From 8d242abfb7c086f6d20be43af40643feeec2835d Mon Sep 17 00:00:00 2001 From: Michael Saffitz Date: Wed, 8 Apr 2015 08:40:11 -0700 Subject: [PATCH 1/2] Add support for encrypted EBS volumes --- README.md | 4 ++++ attributes/default.rb | 1 + metadata.rb | 2 +- recipes/default.rb | 2 +- recipes/raids.rb | 1 + recipes/volumes.rb | 1 + 6 files changed, 9 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 1caacd3..bb0ddcb 100644 --- a/README.md +++ b/README.md @@ -79,6 +79,10 @@ Create a 10GB volume with 1000 provisioned iops, format it with XFS, and mount i `mount_options` are optional and will default to `noatime,nobootwait` on all platforms except Amazon linux, where they will default to `noatime`. +## Volume Encryption + +You can provide `encrypted: true` for an encrypted volume. + ## Credentials Expects a `credentials` databag with an `aws` item that contains `aws_access_key_id` and `aws_secret_access_key`. diff --git a/attributes/default.rb b/attributes/default.rb index 36fbd15..c01a2f3 100644 --- a/attributes/default.rb +++ b/attributes/default.rb @@ -8,6 +8,7 @@ default[:ebs][:mdadm_chunk_size] = '256' default[:ebs][:md_read_ahead] = '65536' # 64k default[:ebs][:initrd_md5] = '' +default[:ebs][:encrypted] = false if BlockDevice.on_kvm? && ebs[:devices] diff --git a/metadata.rb b/metadata.rb index 2725a4e..9b67a4f 100644 --- a/metadata.rb +++ b/metadata.rb @@ -11,5 +11,5 @@ recipe "ebs::raids", "Mounts attached EBS RAIDs" recipe "ebs::persistent", "Mounts volumes defined in attributes" -depends 'aws', '>= 0.101.0' +depends 'aws', '~> 2.7.0' depends 'delayed_evaluator' diff --git a/recipes/default.rb b/recipes/default.rb index 12c6f42..f29ac4b 100644 --- a/recipes/default.rb +++ b/recipes/default.rb @@ -23,7 +23,7 @@ owner "root" mode 0644 end - + execute "Reload udev rules" do command "udevadm control --reload-rules" end diff --git a/recipes/raids.rb b/recipes/raids.rb index 4963a58..8a686ba 100644 --- a/recipes/raids.rb +++ b/recipes/raids.rb 
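Review bot: The new `default[:ebs][:encrypted] = false` in attributes/default.rb carries no comment, and the README hunk in this commit only documents the per-volume `encrypted: true` key, so a reader cannot tell that this attribute is the node-wide fallback consulted by the raids and volumes recipes. Suggest `# node-wide default; a truthy :encrypted key on a volume/raid entry overrides it (see recipes/raids.rb and recipes/volumes.rb)` above the line, and a sentence in the README's new Volume Encryption section naming the attribute.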
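Review bot: The dependency constraint in metadata.rb jumps from `>= 0.101.0` to `~> 2.7.0` without explanation; presumably 2.7.x is the first aws cookbook release whose `aws_ebs_volume` resource accepts the `encrypted` property that the raids and volumes recipes now pass, but the commit message does not say so and this should be confirmed against the aws cookbook changelog. A comment on the line, `depends 'aws', '~> 2.7.0' # aws_ebs_volume encrypted property`, would record why the pin exists. The pessimistic pin itself is an improvement over the open-ended lower bound, since it stops a resolver from pulling an untested major release.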
@@ -34,6 +34,7 @@ device mount availability_zone node[:ec2][:placement_availability_zone] volume_type options[:piops] ? 'io1' : 'standard' + encrypted options[:encrypted] || node[:ebs][:encrypted] piops options[:piops] action [ :create, :attach ] end diff --git a/recipes/volumes.rb b/recipes/volumes.rb index f990655..45f76b6 100644 --- a/recipes/volumes.rb +++ b/recipes/volumes.rb @@ -23,6 +23,7 @@ device device availability_zone node[:ec2][:placement_availability_zone] volume_type options[:piops] ? 'io1' : 'standard' + encrypted options[:encrypted] || node[:ebs][:encrypted] piops options[:piops] action :nothing end From b6c65904c5ef23d59654af29c3b8a19fb1987e5e Mon Sep 17 00:00:00 2001 From: Michael Saffitz Date: Thu, 19 Jun 2014 09:16:25 -0700 Subject: [PATCH 2/2] add support for general purpose SSD devices --- README.md | 4 ++-- attributes/default.rb | 2 +- recipes/raids.rb | 10 +++++++++- recipes/volumes.rb | 10 +++++++++- 4 files changed, 21 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index bb0ddcb..7b6fa81 100644 --- a/README.md +++ b/README.md @@ -60,7 +60,7 @@ Create a RAID 10 across the volumes specified in the `persistent_volumes` array, ### EBS Volume Creation -Create a 10GB volume with 1000 provisioned iops, format it with XFS, and mount it on `/data` with `noatime` as an option. +Create a 10GB EBS General Purpose SSD volume, format it with XFS, and mount it on `/data` with `noatime` as an option. ```ruby { @@ -68,7 +68,7 @@ Create a 10GB volume with 1000 provisioned iops, format it with XFS, and mount i :volumes => { '/data' => { :size => 10, - :piops => 1000, + :volume_type => 'gp2', :fstype => 'xfs', :mount_options => 'noatime' } diff --git a/attributes/default.rb b/attributes/default.rb index c01a2f3..2839af0 100644 --- a/attributes/default.rb +++ b/attributes/default.rb 
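Review bot: `encrypted options[:encrypted] || node[:ebs][:encrypted]` in recipes/raids.rb (and the identical line added to recipes/volumes.rb in this commit) cannot honour an explicit per-volume `encrypted: false` once `node[:ebs][:encrypted]` is true, because `||` treats `false` the same as a missing key. If that fail-closed behaviour is intended it deserves a comment such as `# a node-level true cannot be overridden per volume`; if a per-volume opt-out should work, decide on key presence instead, e.g. `encrypted options.fetch(:encrypted, node[:ebs][:encrypted])` (Chef's Mash normalises symbol and string keys for fetch, but confirm `options` is a Mash here rather than a plain Hash with string keys). The enclosing `aws_ebs_volume` block opens before this hunk.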
@@ -8,9 +8,9 @@ default[:ebs][:mdadm_chunk_size] = '256' default[:ebs][:md_read_ahead] = '65536' # 64k default[:ebs][:initrd_md5] = '' +default[:ebs][:volume_type] = 'standard' # or gp2 for SSD disks by default (more expensive) default[:ebs][:encrypted] = false - if BlockDevice.on_kvm? && ebs[:devices] Chef::Log.info("Running on QEMU/KVM: Need to translate device names as KVM allocates them regardless of the given device ID") ebs_devices = {} diff --git a/recipes/raids.rb b/recipes/raids.rb index 8a686ba..683ccb5 100644 --- a/recipes/raids.rb +++ b/recipes/raids.rb @@ -27,13 +27,21 @@ disks << mount = "/dev/sd#{next_mount}" next_mount = next_mount.succ + volume_type = if options[:piops] + 'io1' + elsif options[:volume_type] + options[:volume_type] + else + node[:ebs][:volume_type] + end + aws_ebs_volume mount do aws_access_key credentials[node.ebs.creds.aki] aws_secret_access_key credentials[node.ebs.creds.sak] size options[:disk_size] device mount availability_zone node[:ec2][:placement_availability_zone] - volume_type options[:piops] ? 'io1' : 'standard' + volume_type volume_type encrypted options[:encrypted] || node[:ebs][:encrypted] piops options[:piops] action [ :create, :attach ] diff --git a/recipes/volumes.rb b/recipes/volumes.rb index 45f76b6..4ea8f99 100644 --- a/recipes/volumes.rb +++ b/recipes/volumes.rb @@ -16,13 +16,21 @@ devid = devices.sort.last[-1,1].succ device = "/dev/sd#{devid}" + volume_type = if options[:piops] + 'io1' + elsif options[:volume_type] + options[:volume_type] + else + node[:ebs][:volume_type] + end + vol = aws_ebs_volume device do aws_access_key credentials[node.ebs.creds.aki] aws_secret_access_key credentials[node.ebs.creds.sak] size options[:size] device device availability_zone node[:ec2][:placement_availability_zone] - volume_type options[:piops] ? 'io1' : 'standard' + volume_type volume_type encrypted options[:encrypted] || node[:ebs][:encrypted] piops options[:piops] action :nothing
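Review bot: The trailing comment on the new `default[:ebs][:volume_type] = 'standard'` line, `# or gp2 for SSD disks by default (more expensive)`, is ambiguous about what "by default" refers to and makes a cost claim that nothing in the change supports. Suggest `# EBS volume type used when a volume/raid entry sets neither :volume_type nor :piops (e.g. 'gp2' for SSD)`, which states the precedence the recipes in this commit actually implement.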
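Review bot: The new `volume_type` ladder in recipes/raids.rb (duplicated verbatim in recipes/volumes.rb in this commit) lets `:piops` silently win over an explicit `:volume_type`, so an entry that sets both `piops` and `volume_type: 'gp2'` is created as io1 with no warning, and whatever string `:volume_type` holds is handed to `aws_ebs_volume` unchecked. A one-line guard before the ladder would surface the conflict: `raise ArgumentError, "piops requires volume_type io1" if options[:piops] && options[:volume_type] && options[:volume_type] != 'io1'`. Since the seven-line block is identical in both recipes it is a candidate for a shared helper in the cookbook's libraries (the attributes file already calls `BlockDevice.on_kvm?` from there), and naming the local `ebs_volume_type` instead of `volume_type` would stop it shadowing the resource DSL method it is passed to on the `volume_type volume_type` line. The loop block that yields `options` and encloses this code starts before the hunk.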