Commits on Apr 27, 2023

1. util: Limit cryptsetup PBKDF memory usage …

   By default, `cryptsetup luksFormat` uses Argon2i as Password-Based Key
   Derivation Function (PBKDF), which not only has a CPU cost, but also a memory
   cost (to make brute-force attacks harder).
   
   The memory cost is based on the available system memory by default, which in
   the context of Ceph CSI can be a problem for two reasons:
   
   1. Pods can have a memory limit (much lower that the memory available on the
      node, usually) which isn't taken into account by `cryptsetup`, so it can get
      OOM-killed when formating a new volume;
   2. The amount of memory that was used during `cryptsetup luksFormat` will then
      be needed for `cryptsetup luksOpen`, so if the volume was formated on a node
      with a lot of memory, but then needs to be opened on a different node with
      less memory, `cryptsetup` will get OOM-killed.
   
   This commit sets the PBKDF memory limit to a fixed value to ensure consistent
   memory usage regardless of the specifications of the nodes where the volume
   happens to be formatted in the first place.
   
   The limit is set to a relatively low value (32 MiB) so that the `csi-rbdplugin`
   container in the `nodeplugin` pod doesn't require an extravagantly high memory
   limit in order to format/open volumes (particularly with operations happening
   in parallel), while at the same time not being so low as to render it
   completely pointless.
   
   Signed-off-by: Benoît Knecht <bknecht@protonmail.ch>

   

   BenoitKnecht authored and Madhu-1 committed Apr 27, 2023
   Configuration menu

   • View commit details
   • Copy full SHA for 52bcb1c
   • Browse repository at this point

   Copy the full SHA

   52bcb1c View commit details

   Browse the repository at this point in the history