mds: add protection from clients without fscrypt support

[lxbsz]

Clients that do not support fscrypt can execute operations that may cause unrecoverable data loss. Add protection on the MDS so that it prevents these clients from executing some operations.

Note, however, that clients will still be able corrupt encrypted files by appending data to them. And they will still be able to read encrypted data from those files.

This PR originally from @luis-henrix 's PR #45073. And I just fix the lock order issue, and will run more tests for it.

Please note this PR will fix one issue from Luis' previous PR:

1, MDS crash issue https://tracker.ceph.com/issues/63685

Fixes: https://tracker.ceph.com/issues/65217

Contribution Guidelines

• To sign and title your commits, please refer to Submitting Patches to Ceph.

• If you are submitting a fix for a stable branch (e.g. "quincy"), please refer to Submitting Patches to Ceph - Backports for the proper workflow.

• When filling out the below checklist, you may click boxes directly in the GitHub web UI. When entering or editing the entire PR message in the GitHub web UI editor, you may also select a checklist item by adding an x between the brackets: [x]. Spaces and capitalization matter when checking off items this way.

Checklist

• Tracker (select at least one)
  • References tracker ticket
  • Very recent bug; references commit where it was introduced
  • New feature (ticket optional)
  • Doc update (no ticket needed)
  • Code cleanup (no ticket needed)
• Component impact
  • Affects Dashboard, opened tracker ticket
  • Affects Orchestrator, opened tracker ticket
  • No impact that needs to be tracked
• Documentation (select at least one)
  • Updates relevant documentation
  • No doc update is appropriate
• Tests (select at least one)
  • Includes unit test(s)
  • Includes integration test(s)
  • Includes bug reproducer
  • No tests

Show available Jenkins commands

• jenkins retest this please
• jenkins test classic perf
• jenkins test crimson perf
• jenkins test signed
• jenkins test make check
• jenkins test make check arm64
• jenkins test submodules
• jenkins test dashboard
• jenkins test dashboard cephadm
• jenkins test api
• jenkins test docs
• jenkins render docs
• jenkins test ceph-volume all
• jenkins test ceph-volume tox
• jenkins test windows
• jenkins test rook e2e

[lxbsz]

Locally the xfstests passed.

[github-actions]

This pull request can no longer be automatically merged: a rebase is needed and changes have to be manually resolved

[github-actions]

This pull request can no longer be automatically merged: a rebase is needed and changes have to be manually resolved

[vshankar]

@lxbsz Is this ready for review?

[lxbsz]

@lxbsz Is this ready for review?

@vshankar Yeah, it's ready.

[chrisphoffman]

I'm happy to see there's been discussion about server side semantics enforcement.

Do we need any tests included in this PR to ensure our intended behavior doesn't change? We can't one day inadvertently allow older or non-friendly clients to be able to do known malicious things.

[lxbsz]

I'm happy to see there's been discussion about server side semantics enforcement.

Do we need any tests included in this PR to ensure our intended behavior doesn't change?

Yeah, we need to run qa.

[chrisphoffman]

I'm happy to see there's been discussion about server side semantics enforcement.
Do we need any tests included in this PR to ensure our intended behavior doesn't change?

Yeah, we need to run qa.

To be more specific, I was proposing new tests. For example testing a client working on a fscrypt tree that the client doesn't know about fscrypt. We want to make sure server enforced behavior fails on unaware clients. What do you think?

Do we already test this? If so, can you point me to it?

[lxbsz]

I'm happy to see there's been discussion about server side semantics enforcement.
Do we need any tests included in this PR to ensure our intended behavior doesn't change?

Yeah, we need to run qa.

To be more specific, I was proposing new tests. For example testing a client working on a fscrypt tree that the client doesn't know about fscrypt. We want to make sure server enforced behavior fails on unaware clients. What do you think?

Do we already test this? If so, can you point me to it?

Hmm, sounds reasonable to me. Currently there has not thus test yet.

[github-actions]

This pull request can no longer be automatically merged: a rebase is needed and changes have to be manually resolved

[vshankar]

This PR is under test in https://tracker.ceph.com/issues/68092.

[vshankar]

Dropping my testing tag since I'm still running into failures which seem related. Will have to debug.

[github-actions]

This pull request has been automatically marked as stale because it has not had any activity for 60 days. It will be closed if no further activity occurs for another 30 days.
If you are a maintainer or core committer, please follow-up on this pull request to identify what steps should be taken by the author to move this proposed change forward.
If you are the author of this pull request, thank you for your proposed contribution. If you believe this change is still appropriate, please ensure that any feedback has been addressed and ask for a code review.

[dparmar18]

Dropping my testing tag since I'm still running into failures which seem related. Will have to debug.

@vshankar are we moving ahead with this?

[vshankar]

Dropping my testing tag since I'm still running into failures which seem related. Will have to debug.

@vshankar are we moving ahead with this?

We need to, but the failure that I saw in the test run isn't debugged and @chrisphoffman will have a look.

[vshankar]

bumping this up for @chrisphoffman

[github-actions]

This pull request can no longer be automatically merged: a rebase is needed and changes have to be manually resolved

[chrisphoffman]

bumping this up for @chrisphoffman

Got it, added to fscrypt master tracker todo list: https://tracker.ceph.com/issues/65217

[github-actions]

This pull request has been automatically marked as stale because it has not had any activity for 60 days. It will be closed if no further activity occurs for another 30 days.
If you are a maintainer or core committer, please follow-up on this pull request to identify what steps should be taken by the author to move this proposed change forward.
If you are the author of this pull request, thank you for your proposed contribution. If you believe this change is still appropriate, please ensure that any feedback has been addressed and ask for a code review.

[github-actions]

This pull request has been automatically closed because there has been no activity for 90 days. Please feel free to reopen this pull request (or open a new one) if the proposed change is still appropriate. Thank you for your contribution!

[dparmar18]

@chrisphoffman @vshankar @batrick are we still working on this?

[vshankar]

@chrisphoffman @vshankar @batrick are we still working on this?

Not sure what you mean. We need this change to ensure that non-fscrypt clients cannot mangle encrypted files/directories.

[vshankar]

(closed by mistake -- reopened)

[github-actions]

This pull request has been automatically marked as stale because it has not had any activity for 60 days. It will be closed if no further activity occurs for another 30 days.
If you are a maintainer or core committer, please follow-up on this pull request to identify what steps should be taken by the author to move this proposed change forward.
If you are the author of this pull request, thank you for your proposed contribution. If you believe this change is still appropriate, please ensure that any feedback has been addressed and ask for a code review.

[github-actions]

This pull request has been automatically closed because there has been no activity for 90 days. Please feel free to reopen this pull request (or open a new one) if the proposed change is still appropriate. Thank you for your contribution!