Jeff Byers
2017-Jan-07 02:54 UTC
[Gluster-users] Fwd: Very slow writes through Samba mount to Gluster with crypt on
Jeff Darcy,

So the GlusterFS "encryption-at-rest" feature is unsupported, "use at your own risk", "deprecated", how would we know?

I'm not sure about the GlusterFS 'encryption-at-rest' feature being only in the source tree, as it is compiled in GlusterFS 3.7.18 with the crypt volume options being documented in "gluster volume help set".

There is no indication of "use at your own risk" or "unsupported", or "deprecated" status anywhere that I could find. There is no mention of this feature status in the on-line help, nor any mention in the feature doc at:

glusterfs-specs/Disk Encryption.md at master · GitHub
https://github.com/gluster/glusterfs-specs/blob/master/done/GlusterFS%203.5/Disk%20Encryption.md

which anyone wanting to use the feature would need to read.

There are a number of relatively recent bug reports, so people do seem to be using the feature:

Bug 1368455 - memory-leak in crypt xlator glusterfs 3.7.14
https://bugzilla.redhat.com/show_bug.cgi?id=1368455

Bug 1376858 - crypt xlator should use linker and compile options from pkg-config instaed of "-lssl -lcrypo"
https://bugzilla.redhat.com/show_bug.cgi?id=1376858

Bug 1301804 - Failure to read files from NAS volume snapshots if volume is encrypted.
https://bugzilla.redhat.com/show_bug.cgi?id=1301804

Bug 1065639 - Crash in nfs with encryption enabled
https://bugzilla.redhat.com/show_bug.cgi?id=1065639

Bug 1298520 - tests : Modifying tests for crypt xlator
https://bugzilla.redhat.com/show_bug.cgi?id=1298520

Bug 1065634 - Enabling compression and encryption translators on the same volume causes data corruption
https://bugzilla.redhat.com/show_bug.cgi?id=1065634

However, it does seem that these are not really being worked on, bug 1368455 being a serious problem, and is confirmed to still exist in 3.7.18.

Should we assume that nobody should be creating any new GlusterFS volumes using the encryption-at-rest feature?

There is no easy migration from GlusterFS volume encryption to non-encryption. It would basically need to be: block volume users access, backup volume, verify backup, delete volume, re-create volume, restore volume, and allow users access. :-(

What is the recommended alternative to GlusterFS "encryption-at-rest"? This is an important capability for some applications.

Jeff, Whit, thanks for bringing this up, and mentioning the more or less "abandoned" status of the GlusterFS "encryption-at-rest" feature; otherwise even more people would be using it than already are.

~ Jeff Byers ~