Re: [openstack-dev] [Cinder] encryption is not supported in ceph volume
On 7/30/2015 1:02 AM, Li, Xiaoyan wrote:
> Hi all,
>
> I created an encryption type, and created a volume in Ceph with the volume
> type.
>
>> cinder encryption-type-create
>
> But failed to attach it to a VM. The error message shows that no
> device_path in connection_info.
>
> 2015-07-30 05:55:57.117 TRACE oslo_messaging.rpc.dispatcher self.symlink_path = connection_info['data']['device_path']
> 2015-07-30 05:55:57.117 TRACE oslo_messaging.rpc.dispatcher KeyError: 'device_path'
>
> Two questions:
> 1. Is it not supported to create volume in Ceph with encrypted volume type?
> 2. If yes, should we prohibit creating a Ceph volume with encrypted
> volume type.
>
> Best wishes
> Lisa
>
> __
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

This is a known issue and was pointed out in the mailing list earlier [1]. A change was made to make that fail fast and obvious now rather than let users think they had encrypted rbd volumes. The KeyError in nova should have a better exception raised with this change [2].

nagyz is working on adding the encryption support for rbd to nova here [3].

[1] http://lists.openstack.org/pipermail/openstack-dev/2015-July/068457.html
[2] https://review.openstack.org/#/c/193830/
[3] https://review.openstack.org/#/c/206576/

--
Thanks,
Matt Riedemann
Re: [openstack-dev] [Cinder] encryption is not supported in ceph volume
Indeed, it works only for iSCSI Cinder backends.

I believe there are at least two ways in which volume encryption for Ceph could be achieved:
- by implementing encryption at the librbd level (user space)
- by rewriting Ceph's Cinder plugin to attach RBD images not through libvirt/librbd but through the native Linux kernel RBD driver, and stacking LUKS atop RBD (the device-mapper way)

Regards,
Adam

On Thu, Jul 30, 2015 at 8:02 AM, Li, Xiaoyan wrote:
> Hi all,
>
> I created an encryption type, and created a volume in Ceph with the volume
> type.
>
>> cinder encryption-type-create
>
> But failed to attach it to a VM. The error message shows that no
> device_path in connection_info.
>
> 2015-07-30 05:55:57.117 TRACE oslo_messaging.rpc.dispatcher self.symlink_path = connection_info['data']['device_path']
> 2015-07-30 05:55:57.117 TRACE oslo_messaging.rpc.dispatcher KeyError: 'device_path'
>
> Two questions:
> 1. Is it not supported to create volume in Ceph with encrypted volume type?
> 2. If yes, should we prohibit creating a Ceph volume with encrypted
> volume type.
>
> Best wishes
> Lisa

--
Adam Heczko
Security Engineer @ Mirantis Inc.
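
The fail-fast check discussed in this thread, sketched in Python as an added example; it is not code from nova, Cinder or the original messages. The function names, the exception class and the sample connection_info dictionaries are hypothetical and constructed for illustration.

```python
# Added example: hypothetical names, not nova's or Cinder's API.

class EncryptedAttachUnsupported(Exception):
    """The volume type asks for encryption but the backend exposes no host device."""


# Constructed sample inputs; the field layout is an assumption based on the
# traceback in the thread, which reads connection_info['data']['device_path'].
ISCSI_INFO = {"driver_volume_type": "iscsi",
              "data": {"device_path": "/dev/disk/by-path/example-iscsi-lun-1"}}
RBD_INFO = {"driver_volume_type": "rbd",
            "data": {"name": "volumes/volume-0002", "hosts": ["192.0.2.20"]}}
LUKS_META = {"provider": "LuksEncryptor", "control_location": "front-end"}


def plan_attach(connection_info, encryption=None):
    """Return 'plain' or 'encrypted'; raise before attaching if neither is safe."""
    if not encryption or not encryption.get("provider"):
        return "plain"
    data = connection_info.get("data") or {}
    if not data.get("device_path"):
        # Without this check the caller hits KeyError: 'device_path', or worse,
        # attaches the volume unencrypted while the user believes otherwise.
        raise EncryptedAttachUnsupported(
            "encrypted volume type requested, but %r connections provide no "
            "device_path to encrypt" % connection_info.get("driver_volume_type"))
    return "encrypted"


def audit(attachments):
    """Return ids of volumes whose encrypted type cannot be honoured."""
    rejected = []
    for volume_id, info, encryption in attachments:
        try:
            plan_attach(info, encryption)
        except EncryptedAttachUnsupported:
            rejected.append(volume_id)
    return rejected


if __name__ == "__main__":
    sample = [("vol-iscsi-enc", ISCSI_INFO, LUKS_META),
              ("vol-rbd-plain", RBD_INFO, None),
              ("vol-rbd-enc", RBD_INFO, LUKS_META)]
    print(audit(sample))
```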