From 4445247690b9355552f3fb309e634c5106b0728f Mon Sep 17 00:00:00 2001
From: Niraj Yadav
Date: Fri, 26 Jul 2024 09:15:21 +0530
Subject: [PATCH] rbd: use ioctx locks for key rotation
Signed-off-by: Niraj Yadav
---
 .../csi-addons/rbd/encryptionkeyrotation.go | 8 -------
 internal/rbd/encryption.go | 24 +++++++++++++++++++
 2 files changed, 24 insertions(+), 8 deletions(-)
diff --git a/internal/csi-addons/rbd/encryptionkeyrotation.go b/internal/csi-addons/rbd/encryptionkeyrotation.go
index 42ca620e4..8af1fa0ea 100644
--- a/internal/csi-addons/rbd/encryptionkeyrotation.go
+++ b/internal/csi-addons/rbd/encryptionkeyrotation.go
@@ -20,12 +20,10 @@ import (
 "context"
 "errors"
- csicommon "github.com/ceph/ceph-csi/internal/csi-common"
 "github.com/ceph/ceph-csi/internal/rbd"
 "github.com/ceph/ceph-csi/internal/util"
 "github.com/ceph/ceph-csi/internal/util/log"
- "github.com/container-storage-interface/spec/lib/go/csi"
 ekr "github.com/csi-addons/spec/lib/go/encryptionkeyrotation"
 "google.golang.org/grpc"
 "google.golang.org/grpc/codes"
@@ -55,12 +53,6 @@ func (ekrs *EncryptionKeyRotationServer) EncryptionKeyRotate(
 return nil, status.Error(codes.InvalidArgument, "empty volume ID in request")
 }
- // Block key rotation for RWX/ROX volumes
- _, isMultiNode := csicommon.IsBlockMultiNode([]*csi.VolumeCapability{req.GetVolumeCapability()})
- if isMultiNode {
- return nil, status.Error(codes.Unimplemented, "multi-node key rotation is not supported")
- }
-
 if acquired := ekrs.volLock.TryAcquire(volID); !acquired {
 return nil, status.Errorf(codes.Aborted, util.VolumeOperationAlreadyExistsFmt, volID)
 }
diff --git a/internal/rbd/encryption.go b/internal/rbd/encryption.go
index 9cb87cb5d..4c27bb6e2 100644
--- a/internal/rbd/encryption.go
+++ b/internal/rbd/encryption.go
@@ -22,9 +22,11 @@ import (
 "fmt"
 "strconv"
 "strings"
+ "time"
 kmsapi "github.com/ceph/ceph-csi/internal/kms"
 "github.com/ceph/ceph-csi/internal/util"
+ "github.com/ceph/ceph-csi/internal/util/lock"
 "github.com/ceph/ceph-csi/internal/util/log"
 librbd "github.com/ceph/go-ceph/rbd"
@@ -463,6 +465,28 @@ func (rv *rbdVolume) RotateEncryptionKey(ctx context.Context) error {
 return errors.New("key rotation not supported for unencrypted device")
 }
+ // Call open Ioctx to create a new ioctx object
+ // if the obj already exists, no error is returned
+ err = rv.openIoctx()
+ if err != nil {
+ return fmt.Errorf("failed to open ioctx, err: %w", err)
+ }
+
+ // Lock params
+ lockName := rv.VolID + "-mutexlock"
+ lockDesc := "Key rotation mutex lock for " + rv.VolID
+ lockDuration := 3 * time.Minute
+ lockCookie := rv.VolID + "-enc-key-rotate"
+
+ // Acquire the exclusive lock based on vol id
+ lck := lock.NewLock(rv.ioctx, rv.VolID, lockName, lockCookie, lockDesc, lockDuration)
+ err = lck.LockExclusive(ctx)
+ if err != nil {
+ return err
+ }
+ defer lck.Unlock(ctx)
+ log.DebugLog(ctx, "acquired ioctx lock for vol id: %s", rv.VolID)
+
 // Get the device path for the underlying image
 useNbd := rv.Mounter == rbdNbdMounter && hasNBD
 devicePath, found := waitForPath(ctx, rv.Pool, rv.RadosNamespace, rv.RbdImageName, 1, useNbd)
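Review bot: The lock taken in RotateEncryptionKey has a fixed `lockDuration := 3 * time.Minute` and nothing in this hunk renews it, so if the rest of the rotation (the function continues outside the hunk) runs longer, the lock presumably expires and a second node could start rotating the same volume's key concurrently. With the RWX/ROX guard removed from encryptionkeyrotation.go in this same patch, this lock appears to be the only cross-node serialization, so the bound deserves a comment such as `// must exceed worst-case rotation time; the lock is not renewed` or a duration derived from the ctx deadline. `defer lck.Unlock(ctx)` reuses the request context and ignores any result, so a cancelled or timed-out request may leave the lock held until expiry, assuming Unlock honours ctx. `return err` after LockExclusive also loses the context the openIoctx branch adds; `return fmt.Errorf("failed to acquire key rotation lock: %w", err)` would match it.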