From: Ilya Dryomov
Date: Mon, 21 Nov 2022 19:31:18 +0000 (+0100)
Subject: rbd, rbd-nbd: make --encryption-format optional
X-Git-Tag: v18.1.0~754^2~2
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=a27ee2bdf87ca1419418f3b6c8c00cdf335d7b43;p=ceph.git
rbd, rbd-nbd: make --encryption-format optional
If no --encryption-format specified at all, default to "luks" for each specified --encryption-passphrase-file.
Signed-off-by: Ilya Dryomov
---
diff --git a/doc/rbd/rbd-encryption.rst b/doc/rbd/rbd-encryption.rst
index 20bfb2f288b5..06cd62f071f8 100644
--- a/doc/rbd/rbd-encryption.rst
+++ b/doc/rbd/rbd-encryption.rst
@@ -136,9 +136,11 @@ A batch of such unaligned writes can lead to IO races which will further deteriorate performance. Thus it is advisable to avoid using RBD encryption in cases where incoming writes cannot be guaranteed to be sector-aligned.
-To mount a LUKS-encrypted image run::
+To map a LUKS-formatted image run:
- $ rbd -p {pool-name} device map -t nbd -o encryption-format=luks,encryption-passphrase-file={passphrase-file}
+.. prompt:: bash #
+
+ rbd device map -t nbd -o encryption-passphrase-file={passphrase-file} {image-spec}
Note that for security reasons, both the encryption format and encryption load operations are CPU-intensive, and may take a few seconds to complete. For the
diff --git a/qa/workunits/rbd/luks-encryption.sh b/qa/workunits/rbd/luks-encryption.sh
index 91e8758e2672..b85bb0e546a3 100755
--- a/qa/workunits/rbd/luks-encryption.sh
+++ b/qa/workunits/rbd/luks-encryption.sh
@@ -43,7 +43,7 @@ function test_encryption_format() {
sudo chmod 666 /dev/mapper/cryptsetupdev
# open encryption with librbd
- LIBRBD_DEV=$(_sudo rbd -p rbd map testimg -t nbd -o encryption-format=luks,encryption-passphrase-file=/tmp/passphrase)
+ LIBRBD_DEV=$(_sudo rbd -p rbd map testimg -t nbd -o encryption-passphrase-file=/tmp/passphrase)
sudo chmod 666 $LIBRBD_DEV
# write via librbd && compare
@@ -117,9 +117,10 @@ function test_clone_and_load_with_a_single_passphrase {
if [ "$expectedfail" = "true" ]
then
- expect_false rbd flatten testimg1 --encryption-format luks --encryption-passphrase-file /tmp/passphrase2
+ expect_false rbd flatten testimg1 --encryption-passphrase-file /tmp/passphrase2
+ rbd flatten testimg1 --encryption-passphrase-file /tmp/passphrase2 --encryption-passphrase-file /tmp/passphrase
else
- rbd flatten testimg1 --encryption-format luks --encryption-passphrase-file /tmp/passphrase2
+ rbd flatten testimg1 --encryption-passphrase-file /tmp/passphrase2
fi
rbd remove testimg1
diff --git a/src/test/cli/rbd/help.t b/src/test/cli/rbd/help.t
index c70d76f4cd70..8d8d30273810 100644
--- a/src/test/cli/rbd/help.t
+++ b/src/test/cli/rbd/help.t
@@ -879,6 +879,7 @@
--image arg image name
--no-progress disable progress output
--encryption-format arg encryption format (luks, luks1, luks2)
+ [default: luks]
--encryption-passphrase-file arg path to file containing passphrase for unlocking the image
@@ -2254,6 +2255,7 @@
--allow-shrink permit shrinking
--no-progress disable progress output
--encryption-format arg encryption format (luks, luks1, luks2)
+ [default: luks]
--encryption-passphrase-file arg path to file containing passphrase for unlocking the image
diff --git a/src/tools/rbd/ArgumentTypes.cc b/src/tools/rbd/ArgumentTypes.cc
index 231264e57b2d..17a06c805f7d 100644
--- a/src/tools/rbd/ArgumentTypes.cc
+++ b/src/tools/rbd/ArgumentTypes.cc
@@ -333,7 +333,7 @@ void add_encryption_options(boost::program_options::options_description *opt) {
opt->add_options()
(ENCRYPTION_FORMAT.c_str(),
po::value>(),
- "encryption format (luks, luks1, luks2)");
+ "encryption format (luks, luks1, luks2) [default: luks]");
opt->add_options()
(ENCRYPTION_PASSPHRASE_FILE.c_str(),
diff --git a/src/tools/rbd/Utils.cc b/src/tools/rbd/Utils.cc
index 47203dcba1cc..71da0bd274ac 100644
--- a/src/tools/rbd/Utils.cc
+++ b/src/tools/rbd/Utils.cc
@@ -731,6 +731,9 @@ int get_encryption_options(const boost::program_options::variables_map &vm,
std::vector formats;
if (vm.count(at::ENCRYPTION_FORMAT)) {
formats = vm[at::ENCRYPTION_FORMAT].as();
+ } else if (vm.count(at::ENCRYPTION_PASSPHRASE_FILE)) {
+ formats.resize(passphrase_files.size(),
+ at::EncryptionFormat{RBD_ENCRYPTION_FORMAT_LUKS});
+ }
if (formats.size() != passphrase_files.size()) {
diff --git a/src/tools/rbd_nbd/rbd-nbd.cc b/src/tools/rbd_nbd/rbd-nbd.cc
index cc42491ca081..3130e8bc750e 100644
--- a/src/tools/rbd_nbd/rbd-nbd.cc
+++ b/src/tools/rbd_nbd/rbd-nbd.cc
@@ -153,7 +153,7 @@ static void usage()
<< "Map and attach options:\n"
<< " --device Specify nbd device path (/dev/nbd{num})\n"
<< " --encryption-format luks|luks1|luks2\n"
- << " Image encryption format\n"
+ << " Image encryption format (default: luks)\n"
<< " --encryption-passphrase-file Path of file containing passphrase for unlocking image encryption\n"
<< " --exclusive Forbid writes by other clients\n"
<< " --notrim Turn off trim/discard\n"
@@ -2194,6 +2194,12 @@ static int parse_args(vector& args, std::ostream *err_msg,
}
}
+ if (cfg->encryption_formats.empty() &&
+ !cfg->encryption_passphrase_files.empty()) {
+ cfg->encryption_formats.resize(cfg->encryption_passphrase_files.size(),
+ RBD_ENCRYPTION_FORMAT_LUKS);
+ }
+
if (cfg->encryption_formats.size() != cfg->encryption_passphrase_files.size()) {
*err_msg << "rbd-nbd: Encryption formats count does not match "
<< "passphrase files count";
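Review bot: The new `else if` in the Utils.cc hunk fills in a default only when `--encryption-format` is absent altogether, so one `--encryption-format` next to two `--encryption-passphrase-file` options still fails the `formats.size() != passphrase_files.size()` check on the hunk's last line instead of defaulting the missing entry, and nothing in the `[default: luks]` help text says so; the branch deserves a comment such as `// No --encryption-format given at all: assume luks for every passphrase file. A partially specified list is still a count mismatch below, not a partial default.`. If `luks` is the version-agnostic value (the separate `luks1`/`luks2` choices suggest it is), the default also lets the image's own header decide which LUKS version gets loaded, so operators who must pin LUKS2 should keep passing `--encryption-format luks2` explicitly; that caveat belongs next to the new default in the docs as well. `get_encryption_options` begins before this hunk and its body continues after it.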
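Review bot: The mismatch error at the end of the parse_args hunk now also greets a user who gave a single `--encryption-format` for several `--encryption-passphrase-file`s, because the new block only defaults when `encryption_formats` is empty, yet the message does not say how to get the default; I would extend the second string to `<< "passphrase files count (give one --encryption-format per --encryption-passphrase-file, or none to default to luks)";`. The new block itself would read better with a one-line comment stating that rule, e.g. `// No --encryption-format at all: default every passphrase file to luks.`, mirroring what the `(default: luks)` usage text promises. parse_args starts before this hunk and continues after it.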