Bug 1978286 - [TestOnly] Verify deployment of Ceph on-wire encryption (msgr2 protocol) with director - Full Support
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: ceph
Version: 16.2 (Train)
Hardware: Unspecified
OS: Unspecified
high
medium
Target Milestone: z2
: 16.2 (Train on RHEL 8.4)
Assignee: Giulio Fidente
QA Contact: Yogev Rabl
URL:
Whiteboard:
Depends On: 1814033 1855678
Blocks:
Reported: 2021-07-01 13:13 UTC by Gregory Charot
Modified: 2022-06-07 09:34 UTC

Fixed In Version:
Doc Type: Release Note
Doc Text:
Starting with Red Hat Ceph Storage 4, you can enable encryption for all traffic generated by the Ceph daemons over the network.

The secure mode setting for messenger v2 encrypts the communication between Ceph daemons and Ceph clients, effecting an end-to-end encryption.

A new tripleo-heat-templates parameter can enable the on-wire encryption between daemons and clients. To configure Ceph to enable the on-wire encryption between daemons and clients, add the following lines to the overcloud deployment environment files:

----
parameter_defaults:
  CephMsgrSecureMode: true
----
Clone Of: 1814033
Environment:
Last Closed: 2022-06-07 09:34:31 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker OSP-5710 0 None None None 2022-01-03 15:57:37 UTC
Red Hat Issue Tracker RHOSPDOC-771 0 None None None 2021-09-30 17:43:38 UTC

Description Gregory Charot 2021-07-01 13:13:04 UTC
This bug aims to promote OSP + Ceph on-wire encryption from TP to GA

+++ This bug was initially created as a clone of Bug #1814033 +++

Ceph on-wire encryption via the msgr2 protocol as deployed by director needs to be verified by the Ceph Squad within the Storage DFG.

More details on how to implement the deployment are captured in BZ1810315.

This is a TestOnly BZ.

--- Additional comment from RHEL Program Management on 2020-03-19 08:07:09 CET ---

This item has been properly Triaged and planned for the release, and Target Release is now set to match the release flag. For details, see https://mojo.redhat.com/docs/DOC-1144661#jive_content_id_OSP_Release_Planning

--- Additional comment from Giulio Fidente on 2020-03-19 08:08:49 CET ---

Yogev, if we're unable to test this for 16.0.2 let's change release flag and target milestone appropriately

--- Additional comment from RHEL Program Management on 2020-03-20 16:21:42 CET ---

This item has been properly Triaged and planned for the release, and Target Release is now set to match the release flag. For details, see https://mojo.redhat.com/docs/DOC-1195410

--- Additional comment from Scott Lewis on 2020-03-23 21:28:05 CET ---

This item has been properly Triaged and planned for the appropriate release, and is being tagged for tracking.

--- Additional comment from Chuck Copello on 2020-03-26 18:42:07 CET ---

Hi John, should Target Milestone be Beta or earlier for 16.1?

--- Additional comment from Gregory Charot on 2020-03-26 18:49:07 CET ---

We don't have the capacity to test this for 16.1GA so targeting 16.1.1 (hence the z1 TM)

--- Additional comment from Scott Lewis on 2020-03-30 17:30:15 CEST ---

This item has had a change in release flag, and has been removed from tracking for the GA.

--- Additional comment from Ben England on 2020-06-10 20:35:11 CEST ---

Has anyone succeeded in turning on Ceph encryption and verifying that it is being used? I'm trying to use it in this build:

http://download.eng.bos.redhat.com/rhel-8/composes/auto/ceph-4.1-rhel-8/RHCEPH-4.1-RHEL-8-20200603.ci.1/

which installs RPMs with version 
with this documentation:

https://access.redhat.com/documentation/en-us/red_hat_ceph_storage/4/html/data_security_and_hardening_guide/assembly-encryption-and-key-management#enabling-the-messenger-v2-protocol_sec

The installation procedure is described here:

https://docs.google.com/document/d/1iSL5PPXVn_6aDBcKGjvHVp5w0o3E9ztmSEDAQAisYEI/edit#heading=h.fwqv6d8xumgp
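
One way to check the configuration side of the deployment described in the Doc Text, as an added example that is not part of this bug report or of director: it audits a ceph.conf for the messenger v2 connection-mode options. It assumes CephMsgrSecureMode ends up as `ms_cluster_mode`, `ms_service_mode` and `ms_client_mode` in `[global]`, which the page does not state; both sample files are constructed.

```python
import configparser

# Assumption: these are the options the deployment sets (not listed on the page).
MODE_OPTIONS = ("ms_cluster_mode", "ms_service_mode", "ms_client_mode")

# Constructed samples, not taken from a real deployment.
SAMPLE_SECURE = """[global]
fsid = 00000000-0000-0000-0000-000000000000
ms_cluster_mode = secure
ms service mode = secure
ms_client_mode = secure
"""

SAMPLE_MIXED = """[global]
ms_service_mode = secure crc
ms_client_mode = crc
"""


def _normalize(key):
    # ceph.conf accepts option names written with spaces or underscores.
    return "_".join(key.lower().replace("_", " ").split())


def audit_msgr_modes(conf_text):
    """Return {option: verdict} for the [global] section of a ceph.conf."""
    parser = configparser.ConfigParser(
        strict=False, interpolation=None, delimiters=("=",))
    parser.optionxform = _normalize
    parser.read_string(conf_text)
    settings = dict(parser["global"]) if parser.has_section("global") else {}
    report = {}
    for opt in MODE_OPTIONS:
        modes = settings.get(opt, "").replace(",", " ").split()
        if opt not in settings:
            report[opt] = "unset"          # built-in default applies
        elif modes == ["secure"]:
            report[opt] = "secure-only"    # encryption is the only mode offered
        elif "secure" in modes:
            report[opt] = "crc-fallback"   # unencrypted crc mode is still allowed
        else:
            report[opt] = "not-encrypted"
    return report


def is_secure_only(conf_text):
    """True only when every audited option permits nothing but secure mode."""
    return all(v == "secure-only" for v in audit_msgr_modes(conf_text).values())
```

This checks the configuration on disk only; it does not prove which mode a given connection actually negotiated.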

--- Additional comment from Gregory Charot on 2020-06-11 18:26:02 CEST ---

We are planning to test this after 16.1GA as a testonly to ensure this does not break any OSP service integration. We target this for fall or so this year.

Thanks for your test/doc Ben, any concern / issue you would like to share?

--- Additional comment from Chuck Copello on 2020-06-16 14:45:17 CEST ---

Adding Andy to the CC: list and removing myself.

--- Additional comment from Chuck Copello on 2020-06-16 14:49:12 CEST ---

Adding Andy to the CC: list and removing myself.

--- Additional comment from Gregory Charot on 2020-06-25 14:25:32 CEST ---

Moving to z2 as z1 will be blockers only

--- Additional comment from Gregory Charot on 2020-10-21 11:55:03 CEST ---

moving to tech preview as per discussion with the Ceph team

--- Additional comment from Yogev Rabl on 2020-11-18 18:14:09 CET ---

Verified

