Re: How to verify the use of wire encryption?

On Tue, Aug 16, 2022 at 12:44 PM Martin Traxl <martin.traxl@xxxxxxxx> wrote:
>
> Hi,
>
> I am running a Ceph 16.2.9 cluster with wire encryption. From my ceph.conf:
> _____
>   ms client mode = secure
>   ms cluster mode = secure
>   ms mon client mode = secure
>   ms mon cluster mode = secure
>   ms mon service mode = secure
>   ms service mode = secure
> _____
>
> My cluster is running both messenger v1 and messenger v2 listening on the default ports 6789 and 3300. Now I have Nautilus clients (krbd) mounting rados block devices from this cluster.

Hi Martin,

For obscure backwards compatibility reasons, the kernel client defaults
to messenger v1.  You would need to specify "ms_mode=secure" option when
mapping your block devices to enable messenger v2 secure mode [1].

> When looking at the current sessions (ceph daemon <monitor> sessions) for my rbd clients I see something like this:
> _____
>     {
>         "name": "client.*****",
>         "entity_name": "client.fe-*****",
>         "addrs": {
>             "addrvec": [
>                 {
>                     "type": "v1",
>                     "addr": "10.238.194.4:0",
>                     "nonce": 2819469832
>                 }
>             ]
>         },
>         "socket_addr": {
>             "type": "v1",
>             "addr": "10.238.194.4:0",
>             "nonce": 2819469832
>         },
>         "con_type": "client",
>         "con_features": 3387146417253690110,
>         "con_features_hex": "2f018fb87aa4aafe",
>         "con_features_release": "luminous",
>         "open": true,
>         "caps": {
>             "text": "profile rbd"
>         },
>         "authenticated": true,
>         "global_id": 256359885,
>         "global_id_status": "reclaim_ok",
>         "osd_epoch": 13120,
>         "remote_host": ""
>     },
> _____
>
> As I understand, "type": "v1" means messenger v1 is used and therefore no secure wire encryption, which comes with messenger v2. Is this understanding correct? How can I enable wire encryption here? Nautilus should be able to use msgr2. In general, how can I verify a client is using wire encryption or not?

Your understanding is correct.  Your ceph.conf options +
"ms_mode=secure" option for the kernel client (whether krbd or kcephfs)
is all that is needed.  Note that mainline kernel 5.11 or CentOS 8.4
is required.

As for the verification, you would need to either check monitor and
OSD logs or resort to wireshark/tcpdump.  There is a proposed change
from Radek to make this more ergonomic but it is not merged yet.

[1] https://docs.ceph.com/en/nautilus/man/8/rbd/#kernel-rbd-krbd-options
[2] https://github.com/ceph/ceph/pull/43791

Thanks,

                Ilya
_______________________________________________
ceph-users mailing list -- ceph-users@xxxxxxx
To unsubscribe send an email to ceph-users-leave@xxxxxxx
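As an added example (not part of this thread or of Ceph itself): a small Python check over the JSON that `ceph daemon <mon> sessions` prints, in the shape shown in Martin's mail. It flags every open session whose socket is still "v1" as unencrypted (messenger v1 has no wire encryption) and reports "v2" sessions as msgr2 without claiming secure mode, since, as Ilya notes, the session listing does not show the negotiated mode; the sample input below is constructed.

```python
import json

# Constructed sample modelled on the `ceph daemon <mon> sessions` output in the
# thread (only the fields this check uses); names and addresses are made up.
SAMPLE_SESSIONS = json.dumps([
    {
        "name": "client.1001",
        "entity_name": "client.fe-a",
        "addrs": {"addrvec": [{"type": "v1", "addr": "10.0.0.4:0", "nonce": 1}]},
        "socket_addr": {"type": "v1", "addr": "10.0.0.4:0", "nonce": 1},
        "con_type": "client",
        "open": True,
        "authenticated": True,
    },
    {
        "name": "client.1002",
        "entity_name": "client.fe-b",
        "addrs": {"addrvec": [{"type": "v2", "addr": "10.0.0.5:0", "nonce": 2}]},
        "socket_addr": {"type": "v2", "addr": "10.0.0.5:0", "nonce": 2},
        "con_type": "client",
        "open": True,
        "authenticated": True,
    },
])


def classify_sessions(sessions_json: str) -> dict:
    """Map each open session's entity_name to a verdict on its messenger.

    "v1": msgr1, plaintext; no wire encryption is possible on this connection.
    "v2": msgr2 negotiated; whether it runs in crc or secure mode is not
          visible here, so confirm via mon/OSD logs or a packet capture.
    """
    verdicts = {}
    for session in json.loads(sessions_json):
        if not session.get("open", False):
            continue  # closed sessions carry no live connection to assess
        msgr = session.get("socket_addr", {}).get("type")
        if msgr == "v1":
            verdict = "v1: plaintext, msgr1 cannot encrypt"
        elif msgr == "v2":
            verdict = "v2: msgr2, mode (crc/secure) not shown by sessions"
        else:
            verdict = "unknown messenger type: %r" % (msgr,)
        verdicts[session["entity_name"]] = verdict
    return verdicts


def unencrypted_clients(sessions_json: str) -> list:
    """Entity names of open sessions that are definitely not encrypted (v1)."""
    return sorted(name for name, v in classify_sessions(sessions_json).items()
                  if v.startswith("v1"))
```

Clients listed by `unencrypted_clients` are the ones that still need `ms_mode=secure` (and a kernel that supports it) when mapping; a "v2" entry is necessary but not sufficient evidence of secure mode.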


