Bug 1285089

Summary: [RFE] Boot instance from encrypted volume [iSCSI]
Product: Red Hat OpenStack Reporter: Jeremy <jmelvin>
Component: openstack-cinder Assignee: Eric Harney <eharney>
Status: CLOSED ERRATA QA Contact: Avi Avraham <aavraham>
Severity: high Docs Contact:
Priority: high    
Version: 7.0 (Kilo) CC: acanan, berrange, brault, cschwede, dasmith, ealcaniz, eglynn, eharney, jdonohue, jmelvin, jobernar, jschluet, kchamart, lyarwood, nlevine, pablo.iranzo, panbalag, pbrady, pgrist, sbauza, scohen, sferdjao, sgordon, srevivo, tshefi, vromanso, yaron.aboodaga, yves.brissette
Target Milestone: Upstream M2 Keywords: FutureFeature, Triaged
Target Release: 12.0 (Pike) Flags: scohen: needinfo+
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: openstack-cinder-11.0.0-0.20170611191457.3dacd2a.el7ost Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
: 1471627 Environment:
Last Closed: 2017-12-13 20:37:32 UTC Type: Feature Request
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1302261, 1406802, 1487920    
Bug Blocks: 1230402, 1262120, 1389435, 1389441, 1442136, 1471627    

Comment 3 Lee Yarwood 2015-12-04 16:14:33 UTC
(In reply to Jeremy from comment #0)
> Description of problem: Can not boot instance from encrypted volume
> 
> Version-Release number of selected component (if applicable):
> 
> instance : uuid=99ea08e5-97b8-4b30-9dd3-abe0f6cbcce4
> volume-80fdf401-f069-4ee5-8686-3f4e00cb375f

Can we confirm how the customer is creating the image, volume and instance here?

I think the issue is that Cinder is copying the image data into the volume unencrypted, causing Nova to re-encrypt the volume prior to use.

This is covered in the following Nova bug and recently associated Cinder spec:

Booting encrypted volume with whole image fails
https://bugs.launchpad.net/nova/+bug/1465656

Convert encrypted data to encrypted volumes with encrypted image
https://blueprints.launchpad.net/cinder/+spec/encrypt-volume-with-image

Comment 4 Lee Yarwood 2015-12-04 16:32:29 UTC
The ability for users to even create encrypted volumes from images is now being blocked by cinder-api with the following changes:

master - Prevent creating encrypted volume with image
https://review.openstack.org/#/c/210219/

stable/kilo - Prevent creating encrypted volume with image
https://review.openstack.org/#/c/217365/

Comment 6 Lee Yarwood 2015-12-22 09:59:12 UTC
I'm closing this out as CANTFIX as the fault here is with Cinder and not Nova. I suggest that we create a Cinder RFE to follow the progress of the encryption improvements in M:

Improvement about encrypted volume
https://blueprints.launchpad.net/cinder/+spec/improve-encrypted-volume

Comment 12 Lee Yarwood 2016-05-09 09:55:10 UTC
*** Bug 1262121 has been marked as a duplicate of this bug. ***

Comment 21 Sean Cohen 2016-12-05 16:15:05 UTC
*** Bug 1230402 has been marked as a duplicate of this bug. ***

Comment 32 Avi Avraham 2017-11-13 10:16:26 UTC
Verified.
Packages installed:
openstack-tripleo-heat-templates-7.0.3-0.20171024200825.el7ost.noarch
openstack-cinder-11.0.0-0.20170611191457.3dacd2a.el7ost

Successfully created an encrypted volume from an image,
booted an instance from the encrypted volume and logged in to the instance over SSH.

Comment 35 errata-xmlrpc 2017-12-13 20:37:32 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:3462