rbd: Add timeout for cryptsetup commands

This PR modifies the execCryptSetupCommand so that the process is killed in an event of lock timeout. Useful in cases where the volume lock is released but the command is still running. Signed-off-by: Niraj Yadav <[email protected]>
ceph · Oct 17, 2024 · a68d41f · a68d41f
1 parent 8ddb615
commit a68d41f
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 6 deletions.
diff --git a/internal/rbd/encryption.go b/internal/rbd/encryption.go
@@ -22,7 +22,6 @@ import (
 	"fmt"
 	"strconv"
 	"strings"
-	"time"
 
 	kmsapi "github.com/ceph/ceph-csi/internal/kms"
 	"github.com/ceph/ceph-csi/internal/util"
@@ -475,11 +474,10 @@ func (rv *rbdVolume) RotateEncryptionKey(ctx context.Context) error {
 	// Lock params
 	lockName := rv.VolID + "-mutexlock"
 	lockDesc := "Key rotation mutex lock for " + rv.VolID
-	lockDuration := 3 * time.Minute
 	lockCookie := rv.VolID + "-enc-key-rotate"
 
 	// Acquire the exclusive lock based on vol id
-	lck := lock.NewLock(rv.ioctx, rv.VolID, lockName, lockCookie, lockDesc, lockDuration)
+	lck := lock.NewLock(rv.ioctx, rv.VolID, lockName, lockCookie, lockDesc, util.CryptSetupExecutionTimeout)
 	err = lck.LockExclusive(ctx)
 	if err != nil {
 		return err

diff --git a/internal/util/cryptsetup.go b/internal/util/cryptsetup.go
@@ -18,18 +18,26 @@ package util
 
 import (
 	"bytes"
+	"context"
+	"errors"
 	"fmt"
 	"os"
 	"os/exec"
 	"strconv"
 	"strings"
+	"time"
 
 	"github.com/ceph/ceph-csi/internal/util/file"
 	"github.com/ceph/ceph-csi/internal/util/log"
 )
 
-// Limit memory used by Argon2i PBKDF to 32 MiB.
-const cryptsetupPBKDFMemoryLimit = 32 << 10 // 32768 KiB
+const (
+	// Maximum time to wait for cryptsetup commands to complete.
+	CryptSetupExecutionTimeout = 3 * time.Minute
+
+	// Limit memory used by Argon2i PBKDF to 32 MiB.
+	cryptsetupPBKDFMemoryLimit = 32 << 10 // 32768 KiB
+)
 
 // LuksFormat sets up volume as an encrypted LUKS partition.
 func LuksFormat(devicePath, passphrase string) (string, string, error) {
@@ -200,9 +208,12 @@ func LuksVerifyKey(devicePath, passphrase, slot string) (bool, error) {
 }
 
 func execCryptsetupCommand(stdin *string, args ...string) (string, string, error) {
+	timeoutCtx, cancel := context.WithTimeout(context.Background(), CryptSetupExecutionTimeout)
+	defer cancel()
+
 	var (
 		program       = "cryptsetup"
-		cmd           = exec.Command(program, args...) // #nosec:G204, commands executing not vulnerable.
+		cmd           = exec.CommandContext(timeoutCtx, program, args...) // #nosec:G204, commands executing not vulnerable.
 		sanitizedArgs = StripSecretInArgs(args)
 		stdoutBuf     bytes.Buffer
 		stderrBuf     bytes.Buffer
@@ -217,6 +228,10 @@ func execCryptsetupCommand(stdin *string, args ...string) (string, string, error
 	stdout := stdoutBuf.String()
 	stderr := stderrBuf.String()
 
+	if errors.Is(timeoutCtx.Err(), context.DeadlineExceeded) {
+		return stdout, stderr, fmt.Errorf("timeout occurred while running %s args: %v", program, sanitizedArgs)
+	}
+
 	if err != nil {
 		return stdout, stderr, fmt.Errorf("an error (%v)"+
 			" occurred while running %s args: %v", err, program, sanitizedArgs)