fscrypt: create a new blank key sized according to the passphrase #4464
aa4121b to 186306a
Thanks!
@Mergifyio rebase
✅ Branch has been successfully rebased
186306a to 5b313de
@Mergifyio queue
🛑 The pull request has been removed from the queue
/test ci/centos/k8s-e2e-external-storage/1.27
/test ci/centos/mini-e2e-helm/k8s-1.27
/test ci/centos/upgrade-tests-cephfs
/test ci/centos/mini-e2e/k8s-1.27
/test ci/centos/k8s-e2e-external-storage/1.28
/test ci/centos/k8s-e2e-external-storage/1.29
/test ci/centos/upgrade-tests-rbd
/test ci/centos/mini-e2e-helm/k8s-1.28
/test ci/centos/mini-e2e-helm/k8s-1.29
/test ci/centos/mini-e2e/k8s-1.28
/test ci/centos/mini-e2e/k8s-1.29
Looks like pulling images in the CI failed, seems to be common on Tuesdays for some weird reason.
/test ci/centos/k8s-e2e-external-storage/1.27
/test ci/centos/upgrade-tests-rbd
/test ci/centos/mini-e2e/k8s-1.28
/test ci/centos/mini-e2e-helm/k8s-1.27
/test ci/centos/mini-e2e/k8s-1.27
/test ci/centos/k8s-e2e-external-storage/1.29
/test ci/centos/mini-e2e-helm/k8s-1.29
/test ci/centos/mini-e2e/k8s-1.29
@Mergifyio rebase
fscrypt will infinitely retry the keyFn during an auth failure, preventing the csi driver from progressing when configured with an invalid passphrase
See also: https://github.com/google/fscrypt/blob/8c12cd64ab471d0a73ef4c300d7c40077cad5d5d/actions/callback.go#L102-L106
Signed-off-by: Michael Fritch <mfritch@suse.com>
Padding a passphrase with null chars to arrive at a 32-byte length later forces a user to also pass null chars via the term when attempting to manually unlock a subvolume via the fscrypt cli tools.
This also had a side-effect of truncating any longer length passphrase down to a shorter 32-byte length.
fixup for:
cfea8d7
dd0e198
Signed-off-by: Michael Fritch <mfritch@suse.com>
✅ Branch has been successfully rebased
@Mergifyio queue
/test ci/centos/k8s-e2e-external-storage/1.28
/test ci/centos/mini-e2e-helm/k8s-1.28
/test ci/centos/k8s-e2e-external-storage/1.27
/test ci/centos/upgrade-tests-cephfs
/test ci/centos/mini-e2e/k8s-1.28
/test ci/centos/mini-e2e-helm/k8s-1.27
/test ci/centos/k8s-e2e-external-storage/1.29
/test ci/centos/upgrade-tests-rbd
/test ci/centos/mini-e2e/k8s-1.27
/test ci/centos/mini-e2e-helm/k8s-1.29
/test ci/centos/mini-e2e/k8s-1.29
Padding a passphrase with null chars to arrive at a 32-byte length
later forces a user to also pass null chars via the term when
attempting to manually unlock a subvolume via the fscrypt cli tools.
This also had a side-effect of truncating any longer length passphrase
down to a shorter 32-byte length.
fixup for:
cfea8d7
dd0e198
Is there anything that requires special attention
Backward compatibility is provided to unlock subvolumes that might have been created using the old style null-padded passphrase.
This PR also includes an additional fix for a related issue where fscrypt was allowed to indefinitely retry the keyFn after an auth failure, which can block subsequent requests to the ceph csi driver.
Related issues
n/a
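The padding and truncation described in the commit message above, together with a bounded unlock that falls back to the old null-padded form, as an added Go example. It is not code from this PR or from fscrypt: `legacyKey`, `sizedKey`, `protector` and `unlock` are hypothetical names, and the SHA-256 `protector` is a constructed stand-in for fscrypt's stored verifier.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

const legacyKeyLen = 32 // fixed size the old code padded or truncated to

var errBadAuth = errors.New("passphrase rejected")

// legacyKey models the old behaviour: short passphrases gain trailing NUL
// bytes, long ones lose everything past byte 32.
func legacyKey(passphrase string) []byte {
	key := make([]byte, legacyKeyLen)
	copy(key, passphrase)
	return key
}

// sizedKey models the new behaviour: the key is exactly the passphrase bytes.
func sizedKey(passphrase string) []byte { return []byte(passphrase) }

// protector is a constructed stand-in for fscrypt's stored verifier, not its API.
type protector struct{ digest [sha256.Size]byte }

func newProtector(key []byte) protector { return protector{sha256.Sum256(key)} }

func (p protector) accepts(key []byte) bool {
	d := sha256.Sum256(key)
	return subtle.ConstantTimeCompare(d[:], p.digest[:]) == 1
}

// unlock tries the passphrase-sized key, then the legacy padded form, and
// returns an error after those two attempts instead of retrying forever.
func unlock(p protector, passphrase string) (string, error) {
	for _, c := range []struct {
		name string
		key  []byte
	}{{"sized", sizedKey(passphrase)}, {"legacy", legacyKey(passphrase)}} {
		if p.accepts(c.key) {
			return c.name, nil
		}
	}
	return "", errBadAuth
}

func main() {
	old := newProtector(legacyKey("hunter2")) // constructed sample passphrase
	fmt.Println(unlock(old, "hunter2"))
	fmt.Println(unlock(old, "wrong"))
}
```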