ceph-csi/internal/util
Benoît Knecht 0ec6e10bf2 util: Limit cryptsetup PBKDF memory usage
By default, `cryptsetup luksFormat` uses Argon2i as Password-Based Key
Derivation Function (PBKDF), which not only has a CPU cost, but also a memory
cost (to make brute-force attacks harder).

The memory cost is based on the available system memory by default, which in
the context of Ceph CSI can be a problem for two reasons:

1. Pods can have a memory limit (much lower than the memory available on the
   node, usually) which isn't taken into account by `cryptsetup`, so it can get
   OOM-killed when formatting a new volume;
2. The amount of memory that was used during `cryptsetup luksFormat` will then
   be needed for `cryptsetup luksOpen`, so if the volume was formatted on a node
   with a lot of memory, but then needs to be opened on a different node with
   less memory, `cryptsetup` will get OOM-killed.

This commit sets the PBKDF memory limit to a fixed value to ensure consistent
memory usage regardless of the specifications of the nodes where the volume
happens to be formatted in the first place.

The limit is set to a relatively low value (32 MiB) so that the `csi-rbdplugin`
container in the `nodeplugin` pod doesn't require an extravagantly high memory
limit in order to format/open volumes (particularly with operations happening
in parallel), while at the same time not being so low as to render it
completely pointless.

Signed-off-by: Benoît Knecht <bknecht@protonmail.ch>
(cherry picked from commit 1852e977f8)
2023-04-27 16:47:12 +00:00
..
fscrypt fscrypt: fix metadata directory permissions 2022-10-17 17:33:52 +00:00
k8s rbd: create token and use it for vault SA 2022-06-17 11:37:59 +00:00
log cleanup: fix static checks 2023-02-02 14:53:59 +00:00
reftracker util: added reference tracker 2022-03-27 19:24:26 +00:00
cephcmds_test.go
cephcmds.go ci: fix all linter errors found in golangci-lint 2022-06-03 12:55:54 +00:00
cephconf.go cleanup: remove ceph.conf WA options which are already fixed 2022-02-04 15:42:32 +00:00
cluster_mapping_test.go
cluster_mapping.go ci: fix all linter errors found in golangci-lint 2022-06-03 12:55:54 +00:00
conn_pool_test.go cleanup: use os.WriteFile to write files 2022-01-24 05:25:11 +00:00
conn_pool.go
connection.go nfs: use go-ceph API for creating/deleting exports 2022-04-14 08:01:45 +00:00
credentials_test.go
credentials.go cleanup: fix static checks 2023-02-02 14:53:59 +00:00
crushlocation_test.go rbd: add capability to automatically enable read affinity 2023-02-14 08:29:46 +00:00
crushlocation.go rbd: add capability to automatically enable read affinity 2023-02-14 08:29:46 +00:00
crypto_test.go util: Add EncryptionTypeNone and unit tests 2022-10-17 17:33:52 +00:00
crypto.go util: Add EncryptionTypeNone and unit tests 2022-10-17 17:33:52 +00:00
cryptsetup.go util: Limit cryptsetup PBKDF memory usage 2023-04-27 16:47:12 +00:00
csiconfig_test.go nfs: add nodeserver within cephcsi 2022-08-09 13:36:03 +00:00
csiconfig.go cleanup: use index instead of value while iterating 2022-08-09 13:36:03 +00:00
errors_test.go
errors.go
getsecret_test.go kms: Add basic GetSecret() test 2022-10-17 17:33:52 +00:00
httpserver.go
idlocker_test.go
idlocker.go cleanup: fix static checks 2023-02-03 08:55:43 +00:00
pidlimit_test.go
pidlimit.go util: support systems using the new cgroup v2 structure 2022-05-07 20:38:48 +00:00
stripsecrets.go
topology_test.go rbd: fix topology snapshot pool 2022-03-30 04:40:30 +00:00
topology.go ci: fix all linter errors found in golangci-lint 2022-06-03 12:55:54 +00:00
util_test.go cephfs: round to cephfs size to multiple of 4Mib 2022-07-13 18:32:40 +00:00
util.go rbd: add capability to automatically enable read affinity 2023-02-14 08:29:46 +00:00
validate.go
volid_test.go
volid.go ci: fix all linter errors found in golangci-lint 2022-06-03 12:55:54 +00:00