Add dm-crypt interface to microceph


Could the recent upload of microceph adding support for the dm-crypt interface be approved? It adds support for encrypting Ceph OSDs in microceph!

It would also be appreciated if this interface could be auto-connected as a user asking to encrypt a disk would be surprised that the command didn’t work (microceph disk add --encrypt /dev/sdg). The dm-crypt support in microceph is only used when a user explicitly asks to use encryption.

1 Like

this is the change that added the dm-crypt support to microceph, with the snap’s code and a snap service helper to consume it

i have moved your post into the store-requests category so it shows up in the correct queue …

1 Like

Since this is only used in this case, would it be possible to try and detect at this time whether the interface is connected (snapctl is-connected dm-crypt), and if not, ask the user to connect it manually?

It might be possible to try and detect this, it’s a bit against MicroCeph’s idea of simplicity however – so from my POV it would be preferable to make the user experience as simple as possible, making it “just work”. Are there security concerns around auto-connecting?

There is no specific concern here - just that the use of super-privileged interfaces should be minimised and auto-connecting it increases the attack surface - so if possible it is best to minimise privileges and hence connect it on demand rather than by default.

Hey @alexmurray, we’ve discussed and will add in checks for the interface being connected to nicely handle the case where it isn’t; given that, we’re happy (ok, we’re accepting :stuck_out_tongue: ) with it not auto-connecting. In the meantime, are there any other questions or concerns about the interface, or could it be approved without auto-connection at this point?

@icey that sounds great. +1 from me for use of (but not auto-connect) dm-crypt for microceph.

Note as per the Process for aliases, auto-connections and tracks there is a 7 day voting period for other @reviewers to add their vote, then this can be tallied and actioned.

Can other @reviewers please vote on this request?

No concerns. +1 from me for microceph usage of dm-crypt (without auto-connect).

+2 votes for, 0 against. Granting microceph use of dm-crypt interface. This is now live.

1 Like
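
The on-demand check discussed in this thread, sketched as an added example (not part of the original posts and not MicroCeph's own code): it consults `snapctl is-connected` only when `--encrypt` is requested and fails closed with a connect hint rather than continuing unencrypted. The function names are hypothetical, and the plug name `dm-crypt` and snap name `microceph` are assumptions based on the thread's wording.

```shell
#!/bin/sh
# Added example: preflight for an encryption request made inside a snap.
# PLUG and SNAP_NAME are assumptions taken from the thread's wording.
PLUG="dm-crypt"
SNAP_NAME="microceph"

# wants_encryption ARGS... : succeeds only if --encrypt is among the arguments.
wants_encryption() {
    for arg in "$@"; do
        [ "$arg" = "--encrypt" ] && return 0
    done
    return 1
}

# dm_crypt_preflight ARGS...
#   0: proceed (no encryption requested, or the plug is connected)
#   1: encryption requested but the plug is not connected
#   2: cannot tell (snapctl unavailable, i.e. not running inside a snap)
dm_crypt_preflight() {
    # The privileged interface is irrelevant unless encryption was asked for.
    wants_encryption "$@" || return 0
    if ! command -v snapctl >/dev/null 2>&1; then
        echo "error: snapctl not found; cannot check the $PLUG interface" >&2
        return 2
    fi
    # snapctl is-connected exits 0 only when the named plug is connected.
    if snapctl is-connected "$PLUG"; then
        return 0
    fi
    # Fail closed: never fall back silently to an unencrypted disk.
    echo "error: --encrypt needs the $PLUG interface, which is not connected." >&2
    echo "Connect it, then retry:  sudo snap connect $SNAP_NAME:$PLUG" >&2
    return 1
}
```

A caller would run `dm_crypt_preflight "$@"` before touching the disk and stop on any non-zero status.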