Encrypt keys before saving in OMAP file.

Fixes ceph#960

Signed-off-by: Gil Bregman <[email protected]>

.env

@@ -101,3 +101,5 @@ DHCHAP_KEY6="DHHC-1:01:Bu4tZd7X2oW7XxmVH5tGCdoS30pDX6bZvexHYoudeVlJW9yz:"
 DHCHAP_KEY7="DHHC-1:01:JPJkDQ2po2FfLmKYlTF/sJ2HzVO/FKWxgXKE/H6XfL8ogQ1T:"
 DHCHAP_KEY8="DHHC-1:01:e0B0vDxKleDzYVtG42xqFvoWZfiufkoywmfRKrETzayRdf1j:"
 DHCHAP_KEY9="DHHC-1:01:KD+sfH3/o2bRQoV0ESjBUywQlMnSaYpZISUbVa0k0nsWpNST:"
+DHCHAP_KEY10="DHHC-1:00:rWf0ZFYO7IgWGttM8w6jUrAY4cTQyqyXPdmxHeOSve3w5QU9:"
+DHCHAP_KEY11="DHHC-1:02:j3uUz05r5aQy42vX4tDXqVf9HgUPPdEp3kXTgUWl9EphsG7jwpr9KSIt3bmRLXBijPTIDQ==:"

ceph-nvmeof.conf

@@ -17,6 +17,8 @@ state_update_notify = True
 state_update_timeout_in_msec = 2000
 state_update_interval_sec = 5
 enable_spdk_discovery_controller = False
+enable_key_encryption = True
+encryption_key = /etc/ceph/encryption.key
 rebalance_period_sec = 7
 max_gws_in_grp = 16
 max_ns_to_change_lb_grp = 8
@@ -27,12 +29,12 @@ max_ns_to_change_lb_grp = 8
 #enable_prometheus_exporter = True
 #prometheus_exporter_ssl = True
 #prometheus_port = 10008
-#prometheus_bdev_pools = rbd
+#prometheus_bdev_pools =
 #prometheus_stats_interval = 10
 #verify_nqns = True
 #allowed_consecutive_spdk_ping_failures = 1
 #spdk_ping_interval_in_seconds = 2.0
-#max_hosts_per_namespace = 1
+#max_hosts_per_namespace = 8
 #max_namespaces_with_netmask = 1000
 #max_subsystems = 128
 #max_namespaces = 1024

control/cli.py

@@ -769,6 +769,11 @@ def subsystem_list(self, args):
         if args.format == "text" or args.format == "plain":
             if subsystems.status == 0:
                 subsys_list = []
+                created_without_key = False
+                for s in subsystems.subsystems:
+                    if s.created_without_key:
+                        created_without_key = True
+                        break
                 for s in subsystems.subsystems:
                     if args.subsystem and args.subsystem != s.nqn:
                         err_func("Failure listing subsystem {args.subsystem}: Got subsystem {s.nqn} instead")
@@ -780,15 +785,20 @@ def subsystem_list(self, args):
                     has_dhchap = "Yes" if s.has_dhchap_key else "No"
                     allow_any = "Yes" if s.allow_any_host else "No"
                     one_subsys = [s.subtype, s.nqn, s.serial_number, ctrls_id, s.namespace_count, s.max_namespaces, allow_any, has_dhchap]
+                    if created_without_key:
+                        one_subsys.append("Yes" if s.created_without_key else "No")
                     subsys_list.append(one_subsys)
                 if len(subsys_list) > 0:
                     if args.format == "text":
                         table_format = "fancy_grid"
                     else:
                         table_format = "plain"
+                    headers_list = ["Subtype", "NQN", "Serial\nNumber", "Controller IDs",
+                                    "Namespace\nCount", "Max\nNamespaces", "Allow\nAny Host", "DHCHAP\nKey"]
+                    if created_without_key:
+                        headers_list.append("Created\nWithout Key")
                     subsys_out = tabulate(subsys_list,
-                                      headers = ["Subtype", "NQN", "Serial\nNumber", "Controller IDs",
-                                                 "Namespace\nCount", "Max\nNamespaces", "Allow\nAny Host", "DHCHAP\nKey"],
+                                      headers = headers_list,
                                       tablefmt=table_format)
                     prefix = "Subsystems"
                     if args.subsystem:
@@ -1269,17 +1279,28 @@ def host_list(self, args):
                 hosts_list = []
                 if hosts_info.allow_any_host:
                     hosts_list.append(["Any host", "n/a"])
+                created_without_key = False
+                for h in hosts_info.hosts:
+                    if h.created_without_key:
+                        created_without_key = True
+                        break
                 for h in hosts_info.hosts:
                     use_psk = "Yes" if h.use_psk else "No"
                     use_dhchap = "Yes" if h.use_dhchap else "No"
-                    hosts_list.append([h.nqn, use_psk, use_dhchap])
+                    one_host = [h.nqn, use_psk, use_dhchap]
+                    if created_without_key:
+                        one_host.append("Yes" if h.created_without_key else "No")
+                    hosts_list.append(one_host)
                 if len(hosts_list) > 0:
                     if args.format == "text":
                         table_format = "fancy_grid"
                     else:
                         table_format = "plain"
+                    headers_list = ["Host NQN", "Uses PSK", "Uses DHCHAP"]
+                    if created_without_key:
+                        headers_list.append("Created\nWithout Key")
                     hosts_out = tabulate(hosts_list,
-                                      headers = ["Host NQN", "Uses PSK", "Uses DHCHAP"],
+                                      headers = headers_list,
                                       tablefmt=table_format, stralign="center")
                     out_func(f"Hosts allowed to access {args.subsystem}:\n{hosts_out}")
                 else:

control/discovery.py

@@ -13,6 +13,7 @@
 from .config import GatewayConfig
 from .state import GatewayState, LocalGatewayState, OmapGatewayState, GatewayStateHandler
 from .utils import GatewayLogger
+from .utils import GatewayUtilsCrypto
 from .proto import gateway_pb2 as pb2
 
 import rados
@@ -1129,8 +1130,10 @@ def start_service(self):
         t.start()
 
         local_state = LocalGatewayState()
+        dummy_crypto = GatewayUtilsCrypto(None)
         gateway_state = GatewayStateHandler(self.config, local_state,
-                                            self.omap_state, self._state_notify_update, f"discovery-{socket.gethostname()}")
+                                            self.omap_state, self._state_notify_update,
+                                            dummy_crypto, f"discovery-{socket.gethostname()}")
         gateway_state.start_update()
 
         try: