Bug 2073011
| Summary: | connect_volume encryption fixes | ||
|---|---|---|---|
| Product: | Red Hat OpenStack | Reporter: | Eric Harney <eharney> |
| Component: | python-os-brick | Assignee: | Eric Harney <eharney> |
| Status: | CLOSED ERRATA | QA Contact: | Tzach Shefi <tshefi> |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | 17.0 (Wallaby) | CC: | apevec, jschluet, lhh, ltoscano |
| Target Milestone: | --- | Keywords: | Triaged |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | python-os-brick-4.3.3-0.20220701160730.d09dc9e.el9ost | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2022-09-21 12:20:36 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2071819 | ||
| Bug Blocks: | |||
Description
Eric Harney
2022-04-07 13:15:39 UTC
*** Bug 2092942 has been marked as a duplicate of this bug. ***
rdoinfo has os-brick pinned for stable/wallaby
source-branch: 4.3.3
Verified on:
python3-os-brick-4.3.3-0.20220701160730.d09dc9e.el9ost.noarch
On a deployment with Cinder using a netapp iSCSI backend.
Let's upload a Cirros image and boot an instance:
[stack@undercloud-0 ~]$ nova list
+--------------------------------------+-------+--------+------------+-------------+-----------------------------------+
| ID | Name | Status | Task State | Power State | Networks |
+--------------------------------------+-------+--------+------------+-------------+-----------------------------------+
| 0716c985-1d2d-49dd-bf15-208d7881942d | inst1 | ACTIVE | - | Running | internal=192.168.0.27, 10.0.0.223 |
+--------------------------------------+-------+--------+------------+-------------+-----------------------------------+
The test we need to execute is creating an encrypted volume from an image, confirming that we created the volume and that it is indeed encrypted.
Let's upload another image, just a bit bigger than the small Cirros image:
[stack@undercloud-0 ~]$ glance image-create --disk-format qcow2 --container-format bare --file rhel-server-7.9-update-12-x86_64-kvm.qcow2 --name MA_rhel7.9 --progress
[=============================>] 100%
+------------------+----------------------------------------------------------------------------------+
| Property | Value |
+------------------+----------------------------------------------------------------------------------+
| checksum | f77fc7e3cf31a210a8244e486466ce34 |
| container_format | bare |
| created_at | 2022-07-17T08:07:08Z |
| direct_url | cinder://default_backend/c70c413e-8dbb-4c88-977f-b501088aa509 |
| disk_format | qcow2 |
| id | d911dc76-af9b-43f5-93b9-00d222912a00 |
| min_disk | 0 |
| min_ram | 0 |
| name | MA_rhel7.9 |
| os_hash_algo | sha512 |
| os_hash_value | 16f2afc236708b215b3dfb372e7414f1d410713b8352580313e582d6ebb96035edad4a9a4c9645df |
| | e6e1ab131286d183fd21592a9f9afa96cde03b4cab6dde55 |
| os_hidden | False |
| owner | e0a3325fe7194923917d341e0dd0e8f2 |
| protected | False |
| size | 838036992 |
| status | active |
| stores | default_backend |
| tags | [] |
| updated_at | 2022-07-17T08:07:27Z |
| virtual_size | 10737418240 |
| visibility | shared |
+------------------+----------------------------------------------------------------------------------+
Create an encrypted volume type:
[stack@undercloud-0 ~]$ cinder type-create LUKS
+--------------------------------------+------+-------------+-----------+
| ID | Name | Description | Is_Public |
+--------------------------------------+------+-------------+-----------+
| e06c04ca-b2f6-45a3-8b83-191e473b6617 | LUKS | - | True |
+--------------------------------------+------+-------------+-----------+
[stack@undercloud-0 ~]$ cinder encryption-type-create --cipher aes-xts-plain64 --key_size 256 --control_location front-end LUKS nova.volume.encryptors.luks.LuksEncryptor
+--------------------------------------+-------------------------------------------+-----------------+----------+------------------+
| Volume Type ID | Provider | Cipher | Key Size | Control Location |
+--------------------------------------+-------------------------------------------+-----------------+----------+------------------+
| e06c04ca-b2f6-45a3-8b83-191e473b6617 | nova.volume.encryptors.luks.LuksEncryptor | aes-xts-plain64 | 256 | front-end |
+--------------------------------------+-------------------------------------------+-----------------+----------+------------------+
[stack@undercloud-0 ~]$ cinder type-key LUKS set volume_backend_name=tripleo_netapp
[stack@undercloud-0 ~]$ cinder extra-specs-list
+--------------------------------------+-------------+-----------------------------------------------------------------------+
| ID | Name | extra_specs |
+--------------------------------------+-------------+-----------------------------------------------------------------------+
| 815bed31-82b6-4420-a75a-32240dd3c63e | tripleo | {} |
| e06c04ca-b2f6-45a3-8b83-191e473b6617 | LUKS | {'volume_backend_name': 'tripleo_netapp'} |
+--------------------------------------+-------------+-----------------------------------------------------------------------+
Let's create an encrypted volume from the image.
Checking the image size, we need at least an 11G volume:
[stack@undercloud-0 ~]$ qemu-img info rhel-server-7.9-update-12-x86_64-kvm.qcow2
image: rhel-server-7.9-update-12-x86_64-kvm.qcow2
file format: qcow2
virtual size: 10 GiB (10737418240 bytes)
disk size: 799 MiB
cluster_size: 65536
Format specific information:
compat: 0.10
compression type: zlib
refcount bits: 16
Let's create such a volume:
[stack@undercloud-0 ~]$ cinder create 12 --volume-type LUKS --image d911dc76-af9b-43f5-93b9-00d222912a00 --name EncryptedVolFromImage2
+--------------------------------+--------------------------------------+
| Property | Value |
+--------------------------------+--------------------------------------+
| attachments | [] |
| availability_zone | nova |
| bootable | false |
| consistencygroup_id | None |
| created_at | 2022-07-17T08:46:08.000000 |
| description | None |
| encrypted | True |
| id | 3d1447f4-019a-4276-9459-038b59aa8dee |
| metadata | {} |
| migration_status | None |
| multiattach | False |
| name | EncryptedVolFromImage2 |
| os-vol-host-attr:host | None |
| os-vol-mig-status-attr:migstat | None |
| os-vol-mig-status-attr:name_id | None |
| os-vol-tenant-attr:tenant_id | e0a3325fe7194923917d341e0dd0e8f2 |
| replication_status | None |
| size | 12 |
| snapshot_id | None |
| source_volid | None |
| status | creating |
| updated_at | None |
| user_id | 5ec5d8fcf6084fb58a8012584f788c54 |
| volume_type | LUKS |
+--------------------------------+--------------------------------------+
Volume is created/available:
[stack@undercloud-0 ~]$ cinder list
+--------------------------------------+-----------+------------------------+------+-------------+----------+--------------------------------------+
| ID | Status | Name | Size | Volume Type | Bootable | Attached to |
+--------------------------------------+-----------+------------------------+------+-------------+----------+--------------------------------------+
| 3d1447f4-019a-4276-9459-038b59aa8dee | available | EncryptedVolFromImage2 | 12 | LUKS | true | |
Now let's attach it to the instance to confirm it's attached as an encrypted volume:
[stack@undercloud-0 ~]$ nova volume-attach inst1 3d1447f4-019a-4276-9459-038b59aa8dee
+-----------------------+--------------------------------------+
| Property | Value |
+-----------------------+--------------------------------------+
| delete_on_termination | False |
| device | /dev/vdb |
| id | 3d1447f4-019a-4276-9459-038b59aa8dee |
| serverId | 0716c985-1d2d-49dd-bf15-208d7881942d |
| tag | - |
| volumeId | 3d1447f4-019a-4276-9459-038b59aa8dee |
+-----------------------+--------------------------------------+
If we check the virsh dumpxml of this instance, we see the expected:
<disk type='block' device='disk'>
  <driver name='qemu' type='raw' cache='none' io='native'/>
  <source dev='/dev/disk/by-id/os-brick+dev+dm-7' index='4'/>
  <backingStore/>
  <target dev='vdb' bus='virtio'/>
  <serial>3d1447f4-019a-4276-9459-038b59aa8dee</serial>
  <encryption format='luks' engine='qemu'>
    <secret type='passphrase' uuid='f0574be3-a3c6-4694-b9d8-0ad16b6b0556'/>
  </encryption>
  <alias name='virtio-disk1'/>
  <address type='pci' domain='0x0000' bus='0x06' slot='0x00' function='0x0'/>
</disk>
If we check the Cinder volume logs we will also see the use of the now expected custom symlink reference "/dev/disk/by-id/os-brick+dev+dm-7".
Good to verify.
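The verification above is done by eye on the virsh dumpxml output. As an added example (not part of the bug report or of os-brick), the function below (hypothetical name check_encrypted_attachment) automates that check over a domain XML: it locates the disk whose serial is the Cinder volume ID, confirms it carries a LUKS encryption element handled by the qemu engine with a passphrase secret, and confirms the source device is the os-brick custom symlink under /dev/disk/by-id/. The embedded sample XML is constructed from the disk element shown in the comment above.

```python
"""Check a libvirt domain XML for an encrypted Cinder volume attachment."""
import xml.etree.ElementTree as ET

# os-brick's custom by-id symlinks all start with this prefix (see the dumpxml above).
OS_BRICK_SYMLINK_PREFIX = "/dev/disk/by-id/os-brick+"

# Constructed sample: a minimal domain wrapping the <disk> element from the
# verification comment; the rest of the real domain XML is omitted.
SAMPLE_DOMAIN_XML = """<domain type='kvm'>
  <devices>
    <disk type='block' device='disk'>
      <driver name='qemu' type='raw' cache='none' io='native'/>
      <source dev='/dev/disk/by-id/os-brick+dev+dm-7' index='4'/>
      <target dev='vdb' bus='virtio'/>
      <serial>3d1447f4-019a-4276-9459-038b59aa8dee</serial>
      <encryption format='luks' engine='qemu'>
        <secret type='passphrase' uuid='f0574be3-a3c6-4694-b9d8-0ad16b6b0556'/>
      </encryption>
    </disk>
  </devices>
</domain>"""


def check_encrypted_attachment(domain_xml, volume_id):
    """Return (ok, findings); ok is True only when every check passes."""
    root = ET.fromstring(domain_xml)
    findings = []
    # Nova writes the Cinder volume ID into <serial>, so match the disk on it.
    disk = next((d for d in root.iter("disk") if d.findtext("serial") == volume_id), None)
    if disk is None:
        return False, ["volume %s is not attached to this domain" % volume_id]
    enc = disk.find("encryption")
    if enc is None:
        findings.append("disk has no <encryption> element")
    else:
        if enc.get("format") != "luks":
            findings.append("encryption format is %r, expected 'luks'" % enc.get("format"))
        if enc.get("engine") != "qemu":
            findings.append("encryption engine is %r, expected 'qemu'" % enc.get("engine"))
        secret = enc.find("secret")
        if secret is None or secret.get("type") != "passphrase":
            findings.append("missing passphrase <secret> reference")
    # The source must be the os-brick symlink, not a raw /dev/dm-N or /dev/sdX path.
    src = disk.find("source")
    dev = src.get("dev") if src is not None else None
    if not dev or not dev.startswith(OS_BRICK_SYMLINK_PREFIX):
        findings.append("source dev %r is not an os-brick custom symlink" % dev)
    return not findings, findings
```

On a live host, feed it the output of `virsh dumpxml <instance>` instead of the constructed sample.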
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Release of components for Red Hat OpenStack Platform 17.0 (Wallaby)), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHEA-2022:6543