Hi Ilya,

On Thu, 2022-08-18 at 13:27 +0200, Ilya Dryomov wrote:
> On Tue, Aug 16, 2022 at 12:44 PM Martin Traxl <martin.traxl@xxxxxxxx> wrote:
[...]
> >
>
> Hi Martin,
>
> For obscure backwards compatibility reasons, the kernel client defaults
> to messenger v1. You would need to specify "ms_mode=secure" option when
> mapping your block devices to enable messenger v2 secure mode [1].

This helped, setting the "ms_mode=secure" option on the client side did
the trick.

Out of curiosity, do you know if I disable messenger v1 on the ceph
cluster, would the kernel client without setting "ms_mode=secure" use
messenger v2 or would I still have to set this option?

Until now I was not able to disable msgr1 on my monitor nodes. Although
in my ceph.conf I configured this

-----
mon host = [v2:10.88.32.11],[v2:10.88.32.12],[v2:10.88.32.20]
ms bind msgr1 = false
-----

the monitor node still binds to the msgr1 default port 6789.

[...]
> >
> > As I understand, "type": "v1" means messenger v1 is used and
> > therefore no secure wire encryption, which comes with messenger v2.
> > Is this understanding correct? How can I enable wire encryption
> > here? Nautilus should be able to use msgr2. In general, how can I
> > verify a client is using wire encryption or not?
>
> Your understanding is correct. Your ceph.conf options +
> "ms_mode=secure" option for the kernel client (whether krbd or kcephfs)
> is all that is needed. Note that mainline kernel 5.11 or CentOS 8.4
> is required.
>
> As for the verification, you would need to either check monitor and
> OSD logs or resort to wireshark/tcpdump. There is a proposed change
> from Radek to make this more ergonomic but it is not merged yet.
>
> [1] https://docs.ceph.com/en/nautilus/man/8/rbd/#kernel-rbd-krbd-options
> [2] https://github.com/ceph/ceph/pull/43791

That is great. I hope this will be merged.

Thank you,
Martin
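
Added example, not part of the original thread and not Ceph project code: for the wireshark/tcpdump route mentioned above, the first payload bytes of a connection already tell msgr1 from msgr2, because each protocol opens with a fixed banner. The stream records, the client address and the helper names are constructed for illustration; a v2 banner only shows that msgr2 is spoken, since crc versus secure mode is negotiated later during authentication.

```python
import struct

# Banner strings from the Ceph source: msgr1 and msgr2 each open with one.
BANNER_V1 = b"ceph v027"
BANNER_V2 = b"ceph v2\n"


def classify_stream(first_bytes: bytes) -> dict:
    """Classify one direction of a TCP stream from its first payload bytes."""
    if first_bytes.startswith(BANNER_V2):
        result = {"protocol": "msgr2", "encryption_possible": True}
        rest = first_bytes[len(BANNER_V2):]
        # The v2 banner is followed by a le16 payload length and two le64
        # feature words (supported, required). Parse them when captured.
        if len(rest) >= 18 and struct.unpack_from("<H", rest)[0] == 16:
            sup, req = struct.unpack_from("<QQ", rest, 2)
            result.update(supported_features=sup, required_features=req)
        return result
    if first_bytes.startswith(BANNER_V1):
        # msgr1 has no secure mode, so this traffic is not wire-encrypted.
        return {"protocol": "msgr1", "encryption_possible": False}
    # A capture that starts mid-banner or was cut short cannot be judged.
    if first_bytes and any(b.startswith(first_bytes) for b in (BANNER_V1, BANNER_V2)):
        return {"protocol": "truncated", "encryption_possible": None}
    return {"protocol": "unknown", "encryption_possible": None}


def find_v1_streams(streams: list) -> list:
    """Return (src, dst) for every stream that opened with the msgr1 banner."""
    return [(s["src"], s["dst"]) for s in streams
            if classify_stream(s["data"])["protocol"] == "msgr1"]


# Constructed sample: client 192.0.2.10 is a placeholder, the monitor
# address and ports are the ones discussed in the thread.
SAMPLE_STREAMS = [
    {"src": "192.0.2.10:41000", "dst": "10.88.32.11:6789",
     "data": BANNER_V1 + b"\x00" * 16},
    {"src": "192.0.2.10:41002", "dst": "10.88.32.11:3300",
     "data": BANNER_V2 + struct.pack("<HQQ", 16, 1, 0)},
    {"src": "192.0.2.10:41004", "dst": "10.88.32.11:3300", "data": b"ceph v"},
]

if __name__ == "__main__":
    for src, dst in find_v1_streams(SAMPLE_STREAMS):
        print(f"msgr1 (unencrypted) session: {src} -> {dst}")
```

Any stream this reports as msgr1 is certainly unencrypted; for msgr2 streams the monitor and OSD logs are still needed to confirm that secure mode was selected.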