util: Limit cryptsetup PBKDF memory usage #3781

Merged
merged 1 commit into from
Apr 27, 2023

Commits on Apr 27, 2023

  1. util: Limit cryptsetup PBKDF memory usage

    By default, `cryptsetup luksFormat` uses Argon2i as Password-Based Key
    Derivation Function (PBKDF), which not only has a CPU cost, but also a memory
    cost (to make brute-force attacks harder).
    
    The memory cost is based on the available system memory by default, which in
    the context of Ceph CSI can be a problem for two reasons:
    
    1. Pods can have a memory limit (much lower than the memory available on the
       node, usually) which isn't taken into account by `cryptsetup`, so it can get
       OOM-killed when formatting a new volume;
    2. The amount of memory that was used during `cryptsetup luksFormat` will then
       be needed for `cryptsetup luksOpen`, so if the volume was formatted on a node
       with a lot of memory, but then needs to be opened on a different node with
       less memory, `cryptsetup` will get OOM-killed.
    
    This commit sets the PBKDF memory limit to a fixed value to ensure consistent
    memory usage regardless of the specifications of the nodes where the volume
    happens to be formatted in the first place.
    
    The limit is set to a relatively low value (32 MiB) so that the `csi-rbdplugin`
    container in the `nodeplugin` pod doesn't require an extravagantly high memory
    limit in order to format/open volumes (particularly with operations happening
    in parallel), while at the same time not being so low as to render it
    completely pointless.
    
    Signed-off-by: Benoît Knecht <bknecht@protonmail.ch>
    BenoitKnecht authored and Madhu-1 committed Apr 27, 2023
    52bcb1c
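
A check that follows from point 2 of the commit message, added here as an example (not code from this pull request or from Ceph CSI): it reads `cryptsetup luksDump` output and lists the LUKS2 keyslots whose Argon2 memory cost exceeds a limit, so volumes formatted before the fixed value was introduced can be found. The function name and the sample dump are constructed; the `Memory:` field is assumed to be reported in KiB, as in LUKS2 headers.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample of `cryptsetup luksDump` output for a LUKS2 header,
// trimmed to the keyslot fields this check reads. Memory is assumed to be KiB.
const sampleDump = `Keyslots:
  0: luks2
	PBKDF:      argon2i
	Memory:     1048576
  1: luks2
	PBKDF:      argon2i
	Memory:     32768
Tokens:
`

// keyslotsOverLimit returns the IDs of keyslots whose PBKDF memory cost (KiB)
// exceeds limitKiB, i.e. slots that need more memory to open than is allowed.
func keyslotsOverLimit(dump string, limitKiB uint64) ([]string, error) {
	var over []string
	slot := ""
	sc := bufio.NewScanner(strings.NewReader(dump))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		switch {
		case len(f) == 2 && strings.HasSuffix(f[0], ":") && f[1] == "luks2":
			slot = strings.TrimSuffix(f[0], ":") // start of a keyslot section
		case len(f) == 2 && f[0] == "Memory:" && slot != "":
			kib, err := strconv.ParseUint(f[1], 10, 64)
			if err != nil {
				return nil, fmt.Errorf("keyslot %s: %w", slot, err)
			}
			if kib > limitKiB {
				over = append(over, slot)
			}
		}
	}
	return over, sc.Err()
}

func main() {
	// 32 MiB, the fixed value named in the commit message, expressed in KiB.
	fmt.Println(keyslotsOverLimit(sampleDump, 32*1024))
}
```

A keyslot reported here would need its recorded memory cost again at `luksOpen`, whatever the memory limit of the pod that opens it.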