Diffstat (limited to 'qa/workunits/rbd/luks-encryption.sh')
-rwxr-xr-x | qa/workunits/rbd/luks-encryption.sh | 101 |
1 files changed, 101 insertions, 0 deletions
diff --git a/qa/workunits/rbd/luks-encryption.sh b/qa/workunits/rbd/luks-encryption.sh
new file mode 100755
index 000000000..6ef2dafe9
--- /dev/null
+++ b/qa/workunits/rbd/luks-encryption.sh
@@ -0,0 +1,101 @@
+#!/usr/bin/env bash
+set -ex
+
+CEPH_ID=${CEPH_ID:-admin}
+TMP_FILES="/tmp/passphrase /tmp/testdata1 /tmp/testdata2"
+
+_sudo()
+{
+ local cmd
+
+ if [ `id -u` -eq 0 ]
+ then
+ "$@"
+ return $?
+ fi
+
+ # Look for the command in the user path. If it fails run it as is,
+ # supposing it is in sudo path.
+ cmd=`which $1 2>/dev/null` || cmd=$1
+ shift
+ sudo -nE "${cmd}" "$@"
+}
+
+function drop_caches {
+ echo 3 | sudo tee /proc/sys/vm/drop_caches
+}
+
+function test_encryption_format() {
+ local format=$1
+ clean_up_cryptsetup
+
+ # format
+ rbd encryption format testimg $format /tmp/passphrase
+ drop_caches
+
+ # open encryption with cryptsetup
+ sudo cryptsetup open $RAW_DEV --type $format cryptsetupdev -d /tmp/passphrase
+
+ # open encryption with librbd
+ LIBRBD_DEV=$(_sudo rbd -p rbd map testimg -t nbd -o encryption-format=$format,encryption-passphrase-file=/tmp/passphrase)
+
+ # write via librbd && compare
+ sudo dd if=/tmp/testdata1 of=$LIBRBD_DEV conv=fdatasync
+ drop_caches
+ sudo cmp -n 16MB $LIBRBD_DEV /dev/mapper/cryptsetupdev
+
+ # write via cryptsetup && compare
+ sudo dd if=/tmp/testdata2 of=/dev/mapper/cryptsetupdev conv=fdatasync
+ drop_caches
+ sudo cmp -n 16MB $LIBRBD_DEV /dev/mapper/cryptsetupdev
+}
+
+function get_nbd_device_paths {
+ rbd device list -t nbd | tail -n +2 | egrep "\s+rbd\s+testimg\s+" | awk '{print $5;}'
+}
+
+function clean_up_cryptsetup() {
+ ls /dev/mapper/cryptsetupdev && sudo cryptsetup close cryptsetupdev || true
+}
+
+function clean_up {
+ sudo rm -f $TMP_FILES
+ clean_up_cryptsetup
+ for device in $(get_nbd_device_paths); do
+ _sudo rbd device unmap -t nbd $device
+ done
+ rbd ls | grep testimg > /dev/null && rbd rm testimg || true
+}
+
+if [[ $(uname) != "Linux" ]]; then
+ echo "LUKS encryption tests only supported on Linux"
+ exit 0
+fi
+
+
+if [[ $(($(ceph-conf --name client.${CEPH_ID} rbd_default_features) & 64)) != 0 ]]; then
+ echo "LUKS encryption tests not supported alongside image journaling feature"
+ exit 0
+fi
+
+clean_up
+
+trap clean_up INT TERM EXIT
+
+# generate test data
+dd if=/dev/urandom of=/tmp/testdata1 bs=4M count=4
+dd if=/dev/urandom of=/tmp/testdata2 bs=4M count=4
+
+# create passphrase file
+echo -n "password" > /tmp/passphrase
+
+# create an image
+rbd create testimg --size=32M
+
+# map raw data to nbd device
+RAW_DEV=$(_sudo rbd -p rbd map testimg -t nbd)
+
+test_encryption_format luks1
+test_encryption_format luks2
+
+echo OK |
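Review bot: The passphrase and test data use fixed names in /tmp (`TMP_FILES="/tmp/passphrase /tmp/testdata1 /tmp/testdata2"`), and those paths are written by shell redirection and `dd`, read by `sudo cryptsetup` and `sudo dd`, and deleted by `sudo rm -f` in `clean_up`. On a shared test host another local user can pre-create or symlink a predictable name in a world-writable directory, so a private directory is safer: `TMP_DIR=$(mktemp -d)` and `TMP_FILES="$TMP_DIR/passphrase $TMP_DIR/testdata1 $TMP_DIR/testdata2"`, with the later `/tmp/...` references switched to `$TMP_DIR/...` and `clean_up` removing the directory. Separately, `cmp -n 16MB` in `test_encryption_format` likely stops at 16,000,000 bytes under GNU cmp's suffix rules, short of the 16 MiB written by `bs=4M count=4`; `-n 16M` would cover the whole payload.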