Bug 1273466 - Nova volume encryptors attach volume fails for NFS and FC (rootwrap)
Nova volume encryptors attach volume fails for NFS and FC (rootwrap)
Status: CLOSED ERRATA
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-nova (Show other bugs)
7.0 (Kilo)
x86_64 Linux
medium Severity medium
: z3
: 7.0 (Kilo)
Assigned To: Lee Yarwood
Prasanth Anbalagan
: ZStream
: 1272884 (view as bug list)
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2015-10-20 09:35 EDT by Lee Yarwood
Modified: 2015-12-21 12:07 EST (History)
16 users (show)

See Also:
Fixed In Version: openstack-nova-2015.1.2-2.el7ost
Doc Type: Bug Fix
Doc Text:
Previously, nova's rootwrap filters restricted an `ln` command used by the volume encryption providers to a specific iSCSI related target path. As a consequence, iSER, NFS and FC volumes encountered failures as the `ln` command was rejected by nova's rootwrap filters. This update makes Nova's rootwrap filters more generic when calling `ln` allowing the volume encryption providers to succeed. As a result, both the cryptsetup and luks encryption providers now work with iSER, NFS, and FC based volumes.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-12-21 12:07:33 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Launchpad 1470142 None None None Never

  None (edit)
Description Lee Yarwood 2015-10-20 09:35:41 EDT
Description of problem:

Nova volume encryptors attach volume fails for NFS and FC (rootwrap)
https://bugs.launchpad.net/nova/+bug/1470142

As hit in the following RHBZ :

volume attach failed with iser 
https://bugzilla.redhat.com/show_bug.cgi?id=1268051

~~~
21982 2015-10-08 10:58:39.597 3415 TRACE oslo_messaging.rpc.dispatcher ProcessExecutionError: Unexpected error while running command.
21983 2015-10-08 10:58:39.597 3415 TRACE oslo_messaging.rpc.dispatcher Command: sudo nova-rootwrap /etc/nova/rootwrap.conf ln --symbolic --force /dev/mapper/pci-0000:02:00.0-ip-1.1.1.1:3260-iscsi-iqn.2010-10.org.openstack:volume-b21ab8b2-745c-4992-a29f-88993a9b591b-lun-0  /dev/disk/by-path/pci-0000:02:00.0-ip-1.1.1.1:3260-iscsi-iqn.2010-10.org.openstack:volume-b21ab8b2-745c-4992-a29f-88993a9b591b-lun-0
21984 2015-10-08 10:58:39.597 3415 TRACE oslo_messaging.rpc.dispatcher Exit code: 99
21985 2015-10-08 10:58:39.597 3415 TRACE oslo_messaging.rpc.dispatcher Stdout: u''
21986 2015-10-08 10:58:39.597 3415 TRACE oslo_messaging.rpc.dispatcher Stderr: u'/usr/bin/nova-rootwrap: Unauthorized command: ln --symbolic --force /dev/mapper/pci-0000:02:00.0-ip-1.1.1.1:3260-iscsi-iqn.2010-10.org.openstack:volume-b21ab8b2-745c-4992-a29f-88993a9b591b-lun-0 /dev/disk/by-path/pci-0000:02:00.0-ip-1.1.1.1:3260-iscsi-iqn.2010-10.org.openstack:volume-b21ab8b2-745c-4992-a29f-88993a9b591b-lun-0 (no filter matched)\n'
~~~


Version-Release number of selected component (if applicable):


How reproducible:
Always.

Steps to Reproduce:
1. tempest.scenario.test_encrypted_cinder_volumes.TestEncryptedCinderVolumes 

Actual results:
Nova volume encryptors attach volume fails.

Expected results:
Nova volume encryptors attach volume succeeds.

Additional info:
Comment 2 Lee Yarwood 2015-11-02 04:26:11 EST
*** Bug 1272884 has been marked as a duplicate of this bug. ***
Comment 4 Prasanth Anbalagan 2015-12-09 11:06:11 EST
Verified as follows,

************
Version
************

^C[root@seal17 ~(keystone_admin)]# yum list installed | grep  nova
openstack-nova-api.noarch            2015.1.2-7.el7ost       @rhelosp-7.0-puddle
openstack-nova-cert.noarch           2015.1.2-7.el7ost       @rhelosp-7.0-puddle
openstack-nova-common.noarch         2015.1.2-7.el7ost       @rhelosp-7.0-puddle
openstack-nova-compute.noarch        2015.1.2-7.el7ost       @rhelosp-7.0-puddle
openstack-nova-conductor.noarch      2015.1.2-7.el7ost       @rhelosp-7.0-puddle
openstack-nova-console.noarch        2015.1.2-7.el7ost       @rhelosp-7.0-puddle
openstack-nova-novncproxy.noarch     2015.1.2-7.el7ost       @rhelosp-7.0-puddle
openstack-nova-scheduler.noarch      2015.1.2-7.el7ost       @rhelosp-7.0-puddle

*************
Logs
*************

[root@seal17 ~(keystone_admin)]# cinder type-create LUKS
+--------------------------------------+------+
|                  ID                  | Name |
+--------------------------------------+------+
| eee5cf90-83e9-4c42-bd4a-5ec48c2f472f | LUKS |
+--------------------------------------+------+
[root@seal17 ~(keystone_admin)]# cinder type-list
+--------------------------------------+-------+
|                  ID                  |  Name |
+--------------------------------------+-------+
| 57028ba3-64c9-488e-8cb5-de2f34d00df4 |  nfs  |
| eee5cf90-83e9-4c42-bd4a-5ec48c2f472f |  LUKS |
| fbbf0bb5-0698-4cdd-8876-dfde95cce478 | iscsi |
+--------------------------------------+-------+
[root@seal17 ~(keystone_admin)]# cinder encryption-type-create --cipher aes-xts-plain64 --key_size 512 --control_location front-end LUKS nova.volume.encryptors.luks.LuksEncryptor
+--------------------------------------+-------------------------------------------+-----------------+----------+------------------+
|            Volume Type ID            |                  Provider                 |      Cipher     | Key Size | Control Location |
+--------------------------------------+-------------------------------------------+-----------------+----------+------------------+
| eee5cf90-83e9-4c42-bd4a-5ec48c2f472f | nova.volume.encryptors.luks.LuksEncryptor | aes-xts-plain64 |   512    |    front-end     |
+--------------------------------------+-------------------------------------------+-----------------+----------+------------------+
[root@seal17 ~(keystone_admin)]# cinder create --display-name 'encrypted volume' --volume-type LUKS 1
+---------------------+--------------------------------------+
|       Property      |                Value                 |
+---------------------+--------------------------------------+
|     attachments     |                  []                  |
|  availability_zone  |                 nova                 |
|       bootable      |                false                 |
|      created_at     |      2015-12-09T16:01:40.455493      |
| display_description |                 None                 |
|     display_name    |           encrypted volume           |
|      encrypted      |                 True                 |
|          id         | 001efa06-fbda-4c7f-bdfd-999b5b533923 |
|       metadata      |                  {}                  |
|     multiattach     |                false                 |
|         size        |                  1                   |
|     snapshot_id     |                 None                 |
|     source_volid    |                 None                 |
|        status       |               creating               |
|     volume_type     |                 LUKS                 |
+---------------------+--------------------------------------+
[root@seal17 ~(keystone_admin)]# cinder list
+--------------------------------------+-----------+------------------+------+-------------+----------+--------------------------------------+
|                  ID                  |   Status  |   Display Name   | Size | Volume Type | Bootable |             Attached to              |
+--------------------------------------+-----------+------------------+------+-------------+----------+--------------------------------------+
| 001efa06-fbda-4c7f-bdfd-999b5b533923 | available | encrypted volume |  1   |     LUKS    |  false   |                                      |
| 156fdd02-00ca-427e-a7be-4ca245f352d5 |   in-use  |       vol1       |  1   |      -      |  false   | 6e56ec06-3287-4d02-90db-69905ecda71f |
| 2dde0a96-8d53-4a9f-8ffa-8ae04da9b1a0 |   error   |     nfsvol1      |  1   |     nfs     |  false   |                                      |
| 899809dd-5415-4f17-9fba-d0cc2846d838 |   error   |     nfsvol1      |  1   |     nfs     |  false   |                                      |
| e4a9778e-ccac-49c1-8bc2-095f4f99af0f | available |     nfsvol1      |  1   |      -      |  false   |                                      |
+--------------------------------------+-----------+------------------+------+-------------+----------+--------------------------------------+
[root@seal17 ~(keystone_admin)]# nova list
+--------------------------------------+------+--------+------------+-------------+------------------+
| ID                                   | Name | Status | Task State | Power State | Networks         |
+--------------------------------------+------+--------+------------+-------------+------------------+
| 6e56ec06-3287-4d02-90db-69905ecda71f | vm1  | ACTIVE | -          | Running     | private=10.0.0.4 |
+--------------------------------------+------+--------+------------+-------------+------------------+
[root@seal17 ~(keystone_admin)]# nova volume-attach vm1 001efa06-fbda-4c7f-bdfd-999b5b533923
+----------+--------------------------------------+
| Property | Value                                |
+----------+--------------------------------------+
| device   | /dev/vdc                             |
| id       | 001efa06-fbda-4c7f-bdfd-999b5b533923 |
| serverId | 6e56ec06-3287-4d02-90db-69905ecda71f |
| volumeId | 001efa06-fbda-4c7f-bdfd-999b5b533923 |
+----------+--------------------------------------+
[root@seal17 ~(keystone_admin)]# nova list
+--------------------------------------+------+--------+------------+-------------+------------------+
| ID                                   | Name | Status | Task State | Power State | Networks         |
+--------------------------------------+------+--------+------------+-------------+------------------+
| 6e56ec06-3287-4d02-90db-69905ecda71f | vm1  | ACTIVE | -          | Running     | private=10.0.0.4 |
+--------------------------------------+------+--------+------------+-------------+------------------+
[root@seal17 ~(keystone_admin)]# cinder list
+--------------------------------------+-----------+------------------+------+-------------+----------+--------------------------------------+
|                  ID                  |   Status  |   Display Name   | Size | Volume Type | Bootable |             Attached to              |
+--------------------------------------+-----------+------------------+------+-------------+----------+--------------------------------------+
| 001efa06-fbda-4c7f-bdfd-999b5b533923 |   in-use  | encrypted volume |  1   |     LUKS    |  false   | 6e56ec06-3287-4d02-90db-69905ecda71f |
| 156fdd02-00ca-427e-a7be-4ca245f352d5 |   in-use  |       vol1       |  1   |      -      |  false   | 6e56ec06-3287-4d02-90db-69905ecda71f |
| 2dde0a96-8d53-4a9f-8ffa-8ae04da9b1a0 |   error   |     nfsvol1      |  1   |     nfs     |  false   |                                      |
| 899809dd-5415-4f17-9fba-d0cc2846d838 |   error   |     nfsvol1      |  1   |     nfs     |  false   |                                      |
| e4a9778e-ccac-49c1-8bc2-095f4f99af0f | available |     nfsvol1      |  1   |      -      |  false   |                                      |
+--------------------------------------+-----------+------------------+------+-------------+----------+--------------------------------------+
[root@seal17 ~(keystone_admin)]# 
[root@seal17 ~(keystone_admin)]# 
[root@seal17 ~(keystone_admin)]# nova volume-detach vm1 001efa06-fbda-4c7f-bdfd-999b5b533923
[root@seal17 ~(keystone_admin)]# cinder list
+--------------------------------------+-----------+------------------+------+-------------+----------+--------------------------------------+
|                  ID                  |   Status  |   Display Name   | Size | Volume Type | Bootable |             Attached to              |
+--------------------------------------+-----------+------------------+------+-------------+----------+--------------------------------------+
| 001efa06-fbda-4c7f-bdfd-999b5b533923 | available | encrypted volume |  1   |     LUKS    |  false   |                                      |
| 156fdd02-00ca-427e-a7be-4ca245f352d5 |   in-use  |       vol1       |  1   |      -      |  false   | 6e56ec06-3287-4d02-90db-69905ecda71f |
| 2dde0a96-8d53-4a9f-8ffa-8ae04da9b1a0 |   error   |     nfsvol1      |  1   |     nfs     |  false   |                                      |
| 899809dd-5415-4f17-9fba-d0cc2846d838 |   error   |     nfsvol1      |  1   |     nfs     |  false   |                                      |
| e4a9778e-ccac-49c1-8bc2-095f4f99af0f | available |     nfsvol1      |  1   |      -      |  false   |                                      |
+--------------------------------------+-----------+------------------+------+-------------+----------+--------------------------------------+
Comment 6 errata-xmlrpc 2015-12-21 12:07:33 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2015:2673

Note You need to log in before you can comment on or make changes to this bug.