From: Jeff Layton <jlayton@kernel.org>
To: "Xiubo Li" <xiubli@redhat.com>, "Luís Henriques" <lhenriques@suse.de>
Cc: Ilya Dryomov <idryomov@gmail.com>,
Ceph Development <ceph-devel@vger.kernel.org>,
linux-kernel@vger.kernel.org
Subject: Re: [RFC PATCH v2 0/3] ceph: add support for snapshot names encryption
Date: Thu, 17 Mar 2022 08:41:17 -0400 [thread overview]
Message-ID: <93ac97c750456fe77d33f432629bad209dc14e81.camel@kernel.org> (raw)
In-Reply-To: <a4d26edc-a65f-27e2-2ea9-ef43f364eb9b@redhat.com>
On Thu, 2022-03-17 at 20:31 +0800, Xiubo Li wrote:
> On 3/17/22 8:01 PM, Jeff Layton wrote:
> > On Thu, 2022-03-17 at 11:11 +0000, Luís Henriques wrote:
> > > Xiubo Li <xiubli@redhat.com> writes:
> > >
> > > > On 3/17/22 6:01 PM, Jeff Layton wrote:
> > > > > I'm not sure we want to worry about .snap directories here since they
> > > > > aren't "real". IIRC, snaps are inherited from parents too, so you could
> > > > > do something like
> > > > >
> > > > > mkdir dir1
> > > > > mkdir dir1/.snap/snap1
> > > > > mkdir dir1/dir2
> > > > > fscrypt encrypt dir1/dir2
> > > > >
> > > > > There should be nothing to prevent encrypting dir2, but I'm pretty sure
> > > > > dir2/.snap will not be empty at that point.
> > > > If we don't take care of this. Then we don't know which snapshots should do
> > > > encrypt/dencrypt and which shouldn't when building the path in lookup and when
> > > > reading the snapdir ?
> > > In my patchset (which I plan to send a new revision later today, I think I
> > > still need to rebase it) this is handled by using the *real* snapshot
> > > parent inode. If we're decrypting/encrypting a name for a snapshot that
> > > starts with a '_' character, we first find the parent inode for that
> > > snapshot and only do the operation if that parent is encrypted.
> > >
> > > In the other email I suggested that we could prevent enabling encryption
> > > in a directory when there are snapshots above in the hierarchy. But now
> > > that I think more about it, it won't solve any problem because you could
> > > create those snapshots later and then you would still need to handle these
> > > (non-encrypted) "_name_xxxx" snapshots anyway.
> > >
> > Yeah, that sounds about right.
> >
> > What happens if you don't have the snapshot parent's inode in cache?
> > That can happen if you (e.g.) are running NFS over ceph, or if you get
> > crafty with name_to_handle_at() and open_by_handle_at().
> >
> > Do we have to do a LOOKUPINO in that case or does the trace contain that
> > info? If it doesn't then that could really suck in a big hierarchy if
> > there are a lot of different snapshot parent inodes to hunt down.
> >
> > I think this is a case where the client just doesn't have complete
> > control over the dentry name. It may be better to just not encrypt them
> > if it's too ugly.
> >
> > Another idea might be to just use the same parent inode (maybe the
> > root?) for all snapshot names. It's not as secure, but it's probably
> > better than nothing.
>
> Does it allow to have different keys for the subdirs in the hierarchy ?
> From my test it doesn't.
>
No. Once you set a key on directory you can't set another on a subtree
of it.
> If so we can always use the same oldest ancestor in the hierarchy, who
> has encryption key, to encyrpt/decrypt all the .snap in the hierarchy,
> then just need to lookup oldest ancestor inode only once.
>
That's a possibility.
--
Jeff Layton <jlayton@kernel.org>
next prev parent reply other threads:[~2022-03-17 12:41 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-03-15 16:19 [RFC PATCH v2 0/3] ceph: add support for snapshot names encryption Luís Henriques
2022-03-15 16:19 ` [RFC PATCH v2 1/3] ceph: add support for encrypted snapshot names Luís Henriques
2022-03-16 0:07 ` Xiubo Li
2022-03-15 16:19 ` [RFC PATCH v2 2/3] ceph: add support for handling " Luís Henriques
2022-03-16 0:47 ` Xiubo Li
2022-03-16 11:00 ` Luís Henriques
2022-03-15 16:19 ` [RFC PATCH v2 3/3] ceph: update documentation regarding snapshot naming limitations Luís Henriques
2022-03-16 0:48 ` Xiubo Li
2022-03-17 5:27 ` [RFC PATCH v2 0/3] ceph: add support for snapshot names encryption Xiubo Li
2022-03-17 10:01 ` Jeff Layton
2022-03-17 10:52 ` Xiubo Li
2022-03-17 11:11 ` Luís Henriques
2022-03-17 11:28 ` Xiubo Li
2022-03-17 12:01 ` Jeff Layton
2022-03-17 12:31 ` Xiubo Li
2022-03-17 12:41 ` Jeff Layton [this message]
2022-03-17 12:44 ` Xiubo Li
2022-03-17 15:59 ` Luís Henriques
2022-03-17 10:14 ` Luís Henriques
2022-03-17 11:02 ` Xiubo Li
2022-03-17 11:22 ` Xiubo Li
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=93ac97c750456fe77d33f432629bad209dc14e81.camel@kernel.org \
--to=jlayton@kernel.org \
--cc=ceph-devel@vger.kernel.org \
--cc=idryomov@gmail.com \
--cc=lhenriques@suse.de \
--cc=linux-kernel@vger.kernel.org \
--cc=xiubli@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox