Could the recent upload of microceph adding support for the dm-crypt interface be approved? It adds support for encrypting Ceph OSDs in microceph!
It would also be appreciated if this interface could be auto-connected as a user asking to encrypt a disk would be surprised that the command didn’t work (microceph disk add --encrypt /dev/sdg). The dm-crypt support in microceph is only used when a user explicitly asks to use encryption.
Since this is only used in this case, would it be possible to try and detect at this time whether the interface is connected (snapctl is-connected dm-crypt), and if not, ask the user to connect it manually?
It might be possible to try and detect this, it’s a bit against MicroCephs idea of simplicity however – so from my POV it would be preferable to make the user experience as simple as possible, making “just work”. Are there security concerns around auto-connecting?
There is no specific concern here - just that the use of super-privileged interfaces should be minimised and auto-connecting it increases the attack surface - so if possible it is best to minimise privileges and hence connect it on demand rather than by default.
Hey @alexmurray, we’ve discussed and will add in checks for the interface being connected to nicely handle the case where it isn’t; given that, we’re happy (ok, we’re accepting ) with it not auto-connecting. In the meantime, are there any other questions or concerns about the interface, or could it be approved without auto-connection at this point?