fscrypt: create a new blank key sized according to the passphrase #4464
Conversation
mgfritch
force-pushed
the
fscrypt-devel
branch
4 times, most recently
from
aa4121b
to
186306a
Compare
nixpanic
added
component/cephfs
|
@Mergifyio rebase |
✅ Branch has been successfully rebased |
nixpanic
force-pushed
the
fscrypt-devel
branch
from
186306a
to
5b313de
Compare
|
@Mergifyio queue |
🛑 The pull request has been removed from the queue
|
|
/test ci/centos/k8s-e2e-external-storage/1.27 |
|
/test ci/centos/mini-e2e-helm/k8s-1.27 |
|
/test ci/centos/upgrade-tests-cephfs |
|
/test ci/centos/mini-e2e/k8s-1.27 |
|
/test ci/centos/k8s-e2e-external-storage/1.28 |
|
/test ci/centos/k8s-e2e-external-storage/1.29 |
|
/test ci/centos/upgrade-tests-rbd |
|
/test ci/centos/mini-e2e-helm/k8s-1.28 |
|
/test ci/centos/mini-e2e-helm/k8s-1.29 |
|
/test ci/centos/mini-e2e/k8s-1.28 |
|
/test ci/centos/mini-e2e/k8s-1.29 |
|
Looks like pulling images in the CI failed, seems to be common on Tuesdays for some weird reason. |
|
/test ci/centos/k8s-e2e-external-storage/1.27 |
|
/test ci/centos/upgrade-tests-rbd |
|
/test ci/centos/mini-e2e/k8s-1.28 |
|
/test ci/centos/mini-e2e-helm/k8s-1.27 |
|
/test ci/centos/mini-e2e/k8s-1.27 |
|
/test ci/centos/k8s-e2e-external-storage/1.29 |
|
/test ci/centos/mini-e2e-helm/k8s-1.29 |
|
/test ci/centos/mini-e2e/k8s-1.29 |
|
@Mergifyio rebase |
fscrypt will infinitely retry the keyFn during an auth failure, preventing the csi driver from progressing when configured with an invalid passphrase See also: https://github.com/google/fscrypt/blob/8c12cd64ab471d0a73ef4c300d7c40077cad5d5d/actions/callback.go#L102-L106 Signed-off-by: Michael Fritch <mfritch@suse.com>
Padding a passphrase with null chars to arrive at a 32-byte length later forces a user to also pass null chars via the term when attempting to manually unlock a subvolume via the fscrypt cli tools. This also had a side-effect of truncating any longer length passphrase down to a shorter 32-byte length. fixup for: cfea8d7 dd0e198 Signed-off-by: Michael Fritch <mfritch@suse.com>
✅ Branch has been successfully rebased |
|
@Mergifyio queue |
|
/test ci/centos/k8s-e2e-external-storage/1.28 |
|
/test ci/centos/mini-e2e-helm/k8s-1.28 |
|
/test ci/centos/k8s-e2e-external-storage/1.27 |
|
/test ci/centos/upgrade-tests-cephfs |
|
/test ci/centos/mini-e2e/k8s-1.28 |
|
/test ci/centos/mini-e2e-helm/k8s-1.27 |
|
/test ci/centos/k8s-e2e-external-storage/1.29 |
|
/test ci/centos/upgrade-tests-rbd |
|
/test ci/centos/mini-e2e/k8s-1.27 |
|
/test ci/centos/mini-e2e-helm/k8s-1.29 |
|
/test ci/centos/mini-e2e/k8s-1.29 |
Padding a passphrase with null chars to arrive at a 32-byte length
later forces a user to also pass null chars via the term when
attempting to manually unlock a subvolume via the fscrypt cli tools.
This also had a side-effect of truncating any longer length passphrase
down to a shorter 32-byte length.
fixup for:
cfea8d7
dd0e198
Is there anything that requires special attention
Backward compatibility is provided to unlock subvolumes that might have been created using the old style null-padded passphrase
This PR also includes an additional fix for a related issue where fscrypt was allowed to indefinitely retry the
keyFnafter an auth failure, which can block subsequent requests to the ceph csi driver.Related issues
n/a
Future concerns
List items that are not part of the PR and do not impact it's
functionality, but are work items that can be taken up subsequently.
Checklist:
guidelines in the developer
guide.
Request
notes
updated with breaking and/or notable changes for the next major release.
Show available bot commands
These commands are normally not required, but in case of issues, leave any of
the following bot commands in an otherwise empty comment in this PR:
/retest ci/centos/<job-name>: retest the<job-name>after unrelatedfailure (please report the failure too!)