CSI driver for Ceph
Benoît Knecht 1852e977f8 util: Limit cryptsetup PBKDF memory usage
By default, `cryptsetup luksFormat` uses Argon2i as Password-Based Key
Derivation Function (PBKDF), which not only has a CPU cost, but also a memory
cost (to make brute-force attacks harder).

The memory cost is based on the available system memory by default, which in
the context of Ceph CSI can be a problem for two reasons:

1. Pods can have a memory limit (much lower than the memory available on the
   node, usually) which isn't taken into account by `cryptsetup`, so it can get
   OOM-killed when formatting a new volume;
2. The amount of memory that was used during `cryptsetup luksFormat` will then
   be needed for `cryptsetup luksOpen`, so if the volume was formatted on a node
   with a lot of memory, but then needs to be opened on a different node with
   less memory, `cryptsetup` will get OOM-killed.

This commit sets the PBKDF memory limit to a fixed value to ensure consistent
memory usage regardless of the specifications of the nodes where the volume
happens to be formatted in the first place.

The limit is set to a relatively low value (32 MiB) so that the `csi-rbdplugin`
container in the `nodeplugin` pod doesn't require an extravagantly high memory
limit in order to format/open volumes (particularly with operations happening
in parallel), while at the same time not being so low as to render it
completely pointless.

Signed-off-by: Benoît Knecht <bknecht@protonmail.ch>
2023-04-27 10:43:45 +00:00
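The commit message above describes two operational consequences of Argon2's memory cost: the cap has to be passed at `luksFormat` time, and an already-formatted volume carries its memory cost in the LUKS2 header, so a node with a smaller container limit can still be OOM-killed on `luksOpen`. The following is an added example, not ceph-csi's own code: it builds a `cryptsetup luksFormat` argument vector that pins the memory cost via cryptsetup's `--pbkdf-memory` flag (which takes kilobytes, so 32 MiB is 32768), and it parses `cryptsetup luksDump` output to check whether every keyslot of an existing volume can be unlocked inside a given container memory limit. The argument layout, the function names and the `sampleDump` text (modelled on the LUKS2 `luksDump` layout) are this example's own assumptions.

```go
// Added example (not ceph-csi's own code): pin the Argon2 memory cost at
// luksFormat time, and pre-check an existing LUKS2 header against a
// container memory limit before luksOpen.
package main

import (
	"bufio"
	"errors"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// PBKDFMemoryLimitKiB is the fixed Argon2 memory cost described in the commit
// message (32 MiB). cryptsetup's --pbkdf-memory is expressed in kilobytes.
const PBKDFMemoryLimitKiB = 32 * 1024

// LuksFormatArgs returns cryptsetup arguments (assumed layout) that format
// device with a pinned PBKDF memory cost, so a later luksOpen needs the same
// bounded amount of memory whatever node ran luksFormat. The passphrase is
// read from stdin (-d /dev/stdin), never placed on the command line.
func LuksFormatArgs(device string, memoryKiB int) []string {
	return []string{
		"-q", "luksFormat",
		"--type", "luks2",
		"--pbkdf-memory", strconv.Itoa(memoryKiB),
		device,
		"-d", "/dev/stdin",
	}
}

var (
	keyslotRe = regexp.MustCompile(`^\s*(\d+): luks2\s*$`) // "  0: luks2"
	memoryRe  = regexp.MustCompile(`^\s*Memory:\s+(\d+)\s*$`)
)

// KeyslotPBKDFMemory parses "cryptsetup luksDump" text and returns the Argon2
// memory cost (KiB) recorded for each LUKS2 keyslot. Digest entries ("0: pbkdf2")
// and keyslots without a Memory line are ignored.
func KeyslotPBKDFMemory(dump string) (map[int]int, error) {
	result := map[int]int{}
	slot := -1
	sc := bufio.NewScanner(strings.NewReader(dump))
	for sc.Scan() {
		line := sc.Text()
		if len(line) > 0 && line[0] != ' ' && line[0] != '\t' {
			slot = -1 // a new top-level section (Digests:, Tokens:, ...) starts
		}
		if m := keyslotRe.FindStringSubmatch(line); m != nil {
			slot, _ = strconv.Atoi(m[1])
			continue
		}
		if m := memoryRe.FindStringSubmatch(line); m != nil && slot >= 0 {
			kib, err := strconv.Atoi(m[1])
			if err != nil {
				return nil, err
			}
			result[slot] = kib
		}
	}
	if err := sc.Err(); err != nil {
		return nil, err
	}
	if len(result) == 0 {
		return nil, errors.New("no LUKS2 keyslot with an Argon2 memory cost found")
	}
	return result, nil
}

// CheckOpenFits returns nil when the most expensive keyslot of the dumped
// header can be unlocked inside a container limited to limitBytes, assuming
// up to parallel luksOpen operations run at once (the parallel case the
// commit message mentions). Using the maximum is conservative: luksOpen may
// try several slots before one matches.
func CheckOpenFits(dump string, limitBytes int64, parallel int) error {
	slots, err := KeyslotPBKDFMemory(dump)
	if err != nil {
		return err
	}
	maxKiB := 0
	for _, kib := range slots {
		if kib > maxKiB {
			maxKiB = kib
		}
	}
	need := int64(maxKiB) * 1024 * int64(parallel)
	if need > limitBytes {
		return fmt.Errorf("luksOpen may need %d MiB (%d x %d KiB) but the container limit is %d MiB",
			need/(1024*1024), parallel, maxKiB, limitBytes/(1024*1024))
	}
	return nil
}

// sampleDump is a constructed excerpt in the layout of "cryptsetup luksDump":
// keyslot 0 was formatted with a node-sized default (1 GiB), keyslot 1 with the cap.
const sampleDump = `LUKS header information
Version:        2
Keyslots:
  0: luks2
        PBKDF:      argon2id
        Time cost:  4
        Memory:     1048576
        Threads:    4
  1: luks2
        PBKDF:      argon2id
        Time cost:  7
        Memory:     32768
        Threads:    4
Digests:
  0: pbkdf2
        Hash:       sha256
        Iterations: 123456
`

func main() {
	fmt.Println("cryptsetup", strings.Join(LuksFormatArgs("/dev/rbd0", PBKDFMemoryLimitKiB), " "))
	slots, _ := KeyslotPBKDFMemory(sampleDump)
	fmt.Println("keyslot memory cost (KiB):", slots)
	if err := CheckOpenFits(sampleDump, 256*1024*1024, 2); err != nil {
		fmt.Println("does not fit:", err)
	}
}
```

Run against a real device, the dump would come from `cryptsetup luksDump <device>` and the limit from the container's cgroup memory limit; the example keeps both inline so it runs without a block device. A header whose keyslot 0 records a 1 GiB memory cost will fail the check for a 256 MiB container even with a single open, which is exactly the cross-node failure the commit describes; a header formatted with the 32 MiB cap fits four concurrent opens in the same limit.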
.github rebase: bump peter-evans/create-or-update-comment from 2 to 3 2023-04-25 11:34:17 +00:00
actions/retest rebase: Bump golang.org/x/oauth2 from 0.6.0 to 0.7.0 in /actions/retest 2023-04-14 08:13:28 +00:00
api ci: fix codespell failure 2023-04-20 15:24:35 +00:00
assets feat: Adds Ceph logo as icon for Helm charts 2019-08-20 05:34:28 +00:00
charts doc: Add basic upgrade documentation for Helm Charts 2023-02-08 12:59:23 +00:00
cmd util: set pid limit only for nodeserver 2023-04-25 13:26:11 +00:00
deploy ci: fix codespell failure 2023-04-20 15:24:35 +00:00
docs doc: use the Ceph Slack instance and not our silo'ed own one 2023-04-27 07:58:15 +00:00
e2e ci: fix codespell failure 2023-04-20 15:24:35 +00:00
examples doc: configuring cephfs snapshots and clones 2023-04-13 16:03:43 +00:00
internal util: Limit cryptsetup PBKDF memory usage 2023-04-27 10:43:45 +00:00
scripts ci: fix shell check failures 2023-04-20 15:24:35 +00:00
tools ci: fix mdl related failures 2022-11-17 08:25:10 +00:00
troubleshooting/tools ci: fix shell check failures 2023-04-20 15:24:35 +00:00
vendor rebase: bump github.com/ceph/go-ceph from 0.20.0 to 0.21.0 2023-04-26 17:29:31 +00:00
.commitlintrc.yml ci: add "nfs" as allowed commit prefix 2022-03-28 11:23:17 +00:00
.gitignore build: ignore generated go-tags file 2022-04-04 12:59:12 +00:00
.mergify.yml ci: update mergify rules for kubernetes 1.27 2023-04-27 10:11:29 +02:00
.pre-commit-config.yaml cleanup: fix the pre-commit-golang repo link 2023-04-20 15:38:12 +00:00
build.env build: update golang to 1.19.8 2023-04-25 10:19:33 +00:00
deploy.sh ci: use resync to sync helm charts 2022-09-06 11:22:51 +00:00
go.mod rebase: bump github.com/ceph/go-ceph from 0.20.0 to 0.21.0 2023-04-26 17:29:31 +00:00
go.sum rebase: bump github.com/ceph/go-ceph from 0.20.0 to 0.21.0 2023-04-26 17:29:31 +00:00
LICENSE Removing appendix from license. 2019-08-09 15:16:46 +00:00
Makefile build: add check for go list 2023-02-15 10:09:49 +00:00
README.md doc: use the Ceph Slack instance and not our silo'ed own one 2023-04-27 07:58:15 +00:00

Ceph CSI


This repo contains the Ceph Container Storage Interface (CSI) driver for RBD, CephFS and Kubernetes sidecar deployment YAMLs to support CSI functionality: provisioner, attacher, resizer, driver-registrar and snapshotter.

Overview

Ceph CSI plugins implement an interface between a CSI-enabled Container Orchestrator (CO) and Ceph clusters. They enable dynamically provisioning Ceph volumes and attaching them to workloads.

Independent CSI plugins are provided to support RBD and CephFS backed volumes:

  • For details about configuration and deployment of the RBD plugin, please refer to the rbd doc; for CephFS plugin configuration and deployment, please refer to the cephFS doc.
  • For example usage of the RBD and CephFS CSI plugins, see the examples in examples/.
  • For stale resource cleanup, please refer to the cleanup doc.

NOTE:

  • Ceph CSI Arm64 support is experimental.

Project status

Status: GA

Known to work CO platforms

Ceph CSI drivers are currently developed and tested exclusively in Kubernetes environments.

| Ceph CSI Version | Container Orchestrator Name | Version Tested |
|------------------|-----------------------------|----------------|
| v3.8.0 | Kubernetes | v1.24, v1.25, v1.26, v1.27 |
| v3.7.2 | Kubernetes | v1.22, v1.23, v1.24 |
| v3.7.1 | Kubernetes | v1.22, v1.23, v1.24 |
| v3.7.0 | Kubernetes | v1.22, v1.23, v1.24 |

There is work in progress to make this CO-independent and thus support other orchestration environments (Nomad, Mesos, etc.).

NOTE:

The supported window of Ceph CSI versions is "N.(x-1)", where N is the latest major release and x is the latest minor release.

For example, if the latest Ceph CSI major version is 3.8.0 today, support is provided for the versions above 3.7.0. Users running an unsupported Ceph CSI version will be asked to upgrade when requesting support.

Support Matrix

Ceph-CSI features and available versions

Please refer to the rbd nbd mounter documentation for its support details.

| Plugin | Features | Feature Status | CSI Driver Version | CSI Spec Version | Ceph Cluster Version | Kubernetes Version |
|--------|----------|----------------|--------------------|------------------|----------------------|--------------------|
| RBD | Dynamically provision, de-provision Block mode RWO volume | GA | >= v1.0.0 | >= v1.0.0 | Octopus (>=15.0.0) | >= v1.14.0 |
| RBD | Dynamically provision, de-provision Block mode RWX volume | GA | >= v1.0.0 | >= v1.0.0 | Octopus (>=15.0.0) | >= v1.14.0 |
| RBD | Dynamically provision, de-provision Block mode RWOP volume | Alpha | >= v3.5.0 | >= v1.5.0 | Octopus (>=15.0.0) | >= v1.22.0 |
| RBD | Dynamically provision, de-provision File mode RWO volume | GA | >= v1.0.0 | >= v1.0.0 | Octopus (>=15.0.0) | >= v1.14.0 |
| RBD | Dynamically provision, de-provision File mode RWOP volume | Alpha | >= v3.5.0 | >= v1.5.0 | Octopus (>=15.0.0) | >= v1.22.0 |
| RBD | Provision File Mode ROX volume from snapshot | Alpha | >= v3.0.0 | >= v1.0.0 | Octopus (>=v15.0.0) | >= v1.17.0 |
| RBD | Provision File Mode ROX volume from another volume | Alpha | >= v3.0.0 | >= v1.0.0 | Octopus (>=v15.0.0) | >= v1.16.0 |
| RBD | Provision Block Mode ROX volume from snapshot | Alpha | >= v3.0.0 | >= v1.0.0 | Octopus (>=v15.0.0) | >= v1.17.0 |
| RBD | Provision Block Mode ROX volume from another volume | Alpha | >= v3.0.0 | >= v1.0.0 | Octopus (>=v15.0.0) | >= v1.16.0 |
| RBD | Creating and deleting snapshot | GA | >= v1.0.0 | >= v1.0.0 | Octopus (>=15.0.0) | >= v1.17.0 |
| RBD | Provision volume from snapshot | GA | >= v1.0.0 | >= v1.0.0 | Octopus (>=15.0.0) | >= v1.17.0 |
| RBD | Provision volume from another volume | GA | >= v1.0.0 | >= v1.0.0 | Octopus (>=15.0.0) | >= v1.16.0 |
| RBD | Expand volume | Beta | >= v2.0.0 | >= v1.1.0 | Octopus (>=15.0.0) | >= v1.15.0 |
| RBD | Volume/PV Metrics of File Mode Volume | GA | >= v1.2.0 | >= v1.1.0 | Octopus (>=15.0.0) | >= v1.15.0 |
| RBD | Volume/PV Metrics of Block Mode Volume | GA | >= v1.2.0 | >= v1.1.0 | Octopus (>=15.0.0) | >= v1.21.0 |
| RBD | Topology Aware Provisioning Support | Alpha | >= v2.1.0 | >= v1.1.0 | Octopus (>=15.0.0) | >= v1.14.0 |
| CephFS | Dynamically provision, de-provision File mode RWO volume | GA | >= v1.1.0 | >= v1.0.0 | Octopus (>=15.0.0) | >= v1.14.0 |
| CephFS | Dynamically provision, de-provision File mode RWX volume | GA | >= v1.1.0 | >= v1.0.0 | Octopus (>=v15.0.0) | >= v1.14.0 |
| CephFS | Dynamically provision, de-provision File mode ROX volume | Alpha | >= v3.0.0 | >= v1.0.0 | Octopus (>=v15.0.0) | >= v1.14.0 |
| CephFS | Dynamically provision, de-provision File mode RWOP volume | Alpha | >= v3.5.0 | >= v1.5.0 | Octopus (>=15.0.0) | >= v1.22.0 |
| CephFS | Creating and deleting snapshot | GA | >= v3.1.0 | >= v1.0.0 | Octopus (>=v15.2.4) | >= v1.17.0 |
| CephFS | Provision volume from snapshot | GA | >= v3.1.0 | >= v1.0.0 | Octopus (>=v15.2.4) | >= v1.17.0 |
| CephFS | Provision volume from another volume | GA | >= v3.1.0 | >= v1.0.0 | Octopus (>=v15.2.4) | >= v1.16.0 |
| CephFS | Expand volume | Beta | >= v2.0.0 | >= v1.1.0 | Octopus (>=v15.0.0) | >= v1.15.0 |
| CephFS | Volume/PV Metrics of File Mode Volume | GA | >= v1.2.0 | >= v1.1.0 | Octopus (>=v15.0.0) | >= v1.15.0 |
| NFS | Dynamically provision, de-provision File mode RWO volume | Alpha | >= v3.6.0 | >= v1.0.0 | Pacific (>=16.2.0) | >= v1.14.0 |
| NFS | Dynamically provision, de-provision File mode RWX volume | Alpha | >= v3.6.0 | >= v1.0.0 | Pacific (>=16.2.0) | >= v1.14.0 |
| NFS | Dynamically provision, de-provision File mode ROX volume | Alpha | >= v3.6.0 | >= v1.0.0 | Pacific (>=16.2.0) | >= v1.14.0 |
| NFS | Dynamically provision, de-provision File mode RWOP volume | Alpha | >= v3.6.0 | >= v1.5.0 | Pacific (>=16.2.0) | >= v1.22.0 |
| NFS | Expand volume | Alpha | >= v3.7.0 | >= v1.1.0 | Pacific (>=16.2.0) | >= v1.15.0 |
| NFS | Creating and deleting snapshot | Alpha | >= v3.7.0 | >= v1.1.0 | Pacific (>=16.2.0) | >= v1.17.0 |
| NFS | Provision volume from snapshot | Alpha | >= v3.7.0 | >= v1.1.0 | Pacific (>=16.2.0) | >= v1.17.0 |
| NFS | Provision volume from another volume | Alpha | >= v3.7.0 | >= v1.1.0 | Pacific (>=16.2.0) | >= v1.16.0 |

NOTE: The Alpha status reflects possible non-backward compatible changes in the future, and is thus not recommended for production use.

CSI spec and Kubernetes version compatibility

Please refer to the matrix in the Kubernetes documentation.

Ceph CSI Container images and release compatibility

| Ceph CSI Release/Branch | Container image name | Image Tag |
|-------------------------|----------------------|-----------|
| devel (Branch) | quay.io/cephcsi/cephcsi | canary |
| v3.8.0 (Release) | quay.io/cephcsi/cephcsi | v3.8.0 |
| v3.7.2 (Release) | quay.io/cephcsi/cephcsi | v3.7.2 |
| v3.7.1 (Release) | quay.io/cephcsi/cephcsi | v3.7.1 |
| v3.7.0 (Release) | quay.io/cephcsi/cephcsi | v3.7.0 |

| Deprecated Ceph CSI Release/Branch | Container image name | Image Tag |
|------------------------------------|----------------------|-----------|
| v3.6.1 (Release) | quay.io/cephcsi/cephcsi | v3.6.1 |
| v3.6.0 (Release) | quay.io/cephcsi/cephcsi | v3.6.0 |
| v3.5.1 (Release) | quay.io/cephcsi/cephcsi | v3.5.1 |
| v3.5.0 (Release) | quay.io/cephcsi/cephcsi | v3.5.0 |
| v3.4.0 (Release) | quay.io/cephcsi/cephcsi | v3.4.0 |
| v3.3.1 (Release) | quay.io/cephcsi/cephcsi | v3.3.1 |
| v3.3.0 (Release) | quay.io/cephcsi/cephcsi | v3.3.0 |
| v3.2.2 (Release) | quay.io/cephcsi/cephcsi | v3.2.2 |
| v3.2.1 (Release) | quay.io/cephcsi/cephcsi | v3.2.1 |
| v3.2.0 (Release) | quay.io/cephcsi/cephcsi | v3.2.0 |
| v3.1.2 (Release) | quay.io/cephcsi/cephcsi | v3.1.2 |
| v3.1.1 (Release) | quay.io/cephcsi/cephcsi | v3.1.1 |
| v3.1.0 (Release) | quay.io/cephcsi/cephcsi | v3.1.0 |
| v3.0.0 (Release) | quay.io/cephcsi/cephcsi | v3.0.0 |
| v2.1.2 (Release) | quay.io/cephcsi/cephcsi | v2.1.2 |
| v2.1.1 (Release) | quay.io/cephcsi/cephcsi | v2.1.1 |
| v2.1.0 (Release) | quay.io/cephcsi/cephcsi | v2.1.0 |
| v2.0.1 (Release) | quay.io/cephcsi/cephcsi | v2.0.1 |
| v2.0.0 (Release) | quay.io/cephcsi/cephcsi | v2.0.0 |
| v1.2.2 (Release) | quay.io/cephcsi/cephcsi | v1.2.2 |
| v1.2.1 (Release) | quay.io/cephcsi/cephcsi | v1.2.1 |
| v1.2.0 (Release) | quay.io/cephcsi/cephcsi | v1.2.0 |
| v1.1.0 (Release) | quay.io/cephcsi/cephcsi | v1.1.0 |
| v1.0.0 (Branch) | quay.io/cephcsi/cephfsplugin | v1.0.0 |
| v1.0.0 (Branch) | quay.io/cephcsi/rbdplugin | v1.0.0 |

Contributing to this repo

Please follow the development-guide and coding style guidelines if you are interested in contributing to this repo.

Troubleshooting

Please submit an issue at: Issues

Weekly Bug Triage call

We conduct weekly bug triage calls in our Slack channel on Tuesdays. More details are available here.

Dev standup

A regular dev standup takes place every Tuesday at 12:00 PM UTC. Convert this to your local timezone by running `date -d "12:00 UTC"` in a terminal.

Any changes to the meeting schedule will be added to the agenda doc.

Anyone who wants to discuss the direction of the project, design and implementation reviews, or general questions with the broader community is welcome and encouraged to join.

Contact

Please use the following to reach members of the community: