ceph-csi icon indicating copy to clipboard operation
ceph-csi copied to clipboard
verified publisher icon ceph

rbd: Add timeout for cryptsetup commands

Open black-dragon74 opened this issue 1 year ago • 4 comments

Describe what this PR does

This PR modifies the execCryptSetupCommand so that the process is killed in an event of lock timeout.

Useful in cases where the volume lock is released but the command is still running.

black-dragon74 avatar Oct 17 '24 12:10 black-dragon74

This looks reasonable to me. Did you manage to test this somehow, and see how everything gets corrected by a different container?

we need to ensure that the CLI command we start is killed and doesn't continue to execute, please test it the changes to ensure that it works as expected and also provide some test results on how this is tested

Madhu-1 avatar Oct 18 '24 08:10 Madhu-1

This looks reasonable to me. Did you manage to test this somehow, and see how everything gets corrected by a different container?

Trying but not able to yet. I am thinking of having a wrapper to cryptsetup that sleeps for some time and then tries to execute the intended command. The key is to kill the process in midst of operations.

I will test it and report.

black-dragon74 avatar Oct 18 '24 09:10 black-dragon74

Trying but not able to yet. I am thinking of having a wrapper to cryptsetup that sleeps for some time and then tries to execute the intended command. The key is to kill the process in midst of operations.

I also think the only way reproduce this, is by adding a wrapper for the command. It helps to make the command do something that can be verified after aborting, maybe something like this (untested):

#!/bin/sh
#
# Assume a 1GB block-device, write unencrypted data at 500MB offset.
#

# run normal crypsetup, it will be quick and exits cleanly
cryptsetup.real $@

# run dd in a loop, small I/O with sync to make it slower
# only runs the loop if /tmp/testing exists
while [ -e /tmp/testing ]
do
    # set correct device and verify parameters
    dd if=/dev/urandom of=/dev/rbd... bs=1 count=100m offset=500m
done

Make sure to name the script cryptsetup and place is in the location where cryptsetup normally lives. The original cryptsetup executable should be renamed to cryptsetup.real so that it still can be executed.

nixpanic avatar Oct 18 '24 13:10 nixpanic

Hey @black-dragon74 , I'll mark this as a draft for now, otherwise I keep checking it for updates. Please move it back as ready for review once you have tested it. Thanks!

nixpanic avatar Oct 22 '24 14:10 nixpanic

@mergifyio rebase

nixpanic avatar Nov 05 '24 09:11 nixpanic

rebase

✅ Branch has been successfully rebased

mergify[bot] avatar Nov 05 '24 09:11 mergify[bot]

@mergifyio queue

nixpanic avatar Nov 05 '24 09:11 nixpanic

queue

✅ The pull request has been merged automatically

The pull request has been merged automatically at 1c02e69ba49f411390a79eb5025084bed85b6833

mergify[bot] avatar Nov 05 '24 09:11 mergify[bot]

/test ci/centos/k8s-e2e-external-storage/1.31

ceph-csi-bot avatar Nov 05 '24 09:11 ceph-csi-bot

/test ci/centos/mini-e2e-helm/k8s-1.31

ceph-csi-bot avatar Nov 05 '24 09:11 ceph-csi-bot

/test ci/centos/k8s-e2e-external-storage/1.29

ceph-csi-bot avatar Nov 05 '24 09:11 ceph-csi-bot

/test ci/centos/mini-e2e/k8s-1.31

ceph-csi-bot avatar Nov 05 '24 09:11 ceph-csi-bot

/test ci/centos/mini-e2e-helm/k8s-1.29

ceph-csi-bot avatar Nov 05 '24 09:11 ceph-csi-bot

/test ci/centos/k8s-e2e-external-storage/1.30

ceph-csi-bot avatar Nov 05 '24 09:11 ceph-csi-bot

/test ci/centos/mini-e2e/k8s-1.29

ceph-csi-bot avatar Nov 05 '24 09:11 ceph-csi-bot

/test ci/centos/mini-e2e-helm/k8s-1.30

ceph-csi-bot avatar Nov 05 '24 09:11 ceph-csi-bot

/test ci/centos/mini-e2e/k8s-1.30

ceph-csi-bot avatar Nov 05 '24 09:11 ceph-csi-bot

/test ci/centos/upgrade-tests-cephfs

ceph-csi-bot avatar Nov 05 '24 09:11 ceph-csi-bot

/test ci/centos/upgrade-tests-rbd

ceph-csi-bot avatar Nov 05 '24 09:11 ceph-csi-bot