Data Foundation Bugs / DFBUGS-705

[2259886] [ODF-Hackaton]: Please add further documentation about the internals of ODF encryption in transit


    • Bug
    • Resolution: Unresolved
    • Critical
    • odf-4.15
    • odf-4.14
    • Documentation

      *Describe the issue:*

      The documentation doesn't detail how encryption in transit works for an ODF cluster. It just refers to how to enable it in the Deployment Guides very briefly:

      > To enable in-transit encryption, select In-transit encryption.
      >
      > Select a Network.
      > Click Next.

      There are no references in the Architecture or Troubleshooting guides regarding this feature. For example, one thing that will be worth covering is how the option `ms_mode=secure` is passed to the CephFS mount points. From my lab setup, this is from a pod mounting a CephFS file system with encryption on the wire enabled:

      sh-4.4$ mount | grep mnt
      10.0.91.79:3300,10.0.93.41:3300,10.0.93.166:3300,10.0.93.53:3300,10.0.93.164:3300:/volumes/csi/csi-vol-05e577bd-11be-4e5c-82b0-c3d2398b5e11/36bfbd9a-2e67-415b-a2eb-7be623b9e0e7 on /mnt type ceph (rw,relatime,seclabel,name=csi-cephfs-node,secret=<hidden>,ms_mode=secure,fsid=00000000-0000-0000-0000-000000000000,acl,mds_namespace=my-filesystem)

      I thought either would set this parameter:

      • Adding the variable `"ROOK_CSI_ENABLE_CEPHFS": "true"` to the `rook-ceph-operator-config` cm.
      • Setting the kernel mount option `kernelMountOptions: ms_mode=secure` in the CephFS storage class.

      However, this is not the case. Neither the cm nor the sc is modified. The encryption annotation

      oc get storagecluster ocs-external-storagecluster -n openshift-storage -o json | jq -r '.spec.network.connections'
      {
        "encryption": {
          "enabled": true
        }
      }

      in the storagecluster seems to suffice to set the `ms_mode=secure` mount option in the CephFS mount points. More details on how it works behind the scenes will be worth it.

      *Describe the task you were trying to accomplish:*

      Provide further information on how the encryption in transit feature works internally.

      *Provide some further documentation details*

      N/A

      *Suggestions for improvement:*

      Add information about how the option `ms_mode=secure` is set for CephFS mount points.

      *Document URL:*

      Troubleshooting Guide: https://access.redhat.com/documentation/en-us/red_hat_openshift_data_foundation/4.14/html/troubleshooting_openshift_data_foundation
      Architecture Guide: https://access.redhat.com/documentation/en-us/red_hat_openshift_data_foundation/4.14/html/red_hat_openshift_data_foundation_architecture

      *Chapter/Section Number and Title:*

      N/A, as there's no section covering this feature.

      *Product Version:*

      ODF 4.14

      *Environment Details:*

      N/A

      *Any other versions of this document that also need this update:*

      No

      *Additional information:*

      N/A

              asriram@redhat.com Anjana Sriram
              rhn-support-nravinas Natalia Ravina Sepulveda
              Neha Berry Neha Berry
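One way to verify the mount option discussed in the report across every CephFS kernel mount on a node or in a pod, added here as an example (it is not part of the original issue and is not ODF or Rook code). The function name, the verdict labels and the sample mount lines are constructed for illustration; the `ms_mode` values are those accepted by the Linux kernel CephFS client, whose default is `legacy`.

```shell
#!/bin/sh
# Added example (not from the report): classify CephFS kernel mounts by ms_mode.
# Input on stdin: lines in `mount` output format.
# Output: "<mountpoint> <ms_mode|unset> <verdict>" per "type ceph" mount.
#   ENCRYPTED   ms_mode=secure (msgr2 with on-wire encryption)
#   NEGOTIATED  prefer-secure / prefer-crc (outcome depends on the peer)
#   PLAINTEXT   crc, legacy, or no ms_mode option (kernel default is legacy)
# Returns 1 if any CephFS mount is not ENCRYPTED, else 0.
check_cephfs_ms_mode() {
    _rc=0
    while IFS= read -r _line; do
        case $_line in
            *" on "*" type ceph ("*")") ;;
            *) continue ;;                      # not a CephFS kernel mount
        esac
        _mnt=${_line#*" on "}                   # drop "<source> on "
        _mnt=${_mnt%%" type ceph ("*}           # drop " type ceph (...)"
        _opts=${_line##*" type ceph ("}
        _opts=",${_opts%")"},"                  # ",opt1,opt2,...,"
        case $_opts in
            *,ms_mode=*) _mode=${_opts#*,ms_mode=}; _mode=${_mode%%,*} ;;
            *)           _mode=unset ;;
        esac
        case $_mode in
            secure)                   _verdict=ENCRYPTED ;;
            prefer-secure|prefer-crc) _verdict=NEGOTIATED; _rc=1 ;;
            *)                        _verdict=PLAINTEXT;  _rc=1 ;;
        esac
        printf '%s %s %s\n' "$_mnt" "$_mode" "$_verdict"
    done
    return "$_rc"
}

# Constructed sample lines (placeholder addresses and paths, not real output).
SAMPLE_MOUNTS='192.0.2.10:3300,192.0.2.11:3300:/volumes/csi/vol-a on /mnt/a type ceph (rw,relatime,name=csi-cephfs-node,secret=<hidden>,ms_mode=secure,acl)
192.0.2.10:6789:/volumes/csi/vol-b on /mnt/b type ceph (rw,relatime,name=csi-cephfs-node,secret=<hidden>,acl)
192.0.2.10:3300:/volumes/csi/vol-c on /mnt/c type ceph (rw,ms_mode=prefer-crc,acl)
overlay on / type overlay (rw,relatime)'

# Demo on the constructed sample; on a real node use: mount | check_cephfs_ms_mode
printf '%s\n' "$SAMPLE_MOUNTS" | check_cephfs_ms_mode || true
```

The non-zero return makes the function usable as a gate in a node health check: any CephFS mount that is not pinned to `ms_mode=secure` fails it.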