Ceph FS fscrypt support

[irq0]

Add Ceph FS fscrypt support. Supports volumes, snapshots and clones.

Follow up to #3310 (adds fscrypt integration) and second in series towards #1563

Fixes: #1563

Usage Requirements

• Kernel with Ceph FS fscrypt support
  • git://git.kernel.org/pub/scm/linux/kernel/git/jlayton/linux.git branch ceph-fscrypt
  • or https://github.com/ceph/ceph-client.git branch wip-fscrypt
• https://github.com/google/fscrypt#runtime-dependencies
• Ceph MDS support
  • v17: volumes supported
  • main branch: +snapshots
  • main branch+mgr/volumes: copy fscrypt auth xattr when doing a clone ceph#48410: +clones

End-to-end Testing

Testing on minikube requires a custom ISO with the latest Ceph FS patches. To test snapshots and clones a main branch build of Ceph is needed as well.

Custom Minikube ISO

Use patches from https://github.com/irq0/minikube/tree/custom-ceph-fscrypt-kernel on top of minikube to build an ISO with the current Ceph FS development kernel.

Build summary:

make
make buildroot-image
make out/minikube-x86_64.iso

Then use minikube.sh with MINIKUBE_ISO_URL="file://path of minikube.iso"

Use Ceph Main Branch Images

Either use quay.io/ceph/daemon:latest-main-devel or build using ceph-containers project.

Build

In https://github.com/ceph/ceph-container.git clone:

eval $(minikube docker-env)  # will build inside minikube VM
make BASEOS_REGISTRY=quay.io/centos BASEOS_TAG=stream8 CEPH_DEVEL=true FLAVORS="main,centos,8" build

Optional: patch image with ceph/ceph#48410

[irq0]

Test last push addresses the linter errors.

The failure in ci/centos/upgrade-tests-cephfs is interesting:

The updated deploy/cephfs/* files now have the ceph-csi-encryption-kms-config configmaps attached as volumes (like their RBD counterparts). My read is that the update tests fail, because they are not present. What is the best course of action here? Add the encryption related configmaps to the update path? Fork the file into regular and encryption enabled?

[Madhu-1]

ceph-csi-encryption-kms-config configmaps attached as volumes (like their RBD counterparts). My read is that the update tests fail, because they are not present.

You can set https://github.com/ceph/ceph-csi/blob/devel/e2e/cephfs.go#L73 to true so that it will continue if the file is not present

[irq0]

ceph-csi-encryption-kms-config configmaps attached as volumes (like their RBD counterparts). My read is that the update tests fail, because they are not present.

You can set https://github.com/ceph/ceph-csi/blob/devel/e2e/cephfs.go#L73 to true so that it will continue if the file is not present

Adding deployVault (just like the RBD suites have) to the tests did the trick. It configures the ceph-csi-encryption-kms-config required by the cephfs provisioner / nodeserver

[Madhu-1]

Changes look good, with some minor nits. Can you point to some document that can help us to test this feature on local systems (ceph image, kernel version to use), etc?

[Madhu-1]

use namespace: {{ .Release.Namespace }} here

[irq0]

The RBD analogue doesn't have that construct. It is for use in the helm templates, not?

[Madhu-1]

Any specific reason to start with maybe for both functions?

[irq0]

Both functions only do things if encryption is enabled. The 'maybe' tried to convey that the function may not do anything at all.

[irq0]

Can you point to some document that can help us to test this feature on local systems (ceph image, kernel version to use), etc?

I uploaded a minikube ISO with the current development Ceph FS fscrypt kernel that might be helpful: https://github.com/irq0/minikube/releases

You can test most changes by setting the following when calling scripts/minikube.sh

ROOK_CEPH_CLUSTER_IMAGE=quay.io/ceph/daemon:latest-main-devel
MINIKUBE_ISO_URL="https://github.com/irq0/minikube/releases/download/2022-11-08-master%2Bfscrypt-kernel/minikube-amd64.iso"

My helper scripts are in https://github.com/irq0/dev-ceph-csi-fscrypt-config
Calling kube-deploy-cephcsi from there sets up ceph csi and a deployment using an already set up rook.

[irq0]

Push: Rebase to devel and changes for the comments above

[nixpanic]

Just a few nits, nothing that requires correcting in my opinion. I'm a little sad I can't easily test this out. As long as it does not break anything, we should be good for now.

Ideally we start running weekly tests with a non-standard kernel config (minkube VM?) and Ceph release that contains support for fscrypt.

[nixpanic]

I'm not happy with the extreme indention here... But I also don't immediately see how this can be cleanly simplified.

[nixpanic]

this probably should be squashed in the commit that added the InitKMS() and/or other calls?

[nixpanic]

This is a nice cleanup, and could have been a PR by itself.

[irq0]

Just a few nits, nothing that requires correcting in my opinion. I'm a little sad I can't easily test this out. As long as it does not break anything, we should be good for now.

Thanks! Me too. It would be awesome to get at least some CI coverage of the Ceph FS fscrypt path.

Ideally we start running weekly tests with a non-standard kernel config (minkube VM?) and Ceph release that contains support for fscrypt.

A minikube VM is probably the best option. Comment #3460 (comment) has some details on how.

I think a custom ISO is the only way to go for the foreseeable future, as minikube kernels tend to be behind and fscrypt kernel support isn't (fully) merged yet.

[github-actions]

/test ci/centos/k8s-e2e-external-storage/1.23

[github-actions]

/test ci/centos/k8s-e2e-external-storage/1.24

[github-actions]

/test ci/centos/k8s-e2e-external-storage/1.25

[github-actions]

/test ci/centos/mini-e2e-helm/k8s-1.23

[github-actions]

/test ci/centos/mini-e2e-helm/k8s-1.24

[github-actions]

/test ci/centos/mini-e2e-helm/k8s-1.25

[github-actions]

/test ci/centos/mini-e2e/k8s-1.23

[github-actions]

/test ci/centos/mini-e2e/k8s-1.24

[github-actions]

/test ci/centos/mini-e2e/k8s-1.25

[github-actions]

/test ci/centos/upgrade-tests-cephfs

[github-actions]

/test ci/centos/upgrade-tests-rbd

[Madhu-1]

/test ci/centos/upgrade-tests-cephfs

[humblec]

@irq0 thanks for pulling it ! lgtm.. its also good to add a user facing documentation for CephFS Fscrypt. It could be a kind of placeholder doc with disclaimers ( required kernel support..etc) too .

[github-actions]

/test ci/centos/k8s-e2e-external-storage/1.25

[github-actions]

/test ci/centos/mini-e2e-helm/k8s-1.23

[github-actions]

/test ci/centos/mini-e2e-helm/k8s-1.24

[github-actions]

/test ci/centos/mini-e2e-helm/k8s-1.25

[github-actions]

/test ci/centos/mini-e2e/k8s-1.23

[github-actions]

/test ci/centos/mini-e2e/k8s-1.24

[github-actions]

/test ci/centos/mini-e2e/k8s-1.25

[github-actions]

/test ci/centos/upgrade-tests-cephfs

[github-actions]

/test ci/centos/upgrade-tests-rbd

[nixpanic]

/retest ci/centos/mini-e2e-helm/k8s-1.24

[nixpanic]

@Mergifyio requeue

[mergify]

requeue

✅ The queue state of this pull request has been cleaned. It can be re-embarked automatically

[github-actions]

/test ci/centos/k8s-e2e-external-storage/1.23

[github-actions]

/test ci/centos/k8s-e2e-external-storage/1.24

[github-actions]

/test ci/centos/k8s-e2e-external-storage/1.25

[github-actions]

/test ci/centos/mini-e2e-helm/k8s-1.23

[github-actions]

/test ci/centos/mini-e2e-helm/k8s-1.24

[github-actions]

/test ci/centos/mini-e2e-helm/k8s-1.25

[github-actions]

/test ci/centos/mini-e2e/k8s-1.23

[github-actions]

/test ci/centos/mini-e2e/k8s-1.24

[github-actions]

/test ci/centos/mini-e2e/k8s-1.25

[github-actions]

/test ci/centos/upgrade-tests-cephfs

[github-actions]

/test ci/centos/upgrade-tests-rbd