Bug 1362512 - [9.0.z] Unable to attach multipath backed encrypted volumes to instances
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-nova
Version: 9.0 (Mitaka)
Hardware: x86_64
OS: Linux
Priority: high
Severity: high
Target Milestone: ga
Target Release: 9.0 (Mitaka)
Assignee: Lee Yarwood
QA Contact: Prasanth Anbalagan
URL:
Whiteboard:
Depends On:
Blocks: 1362514 1362515 1362518
Reported: 2016-08-02 12:17 UTC by Lee Yarwood
Modified: 2019-09-09 14:35 UTC (History)

Fixed In Version: openstack-nova-13.1.0-6.el7ost
Doc Type: Bug Fix
Doc Text:
Previously, the cryptsetup tool would attempt to reuse multi-path device names when creating a dm-crypt device. This would cause the tool to fail because the device would already exist in the host, which would cause the attachment of a multi-path backed encrypted volume to also fail. With this update, the cryptsetup tool now uses a unique device name, allowing it to create the dm-crypt device successfully, and the attachment of multi-path backed encrypted volumes to succeed.
Clone Of:
: 1362514 (view as bug list)
Environment:
Last Closed: 2016-08-24 12:57:34 UTC
Target Upstream Version:
Embargoed:


Links
System ID: Red Hat Product Errata RHBA-2016:1758
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: openstack-nova bug fix advisory
Last Updated: 2016-08-24 16:50:11 UTC

Description Lee Yarwood 2016-08-02 12:17:55 UTC
Description of problem:

The following failure is seen when attempting to attach multipath backed encrypted volumes to an instance:

2016-08-01 18:27:32.081 13629 DEBUG nova.openstack.common.processutils [req-945b0e6f-b1ed-47b1-9fec-86058d8a2225 ] Running cmd (subprocess): sudo nova-rootwrap /etc/nova/rootwrap.conf cryptsetup luksOpen --key-file=- /dev/dm-8 3600a098038303365763f476c63634758 execute /usr/lib/python2.7/site-packages/nova/openstack/common/processutils.py:171

This is due to a 3600a098038303365763f476c63634758 device already present and in-use on the host. The following change recently corrected this against master:

Fix multipath iSCSI encrypted volume attach failure
https://review.openstack.org/#/c/196482/

This is only present in OSP 6 and 7 with the following Cinder bugfix:

Cinder volume encryption with iSCSI backend doesn't work
https://bugzilla.redhat.com/show_bug.cgi?id=1359197


Version-Release number of selected component (if applicable):
OSP 6,7,8,9

How reproducible:
Always

Steps to Reproduce:
1. Attempt to attach a multipath backed encrypted volume to an instance.

Actual results:
`cryptsetup luksOpen` fails.

Expected results:
`cryptsetup luksOpen` succeeds and the volume is correctly attached.

Additional info:
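
The name collision described in this report, as an added example that is not part of the original report and is not nova's code. It parses `multipath -ll` style output and compares the dm-crypt mapping name passed to `cryptsetup luksOpen` against the device-mapper names already in use; the `/dev/mapper/<WWID>` path, the `crypt-` prefix and all function names are assumptions made for illustration.

```python
import re

# Constructed sample in the format of `multipath -ll`; the WWID and dm-8
# come from the failing luksOpen command above, the rest is made up.
SAMPLE_MULTIPATH_LL = """\
3600a098038303365763f476c63634758 dm-8 VENDOR ,PRODUCT
size=1.0G features='0' hwhandler='0' wp=rw
|-+- policy='service-time 0' prio=1 status=active
| `- 26:0:0:0 sdb 8:16  active ready running
`-+- policy='service-time 0' prio=1 status=enabled
  `- 27:0:0:0 sdc 8:32  active ready running
"""

# Map header: "<name> dm-N ..." or "<alias> (<wwid>) dm-N ..." with friendly names.
MAP_HEADER = re.compile(r"^(?P<name>[\w.-]+)(?:\s+\(\w+\))?\s+(?P<dm>dm-\d+)\s", re.M)


def multipath_maps(text):
    """Return {device-mapper name: dm node} for each multipath map in the output."""
    return {m["name"]: m["dm"] for m in MAP_HEADER.finditer(text)}


def naive_mapping_name(device_path):
    """Failing behaviour from the report: reuse the last path component as-is."""
    return device_path.rstrip("/").split("/")[-1]


def unique_mapping_name(device_path, in_use, prefix="crypt-"):
    """Pick a dm-crypt mapping name that no existing device-mapper device uses.

    The prefix is a hypothetical choice; a numeric suffix covers the case
    where the prefixed name is itself already taken.
    """
    base = prefix + naive_mapping_name(device_path)
    name, n = base, 0
    while name in in_use:
        n += 1
        name = "%s-%d" % (base, n)
    return name


def check_attach(device_path, multipath_text):
    """Report whether the naive name collides and which name would be safe."""
    in_use = set(multipath_maps(multipath_text))
    naive = naive_mapping_name(device_path)
    return {"naive": naive, "naive_collides": naive in in_use,
            "safe": unique_mapping_name(device_path, in_use)}
```
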

Comment 2 Prasanth Anbalagan 2016-08-15 18:25:50 UTC
Verified as follows - attached 5 encrypted volumes w/ multipath to an instance.

***********
VERSION
***********
[root@serverA]# yum list installed | grep openstack-nova
openstack-nova-api.noarch            1:13.1.1-1.el7ost       @rhelosp-9.0-puddle
openstack-nova-cert.noarch           1:13.1.1-1.el7ost       @rhelosp-9.0-puddle
openstack-nova-common.noarch         1:13.1.1-1.el7ost       @rhelosp-9.0-puddle
openstack-nova-compute.noarch        1:13.1.1-1.el7ost       @rhelosp-9.0-puddle
openstack-nova-conductor.noarch      1:13.1.1-1.el7ost       @rhelosp-9.0-puddle
openstack-nova-console.noarch        1:13.1.1-1.el7ost       @rhelosp-9.0-puddle
openstack-nova-novncproxy.noarch     1:13.1.1-1.el7ost       @rhelosp-9.0-puddle
openstack-nova-scheduler.noarch      1:13.1.1-1.el7ost       @rhelosp-9.0-puddle


*******
LOGS
*******
[root@serverA]# cinder encryption-type-list
+--------------------------------------+-------------------------------------------+-----------------+----------+------------------+
|            Volume Type ID            |                  Provider                 |      Cipher     | Key Size | Control Location |
+--------------------------------------+-------------------------------------------+-----------------+----------+------------------+
| a3c10847-cd23-4587-96ab-e8246dc3d2f0 | nova.volume.encryptors.luks.LuksEncryptor | aes-xts-plain64 |   512    |    front-end     |
+--------------------------------------+-------------------------------------------+-----------------+----------+------------------+


[root@serverA]# cinder show vol1 | grep encrypted
|           encrypted            |                 True                 |
[root@serverA]# cinder show vol2 | grep encrypted
|           encrypted            |                 True                 |
[root@serverA]# cinder show vol3 | grep encrypted
|           encrypted            |                 True                 |
[root@serverA]# cinder show vol4 | grep encrypted
|           encrypted            |                 True                 |
[root@serverA]# cinder show vol5 | grep encrypted
|           encrypted            |                 True                 |


[root@serverA]# nova list
+--------------------------------------+------+--------+------------+-------------+---------------------+
| ID                                   | Name | Status | Task State | Power State | Networks            |
+--------------------------------------+------+--------+------------+-------------+---------------------+
| 8d044b32-5dd2-4057-a6a2-8c48037c7566 | vm1  | ACTIVE | -          | Running     | public=172.24.4.238 |
+--------------------------------------+------+--------+------------+-------------+---------------------+
[root@serverA]# 


[root@serverA]# cinder list
+--------------------------------------+--------+------+------+-------------+----------+--------------------------------------+
|                  ID                  | Status | Name | Size | Volume Type | Bootable |             Attached to              |
+--------------------------------------+--------+------+------+-------------+----------+--------------------------------------+
| 3861519a-d05e-4e91-ae10-e1e5cfca2e51 | in-use | vol1 |  1   |    iscsi    |  false   | 8d044b32-5dd2-4057-a6a2-8c48037c7566 |
| 3fca2f93-5725-49bb-a137-ece57c8970d3 | in-use | vol4 |  1   |    iscsi    |  false   | 8d044b32-5dd2-4057-a6a2-8c48037c7566 |
| 50ce84bd-9883-46b5-bf65-529dffd44dda | in-use | vol3 |  1   |    iscsi    |  false   | 8d044b32-5dd2-4057-a6a2-8c48037c7566 |
| 8b1ac8db-19b5-4ddf-838e-2145ad1a5e92 | in-use | vol2 |  1   |    iscsi    |  false   | 8d044b32-5dd2-4057-a6a2-8c48037c7566 |
| d459d166-b85d-4b27-8263-146fe94c0d77 | in-use | vol5 |  1   |    iscsi    |  false   | 8d044b32-5dd2-4057-a6a2-8c48037c7566 |
+--------------------------------------+--------+------+------+-------------+----------+--------------------------------------+

[root@serverA]# multipath -ll
36001405648c3d7f5c60469f8d459dca4 dm-5 LIO-ORG ,IBLOCK          
size=1.0G features='0' hwhandler='0' wp=rw
|-+- policy='service-time 0' prio=1 status=active
| `- 26:0:0:0 sdb 8:16  active ready running
`-+- policy='service-time 0' prio=1 status=enabled
  `- 27:0:0:0 sdc 8:32  active ready running
360014052c49f4e3d72c4190be6fe54c6 dm-7 LIO-ORG ,IBLOCK          
size=1.0G features='0' hwhandler='0' wp=rw
|-+- policy='service-time 0' prio=1 status=active
| `- 28:0:0:0 sdd 8:48  active ready running
`-+- policy='service-time 0' prio=1 status=enabled
  `- 29:0:0:0 sde 8:64  active ready running
3600140559f26a031a304eaca65dc3992 dm-13 LIO-ORG ,IBLOCK          
size=1.0G features='0' hwhandler='0' wp=rw
|-+- policy='service-time 0' prio=1 status=active
| `- 34:0:0:0 sdj 8:144 active ready running
`-+- policy='service-time 0' prio=1 status=enabled
  `- 35:0:0:0 sdk 8:160 active ready running
3600140542339871e7a543148f79a3285 dm-9 LIO-ORG ,IBLOCK          
size=1.0G features='0' hwhandler='0' wp=rw
|-+- policy='service-time 0' prio=1 status=active
| `- 30:0:0:0 sdf 8:80  active ready running
`-+- policy='service-time 0' prio=1 status=enabled
  `- 31:0:0:0 sdg 8:96  active ready running
360014059ab72759d9d042d7849d6098f dm-11 LIO-ORG ,IBLOCK          
size=1.0G features='0' hwhandler='0' wp=rw
|-+- policy='service-time 0' prio=1 status=active
| `- 32:0:0:0 sdh 8:112 active ready running
`-+- policy='service-time 0' prio=1 status=enabled
  `- 33:0:0:0 sdi 8:128 active ready running
[root@seal56 ~(keystone_admin)]#

Comment 4 errata-xmlrpc 2016-08-24 12:57:34 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-1758.html

