Bug 1409820 - Creating Encrypted Volumes with Cinder(Ceph backend) gives false positive
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-cinder
Version: 7.0 (Kilo)
Hardware: x86_64
OS: Linux
unspecified
low
Target Milestone: async
: 7.0 (Kilo)
Assignee: Eric Harney
QA Contact: Tzach Shefi
URL:
Whiteboard:
Depends On: 1380842 1401587
Blocks:
Reported: 2017-01-03 14:23 UTC by Eric Harney
Modified: 2017-02-15 23:00 UTC

Fixed In Version: openstack-cinder-2015.1.3-12.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1401587
Environment:
Last Closed: 2017-02-15 23:00:25 UTC
Target Upstream Version:


Attachments
Cinder verification volume.log (541.60 KB, text/plain)
2017-02-05 16:38 UTC, Tzach Shefi


Links
System ID Private Priority Status Summary Last Updated
OpenStack gerrit 386185 0 None MERGED RBD: prevent creation of encrypted volumes 2020-09-08 14:39:36 UTC
Red Hat Product Errata RHSA-2017:0282 0 normal SHIPPED_LIVE Moderate: openstack-cinder, openstack-glance, and openstack-nova security update 2017-02-16 03:52:44 UTC

Description Eric Harney 2017-01-03 14:23:56 UTC
+++ This bug was initially created as a clone of Bug #1401587 +++

+++ This bug was initially created as a clone of Bug #1380842 +++

Description of problem:
With OSP9 we can now create encrypted volumes using the Horizon dashboard. 

When you try the new feature with Ceph RBD as the Cinder backend, it works fine, i.e. it creates encrypted volumes using Horizon. Next, when you try to attach it to an instance, it says it went through fine, but it is not attached, i.e. a case of a false positive.

On doing some research I found that encryption support for RBD backend volumes was abandoned for Mitaka.
https://review.openstack.org/#/c/239798/

I'm filing this bug as, when I tried to attach the encrypted volume to an instance it said it went through fine. It's only when you look into the instance, you see that the volume has not been attached.


Version-Release number of selected component (if applicable):


How reproducible:
Can be reproduced easily.

Steps to Reproduce:
1. Configure OpenStack with Ceph as Cinder backend.
2. Use Horizon to create an encrypted volume.
3. Attach the volume to an instance in OpenStack.
4. Log into the instance, and check if the volume is there.

Actual results:


Expected results:
If Encrypting Ceph volumes is not supported in Mitaka, then the creation of the encrypted Volume itself should fail. 

It allows the creation, and attaching the volume to the instance also goes through fine. It's only when you log into the instance, you see that the volume is not there.

Additional info:




+++++

The solution is to prevent creation of encrypted volumes on the RBD backend, since it does not yet support encrypted volumes.

Comment 2 Tzach Shefi 2017-02-05 16:37:31 UTC
Verified, 
I did however need to update rpms manually.

As the deployment I had installed (7-p 2017-02-03.1 ) this morning still had these un"fixed-in" versions:
python-cinderclient-1.2.1-1.el7ost.noarch
python-cinder-2015.1.2-5.el7ost.noarch
openstack-cinder-2015.1.2-5.el7ost.noarch

# cinder type-create LUKS
# cinder encryption-type-create --cipher aes-xts-plain64 --key_size 512 --control_location front-end LUKS nova.volume.encryptors.luks.LuksEncryptor
# cinder create --display-name 'encrypted volume' --volume-type LUKS 1

Cinder debug=true

Cinder volume log didn't mention any expected errors like: 
ERROR cinder.volume.manager VolumeDriverException: Volume driver reported an error: Encryption is not yet supported.

Also volume status is available.
+--------------------------------------+-----------+------------------+------+-------------+----------+-------------+
|                  ID                  |   Status  |   Display Name   | Size | Volume Type | Bootable | Attached to |
+--------------------------------------+-----------+------------------+------+-------------+----------+-------------+
| 22b49d44-3b70-4022-97e2-4d18922a2ebe | available |        -         |  1   |      -      |  false   |             |
| 7242be38-0e6a-43c3-9266-838017e78544 | available | encrypted volume |  1   |     LUKS    |  false   |             |
+--------------------------------------+-----------+------------------+------+-------------+----------+-------------+

Following update of rpms: 
openstack-cinder-2015.1.3-12.el7ost.noarch.rpm
openstack-cinder-doc-2015.1.3-12.el7ost.noarch.rpm
python-cinder-2015.1.3-12.el7ost.noarch.rpm
python-oslo-concurrency-1.8.2-2.el7ost.noarch.rpm
 
Reboot controller 
# rpm -qa | grep cinder    -> now the corrected fixed-in versions.
python-cinderclient-1.2.1-1.el7ost.noarch
python-cinder-2015.1.3-12.el7ost.noarch
openstack-cinder-2015.1.3-12.el7ost.noarch
openstack-cinder-doc-2015.1.3-12.el7ost.noarch

Retried creating another encrypted volume, which failed as expected, as can be seen below:

[stack@undercloud-0 ~]$ cinder list
+--------------------------------------+-----------+-------------------+------+-------------+----------+-------------+
|                  ID                  |   Status  |    Display Name   | Size | Volume Type | Bootable | Attached to |
+--------------------------------------+-----------+-------------------+------+-------------+----------+-------------+
| 22b49d44-3b70-4022-97e2-4d18922a2ebe | available |         -         |  1   |      -      |  false   |             |
| 7242be38-0e6a-43c3-9266-838017e78544 | available |  encrypted volume |  1   |     LUKS    |  false   |             |
| dab5fc3b-af12-4786-b631-ad758e25bec2 |   error   | encrypted volume2 |  1   |     LUKS    |  false   |             |
+--------------------------------------+-----------+-------------------+------+-------------+----------+-------------+

Cinder volume.log reported expected error. 

2017-02-05 16:29:11.632 8001 TRACE cinder.volume.manager VolumeDriverException: Volume driver reported an error: Encryption is not yet supported.
2017-02-05 16:29:11.633 8001 DEBUG taskflow.engines.action_engine.runner [req-99288110-89b6-48f9-8478-9589d06153fd d6cfc699c71e44d3a311dc1ea6bbfb91 cb16460318b84d9bb3f8956fe113144c - - -] Discarding failure 'Failure: cinder.exception.VolumeDriverException: Volume driver reported an error: Encryption is not yet supported.' (in response to event 'executed') under completion units request during completion of node 'cinder.volume.flows.manager.create_volume.CreateVolumeFromSpecTask;volume:create==1.0' (intention is to REVERT) analyze /usr/lib/python2.7/site-packages/taskflow/engines/action_engine/runner.py:181
2017-02-05 16:29:11.671 8001 DEBUG cinder.volume.flows.manager.create_volume [req-99288110-89b6-48f9-8478-9589d06153fd d6cfc699c71e44d3a311dc1ea6bbfb91 cb16460318b84d9bb3f8956fe113144c - - -] Volume dab5fc3b-af12-4786-b631-ad758e25bec2: re-scheduling SchedulerAPI.create_volume attempt 3 due to Volume driver reported an error: Encryption is not yet supported. _reschedule /usr/lib/python2.7/site-packages/cinder/volume/flows/manager/create_volume.py:108
2017-02-05 16:29:11.744 8001 ERROR oslo_messaging.rpc.dispatcher [req-99288110-89b6-48f9-8478-9589d06153fd d6cfc699c71e44d3a311dc1ea6bbfb91 cb16460318b84d9bb3f8956fe113144c - - -] Exception during message handling: Volume driver reported an error: Encryption is not yet supported.
2017-02-05 16:29:11.744 8001 TRACE oslo_messaging.rpc.dispatcher VolumeDriverException: Volume driver reported an error: Encryption is not yet supported.
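
An added example (not part of the bug report and not Cinder code): it parses the post-update `cinder list` output and a volume.log line from the comment above, and reports volumes of an encrypted type that were accepted rather than rejected, such as the one created before the package update. It assumes every listed volume is on the RBD backend and that the caller supplies the names of volume types that have an encryption type (here `LUKS`); the function names are hypothetical.

```python
import re

# Sample input: the post-update `cinder list` table and one volume.log line,
# both taken from the comment above (the log line is shortened).
CINDER_LIST = """\
+--------------------------------------+-----------+-------------------+------+-------------+----------+-------------+
|                  ID                  |   Status  |    Display Name   | Size | Volume Type | Bootable | Attached to |
+--------------------------------------+-----------+-------------------+------+-------------+----------+-------------+
| 22b49d44-3b70-4022-97e2-4d18922a2ebe | available |         -         |  1   |      -      |  false   |             |
| 7242be38-0e6a-43c3-9266-838017e78544 | available |  encrypted volume |  1   |     LUKS    |  false   |             |
| dab5fc3b-af12-4786-b631-ad758e25bec2 |   error   | encrypted volume2 |  1   |     LUKS    |  false   |             |
+--------------------------------------+-----------+-------------------+------+-------------+----------+-------------+
"""
VOLUME_LOG = (
    "2017-02-05 16:29:11.671 8001 DEBUG cinder.volume.flows.manager.create_volume "
    "Volume dab5fc3b-af12-4786-b631-ad758e25bec2: re-scheduling SchedulerAPI.create_volume "
    "attempt 3 due to Volume driver reported an error: Encryption is not yet supported.\n"
)
REJECTED = re.compile(r"Volume ([0-9a-f-]{36}): .*Encryption is not yet supported\.")

def parse_table(text):
    """Turn a '|'-delimited CLI table into a list of dicts keyed by column header."""
    rows = [l.strip()[1:-1].split("|") for l in text.splitlines() if l.strip().startswith("|")]
    if not rows:
        return []
    header = [c.strip() for c in rows[0]]
    # Rows whose cell count does not match the header are skipped as malformed.
    return [dict(zip(header, (c.strip() for c in r))) for r in rows[1:] if len(r) == len(header)]

def rejected_volume_ids(log_text):
    """IDs of volumes whose creation the driver refused with the encryption error."""
    return {m.group(1) for m in REJECTED.finditer(log_text)}

def audit(list_text, log_text, encrypted_types):
    """IDs of encrypted-type volumes that were accepted: not in 'error', not rejected in the log."""
    rejected = rejected_volume_ids(log_text)
    return [v["ID"] for v in parse_table(list_text)
            if v["Volume Type"] in encrypted_types
            and v["Status"] != "error"
            and v["ID"] not in rejected]

if __name__ == "__main__":
    # 'LUKS' is the encrypted volume type created in the comment above.
    for vol_id in audit(CINDER_LIST, VOLUME_LOG, {"LUKS"}):
        print("review: encrypted-type volume accepted on RBD:", vol_id)
```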

Comment 3 Tzach Shefi 2017-02-05 16:38:23 UTC
Created attachment 1247822
Cinder verification volume.log

Comment 5 errata-xmlrpc 2017-02-15 23:00:25 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2017-0282.html

