Bug 1812301

Summary: Generate keyfile instead of passphrase for additional disks
Product: [Red Hat Storage] Red Hat Gluster Storage Reporter: SATHEESARAN <sasundar>
Component: gluster-ansible Assignee: Gobinda Das <godas>
Status: CLOSED ERRATA QA Contact: SATHEESARAN <sasundar>
Severity: high Docs Contact:
Priority: unspecified    
Version: rhgs-3.5 CC: godas, pprakash, rhs-bugs, sabose, sasundar
Target Milestone: --- Keywords: ZStream
Target Release: RHGS 3.5.z Batch Update 2   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: gluster-ansible-infra-1.0.4-6.el8rhgs Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: 1812300 Environment:
rhhiv, rhel8
Last Closed: 2020-06-16 05:57:29 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1812300    

Description SATHEESARAN 2020-03-11 00:57:34 UTC
Description of problem:
-----------------------
A user-input passphrase may be weak and may not fit into the password quality check.
Instead of asking for a passphrase from users, it would be good to generate a random-content key-file and use it to encrypt the additional disks.

Max supported key size in cryptsetup is 8192K, so generate a key file of that size and use it for encryption.

The following command generates the key for a disk, for example sdb:
dd bs=1024 count=8192 if=/dev/urandom of=/root/sdb_key iflag=fullblock

Also set proper perms on this file:
# chmod 0400 /root/sdb_key

Version-Release number of selected component (if applicable):
-------------------------------------------------------------
gluster-ansible-infra-1.0.4-5.el8rhgs.noarch.rpm 

How reproducible:
-----------------
Always

Steps to Reproduce:
-------------------
1. Run the playbook to set up NBDE
2. Input weak password for additional disks as 'test'

Actual results:
---------------
No keyfile is used, but the weak password is used.

Expected results:
-----------------
User may be expected to key in a weak password.
It is preferable to generate a new keyfile of size 8192K and set proper permissions on that key file.
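
The keyfile steps requested above, as an added example that is not part of the bug report and is not gluster-ansible code: it creates the 8192K keyfile so that it is never group- or world-readable, refuses to overwrite an existing key, and checks the result. The function names `make_keyfile` and `check_keyfile` are hypothetical, and GNU coreutils is assumed.

```shell
#!/bin/sh
# Added example, not gluster-ansible code. Function names are hypothetical.
# Assumes GNU coreutils (dd iflag=fullblock, stat -c, mktemp).
KEY_KIB=8192   # keyfile size from the report: 8192K

# make_keyfile PATH: write KEY_KIB KiB of random data to PATH, mode 0400.
make_keyfile() {
    keyfile=$1
    # Never overwrite: a fresh random file would not match a key that is
    # already enrolled in a LUKS slot, so the disk could not be unlocked.
    if [ -e "$keyfile" ]; then
        echo "refusing to overwrite $keyfile" >&2
        return 1
    fi
    (
        umask 077   # with mktemp, the file is 0600 from the moment it exists
        tmp=$(mktemp "$keyfile.XXXXXX") || exit 1
        trap 'rm -f "$tmp"' EXIT
        dd bs=1024 count="$KEY_KIB" if=/dev/urandom of="$tmp" \
            iflag=fullblock status=none || exit 1
        chmod 0400 "$tmp" || exit 1
        mv "$tmp" "$keyfile"   # rename, so a partial key is never visible
    )
}

# check_keyfile PATH: succeed only if size, mode and owner are as expected.
check_keyfile() {
    keyfile=$1
    want=$((KEY_KIB * 1024))
    size=$(stat -c %s "$keyfile") || return 1
    mode=$(stat -c %a "$keyfile") || return 1
    owner=$(stat -c %u "$keyfile") || return 1
    [ "$size" -eq "$want" ] || { echo "$keyfile: size $size, want $want" >&2; return 1; }
    [ "$mode" = "400" ] || { echo "$keyfile: mode $mode, want 400" >&2; return 1; }
    [ "$owner" = "$(id -u)" ] || { echo "$keyfile: owner uid $owner" >&2; return 1; }
}
```

`check_keyfile` can be run again on each host after deployment to confirm the key still has the expected size, mode and owner.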

Comment 3 SATHEESARAN 2020-03-21 09:59:03 UTC
Verified with gluster-ansible-infra-1.0.4-6.el8rhgs

1. Initially, the passphrase keyfile is generated under /root/sdx_key
2. Later, /etc/sdx_keyfile is generated randomly
3. The passphrase-based keyfile is removed
4. /etc/sdx_keyfile is used for unlocking the additional disks

Comment 7 errata-xmlrpc 2020-06-16 05:57:29 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2020:2575