Bug 1401587

Summary: Creating Encrypted Volumes with Cinder(Ceph backend) gives false positive
Product: Red Hat OpenStack Reporter: Eric Harney <eharney>
Component: openstack-cinderAssignee: Eric Harney <eharney>
Status: CLOSED ERRATA QA Contact: Tzach Shefi <tshefi>
Severity: low Docs Contact:
Priority: unspecified    
Version: 8.0 (Liberty)CC: ddomingo, eharney, jdurgin, jobernar, jomurphy, lhh, lkuchlan, mshetty, nlevine, pgrist, srevivo
Target Milestone: ---Keywords: Triaged, ZStream
Target Release: 8.0 (Liberty)   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: openstack-cinder-7.0.3-3.el7ost Doc Type: Bug Fix
Doc Text:
Ceph/RBD does not support encrypted volumes. However, in previous releases, the Block Storage service did not properly account for this fact. As a result, when attempting to create an encrypted volume through the RBD driver a non-encrypted volume would actually be created. This release adds a check to the Block Storage RBD driver which will fail volume creation if the user attempts to create an encrypted volume.
 Story Points: ---
Clone Of: 1380842
: 1409820 (view as bug list) Environment:
Last Closed: 2017-02-01 14:17:34 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1380842    
Bug Blocks: 1409820    
Attachments:
Description Flags
Cinder logs none

Description Eric Harney 2016-12-05 15:48:21 UTC 
+++ This bug was initially created as a clone of Bug #1380842 +++

Description of problem:
With OSP9 we can now create encrypted volumes using the Horizon dashboard. 

When you try the new feature with Ceph RDB as Cinder backed, and it works fine ie. It creates encrypted volumes using Horizon. Next, when you try to attach it to an instance it says it went through fine, but is not attached ie. a case of false positive.

On doing some research I found that Encryption support for RDB backend volumes was abandoned for Mitaka. 
https://review.openstack.org/#/c/239798/

I'm filing this bug as, when I tried to attach the encrypted volume to an instance it said it went through fine. It's only when you look into the instance, you see that the volume has not been attached.


Version-Release number of selected component (if applicable):


How reproducible:
Can be reproduced easily.

Steps to Reproduce:
1. Configure OpenStack with Ceph as Cinder backend.
2. Use Horizon to create an encrypted volume.
3. Attach the volume to an instance in OpenStack.
4. Log into the instance, and check if the volume is there.

Actual results:


Expected results:
If Encrypting Ceph volumes is not supported in Mitaka, then the creation of the encrypted Volume itself should fail. 

It allows the creation, and attaching the volume to the instance also goes through fine. It's only when you log into the instance, you see that the volume is not there.

Additional info:




+++++

The solution is to prevent creation of encrypted volumes on the RBD backend, since it does not yet support encrypted volumes.
Comment 2 Tzach Shefi 2017-01-10 21:34:06 UTC 
Verified, 

Tested on a system (pre fixed-in) was able to create an encrypted volume, volume status available.
I Then updated openstack-cinder and python-cinder, restarted services.
openstack-cinder-7.0.3-3.el7ost.noarch
python-cinder-7.0.3-3.el7ost.noarch

Now Cinder create an encrypted volume, fails status=error. 



Cinder list shows volumes and status, first one available two following ones status error. 

#cinder list
+--------------------------------------+-----------+------------------+----------------------------------------+------+-------------+----------+-------------+-------------+
|                  ID                  |   Status  | Migration Status |                  Name                  | Size | Volume Type | Bootable | Multiattach | Attached to |
+--------------------------------------+-----------+------------------+----------------------------------------+------+-------------+----------+-------------+-------------+
| 322c7212-2822-497c-acaf-ba27773b6cc2 | available |        -         |            encrypted volume            |  1   |     LUKS    |  false   |    False    |             |
| 44f95eb2-e014-4fe5-821a-5f47e68c5427 |   error   |        -         |   encrypted volumePostUpgradeCinder    |  1   |     LUKS    |  false   |    False    |             |
| 4658ed7b-3afb-4791-9880-8efb98e8a8af |   error   |        -         |   encrypted volume2PostUpgradeCinder   |  1   |     LUKS    |  false   |    False    |             |


Cinder volume.log (debug=true)
Reports expected error -> VolumeDriverException: Volume driver reported an error: Encryption is not yet supported.


Task;volume:create' (77b7f230-7df4-4265-b934-4915cc479f75) transitioned into state 'SUCCESS' from state 'RUNNING' with result '{'status': u'creating', 'volume_size': 1, 'volume_name': u'volume-4658ed7b-3afb-4791-9880-8efb98e8a8af', 'type': 'raw', 'volume_id': u'4658ed7b-3afb-4791-9880-8efb98e8a8af'}' _task_receiver /usr/lib/python2.7/site-packages/taskflow/listeners/logging.py:178
.....
create_volume
2017-01-10 21:20:35.653 11169 ERROR cinder.volume.manager     raise exception.VolumeDriverException(message=message)
2017-01-10 21:20:35.653 11169 ERROR cinder.volume.manager VolumeDriverException: Volume driver reported an error: Encryption is not yet supported.
2017-01-10 21:20:35.653 11169 ERROR cinder.volume.manager
2017-01-10 21:20:35.657 11169 DEBUG cinder.volume.manager [req-2ec453f3-0c83-4de4-8f02-445f3ec5f60d 74ffb7e17ea74c2992add5634d930551 9a93bc8f5a204e62855

Attaching Cinder logs in case needed.
Comment 3 Tzach Shefi 2017-01-10 21:37:47 UTC 
Created attachment 1239261 [details]
Cinder logs

If any ones wants to review verification Cinder logs. 

Look for this volume ID  4658ed7b-3afb-4791-9880-8efb98e8a8af
Comment 6 errata-xmlrpc 2017-02-01 14:17:34 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2017-0227.html