From 5978d55d221f435e052514dc328fb701783b2f18 Mon Sep 17 00:00:00 2001
From: =?utf8?q?S=C3=A9bastien=20Han?=
Date: Tue, 19 Jul 2016 17:53:21 +0200
Subject: [PATCH] ceph-osd: add dmcrypt scenario
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

add the ability to encrypt osd data store using dm-crypt

Signed-off-by: Sébastien Han
---
 group_vars/osds.sample | 6 +++
 .../tasks/checks/check_mandatory_vars.yml | 5 +++
 roles/ceph-osd/defaults/main.yml | 6 +++
 roles/ceph-osd/tasks/main.yml | 5 +++
 roles/ceph-osd/tasks/scenarios/dmcrypt.yml | 37 +++++++++++++++++++
 5 files changed, 59 insertions(+)
 create mode 100644 roles/ceph-osd/tasks/scenarios/dmcrypt.yml

diff --git a/group_vars/osds.sample b/group_vars/osds.sample
index 8e817d115..458300e20 100644
--- a/group_vars/osds.sample
+++ b/group_vars/osds.sample
@@ -123,6 +123,12 @@ dummy:
 #bluestore: false
+# VI. Sixth scenario: encrypt osd data and/or journal devices with dm-crypt.
+# Keys are stored into the monitors k/v store
+# Use 'true' to enable this scenario
+#dmcrypt: false
+
+
 ##########
 # DOCKER #
 ##########
diff --git a/roles/ceph-common/tasks/checks/check_mandatory_vars.yml b/roles/ceph-common/tasks/checks/check_mandatory_vars.yml
index 2cf5ba39d..43be97554 100644
--- a/roles/ceph-common/tasks/checks/check_mandatory_vars.yml
+++ b/roles/ceph-common/tasks/checks/check_mandatory_vars.yml
@@ -72,6 +72,7 @@
 - not raw_multi_journal
 - not osd_directory
 - not bluestore
+ - not dmcrypt
 - name: verify only one osd scenario was chosen
 fail:
@@ -85,6 +86,10 @@
 or (raw_multi_journal and osd_directory)
 or (raw_multi_journal and bluestore)
 or (osd_directory and bluestore)
+ or (dmcrypt and journal_collocation)
+ or (dmcrypt and raw_multi_journal)
+ or (dmcrypt and osd_directory)
+ or (dmcrypt and bluestore)
 - name: verify devices have been provided
 fail:
diff --git a/roles/ceph-osd/defaults/main.yml b/roles/ceph-osd/defaults/main.yml
index a86bc1dcd..b53f7e8cf 100644
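Review bot: The four new `or (dmcrypt and ...)` clauses in the "verify only one osd scenario was chosen" check make `dmcrypt` an exclusive layout, yet the comment added in the same commit to group_vars/osds.sample and defaults/main.yml describes it as encrypting "osd data and/or journal devices", which reads like a property an operator would combine with raw_multi_journal or journal_collocation; with this check such a combination now fails hard with no hint why. If exclusivity is intended, say so next to the flag, e.g. `# dmcrypt is a standalone scenario and cannot be combined with the journal or bluestore scenarios above`. The pairwise `or (...)` list also grows quadratically with every scenario; a truthiness count such as `when: [journal_collocation, raw_multi_journal, osd_directory, bluestore, dmcrypt] | select | list | count > 1` states the same rule in one line and needs no edit for the next scenario. Both tasks these `when:` lists belong to start outside the hunks.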
--- a/roles/ceph-osd/defaults/main.yml
+++ b/roles/ceph-osd/defaults/main.yml
@@ -115,6 +115,12 @@ osd_directory: false
 bluestore: false
+# VI. Sixth scenario: encrypt osd data and/or journal devices with dm-crypt.
+# Keys are stored into the monitors k/v store
+# Use 'true' to enable this scenario
+dmcrypt: false
+
+
 ##########
 # DOCKER #
 ##########
diff --git a/roles/ceph-osd/tasks/main.yml b/roles/ceph-osd/tasks/main.yml
index 7dfcf4415..76bc44cdb 100644
--- a/roles/ceph-osd/tasks/main.yml
+++ b/roles/ceph-osd/tasks/main.yml
@@ -22,5 +22,10 @@
 - osd_objectstore == 'bluestore'
 - not osd_containerized_deployment
+- include: ./scenarios/dmcrypt.yml
+ when:
+ - dmcrypt
+ - not osd_containerized_deployment
+
 - include: ./docker/main.yml
 when: osd_containerized_deployment
diff --git a/roles/ceph-osd/tasks/scenarios/dmcrypt.yml b/roles/ceph-osd/tasks/scenarios/dmcrypt.yml
new file mode 100644
index 000000000..835b7e4f5
--- /dev/null
+++ b/roles/ceph-osd/tasks/scenarios/dmcrypt.yml
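Review bot: The comment above `dmcrypt: false` asserts that keys are stored in the monitors' k/v store, but nothing in this change pins that down: the new scenario only runs `ceph-disk prepare --dmcrypt` with no key-directory option, so where the key material ends up is whatever the installed ceph-disk does by default, and older ceph-disk releases, as far as I recall, keep dmcrypt keys in a local directory on the OSD host rather than on the monitors. Since that location decides who can unlock the disk, the comment should state the assumption explicitly, e.g. `# NOTE: key placement depends on the installed ceph-disk; confirm the minimum Ceph release that stores dmcrypt keys in the monitor k/v store before relying on this`. The same three comment lines are duplicated in group_vars/osds.sample and should be changed in step.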
@@ -0,0 +1,37 @@
+---
+## SCENARIO 5: DMCRYPT
+
+- include: ../check_devices.yml
+
+# NOTE (leseb): the prepare process must be parallelized somehow...
+# if you have 64 disks with 4TB each, this will take a while
+# since Ansible will sequential process the loop
+
+# NOTE (alahouze): if the device is a partition, the parted command below has
+# failed, this is why we check if the device is a partition too.
+- name: automatic prepare osd disk(s) without partitions
+ command: ceph-disk prepare --dmcrypt --cluster "{{ cluster }}" "/dev/{{ item.key }}"
+ register: prepared_osds
+ with_dict: ansible_devices
+ when:
+ - ansible_devices is defined
+ - item.value.removable == "0"
+ - item.value.partitions|count == 0
+ - bluestore
+ - osd_auto_discovery
+
+- name: manually prepare osd disk(s)
+ command: ceph-disk prepare --dmcrypt --cluster "{{ cluster }}" "{{ item.2 }}"
+ with_together:
+ - combined_parted_results.results
+ - combined_ispartition_results.results
+ - devices
+ when:
+ - not item.0.get("skipped")
+ - not item.1.get("skipped")
+ - item.0.get("rc", 0) != 0
+ - item.1.get("rc", 0) != 0
+ - bluestore
+ - not osd_auto_discovery
+
+- include: ../activate_osds.yml
-- 
2.39.5
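Review bot: Both prepare tasks carry `- bluestore` in their `when:` list, so they can never run in this scenario: tasks/main.yml includes this file only when `dmcrypt` is true, and check_mandatory_vars.yml now fails the play when `dmcrypt and bluestore` are both set, which leaves `bluestore` always false here, every disk skipped, and `../activate_osds.yml` running with nothing prepared — an operator who turned on encryption ends up with no OSDs and no error pointing at the cause. Replace `- bluestore` with `- dmcrypt` in both tasks, or drop the line since the include already guards it. The same copy-paste origin explains the `## SCENARIO 5: DMCRYPT` header, which contradicts the "VI. Sixth scenario" comment in defaults/main.yml. Note also that `ceph-disk prepare --dmcrypt` is invoked without any journal argument, so journal placement is whatever ceph-disk defaults to; if a separate journal device is meant to be supported, it has to be passed here.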