Bug 2152600

Summary: [RFE] RBD Encryption support does not support clones [6.0]
Product: [Red Hat Storage] Red Hat Ceph Storage
Reporter: Ilya Dryomov <idryomov>
Component: RBD
Assignee: Ilya Dryomov <idryomov>
Status: CLOSED ERRATA
QA Contact: Preethi <pnataraj>
Severity: high
Docs Contact: Eliska <ekristov>
Priority: unspecified
Version: 6.0
CC: bniver, ceph-eng-bugs, cephqe-warriors, ekristov, idryomov, mmuench, mmurthy, pnataraj, sostapov, stephen.blinick, vashastr, vereddy, vumrao
Target Milestone: ---
Keywords: FutureFeature
Target Release: 6.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: ceph-17.2.5-18.el9cp
Doc Type: Enhancement
Doc Text:
.Layered client-side encryption is now supported
With this release, cloned images can be encrypted, each with its own encryption format and passphrase, potentially different from that of the parent image. The efficient copy-on-write semantics used for unformatted regular cloned images are retained.
Story Points: ---
Clone Of: 2062794
Environment:
Last Closed: 2023-03-20 18:59:40 UTC
Type: ---
Bug Blocks: 2126050    

Comment 17 Preethi 2023-01-18 18:13:30 UTC
The feature is working as expected. 

Test steps followed

1) Create RBD image1

2) Apply encryption format LUKS1/LUKS2 to the RBD image1
   [root@magna021 ubuntu]# rbd encryption format mypool/myimage6 luks2 passphrase.bin

3) Load encryption

4) Create file system and mount the device

5) Run IOs

6) Create a clone, i.e. RBD image2, from the snapshot of RBD image1

7) Encrypt the image with LUKS2 and different passphrase

9) Load the encryption and mount the device

10) Verify the data

11) Perform RBD flatten to the images loading encryption keys for parent and child images

Expected result - Data is intact, we are able to read the data which was present in RBD1 before snapshot was performed

We have verified the above steps for the following scenarios performed to qualify the BZ for 6.0 -
Have a non-formatted parent, LUKS1-formatted clone
non-formatted parent, LUKS2-formatted clone
LUKS1-formatted parent, non-formatted clone
LUKS1-formatted parent, LUKS1-formatted clone (different passphrase)
LUKS1-formatted parent, LUKS2-formatted clone
LUKS2-formatted parent, non-formatted clone (format and passphrase inherited from the parent)
LUKS2-formatted parent, LUKS1-formatted clone
LUKS2-formatted parent, LUKS2-formatted clone (different passphrase)
Resize, shrink operations, flatten operations to the encrypted images
negative tests/usability scenarios around this area
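
Steps 6 to 11 of the test procedure above, for the case of a LUKS-formatted parent and a LUKS-formatted clone with a different passphrase, written out as an added example; it is not from the bug report or the tester's own scripts. Image names, passphrase files, the snapshot name "base" and the mount point are placeholders, and a sha256sum manifest stands in for "Verify the data".

```bash
#!/usr/bin/env bash
# Added example, not from the bug report. Image names, key files, the
# snapshot name "base" and the mount point are constructed placeholders.
# DRY_RUN=1 prints each command to stderr instead of running it.

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*" >&2; else "$@"; fi
}

# -o value for "rbd device map": one encryption-passphrase-file entry per
# formatted image in the chain, clone first, then its parent.
map_opts() {
    local opts="" f
    for f in "$@"; do opts="${opts:+$opts,}encryption-passphrase-file=$f"; done
    printf '%s\n' "$opts"
}

# verify_layered PARENT CLONE CLONE_FMT PARENT_KEY CLONE_KEY MANIFEST MNT
# PARENT is already formatted with PARENT_KEY and holds the test data.
# MANIFEST is sha256sum output taken on the parent's files before the
# snapshot, with paths as they appear under MNT (assumption of this sketch).
verify_layered() {
    local parent="$1" clone="$2" fmt="$3" pkey="$4" ckey="$5"
    local manifest="$6" mnt="$7" dev rc=0
    run rbd snap create "$parent@base" &&
    run rbd snap protect "$parent@base" &&
    run rbd clone "$parent@base" "$clone" &&
    # The clone gets its own LUKS header and its own passphrase.
    run rbd encryption format "$clone" "$fmt" "$ckey" || return 1
    dev=$(run rbd device map -t nbd \
        -o "$(map_opts "$ckey" "$pkey")" "$clone") || return 1
    dev=${dev:-/dev/nbdX}   # placeholder shown in dry-run output
    run mount "$dev" "$mnt" || return 1
    # Data written to the parent before the snapshot must read back intact.
    run sha256sum --quiet -c "$manifest" || rc=$?
    run umount "$mnt"
    run rbd device unmap -t nbd "$dev"
    [ "$rc" -eq 0 ] || return "$rc"
    # Step 11: flatten with both keys supplied, clone first.
    run rbd flatten --encryption-passphrase-file "$ckey" \
        --encryption-passphrase-file "$pkey" "$clone"
}
```

Calling it with `DRY_RUN=1` first shows the exact command sequence, including the order of the two passphrase files, before anything touches the cluster.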

Comment 18 errata-xmlrpc 2023-03-20 18:59:40 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Red Hat Ceph Storage 6.0 Bug Fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:1360