Bug 1383377

Summary: Disable encrypted volume in the tempest-deployer-input.conf
Product: Red Hat OpenStack Reporter: Attila Fazekas <afazekas>
Component: openstack-tripleoAssignee: Arx Cruz <acruz>
Status: CLOSED EOL QA Contact: Arik Chernetsky <achernet>
Severity: medium Docs Contact:
Priority: medium    
Version: 10.0 (Newton)CC: acruz, afazekas, aschultz, chkumar, dsariel, emacchi, jschluet, mburns, mkopec, whayutin
Target Milestone: ---Keywords: Triaged, ZStream
Target Release: ---Flags: mkopec: needinfo-
mkopec: needinfo-
mkopec: needinfo-
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-08-26 21:25:28 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Attila Fazekas 2016-10-10 13:38:19 UTC
The volume encryption feature would require a working and configured key manager like barbican,
and it also requires a volume backend which supporters the related api calls. ceph/rdb does not supports it.

If you just want to see the tempest test passing, you can use the (demo) lvm backend with the simple key manager with a hard-coded key in both nova and cinder config.

barbican is not packaged for Red Hat OpenStack, so please add 
tempest-deployer-input.conf [compute-feature-enabled] attach_encrypted_volume false .


The related tempest tests in the: tempest/scenario/test_encrypted_cinder_volumes.py

Comment 1 Alex Schultz 2017-09-08 21:17:06 UTC
This file should be removed and replaced with documentation on how to generate your own. This file probably hasn't worked in a long time.

Comment 3 Chandan Kumar 2018-06-12 16:36:56 UTC
https://review.openstack.org/#/c/570157/ -> implements the auto discovery of compute-feature-enabled.attach_encrypted_volume in python-tempestconf, I think this review might help.

Comment 5 Arx Cruz 2018-08-09 15:13:04 UTC
Even though in tripleo client we are not setting this to false, in python-tempestconf we have now a way to identify if encryption is enabled or not and so set it to False or True properly, I believe this solve the problem, since both upstream and downstream uses python-tempestconf to configure the tempest.conf file.

Comment 8 Matt Young 2018-08-27 15:42:55 UTC
moving release target to Rocky per tempest squad scrum.

Comment 10 Martin Kopec 2018-08-27 16:06:50 UTC
The feature implemented in python-tempestconf by [1] will be part of python-tempestconf-2.0.0. package which, unfortunately, will not be available for RHOS10. It will be available in RHOS11 and higher.

I see two ways how to move on with this and I have two questions regarding that:
    1. Is it possible to backport the feature [1] to tools/config_tempest.py in tempest version available for RHOS10?
    2. The bug is opened for openstack-tripleo, so, does openstack-tripleo handle or can handle this situation?

[1] https://review.openstack.org/#/c/570157/

Comment 11 Martin Kopec 2018-08-28 08:07:15 UTC
I believe Wes wanted to point to this [1] part of code, which is responsible for generating the deployer-input file. If compute-feature-enabled.attach_encrypted_volume is set to false there, it will solve the issue as Attila has pointed out.

Arx can we send a patch to tripleoclient or it will break something I don't see?

[1] https://github.com/openstack/python-tripleoclient/blob/285b887da6ef06e449864a46d5471a95d22e6754/tripleoclient/utils.py#L200

Comment 12 Arx Cruz 2018-11-20 15:05:40 UTC
Well, this should not be on tripleoclient, and this part of generate the deployer input file is wrong, if that is still needed, we might need to backport it to tempestconf / tools/config_tempest.py for RHOS10

Comment 15 Mike Burns 2020-08-26 21:25:28 UTC
This Release is retired.  If this bug is still relevant, please reopen and retarget to an open release.