NVMe-TCP TLS encryption #147

Closed

hreinecke

This patchset implements tests for TLS-encrypted TCP connections.

hreinecke and others added 30 commits October 9, 2024 15:23
There is no reason why loop is required, so switch to the default
transport type.

Signed-off-by: Hannes Reinecke <[email protected]>
All invocations are using 'nvme_trtype' as argument to
_create_nvmet_ports(), so we can also make it optional and default
to nvme_trtype.

Signed-off-by: Hannes Reinecke <[email protected]>
We need to sanitize the transport parameters in _create_nvmet_port()
to avoid having invalid transport values when selecting a transport
type.

Signed-off-by: Hannes Reinecke <[email protected]>
When _find_nvme_ns() fails it should return a non-zero status to allow for
the error to be propagated to the caller.

Signed-off-by: Hannes Reinecke <[email protected]>
Rework the loop to iterate over ports, and check for the correct
subsysnqn afterwards. With that we can drop 'sed' calls and simplify
the loop.

Signed-off-by: Hannes Reinecke <[email protected]>
When calling 'nvme connect' we cannot assume that a namespace is
always present (eg if connecting to a discovery service), so better
check for the controller device to ensure that 'nvme connect' has
succeeded.

Signed-off-by: Hannes Reinecke <[email protected]>
A subsystem might have more than one port, and that port might be
configured differently from the default settings. So rather than
relying on the default settings we should extract the parameters
from the passed in ports on that subsystem and issue 'nvme connect'
with the extracted parameters.

Signed-off-by: Hannes Reinecke <[email protected]>
The -n option of the bash local variable declaration declares that
the variable is used as nameref. However, this nameref feature was
introduced to bash in version 4.3, while blktests requires bash
version 4.2. To not rely on the bash version 4.3, replace the nameref
feature with a loop to parse arguments.

Signed-off-by: Shin'ichiro Kawasaki <[email protected]>
A subsystem might have more than one namespace, so delete all of
them in _remove_nvmet_subsystem().

Signed-off-by: Hannes Reinecke <[email protected]>
Support only long options for _create_nvmet_ns() to simplify calling
sequence and allow to pass in an optional ANA group id.
If no UUID is passed the kernel will generate a UUID, so return
the UUID to allow the caller to identify the generated namespace.

Signed-off-by: Hannes Reinecke <[email protected]>
Most callers use the default settings anyway, so simplify them
by using long options for _create_nvmet_subsystem().

Signed-off-by: Hannes Reinecke <[email protected]>
Add an option '--blkdev none' for _nvmet_target_setup() to indicate
that no block devices (and no namespaces) should be created when
setting up the target.

Signed-off-by: Hannes Reinecke <[email protected]>
_nvmet_target_setup() is in tests/nvme/rc, but _nvmet_target_cleanup()
is in common/nvme. So move the former into common/nvme to have both
functions in the same place.

Signed-off-by: Hannes Reinecke <[email protected]>
Simplify the testcase by not creating a namespace when setting up
the target and have to loop iterating over all namespaces.

Signed-off-by: Hannes Reinecke <[email protected]>
Simplify the testcase by not creating a namespace when setting up
the target and have to loop iterating over all namespaces.

Signed-off-by: Hannes Reinecke <[email protected]>
Simplify the testcase by not creating a namespace when setting up
the target and have to loop iterating over all namespaces.

Signed-off-by: Hannes Reinecke <[email protected]>
Most of the steps in _nvmet_setup() are not required here, and don't
work with discovery connections. So open-code it to avoid the pitfalls
and make the test simpler.

Signed-off-by: Hannes Reinecke <[email protected]>
The default helper functions are doing quite some things which are unnecessary for
this test, so open-code them to call just the required functions.

Signed-off-by: Hannes Reinecke <[email protected]>
Rework fcloop handling to create only one local port but several
remote ports. That way we can keep the global setting for local port
addresses and don't need to worry about passing the correct local
port address when calling 'nvme connect'.

Signed-off-by: Hannes Reinecke <[email protected]>
Always called without arguments, so drop the assignment.

Signed-off-by: Hannes Reinecke <[email protected]>
Add a function to set the ANA state and group id for a port.

Signed-off-by: Hannes Reinecke <[email protected]>
Add a function to set the ANA groupid for a namespace.

Signed-off-by: Hannes Reinecke <[email protected]>
Add an argument '--ports' to _nvmet_target_setup() to specify the
number of ports to create.

Signed-off-by: Hannes Reinecke <[email protected]>
A port might have several ANA groups, and we have to remove all
ANA groups with a group id other than 1, otherwise we cannot
remove the port itself.

Signed-off-by: Hannes Reinecke <[email protected]>
Add a test for basic ANA support by creating 4 paths, run a fio
process to generate load, and then switch port states to check
if I/O continues uninterrupted.

Signed-off-by: Hannes Reinecke <[email protected]>
Add a test for rapid namespace remapping to simulate short-lived
namespaces being created and deleted in rapid succession with a
cluster.

Signed-off-by: Hannes Reinecke <[email protected]>
Most callers use the default subsystem NQN as argument to
_find_nvme_ns(), so make it optional.

Signed-off-by: Hannes Reinecke <[email protected]>
Add a function to restrict testcases to TCP transport.

Signed-off-by: Hannes Reinecke <[email protected]>
To start TLS-encrypted connections.

Signed-off-by: Hannes Reinecke <[email protected]>
Add --tls option to _create_nvmet_subsystem and allow to specify
the tls requirements in _create_nvmet_port.

Signed-off-by: Hannes Reinecke <[email protected]>
TCP connections can be encrypted using in-kernel TLS, so add a
testcase to exercise the various combinations.

Signed-off-by: Hannes Reinecke <[email protected]>
@hreinecke

It is based on the 'ANA support' patches, so will need to be rebased once they are merged.

To start secure concatenation the option '--concat' has to be passed
to the 'nvme connect' command.

Signed-off-by: Hannes Reinecke <[email protected]>
Add testcase for secure concatenation on NVMe-over-TCP.

Signed-off-by: Hannes Reinecke <[email protected]>
@hreinecke

Superseded by #158

@hreinecke hreinecke closed this Jan 22, 2025
@hreinecke hreinecke deleted the tls.v2 branch January 22, 2025 16:56