Add support for "scsi disks" to be tagged "ephemeral" in udev

[mikn]

Currently here:
https://github.com/bottlerocket-os/bottlerocket-core-kit/blob/edec0b247f770dd13912fd11293e02bf5981891a/packages/os/ephemeral-storage.rules#L10

and in a couple of other rules, there is a whitelist of device prefixes that does not include sd* devices. I was hoping to rely on the BOTTLEROCKET_DEVICE_TYPE to trigger automatic encryption using udev rules, but since sd* is not included by default, I have now added my own rule that tags them also using ghostdog.

Would you want to upstream this as part of the core ruleset?

[bcressey]

Would you want to upstream this as part of the core ruleset?

The comments in the rules don't call this out directly, but a goal is to exclude CSI volumes from being matched, since those are managed by a different solution. Some of these volumes, like EBS, might be brought up automatically on reboot before pods are running.

It's critical that they not be confused or incorrectly tagged as "ephemeral", since then they might be grouped with other ephemeral storage devices and placed into a RAID array. So any storage type that is hot-plugged or with a lifecycle that's detached from the host's own lifecycle is likely not a good fit for being matched by these rules.

("ephemeral" is an EC2-ism and refers to local data volumes whose contents are not persisted across a stop/start cycle.)

With that context in mind, if your devices match that profile - disks that are always present on the host, that the host would otherwise ignore, that aren't a block device type used by CSI drivers - then it makes sense to update the rules to match them, and upstreaming the change would be great!

[mikn]

Yes, the disks we are managing (on a metal machine) are strongly linked to the life cycle of the node and may also be replaced (if they break). We want the device mapper target of the crypt device to be what the CSI drivers use, not the raw disk.

Given that you are excluding sd* disks now to exclude EBS volumes, how can I introduce my change without inadvertently tagging EBS volumes as "ephemeral" also?

More specifically, what we do is that we have an udev rule that reads the BOTTLEROCKET_DEVICE_TYPE tag and whether there is a filesystem on the disk currently or not. If it is ephemeral without a filesystem, we then format it with cryptdisk and enrolls the key into the TPM. If there is a file system on it with the LUKS header, we then start the decryption systemd unit.

[bcressey]

Given that you are excluding sd* disks now to exclude EBS volumes, how can I introduce my change without inadvertently tagging EBS volumes as "ephemeral" also?

EBS volumes would either match xvd* (for Xen-based VMs) or nvme* (for newer). Since we don't have any additional data to distinguish EBS from non-EBS xvd*, we don't create links for any such disks under /dev/disk/ephemeral. For nvme*, we're able to get additional data to make that distinction.

The ephemeral rules are silent on sd* at the moment, and anything added there won't affect the EBS code paths at all. I was just providing additional background in case we needed some way to distinguish different types of sd* disks, which it sounds like we don't.