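def osd_encryption_verification():
    """
    Verify that OSD encryption at rest is successfully deployed on OCS.

    For every node that runs OSDs, the output of ``lsblk`` is collected through
    ``oc debug node/<node> -- chroot /host lsblk`` and checked in two steps:

    1. the number of ``crypt`` tokens must equal the number of OSDs on the node;
    2. the size reported two tokens before each ``crypt`` token must equal the
       value returned by ``get_osd_size()``.

    The check works on the whitespace-split text of ``lsblk``. It does not tie
    a ``crypt`` entry to a specific OSD device, so it is evidence that
    encryption is deployed rather than a per-device proof.

    Raises:
        UnsupportedFeatureError: OCS version is smaller than 4.6
        EnvironmentError: The OSD is not encrypted

    """
    # Compare the version component by component. Converting "4.10" to a float
    # yields 4.1, which would wrongly be rejected as older than 4.6.
    # NOTE(review): if the config stores the version as an unquoted number,
    # 4.10 may already arrive here as 4.1 - confirm it is kept as a string.
    raw_version = str(config.ENV_DATA["ocs_version"])
    ocs_version = tuple(int(part) for part in raw_version.split(".")[:2])
    if ocs_version < (4, 6):
        error_message = "Encryption at REST can be enabled only on OCS >= 4.6!"
        raise UnsupportedFeatureError(error_message)

    osd_size = get_osd_size()

    log.info("Get 'lsblk' command output on nodes where osd running")
    osd_node_names = get_osds_per_node()
    lsblk_output_list = []
    for worker_node, node_osds in osd_node_names.items():
        lsblk_cmd = f"oc debug node/{worker_node} -- chroot /host lsblk"
        out = run_cmd(lsblk_cmd)
        log.info(f"the output from lsblk command is {out}")
        # Keep the expected OSD count next to the output it is checked against.
        lsblk_output_list.append((out, len(node_osds)))

    log.info("Verify 'lsblk' command results are as expected")
    for lsblk_text, expected_osd_count in lsblk_output_list:
        node_lsb = lsblk_text.split()

        log.info("Search 'crypt' in node_lsb list")
        all_occurrences_crypt = [
            index for index, element in enumerate(node_lsb) if element == "crypt"
        ]

        log.info("Verify all OSDs encrypted on node")
        # Every "crypt" token on the node is counted, whatever device it
        # belongs to; the size comparison below is the only thing that
        # distinguishes an OSD from another encrypted device.
        if len(all_occurrences_crypt) != expected_osd_count:
            raise EnvironmentError("OSD is not encrypted")

        log.info("Verify that OSD is encrypted, and not another component like sda")
        for index_crypt in all_occurrences_crypt:
            # The size is expected two tokens before "crypt". Fail closed when
            # that token is missing or holds no digits, instead of wrapping
            # around to the end of the list or raising IndexError.
            size_token = node_lsb[index_crypt - 2] if index_crypt >= 2 else ""
            size_digits = re.findall(r"\d+", size_token)
            # Only the first run of digits is compared: the unit suffix and
            # any fractional part of the size are ignored.
            if not size_digits or int(size_digits[0]) != osd_size:
                raise EnvironmentError(
                    "The OSD is not encrypted, another mount encrypted."
                )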
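def osd_encryption_verification():
    """
    Verify that OSD encryption at rest is successfully deployed on OCS.

    For every node returned by ``get_osds_per_node()`` the output of ``lsblk``
    is collected through ``oc debug node/<node> -- chroot /host lsblk`` and the
    number of ``crypt`` tokens in it is compared with the number of OSDs
    listed for that node.

    The comparison is a token count over the whole ``lsblk`` output: every
    ``crypt`` token on the node is counted, whatever device it belongs to, so
    a matching count does not prove that each individual OSD is encrypted.

    Raises:
        UnsupportedFeatureError: OCS version is smaller than 4.6
        ValueError: The number of 'crypt' entries on a node differs from the
            number of OSDs on that node

    """
    ocs_version = version.get_semantic_ocs_version_from_config()
    if ocs_version < version.VERSION_4_6:
        error_message = "Encryption at REST can be enabled only on OCS >= 4.6!"
        raise UnsupportedFeatureError(error_message)

    log.info("Get 'lsblk' command output on nodes where osd running")
    osd_node_names = get_osds_per_node()
    # Keep the command output in its own mapping instead of appending it to
    # the OSD lists: the helper's return value stays untouched and the OSD
    # count needs no "- 1" correction.
    lsblk_by_node = {}
    for worker_node in osd_node_names:
        lsblk_cmd = f"oc debug node/{worker_node} -- chroot /host lsblk"
        lsblk_out = run_cmd(lsblk_cmd)
        log.info(
            f"the output of lsblk command on node {worker_node} is:\n {lsblk_out}"
        )
        lsblk_by_node[worker_node] = lsblk_out

    log.info("Verify 'lsblk' command results are as expected")
    for worker_node, node_osds in osd_node_names.items():
        osd_number_per_node = len(node_osds)
        lsblk_output = lsblk_by_node[worker_node]
        lsblk_output_split = lsblk_output.split()
        crypt_count = lsblk_output_split.count("crypt")
        # Use the module logger throughout; the earlier messages in this
        # function already go through `log`, not the root `logging` logger.
        log.info(f"lsblk split:{lsblk_output_split}")
        log.info(f"osd_node_names dictionary: {osd_node_names}")
        log.info(f"count crypt {crypt_count}")
        log.info(f"osd_number_per_node = {osd_number_per_node}")
        if crypt_count != osd_number_per_node:
            log.error(
                f"The output of lsblk command on node {worker_node} is not as expected:\n{lsblk_output}"
            )
            raise ValueError("OSD is not encrypted")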
def osd_encryption_verification():
    """
    Verify that OSD encryption at rest is successfully deployed on OCS.

    Two checks are performed:

    1. On every node returned by ``get_osds_per_node()``, the number of
       ``crypt`` tokens in the ``lsblk`` output must equal the number of OSDs
       listed for that node.
    2. On OCS versions above 4.6, except 4.8, ``cryptsetup luksDump`` is run
       for every device returned by ``get_encrypted_osd_devices()`` and the
       output must contain neither ``(no label)`` nor ``(no subsystem)``.

    Both checks match on command output text. The first counts every
    ``crypt`` token on the node, whatever device it belongs to. The second
    treats the absence of the two markers as success.

    Raises:
        UnsupportedFeatureError: OCS version is smaller than 4.6
        ValueError: The 'crypt' count on a node differs from its OSD count, or
            a LUKS header without label/subsystem was found

    """
    ocs_version = version.get_semantic_ocs_version_from_config()
    if ocs_version < version.VERSION_4_6:
        error_message = "Encryption at REST can be enabled only on OCS >= 4.6!"
        raise UnsupportedFeatureError(error_message)

    log.info("Get 'lsblk' command output on nodes where osd running")
    osd_node_names = get_osds_per_node()
    for worker_node, node_entries in osd_node_names.items():
        lsblk_out = run_cmd(f"oc debug node/{worker_node} -- chroot /host lsblk")
        log.info(
            f"the output of lsblk command on node {worker_node} is:\n {lsblk_out}"
        )
        # The raw output is stored as the last element of the node's list,
        # after the OSD entries.
        node_entries.append(lsblk_out)

    log.info("Verify 'lsblk' command results are as expected")
    for worker_node, node_entries in osd_node_names.items():
        # The last element is the lsblk output appended above, not an OSD.
        lsblk_output = node_entries[-1]
        osd_number_per_node = len(node_entries) - 1
        lsblk_output_split = lsblk_output.split()
        crypt_count = lsblk_output_split.count("crypt")
        log.info(f"lsblk split:{lsblk_output_split}")
        log.info(f"osd_node_names dictionary: {osd_node_names}")
        log.info(f"count crypt {crypt_count}")
        log.info(f"osd_number_per_node = {osd_number_per_node}")
        if crypt_count != osd_number_per_node:
            log.error(
                f"The output of lsblk command on node {worker_node} is not as expected:\n{lsblk_output}"
            )
            raise ValueError("OSD is not encrypted")

    # skip OCS 4.8 as the fix for luks header info is still not available on it
    if ocs_version > version.VERSION_4_6 and ocs_version != version.VERSION_4_8:
        log.info("Verify luks header label for encrypted devices")
        worker_nodes = get_osd_running_nodes()
        missing_label_messages = []
        node_obj = OCP(kind="node")
        for node in worker_nodes:
            # NOTE(review): a node for which no devices are returned passes
            # this check without any header being inspected - confirm that
            # the lsblk count above is meant to cover that case.
            for raw_device_name in get_encrypted_osd_devices(node_obj, node):
                luks_device_name = raw_device_name.strip()
                log.info(
                    f"Checking luks header label on Luks device {luks_device_name} for node {node}"
                )
                # NOTE(review): the device name is interpolated into the
                # command string as reported by the node; presumably it is
                # always a plain device name - verify how exec_oc_debug_cmd
                # passes the string on.
                cmd = f"cryptsetup luksDump /dev/{luks_device_name!s}"
                dump_text = str(
                    node_obj.exec_oc_debug_cmd(node=node, cmd_list=[cmd])
                )
                # Only the two "missing" markers are searched for; output
                # that contains neither is counted as a labelled header.
                if any(
                    marker in dump_text
                    for marker in ("(no label)", "(no subsystem)")
                ):
                    missing_label_messages.append(
                        f"\nNo label found on Luks header information for node {node}\n"
                    )

        if missing_label_messages:
            log.error("".join(missing_label_messages))
            raise ValueError("Luks header label is not found")
        log.info("Luks header info found for all the encrypted osds")