Luks format enhancements

jharrod · jharrod · commit 7700122ddd94 · 2025-05-08T09:34:26.000-06:00
Update cryptsetup LUKS format options for increased performance
Clear  formatting upon LUKS format failures and timeouts
diff --git a/mocks/mock_utils/mock_devices/mock_devices_client.go b/mocks/mock_utils/mock_devices/mock_devices_client.go
diff --git a/utils/devices/devices.go b/utils/devices/devices.go
@@ -77,6 +77,7 @@ type Devices interface {
 	) error
 	RemoveMultipathDeviceMappingWithRetries(ctx context.Context, devicePath string, retries uint64,
 		sleep time.Duration) error
+	ClearFormatting(ctx context.Context, devicePath string) error
 }
 
 type SizeGetter interface {
@@ -852,6 +853,57 @@ func (c *Client) ScanTargetLUN(ctx context.Context, deviceAddresses []models.Scs
 	return nil
 }
 
+// ClearFormatting clears any formatting on the device. Use with caution.
+// This is a destructive operation and should only be used when you are sure you want to clear the device.
+// The original purpose for this was to clear incomplete LUKS formatting where the inital format errored or timed out.
+// This allows us to retry the LUKS format. If we don't clear the formatting, we encounter an issue where we think
+// the device is already formatted and don't attempt to format it again.
+func (c *Client) ClearFormatting(ctx context.Context, devicePath string) error {
+	err := c.wipeFs(ctx, devicePath)
+	if err != nil {
+		// Log happens in wipeFs()
+		return err
+	}
+	err = c.zeroDeviceHeader(ctx, devicePath)
+	if err != nil {
+		// Log happens in zeroDeviceHeader()
+		return err
+	}
+	return nil
+}
+
+// zeroDeviceHeader zeros the first 4 KiB of the device header.
+func (c *Client) zeroDeviceHeader(ctx context.Context, devicePath string) error {
+	Logc(ctx).WithField("device", devicePath).Debug(">>>> devices.zeroDeviceHeader")
+	defer Logc(ctx).Debug("<<<< devices.zeroDeviceHeader")
+
+	const zeroDeviceTimeout = 5 * time.Second
+	args := []string{"if=/dev/zero", "of=" + devicePath, "bs=4096", "count=512", "status=none"}
+	out, err := c.command.ExecuteWithTimeout(ctx, "dd", zeroDeviceTimeout, false, args...)
+	if err != nil {
+		Logc(ctx).WithFields(LogFields{"error": err, "output": string(out), "device": devicePath}).
+			Error("Failed to zero the device.")
+		return fmt.Errorf("failed to zero the device %v; %v", devicePath, string(out))
+	}
+
+	return nil
+}
+
+// wipeFs wipes the filesystem signature from the device. This is a destructive action.
+func (c *Client) wipeFs(ctx context.Context, devicePath string) error {
+	Logc(ctx).WithField("device", devicePath).Debug(">>>> devices.wipeFs")
+	defer Logc(ctx).Debug("<<<< devices.wipeFs")
+
+	const wipeFsTimeout = 10 * time.Second
+	out, err := c.command.ExecuteWithTimeout(ctx, "wipefs", wipeFsTimeout, false, "-a", devicePath)
+	if err != nil {
+		Logc(ctx).WithFields(LogFields{"error": err, "output": string(out), "device": devicePath}).
+			Error("Failed to wipe the filesystem signature.")
+		return fmt.Errorf("failed to wipe FS %v: %v", devicePath, string(out))
+	}
+	return nil
+}
+
 // convertToDeviceAddressValue converts the device address value to string.
 func convertToDeviceAddressValue(value int) string {
 	if value < 0 {
diff --git a/utils/devices/devices_test.go b/utils/devices/devices_test.go
@@ -1023,3 +1023,55 @@ func TestRemoveMultipathDeviceMappingWithRetries(t *testing.T) {
 		})
 	}
 }
+
+func TestClearFormatting(t *testing.T) {
+	devicePath := "/dev/mock-0"
+	tests := map[string]struct {
+		getMockCmd  func() exec.Command
+		expectError bool
+	}{
+		"Formatting cleared successfully": {
+			getMockCmd: func() exec.Command {
+				mockCommand := mockexec.NewMockCommand(gomock.NewController(t))
+				mockCommand.EXPECT().ExecuteWithTimeout(gomock.Any(), "wipefs", 10*time.Second, false, "-a", devicePath).
+					Return([]byte{}, nil).Times(1)
+				mockCommand.EXPECT().ExecuteWithTimeout(gomock.Any(), "dd", 5*time.Second, false, "if=/dev/zero", "of="+devicePath, "bs=4096", "count=512", "status=none").
+					Return([]byte{}, nil).Times(1)
+				return mockCommand
+			},
+			expectError: false,
+		},
+		"Error clearing filesystem signature": {
+			getMockCmd: func() exec.Command {
+				mockCommand := mockexec.NewMockCommand(gomock.NewController(t))
+				mockCommand.EXPECT().ExecuteWithTimeout(gomock.Any(), "wipefs", 10*time.Second, false, "-a", devicePath).
+					Return(nil, fmt.Errorf("wipefs error")).Times(1)
+				return mockCommand
+			},
+			expectError: true,
+		},
+		"Error zeroing device header": {
+			getMockCmd: func() exec.Command {
+				mockCommand := mockexec.NewMockCommand(gomock.NewController(t))
+				mockCommand.EXPECT().ExecuteWithTimeout(gomock.Any(), "wipefs", 10*time.Second, false, "-a", devicePath).
+					Return([]byte{}, nil).Times(1)
+				mockCommand.EXPECT().ExecuteWithTimeout(gomock.Any(), "dd", 5*time.Second, false, "if=/dev/zero", "of="+devicePath, "bs=4096", "count=512", "status=none").
+					Return(nil, fmt.Errorf("dd error")).Times(1)
+				return mockCommand
+			},
+			expectError: true,
+		},
+	}
+
+	for name, params := range tests {
+		t.Run(name, func(t *testing.T) {
+			deviceClient := NewDetailed(params.getMockCmd(), afero.NewMemMapFs(), NewDiskSizeGetter())
+			err := deviceClient.ClearFormatting(context.Background(), devicePath)
+			if params.expectError {
+				assert.Error(t, err)
+			} else {
+				assert.NoError(t, err)
+			}
+		})
+	}
+}
diff --git a/utils/devices/luks/luks.go b/utils/devices/luks/luks.go
@@ -87,8 +87,10 @@ func (d *LUKSDevice) EnsureDeviceMappedOnHost(ctx context.Context, name string,
 		"luks-passphrase-name": luksPassphraseName,
 	}).Info("Opening encrypted volume.")
 	luksFormatted, err := d.EnsureFormattedAndOpen(ctx, luksPassphrase)
-	if err == nil {
-		return luksFormatted, nil
+
+	// If we fail due to a format issue there is no need to try to open the device.
+	if err == nil || errors.IsFormatError(err) {
+		return luksFormatted, err
 	}
 
 	// If we failed to open, try previous passphrase
diff --git a/utils/devices/luks/luks_linux.go b/utils/devices/luks/luks_linux.go
@@ -19,7 +19,7 @@ import (
 )
 
 const (
-	luksCommandTimeout time.Duration = time.Second * 60
+	luksCommandTimeout time.Duration = time.Second * 30
 
 	luksCypherMode = "aes-xts-plain64"
 	luksType       = "luks2"
@@ -102,7 +102,8 @@ func (d *LUKSDevice) format(ctx context.Context, luksPassphrase string) error {
 
 	if output, err := d.command.ExecuteWithTimeoutAndInput(
 		ctx, "cryptsetup", luksCommandTimeout, true, luksPassphrase, "luksFormat", device,
-		"--type", "luks2", "-c", "aes-xts-plain64",
+		"--type", "luks2", "-c", "aes-xts-plain64", "--hash", "sha256", "--pbkdf", "pbkdf2",
+		"--pbkdf-force-iterations", "1000",
 	); err != nil {
 		Logc(ctx).WithFields(LogFields{
 			"device": device,
@@ -137,6 +138,15 @@ func (d *LUKSDevice) formatUnformattedDevice(ctx context.Context, luksPassphrase
 
 	// Attempt LUKS format.
 	if err := d.format(ctx, luksPassphrase); err != nil {
+		if errors.IsFormatError(err) {
+			Logc(ctx).Debug("Failed to format LUKS device. Clearing partial formatting.")
+			// We clear the formatting here to allow retires, else we would detect the device as already formatted
+			// or dirty and not retry the format on the next nodeStage attempt.
+			clearFormatErr := d.devices.ClearFormatting(ctx, d.rawDevicePath)
+			if clearFormatErr != nil {
+				Logc(ctx).WithError(clearFormatErr).Error("Failed to clear LUKS format. Format retries may fail.")
+			}
+		}
 		return fmt.Errorf("failed to LUKS format device; %w", err)
 	}
 
diff --git a/utils/devices/luks/luks_linux_test.go b/utils/devices/luks/luks_linux_test.go
@@ -33,6 +33,7 @@ func mockCryptsetupLuksFormat(mock *mockexec.MockCommand) *gomock.Call {
 	return mock.EXPECT().ExecuteWithTimeoutAndInput(
 		gomock.Any(), "cryptsetup", luksCommandTimeout, true, gomock.Any(),
 		"luksFormat", gomock.Any(), "--type", "luks2", "-c", "aes-xts-plain64",
+		"--hash", "sha256", "--pbkdf", "pbkdf2", "--pbkdf-force-iterations", "1000",
 	)
 }
 
@@ -294,6 +295,7 @@ func TestEnsureLUKSDevice_IsOpen(t *testing.T) {
 func TestEnsureLUKSDevice_LUKSFormatFails(t *testing.T) {
 	mockCtrl := gomock.NewController(t)
 	mockCommand := mockexec.NewMockCommand(mockCtrl)
+	rawDevicePath := "/dev/sdb"
 
 	// Setup mock calls and reassign any clients to their mock counterparts.
 	mockCryptsetupLuksStatus(mockCommand).Return([]byte{},
@@ -304,8 +306,9 @@ func TestEnsureLUKSDevice_LUKSFormatFails(t *testing.T) {
 
 	mockDevices := mock_devices.NewMockDevices(mockCtrl)
 	mockDevices.EXPECT().IsDeviceUnformatted(gomock.Any(), gomock.Any()).Return(true, nil)
+	mockDevices.EXPECT().ClearFormatting(gomock.Any(), rawDevicePath).Return(nil)
 
-	luksDevice := NewDetailed("/dev/sdb", devicePrefix+"pvc-test", mockCommand, mockDevices, afero.NewMemMapFs())
+	luksDevice := NewDetailed(rawDevicePath, devicePrefix+"pvc-test", mockCommand, mockDevices, afero.NewMemMapFs())
 
 	luksFormatted, err := luksDevice.ensureLUKSDevice(context.Background(), "mysecretlukspassphrase")
 	assert.Error(t, err)
diff --git a/utils/iscsi/iscsi_linux_test.go b/utils/iscsi/iscsi_linux_test.go
@@ -72,7 +72,7 @@ tcp: [4] 127.0.0.2:3260,1029 ` + targetIQN + ` (non-flash)`
 					"config").Return([]byte(multipathConfig("no", false)), nil)
 				mockCommand.EXPECT().Execute(context.TODO(), "iscsiadm", "-m",
 					"session").Return([]byte(iscsiadmSessionOutput), nil)
-				mockCommand.EXPECT().ExecuteWithTimeoutAndInput(context.TODO(), "cryptsetup", time.Minute, true, "",
+				mockCommand.EXPECT().ExecuteWithTimeoutAndInput(context.TODO(), "cryptsetup", 30*time.Second, true, "",
 					"status", "/dev/mapper/luks-test-volume")
 				return mockCommand
 			},
@@ -164,7 +164,7 @@ tcp: [4] 127.0.0.2:3260,1029 ` + targetIQN + ` (non-flash)`
 					"config").Return([]byte(multipathConfig("no", false)), nil)
 				mockCommand.EXPECT().Execute(context.TODO(), "iscsiadm", "-m",
 					"session").Return([]byte(iscsiadmSessionOutput), nil)
-				mockCommand.EXPECT().ExecuteWithTimeoutAndInput(context.TODO(), "cryptsetup", time.Minute, true, "",
+				mockCommand.EXPECT().ExecuteWithTimeoutAndInput(context.TODO(), "cryptsetup", 30*time.Second, true, "",
 					"status",
 					"/dev/mapper/luks-test-volume")
 				return mockCommand
diff --git a/utils/nvme/nvme_linux_test.go b/utils/nvme/nvme_linux_test.go
@@ -601,10 +601,11 @@ func TestNVMeMountVolume(t *testing.T) {
 			getMockCommand: func(ctrl *gomock.Controller) exec.Command {
 				mockCommand := mockexec.NewMockCommand(ctrl)
 				mockCommand.EXPECT().ExecuteWithTimeoutAndInput(
-					gomock.Any(), "cryptsetup", time.Minute, true, "", "status",
+					gomock.Any(), "cryptsetup", 30*time.Second, true, "", "status",
 					"/dev/mapper/luks-mockName").Return([]byte{}, mockexec.NewMockExitError(4,
 					"device does not exist"))
-				mockCommand.EXPECT().ExecuteWithTimeoutAndInput(gomock.Any(), "cryptsetup", time.Minute, true, "", "status",
+				mockCommand.EXPECT().ExecuteWithTimeoutAndInput(gomock.Any(), "cryptsetup", 30*time.Second, true, "",
+					"status",
 					"/dev/mapper/luks-mockName").Return([]byte{}, nil)
 				return mockCommand
 			},
