Bug 2062794

Summary: [RFE] RBD Encryption support does not support clones [5.3]
Product: [Red Hat Storage] Red Hat Ceph Storage Reporter: Stephen Blinick <stephen.blinick>
Component: RBDAssignee: Ilya Dryomov <idryomov>
Status: CLOSED ERRATA QA Contact: Preethi <pnataraj>
Severity: high Docs Contact: Akash Raj <akraj>
Priority: unspecified    
Version: 5.1CC: akraj, bniver, ceph-eng-bugs, idryomov, mmuench, mmurthy, sostapov, stephen.blinick, tserlin, vashastr, vereddy, vumrao
Target Milestone: ---Keywords: FutureFeature
Target Release: 5.3   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ceph-16.2.10-83.el8cp Doc Type: Enhancement
Doc Text:
.Layered client-side encryption is now supported With this release, cloned images can be encrypted, each with its own encryption format and passphrase, potentially different from that of the parent image. The efficient copy-on-write semantics used for unformatted regular cloned images are retained.
 Story Points: ---
Clone Of:
: 2152600 (view as bug list) Environment:
Last Closed: 2023-01-11 17:39:05 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2126049    

Description Stephen Blinick 2022-03-10 15:42:24 UTC 
Description of problem:
RBD Encryption, a feature available in RHCS 5.0, is unable to handle the case where an RBD is created as a clone of a snapshot, where the same encryption key (or no encryption) isn't used for the underlying RBD. 

There is code available now in the form of a PR to address this. 

This PR: https://github.com/ceph/ceph/pull/40363 is required for functionality in 5.1 to use encryption with cloned RBD's.

Version-Release number of selected component (if applicable):
RHCS 5.0

How reproducible:
Always

Steps to Reproduce:
1. Create RBD1, unencrypted, snapshot the RBD & write protect
2. Create an RBD2 that is a clone RBD1's snapshot, using RBD encryption
3. Read blocks in RBD2 that are served from the underlying snapshot

Actual results:
Data from RBD1 is run through crypto engine, resulting in invalid data

Expected results:
Blocks that aren't present in RBD2 do not use the encryption for RBD2, and are returned intact

Additional info:
Comment 1 Preethi 2022-04-18 05:11:14 UTC 
Hi IIya,

As we have entered Code freeze/blockers only stage for 5.1z1, can you please let us know when QE can expect this BZ to be ON_QA ?

Regards,
Preethi
Comment 3 Scott Ostapovicz 2022-04-20 14:36:18 UTC 
Ok lets move this one out of 5.1 z1 then.
Comment 4 Scott Ostapovicz 2022-04-27 15:24:40 UTC 
Moving it back to 5.1 z1 - this will be an exception
Comment 5 Preethi 2022-05-04 02:28:36 UTC 
Any update on this BZ. When can we expect to be ON_QA. We are close to Test phase completion. We need it by 6th for QE to verify this part of 5.1Z1 release.
Comment 10 Preethi 2022-06-01 04:54:34 UTC 
Any update on this BZ. When can we expect to be ON_QA.
Comment 11 Scott Ostapovicz 2022-07-13 13:21:39 UTC 
Lets keep it in 5.2 for tracking purposes.
Comment 12 Scott Ostapovicz 2022-08-30 18:17:20 UTC 
Tis did not make the code complete cutoff date, so moving to 5.3 z1.
Comment 26 Preethi 2023-01-09 12:40:48 UTC 
The feature is working as expected. We have performed the below steps to verify the BZ 

1)Create RBD image1 
2)Apply encryption format LUKS1/LUKS2 to the RBD image1 [root@magna021 ubuntu]# rbd encryption format mypool/myimage6 luks2 passphrase.bin

3)load encryption

4) create file system and mount the device 
5)Run IOs

6) Create a clone  i.e RBD image2, from the snapshot of RBD image1 

7) Encrypt the image with LUKS2 and different passphrase

9) load the encryption and mount the device 

10) Verify the data 

11) Perform RBD flatten to the images loading encryption keys for parent and child images

Expected result- Data is intact, we are able to read the data which was present in RBD1 before snpashot was performed

We have verifed theabove steps for the following scenarios-
Have a non-formatted parent, LUKS1-formatted clone
non-formatted parent, LUKS2-formatted clone
LUKS1-formatted parent, non-formatted clone
LUKS1-formatted parent, LUKS1-formatted clone (different passphrase)
LUKS1-formatted parent, LUKS2-formatted clone
LUKS2-formatted parent, non-formatted clone (format and passphrase inherited from the parent)
LUKS2-formatted parent, LUKS1-formatted clone
LUKS2-formatted parent, LUKS2-formatted clone (different passphrase)
Resize,shrink operations, flatten operations to the encrypted images
negative tests/usaeblility scnearios around this area
Comment 29 errata-xmlrpc 2023-01-11 17:39:05 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: Red Hat Ceph Storage 5.3 security update and Bug Fix), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:0076