Re: How to verify the use of wire encryption?

Hi Ilya,

On Thu, 2022-08-18 at 13:27 +0200, Ilya Dryomov wrote:
> On Tue, Aug 16, 2022 at 12:44 PM Martin Traxl <martin.traxl@xxxxxxxx>
> wrote:

[...]

> > 
> > 
> 
> Hi Martin,
> 
> For obscure backwards compatibility reasons, the kernel client defaults
> to messenger v1.  You would need to specify "ms_mode=secure" option when
> mapping your block devices to enable messenger v2 secure mode [1].

This helped, setting the "ms_mode=secure" option on the client side did
the trick.

Out of curiosity, do you know if I disable messenger v1 on the ceph
cluster, would the kernel client without setting "ms_mode=secure" use
messenger v2 or would I still have to set this option?
Until now I was not able to disable msgr1 on my monitor nodes.
Although in my ceph.conf I configured this
-----
  mon host = [v2:10.88.32.11],[v2:10.88.32.12],[v2:10.88.32.20]
  ms bind msgr1 = false
-----
the monitor node still binds to the msgr1 default port 6789.


[...]

> 
> > 
> > As I understand, "type": "v1" means messenger v1 is used and
> > therefore no secure wire encryption, which comes with messenger v2.
> > Is this understanding correct? How can I enable wire encryption
> > here? Nautilus should be able to use msgr2. In general, how can I
> > verify a client is using wire encryption or not?
> 
> Your understanding is correct.  Your ceph.conf options +
> "ms_mode=secure" option for the kernel client (whether krbd or kcephfs)
> is all that is needed.  Note that mainline kernel 5.11 or CentOS 8.4
> is required.
> 
> As for the verification, you would need to either check monitor and
> OSD logs or resort to wireshark/tcpdump.  There is a proposed change
> from Radek to make this more ergonomic but it is not merged yet.
> 
> [1] https://docs.ceph.com/en/nautilus/man/8/rbd/#kernel-rbd-krbd-options
> [2] https://github.com/ceph/ceph/pull/43791

That is great. I hope this will be merged.

Thank you,
Martin
_______________________________________________
ceph-users mailing list -- ceph-users@xxxxxxx
To unsubscribe send an email to ceph-users-leave@xxxxxxx
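Ilya's answer above says that, short of the not-yet-merged change [2], verifying wire encryption means reading monitor/OSD logs or looking at the traffic with tcpdump/wireshark. The script below is an added example, not code from this thread or from the Ceph project: it takes the first client-to-server bytes of a captured TCP stream (e.g. from Wireshark's "Follow TCP Stream" or a tcpdump -w file you have already carved) and tells you whether the connection started with the messenger v1 banner ("ceph v027") or the messenger v2 banner ("ceph v2\n" followed by a little-endian length and two 64-bit feature words), both as defined in Ceph's msg/msg_types.h. The sample payloads are constructed so the block runs offline; the 6789/3300 default ports and the "bit 0 = msgr2.1 revision" feature flag are stated from general knowledge of Ceph and are assumptions to double-check against your release.

```python
"""Classify the opening bytes of a Ceph connection as messenger v1 or v2.

Added example for the ceph-users thread on verifying wire encryption; it is
not part of Ceph.  Sample payloads are constructed inline so it runs offline.
"""
import struct

# Banner prefixes as defined in Ceph's src/msg/msg_types.h.
BANNER_V1 = b"ceph v027"   # msgr1: no wire encryption possible
BANNER_V2 = b"ceph v2\n"   # msgr2: secure mode becomes possible

# Default monitor listening ports (assumption from Ceph defaults).
DEFAULT_PORT_V1 = 6789
DEFAULT_PORT_V2 = 3300

# Assumption: bit 0 of the v2 banner feature words is the msgr2.1 revision flag.
MSGR2_FEATURE_REVISION_1 = 1 << 0


def classify_banner(payload: bytes) -> dict:
    """Inspect the first bytes one side sent and report the messenger version.

    For v2 the banner is followed by a __le16 payload length and a payload of
    two __le64 words (supported features, required features); both are decoded.
    """
    if payload.startswith(BANNER_V1):
        return {"protocol": "v1"}
    if payload.startswith(BANNER_V2):
        body = payload[len(BANNER_V2):]
        if len(body) < 2:
            return {"protocol": "v2", "truncated": True}
        (payload_len,) = struct.unpack_from("<H", body, 0)
        feats = body[2:2 + payload_len]
        if len(feats) < 16:
            return {"protocol": "v2", "truncated": True}
        supported, required = struct.unpack_from("<QQ", feats, 0)
        return {
            "protocol": "v2",
            "supported_features": supported,
            "required_features": required,
            "msgr2_1": bool(supported & MSGR2_FEATURE_REVISION_1),
        }
    return {"protocol": "unknown"}


def audit_connection(dst_port: int, client_first_bytes: bytes) -> str:
    """One-line verdict combining the destination port and the banner."""
    info = classify_banner(client_first_bytes)
    proto = info["protocol"]
    if proto == "v1":
        hint = "" if dst_port == DEFAULT_PORT_V1 else " (non-default port)"
        return f"port {dst_port}: msgr1 banner{hint} -> no wire encryption possible"
    if proto == "v2":
        if info.get("truncated"):
            return f"port {dst_port}: msgr2 banner, payload truncated in capture"
        rev = "msgr2.1" if info["msgr2_1"] else "msgr2.0"
        # The banner only shows v2 is in use; crc vs secure mode is settled
        # later in the auth exchange, so it must be confirmed in logs.
        return (f"port {dst_port}: msgr2 banner ({rev}) -> secure mode possible, "
                "confirm ms_mode via daemon logs or the auth frames")
    return f"port {dst_port}: no Ceph banner recognised"


# Constructed sample streams (not captured from a real cluster).
SAMPLE_V1 = BANNER_V1 + b"\x00" * 8                      # v1 banner + padding
SAMPLE_V2 = BANNER_V2 + struct.pack("<HQQ", 16, 0x1, 0x0) # v2.1 supported, nothing required

if __name__ == "__main__":
    print(audit_connection(DEFAULT_PORT_V1, SAMPLE_V1))
    print(audit_connection(DEFAULT_PORT_V2, SAMPLE_V2))
    print(audit_connection(443, b"GET / HTTP/1.1\r\n"))
```

Run it against the first bytes sent by the client in each stream; a client that still shows the "ceph v027" banner on port 6789 is the situation Martin describes before adding ms_mode=secure. Note the caveat built into the verdict: a v2 banner proves only that messenger v2 was negotiated, not that secure (rather than crc) mode was chosen, which is why Ilya points to the daemon logs for the final confirmation.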