Can't deploy AWS instances with encrypted root FS
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Canonical Juju | Triaged | Low | Unassigned |
Bug Description
Hi,
I'm using juju 2.7.5-focal-amd64 to deploy a controller and model into AWS. Everything here was done within the last 24 hours.
I finished deploying a set of apps, but I noted that all the units are running on unencrypted SSD volumes (AWS gp2 volumes specifically). I'd like to redeploy, or add/remove units, so that all my units are running on encrypted volumes instead.
If I'm understanding the storage docs correctly for juju, it sounds like I either need to update the ebs pool (specified via storage-
Unfortunately, I can't get this to work.
* "juju update-storage-pool ebs encrypted=true" returns "ERROR pool "ebs" not found", despite "ebs" showing up via "juju storage-pools". The same is true for rootfs, although that might not work anyway since rootfs uses the rootfs provider instead.
* Creating a new storage pool and associating that with storage-
Is there a way to have the root FS on new AWS-based units be encrypted?
"ebs" is a built in virtual pool and gives out of the box ebs support, so creating a new bespoke ebs pool with the encrypted option is the correct approach.
How does your charm declare its storage? "filesystem" or "block"?
For "filesystem" storage you need to use the "storage-default-filesystem-source" setting.
Yes, the underlying storage provided by the cloud is a block device, but as far as the charm is concerned it is asking for a filesystem storage device; Juju takes the block device from the cloud, formats an ext4 filesystem on top and hands that to the charm.
I am not sure there's a way to get the rootfs of the running instance to be encrypted. But the charm can ensure all of its workload data is stored on an encrypted volume using a storage pool which provisions encrypted volumes.
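The procedure the replies describe (a bespoke ebs pool created with encrypted=true, set as the model's default filesystem and block source, then a deployment that uses it), as an added shell example that is not part of this bug report or of Juju's own tooling. The pool name ebs-encrypted, the charm postgresql with a storage item named pgdata, and the juju-model-uuid volume tag used in the AWS-side check are assumptions for illustration; JUJU and AWS can be overridden (for example JUJU=echo) for a dry run.

```shell
#!/bin/sh
# Added example (not from the bug report or from Juju): provision encrypted
# EBS volumes for charm storage and verify the result from the AWS side.
# Assumptions: pool name "ebs-encrypted", charm "postgresql" with a storage
# item "pgdata", and the "juju-model-uuid" tag on Juju-created volumes.
set -eu

JUJU="${JUJU:-juju}"   # set JUJU=echo to print the commands instead of running them
AWS="${AWS:-aws}"      # likewise AWS=echo
POOL="${POOL:-ebs-encrypted}"

# 1. "ebs" is a built-in virtual pool and cannot be updated in place
#    ("pool "ebs" not found"), so create a bespoke ebs pool with encryption on.
create_encrypted_pool() {
    "$JUJU" create-storage-pool "$POOL" ebs encrypted=true
}

# 2. Make the new pool the default for charms that request "filesystem"
#    storage (Juju formats ext4 on the block device for them) and for charms
#    that request "block" storage, so no per-deploy flag is needed.
set_model_defaults() {
    "$JUJU" model-config \
        storage-default-filesystem-source="$POOL" \
        storage-default-block-source="$POOL"
}

# 3. Deploy, naming the pool explicitly so the intent survives a later change
#    of the model defaults. Usage: deploy_with_encrypted_storage CHARM STORE SIZE
deploy_with_encrypted_storage() {
    charm="$1"; store="$2"; size="$3"
    "$JUJU" deploy "$charm" --storage "$store=$POOL,$size"
}

# 4. Verify from AWS rather than trusting the pool definition: list every
#    volume tagged with this model's UUID with its attachment device and
#    Encrypted flag. Charm storage volumes must show Encrypted=True; the
#    instance root volume (typically /dev/sda1 or /dev/xvda) will still show
#    False, which this approach does not change.
check_volumes_encrypted() {
    model_uuid="$1"
    "$AWS" ec2 describe-volumes \
        --filters "Name=tag:juju-model-uuid,Values=$model_uuid" \
        --query 'Volumes[].{Id:VolumeId,Device:Attachments[0].Device,Encrypted:Encrypted}' \
        --output table
}

# Run the whole procedure only when asked: ./encrypted-ebs.sh apply MODEL_UUID
if [ "${1:-}" = "apply" ]; then
    create_encrypted_pool
    set_model_defaults
    deploy_with_encrypted_storage postgresql pgdata 100G
    check_volumes_encrypted "${2:?model uuid required}"
fi
```

The AWS check is the part worth keeping: a pool option can be misspelled or overridden per deployment, and only the volume's own Encrypted attribute proves what was provisioned. As the last reply notes, this covers the charm's workload data, not the instance root filesystem, so expect the root device to remain unencrypted in that listing.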