RBD fscrypt support #3310

Merged
merged 35 commits into from
Oct 17, 2022

Commits on Oct 17, 2022

  1. util: Make encryption passphrase size a parameter

    fscrypt support requires keys longer than 20 bytes. As a preparation,
    make the new passphrase length configurable, but default to 20 bytes.
    
    Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
    irq0 authored and mergify[bot] committed Oct 17, 2022
    33fffa3
  2. util: Add util to fetch encryption type from vol options

    Fetch encryption type from vol options. Make fallback type
    configurable to support RBD (default block) and Ceph FS (default file)
    
    Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
    Marcel Lauhoff authored and mergify[bot] committed Oct 17, 2022
    20081ca
  3. kms: Add GetSecret() to metadata KMS

    Add GetSecret() to allow direct access to passphrases without KDF and
    wrapping by a DEKStore.
    
    This will be used by fscrypt, which has its own KDF and wrapping. It
    will allow users to take a k8s secret, for example, and use that
    directly as a password in fscrypt.
    
    Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
    Marcel Lauhoff authored and mergify[bot] committed Oct 17, 2022
    9b0cdf4
  4. kms: testing: add KMS test dummy registry

    Add registry similar to the providers one. This allows testers to
    add and use GetKMSTestDummy() to create stripped down provider
    instances suitable for use in unit tests.
    
    Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
    Marcel Lauhoff authored and mergify[bot] committed Oct 17, 2022
    7f083c2
  5. kms: Add basic GetSecret() test

    Add rudimentary test to ensure that we can get a valid passphrase from
    the GetSecret() feature
    
    Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
    Marcel Lauhoff authored and mergify[bot] committed Oct 17, 2022
    2f57e5e
  6. rbd: Rename encryption to blockEncryption prep for fscrypt

    In preparation for fscrypt support for RBD filesystems, rename block
    encryption related functions to include the word 'block'. Add struct
    fields and IsFileEncrypted.
    
    Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
    Marcel Lauhoff authored and mergify[bot] committed Oct 17, 2022
    0551c0b
  7. journal: Store encryptionType in Config struct

    Add encryptionType next to kmsID to support both block and file
    encryption.
    
    Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
    Marcel Lauhoff authored and mergify[bot] committed Oct 17, 2022
    8827105
  8. fscrypt: fscrypt integration

    Integrate google/fscrypt into Ceph CSI KMS and encryption setup. Adds
    dependencies to google/fscrypt and pkg/xattr. Be as generic as
    possible to support integration with both RBD and Ceph FS.
    
    Add the following public functions:
    
    InitializeNode: per-node initialization steps. Must be called
    before Unlock at least once.
    
    Unlock: All steps necessary to unlock an encrypted directory including
    setting it up initially.
    
    IsDirectoryUnlocked: Test if directory is really encrypted
    
    Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
    Marcel Lauhoff authored and mergify[bot] committed Oct 17, 2022
    259b4d0
  9. vendor: vendor fscrypt integration dependencies

    Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
    Marcel Lauhoff authored and mergify[bot] committed Oct 17, 2022
    ea13d57
  10. fscrypt: Unlock: Fetch keys early

    Fetch keys from KMS before doing anything else. This will catch KMS
    errors before setting up any fscrypt metadata.
    
    Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
    Marcel Lauhoff authored and mergify[bot] committed Oct 17, 2022
    13073f0
  11. fscrypt: Fetch passphrase when keyFn is invoked not created

    Fetch password when keyFn is invoked, not when it is created. This
    allows creation of the keyFn before actually creating the passphrase.
    
    Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
    Marcel Lauhoff authored and mergify[bot] committed Oct 17, 2022
    3d9cd65
  12. fscrypt: Determine best supported fscrypt policy on node init

    Currently fscrypt supports policies version 1 and 2. 2 is the best
    choice and was the only choice prior to this commit. This adds support
    for kernels < 5.4, by selecting policy version 1 there.
    
    Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
    Marcel Lauhoff authored and mergify[bot] committed Oct 17, 2022
    e165c9e
  13. fscrypt: Update mount info before create context

    NewContextFrom{Mountpoint,Path} functions use cached
    `/proc/self/mountinfo` to find mounted file systems by device ID.
    Since we run fscrypt as a library in a long-lived process the cached
    information is likely to be stale. Stale entries may map device IDs to
    mount points of already destroyed RBDs and fail context creation.
    Updating the cache beforehand prevents this.
    
    Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
    Marcel Lauhoff authored and mergify[bot] committed Oct 17, 2022
    1d781fd
  14. fscrypt: Use constant protector name

    Use constant protector name 'ceph-csi' instead of constant prefix
    concatenated with the volume ID. When cloning volumes the ID changes
    and fscrypt protected directories become inunlockable due to the
    protector name change
    
    Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
    Marcel Lauhoff authored and mergify[bot] committed Oct 17, 2022
    bfd397d
  15. fscrypt: fsync encrypted dir after setting policy [workaround]

    Revert once google/fscrypt#359 gets accepted and our google/fscrypt
    dependency is upgraded to a version that includes it
    
    Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
    Marcel Lauhoff authored and mergify[bot] committed Oct 17, 2022
    c63133e
  16. fscrypt: fix metadata directory permissions

    Call Mount.Setup with SingleUserWritable constant instead of 0o755,
    which is silently ignored and causes the /.fscrypt/{policy,protector}/
    directories to have mode 000.
    
    Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
    Marcel Lauhoff authored and mergify[bot] committed Oct 17, 2022
    802d766
  17. rbd: fscrypt file encryption support

    Integrate basic fscrypt functionality into RBD initialization. To
    activate file encryption instead of block introduce the new
    'encryptionType' storage class key.
    
    Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
    Marcel Lauhoff authored and mergify[bot] committed Oct 17, 2022
    65c8787
  18. rbd: Handle encryption type default at a more meaningful place

    Different places have different meaningful fallbacks. When parsing
    from user we should default to block; when parsing stored config we
    should default to invalid and handle that as an error.
    
    Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
    Marcel Lauhoff authored and mergify[bot] committed Oct 17, 2022
    d8e94c3
  19. rbd: Document new encryptionType storage class example

    Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
    Marcel Lauhoff authored and mergify[bot] committed Oct 17, 2022
    8e49c77
  20. rbd: Add volume journal encryption support

    Add fscrypt support to the journal to support operations like
    snapshotting.
    
    Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
    Marcel Lauhoff authored and mergify[bot] committed Oct 17, 2022
    ca3fabe
  21. rbd: support file encrypted snapshots

    Support fscrypt on RBD snapshots
    
    Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
    Marcel Lauhoff authored and mergify[bot] committed Oct 17, 2022
    2bb1f66
  22. rbd: Add context to fscrypt errors

    Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
    Marcel Lauhoff authored and mergify[bot] committed Oct 17, 2022
    a6c459d
  23. e2e: Add fscrypt on rbd helper

    Add validation functions for fscrypt on RBD volumes
    
    Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
    Marcel Lauhoff authored and mergify[bot] committed Oct 17, 2022
    92ba6c2
  24. e2e: Add helper to run encryption tests on block and file

    Add a `By` wrapper to parameterize encryption related test functions
    and run them on both block and file encryption
    
    Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
    Marcel Lauhoff authored and mergify[bot] committed Oct 17, 2022
    a5a17fd
  25. e2e: Add PVC validator to ByFileAndBlockEncryption

    Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
    Marcel Lauhoff authored and mergify[bot] committed Oct 17, 2022
    d27f137
  26. e2e: Run encryption related tests on file and block type

    Replace `By` with `ByFileAndBlockEncryption` in all encryption related
    tests to parameterize them to file and block encryption.
    
    Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
    Marcel Lauhoff authored and mergify[bot] committed Oct 17, 2022
    656af96
  27. e2e: Add encrypted PVC with default settings test

    Add test that enables encryption with default type. Check that we set
    up block encryption.
    
    Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
    Marcel Lauhoff authored and mergify[bot] committed Oct 17, 2022
    d94e75e
  28. e2e: Apply formatting to rbd suite and helper

    Apply formatting for previous changes separately to make the commit
    diffs easier to read.
    
    Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
    Marcel Lauhoff authored and mergify[bot] committed Oct 17, 2022
    b179a13
  29. e2e: Use utilEncryptionType instead of string in rbd suite

    Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
    Marcel Lauhoff authored and mergify[bot] committed Oct 17, 2022
    e4c561b
  30. kms: Add GetSecret() to KMIP KMS

    Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
    Marcel Lauhoff authored and mergify[bot] committed Oct 17, 2022
    7fa6046
  31. scripts: Add env to set minikube iso url

    Make iso url configurable to use pre-release minikube images or
    local-built (file://)
    
    Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
    Marcel Lauhoff authored and mergify[bot] committed Oct 17, 2022
    829414c
  32. util: Add EncryptionTypeNone and unit tests

    Add type none to distinguish disabled encryption (positive result)
    from invalid configuration (negative result).
    
    Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
    Marcel Lauhoff authored and mergify[bot] committed Oct 17, 2022
    12bd495
  33. rbd: Use EncryptionTypeNone

    Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
    Marcel Lauhoff authored and mergify[bot] committed Oct 17, 2022
    8a23075
  34. cephfs: Add placeholder journal fscrypt support

    Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
    Marcel Lauhoff authored and mergify[bot] committed Oct 17, 2022
    1dff9a6
  35. e2e: Feature flag RBD fscrypt tests (default disabled)

    Add test-rbd-fscrypt feature flag to e2e suite. Default disabled as
    the current CI system's kernel doesn't have the required features
    enabled.
    
    Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
    Marcel Lauhoff authored and mergify[bot] committed Oct 17, 2022
    eccb1a7