Bug 1824121

Summary: [OSP 13.0.12][Workaround] Allow native LUKSv1 decryption to be disabled
Product: Red Hat OpenStack
Reporter: Lee Yarwood <lyarwood>
Component: openstack-nova
Assignee: Lee Yarwood <lyarwood>
Status: CLOSED ERRATA
QA Contact: Paras Babbar <pbabbar>
Severity: urgent
Docs Contact:
Priority: urgent
Version: 13.0 (Queens)
CC: dasmith, egallen, eglynn, fiezzi, jhakimra, kchamart, nova-maint, pbabbar, sbauza, sgordon, stephenfin, vromanso
Target Milestone: z12
Keywords: Patch, Triaged, ZStream
Target Release: 13.0 (Queens)
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version: openstack-nova-17.0.13-6.el7ost
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of: 1824119
Environment:
Last Closed: 2020-06-24 11:52:31 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version: Ussuri
Embargoed:
Bug Depends On: 1805666, 1824116, 1824119
Bug Blocks:

Comment 9 Paras Babbar 2020-06-04 16:14:00 UTC
Hi Rhos-Compute,

The following QE steps would be good to verify this:

env: Ceph backend with Barbican enabled

1. sudo crudini --set /var/lib/config-data/puppet-generated/nova_libvirt/etc/nova/nova.conf workarounds disable_native_luksv1 true
Restart nova_compute to ensure these are picked up by the compute container:

2. $ sudo docker restart nova_compute

3. sudo docker exec -ti -u root nova_compute crudini --get /etc/nova/nova.conf workarounds disable_native_luksv1

4. Additionally, we need to set the following option in /etc/ceph/ceph.conf on the controller running cinder-volume:

[global]
default features = 3

What is the best way to validate that this has not used LUKSv1 encryption but forced it to use the dm-crypt based
os-brick encryptor to decrypt the LUKSv1 volume?

Is going to the nova_virtlog container on the hosting node and checking good enough?
sudo cryptsetup status <crypt volume>, to check whether the dm-crypt key is used or not?

Comment 10 Stephen Finucane 2020-06-08 13:34:01 UTC
(In reply to Paras Babbar from comment #9)
> Hi Rhos-Compute,
> 
> The following QE steps would be good to verify this:
> 
> env: Ceph backend with Barbican enabled
> 
> 1. sudo crudini --set
> /var/lib/config-data/puppet-generated/nova_libvirt/etc/nova/nova.conf
> workarounds disable_native_luksv1 true
> Restart nova_compute to ensure these are picked up by the compute container:
> 
> 2. $ sudo docker restart nova_compute
> 
> 3. sudo docker exec -ti -u root nova_compute crudini --get
> /etc/nova/nova.conf workarounds disable_native_luksv1
> 
> 4. Additionally, we need to set the following option in
> /etc/ceph/ceph.conf on the controller running cinder-volume:
> 
> [global]
> default features = 3

We don't need Ceph to validate this - that's covered by 1824120 and requires an additional configuration option, "[workarounds] rbd_volume_local_attach". You should configure with LVM. The suggested verification steps are otherwise correct.

> What is the best way to validate that this has not used LUKSv1 encryption
> but forced it to use the dm-crypt based
> os-brick encryptor to decrypt the LUKSv1 volume?
>
> Is going to the nova_virtlog container on the hosting node and checking good
> enough?
> sudo cryptsetup status <crypt volume>, to check whether the dm-crypt key is used or
> not?

The combination of logs and 'cryptsetup status' output should suffice, yes.
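
Added example (not code from this bug, nova or os-brick) covering the QE procedure in comment 9 and the confirmation in comment 10 that logs plus 'cryptsetup status' suffice: a POSIX shell helper that checks the two observable facts on the compute node, namely that [workarounds] disable_native_luksv1 is true in the nova.conf nova_compute actually reads, and that the attached volume has an active LUKS1 dm-crypt mapping (the os-brick encryptor path), since QEMU's native LUKS driver creates no dm-crypt mapping at all. The mapper name, the cipher/size values and the sample outputs are constructed so the script runs offline; the mapping name os-brick really uses is whatever appears under /dev/mapper for the volume.

```sh
#!/bin/sh
# Added example, not code from this bug, nova or os-brick.
# Two observable facts confirm the workaround took effect on a compute node:
#   1. [workarounds] disable_native_luksv1 = true in the nova.conf that
#      nova_compute actually reads (what `crudini --get` in step 3 shows);
#   2. `cryptsetup status <crypt volume>` reports an active LUKS1 mapping,
#      meaning the os-brick dm-crypt encryptor opened the volume on the
#      host. With QEMU native LUKS there is no dm-crypt mapping at all.
# The mapper name and the sample outputs below are constructed.

# workaround_enabled CONF_TEXT
# Return 0 when the last disable_native_luksv1 under [workarounds] is true
# (later assignments override earlier ones, as crudini --get reports).
workaround_enabled() {
    printf '%s\n' "$1" | awk -F'=' '
        /^[[:space:]]*\[/ {
            in_wa = ($0 ~ /^[[:space:]]*\[workarounds\][[:space:]]*$/); next
        }
        in_wa && $1 ~ /^[[:space:]]*disable_native_luksv1[[:space:]]*$/ {
            v = tolower($2); gsub(/[[:space:]]/, "", v)
            found = (v == "true") ? 1 : 0
        }
        END { if (found) exit 0; exit 1 }'
}

# dmcrypt_luks1_active STATUS_TEXT
# Return 0 when cryptsetup status output describes an active LUKS1 mapping,
# 1 when the mapping is inactive/absent or of another type.
dmcrypt_luks1_active() {
    printf '%s\n' "$1" | grep -q ' is active' &&
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*type:[[:space:]]+LUKS1[[:space:]]*$'
}

# verify_luksv1_workaround CONF_TEXT STATUS_TEXT
# Combine both checks; print a verdict and return 0 only if both pass.
verify_luksv1_workaround() {
    if ! workaround_enabled "$1"; then
        echo "FAIL: [workarounds] disable_native_luksv1 is not true in nova.conf"
        return 1
    fi
    if ! dmcrypt_luks1_active "$2"; then
        echo "FAIL: no active LUKS1 dm-crypt mapping; QEMU may still decrypt natively"
        return 1
    fi
    echo "PASS: workaround set and volume decrypted via dm-crypt"
}

# ---- constructed samples so the script runs stand-alone ----
SAMPLE_CONF='[DEFAULT]
debug = True

[workarounds]
disable_native_luksv1 = true'

# Constructed `cryptsetup status` output for an os-brick-opened LUKS1 iSCSI
# volume (LVM/iSCSI backend, as comment 10 recommends); values invented.
SAMPLE_STATUS_DMCRYPT='/dev/mapper/crypt-ip-192.0.2.10:3260-iscsi-iqn.2010-10.org.openstack:volume-1-lun-1 is active and is in use.
  type:    LUKS1
  cipher:  aes-xts-plain64
  keysize: 256 bits
  device:  /dev/sdb
  offset:  4096 sectors
  size:    2093056 sectors
  mode:    read/write'

# No mapping: what you would see if QEMU was still decrypting natively.
SAMPLE_STATUS_INACTIVE='/dev/mapper/crypt-ip-192.0.2.10:3260-iscsi-iqn.2010-10.org.openstack:volume-1-lun-1 is inactive.'

verify_luksv1_workaround "$SAMPLE_CONF" "$SAMPLE_STATUS_DMCRYPT" || true
verify_luksv1_workaround "$SAMPLE_CONF" "$SAMPLE_STATUS_INACTIVE" || true
```

On a real OSP 13 node, feed the functions the live data from the commands in the thread: the config via "sudo docker exec -u root nova_compute cat /etc/nova/nova.conf" and the mapping via "sudo cryptsetup status /dev/mapper/<crypt volume>", then pair a PASS verdict with the nova-compute log for the attach, as comment 10 asks for. A FAIL on the second check after the first passed is the interesting case: the option is set but the volume was attached before nova_compute was restarted, or the mapping name passed to cryptsetup is not the one os-brick created.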

Comment 14 errata-xmlrpc 2020-06-24 11:52:31 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2725