mirror of
https://github.com/ceph/ceph-csi.git
synced 2024-12-22 04:50:23 +00:00
fscrypt: Unlock: Fetch keys early
Fetch keys from KMS before doing anything else. This will catch KMS errors before setting up any fscrypt metadata. Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
This commit is contained in:
parent
f8faffac89
commit
a6a4282493
@ -294,9 +294,17 @@ func Unlock(
|
||||
volEncryption *util.VolumeEncryption,
|
||||
stagingTargetPath string, volID string,
|
||||
) error {
|
||||
// Fetches keys from KMS. Do this first to catch KMS errors before setting up anything.
|
||||
keyFn, err := createKeyFuncFromVolumeEncryption(ctx, *volEncryption, volID)
|
||||
if err != nil {
|
||||
log.ErrorLog(ctx, "fscrypt: could not create key function: %v", err)
|
||||
|
||||
return err
|
||||
}
|
||||
|
||||
fscryptContext, err := fscryptactions.NewContextFromMountpoint(stagingTargetPath, nil)
|
||||
if err != nil {
|
||||
log.ErrorLog(ctx, "fscrypt: failed to create context from mountpoint %v: %w", stagingTargetPath)
|
||||
log.ErrorLog(ctx, "fscrypt: failed to create context from mountpoint %v: %w", stagingTargetPath, err)
|
||||
|
||||
return err
|
||||
}
|
||||
@ -318,7 +326,7 @@ func Unlock(
|
||||
if err = fscryptContext.Mount.Setup(0o755); err != nil {
|
||||
alreadySetupErr := &fscryptfilesystem.ErrAlreadySetup{}
|
||||
if errors.As(err, &alreadySetupErr) {
|
||||
log.DebugLog(ctx, "fscrypt: metadata directory %q already set up", alreadySetupErr.Mount.Path)
|
||||
log.DebugLog(ctx, "fscrypt: metadata directory in %q already set up", alreadySetupErr.Mount.Path)
|
||||
metadataDirExists = true
|
||||
} else {
|
||||
log.ErrorLog(ctx, "fscrypt: mount setup failed: %v", err)
|
||||
@ -339,13 +347,6 @@ func Unlock(
|
||||
metadataDirExists, kernelPolicyExists)
|
||||
}
|
||||
|
||||
keyFn, err := createKeyFuncFromVolumeEncryption(ctx, *volEncryption, volID)
|
||||
if err != nil {
|
||||
log.ErrorLog(ctx, "fscrypt: could not create key function: %v", err)
|
||||
|
||||
return err
|
||||
}
|
||||
|
||||
protectorName := fmt.Sprintf("%s-%s", FscryptProtectorPrefix, volEncryption.GetID())
|
||||
|
||||
switch volEncryption.KMS.RequiresDEKStore() {
|
||||
|
Loading…
Reference in New Issue
Block a user