Bug 1380842 - Creating Encrypted Volumes with Cinder(Ceph backend) gives false positive
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-cinder
Version: 9.0 (Mitaka)
Hardware: x86_64
OS: Linux
unspecified
low
Target Milestone: async
: 9.0 (Mitaka)
Assignee: Jon Bernard
QA Contact: lkuchlan
URL:
Whiteboard:
Depends On:
Blocks: 1401587 1409820
Reported: 2016-09-30 18:14 UTC by mshetty
Modified: 2018-09-04 13:15 UTC

Fixed In Version: openstack-cinder-8.1.1-4.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1401587
Environment:
Last Closed: 2016-12-07 22:20:39 UTC
Target Upstream Version:
Embargoed:



Links
System ID Private Priority Status Summary Last Updated
OpenStack gerrit 386185 0 'None' MERGED RBD: prevent creation of encrypted volumes 2020-02-27 14:26:47 UTC
Red Hat Product Errata RHSA-2016:2923 0 normal SHIPPED_LIVE Moderate: openstack-cinder and openstack-glance security update 2016-12-08 03:20:01 UTC

Description mshetty 2016-09-30 18:14:24 UTC
Description of problem:
With OSP9 we can now create encrypted volumes using the Horizon dashboard. 

When you try the new feature with Ceph RBD as the Cinder backend, it works fine, i.e. it creates encrypted volumes using Horizon. Next, when you try to attach it to an instance, it says it went through fine, but it is not attached, i.e. a case of false positive.

On doing some research I found that encryption support for RBD backend volumes was abandoned for Mitaka.
https://review.openstack.org/#/c/239798/

I'm filing this bug because, when I tried to attach the encrypted volume to an instance, it said it went through fine. It's only when you look into the instance that you see that the volume has not been attached.


Version-Release number of selected component (if applicable):


How reproducible:
Can be reproduced easily.

Steps to Reproduce:
1. Configure OpenStack with Ceph as Cinder backend.
2. Use Horizon to create an encrypted volume.
3. Attach the volume to an instance in OpenStack.
4. Log into the instance, and check if the volume is there.

Actual results:


Expected results:
If Encrypting Ceph volumes is not supported in Mitaka, then the creation of the encrypted Volume itself should fail. 

It allows the creation, and attaching the volume to the instance also goes through fine. It's only when you log into the instance that you see that the volume is not there.

Additional info:

Comment 2 Paul Grist 2016-10-10 15:18:41 UTC
Changing this to cinder and will triage to confirm. Not sure if this used to fail as expected.

Comment 3 Jon Bernard 2016-10-11 15:36:36 UTC
Yeah, this is not awesome.  Since cinder doesn't manage the LUKS device, it just tags the volume with metadata that nova uses for encryption at attach-time.  I'll see if there's a clean way to catch this in the RBD cinder driver and stop this false positive.

Comment 4 Jon Bernard 2016-11-01 19:37:11 UTC
Patch merged upstream, will prepare a stable backport and downstream backports for osp 10 and 9 next.

Comment 7 lkuchlan 2016-12-05 14:35:19 UTC
Tested using:
openstack-cinder-8.1.1-4.el7ost.noarch

Verification flow:

[stack@undercloud-0 ~]$ cinder type-create LUKS
+--------------------------------------+------+-------------+-----------+
|                  ID                  | Name | Description | Is_Public |
+--------------------------------------+------+-------------+-----------+
| 3170734d-be86-4bf5-bdf0-f5cd1a8ec35c | LUKS |      -      |    True   |
+--------------------------------------+------+-------------+-----------+

[stack@undercloud-0 ~]$  cinder encryption-type-create --cipher aes-xts-plain64 --key_size 512 \
>   --control_location front-end LUKS nova.volume.encryptors.luks.LuksEncryptor
+--------------------------------------+-------------------------------------------+-----------------+----------+------------------+
|            Volume Type ID            |                  Provider                 |      Cipher     | Key Size | Control Location |
+--------------------------------------+-------------------------------------------+-----------------+----------+------------------+
| 3170734d-be86-4bf5-bdf0-f5cd1a8ec35c | nova.volume.encryptors.luks.LuksEncryptor | aes-xts-plain64 |   512    |    front-end     |
+--------------------------------------+-------------------------------------------+-----------------+----------+------------------+

[stack@undercloud-0 ~]$ cinder create --display-name 'encrypted volume' --volume-type LUKS 1
+--------------------------------+--------------------------------------+
|            Property            |                Value                 |
+--------------------------------+--------------------------------------+
|          attachments           |                  []                  |
|       availability_zone        |                 nova                 |
|            bootable            |                false                 |
|      consistencygroup_id       |                 None                 |
|           created_at           |      2016-12-05T14:25:49.000000      |
|          description           |                 None                 |
|           encrypted            |                 True                 |
|               id               | f436be8d-3f3f-4194-a54a-738f5a828608 |
|            metadata            |                  {}                  |
|        migration_status        |                 None                 |
|          multiattach           |                False                 |
|              name              |           encrypted volume           |
|     os-vol-host-attr:host      |                 None                 |
| os-vol-mig-status-attr:migstat |                 None                 |
| os-vol-mig-status-attr:name_id |                 None                 |
|  os-vol-tenant-attr:tenant_id  |   1f949d56da9f4c328955c0690296e88b   |
|       replication_status       |               disabled               |
|              size              |                  1                   |
|          snapshot_id           |                 None                 |
|          source_volid          |                 None                 |
|             status             |               creating               |
|           updated_at           |                 None                 |
|            user_id             |   6932e961f8fa4b409d4086c7b34d7f0a   |
|          volume_type           |                 LUKS                 |
+--------------------------------+--------------------------------------+

[stack@undercloud-0 ~]$ cinder list
+--------------------------------------+--------+------------------+------+-------------+----------+-------------+
|                  ID                  | Status |       Name       | Size | Volume Type | Bootable | Attached to |
+--------------------------------------+--------+------------------+------+-------------+----------+-------------+
| f436be8d-3f3f-4194-a54a-738f5a828608 | error  | encrypted volume |  1   |     LUKS    |  false   |             |
+--------------------------------------+--------+------------------+------+-------------+----------+-------------+

From cinder/volume.log
-----------------------

Volume driver reported an error: Encryption is not yet supported.
2016-12-05 14:25:50.731 22470 ERROR oslo_messaging.rpc.dispatcher Traceback (most recent call last):
2016-12-05 14:25:50.731 22470 ERROR oslo_messaging.rpc.dispatcher   File "/usr/lib/python2.7/site-packages/oslo_messaging/rpc/dispatcher.py", line 138, in _dispatch_and_reply
2016-12-05 14:25:50.731 22470 ERROR oslo_messaging.rpc.dispatcher     incoming.message))
2016-12-05 14:25:50.731 22470 ERROR oslo_messaging.rpc.dispatcher   File "/usr/lib/python2.7/site-packages/oslo_messaging/rpc/dispatcher.py", line 183, in _dispatch
2016-12-05 14:25:50.731 22470 ERROR oslo_messaging.rpc.dispatcher     return self._do_dispatch(endpoint, method, ctxt, args)
2016-12-05 14:25:50.731 22470 ERROR oslo_messaging.rpc.dispatcher   File "/usr/lib/python2.7/site-packages/oslo_messaging/rpc/dispatcher.py", line 127, in _do_dispatch
2016-12-05 14:25:50.731 22470 ERROR oslo_messaging.rpc.dispatcher     result = func(ctxt, **new_args)
2016-12-05 14:25:50.731 22470 ERROR oslo_messaging.rpc.dispatcher   File "/usr/lib/python2.7/site-packages/cinder/volume/manager.py", line 631, in create_volume
2016-12-05 14:25:50.731 22470 ERROR oslo_messaging.rpc.dispatcher     _run_flow()
2016-12-05 14:25:50.731 22470 ERROR oslo_messaging.rpc.dispatcher   File "/usr/lib/python2.7/site-packages/cinder/volume/manager.py", line 618, in _run_flow
2016-12-05 14:25:50.731 22470 ERROR oslo_messaging.rpc.dispatcher     flow_engine.run()
2016-12-05 14:25:50.731 22470 ERROR oslo_messaging.rpc.dispatcher   File "/usr/lib/python2.7/site-packages/taskflow/engines/action_engine/engine.py", line 230, in run
2016-12-05 14:25:50.731 22470 ERROR oslo_messaging.rpc.dispatcher     for _state in self.run_iter(timeout=timeout):
2016-12-05 14:25:50.731 22470 ERROR oslo_messaging.rpc.dispatcher   File "/usr/lib/python2.7/site-packages/taskflow/engines/action_engine/engine.py", line 308, in run_iter
2016-12-05 14:25:50.731 22470 ERROR oslo_messaging.rpc.dispatcher     failure.Failure.reraise_if_any(fails)
2016-12-05 14:25:50.731 22470 ERROR oslo_messaging.rpc.dispatcher   File "/usr/lib/python2.7/site-packages/taskflow/types/failure.py", line 336, in reraise_if_any
2016-12-05 14:25:50.731 22470 ERROR oslo_messaging.rpc.dispatcher     failures[0].reraise()
2016-12-05 14:25:50.731 22470 ERROR oslo_messaging.rpc.dispatcher   File "/usr/lib/python2.7/site-packages/taskflow/types/failure.py", line 343, in reraise
2016-12-05 14:25:50.731 22470 ERROR oslo_messaging.rpc.dispatcher     six.reraise(*self._exc_info)
2016-12-05 14:25:50.731 22470 ERROR oslo_messaging.rpc.dispatcher   File "/usr/lib/python2.7/site-packages/taskflow/engines/action_engine/executor.py", line 82, in _execute_task
2016-12-05 14:25:50.731 22470 ERROR oslo_messaging.rpc.dispatcher     result = task.execute(**arguments)
2016-12-05 14:25:50.731 22470 ERROR oslo_messaging.rpc.dispatcher   File "/usr/lib/python2.7/site-packages/cinder/volume/flows/manager/create_volume.py", line 814, in execute
2016-12-05 14:25:50.731 22470 ERROR oslo_messaging.rpc.dispatcher     **volume_spec)
2016-12-05 14:25:50.731 22470 ERROR oslo_messaging.rpc.dispatcher   File "/usr/lib/python2.7/site-packages/cinder/volume/flows/manager/create_volume.py", line 792, in _create_raw_volume
2016-12-05 14:25:50.731 22470 ERROR oslo_messaging.rpc.dispatcher     return self.driver.create_volume(volume_ref)
2016-12-05 14:25:50.731 22470 ERROR oslo_messaging.rpc.dispatcher   File "/usr/lib/python2.7/site-packages/cinder/volume/drivers/rbd.py", line 538, in create_volume
2016-12-05 14:25:50.731 22470 ERROR oslo_messaging.rpc.dispatcher     raise exception.VolumeDriverException(message=message)
2016-12-05 14:25:50.731 22470 ERROR oslo_messaging.rpc.dispatcher VolumeDriverException: Volume driver reported an error: Encryption is not yet supported.
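
An audit for the condition this bug describes, as an added example that is not part of the bug report or of Cinder itself: on a deployment whose only Cinder backend is Ceph RBD, a volume of an encrypted type that reached `available` or `in-use` was accepted without the driver rejection verified above. The sample table is constructed (only the f436be8d-3f3f-4194-a54a-738f5a828608 row comes from Comment 7), and `parse_cli_table`, `find_unenforced_encrypted` and `ACCEPTED_STATES` are hypothetical names.

```python
# Added example: audit `cinder list` output on a Ceph RBD-only deployment.
# Sample rows are constructed, except the f436be8d... row taken from Comment 7.
SAMPLE_CINDER_LIST = """\
+--------------------------------------+-----------+------------------+------+-------------+----------+-------------+
|                  ID                  |   Status  |       Name       | Size | Volume Type | Bootable | Attached to |
+--------------------------------------+-----------+------------------+------+-------------+----------+-------------+
| 00000000-0000-0000-0000-000000000001 | available |   old-luks-vol   |  1   |     LUKS    |  false   |             |
| 00000000-0000-0000-0000-000000000002 |   in-use  |     db-data      |  5   |     LUKS    |  false   | 00000000-0000-0000-0000-0000000000aa |
| 00000000-0000-0000-0000-000000000003 | available |    plain-vol     |  1   |      -      |  false   |             |
| f436be8d-3f3f-4194-a54a-738f5a828608 |   error   | encrypted volume |  1   |     LUKS    |  false   |             |
+--------------------------------------+-----------+------------------+------+-------------+----------+-------------+
"""

# States in which the driver accepted the create request (assumption: transient
# states such as "creating" are ignored and re-checked on the next run).
ACCEPTED_STATES = {"available", "in-use"}


def parse_cli_table(text):
    """Turn the ASCII table printed by the cinder CLI into a list of dicts."""
    header, rows = None, []
    for line in text.splitlines():
        line = line.strip()
        if not (line.startswith("|") and line.endswith("|")):
            continue  # border lines (+----+), prompts and blank lines
        cells = [cell.strip() for cell in line[1:-1].split("|")]
        if header is None:
            header = cells
        elif len(cells) == len(header):
            rows.append(dict(zip(header, cells)))
    return rows


def find_unenforced_encrypted(list_output, encrypted_types):
    """Volumes of an encrypted type that the RBD backend did not reject."""
    return [
        (row["ID"], row["Name"], row["Status"])
        for row in parse_cli_table(list_output)
        if row["Volume Type"] in encrypted_types
        and row["Status"] in ACCEPTED_STATES
    ]


if __name__ == "__main__":
    # "LUKS" is the encrypted volume type created in the verification flow.
    for vol_id, name, status in find_unenforced_encrypted(SAMPLE_CINDER_LIST, {"LUKS"}):
        print(f"REVIEW {vol_id} ({name}): status={status}, tagged encrypted on RBD")
```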

Comment 9 errata-xmlrpc 2016-12-07 22:20:39 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-2923.html

