NodeStageVolume sometimes fails with luks-encrypted volumes #62

Open
mwennrich opened this issue Nov 29, 2024 · 1 comment

mwennrich commented Nov 29, 2024

time="2024-11-29T06:22:13.126448+00:00" level=debug msg="encryptAndOpenDevice volume uuid: \"da5be509-a6c4-401b-8a3c-bcfe4dcd1ef0\"" node=shoot--ph4snz--t2-fel-group-0-69b77-qlkp4.node role=node
time="2024-11-29T06:22:13.126460+00:00" level=debug msg="luksStatus with args:[status /dev/mapper/lb-csi-nvme-uuid.da5be509-a6c4-401b-8a3c-bcfe4dcd1ef0]" node=shoot--ph4snz--t2-fel-group-0-69b77-qlkp4.node role=node
time="2024-11-29T06:22:13.130198+00:00" level=debug msg="luksStatus output:\"/dev/mapper/lb-csi-nvme-uuid.da5be509-a6c4-401b-8a3c-bcfe4dcd1ef0 is active.\\n  type:    n/a\\n  cipher:  aes-xts-plain64\\n  keysize: 256 bits\\n  key location: dm-crypt\\n  device:  (null)\\n  sector size:  512\\n  offset:  32768 sectors\\n  size:    20938752 sectors\\n  mode:    read/write\\n  flags:   same_cpu_crypt submit_from_crypt_cpus no_read_workqueue no_write_workqueue\\n\" " node=shoot--ph4snz--t2-fel-group-0-69b77-qlkp4.node role=node
time="2024-11-29T06:22:13.130230+00:00" level=debug msg="encryptAndOpenDevice volume: \"da5be509-a6c4-401b-8a3c-bcfe4dcd1ef0\" is already encrypted" node=shoot--ph4snz--t2-fel-group-0-69b77-qlkp4.node role=node
I1129 06:22:13.131657       1 mount_linux.go:408] Disk "/dev/mapper/lb-csi-nvme-uuid.da5be509-a6c4-401b-8a3c-bcfe4dcd1ef0" appears to be unformatted, attempting to format as type: "ext4" with options: [-F -m0 /dev/mapper/lb-csi-nvme-uuid.da5be509-a6c4-401b-8a3c-bcfe4dcd1ef0]

=> luks status has type: n/a and device: (null)

luksStatus() only checks for the string is active:

Which is not enough, for example:

/ # cryptsetup status /dev/mapper/lb-csi-nvme-uuid.43355f01-37ba-43b4-9030-0a124c23d922
/dev/mapper/lb-csi-nvme-uuid.43355f01-37ba-43b4-9030-0a124c23d922 is active and is in use.
  type:    n/a
  cipher:  aes-xts-plain64
  keysize: 256 bits
  key location: dm-crypt
  device:  (null)
  sector size:  512
  offset:  32768 sectors
  size:    2064384 sectors
  mode:    read/write
  flags:   same_cpu_crypt submit_from_crypt_cpus no_read_workqueue no_write_workqueue

should look like this:

/ # cryptsetup status /dev/mapper/lb-csi-nvme-uuid.43355f01-37ba-43b4-9030-0a124c23d922
/dev/mapper/lb-csi-nvme-uuid.43355f01-37ba-43b4-9030-0a124c23d922 is active and is in use.
  type:    LUKS2
  cipher:  aes-xts-plain64
  keysize: 256 bits
  key location: dm-crypt
  device:  /dev/nvme1n10
  sector size:  4096
  offset:  32768 sectors
  size:    20938752 sectors
  mode:    read/write
  flags:   same_cpu_crypt submit_from_crypt_cpus no_read_workqueue no_write_workqueue

Even not-encrypted volumes report is active:

/ # cryptsetup status /dev/mapper/csi--lvm-csi--5b105a5007a6c68dfa38fde86c569647609054c357a2d1e8cba74adee3f6f1b2
/dev/mapper/csi--lvm-csi--5b105a5007a6c68dfa38fde86c569647609054c357a2d1e8cba74adee3f6f1b2 is active and is in use.
  type:    n/a
/ # 

luksStatus() should check for more conditions, like type: != "n/a" and/or device != "(null)"

full error log: csi-lb-node-luks-error.log
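
A sketch of the stricter check proposed in the report above, as an added example that is not the project's code and not part of the original comment. The function name `luksMappingOK` and the mapping name `example-vol` are hypothetical; the sample field values are constructed from the `cryptsetup status` outputs quoted in the issue.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed samples: field values follow the outputs quoted in the issue,
// the mapping name "example-vol" is a placeholder.
const (
	staleStatus = "/dev/mapper/example-vol is active.\n  type:    n/a\n  cipher:  aes-xts-plain64\n  device:  (null)\n"
	goodStatus  = "/dev/mapper/example-vol is active and is in use.\n  type:    LUKS2\n  cipher:  aes-xts-plain64\n  device:  /dev/nvme1n10\n"
	lvmStatus   = "/dev/mapper/example-vol is active and is in use.\n  type:    n/a\n"
)

// luksMappingOK (hypothetical name) accepts a mapping only if it is active
// AND cryptsetup reports a LUKS type AND a real backing device. It returns
// a reason string when the mapping is rejected.
func luksMappingOK(out string) (bool, string) {
	lines := strings.Split(out, "\n")
	// First line: "<path> is active." or "<path> is active and is in use."
	// An inactive mapping prints "is inactive", which does not match.
	if !strings.Contains(lines[0], " is active") {
		return false, "mapping is not active"
	}
	fields := map[string]string{}
	for _, line := range lines[1:] {
		// Split on the first colon; keys such as "key location" contain spaces.
		if key, val, found := strings.Cut(line, ":"); found {
			fields[strings.TrimSpace(key)] = strings.TrimSpace(val)
		}
	}
	if t := fields["type"]; !strings.HasPrefix(t, "LUKS") {
		return false, fmt.Sprintf("type is %q, not LUKS", t)
	}
	if d := fields["device"]; d == "" || d == "(null)" {
		return false, fmt.Sprintf("backing device is %q", d)
	}
	return true, ""
}

func main() {
	for _, s := range []string{staleStatus, goodStatus, lvmStatus} {
		ok, why := luksMappingOK(s)
		fmt.Println(ok, why)
	}
}
```

Returning the reason lets the caller fail the staging request with a specific error instead of continuing to the format step seen in the log.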

@muliby-lb

Thanks for the bug report @mwennrich. @rahman-lb @ronen-lb FYI, let's create an internal Jira ticket that links to it for internal bookkeeping.
