Bug 1555271
| Summary: | cinder encrypted volumes fail - configured to use barbican which itself is not configured | | |
|---|---|---|---|
| Product: | Red Hat OpenStack | Reporter: | Pavel Sedlák <psedlak> |
| Component: | openstack-packstack | Assignee: | Alfredo Moralejo <amoralej> |
| Status: | CLOSED ERRATA | QA Contact: | Frank Jansen <fjansen> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 13.0 (Queens) | CC: | abishop, augol, jjoyce, jschluet, mburns, srevivo |
| Target Milestone: | beta | Keywords: | Automation, Triaged |
| Target Release: | 13.0 (Queens) | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | openstack-packstack-12.0.0-0.20180327155808.90cd9d5.el7ost | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2018-06-27 13:36:14 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Pavel Sedlák
2018-03-14 11:23:33 UTC
I tracked the problem to infrared's packstack plugin, specifically the configure_services_post_install.yml playbook. There are tasks that configure Nova and Cinder to use the ConfKeyManager, but they're configuring the key_manager's api_class ([1] [2]), and that option has been deprecated. The tasks should be configuring the new 'backend' option.

[1] https://github.com/redhat-openstack/infrared/blob/master/plugins/packstack/configure_services_post_install.yml#L33
[2] https://github.com/redhat-openstack/infrared/blob/master/plugins/packstack/configure_services_post_install.yml#L54

The puppet-cinder and puppet-nova code both default to setting the 'backend' to the ConfKeyManager [3], [4]. However, packstack overrides the 'backend' cinder [4].

[3] https://github.com/openstack/puppet-cinder/blob/master/manifests/api.pp#L210
[4] https://github.com/openstack/puppet-nova/blob/master/manifests/compute.pp#L186
[5] https://github.com/openstack/packstack/blob/master/packstack/puppet/modules/packstack/manifests/cinder.pp#L40

This leads to a situation where nova.conf has both api_class and backend options specifying the ConfKeyManager. But in cinder.conf, the api_class is ConfKeyManager and the backend is Barbican. The backend option supersedes the api_class, so that's how Cinder ends up trying to use Barbican.

There is another problem with the way infrared is configuring encryption in cinder.conf. Like Nova, Cinder's ConfKeyManager requires the fixed_key be set. This is done for Nova [6] but it is not done for Cinder.

[6] https://github.com/redhat-openstack/infrared/blob/master/plugins/packstack/configure_services_post_install.yml#L25

To summarize, the following changes need to be made to infrared's packstack plugin. The configure_services_post_install.yml playbook needs to be updated to:

- Set the key_manager 'backend' and not the 'api_class'
- Set the key_manager 'fixed_key' in cinder.conf (must be same as Nova value)

Thanks for amazingly detailed answer even including infrared, will prepare patch for it. So tempest failure in our case is user misconfiguration (esp due to using deprecated api_class). But then, if default is barbican (and just for cinder?) should rest of it be configured correctly by packstack cinder manifest too?

Different projects have their own notion of defaults. Castellan's key_manager defaults the backend to 'barbican' [7].

[7] https://github.com/openstack/castellan/blob/master/castellan/key_manager/__init__.py#L26

However, puppet-cinder and puppet-nova assign the ConfKeyManager as their default [3], [4]. Packstack relies on the puppet modules, but overrides the cinder configuration to specify barbican [5]. Then, infrared comes along and makes its own decision to use the ConfKeyManager [1], [2].

Packstack and infrared's packstack plugin are certainly free to use Barbican. However, additional work will be required to fully configure the whole deployment. As we see in this BZ's tempest logs, it's not a matter of simply configuring Nova's and Cinder's key_manager backend. The rest of the Barbican service would need to be configured, and the scope of that effort goes well beyond this BZ.

Packstack does not support barbican, so it should never configure barbican backend for encryption. I'll fix in packstack to use ConfKeyManager.

Thanks for both answers. That's kind of why I was asking - infrared generally should NOT touch any of such configs - unless they are out of scope of installer (regardless which), what was obviously case of fixed_key in nova.conf. And so I wanted to have it clarified if now infrared should start configuring required-user-inputs for barbican for cinder (and so request most of these to work by default) and such. If packstack is not supposed to support barbican by default and it will be changed back then that is what this bug is about then. (in addition to updating infrared for correct api_class=>backend + fixed_key in cinder.conf (when >=13 as afaik worked for <13) thanks again for that info)

https://review.openstack.org/#/c/553317 should change key_manager/backend to cinder.keymgr.conf_key_mgr.ConfKeyManager

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:2086
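
The conditions discussed in this thread ('backend' superseding the deprecated 'api_class', Castellan defaulting to 'barbican', and ConfKeyManager needing the same 'fixed_key' in nova.conf and cinder.conf) can be checked mechanically against the two files. The following is an added example, not code from packstack, infrared or this bug report; the function names, the sample config text and the fixed_key value are constructed for illustration.

```python
import configparser

def key_manager(conf_text):
    """Return the [key_manager] options from oslo.config-style INI text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True,
                                   default_section="__unused__")
    cp.read_string(conf_text)
    return dict(cp["key_manager"]) if cp.has_section("key_manager") else {}

def effective_backend(km):
    # Per the thread: 'backend' supersedes the deprecated 'api_class',
    # and Castellan's own default backend is 'barbican'.
    return km.get("backend") or km.get("api_class") or "barbican"

def audit(nova_text, cinder_text):
    """Return sorted (service, finding) pairs for the problems in this bug."""
    confs = {"nova": key_manager(nova_text), "cinder": key_manager(cinder_text)}
    findings = set()
    for svc, km in confs.items():
        if "api_class" in km:
            findings.add((svc, "deprecated api_class set"))
            if "backend" in km and km["backend"] != km["api_class"]:
                findings.add((svc, "backend overrides api_class"))
        if not effective_backend(km).endswith("ConfKeyManager"):
            findings.add((svc, "backend is not ConfKeyManager"))
        elif not km.get("fixed_key"):
            findings.add((svc, "ConfKeyManager without fixed_key"))
    # Nova and Cinder must share one fixed_key to use each other's volumes.
    keys = {km["fixed_key"] for km in confs.values() if km.get("fixed_key")}
    if len(keys) > 1:
        findings.add(("both", "fixed_key differs between nova and cinder"))
    return sorted(findings)

# Constructed samples reproducing the state described in the report.
NOVA_BROKEN = """[key_manager]
api_class = nova.keymgr.conf_key_mgr.ConfKeyManager
backend = nova.keymgr.conf_key_mgr.ConfKeyManager
fixed_key = 00112233445566778899aabbccddeeff
"""
CINDER_BROKEN = """[key_manager]
api_class = cinder.keymgr.conf_key_mgr.ConfKeyManager
backend = barbican
"""
# Constructed samples of the corrected state: 'backend' only, shared fixed_key.
NOVA_FIXED = NOVA_BROKEN.replace(
    "api_class = nova.keymgr.conf_key_mgr.ConfKeyManager\n", "")
CINDER_FIXED = """[key_manager]
backend = cinder.keymgr.conf_key_mgr.ConfKeyManager
fixed_key = 00112233445566778899aabbccddeeff
"""
```
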