ceph-csi/internal
Benoît Knecht 0ec6e10bf2 util: Limit cryptsetup PBKDF memory usage
By default, `cryptsetup luksFormat` uses Argon2i as Password-Based Key
Derivation Function (PBKDF), which not only has a CPU cost, but also a memory
cost (to make brute-force attacks harder).

The memory cost is based on the available system memory by default, which in
the context of Ceph CSI can be a problem for two reasons:

1. Pods can have a memory limit (much lower that the memory available on the
   node, usually) which isn't taken into account by `cryptsetup`, so it can get
   OOM-killed when formating a new volume;
2. The amount of memory that was used during `cryptsetup luksFormat` will then
   be needed for `cryptsetup luksOpen`, so if the volume was formated on a node
   with a lot of memory, but then needs to be opened on a different node with
   less memory, `cryptsetup` will get OOM-killed.

This commit sets the PBKDF memory limit to a fixed value to ensure consistent
memory usage regardless of the specifications of the nodes where the volume
happens to be formatted in the first place.

The limit is set to a relatively low value (32 MiB) so that the `csi-rbdplugin`
container in the `nodeplugin` pod doesn't require an extravagantly high memory
limit in order to format/open volumes (particularly with operations happening
in parallel), while at the same time not being so low as to render it
completely pointless.

Signed-off-by: Benoît Knecht <bknecht@protonmail.ch>
(cherry picked from commit 1852e977f8)
2023-04-27 16:47:12 +00:00
..
cephfs cephfs: use shallow volumes for the ROX accessMode 2023-02-21 20:09:13 +00:00
controller cleanup: ReconcilePersistentVolume consider passing it by pointer 2022-06-28 19:12:53 +00:00
csi-addons rbd: ignore stdErr for ceph osd blocklist when there is no error 2022-11-12 04:20:14 +00:00
csi-common util: make inode metrics optional in FilesystemNodeGetVolumeStats() 2022-10-13 19:02:47 +00:00
journal rbd: update namespace name in rados object 2022-10-28 15:50:01 +00:00
kms cleanup: fix static checks 2023-02-02 14:53:59 +00:00
liveness cleanup: move log functions to new internal/util/log package 2021-08-26 09:34:05 +00:00
nfs cephfs: use shallow volumes for the ROX accessMode 2023-02-21 20:09:13 +00:00
rbd rbd: add capability to automatically enable read affinity 2023-02-14 08:29:46 +00:00
util util: Limit cryptsetup PBKDF memory usage 2023-04-27 16:47:12 +00:00