fix: data lost caused by Longhorn CSI plugin doing a wrong re-encryption of volume in rare race condition (backport #3566)

csi/crypto/crypto.go

@@ -75,12 +75,21 @@ func VolumeMapper(volume string) string {
 
 // EncryptVolume encrypts provided device with LUKS.
 func EncryptVolume(devicePath, passphrase string, cryptoParams *EncryptParams) error {
+	isEncrypted, err := isDeviceEncrypted(devicePath)
+	if err != nil {
+		logrus.WithError(err).Warnf("Failed to check IsDeviceEncrypted before encrypting volume %v", devicePath)
+		return err
+	}
+	if isEncrypted {
+		logrus.Infof("The device %v is already encrypted. Skipping the encryption to avoid data lost", devicePath)
+		return nil
+	}
+
 	namespaces := []lhtypes.Namespace{lhtypes.NamespaceMnt, lhtypes.NamespaceIpc}
 	nsexec, err := lhns.NewNamespaceExecutor(lhtypes.ProcessNone, lhtypes.HostProcDirectory, namespaces)
 	if err != nil {
 		return err
 	}
-
 	logrus.Infof("Encrypting device %s with LUKS", devicePath)
 	if _, err := nsexec.LuksFormat(
 		devicePath, passphrase,
@@ -161,6 +170,15 @@ func IsDeviceOpen(device string) (bool, error) {
 	return mappedFile != "", err
 }
 
+func isDeviceEncrypted(devicePath string) (bool, error) {
+	namespaces := []lhtypes.Namespace{lhtypes.NamespaceMnt, lhtypes.NamespaceIpc}
+	nsexec, err := lhns.NewNamespaceExecutor(lhtypes.ProcessNone, lhtypes.HostProcDirectory, namespaces)
+	if err != nil {
+		return false, err
+	}
+	return nsexec.IsLuks(devicePath, lhtypes.LuksTimeout)
+}
+
 // DeviceEncryptionStatus looks to identify if the passed device is a LUKS mapping
 // and if so what the device is and the mapper name as used by LUKS.
 // If not, just returns the original device and an empty string.

go.mod

@@ -62,7 +62,7 @@ require (
 	github.com/kubernetes-csi/csi-lib-utils v0.6.1
 	github.com/longhorn/backing-image-manager v1.7.2
 	github.com/longhorn/backupstore v0.0.0-20250209090923-c552364ab3ac
-	github.com/longhorn/go-common-libs v0.0.0-20250210035242-5fafd2e6171a
+	github.com/longhorn/go-common-libs v0.0.0-20250214072736-3008fa6b826f
 	github.com/longhorn/go-iscsi-helper v0.0.0-20250111093313-7e1930499625
 	github.com/longhorn/go-spdk-helper v0.0.0-20241216160651-bcce92add55b
 	github.com/longhorn/longhorn-engine v1.7.2

go.sum

@@ -161,8 +161,8 @@ github.com/longhorn/backing-image-manager v1.7.2 h1:yVu03EE3WmkNWMSdS4M8LciLJqya
 github.com/longhorn/backing-image-manager v1.7.2/go.mod h1:hsntkXAMiaThQiPDulAbZCUcxKhaiDBX58HPwxa1wZs=
 github.com/longhorn/backupstore v0.0.0-20250209090923-c552364ab3ac h1:zjvNWC5xZFjQtBM5iAX1pNJkZanyDB+YLrB1VWSFSaU=
 github.com/longhorn/backupstore v0.0.0-20250209090923-c552364ab3ac/go.mod h1:XAuYr2VfgSrine1YUNKagH6dFf5Z1xMLMkp5FxuzZS4=
-github.com/longhorn/go-common-libs v0.0.0-20250210035242-5fafd2e6171a h1:vchYifra9CzQ4FLXfkW4WPUu3pSWzknjP3vdng2MpDA=
-github.com/longhorn/go-common-libs v0.0.0-20250210035242-5fafd2e6171a/go.mod h1:WHFO5jD8wdnSSB5g+/mKNzcC0bglsPpH7ZBfFNlOMko=
+github.com/longhorn/go-common-libs v0.0.0-20250214072736-3008fa6b826f h1:hTJufjYuG5O09pApC2qtSvBYPcvEWh+jA+DUqVV+d84=
+github.com/longhorn/go-common-libs v0.0.0-20250214072736-3008fa6b826f/go.mod h1:9aezM1ef3JFYww2tCbeEoRr5091C4T6SNyp6LJ87Kqc=
 github.com/longhorn/go-iscsi-helper v0.0.0-20250111093313-7e1930499625 h1:d39A3041RyFve26tIuKUuzrh2CkBY970xlGIXgMA998=
 github.com/longhorn/go-iscsi-helper v0.0.0-20250111093313-7e1930499625/go.mod h1:yIm3sGRuYOw/Y3XzRhG5+3FlZBOfrU5EZOavzwL2jVs=
 github.com/longhorn/go-spdk-helper v0.0.0-20241216160651-bcce92add55b h1:fzyWJOiUPzwkY/VShltuhP6eUpkv6RMFqSVuVFt/Z2M=

vendor/modules.txt

@@ -244,7 +244,7 @@ github.com/longhorn/backupstore/logging
 github.com/longhorn/backupstore/systembackup
 github.com/longhorn/backupstore/types
 github.com/longhorn/backupstore/util
-# github.com/longhorn/go-common-libs v0.0.0-20250210035242-5fafd2e6171a
+# github.com/longhorn/go-common-libs v0.0.0-20250214072736-3008fa6b826f
 ## explicit; go 1.22.7
 github.com/longhorn/go-common-libs/backup
 github.com/longhorn/go-common-libs/exec