使用 Kubernetes CSI 與 Ceph 實現 Trustzone


chun wang

July 20, 2019

Transcript

  1. Implementing a Trustzone with Kubernetes CSI and Ceph. 林春旺@NUTC

  2. Agenda
    Why need CSI
    What is CSI
    How to use CSI with Kubernetes
    What is Trustzone
    How to implement Trustzone
    Summary

  3. Why need CSI

  4. Kubernetes - Volume (emptyDir)

  5. Kubernetes - Volume (hostPath)

  6. Kubernetes - Persistent Storage
    Persistent Volume (PV)
    Persistent Volume Claim (PVC)
    StorageClass

  7. Kubernetes - In-Tree Volume Plugin (External Storage)
    https://medium.com/google-cloud/understanding-the-container-storage-interface-csi-ddbeb966a3b

  8. What is CSI

  9. Kubernetes - Out-of-Tree Volume Plugin (External Storage)
    https://medium.com/google-cloud/understanding-the-container-storage-interface-csi-ddbeb966a3b

  10. How to use CSI with Kubernetes

  11. Deploy Ceph-CSI Services
    Deploy RBACs for sidecar containers and node plugins:
      kubectl create -f csi-provisioner-rbac.yaml
      kubectl create -f csi-nodeplugin-rbac.yaml
    Deploy CSI sidecar containers:
      kubectl create -f csi-cephfsplugin-provisioner.yaml
    Deploy CSI CephFS driver:
      kubectl create -f csi-cephfsplugin.yaml
    https://github.com/ceph/ceph-csi/blob/master/docs/deploy-cephfs.md

  12. Deploy the Storage Class
      kubectl create -f secret.yaml
      kubectl create -f storageclass.yaml
      kubectl create -f pvc.yaml
      kubectl create -f pod.yaml

  13. Secret

  14. StorageClass

  15. PersistentVolumeClaim (PVC)

  16. Pod

  17. What is Trustzone

  18. Trustzone
    https://www.microcontrollertips.com/embedded-security-brief-arm-trustzone-explained/
    Within an ARM Cortex mobile processor, it separates an execution region with no security requirements from a trusted, secure region.

  19. How to implement Trustzone

  20. Ceph - Architecture
    http://docs.ceph.com/docs/mimic/architecture/

  21. Ceph - Placement Groups
    http://docs.ceph.com/docs/mimic/rados/operations/placement-groups/
    1. pg_id = hash(obj_id) mod pg_num
    2. CRUSH(pg_id) gives the corresponding OSDs

  22. Ceph - CRUSH Maps
    http://docs.ceph.com/docs/mimic/rados/operations/crush-map/

  23. Ceph - CRUSH Maps
    host normal {
        id -2
        alg straw2
        hash 0
        item osd.1 weight 0.910
        item osd.2 weight 0.910
        item osd.3 weight 0.910
    }
    host secret {
        id -3
        alg straw2
        hash 0
        item osd.4 weight 0.910
        item osd.5 weight 0.910
        item osd.6 weight 0.910
    }

  24. Ceph - CRUSH Rule
    rule normal {
        id 1
        type replicated
        min_size 1
        max_size 10
        step take normal
        step chooseleaf firstn 0 type host
        step emit
    }
    rule secret {
        id 2
        type replicated
        min_size 1
        max_size 10
        step take secret
        step chooseleaf firstn 0 type host
        step emit
    }

  25. Ceph - File Layouts (Extended Attributes)
    ceph osd pool create normal_data 128 normal
    ceph osd pool create secret_data 128 secret
    setfattr -n ceph.dir.layout -v "pool=normal_data" /mnt/normal/
    setfattr -n ceph.dir.layout -v "pool=secret_data" /mnt/secret/
    http://docs.ceph.com/docs/jewel/cephfs/file-layouts/

  26. Summary
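The placement pipeline and the isolation property behind slides 21 to 25, as an added Python example that is not part of the original deck or of Ceph's own code. It parses a constructed inline copy of the two host buckets and two rules from slides 23 and 24, computes pg_id = hash(obj_id) mod pg_num as on slide 21, selects OSDs under the chosen rule's root, and then checks the property that makes the secret_data pool a separate "zone": the normal and secret rules must share no OSD. The straw2 selection is replaced by a deterministic hash ranking that is not Ceph's real algorithm, and because each root holds a single host the example picks leaf OSDs directly instead of distinct hosts; the function names, pg_num of 128, replica size of 2 and object names are assumptions.

```python
"""Isolation check for a two-root CRUSH map (illustrative, not Ceph's code)."""
import hashlib
import re

# Constructed inline copy of the CRUSH map text shown on slides 23-24.
CRUSH_MAP = """
host normal { id -2 alg straw2 hash 0
  item osd.1 weight 0.910 item osd.2 weight 0.910 item osd.3 weight 0.910 }
host secret { id -3 alg straw2 hash 0
  item osd.4 weight 0.910 item osd.5 weight 0.910 item osd.6 weight 0.910 }
rule normal { id 1 type replicated min_size 1 max_size 10
  step take normal step chooseleaf firstn 0 type host step emit }
rule secret { id 2 type replicated min_size 1 max_size 10
  step take secret step chooseleaf firstn 0 type host step emit }
"""

BUCKET_RE = re.compile(r"host\s+(\w+)\s*\{(.*?)\}", re.S)
ITEM_RE = re.compile(r"item\s+(osd\.\d+)\s+weight\s+([\d.]+)")
RULE_RE = re.compile(r"rule\s+(\w+)\s*\{(.*?)\}", re.S)
TAKE_RE = re.compile(r"step\s+take\s+(\w+)")


def parse_buckets(text):
    """Return {bucket_name: [(osd, weight), ...]} for every host bucket."""
    return {
        name: [(osd, float(w)) for osd, w in ITEM_RE.findall(body)]
        for name, body in BUCKET_RE.findall(text)
    }


def parse_rules(text):
    """Return {rule_name: root_bucket}, taken from each rule's 'step take' line."""
    return {name: TAKE_RE.search(body).group(1) for name, body in RULE_RE.findall(text)}


def pg_for_object(obj_id, pg_num):
    """Slide 21, step 1: pg_id = hash(obj_id) mod pg_num (sha256 used as a stable hash)."""
    digest = hashlib.sha256(obj_id.encode()).digest()
    return int.from_bytes(digest[:8], "big") % pg_num


def crush_select(pg_id, items, size):
    """Simplified straw2-style choice: rank every OSD by a weighted hash of
    (pg_id, osd) and keep the top ``size``.  Deterministic, but not Ceph's math,
    and it picks leaf OSDs directly because each root here has one host."""
    def straw(osd, weight):
        h = hashlib.sha256(f"{pg_id}:{osd}".encode()).digest()
        return int.from_bytes(h[:8], "big") * weight
    ranked = sorted(items, key=lambda it: straw(*it), reverse=True)
    return [osd for osd, _ in ranked[:size]]


def place(obj_id, rule, pg_num=128, size=2, crush_map=CRUSH_MAP):
    """Slide 21, steps 1-2 for one object: object -> PG -> OSDs under the rule's root."""
    buckets, rules = parse_buckets(crush_map), parse_rules(crush_map)
    return crush_select(pg_for_object(obj_id, pg_num), buckets[rules[rule]], size)


def reachable_osds(rule, crush_map=CRUSH_MAP):
    """Every OSD a rule can ever place data on: the leaf set under its root."""
    buckets, rules = parse_buckets(crush_map), parse_rules(crush_map)
    return {osd for osd, _ in buckets[rules[rule]]}


def rules_are_isolated(rule_a, rule_b, crush_map=CRUSH_MAP):
    """The check this layout depends on: the two rules share no OSD at all."""
    return reachable_osds(rule_a, crush_map).isdisjoint(reachable_osds(rule_b, crush_map))


if __name__ == "__main__":
    # Constructed object names; "secret" and "normal" are the pools' CRUSH rules.
    for obj in ("payroll.csv", "index.html"):
        print(obj, "secret ->", place(obj, "secret"), "normal ->", place(obj, "normal"))
    print("normal/secret isolated:", rules_are_isolated("normal", "secret"))
```

The disjointness check is the part worth keeping in a deployment pipeline: the directory layout xattr on slide 25 only routes a directory to a pool, so the separation holds exactly as long as the pools' CRUSH rules resolve to non-overlapping OSD sets, which is easy to break later by adding an OSD to the wrong host bucket.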