dmcrypt support / osd disk encryption support
Related PROD ticket:
PROD-15919
Change-Id: I80c84b8bd7df45959d4a6dc1bbc643d0df4720fe
diff --git a/README.rst b/README.rst
index 0f90573..3a0abd2 100644
--- a/README.rst
+++ b/README.rst
@@ -316,6 +316,7 @@
journal: /dev/ssd
class: bestssd
weight: 1.5
+ dmcrypt: true
- dev: /dev/sdl
journal: /dev/ssd
class: bestssd
@@ -328,6 +329,7 @@
block_wal: /dev/ssd
class: ssd
weight: 1.666
+ dmcrypt: true
- dev: /dev/sdd
enabled: false
diff --git a/_grains/ceph.py b/_grains/ceph.py
index a678404..003fcd0 100644
--- a/_grains/ceph.py
+++ b/_grains/ceph.py
@@ -9,9 +9,9 @@
import re
# osd
- mount_path = check_output("df -h | awk '{print $6}' | grep ceph | sed 's/[0-9]*//g' | awk 'NR==1{print $1}'", shell=True).rstrip()
+ mount_path = check_output("df -h | awk '{print $6}' | grep ceph | grep -v lockbox | sed 's/[0-9]*//g' | awk 'NR==1{print $1}'", shell=True).rstrip()
sed = 'sed \'s#{0}##g\''.format(mount_path)
- cmd = "df -h | awk '{print $1,$6}' | grep ceph | " + sed
+ cmd = "lsblk -rp | awk '{print $1,$6,$7}' | grep -v lockbox | grep ceph | " + sed
osd_output = check_output(cmd, shell=True)
grain = {}
grain["ceph"] = {}
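Review bot: The `grep ceph` on L35 now runs against the lsblk NAME, TYPE and MOUNTPOINT columns together, so a device whose name contains `ceph` but has no mountpoint would pass the filter with only two fields and make `device[0] = device[2]` in the next hunk raise IndexError, whereas the old `df` pipeline only matched on the mount column. Restricting the match to the mountpoint column keeps the filter equivalent to the old one, e.g. `cmd = "lsblk -rp | awk '$7 ~ /ceph/ && $7 !~ /lockbox/ {print $1,$6,$7}' | " + sed`. Whether such device names occur on these hosts is not visible here. The enclosing function starts outside the hunk.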
@@ -19,10 +19,21 @@
devices = {}
for line in osd_output.splitlines():
device = line.split()
- dev = device[0].replace('1','')
- device[0] = device[1]
+ encrypted = False
+ if "crypt" in device[1]:
+ output = check_output("lsblk -rp | grep -B1 " + device[0], shell=True)
+ for l in output.splitlines():
+ d = l.split()
+ dev = d[0].replace('1','')
+ encrypted = True
+ break
+ else:
+ dev = device[0].replace('1','')
+ device[0] = device[2]
devices[device[0]] = {}
devices[device[0]]['dev'] = dev
+ if encrypted:
+ devices[device[0]]['dmcrypt'] = 'true'
tline = check_output("ceph osd tree | awk '{print $1,$2,$3,$4}' | grep -w 'osd." + device[0] + "'", shell=True)
osd = tline.split()
if "osd" not in osd[2]:
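Review bot: The parent lookup on L47-L52 concatenates `device[0]` unquoted into a `grep -B1` pattern under `shell=True` and then takes the first output line, which is only the parent when a preceding line exists and the match is unique; if the crypt device is the first lsblk line or its name contains regex metacharacters, `dev` ends up as the mapper path with every `1` stripped. lsblk can report the parent directly, without a shell or pattern matching: `parent = check_output(['lsblk', '-npo', 'PKNAME', device[0]]).splitlines()[0]` followed by `dev = parent.replace('1', '')` and `encrypted = True` replaces the grep and the loop (check that `-p` also applies to PKNAME on the target util-linux version). The `replace('1', '')` carried over on L50 and L54 removes every `1` from the path, which presumably misbehaves for partition numbers above 9 or names such as `/dev/nvme1n1p1`; `re.sub(r'p?\d+$', '', ...)` drops only the trailing partition suffix and `re` is already imported on L29. The enclosing function starts before and continues after this hunk.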
diff --git a/ceph/common.sls b/ceph/common.sls
index 0e4fb1a..8ae0532 100644
--- a/ceph/common.sls
+++ b/ceph/common.sls
@@ -12,22 +12,18 @@
- require:
- pkg: common_packages
-{% for keyring_name, keyring in common.get('keyring', {}).iteritems() %}
+{%- if common.keyring is defined and common.keyring.admin is defined %}
-{%- if keyring_name == 'admin' and keyring.key is undefined %}
-
-ceph_create_keyring_{{ keyring_name }}:
+ceph_create_keyring_admin:
cmd.run:
- - name: "ceph-authtool --create-keyring /etc/ceph/ceph.client.{{ keyring_name }}.keyring --gen-key -n client.{{ keyring_name }} {%- for cap_name, cap in keyring.caps.iteritems() %} --cap {{ cap_name }} '{{ cap }}' {%- endfor %}"
- - unless: "test -f /etc/ceph/ceph.client.{{ keyring_name }}.keyring"
+ - name: "ceph-authtool --create-keyring /etc/ceph/ceph.client.admin.keyring --gen-key -n client.admin {%- for cap_name, cap in common.keyring.admin.caps.iteritems() %} --cap {{ cap_name }} '{{ cap }}' {%- endfor %}"
+ - unless: "test -f /etc/ceph/ceph.client.admin.keyring"
- require:
- pkg: common_packages
- file: common_config
{%- endif %}
-{% endfor %}
-
/etc/ceph/ceph.client.admin.keyring:
file.managed:
- source: salt://ceph/files/keyring
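Review bot: The new guard on L71 drops the `keyring.key is undefined` check that the removed loop had on L72, so a pillar that supplies an explicit admin key still runs `ceph-authtool --gen-key` on L79 whenever the keyring file is absent, creating a keyring with a random key that the `file.managed` on L87 then presumably overwrites. Keeping the original condition avoids generating and briefly installing a key that is never meant to be used: `{%- if common.keyring is defined and common.keyring.admin is defined and common.keyring.admin.key is undefined %}`. Keyrings other than `admin` without a key are no longer generated at all after this change; if that is intended, a short comment above L71 saying so would help the next reader. The state file continues outside the hunk.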
diff --git a/ceph/osd/setup.sls b/ceph/osd/setup.sls
index 79d7e9f..cb772c8 100644
--- a/ceph/osd/setup.sls
+++ b/ceph/osd/setup.sls
@@ -80,25 +80,37 @@
{%- endif %}
+{%- set cmd = [] %}
+{%- if disk.get('dmcrypt', False) %}
+{%- do cmd.append('--dmcrypt') %}
+{%- do cmd.append('--dmcrypt-key-dir ' + disk.get('dmcrypt_key_dir', '/etc/ceph/dmcrypt-keys')) %}
+{%- endif %}
+{%- do cmd.append('--prepare-key /etc/ceph/ceph.client.bootstrap-osd.keyring') %}
+{%- if backend_name == 'bluestore' %}
+{%- do cmd.append('--bluestore') %}
+{%- if disk.block_db is defined %}
+{%- do cmd.append('--block.db ' + disk.block_db) %}
+{%- endif %}
+{%- if disk.block_wal is defined %}
+{%- do cmd.append('--block.wal ' + disk.block_wal) %}
+{%- endif %}
+{%- do cmd.append(dev) %}
+{%- elif backend_name == 'filestore' and ceph_version not in ['kraken', 'jewel'] %}
+{%- do cmd.append('--filestore') %}
+{%- do cmd.append(dev) %}
+{%- if disk.journal is defined %}
+{%- do cmd.append(disk.journal) %}
+{%- endif %}
+{%- elif backend_name == 'filestore' %}
+{%- do cmd.append(dev) %}
+{%- if disk.journal is defined %}
+{%- do cmd.append(disk.journal) %}
+{%- endif %}
+{%- endif %}
+
prepare_disk_{{ dev }}:
cmd.run:
- {%- if backend_name == 'bluestore' and disk.block_db is defined and disk.block_wal is defined %}
- - name: "ceph-disk prepare --bluestore {{ dev }} --block.db {{ disk.block_db }} --block.wal {{ disk.block_wal }}"
- {%- elif backend_name == 'bluestore' and disk.block_db is defined %}
- - name: "ceph-disk prepare --bluestore {{ dev }} --block.db {{ disk.block_db }}"
- {%- elif backend_name == 'bluestore' and disk.block_wal is defined %}
- - name: "ceph-disk prepare --bluestore {{ dev }} --block.wal {{ disk.block_wal }}"
- {%- elif backend_name == 'bluestore' %}
- - name: "ceph-disk prepare --bluestore {{ dev }}"
- {%- elif backend_name == 'filestore' and disk.journal is defined and ceph_version == 'luminous' %}
- - name: "ceph-disk prepare --filestore {{ dev }} {{ disk.journal }}"
- {%- elif backend_name == 'filestore' and ceph_version == 'luminous' %}
- - name: "ceph-disk prepare --filestore {{ dev }}"
- {%- elif backend_name == 'filestore' and disk.journal is defined and ceph_version != 'luminous' %}
- - name: "ceph-disk prepare {{ dev }} {{ disk.journal }}"
- {%- else %}
- - name: "ceph-disk prepare {{ dev }}"
- {%- endif %}
+ - name: "yes | ceph-disk prepare {{ cmd|join(' ') }}"
- unless: "ceph-disk list | grep {{ dev }} | grep ceph"
- require:
- cmd: zap_disk_{{ dev }}
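Review bot: `yes | ceph-disk prepare …` on L143 answers every interactive prompt affirmatively, which silently waives any confirmation ceph-disk or the tools it drives would otherwise ask before writing to `{{ dev }}`; if a specific prompt is being worked around, name it in a comment above the state and prefer that tool's own non-interactive option to a blanket `yes`. The new `dmcrypt_key_dir` pillar key read on L99 is not shown in the README hunk of this commit, which only adds `dmcrypt: true`; the README should document the key, its default `/etc/ceph/dmcrypt-keys`, and that the key material presumably stored there lives on the OSD host itself, so the encryption protects a disk removed from the host rather than a compromised host. The values of `disk.block_db`, `disk.block_wal`, `disk.journal` and `dmcrypt_key_dir` are joined unquoted into the shell string on L143, which is acceptable for trusted pillar but worth a one-line comment.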
@@ -111,7 +123,7 @@
reload_partition_table_{{ dev }}:
cmd.run:
- name: "partprobe"
- - unless: "ceph-disk list | grep {{ dev }} | grep active"
+ - unless: "lsblk -p | grep {{ dev }} -A1 | grep -v lockbox | grep ceph | grep osd"
- require:
- cmd: prepare_disk_{{ dev }}
- cmd: zap_disk_{{ dev }}
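Review bot: The new `unless` on L152 matches `{{ dev }}` as an unanchored substring of the `lsblk -p` output, so with `dev` set to `/dev/sda` it also matches `/dev/sdaa` and its children, and `partprobe` can be skipped for a disk that was never prepared; the same pattern is used on L165 in the next hunk. Anchoring the pattern to the device plus its partition suffix avoids the overlap, e.g. `- unless: "lsblk -p | grep -E '{{ dev }}[0-9]' -A1 | grep -v lockbox | grep ceph | grep osd"`. Whether hosts here have enough disks for the names to overlap is not visible, but the fix is cheap.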
@@ -123,8 +135,12 @@
activate_disk_{{ dev }}:
cmd.run:
+{%- if disk.get('dmcrypt', False) %}
+ - name: "ceph-disk activate --dmcrypt --activate-key /etc/ceph/ceph.client.bootstrap-osd.keyring {{ dev }}1"
+{%- else %}
- name: "ceph-disk activate --activate-key /etc/ceph/ceph.client.bootstrap-osd.keyring {{ dev }}1"
- - unless: "ceph-disk list | grep {{ dev }} | grep active"
+{%- endif %}
+ - unless: "lsblk -p | grep {{ dev }} -A1 | grep -v lockbox | grep ceph | grep osd"
- require:
- cmd: prepare_disk_{{ dev }}
- cmd: zap_disk_{{ dev }}
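Review bot: The dmcrypt activate command on L160 does not pass the key directory that prepare receives via `--dmcrypt-key-dir` on L99, so an OSD prepared with a non-default `dmcrypt_key_dir` would be activated against the default location, assuming `ceph-disk activate` accepts the same option. Passing it consistently: `- name: "ceph-disk activate --dmcrypt --dmcrypt-key-dir {{ disk.get('dmcrypt_key_dir', '/etc/ceph/dmcrypt-keys') }} --activate-key /etc/ceph/ceph.client.bootstrap-osd.keyring {{ dev }}1"`. The hard-coded `{{ dev }}1` partition suffix predates this change but now also applies to the encrypted path.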
diff --git a/tests/pillar/ceph_osd_single.sls b/tests/pillar/ceph_osd_single.sls
index 3c84d53..ce1c36a 100644
--- a/tests/pillar/ceph_osd_single.sls
+++ b/tests/pillar/ceph_osd_single.sls
@@ -42,6 +42,7 @@
fs_type: xfs
class: bestssd
weight: 1.5
+ dmcrypt: true
- dev: /dev/sdo
journal: /dev/sdo
fs_type: xfs