mirror of
https://github.com/ceph/ceph-csi.git
synced 2024-11-23 23:00:19 +00:00
0ec6e10bf2
By default, `cryptsetup luksFormat` uses Argon2i as Password-Based Key
Derivation Function (PBKDF), which not only has a CPU cost, but also a memory
cost (to make brute-force attacks harder).
The memory cost is based on the available system memory by default, which in
the context of Ceph CSI can be a problem for two reasons:
1. Pods can have a memory limit (much lower that the memory available on the
node, usually) which isn't taken into account by `cryptsetup`, so it can get
OOM-killed when formating a new volume;
2. The amount of memory that was used during `cryptsetup luksFormat` will then
be needed for `cryptsetup luksOpen`, so if the volume was formated on a node
with a lot of memory, but then needs to be opened on a different node with
less memory, `cryptsetup` will get OOM-killed.
This commit sets the PBKDF memory limit to a fixed value to ensure consistent
memory usage regardless of the specifications of the nodes where the volume
happens to be formatted in the first place.
The limit is set to a relatively low value (32 MiB) so that the `csi-rbdplugin`
container in the `nodeplugin` pod doesn't require an extravagantly high memory
limit in order to format/open volumes (particularly with operations happening
in parallel), while at the same time not being so low as to render it
completely pointless.
Signed-off-by: Benoît Knecht <bknecht@protonmail.ch>
(cherry picked from commit
|
||
---|---|---|
.. | ||
fscrypt | ||
k8s | ||
log | ||
reftracker | ||
cephcmds_test.go | ||
cephcmds.go | ||
cephconf.go | ||
cluster_mapping_test.go | ||
cluster_mapping.go | ||
conn_pool_test.go | ||
conn_pool.go | ||
connection.go | ||
credentials_test.go | ||
credentials.go | ||
crushlocation_test.go | ||
crushlocation.go | ||
crypto_test.go | ||
crypto.go | ||
cryptsetup.go | ||
csiconfig_test.go | ||
csiconfig.go | ||
errors_test.go | ||
errors.go | ||
getsecret_test.go | ||
httpserver.go | ||
idlocker_test.go | ||
idlocker.go | ||
pidlimit_test.go | ||
pidlimit.go | ||
stripsecrets.go | ||
topology_test.go | ||
topology.go | ||
util_test.go | ||
util.go | ||
validate.go | ||
volid_test.go | ||
volid.go |