rbd: fscrypt file encryption support

Integrate basic fscrypt functionality into RBD initialization. To activate file encryption instead of block introduce the new 'encryptionType' storage class key. Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
2025-06-14 02:43:36 +00:00 · 2022-05-27 21:55:58 +02:00
parent f1f50e0218
commit 1fa842277a
4 changed files with 156 additions and 34 deletions
--- a/internal/rbd/nodeserver.go
+++ b/internal/rbd/nodeserver.go
@ -27,6 +27,7 @@ import (
 	csicommon "github.com/ceph/ceph-csi/internal/csi-common"
 	"github.com/ceph/ceph-csi/internal/journal"
 	"github.com/ceph/ceph-csi/internal/util"
+	"github.com/ceph/ceph-csi/internal/util/fscrypt"
 	"github.com/ceph/ceph-csi/internal/util/log"

 	librbd "github.com/ceph/go-ceph/rbd"
@ -433,6 +434,12 @@ func (ns *NodeServer) stageTransaction(
 		transaction.isBlockEncrypted = true
 	}

+	if volOptions.isFileEncrypted() {
+		if err = fscrypt.InitializeNode(ctx); err != nil {
+			return transaction, err
+		}
+	}
+
 	stagingTargetPath := getStagingTargetPath(req)

 	isBlock := req.GetVolumeCapability().GetBlock() != nil
@ -444,12 +451,20 @@ func (ns *NodeServer) stageTransaction(
 	transaction.isStagePathCreated = true

 	// nodeStage Path
-	err = ns.mountVolumeToStagePath(ctx, req, staticVol, stagingTargetPath, devicePath)
+	err = ns.mountVolumeToStagePath(ctx, req, staticVol, stagingTargetPath, devicePath, volOptions.isFileEncrypted())
 	if err != nil {
 		return transaction, err
 	}
 	transaction.isMounted = true

+	if volOptions.isFileEncrypted() {
+		log.DebugLog(ctx, "rbd fscrypt: trying to unlock filesystem on %s image %q", stagingTargetPath, volOptions.VolID)
+		err = fscrypt.Unlock(ctx, volOptions.fileEncryption, stagingTargetPath, volOptions.VolID)
+		if err != nil {
+			return transaction, err
+		}
+	}
+
 	// As we are supporting the restore of a volume to a bigger size and
 	// creating bigger size clone from a volume, we need to check filesystem
 	// resize is required, if required resize filesystem.
@ -691,6 +706,17 @@ func (ns *NodeServer) NodePublishVolume(
 		return &csi.NodePublishVolumeResponse{}, nil
 	}

+	fileEncrypted, err := IsFileEncrypted(ctx, req.GetVolumeContext())
+	if err != nil {
+		return nil, status.Error(codes.Internal, err.Error())
+	}
+	if fileEncrypted {
+		stagingPath = fscrypt.AppendEncyptedSubdirectory(stagingPath)
+		if err = fscrypt.IsDirectoryUnlocked(stagingPath, req.GetVolumeCapability().GetMount().GetFsType()); err != nil {
+			return nil, status.Error(codes.Internal, err.Error())
+		}
+	}
+
 	// Publish Path
 	err = ns.mountVolume(ctx, stagingPath, req)
 	if err != nil {
@ -707,6 +733,7 @@ func (ns *NodeServer) mountVolumeToStagePath(
 	req *csi.NodeStageVolumeRequest,
 	staticVol bool,
 	stagingPath, devicePath string,
+	fileEncryption bool,
 ) error {
 	readOnly := false
 	fsType := req.GetVolumeCapability().GetMount().GetFsType()
@ -751,7 +778,11 @@ func (ns *NodeServer) mountVolumeToStagePath(
 		args := []string{}
 		switch fsType {
 		case "ext4":
-			args = []string{"-m0", "-Enodiscard,lazy_itable_init=1,lazy_journal_init=1", devicePath}
+			args = []string{"-m0", "-Enodiscard,lazy_itable_init=1,lazy_journal_init=1"}
+			if fileEncryption {
+				args = append(args, "-Oencrypt")
+			}
+			args = append(args, devicePath)
 		case "xfs":
 			args = []string{"-K", devicePath}
 			// always disable reflink