[openstack-dev] [Cinder] encryption is not supported in ceph volume

Adam Heczko aheczko at mirantis.com
Mon Aug 3 00:41:40 UTC 2015


Indeed, it works only for iSCSI Cinder backends.
I believe there are at least two ways in which volume encryption for Ceph
could be achieved:
- by implementing encryption at the librbd level (user space)
- by rewriting Ceph's Cinder plugin to attach RBD images not through
libvirt/librbd but through the native Linux kernel RBD driver, and
stacking LUKS atop RBD (the device-mapper way)

Regards,

Adam

On Thu, Jul 30, 2015 at 8:02 AM, Li, Xiaoyan <xiaoyan.li at intel.com> wrote:

> Hi all,
>
> I created an encryption type, and created a volume in Ceph with the volume
> type.
> >> cinder encryption-type-create
>
> But I failed to attach it to a VM. The error message shows that there is no
> device_path in connection_info.
>
> 2015-07-30 05:55:57.117 TRACE oslo_messaging.rpc.dispatcher     self.symlink_path = connection_info['data']['device_path']
> 2015-07-30 05:55:57.117 TRACE oslo_messaging.rpc.dispatcher KeyError: 'device_path'
>
> Two questions:
> 1. Is it not supported to create a volume in Ceph with an encrypted volume type?
> 2. If yes, should we prohibit creating a Ceph volume with an encrypted
> volume type?
>
> Best wishes
> Lisa



-- 
Adam Heczko
Security Engineer @ Mirantis Inc.
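
The failure in the quoted traceback can be turned into an explicit refusal before any encryptor is set up. The sketch below is an added example, not part of the thread and not Nova or Cinder code; the helper names and the sample `connection_info` dictionaries are hypothetical and constructed for illustration.

```python
class EncryptionNotSupported(Exception):
    """Raised when an encrypted volume cannot be attached over this connection."""


def encryptor_device_path(connection_info, encryption):
    """Return the host block device an encryptor would wrap, or None.

    `encryption` is None for unencrypted volumes. Hypothetical helper.
    """
    if not encryption:
        return None  # unencrypted volume: no block device is required
    data = connection_info.get("data", {})
    device_path = data.get("device_path")
    if not device_path:
        # Avoid the bare KeyError from the traceback: name the backend and reason.
        backend = connection_info.get("driver_volume_type", "unknown")
        raise EncryptionNotSupported(
            "volume uses encryption provider %r but the %s connection exposes "
            "no device_path to layer encryption on"
            % (encryption.get("provider"), backend))
    return device_path


def check(connection_info, encryption):
    """Wrap the check so callers get a loggable string instead of an exception."""
    try:
        return encryptor_device_path(connection_info, encryption)
    except EncryptionNotSupported as exc:
        return "refused: %s" % exc


# Constructed samples: an iSCSI attachment carries a host device path,
# an RBD attachment made through libvirt/librbd does not.
ISCSI_INFO = {
    "driver_volume_type": "iscsi",
    "data": {"target_iqn": "iqn.2010-10.org.openstack:volume-example",
             "device_path": "/dev/disk/by-path/example-iscsi-lun-1"},
}
RBD_INFO = {
    "driver_volume_type": "rbd",
    "data": {"name": "volumes/volume-example", "auth_enabled": True},
}
LUKS = {"provider": "luks", "cipher": "aes-xts-plain64", "key_size": 256}

if __name__ == "__main__":
    for info in (ISCSI_INFO, RBD_INFO):
        print(info["driver_volume_type"], "->", check(info, LUKS))
```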