Bug 2362689

Summary: [CephFS - FScrypt] Subvolume snapshot directory contents are not accessible in encrypt unlocked mode
Product: [Red Hat Storage] Red Hat Ceph Storage Reporter: sumr
Component: CephFSAssignee: Christopher Hoffman <choffman>
Status: CLOSED DUPLICATE QA Contact: sumr
Severity: high Docs Contact:
Priority: unspecified    
Version: 8.1CC: ceph-eng-bugs, cephqe-warriors, choffman, gfarnum, ngangadh
Target Milestone: ---Flags: choffman: needinfo+
Target Release: 8.1   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2025-05-13 15:46:53 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description sumr 2025-04-28 11:43:18 UTC 
Description of problem:
Subvolume snapshot contents are not viewable from test directory with encrypt enabled but in unlocked mode.

[root@ceph-sumar-fscrypt-az0v8f-node6 testdir2]# ls -al .snap
ls: cannot access '.snap/???': No such file or directory
total 1
drwx------. 2 root root     0 Jan  1  1970  .
drwx------. 2 root root 32768 Apr 28 10:53  ..
d?????????? ? ?    ?        ?            ? '???'
[root@ceph-sumar-fscrypt-az0v8f-node6 testdir2]# fscrypt status ../testdir2
"../testdir2" is encrypted with fscrypt.

Policy:   43399fee26967bc347421fa2839ccf7b
Options:  padding:32 contents:AES_256_XTS filenames:AES_256_CTS policy_version:2
Unlocked: Yes

Protected with 1 protector:
PROTECTOR         LINKED  DESCRIPTION
3e429880957ffb16  No      custom protector "cephfs1"

It is viewable in regular non-encrypt directory,

[root@ceph-sumar-fscrypt-az0v8f-node6 fuse_sv4]# mkdir tempdir
[root@ceph-sumar-fscrypt-az0v8f-node6 fuse_sv4]# cd tempdir
[root@ceph-sumar-fscrypt-az0v8f-node6 tempdir]# ls -al .snap
total 1
drwxr-xr-x. 2 root root 0 Apr 28 11:22 .
drwxr-xr-x. 2 root root 0 Apr 28 11:26 ..
[root@ceph-sumar-fscrypt-az0v8f-node6 tempdir]# ls -al .snap/
total 1
drwxr-xr-x. 2 root root 0 Apr 28 11:22 .
drwxr-xr-x. 2 root root 0 Apr 28 11:26 ..
[root@ceph-sumar-fscrypt-az0v8f-node6 tempdir]# ls -al .snap/
total 2
drwxr-xr-x. 2 root root 0 Apr 28 11:22 .
drwxr-xr-x. 2 root root 0 Apr 28 11:26 ..
drwxr-xr-x. 2 root root 0 Apr 28 11:26 _snap2_1099511637819

Version-Release number of selected component (if applicable): 19.2.1-161.el9cp


How reproducible:


Steps to Reproduce:
1.Create testdir in Ceph-Fuse mount of subvolume and encrypt it
2. In unlocked mode, add contents and take subvolume snapshot
3. Try viewing the snapshot contents from testdir encrypted but unlocked.

Actual results: Snapshot contents not viewable in encrypted directory in unlocked mode.


Expected results: Snapshot contents to be viewable in unlocked mode.


Additional info:

Snapshot name or directory is viewable and is not encrypted when viewed in locked mode, but file name within directory is encrypted.

Is it allowed to view snapshot directory name as is in locked mode?

[root@ceph-sumar-fscrypt-az0v8f-node6 fuse_sv4]# ls -al testdir4
total 34
drwx------. 2 root root      36864 Apr 28 11:38 .
drwxr-xr-x. 8 root root 1138863490 Apr 28 11:37 ..
-rw-------. 1 root root      33087 Apr 28 11:38 nb6LMEUJiDfVdGFmnLhd1YesK1JW9t7n6ffA3aQu,4s
[root@ceph-sumar-fscrypt-az0v8f-node6 fuse_sv4]# ls -al testdir4/.snap
total 2
drwx------. 2 root root     0 Apr 28 11:39 .
drwx------. 2 root root 36864 Apr 28 11:38 ..
drwx------. 2 root root 36864 Apr 28 11:38 _snap3_1099511637819
[root@ceph-sumar-fscrypt-az0v8f-node6 fuse_sv4]# ls -al testdir4/.snap/_snap3_1099511637819/
total 34
drwx------. 2 root root 36864 Apr 28 11:38 .
drwx------. 2 root root     0 Apr 28 11:39 ..
-rw-------. 1 root root 33087 Apr 28 11:38 nb6LMEUJiDfVdGFmnLhd1YesK1JW9t7n6ffA3aQu,4s