From 10f6d94b8ebc42f30f90c174469c0f39f4eb9c81 Mon Sep 17 00:00:00 2001
From: Eric Weber
Date: Mon, 15 Jul 2024 10:24:05 -0500
Subject: [PATCH] fix(crypto): execute cryptsetup in the host namespace again

Longhorn 9000

Signed-off-by: Eric Weber
---
 csi/crypto/crypto.go | 10 +++++-----
 csi/deployment.go | 14 ++++++++++++++
 2 files changed, 19 insertions(+), 5 deletions(-)

diff --git a/csi/crypto/crypto.go b/csi/crypto/crypto.go
index c8f60d2ae4..d22c4ad922 100644
--- a/csi/crypto/crypto.go
+++ b/csi/crypto/crypto.go
@@ -76,7 +76,7 @@ func VolumeMapper(volume string) string {
 // EncryptVolume encrypts provided device with LUKS.
 func EncryptVolume(devicePath, passphrase string, cryptoParams *EncryptParams) error {
 namespaces := []lhtypes.Namespace{lhtypes.NamespaceMnt, lhtypes.NamespaceIpc}
- nsexec, err := lhns.NewNamespaceExecutor(lhtypes.ProcessNone, lhtypes.ProcDirectory, namespaces)
+ nsexec, err := lhns.NewNamespaceExecutor(lhtypes.ProcessNone, lhtypes.HostProcDirectory, namespaces)
 if err != nil {
 return err
 }
@@ -102,7 +102,7 @@ func OpenVolume(volume, devicePath, passphrase string) error {
 }
 
 namespaces := []lhtypes.Namespace{lhtypes.NamespaceMnt, lhtypes.NamespaceIpc}
- nsexec, err := lhns.NewNamespaceExecutor(lhtypes.ProcessNone, lhtypes.ProcDirectory, namespaces)
+ nsexec, err := lhns.NewNamespaceExecutor(lhtypes.ProcessNone, lhtypes.HostProcDirectory, namespaces)
 if err != nil {
 return err
 }
@@ -118,7 +118,7 @@ func OpenVolume(volume, devicePath, passphrase string) error {
 // CloseVolume closes encrypted volume so it can be detached.
 func CloseVolume(volume string) error {
 namespaces := []lhtypes.Namespace{lhtypes.NamespaceMnt, lhtypes.NamespaceIpc}
- nsexec, err := lhns.NewNamespaceExecutor(lhtypes.ProcessNone, lhtypes.ProcDirectory, namespaces)
+ nsexec, err := lhns.NewNamespaceExecutor(lhtypes.ProcessNone, lhtypes.HostProcDirectory, namespaces)
 if err != nil {
 return err
 }
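Review bot: The error from `lhns.NewNamespaceExecutor` is still returned bare in EncryptVolume, and the same three-line pattern repeats in OpenVolume and CloseVolume here and in ResizeEncryptoDevice and DeviceEncryptionStatus further down. These calls now depend on the host's /proc being mounted in the plugin container (the csi/deployment.go part of this patch), so a pod still running the previous spec would presumably fail at this point with nothing in the error naming the cause. Wrapping it, e.g. `return fmt.Errorf("creating namespace executor from %v: %w", lhtypes.HostProcDirectory, err)` (if `fmt` is in scope in this file), would make that visible. Since the title says this behaviour regressed once already, one private helper that builds the executor would keep the proc-directory choice in a single place, with a comment such as `// cryptsetup must run in the host's mount and IPC namespaces, so resolve them through the host's /proc.` All five function bodies continue outside their hunks.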
@@ -136,7 +136,7 @@ func ResizeEncryptoDevice(volume, passphrase string) error {
 }
 
 namespaces := []lhtypes.Namespace{lhtypes.NamespaceMnt, lhtypes.NamespaceIpc}
- nsexec, err := lhns.NewNamespaceExecutor(lhtypes.ProcessNone, lhtypes.ProcDirectory, namespaces)
+ nsexec, err := lhns.NewNamespaceExecutor(lhtypes.ProcessNone, lhtypes.HostProcDirectory, namespaces)
 if err != nil {
 return err
 }
@@ -160,7 +160,7 @@ func DeviceEncryptionStatus(devicePath string) (mappedDevice, mapper string, err
 }
 
 namespaces := []lhtypes.Namespace{lhtypes.NamespaceMnt, lhtypes.NamespaceIpc}
- nsexec, err := lhns.NewNamespaceExecutor(lhtypes.ProcessNone, lhtypes.ProcDirectory, namespaces)
+ nsexec, err := lhns.NewNamespaceExecutor(lhtypes.ProcessNone, lhtypes.HostProcDirectory, namespaces)
 if err != nil {
 return devicePath, "", err
 }
diff --git a/csi/deployment.go b/csi/deployment.go
index 5422f5523b..368b3d50ef 100644
--- a/csi/deployment.go
+++ b/csi/deployment.go
@@ -419,6 +419,12 @@ func NewPluginDeployment(namespace, serviceAccount, nodeDriverRegistrarImage, li
 Name: "host-dev",
 MountPath: "/dev",
 },
+ {
+ // The plugin must be able to switch to the host's namespaces in order to execute
+ // cryptsetup commands for encrypted devices.
+ Name: "host-proc",
+ MountPath: "/host/proc",
+ },
 {
 Name: "host-sys",
 MountPath: "/sys",
@@ -476,6 +482,14 @@ func NewPluginDeployment(namespace, serviceAccount, nodeDriverRegistrarImage, li
 },
 },
 },
+ {
+ Name: "host-proc",
+ VolumeSource: corev1.VolumeSource{
+ HostPath: &corev1.HostPathVolumeSource{
+ Path: "/proc",
+ },
+ },
+ },
 {
 Name: "host-sys",
 VolumeSource: corev1.VolumeSource{
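Review bot: The new `host-proc` volume mount in NewPluginDeployment is writable by default and hard-codes `/host/proc`, which has to stay equal to the `lhtypes.HostProcDirectory` that csi/crypto/crypto.go now passes to the namespace executor. If the executor only opens the namespace files under that path (not visible in this patch), adding `ReadOnly: true` to the mount would stop the container from writing to the host's /proc through it; that is worth confirming and setting. Using the shared constant instead of the literal, `MountPath: lhtypes.HostProcDirectory,` if that package can be imported here, would keep the two from drifting apart. The existing comment could also say that the path is consumed by the crypto package. NewPluginDeployment starts and ends outside the hunk.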