Merge pull request ceph#58140 from guits/cv-tpm2-support

ceph-volume: add TPM2 token enrollment support for encrypted OSDs

Author: guits

doc/ceph-volume/lvm/prepare.rst

@@ -61,6 +61,12 @@ For enabling :ref:`encryption <ceph-volume-lvm-encryption>`, the ``--dmcrypt`` f
 
     ceph-volume lvm prepare --bluestore --dmcrypt --data vg/lv
 
+Starting with Ceph Squid, you can opt for TPM2 token enrollment for the created LUKS2 devices with the ``--with-tpm`` flag:
+
+.. prompt:: bash #
+
+    ceph-volume lvm prepare --bluestore --dmcrypt --with-tpm --data vg/lv
+
 If a ``block.db`` device or a ``block.wal`` device is needed, it can be
 specified with ``--block.db`` or ``--block.wal``. These can be physical
 devices, partitions, or logical volumes. ``block.db`` and ``block.wal`` are

doc/cephadm/services/osd.rst

@@ -666,6 +666,21 @@ This example would deploy all OSDs with encryption enabled.
         all: true
       encrypted: true
 
+Ceph Squid onwards support tpm2 token enrollment to LUKS2 devices.
+You can add the `tpm2` to your OSD spec:
+
+.. code-block:: yaml
+
+    service_type: osd
+    service_id: example_osd_spec_with_tpm2
+    placement:
+      host_pattern: '*'
+    spec:
+      data_devices:
+        all: true
+      encrypted: true
+      tpm2: true
+
 See a full list in the DriveGroupSpecs
 
 .. py:currentmodule:: ceph.deployment.drive_group

src/ceph-volume/ceph_volume/__init__.py

@@ -1,8 +1,33 @@
+import os
+import logging
 from collections import namedtuple
 
 
 sys_info = namedtuple('sys_info', ['devices'])
 sys_info.devices = dict()
+logger = logging.getLogger(__name__)
+
+
+class AllowLoopDevices:
+    allow = False
+    warned = False
+
+    @classmethod
+    def __call__(cls) -> bool:
+        val = os.environ.get("CEPH_VOLUME_ALLOW_LOOP_DEVICES", "false").lower()
+        if val not in ("false", 'no', '0'):
+            cls.allow = True
+            if not cls.warned:
+                logger.warning(
+                    "CEPH_VOLUME_ALLOW_LOOP_DEVICES is set in your "
+                    "environment, so we will allow the use of unattached loop"
+                    " devices as disks. This feature is intended for "
+                    "development purposes only and will never be supported in"
+                    " production. Issues filed based on this behavior will "
+                    "likely be ignored."
+                )
+                cls.warned = True
+        return cls.allow
 
 
 class UnloadedConfig(object):
@@ -14,6 +39,8 @@ class UnloadedConfig(object):
     def __getattr__(self, *a):
         raise RuntimeError("No valid ceph configuration file was loaded.")
 
+
+allow_loop_devices = AllowLoopDevices()
 conf = namedtuple('config', ['ceph', 'cluster', 'verbosity', 'path', 'log_path', 'dmcrypt_no_workqueue'])
 conf.ceph = UnloadedConfig()
 conf.dmcrypt_no_workqueue = None

src/ceph-volume/ceph_volume/devices/lvm/batch.py

@@ -267,6 +267,12 @@ def __init__(self, argv):
             action=arg_validators.DmcryptAction,
             help='Enable device encryption via dm-crypt',
         )
+        parser.add_argument(
+            '--with-tpm',
+            dest='with_tpm',
+            help='Whether encrypted OSDs should be enrolled with TPM.',
+            action='store_true'
+        )
         parser.add_argument(
             '--crush-device-class',
             dest='crush_device_class',
@@ -423,6 +429,7 @@ def _execute(self, plan):
         global_args = [
             'bluestore',
             'dmcrypt',
+            'with_tpm',
             'crush_device_class',
             'no_systemd',
         ]

src/ceph-volume/ceph_volume/devices/lvm/common.py

@@ -83,6 +83,11 @@ def rollback_osd(args, osd_id=None):
         'action': arg_validators.DmcryptAction,
         'help': 'Enable device encryption via dm-crypt',
     },
+    '--with-tpm': {
+        'dest': 'with_tpm',
+        'help': 'Whether encrypted OSDs should be enrolled with TPM.',
+        'action': 'store_true'
+    },
     '--no-systemd': {
         'dest': 'no_systemd',
         'action': 'store_true',

src/ceph-volume/ceph_volume/devices/raw/activate.py

@@ -39,12 +39,19 @@ def main(self):
             '--device',
             help='The device for the OSD to start'
         )
+        parser.add_argument(
+            '--devices',
+            help='The device for the OSD to start',
+            nargs='*',
+            default=[]
+        )
         parser.add_argument(
             '--osd-id',
             help='OSD ID to activate'
         )
         parser.add_argument(
             '--osd-uuid',
+            dest='osd_fsid',
             help='OSD UUID to active'
         )
         parser.add_argument(
@@ -82,15 +89,11 @@ def main(self):
             return
         self.args = parser.parse_args(self.argv)
 
-        devs = []
         if self.args.device:
-            devs = [self.args.device]
-        if self.args.block_wal:
-            devs.append(self.args.block_wal)
-        if self.args.block_db:
-            devs.append(self.args.block_db)
+            if self.args.devices is None:
+                self.args.devices = [self.args.device]
+            else:
+                self.args.devices.append(self.args.device)
+
         self.objectstore = objectstore.mapping['RAW'][self.args.objectstore](args=self.args)
-        self.objectstore.activate(devs=devs,
-                                  start_osd_id=self.args.osd_id,
-                                  start_osd_uuid=self.args.osd_uuid,
-                                  tmpfs=not self.args.no_tmpfs)
+        self.objectstore.activate()

src/ceph-volume/ceph_volume/devices/raw/common.py

@@ -1,7 +1,7 @@
 import argparse
 from ceph_volume.util import arg_validators
 
-def create_parser(prog, description):
+def create_parser(prog: str, description: str) -> argparse.ArgumentParser:
     """
     Both prepare and create share the same parser, those are defined here to
     avoid duplication
@@ -58,6 +58,12 @@ def create_parser(prog, description):
         action=arg_validators.DmcryptAction,
         help='Enable device encryption via dm-crypt',
     )
+    parser.add_argument(
+        '--with-tpm',
+        dest='with_tpm',
+        help='Whether encrypted OSDs should be enrolled with TPM.',
+        action='store_true'
+    ),
     parser.add_argument(
         '--osd-id',
         help='Reuse an existing OSD id',

src/ceph-volume/ceph_volume/devices/raw/list.py

@@ -5,7 +5,7 @@
 from textwrap import dedent
 from ceph_volume import decorators, process
 from ceph_volume.util import disk
-from typing import Any, Dict, List
+from typing import Any, Dict, List as _List
 
 logger = logging.getLogger(__name__)
 
@@ -20,50 +20,35 @@ def direct_report(devices):
     _list = List([])
     return _list.generate(devices)
 
-def _get_bluestore_info(dev):
+def _get_bluestore_info(dev: str) -> Dict[str, Any]:
+    result: Dict[str, Any] = {}
     out, err, rc = process.call([
         'ceph-bluestore-tool', 'show-label',
         '--dev', dev], verbose_on_failure=False)
     if rc:
         # ceph-bluestore-tool returns an error (below) if device is not bluestore OSD
         #   > unable to read label for <device>: (2) No such file or directory
         # but it's possible the error could be for a different reason (like if the disk fails)
-        logger.debug('assuming device {} is not BlueStore; ceph-bluestore-tool failed to get info from device: {}\n{}'.format(dev, out, err))
-        return None
-    oj = json.loads(''.join(out))
-    if dev not in oj:
-        # should be impossible, so warn
-        logger.warning('skipping device {} because it is not reported in ceph-bluestore-tool output: {}'.format(dev, out))
-        return None
-    try:
-        r = {
-            'osd_uuid': oj[dev]['osd_uuid'],
-        }
-        if oj[dev]['description'] == 'main':
-            whoami = oj[dev]['whoami']
-            r.update({
-                'type': 'bluestore',
-                'osd_id': int(whoami),
-                'ceph_fsid': oj[dev]['ceph_fsid'],
-                'device': dev,
-            })
-        elif oj[dev]['description'] == 'bluefs db':
-            r['device_db'] = dev
-        elif oj[dev]['description'] == 'bluefs wal':
-            r['device_wal'] = dev
-        return r
-    except KeyError as e:
-        # this will appear for devices that have a bluestore header but aren't valid OSDs
-        # for example, due to incomplete rollback of OSDs: https://tracker.ceph.com/issues/51869
-        logger.error('device {} does not have all BlueStore data needed to be a valid OSD: {}\n{}'.format(dev, out, e))
-        return None
+        logger.debug(f'assuming device {dev} is not BlueStore; ceph-bluestore-tool failed to get info from device: {out}\n{err}')
+    else:
+        oj = json.loads(''.join(out))
+        if dev not in oj:
+            # should be impossible, so warn
+            logger.warning(f'skipping device {dev} because it is not reported in ceph-bluestore-tool output: {out}')
+        try:
+            result = disk.bluestore_info(dev, oj)
+        except KeyError as e:
+            # this will appear for devices that have a bluestore header but aren't valid OSDs
+            # for example, due to incomplete rollback of OSDs: https://tracker.ceph.com/issues/51869
+            logger.error(f'device {dev} does not have all BlueStore data needed to be a valid OSD: {out}\n{e}')
+    return result
 
 
 class List(object):
 
     help = 'list BlueStore OSDs on raw devices'
 
-    def __init__(self, argv):
+    def __init__(self, argv: _List[str]) -> None:
         self.argv = argv
 
     def is_atari_partitions(self, _lsblk: Dict[str, Any]) -> bool:
@@ -81,7 +66,7 @@ def is_atari_partitions(self, _lsblk: Dict[str, Any]) -> bool:
                 return True
         return False
 
-    def exclude_atari_partitions(self, _lsblk_all: Dict[str, Any]) -> List[Dict[str, Any]]:
+    def exclude_atari_partitions(self, _lsblk_all: Dict[str, Any]) -> _List[Dict[str, Any]]:
         return [_lsblk for _lsblk in _lsblk_all if not self.is_atari_partitions(_lsblk)]
 
     def generate(self, devs=None):
@@ -113,7 +98,7 @@ def generate(self, devs=None):
         logger.debug('inspecting devices: {}'.format(devs))
         for info_device in info_devices:
             bs_info = _get_bluestore_info(info_device['NAME'])
-            if bs_info is None:
+            if not bs_info:
                 # None is also returned in the rare event that there is an issue reading info from
                 # a BlueStore disk, so be sure to log our assumption that it isn't bluestore
                 logger.info('device {} does not have BlueStore information'.format(info_device['NAME']))

src/ceph-volume/ceph_volume/devices/raw/prepare.py

@@ -42,11 +42,13 @@ def main(self):
         self.args = parser.parse_args(self.argv)
         if self.args.bluestore:
             self.args.objectstore = 'bluestore'
-        if self.args.dmcrypt and not os.getenv('CEPH_VOLUME_DMCRYPT_SECRET'):
-            terminal.error('encryption was requested (--dmcrypt) but environment variable ' \
-                           'CEPH_VOLUME_DMCRYPT_SECRET is not set, you must set ' \
-                           'this variable to provide a dmcrypt secret.')
-            raise SystemExit(1)
+        if self.args.dmcrypt:
+            if not self.args.with_tpm and not os.getenv('CEPH_VOLUME_DMCRYPT_SECRET'):
+                terminal.error('encryption was requested (--dmcrypt) but environment variable ' \
+                               'CEPH_VOLUME_DMCRYPT_SECRET is not set, you must set ' \
+                               'this variable to provide a dmcrypt secret or use --with-tpm ' \
+                               'in order to enroll a tpm2 token.')
+                raise SystemExit(1)
 
         self.objectstore = objectstore.mapping['RAW'][self.args.objectstore](args=self.args)
         self.objectstore.safe_prepare(self.args)

src/ceph-volume/ceph_volume/objectstore/__init__.py

@@ -1,7 +1,9 @@
 from . import lvmbluestore
 from . import rawbluestore
+from typing import Any, Dict
 
-mapping = {
+
+mapping: Dict[str, Any] = {
     'LVM': {
         'bluestore': lvmbluestore.LvmBlueStore
     },