Ceph tracker (https://tracker.ceph.com/), feed updated 2016-02-07T08:58:32Z
Ceph - Feature #14669: ceph-disk: support indirect dmcrypt key retrieval
Journal entry https://tracker.ceph.com/issues/14669?journal_id=65472, 2016-02-07T08:58:32Z, Loïc Dachary (loic@dachary.org)
<ul><li><strong>Status</strong> changed from <i>12</i> to <i>In Progress</i></li></ul><p><a class="external" href="https://github.com/ceph/ceph/pull/7552">https://github.com/ceph/ceph/pull/7552</a></p>
Journal entry https://tracker.ceph.com/issues/14669?journal_id=66213, 2016-02-23T07:09:34Z, Loïc Dachary (loic@dachary.org)
<p><strong>osd dm-crypt key management scheme</strong></p>
<ul>
<li>create new partition type OSD_LOCKBOX (or similar)
<ul>
<li>populate with tiny file system</li>
<li>automount, read-only, at /var/lib/ceph/osd-lockbox/$uuid (where uuid can be random, doesn't matter: either unique to this device, or the osd uuid)</li>
</ul>
</li>
<li>'km-mode' file indicates which key management scheme we are using.</li>
</ul>
<p><strong>creation</strong></p>
<ul>
<li>create lockbox partition on device (unencrypted), with tiny fs</li>
<li>store luks key on monitor
<ul>
<li>ceph config-key put dm-crypt/osd/$osd_uuid/luks $secret</li>
</ul>
</li>
<li>create a ceph user that can fetch it
<ul>
<li>ceph auth get-or-create client.osd-lockbox.$osd_uuid mon 'allow command "config-key get" with key="dm-crypt/osd/$osd_uuid"' > /var/lib/ceph/osd-lockbox/$osd_uuid/keyring</li>
</ul>
</li>
<li>echo 'ceph-mon v1' > /var/lib/ceph/osd-lockbox/$osd_uuid/km-mode</li>
</ul>
<p><strong>activation</strong></p>
<ul>
<li>if km-mode == "ceph-mon v1" ...
<ul>
<li>use user and key from 'keyring' file:</li>
<li>'ceph -n client.osd-lockbox.$osd_uuid -k /var/lib/ceph/osd-lockbox/$osd_uuid/keyring config-key get dm-crypt/osd/$osd_uuid' will write the secret to stdout</li>
</ul>
</li>
<li>when we encounter a dm-crypt device,
<ul>
<li>first check legacy location (/etc/ceph/dmcrypt-keys/$osd_uuid)</li>
<li>then check for lockbox (/var/lib/ceph/osd-lockbox/$osd_uuid)</li>
</ul>
</li>
<li>after we mount the lockbox, re-probe any dm-crypt devices with the same uuid (in case they tried before but lockbox wasn't mounted yet)</li>
<li>if there are alternative key managers in use, indicate them in the lockbox, and adjust the "get key" method accordingly</li>
</ul>
Journal entry https://tracker.ceph.com/issues/14669?journal_id=66252, 2016-02-24T08:06:31Z, Loïc Dachary (loic@dachary.org)
<ul><li><strong>Description</strong> updated (<a title="View differences" href="/journals/66252/diff?detail_id=63439">diff</a>)</li></ul>
Journal entry https://tracker.ceph.com/issues/14669?journal_id=66263, 2016-02-24T14:51:50Z, Loïc Dachary (loic@dachary.org)
<pre>
[root@target167114242062 ceph-disk]# cryptsetup remove /dev/mapper/b2ba96fe-e05e-49a0-818b-9ba459ad6256
[root@target167114242062 ceph-disk]# cryptsetup --key-file /etc/ceph/dmcrypt-keys/b2ba96fe-e05e-49a0-818b-9ba459ad6256 create b2ba96fe-e05e-49a0-818b-9ba459ad6256 /dev/vdb1 --key-size 256
[root@target167114242062 ceph-disk]# mount -t xfs -o noatime,inode64 -- /dev/mapper/b2ba96fe-e05e-49a0-818b-9ba459ad6256 /mnt
[root@target167114242062 ceph-disk]# umount /mnt
[root@target167114242062 ceph-disk]# cryptsetup remove /dev/mapper/b2ba96fe-e05e-49a0-818b-9ba459ad6256
[root@target167114242062 ceph-disk]# cat /etc/ceph/dmcrypt-keys/b2ba96fe-e05e-49a0-818b-9ba459ad6256 | cryptsetup --key-file - create b2ba96fe-e05e-49a0-818b-9ba459ad6256 /dev/vdb1 --key-size 256
[root@target167114242062 ceph-disk]# mount -t xfs -o noatime,inode64 -- /dev/mapper/b2ba96fe-e05e-49a0-818b-9ba459ad6256 /mnt
mount: wrong fs type, bad option, bad superblock on /dev/mapper/b2ba96fe-e05e-49a0-818b-9ba459ad6256,
missing codepage or helper program, or other error
In some cases useful info is found in syslog - try
dmesg | tail or so.
</pre>
Journal entry https://tracker.ceph.com/issues/14669?journal_id=67681, 2016-03-17T08:16:58Z, Loïc Dachary (loic@dachary.org)
<ul><li><strong>Status</strong> changed from <i>In Progress</i> to <i>Resolved</i></li></ul>