osd: fix removing key file timing #13830
9af5b5c to 01b9a48
01b9a48 to adb60fa
@cupnes Are you still testing this? I don't think this will fix the issue. The key file is in the /etc/ceph folder. If this folder needs to be shared with the other init containers, it will need to be mounted as a volume inside all the init containers. Unless that folder is shared, the key file anyway won't be available in the other init containers even if it is not deleted by the first init container.
And if you mount this as an EmptyDir to share between the containers, it will naturally anyway be deleted after the init containers are completed, and no need for a separate init container to delete the file.
I thought the test was finished. The CI of this PR has failed in two. The first is "TestHelmUpgradeSuite (v1.24.17)". I do not think that this PR is the cause, as the same failures have occurred outside of this PR[1]. The second is "govulncheck". About it, I am aware that you have put up an issue[2].
I think you're right, just I'm concerned about is that when I deleted the key file deletion in the
However, I think that it would be better than my solution and will change this PR to your suggestion.
[1] https://github.com/rook/rook/actions/runs/8161015462/job/22308883169?pr=13878
Ok interesting, you had tested successfully that your change was working? In code inspection I just didn't see the /etc/ceph was mounted, so I didn't expect it to work. In your tests, you also don't see the /etc/ceph volume mounted in the init containers, right?
I see, that may be so. I will answer next week as I cannot take the time to check today.
@travisn
Yes, however, I understand that it is not a good modification and I intend to modify it.
The /etc/ceph volume mounted on the init container was shown as follows.
Therefore, following your comment, I understand that the init container for deletion is not necessary and that it is sufficient to simply delete this line. Is this understanding correct?
> Therefore, following your comment, I understand that the init container for deletion is not necessary and that it is sufficient to simply delete this line. Is this understanding correct?
Yes, this sounds correct. Thanks for confirming that the /etc/ceph volume was indeed mounted. To confirm that the deletion is not necessary, you can connect to the main container and confirm the file does not exist.
Thank you. I made that fix and looked at the main container and found no key file.
I will amend this PR with this plan.
The key file deletion process is in the shell script commonly used by all of the encryption-open, encryption-open-metadata, and encryption-open-wal init containers. The key file is deleted in the encryption-open init container, and the encryption-open-metadata and encryption-open-wal init containers fail to open the key file.

The key file is in the /etc/ceph folder. Unless that folder is shared, the key file anyway won't be available in the other init containers even if it is not deleted by these init containers. And it will naturally anyway be deleted after the init containers are completed. So the key file deletion process in shell scripts is unnecessary.

Fixes: rook#13737

Signed-off-by: Yuma Ogami <yuma-ogami@cybozu.co.jp>
adb60fa to cdd655e
I fixed this PR. Please review.
osd: fix removing key file timing (backport #13830)
The key file deletion process is in the shell script commonly used by all of the encryption-open, encryption-open-metadata, and encryption-open-wal init containers. The key file is deleted in the encryption-open init container, and the encryption-open-metadata and encryption-open-wal init containers fail to open the key file.

The key file is in the /etc/ceph folder. Unless that folder is shared, the key file anyway won't be available in the other init containers even if it is not deleted by these init containers. And it will naturally anyway be deleted after the init containers are completed. So the key file deletion process in shell scripts is unnecessary.

Fixes: #13737
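
The failure described above can be reproduced in miniature with the following added example, which is not Rook's script and not part of the original PR. It assumes a temporary directory standing in for the shared /etc/ceph volume; the function names and the key file name are hypothetical.

```shell
#!/bin/sh
# Constructed simulation of the behaviour described in this PR; not Rook's script.
# Function names and the key file name are hypothetical.

# Shared "open" step as the PR describes the buggy version:
# read the key file, then delete it.
open_with_delete() {   # $1 = key file, $2 = init container name
    [ -r "$1" ] || { echo "$2: cannot open key file" >&2; return 1; }
    rm -f "$1"
}

# Shared "open" step after the fix: read the key file and leave it in place.
open_without_delete() {   # $1 = key file, $2 = init container name
    [ -r "$1" ] || { echo "$2: cannot open key file" >&2; return 1; }
}

# Run the three init containers in order against one shared directory and
# print the names of the containers whose open step failed.
run_init_containers() {   # $1 = name of the open function to use
    dir=$(mktemp -d) || return 1
    keyfile="$dir/example.key"
    ( umask 077; printf 'constructed-key-material\n' > "$keyfile" )
    failed=""
    for c in encryption-open encryption-open-metadata encryption-open-wal; do
        "$1" "$keyfile" "$c" || failed="$failed $c"
    done
    rm -rf "$dir"   # stands in for the volume going away with the init containers
    echo "${failed# }"
}

echo "with deletion, failed:    $(run_init_containers open_with_delete)"
echo "without deletion, failed: $(run_init_containers open_without_delete)"
```

With the deleting variant, only the first container finds the key; the two later ones report that they cannot open it, which matches the symptom in the linked issue.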