Skip to content

Commit

Permalink
rbd: add additional space for encrypted volumes
Browse files Browse the repository at this point in the history
issue: when a block-mode pvc is created with encryption enabled
there is some space reserved for the encryption metadata.
Which doesn't allows users to write extact amount of data that
they have requested for.

solution: create pvc with extra space needed for the encryption
metadata. `GetLuksHeaderSize()` function returns the luks2
encryption metadata(header size).

Signed-off-by: Praveen M <[email protected]>
  • Loading branch information
iPraveenParihar authored and nixpanic committed Apr 25, 2024
1 parent 60e2527 commit 69aeda7
Show file tree
Hide file tree
Showing 3 changed files with 43 additions and 4 deletions.
5 changes: 5 additions & 0 deletions internal/rbd/controllerserver.go
Original file line number Diff line number Diff line change
Expand Up @@ -1217,6 +1217,11 @@ func (cs *ControllerServer) CreateSnapshot(
return nil, status.Error(codes.Internal, err.Error())
}

// remove the extra size of the LUKS header, if the volume is block encrypted.
if vol.isBlockEncrypted() {
vol.VolSize -= util.GetLuksHeaderSize()
}

return &csi.CreateSnapshotResponse{
Snapshot: &csi.Snapshot{
SizeBytes: vol.VolSize,
Expand Down
24 changes: 21 additions & 3 deletions internal/rbd/rbd_util.go
Original file line number Diff line number Diff line change
Expand Up @@ -443,8 +443,14 @@ func createImage(ctx context.Context, pOpts *rbdVolume, cr *util.Credentials) er
return fmt.Errorf("failed to get IOContext: %w", err)
}

err = librbd.CreateImage(pOpts.ioctx, pOpts.RbdImageName,
uint64(util.RoundOffVolSize(pOpts.VolSize)*helpers.MiB), options)
size := uint64(util.RoundOffVolSize(pOpts.VolSize) * helpers.MiB)

// add the extra size of the LUKS header to the image size if block encryption is enabled.
if pOpts.isBlockEncrypted() {
size += uint64(util.GetLuksHeaderSize())
}

err = librbd.CreateImage(pOpts.ioctx, pOpts.RbdImageName, size, options)
if err != nil {
return fmt.Errorf("failed to create rbd image: %w", err)
}
Expand Down Expand Up @@ -1598,6 +1604,11 @@ func (ri *rbdImage) getImageInfo() error {
// TODO: can rv.VolSize not be a uint64? Or initialize it to -1?
ri.VolSize = int64(imageInfo.Size)

// remove the extra size of the LUKS header, if the volume is block encrypted.
if ri.isBlockEncrypted() {
ri.VolSize -= util.GetLuksHeaderSize()
}

features, err := image.GetFeatures()
if err != nil {
return err
Expand Down Expand Up @@ -1846,7 +1857,14 @@ func (ri *rbdImage) resize(newSize int64) error {
}
defer image.Close()

err = image.Resize(uint64(util.RoundOffVolSize(newSize) * helpers.MiB))
size := uint64(util.RoundOffVolSize(newSize) * helpers.MiB)

// add the extra size of the LUKS header to the image size if block encryption is enabled.
if ri.isBlockEncrypted() {
size += uint64(util.GetLuksHeaderSize())
}

err = image.Resize(size)
if err != nil {
return err
}
Expand Down
18 changes: 17 additions & 1 deletion internal/util/cryptsetup.go
Original file line number Diff line number Diff line change
Expand Up @@ -22,10 +22,22 @@ import (
"os/exec"
"strconv"
"strings"

"k8s.io/cloud-provider/volume/helpers"
)

// Limit memory used by Argon2i PBKDF to 32 MiB.
const cryptsetupPBKDFMemoryLimit = 32 << 10 // 32768 KiB
const (
cryptsetupPBKDFMemoryLimit = 32 << 10 // 32768 KiB
luks2MetadataSize = 32 << 7 // 4096 KiB
luks2KeySlotsSize = 32 << 8 // 8192 KiB
)

func GetLuksHeaderSize() int64 {
size := int64((((2 * luks2MetadataSize) + luks2KeySlotsSize) * helpers.KiB))

return size
}

// LuksFormat sets up volume as an encrypted LUKS partition.
func LuksFormat(devicePath, passphrase string) (string, string, error) {
Expand All @@ -37,6 +49,10 @@ func LuksFormat(devicePath, passphrase string) (string, string, error) {
"luks2",
"--hash",
"sha256",
"--luks2-metadata-size",
strconv.Itoa(luks2MetadataSize)+"k",
"--luks2-keyslots-size",
strconv.Itoa(luks2KeySlotsSize)+"k",
"--pbkdf-memory",
strconv.Itoa(cryptsetupPBKDFMemoryLimit),
devicePath,
Expand Down

0 comments on commit 69aeda7

Please sign in to comment.