Commit Graph

304 Commits

Author SHA1 Message Date
Vasyl Purchel
166eaf700f Adds PVC encryption with LUKS
Adds encryption in StorageClass as a parameter. Encryption passphrase is
stored in kubernetes secrets per StorageClass. Implements rbd volume
encryption relying on dm-crypt and cryptsetup using LUKS extension

The change is related to proposal made earlier. This is a first part of
the full feature that adds encryption with passphrase stored in secrets.

Signed-off-by: Vasyl Purchel vasyl.purchel@workday.com
Signed-off-by: Andrea Baglioni andrea.baglioni@workday.com
Signed-off-by: Ioannis Papaioannou ioannis.papaioannou@workday.com
Signed-off-by: Paul Mc Auley paul.mcauley@workday.com
Signed-off-by: Sergio de Carvalho sergio.carvalho@workday.com
2019-12-16 08:12:44 +00:00
Humble Chirammal
7c8e66e427 Add resize check for XFS formatted FS
Lock out parellel requests against same volumeID
Remove pod after resize and validation in E2E

Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
2019-12-13 12:40:12 +00:00
Humble Chirammal
2f2585dc3c Resize RBD CSI volumes on demand of CO resize request
Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
2019-12-13 12:40:12 +00:00
Woohyung Han
8a16f740d6 Update golangci-lint version to v1.21.0
Signed-off-by: Woohyung Han <techhanx@gmail.com>
2019-12-12 04:57:14 +00:00
Madhu Rajanna
118f34525e Remove deprecated containerized
As we are moving towards v2.0.0 I think
it's a good time to remove the deprecated flag.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2019-12-11 14:44:35 +00:00
Humble Chirammal
671e2d814a Add volumesize roundoff for expandrequest
Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
2019-11-27 14:00:47 +00:00
Humble Chirammal
ac09c5553c Add E2E for cephfs resize functionality
Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
2019-11-27 14:00:47 +00:00
Humble Chirammal
b721accaf5 Resize CephFS Volumes
This feature enables CephFS Volume expansion on demand
based on the CO resizer request.

Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
2019-11-27 14:00:47 +00:00
Niels de Vos
290beb4dda cephfs: add kernel version detection for mounting with client
Linux kernel 4.17.0 adds support for quota with CephFS. Without quota,
it is not possible to fullfill the requirements of the CSI Spec and
guarantee sufficient space on the filesystem for a volume. With this in
mind, usage of the kernel client is only allowed with kernel 4.17.0 or
newer.

However, some Linux vendors backport features and patches to their
Enterprise products. These kernels may have an older version, but do
support quota. One of these is the kernel that comes with RHEL-7.7.

By comparing the current running version of the Linux kernel against
known versions that support quota, we can now automatically decide to
use the kernel client, or not.

Note that this does not change the 'forcekernelclient' parameter. The
parameter is still available and can be used for kernels that are not in
the 'known to support quota list'. Or users can pass the parameter to
use a CephFS kernel client that does not support quota.

Signed-off-by: Niels de Vos <ndevos@redhat.com>
Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2019-11-13 11:56:09 +00:00
Madhu Rajanna
dfc3562e29 Add Version flag to cephcsi
This will be helpful if someone wants
to check the cephcsi version

output
```
docker run quay.io/cephcsi/cephcsi:v1.2.1 --version
Cephcsi Version: v1.2.1
Git Commit: 4b871366327d63e27fc1abfb699f0faaf0fc16b9
GoVersion: go1.12.5
Compiler: gc
Platform: linux/amd64
```

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2019-11-06 12:35:28 +00:00
Stefan Haas
6a2717ce20 Added forcecephkernelclient as startup parameter to force enabling ceph
Signed-off-by: Stefan Haas <shaas@suse.com>
2019-10-16 06:47:10 +00:00
Jason Dillaman
a274b19bfa Handle EACCESS error from 'ceph rbd task add remove'
If the RBD user does not have permissions to talk to the
Ceph MGR, it should gracefully fallback to the slower foreground
image deletion.

Fixes: #677
Signed-off-by: Jason Dillaman <dillaman@redhat.com>
2019-10-13 14:50:40 +00:00
Madhu Rajanna
239822f147 reuse existing code for size Roundoff
This PR addresses the review comments in
https://github.com/ceph/ceph-csi/pull/644

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2019-10-11 11:07:39 +00:00
Madhu Rajanna
7274bd09e5 Fix volsize for cephfs and rbd
Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2019-10-11 08:22:27 +00:00
Ilya Dryomov
9a61fa0c0a Format ext4 with lazy_journal_init
Skip zeroing of the journal on freshly created images.  As only dynamic
PVs are supported, it is fine to assume that existingFormat == "" image
has never been mapped and written to before.

lazy_itable_init is enabled by default, passing it for consistency with
lazy_journal_init.

Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
2019-10-04 15:07:48 +00:00
Madhu Rajanna
b8568a5bb9 Add a check for nil secrets
Improve the error message if
secrets are not provided in request

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2019-09-27 05:10:01 +00:00
Madhu Rajanna
7002da1a6a deprecate containerized flag and remove nsenter
Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2019-09-23 13:22:29 +00:00
Humble Chirammal
0e6617e1ff Format RBD volumes with nodiscard formatting options.
Currently rbd CSI plugin uses formatAndMount of
mount.SafeFormatAndMount. This does not allow to pass or use
specific formatting arguments with it. This patch introduce
RBD specific formatting options with both xfs and ext4,
for example: -E no-discard with ext4 and -k option with
XFS to boost formatting performance of RBD device.

Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
2019-09-20 13:16:53 +00:00
Madhu Rajanna
6aac399075 Change the logic of locking
if any on going opearation is seen,we
have to return Abort error message

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2019-09-20 07:37:17 +00:00
Madhu Rajanna
6da96c6327 remove support for create image with image-format 1
tried to create an image with image-format=1

```
sh-4.2# rbd create --size=1024 replicapool/test --image-format=1
rbd: image format 1 is deprecated
rbd: create error: (22) Invalid argument
2019-09-11 07:00:54.531 7fb0e40bfb00 -1 librbd: Format 1 image creation unsupported.
```

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2019-09-12 07:52:32 +00:00
Madhu Rajanna
e395080cdc Add req-ID to logging
with this log format we can easily identify
the logs per request

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2019-09-11 13:45:40 +00:00
Madhu Rajanna
ed9330d2f6 rename Key to CtxKey
Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2019-09-11 13:45:40 +00:00
Madhu Rajanna
41b701c98c Add support for erasure pool in rbd
Allow specifying different metadata and data pools in a
CSI RBD StorageClass

Fixes: #199
Fixes: https://github.com/rook/rook/issues/2650
Fixes: https://github.com/rook/rook/issues/3763

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2019-09-11 06:48:08 +00:00
KingJ
0639e00705 Reorder kernel version checking logic 2019-09-07 11:10:27 +00:00
KingJ
197c8fcfcc Consider Kernel >=5.x as sufficent for using the Kernel mounter 2019-09-07 11:10:27 +00:00
Poornima G
060ff8d25e Add mount option for Cephfs
The storage class already takes MountOptions(MountFlags), these are the
bind mount options. Some of these options may not be recognised by the
cephfs mount. Hence added a new parameterin Storage Class for
- cephfs kernel mount options,
- ceph-fuse mount options

Ceph kernel mount options are different from ceph-fuse options, hence
added two different parameters.

Signed-off-by: Poornima G <pgurusid@redhat.com>
2019-09-06 16:32:10 +00:00
Daniel-Pivonka
d1952e5fd0 Fix liveness connection opening endless sockets
Signed-off-by: Daniel-Pivonka <dpivonka@redhat.com>
2019-09-06 03:15:28 +00:00
Madhu Rajanna
f4b38228ae Remove volumemounter flag from cephfs
Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2019-09-05 07:20:50 +00:00
Poornima G
90c4d6a451 Cephfs: Use ceph kernel client if kernel version >= 4.17
Ceph kernel client is more performant than ceph fuse client.
The kernel client has Quota support only in the kernel version >=4.17.
Hence use ceph kernel client when the kernel version is >=4.17.

Signed-off-by: Poornima G <pgurusid@redhat.com>
2019-09-05 04:55:05 +00:00
Niels de Vos
dd668e59f1 Address security concerns reported by 'gosec'
gosec reports several issues, none of them looks very critical. With
this change the following concerns have been addressed:

[pkg/cephfs/nodeserver.go:229] - G302: Expect file permissions to be 0600 or less (Confidence: HIGH, Severity: MEDIUM)
  > os.Chmod(targetPath, 0777)

[pkg/cephfs/util.go:39] - G204: Subprocess launched with variable (Confidence: HIGH, Severity: MEDIUM)
  > exec.Command(program, args...)

[pkg/rbd/nodeserver.go:156] - G302: Expect file permissions to be 0600 or less (Confidence: HIGH, Severity: MEDIUM)
  > os.Chmod(stagingTargetPath, 0777)

[pkg/rbd/nodeserver.go:205] - G302: Expect file permissions to be 0600 or less (Confidence: HIGH, Severity: MEDIUM)
  > os.OpenFile(mountPath, os.O_CREATE|os.O_RDWR, 0750)

[pkg/rbd/rbd_util.go:797] - G304: Potential file inclusion via variable (Confidence: HIGH, Severity: MEDIUM)
  > ioutil.ReadFile(fPath)

[pkg/util/cephcmds.go:35] - G204: Subprocess launched with variable (Confidence: HIGH, Severity: MEDIUM)
  > exec.Command(program, args...)

[pkg/util/credentials.go:47] - G104: Errors unhandled. (Confidence: HIGH, Severity: LOW)
  > os.Remove(tmpfile.Name())

[pkg/util/credentials.go:92] - G104: Errors unhandled. (Confidence: HIGH, Severity: LOW)
  > os.Remove(cr.KeyFile)

[pkg/util/pidlimit.go:74] - G304: Potential file inclusion via variable (Confidence: HIGH, Severity: MEDIUM)
  > os.Open(pidsMax)

URL: https://github.com/securego/gosec
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2019-09-04 11:48:37 +00:00
Madhu Rajanna
a81a3bf96b implement grpc metrics for ceph-csi
Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2019-08-30 06:50:32 +00:00
Daniel-Pivonka
01a78cace5 switch to cephfs, utils, and csicommon to new loging system
Signed-off-by: Daniel-Pivonka <dpivonka@redhat.com>
2019-08-29 14:04:31 +00:00
Madhu Rajanna
3af364e7b5 move to statand context package
Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2019-08-26 06:19:24 +00:00
Madhu Rajanna
38ca08bf65 Context based logging for rbd
Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2019-08-26 06:19:24 +00:00
Daniel-Pivonka
81c28d6cb0 implement klog wrapper
Signed-off-by: Daniel-Pivonka <dpivonka@redhat.com>
2019-08-21 14:36:41 +00:00
Daniel-Pivonka
aa74f8c87f Implement context based logging
Signed-off-by: Daniel-Pivonka <dpivonka@redhat.com>
2019-08-21 14:36:41 +00:00
Madhu Rajanna
e557438f87 unmap rbd image if connection timeout.
Sometime rbd images are mapped even if the
connection timeout error occurs, this will
try to unmap if the received error message
is connection timeout.This will fix stale maps
and rbd image deletion issue

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2019-08-19 10:54:17 +00:00
Madhu Rajanna
0da4bd5151 start controller or node server based on config
if both controller and nodeserver flags are set/unset
cephcsi will start both server,

if only one flag is set, it will start relavent
service.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2019-08-19 06:11:43 +00:00
Madhu Rajanna
89732d923f move flag configuration variable to util
remove unwanted checks
remove getting drivertype from binary name

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2019-08-19 06:11:43 +00:00
Madhu Rajanna
2b1355061e rename rbd.go to driver.go
to keep code struct similar with cephfs
renamed rbd.go to driver.go

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2019-08-19 06:11:43 +00:00
Daniel-Pivonka
d621a58207 prometheus liveness probe sidecar
Signed-off-by: Daniel-Pivonka dpivonka@redhat.com
2019-08-13 17:51:41 +00:00
Madhu Rajanna
2ca575b99d Wrap error if failed to fetch mon
This will help user to check whats
the actual error. if the config file
is having issue or the  clusterid is
not valid.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2019-08-13 17:16:27 +00:00
ShyamsundarR
20d336fca3 Add support to use ceph manager rbd command to delete an image
Image deletion takes time proportional to the size of the
image. Hence, ceph manager is enhanced to support async
deletion of an image, or rather passing the task of
deleting an image to the ceph manager.

This commit leverages the ceph manager enhancement in the CSI code.

NOTE: This is tested against a ceph cluster that is running
Ceph master version of the code. Once other releases
catch up in terms of the feature, the optimization would be
available to the CSI driver as well.

Fixes: #523
Signed-off-by: ShyamsundarR <srangana@redhat.com>
2019-08-13 16:08:22 +00:00
Niels de Vos
31648c8feb provisioners: add reconfiguring of PID limit
The container runtime CRI-O limits the number of PIDs to 1024 by
default. When many PVCs are requested at the same time, it is possible
for the provisioner to start too many threads (or go routines) and
executing 'rbd' commands can start to fail. In case a go routine can not
get started, the process panics.

The PID limit can be changed by passing an argument to kubelet, but this
will affect all pids running on a host. Changing the parameters to
kubelet is also not a very elegant solution.

Instead, the provisioner pod can change the configuration itself. The
pod is running in privileged mode and can write to /sys/fs/cgroup where
the limit is configured.

With this change, the limit is configured to 'max', just as if there is
no limit at all. The logs of the csi-rbdplugin in the provisioner pod
will reflect the change it makes when starting the service:

    $ oc -n rook-ceph logs -c csi-rbdplugin csi-rbdplugin-provisioner-0
    ..
    I0726 13:59:19.737678       1 cephcsi.go:127] Initial PID limit is set to 1024
    I0726 13:59:19.737746       1 cephcsi.go:136] Reconfigured PID limit to -1 (max)
    ..

It is possible to pass a different limit on the commandline of the
cephcsi executable. The following flag has been added:

    --pidlimit=<int>       the PID limit to configure through cgroups

This accepts special values -1 (max) and 0 (default, do not
reconfigure). Other integers will be the limit that gets configured in
cgroups.

Signed-off-by: Niels de Vos <ndevos@redhat.com>
2019-08-13 14:43:29 +00:00
ShyamsundarR
885ec7049d Update Unstage transaction to undo steps done in Stage
In unstage we now adhere to the transaction (or order of steps)
done in Stage. To enable this we stash the image meta data
into a local file on the staging path for use with unstage
request.

This helps in unmapping a stale map, in case the mount or
other steps in the transaction are complete.

Signed-off-by: ShyamsundarR <srangana@redhat.com>
2019-08-13 14:07:52 +00:00
ShyamsundarR
44f7b1fe4b Use "rbd device list" to list and find rbd images and their device paths
This change also starts mapping nbd based access using ther rbd CLI
as, it is a prerequisite to get device listing for nbd as well.

Signed-off-by: ShyamsundarR <srangana@redhat.com>
2019-08-13 14:07:52 +00:00
ShyamsundarR
925bda2881 Move mounting staging instance to a sub-path within staging path
This commit moves the mounting of a block volumes and filesystems
to a sub-file (already the case) or a sub-dir within the staging
path.

This enables using the staging path to store any additional data
regarding the mount. For example, this will be extended in the
future to store the fsid of the cluster, and maybe the pool name
to map unmap requests to the right image.

Also, this fixes the noted hack in the code, to determine in a
common manner if there is a mount on the passed in staging path.

Signed-off-by: ShyamsundarR <srangana@redhat.com>
2019-08-13 14:07:52 +00:00
Madhu Rajanna
7c2fb6187a remove post validation of rbd device
once we map the rbd image on a node
we will get the device name its mapped
in the map output itself,no need to
check the devicepath post rbd  mapping

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2019-08-07 14:52:13 +00:00
Daniel-Pivonka
0063727199 Make parameter pool optional in CephFS storageclass
Signed-off-by: Daniel-Pivonka <dpivonka@redhat.com>
2019-08-07 13:30:38 +00:00
Humble Chirammal
0786225937 Implement metrics for RBD plugin
Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
2019-08-01 11:58:54 +00:00