Bug 1285089 - [RFE] Boot instance from encrypted volume [iSCSI]
Summary: [RFE] Boot instance from encrypted volume [iSCSI]
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-cinder
Version: 7.0 (Kilo)
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: Upstream M2
Target Release: 12.0 (Pike)
Assignee: Eric Harney
QA Contact: Avi Avraham
URL:
Whiteboard:
Duplicates: 1262121
Depends On: 1302261 1406802 1487920
Blocks: 1230402 1262120 1389435 1389441 1442136 1471627
Reported: 2015-11-24 21:05 UTC by Jeremy
Modified: 2022-03-13 14:08 UTC
CC List: 28 users

Fixed In Version: openstack-cinder-11.0.0-0.20170611191457.3dacd2a.el7ost
Doc Type: Enhancement
Doc Text:
Clone Of:
Clones: 1471627
Environment:
Last Closed: 2017-12-13 20:37:32 UTC
Target Upstream Version:
Embargoed:
scohen: needinfo+


Links
System ID Private Priority Status Summary Last Updated
OpenStack gerrit 247372 0 None MERGED Copy encryptors from Nova to os-brick 2020-11-03 09:04:05 UTC
Red Hat Bugzilla 1388559 0 urgent CLOSED RHBA-2016-1618 Regression, re-encryption of encrypted image 2021-02-22 00:41:40 UTC
Red Hat Issue Tracker OSP-13533 0 None None None 2022-03-13 14:08:36 UTC
Red Hat Knowledge Base (Solution) 2137751 0 None None None 2016-01-27 10:34:34 UTC
Red Hat Product Errata RHEA-2017:3462 0 normal SHIPPED_LIVE Red Hat OpenStack Platform 12.0 Enhancement Advisory 2018-02-16 01:43:25 UTC

Internal Links: 1388559

Comment 3 Lee Yarwood 2015-12-04 16:14:33 UTC
(In reply to Jeremy from comment #0)
> Description of problem: Can not boot instance from encrypted volume
> 
> Version-Release number of selected component (if applicable):
> 
> instance : uuid=99ea08e5-97b8-4b30-9dd3-abe0f6cbcce4
> volume-80fdf401-f069-4ee5-8686-3f4e00cb375f

Can we confirm how the customer is creating the image, volume and instance here?

I think the issue is that Cinder is copying the image data into the volume unencrypted causing Nova to re-encrypt the volume prior to use. 

This is covered in the following Nova bug and recently associated Cinder spec :

Booting encrypted volume with whole image fails
https://bugs.launchpad.net/nova/+bug/1465656

Convert encrypted data to encrypted volumes with encrypted image
https://blueprints.launchpad.net/cinder/+spec/encrypt-volume-with-image

Comment 4 Lee Yarwood 2015-12-04 16:32:29 UTC
The ability for users to even create encrypted volumes from images is now being blocked by cinder-api with the following changes :

master - Prevent creating encrypted volume with image
https://review.openstack.org/#/c/210219/

stable/kilo - Prevent creating encrypted volume with image
https://review.openstack.org/#/c/217365/

Comment 6 Lee Yarwood 2015-12-22 09:59:12 UTC
I'm closing this out as CANTFIX as the fault here is with Cinder and not Nova. I suggest that we create a Cinder RFE to follow the progress of the encryption improvements in M :

Improvement about encrypted volume
https://blueprints.launchpad.net/cinder/+spec/improve-encrypted-volume

Comment 12 Lee Yarwood 2016-05-09 09:55:10 UTC
*** Bug 1262121 has been marked as a duplicate of this bug. ***

Comment 21 Sean Cohen 2016-12-05 16:15:05 UTC
*** Bug 1230402 has been marked as a duplicate of this bug. ***

Comment 32 Avi Avraham 2017-11-13 10:16:26 UTC
Verified.
Packages installed:
openstack-tripleo-heat-templates-7.0.3-0.20171024200825.el7ost.noarch
openstack-cinder-11.0.0-0.20170611191457.3dacd2a.el7ost

Successfully created an encrypted volume from an image,
booted an instance from the encrypted volume and logged in to the instance via SSH.

Comment 35 errata-xmlrpc 2017-12-13 20:37:32 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:3462

