NVMe-TCP TLS encryption #147
Open: hreinecke wants to merge 33 commits into osandov:master from hreinecke:tls.v2
There is no reason why loop is required, so switch to the default transport type. Signed-off-by: Hannes Reinecke <[email protected]>
All invocations are using 'nvme_trtype' as argument to _create_nvmet_ports(), so we can also make it optional and default to nvme_trtype. Signed-off-by: Hannes Reinecke <[email protected]>
We need to sanitize the transport parameters in _create_nvmet_port() to avoid having invalid transport values when selecting a transport type. Signed-off-by: Hannes Reinecke <[email protected]>
When _find_nvme_ns() fails it should return a non-zero status to allow for the error to be propagated to the caller. Signed-off-by: Hannes Reinecke <[email protected]>
Rework the loop to iterate over ports, and check for the correct subsysnqn afterwards. With that we can drop 'sed' calls and simplify the loop. Signed-off-by: Hannes Reinecke <[email protected]>
When calling 'nvme connect' we cannot assume that a namespace is always present (eg if connecting to a discovery service), so better check for the controller device to ensure that 'nvme connect' has succeeded. Signed-off-by: Hannes Reinecke <[email protected]>
A subsystem might have more than one port, and that port might be configured differently from the default settings. So rather than to rely on the default settings we should extract the parameters from the passed in ports on that subsystem and issue 'nvme connect' with the extracted parameters. Signed-off-by: Hannes Reinecke <[email protected]>
The -n option of the bash local variable declaration declares that the variable is used as nameref. However, this nameref feature was introduced to bash at its version 4.3. While blktests requires bash version 4.2. To not rely on the bash version 4.3, replace the nameref feature with a loop to parse arguments. Signed-off-by: Shin'ichiro Kawasaki <[email protected]>
A subsystem might have more than one namespace, so delete all of them in _remove_nvmet_subsystem(). Signed-off-by: Hannes Reinecke <[email protected]>
Support only long options for _create_nvmet_ns() to simplify calling sequence and allow to pass in an optional ANA group id. If no UUID is passed the kernel will generate a UUID, so return the UUID to allow the caller to identify the generated namespace. Signed-off-by: Hannes Reinecke <[email protected]>
Most callers use the default settings anyway, so simplify them by using long options for _create_nvmet_subsystem(). Signed-off-by: Hannes Reinecke <[email protected]>
Add an option '--blkdev none' for _nvmet_target_setup() to indicate that no block devices (and no namespaces) should be created when setting up the target. Signed-off-by: Hannes Reinecke <[email protected]>
_nvmet_target_setup() is in tests/nvme/rc, but _nvmet_target_cleanup() is in common/nvme. So move the former into common/nvme to have both functions in the same place. Signed-off-by: Hannes Reinecke <[email protected]>
Simplify the testcase by not creating a namespace when setting up the target and have to loop iterating over all namespaces. Signed-off-by: Hannes Reinecke <[email protected]>
Simplify the testcase by not creating a namespace when setting up the target and have to loop iterating over all namespaces. Signed-off-by: Hannes Reinecke <[email protected]>
Simplify the testcase by not creating a namespace when setting up the target and have to loop iterating over all namespaces. Signed-off-by: Hannes Reinecke <[email protected]>
Most of the steps in _nvmet_setup() are not required here, and don't work with discovery connections. So open-code it to avoid the pitfalls and make the test simpler. Signed-off-by: Hannes Reinecke <[email protected]>
The default helper functions are doing quite some things which are unnecessary for this test, so open-code them to call just the required functions. Signed-off-by: Hannes Reinecke <[email protected]>
Rework fcloop handling to create only one local port but several remote ports. That way we can keep the global setting for local port addresses and don't need to worry about passing the correct local port address when calling 'nvme connect'. Signed-off-by: Hannes Reinecke <[email protected]>
Always called without arguments, so drop the assignment. Signed-off-by: Hannes Reinecke <[email protected]>
Add a function to set the ANA state and group id for a port. Signed-off-by: Hannes Reinecke <[email protected]>
Add a function to set the ANA groupid for a namespace. Signed-off-by: Hannes Reinecke <[email protected]>
Add an argument '--ports' to _nvmet_target_setup() to specify the number of ports to create. Signed-off-by: Hannes Reinecke <[email protected]>
A port might have several ANA groups, and we have to remove all ANA groups with a group id other than 1, otherwise we cannot remove the port itself. Signed-off-by: Hannes Reinecke <[email protected]>
Add a test for basic ANA support by creating 4 paths, run a fio process to generate load, and then switch port states to check if I/O continues uninterrupted. Signed-off-by: Hannes Reinecke <[email protected]>
Add a test for rapid namespace remapping to simulate short-lived namespaces being created and deleted in rapid succession with a cluster. Signed-off-by: Hannes Reinecke <[email protected]>
Most callers use the default subsystem NQN as argument to _find_nvme_ns(), so make it optional. Signed-off-by: Hannes Reinecke <[email protected]>
Add a function to restrict testcases to TCP transport. Signed-off-by: Hannes Reinecke <[email protected]>
To start TLS-encrypted connections. Signed-off-by: Hannes Reinecke <[email protected]>
Add --tls option to _create_nvmet_subsystem and allow to specify the tls requirements in _create_nvmet_port. Signed-off-by: Hannes Reinecke <[email protected]>
TCP connections can be encrypted using in-kernel TLS, so add a testcase to exercise the various combinations. Signed-off-by: Hannes Reinecke <[email protected]>
It is based on the 'ANA support' patches, so will need to be rebased once they are merged.
To start secure concatenation the option '--concat' has to be passed to the 'nvme connect' command. Signed-off-by: Hannes Reinecke <[email protected]>
Add testcase for secure concatenation on NVMe-over-TCP. Signed-off-by: Hannes Reinecke <[email protected]>
This patchset implements tests for TLS-encrypted TCP connections.