Description of problem: Cinder does not properly handle encrypted volumes when uploading to images or creating from images. Steps to Reproduce: 1. Create an encrypted volume 2. Upload this volume to Glance 3. Create a new volume from the Glance image Based on bug 1388559 from OSP10.
Hi Eric, Having some issues, maybe I missed something. Created a LUKS volume [stack@undercloud-0 ~]$ cinder type-create LUKS +--------------------------------------+------+-------------+-----------+ | ID | Name | Description | Is_Public | +--------------------------------------+------+-------------+-----------+ | 773a7717-57b1-4b2a-ba04-293b39b6de90 | LUKS | - | True | +--------------------------------------+------+-------------+-----------+ [stack@undercloud-0 ~]$ cinder encryption-type-create --cipher aes-xts-plain64 --key_size 512 \ > --control_location front-end LUKS nova.volume.encryptors.luks.LuksEncryptor +--------------------------------------+-------------------------------------------+-----------------+----------+------------------+ | Volume Type ID | Provider | Cipher | Key Size | Control Location | +--------------------------------------+-------------------------------------------+-----------------+----------+------------------+ | 773a7717-57b1-4b2a-ba04-293b39b6de90 | nova.volume.encryptors.luks.LuksEncryptor | aes-xts-plain64 | 512 | front-end | +--------------------------------------+-------------------------------------------+-----------------+----------+------------------+ [stack@undercloud-0 ~]$ cinder type-list +--------------------------------------+------+-------------+-----------+ | ID | Name | Description | Is_Public | +--------------------------------------+------+-------------+-----------+ | 773a7717-57b1-4b2a-ba04-293b39b6de90 | LUKS | - | True | +--------------------------------------+------+-------------+-----------+ Created a volume of this type [stack@undercloud-0 ~]$ cinder list +--------------------------------------+-----------+---------+------+-------------+----------+--------------------------------------+ | ID | Status | Name | Size | Volume Type | Bootable | Attached to | +--------------------------------------+-----------+---------+------+-------------+----------+--------------------------------------+ | 570751f0-bae3-4f73-8c1c-f70fab105539 | available | enc_vol | 1 | LUKS | false | | | e047ebfd-5375-47c7-9668-dd72f9fd567d | in-use | rhel_7 | 1 | - | false | eba88342-a5f4-4470-a856-774b61adcd06 | +--------------------------------------+-----------+---------+------+-------------+----------+--------------------------------------+ Creating a image from this encrypted volume fails: [stack@undercloud-0 ~]$ cinder upload-to-image 570751f0-bae3-4f73-8c1c-f70fab105539 encrypted_image ERROR: The server has either erred or is incapable of performing the requested operation. (HTTP 500) (Request-ID: req-9da8cafd-f960-4f11-91af-b6d502a296cd) If I detach the second (in-use) volume and make an image from it that works fine [stack@undercloud-0 ~]$ cinder upload-to-image e047ebfd-5375-47c7-9668-dd72f9fd567d uploadNoneEncVol --force [stack@undercloud-0 ~]$ glance image-list +--------------------------------------+------------------+ | ID | Name | +--------------------------------------+------------------+ | a104dfb7-4dbc-484c-9b8f-a8f2e838a118 | cirros | | 25b6b561-7efc-46ad-8f55-be681e24e6a8 | uploadNoneEncVol | +--------------------------------------+------------------+ Any ideas?
Created attachment 1293625 [details] Cinder and Glance logs
Verified on: openstack-cinder-10.0.3-2.el7ost.noarch 1. Created encrypted volume 1G, attached to instance. 2. Wrote data to volume 3. Detached volume 4. Created a Glance image from volume 5. Created a new encrypted volume from Glance image. 6. Compare data from original volume, all is still here looking good, verified. I can't explain why on a previous deployment (#8) exact same steps were used only to find on step6 that no data or even a partition was found on new volume. Any way to be 100% I redid steps 1-6 three times on this current system, each time adding more and more data to initial volume, looks good. A forth attempt with 7G worth of data also completed successfully.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:1783