Ceph ansible now supports dmcrypt
I recently worked on a new feature that ceph-ansible was lacking: support for dmcrypt. This dmcrypt scenario basically allows you to deploy encrypted OSD data directories. The encrypted key is stored on the monitor’s key/value store. Until recently ceph-ansible wasn’t capable of deploying such a configuration. Let’s see how this can be configured.
Within the dmcrypt implementation we support 2 sub scenarios:
- dmcrypt_journal_collocation: where the OSD journal is collocated on the same device as the OSD data directory
- dmcrypt_dedicated_journal: where the OSD journal is stored on a different device than the OSD data directory
This is quite straightforward: simply open your group_vars/osds and uncomment the following:

dmcrypt_journal_collocation: true
devices:
  - /dev/sdb
  - /dev/sdc

Same for dedicated journal device:

dmcrypt_dedicated_journal: true
devices:
  - /dev/sdb
  - /dev/sdc
raw_journal_devices:
  - /dev/sdd
  - /dev/sdd

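A post-deployment check, added here as an example and not part of ceph-ansible: it parses the output of `lsblk --json -o NAME,TYPE,MOUNTPOINT` and reports whether each device listed in group_vars/osds carries its OSD data directory on a dm-crypt mapping. The sample output, the mapping names and the /var/lib/ceph/osd/ mount prefix are assumptions.

```python
import json

# Constructed sample of `lsblk --json -o NAME,TYPE,MOUNTPOINT` on an OSD host:
# sdb was deployed with dmcrypt, sdc was not (plain partition mounted directly).
# Mapping names are made up for readability.
SAMPLE_LSBLK = json.dumps({"blockdevices": [
    {"name": "sdb", "type": "disk", "mountpoint": None, "children": [
        {"name": "sdb1", "type": "part", "mountpoint": None, "children": [
            {"name": "osd-data-0", "type": "crypt",
             "mountpoint": "/var/lib/ceph/osd/ceph-0"}]},
        {"name": "sdb2", "type": "part", "mountpoint": None, "children": [
            {"name": "osd-journal-0", "type": "crypt", "mountpoint": None}]}]},
    {"name": "sdc", "type": "disk", "mountpoint": None, "children": [
        {"name": "sdc1", "type": "part",
         "mountpoint": "/var/lib/ceph/osd/ceph-1"}]},
]})

OSD_MOUNT_PREFIX = "/var/lib/ceph/osd/"  # assumed OSD data directory location


def osd_mounts(node, under_crypt=False):
    """Yield (mountpoint, encrypted) for every OSD data mount below node."""
    under_crypt = under_crypt or node.get("type") == "crypt"
    mount = node.get("mountpoint") or ""
    if mount.startswith(OSD_MOUNT_PREFIX):
        yield mount, under_crypt
    for child in node.get("children", []):
        yield from osd_mounts(child, under_crypt)


def check_devices(lsblk_json, devices):
    """Map each configured device to 'encrypted', 'plaintext' or 'no-osd'."""
    disks = {"/dev/" + d["name"]: d
             for d in json.loads(lsblk_json)["blockdevices"]}
    report = {}
    for dev in devices:
        mounts = list(osd_mounts(disks[dev])) if dev in disks else []
        if not mounts:
            report[dev] = "no-osd"
        else:
            ok = all(encrypted for _, encrypted in mounts)
            report[dev] = "encrypted" if ok else "plaintext"
    return report


if __name__ == "__main__":
    for dev, state in check_devices(SAMPLE_LSBLK, ["/dev/sdb", "/dev/sdc"]).items():
        print(dev, state)
```

On a real host, feed it the live `lsblk` output and the `devices` list from group_vars/osds; any device reported as `plaintext` has an OSD data directory mounted without a crypt layer underneath.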
Let’s encrypt everything!