mirrors/ceph-csi
1
0
Fork 0
mirror of https://github.com/ceph/ceph-csi.git synced 2025-01-05 11:39:29 +00:00
Code Issues Packages Projects Releases Wiki Activity

util: Limit cryptsetup PBKDF memory usage

Browse Source 
By default, `cryptsetup luksFormat` uses Argon2i as Password-Based Key
Derivation Function (PBKDF), which not only has a CPU cost, but also a memory
cost (to make brute-force attacks harder).

The memory cost is based on the available system memory by default, which in
the context of Ceph CSI can be a problem for two reasons:

1. Pods can have a memory limit (much lower that the memory available on the
   node, usually) which isn't taken into account by `cryptsetup`, so it can get
   OOM-killed when formating a new volume;
2. The amount of memory that was used during `cryptsetup luksFormat` will then
   be needed for `cryptsetup luksOpen`, so if the volume was formated on a node
   with a lot of memory, but then needs to be opened on a different node with
   less memory, `cryptsetup` will get OOM-killed.

This commit sets the PBKDF memory limit to a fixed value to ensure consistent
memory usage regardless of the specifications of the nodes where the volume
happens to be formatted in the first place.

The limit is set to a relatively low value (32 MiB) so that the `csi-rbdplugin`
container in the `nodeplugin` pod doesn't require an extravagantly high memory
limit in order to format/open volumes (particularly with operations happening
in parallel), while at the same time not being so low as to render it
completely pointless.

Signed-off-by: Benoît Knecht <bknecht@protonmail.ch>
This commit is contained in:
Benoît Knecht 2023-04-26 11:22:25 +02:00 committed by mergify[bot]
parent 014f81495b
commit 1852e977f8
1 changed files with 6 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
internal/util/cryptsetup.go
View File

@ -20,9 +20,13 @@ import (
"bytes" "bytes"
"fmt" "fmt"
"os/exec" "os/exec"
"strconv"
"strings" "strings"
) )
// Limit memory used by Argon2i PBKDF to 32 MiB.
const cryptsetupPBKDFMemoryLimit = 32 << 10 // 32768 KiB
// LuksFormat sets up volume as an encrypted LUKS partition. // LuksFormat sets up volume as an encrypted LUKS partition.
func LuksFormat(devicePath, passphrase string) (string, string, error) { func LuksFormat(devicePath, passphrase string) (string, string, error) {
return execCryptsetupCommand( return execCryptsetupCommand(
@ -33,6 +37,8 @@ func LuksFormat(devicePath, passphrase string) (string, string, error) {
"luks2", "luks2",
"--hash", "--hash",
"sha256", "sha256",
"--pbkdf-memory",
strconv.Itoa(cryptsetupPBKDFMemoryLimit),
devicePath, devicePath,
"-d", "-d",
"/dev/stdin") "/dev/stdin")