fix(crypto): execute cryptsetup in the host namespace again
Longhorn 9000

Signed-off-by: Eric Weber <[email protected]>
ejweber authored and c3y1huang committed Jul 15, 2024
1 parent 06abbf3 commit 10f6d94
Showing 2 changed files with 19 additions and 5 deletions.
10 changes: 5 additions & 5 deletions csi/crypto/crypto.go
@@ -76,7 +76,7 @@ func VolumeMapper(volume string) string {
// EncryptVolume encrypts provided device with LUKS.
func EncryptVolume(devicePath, passphrase string, cryptoParams *EncryptParams) error {
namespaces := []lhtypes.Namespace{lhtypes.NamespaceMnt, lhtypes.NamespaceIpc}
nsexec, err := lhns.NewNamespaceExecutor(lhtypes.ProcessNone, lhtypes.ProcDirectory, namespaces)
nsexec, err := lhns.NewNamespaceExecutor(lhtypes.ProcessNone, lhtypes.HostProcDirectory, namespaces)
if err != nil {
return err
}
@@ -102,7 +102,7 @@ func OpenVolume(volume, devicePath, passphrase string) error {
}

namespaces := []lhtypes.Namespace{lhtypes.NamespaceMnt, lhtypes.NamespaceIpc}
nsexec, err := lhns.NewNamespaceExecutor(lhtypes.ProcessNone, lhtypes.ProcDirectory, namespaces)
nsexec, err := lhns.NewNamespaceExecutor(lhtypes.ProcessNone, lhtypes.HostProcDirectory, namespaces)
if err != nil {
return err
}
@@ -118,7 +118,7 @@ func OpenVolume(volume, devicePath, passphrase string) error {
// CloseVolume closes encrypted volume so it can be detached.
func CloseVolume(volume string) error {
namespaces := []lhtypes.Namespace{lhtypes.NamespaceMnt, lhtypes.NamespaceIpc}
nsexec, err := lhns.NewNamespaceExecutor(lhtypes.ProcessNone, lhtypes.ProcDirectory, namespaces)
nsexec, err := lhns.NewNamespaceExecutor(lhtypes.ProcessNone, lhtypes.HostProcDirectory, namespaces)
if err != nil {
return err
}
@@ -136,7 +136,7 @@ func ResizeEncryptoDevice(volume, passphrase string) error {
}

namespaces := []lhtypes.Namespace{lhtypes.NamespaceMnt, lhtypes.NamespaceIpc}
nsexec, err := lhns.NewNamespaceExecutor(lhtypes.ProcessNone, lhtypes.ProcDirectory, namespaces)
nsexec, err := lhns.NewNamespaceExecutor(lhtypes.ProcessNone, lhtypes.HostProcDirectory, namespaces)
if err != nil {
return err
}
@@ -160,7 +160,7 @@ func DeviceEncryptionStatus(devicePath string) (mappedDevice, mapper string, err
}

namespaces := []lhtypes.Namespace{lhtypes.NamespaceMnt, lhtypes.NamespaceIpc}
nsexec, err := lhns.NewNamespaceExecutor(lhtypes.ProcessNone, lhtypes.ProcDirectory, namespaces)
nsexec, err := lhns.NewNamespaceExecutor(lhtypes.ProcessNone, lhtypes.HostProcDirectory, namespaces)
if err != nil {
return devicePath, "", err
}
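Review bot: The executor construction `lhns.NewNamespaceExecutor(lhtypes.ProcessNone, lhtypes.HostProcDirectory, namespaces)` is repeated verbatim in EncryptVolume, OpenVolume, CloseVolume, ResizeEncryptoDevice and DeviceEncryptionStatus, so the proc directory that decides where cryptsetup runs has to stay correct in five places. A single unexported helper in this file that builds the mount+IPC executor would give that execution context one definition to review and change. Each call site also returns the error bare (`return err`); adding context that names `lhtypes.HostProcDirectory` would make a failure easier to diagnose, for example if the plugin pod is running without the `/host/proc` mount (presumably the case this would hit during a partial upgrade). All five function bodies continue outside their hunks, so how the passphrase is handed to cryptsetup is not visible here.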
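--- a/csi/deployment.go
+++ b/csi/deployment.go
@@ -419,6 +419,12 @@ func NewPluginDeployment(namespace, serviceAccount, nodeDriverRegistrarImage, li
 Name: "host-dev",
 MountPath: "/dev",
 },
+{
+// The plugin must be able to switch to the host's namespaces in order to execute
+// cryptsetup commands for encrypted devices.
+Name: "host-proc",
+MountPath: "/host/proc",
+},
 {
 Name: "host-sys",
 MountPath: "/sys",
@@ -476,6 +482,14 @@ func NewPluginDeployment(namespace, serviceAccount, nodeDriverRegistrarImage, li
 },
 },
 },
+{
+Name: "host-proc",
+VolumeSource: corev1.VolumeSource{
+HostPath: &corev1.HostPathVolumeSource{
+Path: "/proc",
+},
+},
+},
 {
 Name: "host-sys",
 VolumeSource: corev1.VolumeSource{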
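Review bot: The new `host-proc` VolumeMount at `/host/proc` sets no `ReadOnly`, so the host's `/proc` is mounted into the plugin container writable. If the namespace executor only opens the `ns` entries under `/host/proc/<pid>/` to join the host mount and IPC namespaces, adding `ReadOnly: true` to the mount would keep that ability while not offering a write path to host `/proc` through this volume; that needs confirming against the executor and the container's securityContext, both outside these hunks. The `HostPathVolumeSource` also leaves `Type` unset, so no check is made that `/proc` is a directory before mounting; `corev1.HostPathDirectory` would state the expectation. NewPluginDeployment starts and ends outside both hunks.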
