Skip to content

Commit

Permalink
rbd: add additional space for encrypted volumes
Browse files Browse the repository at this point in the history
issue: when a block-mode pvc is created with encryption enabled
there is some space reserved for the encryption metadata.
Which doesn't allows users to write extact amount of data that
they have requested for.

solution: create pvc with extra space needed for the encryption
metadata. `GetLuksHeaderSize()` function returns the luks2
encryption metadata(header size).

Signed-off-by: Praveen M <[email protected]>
  • Loading branch information
iPraveenParihar committed Apr 24, 2024
1 parent b095e04 commit b7586df
Show file tree
Hide file tree
Showing 3 changed files with 33 additions and 4 deletions.
4 changes: 4 additions & 0 deletions internal/rbd/controllerserver.go
Original file line number Diff line number Diff line change
Expand Up @@ -1627,6 +1627,10 @@ func (cs *ControllerServer) ControllerExpandVolume(
}
}

if rbdVol.isBlockEncrypted() {
rbdVol.VolSize -= util.GetLuksHeaderSize()
}

return &csi.ControllerExpandVolumeResponse{
CapacityBytes: rbdVol.VolSize,
NodeExpansionRequired: nodeExpansion,
Expand Down
15 changes: 12 additions & 3 deletions internal/rbd/rbd_util.go
Original file line number Diff line number Diff line change
Expand Up @@ -443,8 +443,12 @@ func createImage(ctx context.Context, pOpts *rbdVolume, cr *util.Credentials) er
return fmt.Errorf("failed to get IOContext: %w", err)
}

err = librbd.CreateImage(pOpts.ioctx, pOpts.RbdImageName,
uint64(util.RoundOffVolSize(pOpts.VolSize)*helpers.MiB), options)
size := uint64(util.RoundOffVolSize(pOpts.VolSize)*helpers.MiB)
if pOpts.isBlockEncrypted() {
size += uint64(util.GetLuksHeaderSize())
}

err = librbd.CreateImage(pOpts.ioctx, pOpts.RbdImageName, size, options)
if err != nil {
return fmt.Errorf("failed to create rbd image: %w", err)
}
Expand Down Expand Up @@ -1846,7 +1850,12 @@ func (ri *rbdImage) resize(newSize int64) error {
}
defer image.Close()

err = image.Resize(uint64(util.RoundOffVolSize(newSize) * helpers.MiB))
size := uint64(util.RoundOffVolSize(newSize) * helpers.MiB)
if ri.isBlockEncrypted() {
size += uint64(util.GetLuksHeaderSize())
}

err = image.Resize(size)
if err != nil {
return err
}
Expand Down
18 changes: 17 additions & 1 deletion internal/util/cryptsetup.go
Original file line number Diff line number Diff line change
Expand Up @@ -22,10 +22,22 @@ import (
"os/exec"
"strconv"
"strings"

"k8s.io/cloud-provider/volume/helpers"
)

// Limit memory used by Argon2i PBKDF to 32 MiB.
const cryptsetupPBKDFMemoryLimit = 32 << 10 // 32768 KiB
const (
cryptsetupPBKDFMemoryLimit = 32 << 10 // 32768 KiB
luks2MetadataSize = 32 << 7 // 4096 KiB
luks2KeySlotsSize = 32 << 8 // 8192 KiB
)


func GetLuksHeaderSize() int64 {
size := int64((((2 * luks2MetadataSize) + luks2KeySlotsSize) * helpers.KiB))
return size
}

// LuksFormat sets up volume as an encrypted LUKS partition.
func LuksFormat(devicePath, passphrase string) (string, string, error) {
Expand All @@ -37,6 +49,10 @@ func LuksFormat(devicePath, passphrase string) (string, string, error) {
"luks2",
"--hash",
"sha256",
"--luks2-metadata-size",
fmt.Sprintf("%sk", strconv.Itoa(luks2MetadataSize)),
"--luks2-keyslots-size",
fmt.Sprintf("%sk", strconv.Itoa(luks2KeySlotsSize)),
"--pbkdf-memory",
strconv.Itoa(cryptsetupPBKDFMemoryLimit),
devicePath,
Expand Down

0 comments on commit b7586df

Please sign in to comment.