Bug 1262120

Summary: [RFE] Expose encrypted volume options for Cinder volumes backed by RBD
Product: Red Hat OpenStack
Reporter: Neil Levine <nlevine>
Component: rhosp-director
Assignee: Alan Bishop <abishop>
Status: CLOSED CURRENTRELEASE
QA Contact: Yogev Rabl <yrabl>
Severity: unspecified
Priority: medium
Version: 9.0 (Mitaka)
CC: egafford, eharney, flucifre, jdurgin, jefbrown, jomurphy, jschluet, mburns, morazi, nlevine, pgrist, rhel-osp-director-maint, scohen, yrabl
Target Milestone: Upstream M1
Keywords: FutureFeature, TestOnly, Triaged
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: Enhancement
Story Points: ---
Last Closed: 2017-10-13 14:58:37 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1230405, 1262121, 1285089, 1297980, 1301019
Bug Blocks: 1291943, 1411525

Description Neil Levine 2015-09-10 20:33:18 UTC
NFV and other customers want to ensure a hard level of security in a multi-tenant storage environment. Cinder has support for encrypted volume types. This needs to be exposed in OSP-D.

Comment 3 Emilien Macchi 2015-09-17 16:22:27 UTC
In the meantime we're configuring it in the puppet module and in tripleo heat templates, you can already do that:

So if you want:

[section]
parameter = something

You can edit puppet/hieradata/controller.yaml:

cinder::config::cinder_config:
  section/parameter:
    value: 'something'

And it will apply the right configuration to Cinder.

Comment 4 Emilien Macchi 2015-09-17 16:32:35 UTC
I think what you need is to run some CLI commands to enable encryption.
Please look at http://docs.openstack.org/kilo/config-reference/content/section_create-encrypted-volume-type.html

You might need to run:

cinder type-create LUKS
cinder encryption-type-create --cipher aes-xts-plain64 --key_size 512 \
  --control_location front-end LUKS nova.volume.encryptors.luks.LuksEncryptor


"Support for creating the volume type in the OpenStack dashboard (horizon) exists today, however support for tagging the type as encrypted and providing the additional information needed is still in review."

Please confirm this workaround works for you now and if yes we will automate it in the installer.
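
Added example, not part of the comment above or of any OpenStack code: a small reviewer for the `cinder encryption-type-create` command quoted in comment 4, showing that with an XTS cipher the key is split between data and tweak, so `--key_size 512` yields AES-256. The function names `parse_encryption_type` and `review` are hypothetical, and the accepted-value checks are assumptions of this example rather than Cinder's own validation.

```python
import argparse
import shlex

# The command from comment 4, copied from the page.
PAGE_COMMAND = r"""cinder encryption-type-create --cipher aes-xts-plain64 --key_size 512 \
  --control_location front-end LUKS nova.volume.encryptors.luks.LuksEncryptor"""


def parse_encryption_type(command):
    """Extract the encryption-type settings from a cinder CLI invocation."""
    # shlex does not treat backslash-newline as a continuation, so join lines first.
    argv = shlex.split(command.replace("\\\n", " "))
    if argv[:2] != ["cinder", "encryption-type-create"]:
        raise ValueError("not a 'cinder encryption-type-create' command")
    parser = argparse.ArgumentParser(add_help=False)
    parser.add_argument("--cipher")
    parser.add_argument("--key_size", type=int)
    parser.add_argument("--control_location")
    parser.add_argument("volume_type")
    parser.add_argument("provider")
    return vars(parser.parse_args(argv[2:]))


def review(settings):
    """Return (effective AES key bits, list of findings) for parsed settings."""
    cipher, key_size = settings["cipher"], settings["key_size"]
    if not cipher or not key_size:
        return None, ["cipher and key_size must both be set explicitly"]
    findings = []
    algo, _, rest = cipher.partition("-")
    mode = rest.split("-")[0]  # "xts-plain64" -> "xts", "cbc-essiv:sha256" -> "cbc"
    # XTS uses half of the supplied key as the data key and half as the tweak key.
    effective = key_size // 2 if mode == "xts" else key_size
    if algo != "aes":
        findings.append(f"cipher {cipher!r} is not AES; key size not checked")
    elif effective not in (128, 192, 256):
        findings.append(f"{key_size}-bit key is not a valid AES key for {cipher}")
    location = settings["control_location"]
    if location not in ("front-end", "back-end"):
        findings.append(f"control_location {location!r} is not front-end or back-end")
    return effective, findings


if __name__ == "__main__":
    parsed = parse_encryption_type(PAGE_COMMAND)
    bits, problems = review(parsed)
    print(parsed["volume_type"], parsed["provider"], f"AES-{bits}", problems or "ok")
```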

Comment 5 Emilien Macchi 2015-09-21 18:19:51 UTC
Sorry to ask again, I might be confused, but I still need to know if this solution works for you.
Before changing anything in the installer, we might need your feedback on this proposal.

Thank you

Comment 6 Josh Durgin 2015-12-11 00:35:13 UTC
Sorry for the delayed response. This needs to wait for encryption in qemu and nova for rbd. Since qemu is accessing rbd directly, there is no block device on the compute host for the existing nova encryption setup to work with.

Comment 8 Mike Burns 2016-04-07 20:50:54 UTC
This bug did not make the OSP 8.0 release.  It is being deferred to OSP 10.

Comment 10 Jeff Brown 2016-09-13 17:28:57 UTC
I wanted to confirm that encryption has moved out to OSP11.  I will move this bug when I hear from Federico.

Thanks

Comment 11 Federico Lucifredi 2016-09-15 06:57:52 UTC
This is actually worth doing in this cycle if we at all can.

Comment 12 Elise Gafford 2016-12-02 19:42:37 UTC
Libvirt needs to support RBD encryption in order to address this, which will not occur in the RHOS 11 timeframe. Pushing to 12.