Bug 2062794
Summary: | [RFE] RBD Encryption support does not support clones [5.3] | |||
---|---|---|---|---|
Product: | [Red Hat Storage] Red Hat Ceph Storage | Reporter: | Stephen Blinick <stephen.blinick> | |
Component: | RBD | Assignee: | Ilya Dryomov <idryomov> | |
Status: | CLOSED ERRATA | QA Contact: | Preethi <pnataraj> | |
Severity: | high | Docs Contact: | Akash Raj <akraj> | |
Priority: | unspecified | |||
Version: | 5.1 | CC: | akraj, bniver, ceph-eng-bugs, idryomov, mmuench, mmurthy, sostapov, stephen.blinick, tserlin, vashastr, vereddy, vumrao | |
Target Milestone: | --- | Keywords: | FutureFeature | |
Target Release: | 5.3 | |||
Hardware: | Unspecified | |||
OS: | Unspecified | |||
Fixed In Version: | ceph-16.2.10-83.el8cp | Doc Type: | Enhancement | |
Doc Text: |
.Layered client-side encryption is now supported
With this release, cloned images can be encrypted, each with its own encryption format and passphrase, potentially different from that of the parent image.
The efficient copy-on-write semantics used for unformatted regular cloned images are retained.
|
: | 2152600 | Environment: | |
Last Closed: | 2023-01-11 17:39:05 UTC | Type: | Bug | |
Bug Blocks: | 2126049 |
Description
Stephen Blinick
2022-03-10 15:42:24 UTC
Hi Ilya,

As we have entered the code freeze/blockers-only stage for 5.1z1, can you please let us know when QE can expect this BZ to be ON_QA?

Regards,
Preethi

OK, let's move this one out of 5.1 z1 then.

Moving it back to 5.1 z1 - this will be an exception.

Any update on this BZ? When can we expect it to be ON_QA? We are close to Test phase completion. We need it by the 6th for QE to verify this part of the 5.1Z1 release.

Any update on this BZ? When can we expect it to be ON_QA?

Let's keep it in 5.2 for tracking purposes.

This did not make the code complete cutoff date, so moving to 5.3 z1.

The feature is working as expected. We have performed the below steps to verify the BZ:

1) Create RBD image1
2) Apply encryption format LUKS1/LUKS2 to the RBD image1
    [root@magna021 ubuntu]# rbd encryption format mypool/myimage6 luks2 passphrase.bin
3) Load encryption
4) Create file system and mount the device
5) Run IOs
6) Create a clone, i.e. RBD image2, from the snapshot of RBD image1
7) Encrypt the image with LUKS2 and different passphrase
9) Load the encryption and mount the device
10) Verify the data
11) Perform RBD flatten to the images loading encryption keys for parent and child images

Expected result - Data is intact; we are able to read the data which was present in RBD1 before the snapshot was performed.

We have verified the above steps for the following scenarios:

- Have a non-formatted parent, LUKS1-formatted clone
- non-formatted parent, LUKS2-formatted clone
- LUKS1-formatted parent, non-formatted clone
- LUKS1-formatted parent, LUKS1-formatted clone (different passphrase)
- LUKS1-formatted parent, LUKS2-formatted clone
- LUKS2-formatted parent, non-formatted clone (format and passphrase inherited from the parent)
- LUKS2-formatted parent, LUKS1-formatted clone
- LUKS2-formatted parent, LUKS2-formatted clone (different passphrase)
- Resize, shrink operations, flatten operations to the encrypted images
- Negative tests/usability scenarios around this area

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: Red Hat Ceph Storage 5.3 security update and Bug Fix), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:0076