| author | Andrew Bartlett <abartlet@catalyst.net.nz> | 2014-10-30 22:29:36 +0100 |
|---|---|---|
| committer | Andrew Bartlett <abartlet@samba.org> | 2015-01-30 02:34:42 +0100 |
| commit | c83a288ab84bf06cd9b09e823626a2ccdf2852f9 (patch) | |
| tree | 42dcfa1362c19503f429efdfa8426bc2ddf21bfa /udev | |
| parent | Only create a key of 256 bits length, not 256 bytes (diff) | |
| download | ceph-c83a288ab84bf06cd9b09e823626a2ccdf2852f9.tar.xz, ceph-c83a288ab84bf06cd9b09e823626a2ccdf2852f9.zip | |
Rework ceph-disk to allow LUKS for encrypted partitions
LUKS allows for validation of the key at mount time (rather than
simply mounting a random partition), specification of the encryption
parameters in the header and key rollover of the slot key (the one
that needs to be stored).
New parameters 'osd cryptsetup parameters' and 'osd dmcrypt key size' are
added. These allow these important policy choices to be overridden or
kept consistent per-site.
The previous default plain mode (rather than using LUKS) remains; select
LUKS by setting 'osd dmcrypt type = luks'.
Signed-off-by: Andrew Bartlett <abartlet@catalyst.net.nz>
Diffstat (limited to 'udev')
-rw-r--r-- | udev/95-ceph-osd.rules | 20 |
1 files changed, 18 insertions, 2 deletions
diff --git a/udev/95-ceph-osd.rules b/udev/95-ceph-osd.rules index ec2c4a463aa..6498cfeab4a 100644 --- a/udev/95-ceph-osd.rules +++ b/udev/95-ceph-osd.rules 
@@ -10,18 +10,34 @@ ACTION=="add", SUBSYSTEM=="block", \ ENV{ID_PART_ENTRY_TYPE}=="45b0969e-9b03-4f30-b4c6-b4b80ceff106", \ RUN+="/usr/sbin/ceph-disk activate-journal /dev/$name" -# Map journal if using dm-crypt +# Map journal if using dm-crypt and plain ACTION=="add" SUBSYSTEM=="block", \ ENV{DEVTYPE}=="partition", \ ENV{ID_PART_ENTRY_TYPE}=="45b0969e-9b03-4f30-b4c6-5ec00ceff106", \ RUN+="/sbin/cryptsetup --key-file /etc/ceph/dmcrypt-keys/$env{ID_PART_ENTRY_UUID} --key-size 256 create $env{ID_PART_ENTRY_UUID} /dev/$name" +# Map journal if using dm-crypt and luks +ACTION=="add" SUBSYSTEM=="block", \ + ENV{DEVTYPE}=="partition", \ + ENV{ID_PART_ENTRY_TYPE}=="45b0969e-9b03-4f30-b4c6-35865ceff106", \ + RUN+="/sbin/cryptsetup --key-file /etc/ceph/dmcrypt-keys/$env{ID_PART_ENTRY_UUID}.luks.key luksOpen /dev/$name $env{ID_PART_ENTRY_UUID}" + # Map data device and # activate ceph-tagged partitions -# for dm-crypted data devices +# for dm-crypted data devices and plain ACTION=="add" SUBSYSTEM=="block", \ ENV{DEVTYPE}=="partition", \ ENV{ID_PART_ENTRY_TYPE}=="4fbd7e29-9d25-41b8-afd0-5ec00ceff05d", \ RUN+="/sbin/cryptsetup --key-file /etc/ceph/dmcrypt-keys/$env{ID_PART_ENTRY_UUID} --key-size 256 create $env{ID_PART_ENTRY_UUID} /dev/$name", \ RUN+="/bin/bash -c 'while [ ! -e /dev/mapper/$env{ID_PART_ENTRY_UUID} ];do sleep 1; done'", \ RUN+="/usr/sbin/ceph-disk-activate /dev/mapper/$env{ID_PART_ENTRY_UUID}" + +# Map data device and +# activate ceph-tagged partitions +# for dm-crypted data devices and luks +ACTION=="add" SUBSYSTEM=="block", \ + ENV{DEVTYPE}=="partition", \ + ENV{ID_PART_ENTRY_TYPE}=="4fbd7e29-9d25-41b8-afd0-35865ceff05d", \ + RUN+="/sbin/cryptsetup --key-file /etc/ceph/dmcrypt-keys/$env{ID_PART_ENTRY_UUID}.luks.key luksOpen /dev/$name $env{ID_PART_ENTRY_UUID}", \ + RUN+="/bin/bash -c 'while [ ! -e /dev/mapper/$env{ID_PART_ENTRY_UUID} ];do sleep 1; done'", \ + RUN+="/usr/sbin/ceph-disk-activate /dev/mapper/$env{ID_PART_ENTRY_UUID}" |
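Review bot: the new LUKS data-device rule (partition type `4fbd7e29-9d25-41b8-afd0-35865ceff05d`) copies the unbounded wait loop `RUN+="/bin/bash -c 'while [ ! -e /dev/mapper/$env{ID_PART_ENTRY_UUID} ];do sleep 1; done'"` from the plain rule, but with LUKS the preceding `cryptsetup ... luksOpen` step can now fail on key validation (a missing or wrong `.luks.key` file, or a damaged header), and the loop then never terminates and the event stalls instead of reporting the failed open; consider bounding the loop with a retry limit, or making the activate step conditional on the mapper device actually appearing, so a bad key is logged rather than silently hung on. A smaller style point: the added `ACTION=="add" SUBSYSTEM=="block", \` lines copy the comma-less match form of the existing plain rules, while the context at the top of the hunk uses `ACTION=="add", SUBSYSTEM=="block", \`; the comma-separated form is the conventional one and would keep the new rules consistent with the rest of the file.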