Bug 1329797

Summary: Document manual steps for creating encrypted OSD
Product: Red Hat Ceph Storage Reporter: Vikhyat Umrao <vumrao>
Component: DocumentationAssignee: Bara Ancincova <bancinco>
Status: CLOSED WONTFIX QA Contact: Tejas <tchandra>
Severity: urgent Docs Contact:
Priority: urgent    
Version: 1.3.2CC: adeza, asriram, bancinco, flucifre, hnallurv, kdreyer, khartsoe, ldachary, vumrao
Target Milestone: rc   
Target Release: 1.3.3   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-10-05 14:40:58 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1378090    
Bug Blocks:    

Description Vikhyat Umrao 2016-04-23 07:12:45 UTC 
Description of problem:
Manual encrypted OSD creation same as ceph-deploy osd create --dmcrypt 

 [Ubuntu] ceph-deploy-1.5.27.4-4redhat1 failing to add osd with dmcrypt flag 
https://bugzilla.redhat.com/show_bug.cgi?id=1327628
We are facing this issue and until this bug is not fixed we need as soon as possible manual steps to add encrypted OSD.

As we have steps to add OSD manually but it does not talk about encrypted one :
https://access.redhat.com/documentation/en/red-hat-ceph-storage/version-1.3/administration-guide/#manually_3

Please update this section with steps to create encrypted OSD manually.




Version-Release number of selected component (if applicable):
Red Hat Ceph Storage 1.3.2
Comment 2 Loic Dachary 2016-09-06 10:54:45 UTC 
The general idea is to create a dmcrypt device manually (a reference to the dmcrypt documentation would be useful). Once it is created, it can be used as an argument to ceph-deploy, as if it was a regular disk. That is essentially what the dmcrypt flag does.
Comment 4 Loic Dachary 2016-09-08 14:58:49 UTC 
That sounds good. You may want to check with ceph-deploy developers if there is any roadblocks.
Comment 5 Ken Dreyer (Red Hat) 2016-09-08 16:39:51 UTC 
(In reply to Loic Dachary from comment #4)
> check with ceph-deploy developers

So it's clear to all, "ceph-deploy developers" here would be Alfredo Deza <adeza>
Comment 9 Federico Lucifredi 2016-09-15 10:14:56 UTC 
Just like 1325744 — decrypt OSDs are already supported, this is only a doc bug.

Please complete Dev & QA acks.
Comment 11 Federico Lucifredi 2016-09-15 12:07:49 UTC 
We will address this using Alfredo's solution in #7.
Comment 13 Tejas 2016-09-20 12:54:10 UTC 
Hi Loic,

   The doc about encrption has a lot of steps , most of which are not needed for ceph:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Encryption.html#sec-Using_LUKS_Disk_Encryption

Could you please point out the necessary steps needed to create a encrypted disk?


Bara,

    In the section "encrpted OSD", second part where you mention to create a encrypted disk manually. Could we add the steps to create a encrpted disk here ?
instead of  pointing to the security guide.

Thanks,
Tejas
Comment 16 Vikhyat Umrao 2016-09-21 10:00:48 UTC 
I am not sure buddy , but I think you should try:

# ceph-deploy osd create  magna061:/dev/dm-0 

If still it is not working , please check with Loic.
Comment 17 Tejas 2016-09-21 13:11:29 UTC 
comment 15 seems like a functional issue, which we are tracking through:
https://bugzilla.redhat.com/show_bug.cgi?id=1378090
Comment 18 Federico Lucifredi 2016-09-21 16:22:46 UTC 
Alfredo, looks like there is confusion about how to set up an encrypted volume. Could you provide the steps to Doc for adding to the manuals here?
Comment 19 Alfredo Deza 2016-09-21 17:17:59 UTC 
ceph-deploy usually doesn't create anything directly to support dmcrypt. This is all ceph-disk

Loic, would you be so kind to expand on what you think it is required per your comment #2 ?
Comment 20 Loic Dachary 2016-09-22 14:51:22 UTC 
@Tejas the specifics of how the sysadmin wants to create an encrypted disk is, I think, outside of the scope of the ceph documentation. The --dmcrypt is a helper that creates the encrypted disk. However after it is done ceph does not behave differently: it's a block device which is no different than other block devices.

@Frederico I think the confusion comes from the fact that there seems to be a bug and we're investigating it at https://bugzilla.redhat.com/show_bug.cgi?id=1378090. All this is unrelated to ceph-deploy.
Comment 21 Federico Lucifredi 2016-09-22 17:57:17 UTC 
@loic: I thought you said in 1378090#11 that there are too many issues making this work through ceph-disk... that leaves only the manual steps as our option if I understand you correctly?
Comment 22 Federico Lucifredi 2016-09-22 18:00:08 UTC 
Unless Loic has a better solution, we will document the steps in 1378090#11 as the process to set up an encrypted OSD in Hammer.
Comment 23 Federico Lucifredi 2016-09-22 18:33:19 UTC 
Looks like a better solution was found: https://bugzilla.redhat.com/show_bug.cgi?id=1377639#c16 — let's document these steps instead, it is somewhat shorter.