0ec6e10bf2
By default, `cryptsetup luksFormat` uses Argon2i as Password-Based Key
Derivation Function (PBKDF), which not only has a CPU cost, but also a memory
cost (to make brute-force attacks harder).

The memory cost is based on the available system memory by default, which in
the context of Ceph CSI can be a problem for two reasons:

1. Pods can have a memory limit (much lower than the memory available on the
   node, usually) which isn't taken into account by `cryptsetup`, so it can get
   OOM-killed when formatting a new volume;
2. The amount of memory that was used during `cryptsetup luksFormat` will then
   be needed for `cryptsetup luksOpen`, so if the volume was formatted on a node
   with a lot of memory, but then needs to be opened on a different node with
   less memory, `cryptsetup` will get OOM-killed.

This commit sets the PBKDF memory limit to a fixed value to ensure consistent
memory usage regardless of the specifications of the nodes where the volume
happens to be formatted in the first place.

The limit is set to a relatively low value (32 MiB) so that the `csi-rbdplugin`
container in the `nodeplugin` pod doesn't require an extravagantly high memory
limit in order to format/open volumes (particularly with operations happening
in parallel), while at the same time not being so low as to render it
completely pointless.

Signed-off-by: Benoît Knecht <bknecht@protonmail.ch>
(cherry picked from commit
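
The second failure mode in the commit message (a volume formatted on a large node that later cannot be opened under a smaller memory limit) can be checked for ahead of time. The following is an added example, not code from the commit or from Ceph CSI: it scans `cryptsetup luksDump` text for keyslots whose PBKDF memory cost exceeds a budget. The helper name `oversizedSlots`, the sample dump, and the assumption that the LUKS2 dump reports `Memory:` in KiB are mine.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample (not from the page), assuming the LUKS2 `cryptsetup luksDump`
// keyslot layout with the Argon2 memory cost reported in KiB.
const sampleDump = `Keyslots:
  0: luks2
    PBKDF:      argon2i
    Memory:     1048576
  1: luks2
    PBKDF:      argon2i
    Memory:     32768
`

// oversizedSlots (hypothetical helper) returns the keyslots whose PBKDF memory
// cost exceeds budgetKiB, i.e. the ones luksOpen could be OOM-killed on.
func oversizedSlots(dump string, budgetKiB int64) ([]int, error) {
	var over []int
	slot := -1
	sc := bufio.NewScanner(strings.NewReader(dump))
	for sc.Scan() {
		key, val, _ := strings.Cut(strings.TrimSpace(sc.Text()), ":")
		if n, err := strconv.Atoi(key); err == nil {
			slot = n // a line such as "0: luks2" opens keyslot 0
		} else if key == "Memory" && slot >= 0 {
			kib, err := strconv.ParseInt(strings.TrimSpace(val), 10, 64)
			if err != nil {
				return nil, fmt.Errorf("keyslot %d: bad memory cost: %w", slot, err)
			}
			if kib > budgetKiB {
				over = append(over, slot)
			}
		}
	}
	return over, sc.Err()
}

func main() {
	// 32 MiB is the fixed PBKDF memory limit chosen in the commit message.
	over, err := oversizedSlots(sampleDump, 32*1024)
	fmt.Println(over, err)
}
```

Keyslots reported by the check were created with a higher memory cost than the budget and will need that much memory again on every open, whichever node the volume lands on.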
Ceph CSI
This repo contains the Ceph Container Storage Interface (CSI) driver for RBD, CephFS and Kubernetes sidecar deployment YAMLs to support CSI functionality: provisioner, attacher, resizer, driver-registrar and snapshotter.
Overview
Ceph CSI plugins implement an interface between a CSI-enabled Container Orchestrator (CO) and Ceph clusters. They enable dynamically provisioning Ceph volumes and attaching them to workloads.
Independent CSI plugins are provided to support RBD and CephFS backed volumes,
- For details about configuration and deployment of the RBD plugin, please refer to rbd doc, and for CephFS plugin configuration and deployment please refer to cephFS doc.
- For example usage of the RBD and CephFS CSI plugins, see examples in examples/.
- For stale resource cleanup, please refer to cleanup doc.
NOTE:
- Ceph CSI Arm64 support is experimental.
Project status
Status: GA
Known to work CO platforms
Ceph CSI drivers are currently developed and tested exclusively in Kubernetes environments.
Ceph CSI Version | Container Orchestrator Name | Version Tested |
---|---|---|
v3.8.0 | Kubernetes | v1.24, v1.25, v1.26 |
v3.7.2 | Kubernetes | v1.22, v1.23, v1.24 |
v3.7.1 | Kubernetes | v1.22, v1.23, v1.24 |
v3.7.0 | Kubernetes | v1.22, v1.23, v1.24 |
There is work in progress to make this CO-independent and thus support other orchestration environments (Nomad, Mesos, etc.).
NOTE:
The supported window of Ceph CSI versions is "N.(x-1)": (N (Latest major release) . (x (Latest minor release) - 1)).
For example, if the Ceph CSI latest major version is 3.8.0 today, support is provided for the versions above 3.7.0. If users are running an unsupported Ceph CSI version, they will be asked to upgrade when requesting support.
Support Matrix
Ceph-CSI features and available versions
Please refer to rbd nbd mounter for its support details.
Plugin | Features | Feature Status | CSI Driver Version | CSI Spec Version | Ceph Cluster Version | Kubernetes Version |
---|---|---|---|---|---|---|
RBD | Dynamically provision, de-provision Block mode RWO volume | GA | >= v1.0.0 | >= v1.0.0 | Nautilus (>=15.0.0) | >= v1.14.0 |
RBD | Dynamically provision, de-provision Block mode RWX volume | GA | >= v1.0.0 | >= v1.0.0 | Nautilus (>=15.0.0) | >= v1.14.0 |
RBD | Dynamically provision, de-provision Block mode RWOP volume | Alpha | >= v3.5.0 | >= v1.5.0 | Nautilus (>=15.0.0) | >= v1.22.0 |
RBD | Dynamically provision, de-provision File mode RWO volume | GA | >= v1.0.0 | >= v1.0.0 | Nautilus (>=15.0.0) | >= v1.14.0 |
RBD | Dynamically provision, de-provision File mode RWOP volume | Alpha | >= v3.5.0 | >= v1.5.0 | Nautilus (>=15.0.0) | >= v1.22.0 |
RBD | Provision File Mode ROX volume from snapshot | Alpha | >= v3.0.0 | >= v1.0.0 | Nautilus (>=v15.0.0) | >= v1.17.0 |
RBD | Provision File Mode ROX volume from another volume | Alpha | >= v3.0.0 | >= v1.0.0 | Nautilus (>=v15.0.0) | >= v1.16.0 |
RBD | Provision Block Mode ROX volume from snapshot | Alpha | >= v3.0.0 | >= v1.0.0 | Nautilus (>=v15.0.0) | >= v1.17.0 |
RBD | Provision Block Mode ROX volume from another volume | Alpha | >= v3.0.0 | >= v1.0.0 | Nautilus (>=v15.0.0) | >= v1.16.0 |
RBD | Creating and deleting snapshot | GA | >= v1.0.0 | >= v1.0.0 | Nautilus (>=15.0.0) | >= v1.17.0 |
RBD | Provision volume from snapshot | GA | >= v1.0.0 | >= v1.0.0 | Nautilus (>=15.0.0) | >= v1.17.0 |
RBD | Provision volume from another volume | GA | >= v1.0.0 | >= v1.0.0 | Nautilus (>=15.0.0) | >= v1.16.0 |
RBD | Expand volume | Beta | >= v2.0.0 | >= v1.1.0 | Nautilus (>=15.0.0) | >= v1.15.0 |
RBD | Volume/PV Metrics of File Mode Volume | GA | >= v1.2.0 | >= v1.1.0 | Nautilus (>=15.0.0) | >= v1.15.0 |
RBD | Volume/PV Metrics of Block Mode Volume | GA | >= v1.2.0 | >= v1.1.0 | Nautilus (>=15.0.0) | >= v1.21.0 |
RBD | Topology Aware Provisioning Support | Alpha | >= v2.1.0 | >= v1.1.0 | Nautilus (>=15.0.0) | >= v1.14.0 |
CephFS | Dynamically provision, de-provision File mode RWO volume | GA | >= v1.1.0 | >= v1.0.0 | Nautilus (>=15.0.0) | >= v1.14.0 |
CephFS | Dynamically provision, de-provision File mode RWX volume | GA | >= v1.1.0 | >= v1.0.0 | Nautilus (>=v15.0.0) | >= v1.14.0 |
CephFS | Dynamically provision, de-provision File mode ROX volume | Alpha | >= v3.0.0 | >= v1.0.0 | Nautilus (>=v15.0.0) | >= v1.14.0 |
CephFS | Dynamically provision, de-provision File mode RWOP volume | Alpha | >= v3.5.0 | >= v1.5.0 | Nautilus (>=15.0.0) | >= v1.22.0 |
CephFS | Creating and deleting snapshot | GA | >= v3.1.0 | >= v1.0.0 | Octopus (>=v15.2.4) | >= v1.17.0 |
CephFS | Provision volume from snapshot | GA | >= v3.1.0 | >= v1.0.0 | Octopus (>=v15.2.4) | >= v1.17.0 |
CephFS | Provision volume from another volume | GA | >= v3.1.0 | >= v1.0.0 | Octopus (>=v15.2.4) | >= v1.16.0 |
CephFS | Expand volume | Beta | >= v2.0.0 | >= v1.1.0 | Nautilus (>=v15.0.0) | >= v1.15.0 |
CephFS | Volume/PV Metrics of File Mode Volume | GA | >= v1.2.0 | >= v1.1.0 | Nautilus (>=v15.0.0) | >= v1.15.0 |
NFS | Dynamically provision, de-provision File mode RWO volume | Alpha | >= v3.6.0 | >= v1.0.0 | Pacific (>=16.2.0) | >= v1.14.0 |
NFS | Dynamically provision, de-provision File mode RWX volume | Alpha | >= v3.6.0 | >= v1.0.0 | Pacific (>=16.2.0) | >= v1.14.0 |
NFS | Dynamically provision, de-provision File mode ROX volume | Alpha | >= v3.6.0 | >= v1.0.0 | Pacific (>=16.2.0) | >= v1.14.0 |
NFS | Dynamically provision, de-provision File mode RWOP volume | Alpha | >= v3.6.0 | >= v1.5.0 | Pacific (>=16.2.0) | >= v1.22.0 |
NFS | Expand volume | Alpha | >= v3.7.0 | >= v1.1.0 | Pacific (>=16.2.0) | >= v1.15.0 |
NFS | Creating and deleting snapshot | Alpha | >= v3.7.0 | >= v1.1.0 | Pacific (>=16.2.0) | >= v1.17.0 |
NFS | Provision volume from snapshot | Alpha | >= v3.7.0 | >= v1.1.0 | Pacific (>=16.2.0) | >= v1.17.0 |
NFS | Provision volume from another volume | Alpha | >= v3.7.0 | >= v1.1.0 | Pacific (>=16.2.0) | >= v1.16.0 |
NOTE: The Alpha status reflects possible non-backward compatible changes in the future, and is thus not recommended for production use.
CSI spec and Kubernetes version compatibility
Please refer to the matrix in the Kubernetes documentation.
Ceph CSI Container images and release compatibility
Ceph CSI Release/Branch | Container image name | Image Tag |
---|---|---|
devel (Branch) | quay.io/cephcsi/cephcsi | canary |
v3.8.0 (Release) | quay.io/cephcsi/cephcsi | v3.8.0 |
v3.7.2 (Release) | quay.io/cephcsi/cephcsi | v3.7.2 |
v3.7.1 (Release) | quay.io/cephcsi/cephcsi | v3.7.1 |
v3.7.0 (Release) | quay.io/cephcsi/cephcsi | v3.7.0 |
Deprecated Ceph CSI Release/Branch | Container image name | Image Tag |
---|---|---|
v3.6.1 (Release) | quay.io/cephcsi/cephcsi | v3.6.1 |
v3.6.0 (Release) | quay.io/cephcsi/cephcsi | v3.6.0 |
v3.5.1 (Release) | quay.io/cephcsi/cephcsi | v3.5.1 |
v3.5.0 (Release) | quay.io/cephcsi/cephcsi | v3.5.0 |
v3.4.0 (Release) | quay.io/cephcsi/cephcsi | v3.4.0 |
v3.3.1 (Release) | quay.io/cephcsi/cephcsi | v3.3.1 |
v3.3.0 (Release) | quay.io/cephcsi/cephcsi | v3.3.0 |
v3.2.2 (Release) | quay.io/cephcsi/cephcsi | v3.2.2 |
v3.2.1 (Release) | quay.io/cephcsi/cephcsi | v3.2.1 |
v3.2.0 (Release) | quay.io/cephcsi/cephcsi | v3.2.0 |
v3.1.2 (Release) | quay.io/cephcsi/cephcsi | v3.1.2 |
v3.1.1 (Release) | quay.io/cephcsi/cephcsi | v3.1.1 |
v3.1.0 (Release) | quay.io/cephcsi/cephcsi | v3.1.0 |
v3.0.0 (Release) | quay.io/cephcsi/cephcsi | v3.0.0 |
v2.1.2 (Release) | quay.io/cephcsi/cephcsi | v2.1.2 |
v2.1.1 (Release) | quay.io/cephcsi/cephcsi | v2.1.1 |
v2.1.0 (Release) | quay.io/cephcsi/cephcsi | v2.1.0 |
v2.0.1 (Release) | quay.io/cephcsi/cephcsi | v2.0.1 |
v2.0.0 (Release) | quay.io/cephcsi/cephcsi | v2.0.0 |
v1.2.2 (Release) | quay.io/cephcsi/cephcsi | v1.2.2 |
v1.2.1 (Release) | quay.io/cephcsi/cephcsi | v1.2.1 |
v1.2.0 (Release) | quay.io/cephcsi/cephcsi | v1.2.0 |
v1.1.0 (Release) | quay.io/cephcsi/cephcsi | v1.1.0 |
v1.0.0 (Branch) | quay.io/cephcsi/cephfsplugin | v1.0.0 |
v1.0.0 (Branch) | quay.io/cephcsi/rbdplugin | v1.0.0 |
Contributing to this repo
Please follow development-guide and coding style guidelines if you are interested in contributing to this repo.
Troubleshooting
Please submit an issue at: Issues
Weekly Bug Triage call
We conduct weekly bug triage calls at our slack channel on Tuesdays. More details are available here
Dev standup
A regular dev standup takes place every Monday, Tuesday and Thursday at 12:00 PM UTC. Convert to your local timezone by executing the command `date -d "12:00 UTC"` in a terminal.
Any changes to the meeting schedule will be added to the agenda doc.
Anyone who wants to discuss the direction of the project, design and implementation reviews, or general questions with the broader community is welcome and encouraged to join.
- Meeting link: https://meet.google.com/nnn-txfp-cge
- Current agenda
Contact
Please use the following to reach members of the community:
- Slack: Join our Slack channel to discuss anything related to this project. You can join the Slack by this invite link
- Forums: ceph-csi
- Twitter: @CephCsi