Bug 1273466
| Summary: | Nova volume encryptors attach volume fails for NFS and FC (rootwrap) | ||
|---|---|---|---|
| Product: | Red Hat OpenStack | Reporter: | Lee Yarwood <lyarwood> |
| Component: | openstack-nova | Assignee: | Lee Yarwood <lyarwood> |
| Status: | CLOSED ERRATA | QA Contact: | Prasanth Anbalagan <panbalag> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 7.0 (Kilo) | CC: | berrange, dasmith, eglynn, kchamart, lennyb, moshele, ndipanov, pbrady, rbiba, sbauza, sferdjao, sgordon, vromanso, yeylon |
| Target Milestone: | z3 | Keywords: | ZStream |
| Target Release: | 7.0 (Kilo) | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | openstack-nova-2015.1.2-2.el7ost | Doc Type: | Bug Fix |
| Doc Text: |
Previously, nova's rootwrap filters restricted an `ln` command used by the volume encryption providers to a specific iSCSI related target path. As a consequence, iSER, NFS and FC volumes encountered failures as the `ln` command was rejected by nova's rootwrap filters. This update makes Nova's rootwrap filters more generic when calling `ln` allowing the volume encryption providers to succeed. As a result, both the cryptsetup and luks encryption providers now work with iSER, NFS, and FC based volumes.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2015-12-21 17:07:33 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Lee Yarwood
2015-10-20 13:35:41 UTC
*** Bug 1272884 has been marked as a duplicate of this bug. *** Verified as follows,
************
Version
************
^C[root@seal17 ~(keystone_admin)]# yum list installed | grep nova
openstack-nova-api.noarch 2015.1.2-7.el7ost @rhelosp-7.0-puddle
openstack-nova-cert.noarch 2015.1.2-7.el7ost @rhelosp-7.0-puddle
openstack-nova-common.noarch 2015.1.2-7.el7ost @rhelosp-7.0-puddle
openstack-nova-compute.noarch 2015.1.2-7.el7ost @rhelosp-7.0-puddle
openstack-nova-conductor.noarch 2015.1.2-7.el7ost @rhelosp-7.0-puddle
openstack-nova-console.noarch 2015.1.2-7.el7ost @rhelosp-7.0-puddle
openstack-nova-novncproxy.noarch 2015.1.2-7.el7ost @rhelosp-7.0-puddle
openstack-nova-scheduler.noarch 2015.1.2-7.el7ost @rhelosp-7.0-puddle
*************
Logs
*************
[root@seal17 ~(keystone_admin)]# cinder type-create LUKS
+--------------------------------------+------+
| ID | Name |
+--------------------------------------+------+
| eee5cf90-83e9-4c42-bd4a-5ec48c2f472f | LUKS |
+--------------------------------------+------+
[root@seal17 ~(keystone_admin)]# cinder type-list
+--------------------------------------+-------+
| ID | Name |
+--------------------------------------+-------+
| 57028ba3-64c9-488e-8cb5-de2f34d00df4 | nfs |
| eee5cf90-83e9-4c42-bd4a-5ec48c2f472f | LUKS |
| fbbf0bb5-0698-4cdd-8876-dfde95cce478 | iscsi |
+--------------------------------------+-------+
[root@seal17 ~(keystone_admin)]# cinder encryption-type-create --cipher aes-xts-plain64 --key_size 512 --control_location front-end LUKS nova.volume.encryptors.luks.LuksEncryptor
+--------------------------------------+-------------------------------------------+-----------------+----------+------------------+
| Volume Type ID | Provider | Cipher | Key Size | Control Location |
+--------------------------------------+-------------------------------------------+-----------------+----------+------------------+
| eee5cf90-83e9-4c42-bd4a-5ec48c2f472f | nova.volume.encryptors.luks.LuksEncryptor | aes-xts-plain64 | 512 | front-end |
+--------------------------------------+-------------------------------------------+-----------------+----------+------------------+
[root@seal17 ~(keystone_admin)]# cinder create --display-name 'encrypted volume' --volume-type LUKS 1
+---------------------+--------------------------------------+
| Property | Value |
+---------------------+--------------------------------------+
| attachments | [] |
| availability_zone | nova |
| bootable | false |
| created_at | 2015-12-09T16:01:40.455493 |
| display_description | None |
| display_name | encrypted volume |
| encrypted | True |
| id | 001efa06-fbda-4c7f-bdfd-999b5b533923 |
| metadata | {} |
| multiattach | false |
| size | 1 |
| snapshot_id | None |
| source_volid | None |
| status | creating |
| volume_type | LUKS |
+---------------------+--------------------------------------+
[root@seal17 ~(keystone_admin)]# cinder list
+--------------------------------------+-----------+------------------+------+-------------+----------+--------------------------------------+
| ID | Status | Display Name | Size | Volume Type | Bootable | Attached to |
+--------------------------------------+-----------+------------------+------+-------------+----------+--------------------------------------+
| 001efa06-fbda-4c7f-bdfd-999b5b533923 | available | encrypted volume | 1 | LUKS | false | |
| 156fdd02-00ca-427e-a7be-4ca245f352d5 | in-use | vol1 | 1 | - | false | 6e56ec06-3287-4d02-90db-69905ecda71f |
| 2dde0a96-8d53-4a9f-8ffa-8ae04da9b1a0 | error | nfsvol1 | 1 | nfs | false | |
| 899809dd-5415-4f17-9fba-d0cc2846d838 | error | nfsvol1 | 1 | nfs | false | |
| e4a9778e-ccac-49c1-8bc2-095f4f99af0f | available | nfsvol1 | 1 | - | false | |
+--------------------------------------+-----------+------------------+------+-------------+----------+--------------------------------------+
[root@seal17 ~(keystone_admin)]# nova list
+--------------------------------------+------+--------+------------+-------------+------------------+
| ID | Name | Status | Task State | Power State | Networks |
+--------------------------------------+------+--------+------------+-------------+------------------+
| 6e56ec06-3287-4d02-90db-69905ecda71f | vm1 | ACTIVE | - | Running | private=10.0.0.4 |
+--------------------------------------+------+--------+------------+-------------+------------------+
[root@seal17 ~(keystone_admin)]# nova volume-attach vm1 001efa06-fbda-4c7f-bdfd-999b5b533923
+----------+--------------------------------------+
| Property | Value |
+----------+--------------------------------------+
| device | /dev/vdc |
| id | 001efa06-fbda-4c7f-bdfd-999b5b533923 |
| serverId | 6e56ec06-3287-4d02-90db-69905ecda71f |
| volumeId | 001efa06-fbda-4c7f-bdfd-999b5b533923 |
+----------+--------------------------------------+
[root@seal17 ~(keystone_admin)]# nova list
+--------------------------------------+------+--------+------------+-------------+------------------+
| ID | Name | Status | Task State | Power State | Networks |
+--------------------------------------+------+--------+------------+-------------+------------------+
| 6e56ec06-3287-4d02-90db-69905ecda71f | vm1 | ACTIVE | - | Running | private=10.0.0.4 |
+--------------------------------------+------+--------+------------+-------------+------------------+
[root@seal17 ~(keystone_admin)]# cinder list
+--------------------------------------+-----------+------------------+------+-------------+----------+--------------------------------------+
| ID | Status | Display Name | Size | Volume Type | Bootable | Attached to |
+--------------------------------------+-----------+------------------+------+-------------+----------+--------------------------------------+
| 001efa06-fbda-4c7f-bdfd-999b5b533923 | in-use | encrypted volume | 1 | LUKS | false | 6e56ec06-3287-4d02-90db-69905ecda71f |
| 156fdd02-00ca-427e-a7be-4ca245f352d5 | in-use | vol1 | 1 | - | false | 6e56ec06-3287-4d02-90db-69905ecda71f |
| 2dde0a96-8d53-4a9f-8ffa-8ae04da9b1a0 | error | nfsvol1 | 1 | nfs | false | |
| 899809dd-5415-4f17-9fba-d0cc2846d838 | error | nfsvol1 | 1 | nfs | false | |
| e4a9778e-ccac-49c1-8bc2-095f4f99af0f | available | nfsvol1 | 1 | - | false | |
+--------------------------------------+-----------+------------------+------+-------------+----------+--------------------------------------+
[root@seal17 ~(keystone_admin)]#
[root@seal17 ~(keystone_admin)]#
[root@seal17 ~(keystone_admin)]# nova volume-detach vm1 001efa06-fbda-4c7f-bdfd-999b5b533923
[root@seal17 ~(keystone_admin)]# cinder list
+--------------------------------------+-----------+------------------+------+-------------+----------+--------------------------------------+
| ID | Status | Display Name | Size | Volume Type | Bootable | Attached to |
+--------------------------------------+-----------+------------------+------+-------------+----------+--------------------------------------+
| 001efa06-fbda-4c7f-bdfd-999b5b533923 | available | encrypted volume | 1 | LUKS | false | |
| 156fdd02-00ca-427e-a7be-4ca245f352d5 | in-use | vol1 | 1 | - | false | 6e56ec06-3287-4d02-90db-69905ecda71f |
| 2dde0a96-8d53-4a9f-8ffa-8ae04da9b1a0 | error | nfsvol1 | 1 | nfs | false | |
| 899809dd-5415-4f17-9fba-d0cc2846d838 | error | nfsvol1 | 1 | nfs | false | |
| e4a9778e-ccac-49c1-8bc2-095f4f99af0f | available | nfsvol1 | 1 | - | false | |
+--------------------------------------+-----------+------------------+------+-------------+----------+--------------------------------------+
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2015:2673 |