Bug 1434989 - block encrypted NFS volume creation
Summary: block encrypted NFS volume creation
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-cinder
Version: 10.0 (Newton)
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: z7
Target Release: 10.0 (Newton)
Assignee: Eric Harney
QA Contact: Tzach Shefi
URL:
Whiteboard:
Depends On:
Blocks: 1454380
Reported: 2017-03-22 20:40 UTC by Eric Harney
Modified: 2017-12-08 22:04 UTC

Fixed In Version: openstack-cinder-9.1.4-3.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1454380
Environment:
Last Closed: 2017-12-08 22:04:06 UTC
Target Upstream Version:
Embargoed:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Launchpad | 1675469 | 0 | None | None | None | 2017-03-23 16:21:25 UTC
OpenStack gerrit | 449205 | 0 | 'None' | MERGED | RemoteFS: prevent creation of encrypted volumes | 2021-02-03 12:01:54 UTC
Red Hat Bugzilla | 1305022 | 0 | medium | ON_DEV | [RFE][cinder] Support volume encryption on NFS backends | 2024-04-09 10:08:27 UTC

Internal Links: 1305022

Description Eric Harney 2017-03-22 20:40:57 UTC
Volume encryption does not yet work with the Cinder NFS driver.

However, Cinder will create volumes that appear to be encrypted.

This was fixed in the RBD driver here: https://review.openstack.org/#/c/386185/

We should apply a similar fix for the NFS driver.

Comment 2 Lon Hohberger 2017-11-28 19:19:50 UTC
According to our records, this should be resolved by openstack-cinder-9.1.4-12.el7ost.  This build is available now.

Comment 3 Tzach Shefi 2017-12-05 11:16:37 UTC
Verified on:
openstack-cinder-9.1.4-12.el7ost.noarch

On a Cinder NFS backed system:

[stack@undercloud-0 ~]$ cinder service-list
+------------------+-----------------------+------+---------+-------+----------------------------+-----------------+
| Binary           | Host                  | Zone | Status  | State | Updated_at                 | Disabled Reason |
+------------------+-----------------------+------+---------+-------+----------------------------+-----------------+
| cinder-scheduler | hostgroup             | nova | enabled | up    | 2017-12-05T10:58:34.000000 | -               |
| cinder-volume    | hostgroup@tripleo_nfs | nova | enabled | up    | 2017-12-05T10:58:34.000000 | -               |
+------------------+-----------------------+------+---------+-------+----------------------------+-----------------+


Creating an encrypted NFS-backed volume:
$ cinder create --display-name 'encrNFSvol' --volume-type LUKS 1

Fails as expected:
$ cinder list
+--------------------------------------+--------+------------+------+-------------+----------+-------------+
| ID                                   | Status | Name       | Size | Volume Type | Bootable | Attached to |
+--------------------------------------+--------+------------+------+-------------+----------+-------------+
| 02fb7b52-41b0-4106-a326-bc096e06f9ff | error  | encrNFSvol | 1    | LUKS        | false    |             |
+--------------------------------------+--------+------------+------+-------------+----------+-------------+


The Cinder volume log's traceback raises the expected error:


2017-12-05 11:12:16.918 530208 ERROR cinder.volume.manager     raise exception.VolumeDriverException(message=message)
2017-12-05 11:12:16.918 530208 ERROR cinder.volume.manager VolumeDriverException: Volume driver reported an error: Encryption is not yet supported.
2017-12-05 11:12:16.918 530208 ERROR cinder.volume.manager
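
An added example, not part of the bug report or of Cinder's code: a Python audit that flags volumes still marked encrypted on an NFS backend, as could be left behind by builds that predate the fix. The config fragment, the `tripleo_iscsi` backend and the volume records are constructed; the field names assume the Cinder volume API attributes `encrypted` and `os-vol-host-attr:host`.

```python
import configparser
# Assumption: the NFS backend uses the stock Cinder NFS driver class path.
UNSUPPORTED_DRIVERS = {"cinder.volume.drivers.nfs.NfsDriver"}

# Constructed cinder.conf fragment; tripleo_iscsi is a hypothetical second backend.
SAMPLE_CONF = """
[DEFAULT]
enabled_backends = tripleo_nfs,tripleo_iscsi
[tripleo_nfs]
volume_driver = cinder.volume.drivers.nfs.NfsDriver
[tripleo_iscsi]
volume_driver = cinder.volume.drivers.lvm.LVMVolumeDriver
"""

# Constructed volume records using Cinder volume API field names.
KEYS = ("id", "status", "encrypted", "os-vol-host-attr:host")
SAMPLE_VOLUMES = [dict(zip(KEYS, row)) for row in [
    ("vol-1", "available", True, "hostgroup@tripleo_nfs#tripleo_nfs"),
    ("vol-2", "error", True, "hostgroup@tripleo_nfs"),
    ("vol-3", "available", True, "hostgroup@tripleo_iscsi#pool"),
    ("vol-4", "available", False, "hostgroup@tripleo_nfs"),
    ("vol-5", "in-use", True, "hostgroup@tripleo_nfs"),
]]

def backend_drivers(conf_text):
    """Map each enabled backend section to its volume_driver."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    names = [n.strip() for n in cp.get("DEFAULT", "enabled_backends").split(",")]
    return {n: cp.get(n, "volume_driver", fallback=None) for n in names if cp.has_section(n)}

def backend_of(host):
    """Extract the backend from a Cinder host string (host@backend#pool)."""
    if not host or "@" not in host:
        return None
    return host.split("@", 1)[1].split("#", 1)[0]

def falsely_encrypted(volumes, drivers, unsupported=UNSUPPORTED_DRIVERS):
    """Return (id, backend) for live volumes marked encrypted on an unsupported driver."""
    findings = []
    for v in volumes:
        backend = backend_of(v.get("os-vol-host-attr:host"))
        live = v.get("status") != "error"  # 'error' = already rejected by a fixed driver
        if v.get("encrypted") and live and drivers.get(backend) in unsupported:
            findings.append((v["id"], backend))
    return findings

if __name__ == "__main__":
    print(falsely_encrypted(SAMPLE_VOLUMES, backend_drivers(SAMPLE_CONF)))
```

Any volume this reports should be treated as holding unencrypted data, whatever its volume type says.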

