From 13c0980e7101840fa5792b249cc3cb393e147ecc Mon Sep 17 00:00:00 2001 From: Tim Burke Date: 2021年1月21日 11:53:09 -0800 Subject: [PATCH] docs: Clarify that encryption should not be in reconciler pipeline UpgradeImpact ============= Operators should verify that encryption is not enabled in their reconciler pipelines; having it enabled there may harm data durability. For more information, see https://launchpad.net/bugs/1910804 Change-Id: I1a1d78ed91d940ef0b4eba186dcafd714b4fb808 Closes-Bug: #1910804 --- doc/source/overview_encryption.rst | 5 +++-- etc/container-reconciler.conf-sample | 6 ++++++ 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/doc/source/overview_encryption.rst b/doc/source/overview_encryption.rst index cc429737eb..beab7ba11d 100644 --- a/doc/source/overview_encryption.rst +++ b/doc/source/overview_encryption.rst @@ -781,8 +781,9 @@ encrypted. Encryption has no impact on the `container-reconciler` service. The `container-reconciler` uses an internal client to move objects between -different policy rings. The destination object has the same URL as the source -object and the object is moved without re-encryption. +different policy rings. The reconciler's pipeline *MUST NOT* have encryption +enabled. The destination object has the same URL as the source object and the +object is moved without re-encryption. Considerations for developers diff --git a/etc/container-reconciler.conf-sample b/etc/container-reconciler.conf-sample index ea8bc53a19..ee507a396b 100644 --- a/etc/container-reconciler.conf-sample +++ b/etc/container-reconciler.conf-sample 
@@ -58,6 +58,12 @@ # ionice_priority = [pipeline:main] +# Note that the reconciler's pipeline is intentionally very sparse -- it is +# only responsible for moving data from one policy to another and should not +# perform any transformations beyond (potentially) changing erasure coding. +# It notably MUST NOT include transformative middlewares (such as encryption), +# redirection middlewares (such as symlink), or composing middlewares (such +# as slo and dlo). pipeline = catch_errors proxy-logging cache proxy-server [app:proxy-server]
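Review bot: In the doc/source/overview_encryption.rst hunk, the new "*MUST NOT* have encryption enabled" sentence gives no reason and sits directly after the unchanged line "Encryption has no impact on the `container-reconciler` service", which reads as a contradiction to an operator skimming the section. Consider rewording the lead sentence and carrying over the reason from the commit message (having encryption enabled there "may harm data durability"), with a pointer to bug #1910804. This paragraph also names only encryption, while the sample config comment in the same patch also rules out symlink, slo and dlo; either list them here as well or refer the reader to etc/container-reconciler.conf-sample so the two places do not drift apart.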
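Review bot: In the etc/container-reconciler.conf-sample hunk, the comment under [pipeline:main] states the MUST NOT without the consequence, so an operator who already carries a customised pipeline has no way to judge the urgency; a short clause saying that including these middlewares may harm data durability, plus the bug reference, would make it actionable. The three categories are defined only by example ("such as encryption", "such as symlink", "such as slo and dlo"), which leaves other middleware for the operator to classify; it would help to say explicitly that the "pipeline = catch_errors proxy-logging cache proxy-server" line below is the intended pipeline and that additions need justification. Since the patch touches only docs and a sample file, nothing enforces the rule at runtime; a follow-up that makes the reconciler warn or refuse to start when its pipeline contains one of these filters would be worth tracking.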
