ceph-osd: add dmcrypt scenario

add the ability to encrypt osd data store using dm-crypt Signed-off-by: Sébastien Han <seb@redhat.com>
2016-07-19 17:53:21 +02:00 · 2016-07-19 17:53:21 +02:00 · 5978d55d22
parent b0a26aeeb3
commit 5978d55d22
5 changed files with 59 additions and 0 deletions
--- a/group_vars/osds.sample
+++ b/group_vars/osds.sample
@ -123,6 +123,12 @@ dummy:
 #bluestore: false


+# VI. Sixth scenario: encrypt osd data and/or journal devices with dm-crypt.
+# Keys are stored into the monitors k/v store
+# Use 'true' to enable this scenario
+#dmcrypt: false
+
+
 ##########
 # DOCKER #
 ##########
--- a/roles/ceph-common/tasks/checks/check_mandatory_vars.yml
+++ b/roles/ceph-common/tasks/checks/check_mandatory_vars.yml
@ -72,6 +72,7 @@
    - not raw_multi_journal
    - not osd_directory
    - not bluestore
+    - not dmcrypt

 - name: verify only one osd scenario was chosen
  fail:
@ -85,6 +86,10 @@
      or (raw_multi_journal and osd_directory)
      or (raw_multi_journal and bluestore)
      or (osd_directory and bluestore)
+      or (dmcrypt and journal_collocation)
+      or (dmcrypt and raw_multi_journal)
+      or (dmcrypt and osd_directory)
+      or (dmcrypt and bluestore)

 - name: verify devices have been provided
  fail:
--- a/roles/ceph-osd/defaults/main.yml
+++ b/roles/ceph-osd/defaults/main.yml
@ -115,6 +115,12 @@ osd_directory: false
 bluestore: false


+# VI. Sixth scenario: encrypt osd data and/or journal devices with dm-crypt.
+# Keys are stored into the monitors k/v store
+# Use 'true' to enable this scenario
+dmcrypt: false
+
+
 ##########
 # DOCKER #
 ##########
--- a/roles/ceph-osd/tasks/main.yml
+++ b/roles/ceph-osd/tasks/main.yml
@ -22,5 +22,10 @@
    - osd_objectstore == 'bluestore'
    - not osd_containerized_deployment

+- include: ./scenarios/dmcrypt.yml
+  when:
+    - dmcrypt
+    - not osd_containerized_deployment
+
 - include: ./docker/main.yml
  when: osd_containerized_deployment
--- a/roles/ceph-osd/tasks/scenarios/dmcrypt.yml
+++ b/roles/ceph-osd/tasks/scenarios/dmcrypt.yml
@ -0,0 +1,37 @@
+---
+## SCENARIO 5: DMCRYPT
+
+- include: ../check_devices.yml
+
+# NOTE (leseb): the prepare process must be parallelized somehow...
+# if you have 64 disks with 4TB each, this will take a while
+# since Ansible will sequential process the loop
+
+# NOTE (alahouze): if the device is a partition, the parted command below has
+# failed, this is why we check if the device is a partition too.
+- name: automatic prepare osd disk(s) without partitions
+  command: ceph-disk prepare --dmcrypt --cluster "{{ cluster }}" "/dev/{{ item.key }}"
+  register: prepared_osds
+  with_dict: ansible_devices
+  when:
+    - ansible_devices is defined
+    - item.value.removable == "0"
+    - item.value.partitions|count == 0
+    - bluestore
+    - osd_auto_discovery
+
+- name: manually prepare osd disk(s)
+  command: ceph-disk prepare --dmcrypt --cluster "{{ cluster }}" "{{ item.2 }}"
+  with_together:
+    - combined_parted_results.results
+    - combined_ispartition_results.results
+    - devices
+  when:
+    - not item.0.get("skipped")
+    - not item.1.get("skipped")
+    - item.0.get("rc", 0) != 0
+    - item.1.get("rc", 0) != 0
+    - bluestore
+    - not osd_auto_discovery
+
+- include: ../activate_osds.yml