Tasks #70979

closed

Tasks #63293: Implement fscrypt in libcephfs and cephfs-fuse

cached fscrypt_file information lost during snap create

Added by Christopher Hoffman 10 months ago. Updated 10 months ago.

Status: Resolved
Priority: Normal
% Done: 0%

Description

When a snapshot is created on an encrypted inode, the cached fscrypt_file xattr information is lost.

Steps to reproduce:

+ sudo CEPH_CONF=ceph.conf ./bin/ceph-fuse --client_fs cephfs /mnt/mycephfs
2025-04-18T14:56:13.921+0000 7f3b396fb600 -1 WARNING: all dangerous and experimental features are enabled.
2025-04-18T14:56:13.931+0000 7f3b396fb600 -1 WARNING: all dangerous and experimental features are enabled.
2025-04-18T14:56:13.934+0000 7f3b396fb600 -1 WARNING: all dangerous and experimental features are enabled.
2025-04-18T14:56:13.939+0000 7f3b396fb600 -1 init, newargv = 0x55cf83eff2c0 newargc=13
2025-04-18T14:56:13.939+0000 7f3b396fb600 -1 init, args.argv = 0x55cf83ec5170 args.argc=4
ceph-fuse[3454218]: starting ceph client
ceph-fuse[3454218]: starting fuse
+ fscrypt setup /mnt/mycephfs
Allow users other than choffman to create fscrypt metadata on this filesystem? (See
https://github.com/google/fscrypt#setting-up-fscrypt-on-a-filesystem) [y/N] 
Metadata directories created at "/mnt/mycephfs/.fscrypt", writable by choffman only.
+ mkdir /mnt/mycephfs/enc1
+ fscrypt encrypt /mnt/mycephfs/enc1
The following protector sources are available:
1 - Your login passphrase (pam_passphrase)
2 - A custom passphrase (custom_passphrase)
3 - A raw 256-bit key (raw_key)
Enter the source number for the new protector [2 - custom_passphrase]: 
Enter a name for the new protector: t
Enter custom passphrase for protector "t": 
Confirm passphrase: 
"/mnt/mycephfs/enc1" is now encrypted, unlocked, and ready for use.
+ echo contents > /mnt/mycephfs/enc1/filea
+ getfattr -n ceph.fscrypt.file /mnt/mycephfs/enc1/filea
getfattr: Removing leading '/' from absolute path names
# file: mnt/mycephfs/enc1/filea
ceph.fscrypt.file=0sCQAAAAAAAAA=

+ mkdir /mnt/mycephfs/.snap/snap1
+ ls -alh /mnt/mycephfs/enc1/filea
-rw-------. 1 choffman choffman 9 Apr 18 14:56 /mnt/mycephfs/enc1/filea
+ ls -alh /mnt/mycephfs/.snap/snap1/enc1/filea
-rw-------. 1 choffman choffman 4.0K Apr 18 14:56 /mnt/mycephfs/.snap/snap1/enc1/filea
+ getfattr -n ceph.fscrypt.file /mnt/mycephfs/enc1/filea
getfattr: Removing leading '/' from absolute path names
# file: mnt/mycephfs/enc1/filea
ceph.fscrypt.file=0sABAAAAAAAAA=

+ getfattr -n ceph.fscrypt.file /mnt/mycephfs/.snap/snap1/enc1/filea
getfattr: Removing leading '/' from absolute path names
# file: mnt/mycephfs/.snap/snap1/enc1/filea
ceph.fscrypt.file=0sABAAAAAAAAA=

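The two getfattr values above decode to 9 and 4096, matching the 9-byte and 4.0K sizes in the ls output. The following is an added check script, not part of the original issue or of Ceph: it parses getfattr's encoded output and treats ceph.fscrypt.file as a little-endian u64 file size (an interpretation assumed here, supported by those matching numbers) to flag when the cached value has been replaced by a block-rounded size.

```python
import base64
import struct

# Constructed from the getfattr output quoted in the issue description.
GETFATTR_BEFORE_SNAP = """\
# file: mnt/mycephfs/enc1/filea
ceph.fscrypt.file=0sCQAAAAAAAAA=
"""
GETFATTR_AFTER_SNAP = """\
# file: mnt/mycephfs/enc1/filea
ceph.fscrypt.file=0sABAAAAAAAAA=
"""


def parse_getfattr(output: str) -> dict:
    """Parse `getfattr -n <name>` output into {name: raw bytes}.

    getfattr prefixes encoded values with 0s (base64) or 0x (hex);
    anything else is a quoted string.
    """
    attrs = {}
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition("=")
        if value.startswith("0s"):
            attrs[name] = base64.b64decode(value[2:])
        elif value.startswith("0x"):
            attrs[name] = bytes.fromhex(value[2:])
        else:
            attrs[name] = value.strip('"').encode()
    return attrs


def fscrypt_file_size(raw: bytes) -> int:
    """Interpret ceph.fscrypt.file as a little-endian u64 (assumption)."""
    if len(raw) != 8:
        raise ValueError(f"unexpected fscrypt_file length {len(raw)}")
    return struct.unpack("<Q", raw)[0]


def check_snapshot_regression(before: str, after: str) -> dict:
    """Compare the cached fscrypt_file size before and after snap creation."""
    size_before = fscrypt_file_size(parse_getfattr(before)["ceph.fscrypt.file"])
    size_after = fscrypt_file_size(parse_getfattr(after)["ceph.fscrypt.file"])
    return {
        "before": size_before,
        "after": size_after,
        "lost": size_before != size_after,
        # A lost value shows up as the 4 KiB block-rounded size seen in ls.
        "block_rounded": size_after % 4096 == 0 and size_after != size_before,
    }
```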

Related issues: 1 (0 open, 1 closed)

Related to CephFS - Tasks #69840: Support subvolume clone (Resolved, Christopher Hoffman)

Actions #1

Updated by Christopher Hoffman 10 months ago

Actions #2

Updated by Christopher Hoffman 10 months ago

  • Status changed from In Progress to Resolved

fscrypt fields were missing during capsnap.

Author: Christopher Hoffman <[email protected]>
Date:   Fri Apr 18 20:55:02 2025 +0000

    client: provide fscrypt vxattrs in CapSnap

    Fixes: https://tracker.ceph.com/issues/70979
    Signed-off-by: Christopher Hoffman <[email protected]>

diff --git a/src/client/Client.cc b/src/client/Client.cc
index 0314a620308..747e0672ab0 100644
--- a/src/client/Client.cc
+++ b/src/client/Client.cc
@@ -4362,6 +4362,8 @@ void Client::finish_cap_snap(Inode *in, CapSnap &capsnap, int used)
 {
   ldout(cct, 10) << __func__ << " " << *in << " capsnap " << (void *)&capsnap << " used " << ccap_string(used) << dendl;
   capsnap.size = in->size;
+  capsnap.fscrypt_auth = in->fscrypt_auth;
+  capsnap.fscrypt_file = in->fscrypt_file;
   capsnap.mtime = in->mtime;
   capsnap.atime = in->atime;
   capsnap.ctime = in->ctime;
@@ -4416,6 +4418,8 @@ void Client::send_flush_snap(Inode *in, MetaSession *session,
   m->head.xattr_version = capsnap.xattr_version;
   encode(capsnap.xattrs, m->xattrbl);

+  m->fscrypt_file = capsnap.fscrypt_auth;
+  m->fscrypt_file = capsnap.fscrypt_file;
   m->ctime = capsnap.ctime;
   m->btime = capsnap.btime;
   m->mtime = capsnap.mtime;
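Review bot: the first added line in send_flush_snap assigns capsnap.fscrypt_auth to m->fscrypt_file, and the next line immediately overwrites it with capsnap.fscrypt_file, so the auth context never reaches the flush-snap message. The first line should read `m->fscrypt_auth = capsnap.fscrypt_auth;` (assuming the message carries a fscrypt_auth member alongside fscrypt_file, mirroring the two CapSnap fields added in Inode.h).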
diff --git a/src/client/Inode.h b/src/client/Inode.h
index 9a124029eca..36a8d0ab4bc 100644
--- a/src/client/Inode.h
+++ b/src/client/Inode.h
@@ -99,6 +99,8 @@ struct CapSnap {
   gid_t      gid = 0;
   std::map<std::string,bufferptr> xattrs;
   version_t xattr_version = 0;
+  std::vector<uint8_t> fscrypt_auth;
+  std::vector<uint8_t> fscrypt_file;

   bufferlist inline_data;
   version_t inline_version = 0;

Actions #3

Updated by Christopher Hoffman 10 months ago

  • Subject changed from fscrypt_file information lost during snap create to cached fscrypt_file information lost during snap create
  • Description updated (diff)