ceph-osd: add dmcrypt scenario

add the ability to encrypt osd data store using dm-crypt

Signed-off-by: Sébastien Han <seb@redhat.com>

group_vars/osds.sample

@@ -123,6 +123,12 @@ dummy:
 #bluestore: false
 
 
+# VI. Sixth scenario: encrypt osd data and/or journal devices with dm-crypt.
+# Keys are stored into the monitors k/v store
+# Use 'true' to enable this scenario
+#dmcrypt: false
+
+
 ##########
 # DOCKER #
 ##########

roles/ceph-common/tasks/checks/check_mandatory_vars.yml

@@ -72,6 +72,7 @@
     - not raw_multi_journal
     - not osd_directory
     - not bluestore
+    - not dmcrypt
 
 - name: verify only one osd scenario was chosen
   fail:
@@ -85,6 +86,10 @@
       or (raw_multi_journal and osd_directory)
       or (raw_multi_journal and bluestore)
       or (osd_directory and bluestore)
+      or (dmcrypt and journal_collocation)
+      or (dmcrypt and raw_multi_journal)
+      or (dmcrypt and osd_directory)
+      or (dmcrypt and bluestore)
 
 - name: verify devices have been provided
   fail:

roles/ceph-osd/defaults/main.yml

@@ -115,6 +115,12 @@ osd_directory: false
 bluestore: false
 
 
+# VI. Sixth scenario: encrypt osd data and/or journal devices with dm-crypt.
+# Keys are stored into the monitors k/v store
+# Use 'true' to enable this scenario
+dmcrypt: false
+
+
 ##########
 # DOCKER #
 ##########

roles/ceph-osd/tasks/main.yml

@@ -22,5 +22,10 @@
     - osd_objectstore == 'bluestore'
     - not osd_containerized_deployment
 
+- include: ./scenarios/dmcrypt.yml
+  when:
+    - dmcrypt
+    - not osd_containerized_deployment
+
 - include: ./docker/main.yml
   when: osd_containerized_deployment

roles/ceph-osd/tasks/scenarios/dmcrypt.yml

@@ -0,0 +1,37 @@
+---
+## SCENARIO 5: DMCRYPT
+
+- include: ../check_devices.yml
+
+# NOTE (leseb): the prepare process must be parallelized somehow...
+# if you have 64 disks with 4TB each, this will take a while
+# since Ansible will sequential process the loop
+
+# NOTE (alahouze): if the device is a partition, the parted command below has
+# failed, this is why we check if the device is a partition too.
+- name: automatic prepare osd disk(s) without partitions
+  command: ceph-disk prepare --dmcrypt --cluster "{{ cluster }}" "/dev/{{ item.key }}"
+  register: prepared_osds
+  with_dict: ansible_devices
+  when:
+    - ansible_devices is defined
+    - item.value.removable == "0"
+    - item.value.partitions|count == 0
+    - bluestore
+    - osd_auto_discovery
+
+- name: manually prepare osd disk(s)
+  command: ceph-disk prepare --dmcrypt --cluster "{{ cluster }}" "{{ item.2 }}"
+  with_together:
+    - combined_parted_results.results
+    - combined_ispartition_results.results
+    - devices
+  when:
+    - not item.0.get("skipped")
+    - not item.1.get("skipped")
+    - item.0.get("rc", 0) != 0
+    - item.1.get("rc", 0) != 0
+    - bluestore
+    - not osd_auto_discovery
+
+- include: ../activate_osds.yml