From: Sébastien Han Date: Tue, 19 Jul 2016 15:53:21 +0000 (+0200) Subject: ceph-osd: add dmcrypt scenario X-Git-Tag: v1.0.6~36^2~1 X-Git-Url: http://git.apps.os.sepia.ceph.com/?a=commitdiff_plain;h=5978d55d221f435e052514dc328fb701783b2f18;p=ceph-ansible.git ceph-osd: add dmcrypt scenario add the ability to encrypt osd data store using dm-crypt Signed-off-by: Sébastien Han --- diff --git a/group_vars/osds.sample b/group_vars/osds.sample index 8e817d115..458300e20 100644 --- a/group_vars/osds.sample +++ b/group_vars/osds.sample @@ -123,6 +123,12 @@ dummy: #bluestore: false +# VI. Sixth scenario: encrypt osd data and/or journal devices with dm-crypt. +# Keys are stored into the monitors k/v store +# Use 'true' to enable this scenario +#dmcrypt: false + + ########## # DOCKER # ########## diff --git a/roles/ceph-common/tasks/checks/check_mandatory_vars.yml b/roles/ceph-common/tasks/checks/check_mandatory_vars.yml index 2cf5ba39d..43be97554 100644 --- a/roles/ceph-common/tasks/checks/check_mandatory_vars.yml +++ b/roles/ceph-common/tasks/checks/check_mandatory_vars.yml @@ -72,6 +72,7 @@ - not raw_multi_journal - not osd_directory - not bluestore + - not dmcrypt - name: verify only one osd scenario was chosen fail: @@ -85,6 +86,10 @@ or (raw_multi_journal and osd_directory) or (raw_multi_journal and bluestore) or (osd_directory and bluestore) + or (dmcrypt and journal_collocation) + or (dmcrypt and raw_multi_journal) + or (dmcrypt and osd_directory) + or (dmcrypt and bluestore) - name: verify devices have been provided fail: diff --git a/roles/ceph-osd/defaults/main.yml b/roles/ceph-osd/defaults/main.yml index a86bc1dcd..b53f7e8cf 100644 --- a/roles/ceph-osd/defaults/main.yml +++ b/roles/ceph-osd/defaults/main.yml 
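Review bot: The pairwise list in "verify only one osd scenario was chosen" now needs four more `or (dmcrypt and …)` clauses, and a future scenario that misses one pair would let two scenarios run together without this check firing. Counting the enabled flags keeps it to a single condition: `[journal_collocation, raw_multi_journal, osd_directory, bluestore, dmcrypt] | select | list | length > 1`. The task's `when:` begins above the hunk, so any other conditions there have to be kept alongside it.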
@@ -115,6 +115,12 @@ osd_directory: false bluestore: false +# VI. Sixth scenario: encrypt osd data and/or journal devices with dm-crypt. +# Keys are stored into the monitors k/v store +# Use 'true' to enable this scenario +dmcrypt: false + + ########## # DOCKER # ########## diff --git a/roles/ceph-osd/tasks/main.yml b/roles/ceph-osd/tasks/main.yml index 7dfcf4415..76bc44cdb 100644 --- a/roles/ceph-osd/tasks/main.yml +++ b/roles/ceph-osd/tasks/main.yml @@ -22,5 +22,10 @@ - osd_objectstore == 'bluestore' - not osd_containerized_deployment +- include: ./scenarios/dmcrypt.yml + when: + - dmcrypt + - not osd_containerized_deployment + - include: ./docker/main.yml when: osd_containerized_deployment diff --git a/roles/ceph-osd/tasks/scenarios/dmcrypt.yml b/roles/ceph-osd/tasks/scenarios/dmcrypt.yml new file mode 100644 index 000000000..835b7e4f5 --- /dev/null +++ b/roles/ceph-osd/tasks/scenarios/dmcrypt.yml 
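Review bot: The comment above `dmcrypt: false` should say what the option does and does not protect. It states that the keys are stored in the monitors' k/v store, so the encryption presumably covers only disks that leave the cluster, while anyone who can read that store can recover the keys; this is worth confirming against the ceph-disk release in use. It also promises "data and/or journal devices", but the scenario tasks pass a single device to `ceph-disk prepare --dmcrypt` with no separate journal option. Suggested extra line: `# Protects data at rest on removed disks only; keys live in the monitors k/v store, so restrict access to it.` The same comment is added to group_vars/osds.sample.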
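Review bot: With `dmcrypt: true` and `osd_containerized_deployment: true` the new include is skipped and only `./docker/main.yml` runs. Unless the docker tasks handle dmcrypt themselves (not visible in this hunk), an operator who asked for encrypted OSDs gets an unencrypted deployment and no error. A request for encryption should fail loudly rather than be dropped, which a guard task before the includes (or in check_mandatory_vars.yml) would do.

```yaml
# … unchanged: earlier scenario includes …
- name: refuse dmcrypt on a containerized deployment
  fail:
    msg: "dmcrypt is not applied when osd_containerized_deployment is true"
  when:
    - dmcrypt
    - osd_containerized_deployment

- include: ./scenarios/dmcrypt.yml
# … unchanged: when conditions of the include, docker include …
```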
@@ -0,0 +1,37 @@
+---
+## SCENARIO 5: DMCRYPT
+
+- include: ../check_devices.yml
+
+# NOTE (leseb): the prepare process must be parallelized somehow...
+# if you have 64 disks with 4TB each, this will take a while
+# since Ansible will sequential process the loop
+
+# NOTE (alahouze): if the device is a partition, the parted command below has
+# failed, this is why we check if the device is a partition too.
+- name: automatic prepare osd disk(s) without partitions
+ command: ceph-disk prepare --dmcrypt --cluster "{{ cluster }}" "/dev/{{ item.key }}"
+ register: prepared_osds
+ with_dict: ansible_devices
+ when:
+ - ansible_devices is defined
+ - item.value.removable == "0"
+ - item.value.partitions|count == 0
+ - bluestore
+ - osd_auto_discovery
+
+- name: manually prepare osd disk(s)
+ command: ceph-disk prepare --dmcrypt --cluster "{{ cluster }}" "{{ item.2 }}"
+ with_together:
+ - combined_parted_results.results
+ - combined_ispartition_results.results
+ - devices
+ when:
+ - not item.0.get("skipped")
+ - not item.1.get("skipped")
+ - item.0.get("rc", 0) != 0
+ - item.1.get("rc", 0) != 0
+ - bluestore
+ - not osd_auto_discovery
+
+- include: ../activate_osds.yml
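Review bot: Both prepare tasks list `- bluestore` in their `when:` conditions, yet check_mandatory_vars.yml in this same commit fails the play when `dmcrypt and bluestore` are both set. With `dmcrypt: true`, neither `ceph-disk prepare --dmcrypt` command can therefore run, and the play goes straight on to `../activate_osds.yml`. The condition looks carried over from the bluestore scenario; in both tasks it should read `- dmcrypt`. Separately, the header `## SCENARIO 5: DMCRYPT` disagrees with the defaults, which number this the sixth scenario, and the alahouze note refers to a parted command "below" that is not in this file.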