Description of problem: Manual encrypted OSD creation, same as ceph-deploy osd create --dmcrypt.
"[Ubuntu] ceph-deploy-1.5.27.4-4redhat1 failing to add osd with dmcrypt flag": https://bugzilla.redhat.com/show_bug.cgi?id=1327628 We are facing this issue, and until this bug is fixed we need, as soon as possible, manual steps to add an encrypted OSD. We have steps to add an OSD manually, but they do not talk about an encrypted one: https://access.redhat.com/documentation/en/red-hat-ceph-storage/version-1.3/administration-guide/#manually_3 Please update this section with steps to create an encrypted OSD manually.
Version-Release number of selected component (if applicable): Red Hat Ceph Storage 1.3.2
The general idea is to create a dmcrypt device manually (a reference to the dmcrypt documentation would be useful). Once it is created, it can be used as an argument to ceph-deploy, as if it was a regular disk. That is essentially what the dmcrypt flag does.
That sounds good. You may want to check with ceph-deploy developers if there are any roadblocks.
(In reply to Loic Dachary from comment #4)
> check with ceph-deploy developers
So it's clear to all, "ceph-deploy developers" here would be Alfredo Deza <adeza>
Just like 1325744 — decrypt OSDs are already supported, this is only a doc bug. Please complete Dev & QA acks.
We will address this using Alfredo's solution in #7.
Hi Loic, The doc about encryption has a lot of steps, most of which are not needed for ceph: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Encryption.html#sec-Using_LUKS_Disk_Encryption Could you please point out the necessary steps needed to create an encrypted disk? Bara, in the section "encrypted OSD", second part, where you mention creating an encrypted disk manually: could we add the steps to create an encrypted disk here, instead of pointing to the security guide? Thanks, Tejas
I am not sure, buddy, but I think you should try:
# ceph-deploy osd create magna061:/dev/dm-0
If it is still not working, please check with Loic.
Comment 15 seems like a functional issue, which we are tracking through: https://bugzilla.redhat.com/show_bug.cgi?id=1378090
Alfredo, looks like there is confusion about how to set up an encrypted volume. Could you provide the steps to Doc for adding to the manuals here?
ceph-deploy usually doesn't create anything directly to support dmcrypt. This is all ceph-disk. Loic, would you be so kind as to expand on what you think is required per your comment #2?
@Tejas the specifics of how the sysadmin wants to create an encrypted disk are, I think, outside of the scope of the ceph documentation. The --dmcrypt flag is a helper that creates the encrypted disk. However, after it is done ceph does not behave differently: it's a block device which is no different from other block devices. @Frederico I think the confusion comes from the fact that there seems to be a bug and we're investigating it at https://bugzilla.redhat.com/show_bug.cgi?id=1378090. All this is unrelated to ceph-deploy.
@loic: I thought you said in 1378090#11 that there are too many issues making this work through ceph-disk... that leaves only the manual steps as our option if I understand you correctly?
Unless Loic has a better solution, we will document the steps in 1378090#11 as the process to set up an encrypted OSD in Hammer.
Looks like a better solution was found: https://bugzilla.redhat.com/show_bug.cgi?id=1377639#c16 — let's document these steps instead, it is somewhat shorter.