From: Patrick Donnelly <pdonnell@redhat.com>
To: Jeff Layton <jlayton@redhat.com>
Cc: dev <dev@ceph.io>, Ceph Development <ceph-devel@vger.kernel.org>,
Luis Henriques <lhenriques@suse.com>,
Xiubo Li <xiubli@redhat.com>, Gregory Farnum <gfarnum@redhat.com>,
Douglas Fuller <dfuller@redhat.com>
Subject: Re: ceph-mds infrastructure for fscrypt
Date: Fri, 7 May 2021 10:15:09 -0700 [thread overview]
Message-ID: <CA+2bHPaDTy41f5QWhqJR-b2rUyt=KhD=uoCnC1mtxG054+BL3Q@mail.gmail.com> (raw)
In-Reply-To: <1988ce8168d06dc9a6273fc1021762ed3e49f11c.camel@redhat.com>
On Fri, May 7, 2021 at 6:07 AM Jeff Layton <jlayton@redhat.com> wrote:
>
> On Fri, 2021-04-30 at 18:03 -0700, Patrick Donnelly wrote:
> > On Fri, Apr 30, 2021 at 8:04 AM Jeff Layton <jlayton@redhat.com> wrote:
> > >
> > > On Fri, 2021-04-30 at 07:45 -0700, Patrick Donnelly wrote:
> > > > On Fri, Apr 30, 2021 at 7:33 AM Jeff Layton <jlayton@redhat.com> wrote:
> > > > > We specifically need this for directories and symlinks during pathwalks
> > > > > too. Eventually we may also want to encrypt certain data for other inode
> > > > > types as well (e.g. block/char devices). That's less critical though.
> > > > >
> > > > > The problem with fetching it after the inode is first instantiated is
> > > > > that we can end up recursing into a separate request while encoding a
> > > > > path. For instance, see this stack trace that Luis reported:
> > > > > https://lore.kernel.org/ceph-devel/53d5bebb28c1e0cd354a336a56bf103d5e3a6344.camel@kernel.org/T/#m0f7bbed6280623d761b8b4e70671ed568535d7fa
> > > > >
> > > > > While that implementation stored the context in an xattr, the problem
> > > > > isstill the same if you have to fetch the context in the middle of
> > > > > building a path. The best solution is just to always ensure it's
> > > > > available.
> > > >
> > > > Got it. Splitting the struct makes sense then. The pin cap would be
> > > > suitable for the immutable encryption context (if truly
> > > > immutable?).Otherwise maybe the Axs cap?
> > > >
> > >
> > > Ok. In that case, then we probably need to put the context blob under
> > > AUTH caps so we can ensure that it's consulted during the permission
> > > checks for pathwalks. The size will need to live under FILE.
> > >
> > > Now for the hard part...what do we name these fields?
> > >
> > > fscrypt_context
> > > fscrypt_size
> > >
> > > ...or maybe...
> > >
> > > fscrypt_auth
> > > fscrypt_file
> > >
> > > Since they'll be vector blobs, we can version these too so that we can
> > > add other fields later if the need arises (even for non-fscrypt stuff).
> > > Maybe we could consider:
> > >
> > > client_opaque_auth
> > > client_opaque_file
> >
> > An opaque blob makes sense but you'd want a sentinel indicating it's
> > an fscrypt blob. Don't think we'd be able to have two competing
> > use-cases but it'd be nice to have it generic enough for future
> > encryption libraries maybe.
> >
>
> I'm going with fscrypt_auth and fscrypt_file for now. We can rename them
> later though if we want. What I'll probably do is just declare a
> versioned format for these blobs. The MDS won't care about it, but the
> clients can follow that convention.
>
> I've made a bit of progress on this this week (fixing up the encoding
> and decoding was a bit of a hassle, fwiw). These fields are associated
> with the core inodes. The clients will use SETATTR calls to set them,
> though they will also be updated with cap flushes, etc.
>
> I need to be able to validate this feature in userland though and I
> don't really want to roll dedicated functions for them. What I may do is
> add new vxattrs (ceph.fscrypt_auth and ceph.fscrypt_file) and have those
> expose these fields. Doing a setxattr on them will do a SETATTR under
> the hood. The alternative is to declare new libcephfs routines for
> fetching and setting these.
A client-side vxattr sounds good to me.
--
Patrick Donnelly, Ph.D.
He / Him / His
Principal Software Engineer
Red Hat Sunnyvale, CA
GPG: 19F28A586F808C2402351B93C3301A3E258DD79D
prev parent reply other threads:[~2021-05-07 17:15 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-04-22 18:18 ceph-mds infrastructure for fscrypt Jeff Layton
2021-04-23 11:46 ` Luis Henriques
2021-04-23 12:27 ` Jeff Layton
2021-04-29 23:46 ` Patrick Donnelly
2021-04-30 13:45 ` Jeff Layton
2021-04-30 14:20 ` Patrick Donnelly
2021-04-30 14:33 ` Jeff Layton
2021-04-30 14:45 ` Patrick Donnelly
2021-04-30 15:03 ` Jeff Layton
2021-05-01 1:03 ` Patrick Donnelly
2021-05-07 13:07 ` Jeff Layton
2021-05-07 17:15 ` Patrick Donnelly [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CA+2bHPaDTy41f5QWhqJR-b2rUyt=KhD=uoCnC1mtxG054+BL3Q@mail.gmail.com' \
--to=pdonnell@redhat.com \
--cc=ceph-devel@vger.kernel.org \
--cc=dev@ceph.io \
--cc=dfuller@redhat.com \
--cc=gfarnum@redhat.com \
--cc=jlayton@redhat.com \
--cc=lhenriques@suse.com \
--cc=xiubli@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.