Bug 1889228
| Summary: | A cloned encrypted volume cannot be attached | ||
|---|---|---|---|
| Product: | Red Hat OpenStack | Reporter: | Masayuki Igawa <migawa> |
| Component: | openstack-cinder | Assignee: | Eric Harney <eharney> |
| Status: | CLOSED ERRATA | QA Contact: | Tzach Shefi <tshefi> |
| Severity: | high | Docs Contact: | Chuck Copello <ccopello> |
| Priority: | high | ||
| Version: | 16.1 (Train) | CC: | abishop, acanan, bkopilov, dasmith, eglynn, eharney, igallagh, jhakimra, jvisser, kchamart, lyarwood, pgrist, sbauza, senrique, sgordon, tshefi, vromanso |
| Target Milestone: | z4 | Keywords: | Regression, Triaged, ZStream |
| Target Release: | 16.1 (Train on RHEL 8.2) | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | openstack-cinder-15.3.1-6.el8ost | Doc Type: | Bug Fix |
| Doc Text: | Before this update, cloned encrypted volumes were inaccessible when using the Block Storage (cinder) service with the Key Manager (barbican) service. With this update, cloned encrypted volumes are now accessible when using the Block Storage service with the Key Manager service. | Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-03-17 15:33:11 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Description
Masayuki Igawa
2020-10-19 05:48:28 UTC
This smells like a c-vol bug when cloning the volume, maybe using a new passphrase but still referencing the old secret uuid somewhere? n-cpu isn't involved at that point so I'm moving this over to openstack-cinder.

Adding regression keyword following comment #2.

Verified on:
openstack-cinder-15.3.1-6.el8ost.noarch
Following reproduce steps:
0. Create an encrypted volume type:
(overcloud) [stack@undercloud-0 ~]$ cinder type-create LUKS
+--------------------------------------+------+-------------+-----------+
| ID | Name | Description | Is_Public |
+--------------------------------------+------+-------------+-----------+
| 0c007642-e949-44eb-b016-ad0489987a81 | LUKS | - | True |
+--------------------------------------+------+-------------+-----------+
(overcloud) [stack@undercloud-0 ~]$ cinder encryption-type-create --cipher aes-xts-plain64 --key_size 256 --control_location front-end LUKS nova.volume.encryptors.luks.LuksEncryptor
+--------------------------------------+-------------------------------------------+-----------------+----------+------------------+
| Volume Type ID | Provider | Cipher | Key Size | Control Location |
+--------------------------------------+-------------------------------------------+-----------------+----------+------------------+
| 0c007642-e949-44eb-b016-ad0489987a81 | nova.volume.encryptors.luks.LuksEncryptor | aes-xts-plain64 | 256 | front-end |
+--------------------------------------+-------------------------------------------+-----------------+----------+------------------+
(overcloud) [stack@undercloud-0 ~]$ cinder type-key LUKS set volume_backend_name=tripleo_iscsi
1. Create an encrypted volume:
(overcloud) [stack@undercloud-0 ~]$ cinder create 4 --volume-type LUKS --name EncVol1
+--------------------------------+--------------------------------------+
| Property | Value |
+--------------------------------+--------------------------------------+
| attachments | [] |
| availability_zone | nova |
| bootable | false |
| consistencygroup_id | None |
| created_at | 2021-01-21T11:27:04.000000 |
| description | None |
| encrypted | True |
| id | 01978948-6f94-4927-96e2-6193e888cf8a |
| metadata | {} |
| migration_status | None |
| multiattach | False |
| name | EncVol1 |
| os-vol-host-attr:host | None |
| os-vol-mig-status-attr:migstat | None |
| os-vol-mig-status-attr:name_id | None |
| os-vol-tenant-attr:tenant_id | 890bdf68e1fb4e2cad562c477cc57df4 |
| replication_status | None |
| size | 4 |
| snapshot_id | None |
| source_volid | None |
| status | creating |
| updated_at | None |
| user_id | 31ad1a04179a4d658c581d172ddd0999 |
| volume_type | LUKS |
+--------------------------------+--------------------------------------+
(overcloud) [stack@undercloud-0 ~]$ cinder list
+--------------------------------------+-----------+---------+------+-------------+----------+-------------+
| ID | Status | Name | Size | Volume Type | Bootable | Attached to |
+--------------------------------------+-----------+---------+------+-------------+----------+-------------+
| 01978948-6f94-4927-96e2-6193e888cf8a | available | EncVol1 | 4 | LUKS | false | |
+--------------------------------------+-----------+---------+------+-------------+----------+-------------+
2. Attach the volume to an instance:
(overcloud) [stack@undercloud-0 ~]$ nova volume-attach inst1 01978948-6f94-4927-96e2-6193e888cf8a auto
+-----------------------+--------------------------------------+
| Property | Value |
+-----------------------+--------------------------------------+
| delete_on_termination | False |
| device | /dev/vdb |
| id | 01978948-6f94-4927-96e2-6193e888cf8a |
| serverId | d6bf97c8-ed9f-42c7-9f8a-c0b15ac265b1 |
| tag | - |
| volumeId | 01978948-6f94-4927-96e2-6193e888cf8a |
+-----------------------+--------------------------------------+
Make FS/write some data on attached volume
3. Detach the volume from the instance:
(overcloud) [stack@undercloud-0 ~]$ cinder list
+--------------------------------------+--------+---------+------+-------------+----------+--------------------------------------+
| ID | Status | Name | Size | Volume Type | Bootable | Attached to |
+--------------------------------------+--------+---------+------+-------------+----------+--------------------------------------+
| 01978948-6f94-4927-96e2-6193e888cf8a | in-use | EncVol1 | 4 | LUKS | false | d6bf97c8-ed9f-42c7-9f8a-c0b15ac265b1 |
+--------------------------------------+--------+---------+------+-------------+----------+--------------------------------------+
(overcloud) [stack@undercloud-0 ~]$ nova volume-detach inst1 01978948-6f94-4927-96e2-6193e888cf8a
(overcloud) [stack@undercloud-0 ~]$ cinder list
+--------------------------------------+-----------+---------+------+-------------+----------+-------------+
| ID | Status | Name | Size | Volume Type | Bootable | Attached to |
+--------------------------------------+-----------+---------+------+-------------+----------+-------------+
| 01978948-6f94-4927-96e2-6193e888cf8a | available | EncVol1 | 4 | LUKS | false | |
+--------------------------------------+-----------+---------+------+-------------+----------+-------------+
4. Clone the encrypted volume:
(overcloud) [stack@undercloud-0 ~]$ openstack volume create --source EncVol1 EncVolClone --type LUKS
+---------------------+--------------------------------------+
| Field | Value |
+---------------------+--------------------------------------+
| attachments | [] |
| availability_zone | nova |
| bootable | false |
| consistencygroup_id | None |
| created_at | 2021-01-21T11:53:52.000000 |
| description | None |
| encrypted | True |
| id | d2ac4d17-a5e9-468f-a083-47f68d1763b8 |
| migration_status | None |
| multiattach | False |
| name | EncVolClone |
| properties | |
| replication_status | None |
| size | 4 |
| snapshot_id | None |
| source_volid | 01978948-6f94-4927-96e2-6193e888cf8a |
| status | creating |
| type | LUKS |
| updated_at | None |
| user_id | 31ad1a04179a4d658c581d172ddd0999 |
+---------------------+--------------------------------------+
(overcloud) [stack@undercloud-0 ~]$ cinder list
+--------------------------------------+-----------+-------------+------+-------------+----------+-------------+
| ID | Status | Name | Size | Volume Type | Bootable | Attached to |
+--------------------------------------+-----------+-------------+------+-------------+----------+-------------+
| 01978948-6f94-4927-96e2-6193e888cf8a | available | EncVol1 | 4 | LUKS | false | |
| d2ac4d17-a5e9-468f-a083-47f68d1763b8 | available | EncVolClone | 4 | LUKS | false | |
+--------------------------------------+-----------+-------------+------+-------------+----------+-------------+
5. Attach the second (cloned) encrypted volume to the same instance
(overcloud) [stack@undercloud-0 ~]$ nova volume-attach inst1 d2ac4d17-a5e9-468f-a083-47f68d1763b8 auto
+-----------------------+--------------------------------------+
| Property | Value |
+-----------------------+--------------------------------------+
| delete_on_termination | False |
| device | /dev/vdb |
| id | d2ac4d17-a5e9-468f-a083-47f68d1763b8 |
| serverId | d6bf97c8-ed9f-42c7-9f8a-c0b15ac265b1 |
| tag | - |
| volumeId | d2ac4d17-a5e9-468f-a083-47f68d1763b8 |
+-----------------------+--------------------------------------+
6. The volume status is changed to "available" after all:
(overcloud) [stack@undercloud-0 ~]$ cinder list
+--------------------------------------+-----------+-------------+------+-------------+----------+--------------------------------------+
| ID | Status | Name | Size | Volume Type | Bootable | Attached to |
+--------------------------------------+-----------+-------------+------+-------------+----------+--------------------------------------+
| 01978948-6f94-4927-96e2-6193e888cf8a | available | EncVol1 | 4 | LUKS | false | |
| d2ac4d17-a5e9-468f-a083-47f68d1763b8 | in-use | EncVolClone | 4 | LUKS | false | d6bf97c8-ed9f-42c7-9f8a-c0b15ac265b1 |
+--------------------------------------+-----------+-------------+------+-------------+----------+--------------------------------------+
This now works as expected; the volume failed to attach before this fix.
The cloned encrypted volume is successfully attached to the original instance.
Adding an extra validation step, confirm data was cloned.
Inside Cirros instance:
# lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
vda 253:0 0 1G 0 disk
|-vda1 253:1 0 1015M 0 part /
`-vda15 253:15 0 8M 0 part
vdb 253:16 0 4G 0 disk
#
# mount /dev/vdb mnt/
[ 703.289963] EXT4-fs (vdb): couldn't mount as ext3 due to feature incompatibilities
[ 703.321525] EXT4-fs (vdb): couldn't mount as ext2 due to feature incompatibilities
#
# cat mnt/tshefi.txt
Hello -> confirming original data is present on cloned volume.
Good to verify; we also added an automation test case which will soon be added.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Red Hat OpenStack Platform 16.1.4 director bug fix advisory), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2021:0817