From 658182ae32de367b4d88a57add5a2e098c4084f4 Mon Sep 17 00:00:00 2001 From: James Lu Date: Mon, 9 Sep 2024 17:05:24 +0800 Subject: [PATCH] fix(encrypt): close encrypted volume if it is opened In normal process of attaching a volume via CSI, the encrypted volume should be in closed or inactivated state before Longhorn attempts to open it. ref: longhorn/longhorn 9385 Signed-off-by: James Lu (cherry picked from commit 04f95d276eb56ecf6a242ab390803f6aaeafbe80) --- csi/crypto/crypto.go | 10 ++++++++++ csi/node_server.go | 12 ++++++++++++ 2 files changed, 22 insertions(+) diff --git a/csi/crypto/crypto.go b/csi/crypto/crypto.go index c8f60d2ae4..988864f787 100644 --- a/csi/crypto/crypto.go +++ b/csi/crypto/crypto.go @@ -145,6 +145,16 @@ func ResizeEncryptoDevice(volume, passphrase string) error { return err } +// IsDeviceMappedToNullPath determines if encrypted device is already open at a null path. The command 'cryptsetup status [crypted_device]' show "device: (null)" +func IsDeviceMappedToNullPath(device string) (bool, error) { + devPath, mappedFile, err := DeviceEncryptionStatus(device) + if err != nil { + return false, err + } + + return mappedFile != "" && strings.Compare(devPath, "(null)") == 0, nil +} + // IsDeviceOpen determines if encrypted device is already open. func IsDeviceOpen(device string) (bool, error) { _, mappedFile, err := DeviceEncryptionStatus(device) diff --git a/csi/node_server.go b/csi/node_server.go index 0575c571b0..399503abb9 100644 --- a/csi/node_server.go +++ b/csi/node_server.go @@ -489,6 +489,18 @@ func (ns *NodeServer) NodeStageVolume(ctx context.Context, req *csi.NodeStageVol cryptoDevice := crypto.VolumeMapper(volumeID) log.Infof("Volume %s requires crypto device %s", volumeID, cryptoDevice) + // check if the crypto device is open at the null path. + // this will happen if the crypto device is not closed properly and a new attaching request is made on the same node. + // reference issue: https://github.com/longhorn/longhorn/issues/9385 + if mappedToNullPath, err := crypto.IsDeviceMappedToNullPath(cryptoDevice); err != nil { + return nil, status.Errorf(codes.Internal, "failed to check if the crypto device %s for volume %s is mapped to the null path: %v", cryptoDevice, volumeID, err.Error()) + } else if mappedToNullPath { + log.Warnf("Closing active crypto device %s for volume %s since the volume is not closed properly before", cryptoDevice, volumeID) + if err := crypto.CloseVolume(volumeID); err != nil { + return nil, status.Errorf(codes.Internal, "failed to close active crypto device %s for volume %s: %v ", cryptoDevice, volumeID, err.Error()) + } + } + if err := crypto.OpenVolume(volumeID, devicePath, passphrase); err != nil { return nil, status.Error(codes.Internal, err.Error()) }