util: Limit cryptsetup PBKDF memory usage (backport #3781) #3784
Conversation
![mergify[bot]](https://avatars.githubusercontent.com/in/10562?s=60&v=4){kind=small}
Madhu-1
added
ready-to-merge
|
/test ci/centos/k8s-e2e-external-storage/1.23 |
|
/test ci/centos/k8s-e2e-external-storage/1.24 |
|
/test ci/centos/k8s-e2e-external-storage/1.25 |
|
/test ci/centos/k8s-e2e-external-storage/1.26 |
|
/test ci/centos/mini-e2e-helm/k8s-1.23 |
|
/test ci/centos/mini-e2e-helm/k8s-1.24 |
|
/test ci/centos/mini-e2e-helm/k8s-1.25 |
|
/test ci/centos/mini-e2e-helm/k8s-1.26 |
|
/test ci/centos/mini-e2e/k8s-1.23 |
|
/test ci/centos/mini-e2e/k8s-1.24 |
|
/test ci/centos/mini-e2e/k8s-1.25 |
|
/test ci/centos/mini-e2e/k8s-1.26 |
|
/test ci/centos/upgrade-tests-cephfs |
|
/test ci/centos/upgrade-tests-rbd |
|
@Mergifyio rebase |
✅ Branch has been successfully rebased |
Madhu-1
force-pushed
the
mergify/bp/release-v3.8/pr-3781
branch
from
82459ea to
bd4c896
Compare
|
/test ci/centos/k8s-e2e-external-storage/1.24 |
|
/test ci/centos/k8s-e2e-external-storage/1.25 |
|
/test ci/centos/k8s-e2e-external-storage/1.26 |
|
/test ci/centos/k8s-e2e-external-storage/1.27 |
|
/test ci/centos/mini-e2e-helm/k8s-1.24 |
|
/test ci/centos/mini-e2e-helm/k8s-1.25 |
|
/retest ci/centos/k8s-e2e-external-storage/1.27 |
|
/retest ci/centos/mini-e2e-helm/k8s-1.27 |
|
@Mergifyio requeue |
❌ This pull request head commit has not been previously disembarked from queue. |
|
@Mergifyio rebase |
By default, `cryptsetup luksFormat` uses Argon2i as Password-Based Key Derivation Function (PBKDF), which not only has a CPU cost, but also a memory cost (to make brute-force attacks harder). The memory cost is based on the available system memory by default, which in the context of Ceph CSI can be a problem for two reasons: 1. Pods can have a memory limit (much lower that the memory available on the node, usually) which isn't taken into account by `cryptsetup`, so it can get OOM-killed when formating a new volume; 2. The amount of memory that was used during `cryptsetup luksFormat` will then be needed for `cryptsetup luksOpen`, so if the volume was formated on a node with a lot of memory, but then needs to be opened on a different node with less memory, `cryptsetup` will get OOM-killed. This commit sets the PBKDF memory limit to a fixed value to ensure consistent memory usage regardless of the specifications of the nodes where the volume happens to be formatted in the first place. The limit is set to a relatively low value (32 MiB) so that the `csi-rbdplugin` container in the `nodeplugin` pod doesn't require an extravagantly high memory limit in order to format/open volumes (particularly with operations happening in parallel), while at the same time not being so low as to render it completely pointless. Signed-off-by: Benoît Knecht <bknecht@protonmail.ch> (cherry picked from commit 1852e97)
✅ Branch has been successfully rebased |
Madhu-1
force-pushed
the
mergify/bp/release-v3.8/pr-3781
branch
from
bd4c896 to
10384ab
Compare
|
/test ci/centos/k8s-e2e-external-storage/1.24 |
|
/test ci/centos/k8s-e2e-external-storage/1.25 |
|
/test ci/centos/k8s-e2e-external-storage/1.26 |
|
/test ci/centos/k8s-e2e-external-storage/1.27 |
|
/test ci/centos/mini-e2e-helm/k8s-1.24 |
|
/test ci/centos/mini-e2e-helm/k8s-1.25 |
|
/test ci/centos/mini-e2e-helm/k8s-1.26 |
|
/test ci/centos/mini-e2e-helm/k8s-1.27 |
|
/test ci/centos/mini-e2e/k8s-1.24 |
|
/test ci/centos/mini-e2e/k8s-1.25 |
|
/test ci/centos/mini-e2e/k8s-1.26 |
|
/test ci/centos/mini-e2e/k8s-1.27 |
|
/test ci/centos/upgrade-tests-cephfs |
|
/test ci/centos/upgrade-tests-rbd |
This is an automatic backport of pull request #3781 done by Mergify.
Mergify commands and options
More conditions and actions can be found in the documentation.
You can also trigger Mergify actions by commenting on this pull request:
@Mergifyio refreshwill re-evaluate the rules@Mergifyio rebasewill rebase this PR on its base branch@Mergifyio updatewill merge the base branch into this PR@Mergifyio backport <destination>will backport this PR on<destination>branchAdditionally, on Mergify dashboard you can:
Finally, you can contact us on https://mergify.com