[BUG] Volume encryption doesn't work on Amazon Linux 2 #5944
Comments
cc @longhorn/qa |
Hi @v-starodubov |
cc @derekbit |
@v-starodubov We will
|
Pre Ready-For-Testing Checklist
Improve the error message
longhorn/longhorn-manager#2308
|
Verified pass on longhorn master (longhorn-manager
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled 25s default-scheduler Successfully assigned default/my-pod to ip-172-31-43-90
Normal SuccessfulAttachVolume 15s attachdetach-controller AttachVolume.Attach succeeded for volume "pvc-03c6da27-bd09-49d2-b60b-d117de538bed"
Warning FailedMount 7s (x5 over 15s) kubelet MountVolume.MountDevice failed for volume "pvc-03c6da27-bd09-49d2-b60b-d117de538bed" : rpc error: code = Internal desc = failed to encrypt device /dev/longhorn/pvc-03c6da27-bd09-49d2-b60b-d117de538bed with LUKS: failed to run cryptsetup, args: [-q luksFormat --type luks2 --cipher aes-xts-plain64 --hash sha256 --key-size 256 --pbkdf argon2i /dev/longhorn/pvc-03c6da27-bd09-49d2-b60b-d117de538bed -d /dev/stdin], stdout: , stderr: Usage: cryptsetup [-?vyrq] [-?|--help] [--usage] [--version] [-v|--verbose]
[--debug] [-c|--cipher=STRING] [-h|--hash=STRING]
[-y|--verify-passphrase] [-d|--key-file=STRING]
[--master-key-file=STRING] [--dump-master-key] [-s|--key-size=BITS]
[-l|--keyfile-size=bytes] [--keyfile-offset=bytes]
[--new-keyfile-size=bytes] [--new-keyfile-offset=bytes]
[-S|--key-slot=INT] [-b|--size=SECTORS] [-o|--offset=SECTORS]
[-p|--skip=SECTORS] [-r|--readonly] [-i|--iter-time=msecs]
[-q|--batch-mode] [-t|--timeout=secs] [-T|--tries=INT]
[--align-payload=SECTORS] [--header-backup-file=STRING]
[--use-random] [--use-urandom] [--shared] [--uuid=STRING]
[--allow-discards] [--header=STRING] [--test-passphrase]
[--tcrypt-hidden] [--tcrypt-system] [--tcrypt-backup] [--veracrypt]
[-M|--type=STRING] [--force-password] [--perf-same_cpu_crypt]
[--perf-submit_from_crypt_cpus] [OPTION...] <action> <action-specific>
--pbkdf: unknown option
: exit status 1
root@ip-172-31-37-145:/home/ubuntu# cryptsetup --version
cryptsetup 1.7.4
|
Describe the bug (🐛 if you encounter this issue)
While using Longhorn on worker nodes with the Amazon Linux 2 image, I encountered an error stating that the Longhorn CSI plugin cannot perform LUKS-related actions on volumes. For example, when attempting to mount a volume created from a PVC manifest for the first time, the pod fails to mount it due to NodeStageVolume returning an exit code 1.
To Reproduce
Steps to reproduce the behavior:
cryptsetup and load dm_crypt module in worker nodes.
CRYPTO_KEY_VALUE. Create StorageClass with encrypted: true and CSI storage parameters that reference previously created secret. Took them from this documentation page.
Pending state, check log of your pod or longhorn-csi-plugin that serves luksFormat action for this volume.
Expected behavior
longhorn-csi-plugin should perform luksFormat and then luksOpen properly. Likewise Ubuntu. I tested these steps on Ubuntu 20.04 distribution and everything works fine.
Log or Support bundle
Environment
1.4.2
Helm
EKS 1.26
AL2_x86_64 1.26.2-20230509 (ami-0ebd4e6356d0557a5)
2 vCPU
8 GiB
SSD GP2
AWS EKS
1
Additional context
I think this can be related to process of passing passphrase during crypto process. If I pass empty CRYPTO_KEY_VALUE or remove it from secret, the csi-plugin will correctly display that there is missing key value.
During Pending pod status, I can exec into corresponding longhorn-csi-plugin container and perform these steps manually, without -d /dev/stdin:
This is required for first-time. Next step is to perform luksOpen:
After these steps pod that requested volume should proceed to Running state.
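A node preflight check for the failure shown in the FailedMount event in this thread, added here as an example; it is not part of the original issue or of Longhorn's code. The function names are hypothetical, and the 2.0.0 threshold is an assumption based on LUKS2 and `--pbkdf` first shipping in cryptsetup 2.0.0.

```shell
#!/bin/sh
# Added example: check whether a cryptsetup binary can accept the arguments
# quoted in the event (luksFormat --type luks2 --pbkdf argon2i).
# Assumption: LUKS2 and --pbkdf are available from cryptsetup 2.0.0 onward.
MIN_MAJOR=2

# Print the "X.Y.Z" part of a line such as "cryptsetup 1.7.4".
parse_cryptsetup_version() {
    printf '%s\n' "$1" | sed -n 's/^cryptsetup \([0-9][0-9.]*\).*$/\1/p' | head -n 1
}

# Return 0 if the version supports LUKS2/--pbkdf, 1 if too old, 2 if unparseable.
supports_luks2() {
    ver=$(parse_cryptsetup_version "$1")
    [ -n "$ver" ] || return 2
    major=${ver%%.*}
    [ "$major" -ge "$MIN_MAJOR" ]
}

# Classify captured cryptsetup stderr. "unsupported-option" points at an old
# binary rather than at the passphrase or the block device.
classify_stderr() {
    case "$1" in
        *"unknown option"*) echo unsupported-option ;;
        *) echo other ;;
    esac
}

# Run the check against the cryptsetup found on PATH.
check_node() {
    out=$(cryptsetup --version 2>/dev/null) || { echo "FAIL: cryptsetup not found"; return 2; }
    rc=0
    supports_luks2 "$out" || rc=$?
    case "$rc" in
        0) echo "OK: $out" ;;
        1) echo "FAIL: $out is too old for --type luks2 --pbkdf argon2i" ;;
        *) echo "FAIL: cannot parse version from: $out" ;;
    esac
    return "$rc"
}

# Only touch the local system when explicitly asked to.
if [ "${1:-}" = "--check" ]; then
    check_node
fi
```

Run it with `--check` in the same environment where the `cryptsetup` that performs `luksFormat` is executed, so the version it reports is the one that matters.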