Bug 2152600 - [RFE] RBD Encryption support does not support clones [6.0]
Summary: [RFE] RBD Encryption support does not support clones [6.0]
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Ceph Storage
Classification: Red Hat Storage
Component: RBD
Version: 6.0
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: ---
: 6.0
Assignee: Ilya Dryomov
QA Contact: Preethi
Eliska
URL:
Whiteboard:
Depends On:
Blocks: 2126050
Reported: 2022-12-12 12:27 UTC by Ilya Dryomov
Modified: 2023-03-20 19:00 UTC (History)

Fixed In Version: ceph-17.2.5-18.el9cp
Doc Type: Enhancement
Doc Text:
.Layered client-side encryption is now supported
With this release, cloned images can be encrypted, each with its own encryption format and passphrase, potentially different from that of the parent image. The efficient copy-on-write semantics used for unformatted regular cloned images are retained.
Clone Of: 2062794
Environment:
Last Closed: 2023-03-20 18:59:40 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Github ceph ceph pull 40363 0 None Merged librbd: add encryption format support for clones (part 1/2) 2022-12-12 14:24:56 UTC
Github ceph ceph pull 48618 0 None Merged librbd: add encryption format support for clones (part 2/2) 2022-12-12 14:24:56 UTC
Red Hat Issue Tracker RHCEPH-5769 0 None None None 2022-12-12 12:51:33 UTC
Red Hat Product Errata RHBA-2023:1360 0 None None None 2023-03-20 19:00:50 UTC

Comment 17 Preethi 2023-01-18 18:13:30 UTC
The feature is working as expected. 

Test steps followed

1) Create RBD image1
2) Apply encryption format LUKS1/LUKS2 to the RBD image1
   [root@magna021 ubuntu]# rbd encryption format mypool/myimage6 luks2 passphrase.bin
3) Load encryption
4) Create file system and mount the device
5) Run IOs
6) Create a clone, i.e. RBD image2, from the snapshot of RBD image1
7) Encrypt the image with LUKS2 and a different passphrase
9) Load the encryption and mount the device
10) Verify the data
11) Perform RBD flatten to the images, loading encryption keys for parent and child images

Expected result - Data is intact; we are able to read the data which was present in RBD1 before the snapshot was performed

We have verified the above steps for the following scenarios performed to qualify the BZ for 6.0 -
Have a non-formatted parent, LUKS1-formatted clone
non-formatted parent, LUKS2-formatted clone
LUKS1-formatted parent, non-formatted clone
LUKS1-formatted parent, LUKS1-formatted clone (different passphrase)
LUKS1-formatted parent, LUKS2-formatted clone
LUKS2-formatted parent, non-formatted clone (format and passphrase inherited from the parent)
LUKS2-formatted parent, LUKS1-formatted clone
LUKS2-formatted parent, LUKS2-formatted clone (different passphrase)
Resize, shrink operations, flatten operations to the encrypted images
negative tests/usability scenarios around this area
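
The rbd side of the test steps in Comment 17, for the "LUKS2-formatted parent, LUKS2-formatted clone (different passphrase)" scenario, as an added example that is not part of the bug report or the tester's actual commands. Image, snapshot and clone passphrase file names are placeholders; the script prints the commands by default (DRY_RUN=1), and the file-system and I/O steps are left as comments.

```shell
#!/bin/sh
# Added example: command plan for an encrypted clone of an encrypted parent.
# DRY_RUN=1 (default) prints each command; DRY_RUN=0 executes it.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Arguments (all placeholders): pool, parent image, clone image,
# parent passphrase file, clone passphrase file.
layered_clone_check() {
    pool=$1; parent=$2; clone=$3; parent_key=$4; clone_key=$5

    # Steps 1-2: create the parent image and format it with LUKS2.
    run rbd create --size 1G "$pool/$parent"
    run rbd encryption format "$pool/$parent" luks2 "$parent_key"

    # Steps 3-5: load encryption by mapping through rbd-nbd.
    # mkfs, mount and test I/O on the returned device go here.
    run rbd device map -t nbd \
        -o "encryption-passphrase-file=$parent_key" "$pool/$parent"

    # Step 6: clone from a protected snapshot of the parent.
    run rbd snap create "$pool/$parent@snap1"
    run rbd snap protect "$pool/$parent@snap1"
    run rbd clone "$pool/$parent@snap1" "$pool/$clone"

    # Step 7: the clone gets its own LUKS2 header and a different passphrase.
    run rbd encryption format "$pool/$clone" luks2 "$clone_key"

    # Steps 9-10: map the clone. Passphrase files are listed from the clone
    # up to its parent, so reads that fall through to the parent can be
    # decrypted with the parent's key. Mount and compare the data here.
    run rbd device map -t nbd \
        -o "encryption-passphrase-file=$clone_key,encryption-passphrase-file=$parent_key" \
        "$pool/$clone"

    # Step 11: flatten with both keys loaded, in the same clone-first order.
    run rbd flatten --encryption-passphrase-file "$clone_key" \
        --encryption-passphrase-file "$parent_key" "$pool/$clone"
}

layered_clone_check mypool image1 image2 passphrase.bin clone-passphrase.bin
```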

Comment 18 errata-xmlrpc 2023-03-20 18:59:40 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Red Hat Ceph Storage 6.0 Bug Fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:1360

