fix(encrypt): close encrypted volume if it is opened

In normal process of attaching a volume via CSI, the encrypted volume should be in closed or inactivated state before Longhorn attempts to open it. ref: longhorn/longhorn 9385 Signed-off-by: James Lu <james.lu@suse.com>
longhorn · Sep 9, 2024 · 04f95d2 · 04f95d2
1 parent f45adc0
commit 04f95d2
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 0 deletions.
diff --git a/csi/crypto/crypto.go b/csi/crypto/crypto.go
@@ -145,6 +145,16 @@ func ResizeEncryptoDevice(volume, passphrase string) error {
 	return err
 }
 
+// IsDeviceMappedToNullPath determines if encrypted device is already open at a null path. The command 'cryptsetup status [crypted_device]' show "device:  (null)"
+func IsDeviceMappedToNullPath(device string) (bool, error) {
+	devPath, mappedFile, err := DeviceEncryptionStatus(device)
+	if err != nil {
+		return false, err
+	}
+
+	return mappedFile != "" && strings.Compare(devPath, "(null)") == 0, nil
+}
+
 // IsDeviceOpen determines if encrypted device is already open.
 func IsDeviceOpen(device string) (bool, error) {
 	_, mappedFile, err := DeviceEncryptionStatus(device)

diff --git a/csi/node_server.go b/csi/node_server.go
@@ -487,6 +487,18 @@ func (ns *NodeServer) NodeStageVolume(ctx context.Context, req *csi.NodeStageVol
 		cryptoDevice := crypto.VolumeMapper(volumeID)
 		log.Infof("Volume %s requires crypto device %s", volumeID, cryptoDevice)
 
+		// check if the crypto device is open at the null path.
+		// this will happen if the crypto device is not closed properly and a new attaching request is made on the same node.
+		// reference issue: https://github.com/longhorn/longhorn/issues/9385
+		if mappedToNullPath, err := crypto.IsDeviceMappedToNullPath(cryptoDevice); err != nil {
+			return nil, status.Errorf(codes.Internal, "failed to check if the crypto device %s for volume %s is mapped to the null path: %v", cryptoDevice, volumeID, err.Error())
+		} else if mappedToNullPath {
+			log.Warnf("Closing active crypto device %s for volume %s since the volume is not closed properly before", cryptoDevice, volumeID)
+			if err := crypto.CloseVolume(volumeID); err != nil {
+				return nil, status.Errorf(codes.Internal, "failed to close active crypto device %s for volume %s: %v ", cryptoDevice, volumeID, err.Error())
+			}
+		}
+
 		if err := crypto.OpenVolume(volumeID, devicePath, passphrase); err != nil {
 			return nil, status.Error(codes.Internal, err.Error())
 		}