rbd: use ioctx locks for key rotation

Signed-off-by: Niraj Yadav <[email protected]>
ceph · Jul 30, 2024 · 4445247 · 4445247
1 parent 0bed833
commit 4445247
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 8 deletions.
diff --git a/internal/csi-addons/rbd/encryptionkeyrotation.go b/internal/csi-addons/rbd/encryptionkeyrotation.go
@@ -20,12 +20,10 @@ import (
 	"context"
 	"errors"
 
-	csicommon "github.com/ceph/ceph-csi/internal/csi-common"
 	"github.com/ceph/ceph-csi/internal/rbd"
 	"github.com/ceph/ceph-csi/internal/util"
 	"github.com/ceph/ceph-csi/internal/util/log"
 
-	"github.com/container-storage-interface/spec/lib/go/csi"
 	ekr "github.com/csi-addons/spec/lib/go/encryptionkeyrotation"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/codes"
@@ -55,12 +53,6 @@ func (ekrs *EncryptionKeyRotationServer) EncryptionKeyRotate(
 		return nil, status.Error(codes.InvalidArgument, "empty volume ID in request")
 	}
 
-	// Block key rotation for RWX/ROX volumes
-	_, isMultiNode := csicommon.IsBlockMultiNode([]*csi.VolumeCapability{req.GetVolumeCapability()})
-	if isMultiNode {
-		return nil, status.Error(codes.Unimplemented, "multi-node key rotation is not supported")
-	}
-
 	if acquired := ekrs.volLock.TryAcquire(volID); !acquired {
 		return nil, status.Errorf(codes.Aborted, util.VolumeOperationAlreadyExistsFmt, volID)
 	}

diff --git a/internal/rbd/encryption.go b/internal/rbd/encryption.go
@@ -22,9 +22,11 @@ import (
 	"fmt"
 	"strconv"
 	"strings"
+	"time"
 
 	kmsapi "github.com/ceph/ceph-csi/internal/kms"
 	"github.com/ceph/ceph-csi/internal/util"
+	"github.com/ceph/ceph-csi/internal/util/lock"
 	"github.com/ceph/ceph-csi/internal/util/log"
 
 	librbd "github.com/ceph/go-ceph/rbd"
@@ -463,6 +465,28 @@ func (rv *rbdVolume) RotateEncryptionKey(ctx context.Context) error {
 		return errors.New("key rotation not supported for unencrypted device")
 	}
 
+	// Call open Ioctx to create a new ioctx object
+	// if the obj already exists, no error is returned
+	err = rv.openIoctx()
+	if err != nil {
+		return fmt.Errorf("failed to open ioctx, err: %w", err)
+	}
+
+	// Lock params
+	lockName := rv.VolID + "-mutexlock"
+	lockDesc := "Key rotation mutex lock for " + rv.VolID
+	lockDuration := 3 * time.Minute
+	lockCookie := rv.VolID + "-enc-key-rotate"
+
+	// Acquire the exclusive lock based on vol id
+	lck := lock.NewLock(rv.ioctx, rv.VolID, lockName, lockCookie, lockDesc, lockDuration)
+	err = lck.LockExclusive(ctx)
+	if err != nil {
+		return err
+	}
+	defer lck.Unlock(ctx)
+	log.DebugLog(ctx, "acquired ioctx lock for vol id: %s", rv.VolID)
+
 	// Get the device path for the underlying image
 	useNbd := rv.Mounter == rbdNbdMounter && hasNBD
 	devicePath, found := waitForPath(ctx, rv.Pool, rv.RadosNamespace, rv.RbdImageName, 1, useNbd)