Alexandre and I have been working on adding basic dm-crypt support to ceph-disk-prepare/activate. At this point it is working reasonably well, but before we move forward I thought I'd see if anyone has feedback/comments on the implementation.
The initial goals are very simple: transparently dm-crypt the volumes for the osd data and journal befor we use them, and store the keys somewhere on the local host (currently /etc/ceph/dmcrypt-keys). Eventually we'll want to something more sophisticated there--there is a whole industry to supprot key management and compliance for this sort of thing--but slotting that in later should be pretty simple. For now, the basic process looks like this: ceph-disk-prepare --dmcrypt DATADISK [JOURNALDISK] When --dmcrypt is passed, we generate a unique UUID for the data and journal both (the data one matches the OSD uuid), and label the GPT partitions. We also set the type to special "dmcrypted osd" and "dmcrypted journal" types. The dm-crypt mapped devices appear in /dev/mapper/$UUID, so the journal symlink inside the data dir of the data volume points there. Keys are stored in /etc/ceph/dmcrypt-keys/$UUID. Normally, to activate an OSD, a udev rule triggres on teh osd partition type and runs ceph-disk-active. In this case, it's slightly more complicated. A udev rule triggers on the encrypted journal partition type and starts dm-crypt (using the key in /etc/ceph/...). For the encrypted osd partition, we first start dm-crypt, then run ceph-disk-activate on the resulting /dev/mapper/$UUID volume. That's basically it. Leveraging udev makes this pretty simple, and should be portable to any distro (vs, say, using upstart events to do the same steps). Later, we may want to add some super-simple key management so that the keys are stored on the monitor instead of in a local directory, but for some users at least this is sufficient (where the concern is really about disposal of disks). See wip-dmcrypt in ceph.git to take a look. Thanks! sage -- To unsubscribe from this list: send the line "unsubscribe ceph-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
