file. Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
This commit is contained in:
parent
e62e3b6613
commit
a27ee2bdf8
@ -136,9 +136,11 @@ A batch of such unaligned writes can lead to IO races which will further
|
|||||||
deteriorate performance. Thus it is advisable to avoid using RBD encryption
|
deteriorate performance. Thus it is advisable to avoid using RBD encryption
|
||||||
in cases where incoming writes cannot be guaranteed to be sector-aligned.
|
in cases where incoming writes cannot be guaranteed to be sector-aligned.
|
||||||
|
|
||||||
To mount a LUKS-encrypted image run::
|
To map a LUKS-formatted image run:
|
||||||
|
|
||||||
$ rbd -p {pool-name} device map -t nbd -o encryption-format=luks,encryption-passphrase-file={passphrase-file}
|
.. prompt:: bash #
|
||||||
|
|
||||||
|
rbd device map -t nbd -o encryption-passphrase-file={passphrase-file} {image-spec}
|
||||||
|
|
||||||
Note that for security reasons, both the encryption format and encryption load
|
Note that for security reasons, both the encryption format and encryption load
|
||||||
operations are CPU-intensive, and may take a few seconds to complete. For the
|
operations are CPU-intensive, and may take a few seconds to complete. For the
|
||||||
|
@ -43,7 +43,7 @@ function test_encryption_format() {
|
|||||||
sudo chmod 666 /dev/mapper/cryptsetupdev
|
sudo chmod 666 /dev/mapper/cryptsetupdev
|
||||||
|
|
||||||
# open encryption with librbd
|
# open encryption with librbd
|
||||||
LIBRBD_DEV=$(_sudo rbd -p rbd map testimg -t nbd -o encryption-format=luks,encryption-passphrase-file=/tmp/passphrase)
|
LIBRBD_DEV=$(_sudo rbd -p rbd map testimg -t nbd -o encryption-passphrase-file=/tmp/passphrase)
|
||||||
sudo chmod 666 $LIBRBD_DEV
|
sudo chmod 666 $LIBRBD_DEV
|
||||||
|
|
||||||
# write via librbd && compare
|
# write via librbd && compare
|
||||||
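Review bot: With `encryption-format=luks` dropped from the map call, this function no longer exercises the explicit-format path of `rbd map`, only the new default; unless another test in the file still passes the option, keep one invocation of each form, e.g. leave `LIBRBD_DEV=$(_sudo rbd -p rbd map testimg -t nbd -o encryption-format=luks,encryption-passphrase-file=/tmp/passphrase)` here and rely on the defaulted form in the flatten hunk further down, which already adds a two-passphrase call without a format. The same explicit-to-default swap happens in both branches of that flatten hunk, so after this commit no visible line passes `--encryption-format luks` to a flatten or map command. test_encryption_format starts and ends outside this hunk.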
@ -117,9 +117,10 @@ function test_clone_and_load_with_a_single_passphrase {
|
|||||||
|
|
||||||
if [ "$expectedfail" = "true" ]
|
if [ "$expectedfail" = "true" ]
|
||||||
then
|
then
|
||||||
expect_false rbd flatten testimg1 --encryption-format luks --encryption-passphrase-file /tmp/passphrase2
|
expect_false rbd flatten testimg1 --encryption-passphrase-file /tmp/passphrase2
|
||||||
|
rbd flatten testimg1 --encryption-passphrase-file /tmp/passphrase2 --encryption-passphrase-file /tmp/passphrase
|
||||||
else
|
else
|
||||||
rbd flatten testimg1 --encryption-format luks --encryption-passphrase-file /tmp/passphrase2
|
rbd flatten testimg1 --encryption-passphrase-file /tmp/passphrase2
|
||||||
fi
|
fi
|
||||||
|
|
||||||
rbd remove testimg1
|
rbd remove testimg1
|
||||||
|
@ -879,6 +879,7 @@
|
|||||||
--image arg image name
|
--image arg image name
|
||||||
--no-progress disable progress output
|
--no-progress disable progress output
|
||||||
--encryption-format arg encryption format (luks, luks1, luks2)
|
--encryption-format arg encryption format (luks, luks1, luks2)
|
||||||
|
[default: luks]
|
||||||
--encryption-passphrase-file arg path to file containing passphrase for
|
--encryption-passphrase-file arg path to file containing passphrase for
|
||||||
unlocking the image
|
unlocking the image
|
||||||
|
|
||||||
@ -2254,6 +2255,7 @@
|
|||||||
--allow-shrink permit shrinking
|
--allow-shrink permit shrinking
|
||||||
--no-progress disable progress output
|
--no-progress disable progress output
|
||||||
--encryption-format arg encryption format (luks, luks1, luks2)
|
--encryption-format arg encryption format (luks, luks1, luks2)
|
||||||
|
[default: luks]
|
||||||
--encryption-passphrase-file arg path to file containing passphrase for
|
--encryption-passphrase-file arg path to file containing passphrase for
|
||||||
unlocking the image
|
unlocking the image
|
||||||
|
|
||||||
|
@ -333,7 +333,7 @@ void add_encryption_options(boost::program_options::options_description *opt) {
|
|||||||
opt->add_options()
|
opt->add_options()
|
||||||
(ENCRYPTION_FORMAT.c_str(),
|
(ENCRYPTION_FORMAT.c_str(),
|
||||||
po::value<std::vector<EncryptionFormat>>(),
|
po::value<std::vector<EncryptionFormat>>(),
|
||||||
"encryption format (luks, luks1, luks2)");
|
"encryption format (luks, luks1, luks2) [default: luks]");
|
||||||
|
|
||||||
opt->add_options()
|
opt->add_options()
|
||||||
(ENCRYPTION_PASSPHRASE_FILE.c_str(),
|
(ENCRYPTION_PASSPHRASE_FILE.c_str(),
|
||||||
|
@ -731,6 +731,9 @@ int get_encryption_options(const boost::program_options::variables_map &vm,
|
|||||||
std::vector<at::EncryptionFormat> formats;
|
std::vector<at::EncryptionFormat> formats;
|
||||||
if (vm.count(at::ENCRYPTION_FORMAT)) {
|
if (vm.count(at::ENCRYPTION_FORMAT)) {
|
||||||
formats = vm[at::ENCRYPTION_FORMAT].as<decltype(formats)>();
|
formats = vm[at::ENCRYPTION_FORMAT].as<decltype(formats)>();
|
||||||
|
} else if (vm.count(at::ENCRYPTION_PASSPHRASE_FILE)) {
|
||||||
|
formats.resize(passphrase_files.size(),
|
||||||
|
at::EncryptionFormat{RBD_ENCRYPTION_FORMAT_LUKS});
|
||||||
}
|
}
|
||||||
|
|
||||||
if (formats.size() != passphrase_files.size()) {
|
if (formats.size() != passphrase_files.size()) {
|
||||||
|
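Review bot: The new `else if` in get_encryption_options tests `vm.count(at::ENCRYPTION_PASSPHRASE_FILE)` while the equivalent block added to rbd-nbd's parse_args (hunk `@ -2194,6 +2194,12 @@`) tests `!cfg->encryption_passphrase_files.empty()`; since the count-mismatch check right below makes a resize to zero harmless, both could reduce to a plain `else` branch that resizes to `passphrase_files.size()`, which keeps the two tools from drifting. Either way the branch deserves a why-comment, e.g. `// No --encryption-format at all: assume luks for every --encryption-passphrase-file`, because the resize-to-count only fills in when no format was given, so one explicit format with several passphrase files is still rejected below rather than padded, which the new "[default: luks]" help text does not make obvious. Where passphrase_files is populated is outside this hunk, so whether `vm.count` and `.empty()` always agree is inferred rather than visible. get_encryption_options continues on both sides of the hunk.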
@ -153,7 +153,7 @@ static void usage()
|
|||||||
<< "Map and attach options:\n"
|
<< "Map and attach options:\n"
|
||||||
<< " --device <device path> Specify nbd device path (/dev/nbd{num})\n"
|
<< " --device <device path> Specify nbd device path (/dev/nbd{num})\n"
|
||||||
<< " --encryption-format luks|luks1|luks2\n"
|
<< " --encryption-format luks|luks1|luks2\n"
|
||||||
<< " Image encryption format\n"
|
<< " Image encryption format (default: luks)\n"
|
||||||
<< " --encryption-passphrase-file Path of file containing passphrase for unlocking image encryption\n"
|
<< " --encryption-passphrase-file Path of file containing passphrase for unlocking image encryption\n"
|
||||||
<< " --exclusive Forbid writes by other clients\n"
|
<< " --exclusive Forbid writes by other clients\n"
|
||||||
<< " --notrim Turn off trim/discard\n"
|
<< " --notrim Turn off trim/discard\n"
|
||||||
@ -2194,6 +2194,12 @@ static int parse_args(vector<const char*>& args, std::ostream *err_msg,
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (cfg->encryption_formats.empty() &&
|
||||||
|
!cfg->encryption_passphrase_files.empty()) {
|
||||||
|
cfg->encryption_formats.resize(cfg->encryption_passphrase_files.size(),
|
||||||
|
RBD_ENCRYPTION_FORMAT_LUKS);
|
||||||
|
}
|
||||||
|
|
||||||
if (cfg->encryption_formats.size() != cfg->encryption_passphrase_files.size()) {
|
if (cfg->encryption_formats.size() != cfg->encryption_passphrase_files.size()) {
|
||||||
*err_msg << "rbd-nbd: Encryption formats count does not match "
|
*err_msg << "rbd-nbd: Encryption formats count does not match "
|
||||||
<< "passphrase files count";
|
<< "passphrase files count";
|
||||||
|