
Bug 1668213

Summary: [RFE]: support for glance encrypted image with keys managed by barbican.
Product: Red Hat OpenStack
Reporter: Pierre Amadio <pamadio>
Component: openstack-cinder
Assignee: Brian Rosmaita <brian.rosmaita>
Status: CLOSED CURRENTRELEASE
QA Contact: bkopilov <bkopilov>
Severity: medium
Docs Contact: Tana <tberry>
Priority: medium
Version: 13.0 (Queens)
CC: bkopilov, brian.rosmaita, eglynn, eharney, fduthill, fherrman, gcharot, gfidente, gregraka, jamsmith, ltoscano, marjones, nwolf, pamadio, pgrist, pmorey, scohen, tenobreg
Target Milestone: z2
Keywords: FutureFeature, Reopened, TestOnly, Triaged
Target Release: 16.1 (Train on RHEL 8.2)
Hardware: Unspecified
OS: Unspecified
Fixed In Version: openstack-cinder-15.0.1-0.20191114132949.b91f514.el8ost
Doc Type: Enhancement
Doc Text: This update introduces support for encrypted images with keys managed by the Key Manager service (barbican). For some secure workflows in which at-rest data must remain encrypted, you can upload carefully prepared encrypted images into the Image service (glance) for consumption by the Block Storage service (cinder).
Last Closed: 2020-09-29 10:52:38 UTC
Type: Bug
Bug Depends On: 1481814, 1879190, 1900539

Comment 1 Cyril Roelandt 2019-02-12 17:42:06 UTC
So, we might want some actual commands for steps 2 to 7 here. Multiple reasons for that:

1) It helps us understand what you need;
2) It helps QE, since they will be needing specific commands to run tests and verify the feature;
3) Should the whole Glance team get hit by a bus, it will make it easier for our replacements to pick up this bug report.

2) Get key and ID from 1)
So, probably using "openstack secret order list/get", right?

3) Generate encrypted image with 2) as LUKS key.
How do you do this?

4) Upload the image into glance
$ openstack image create --disk-format qcow2 --file <encrypted-image> --property cinder_encryption_key_id=$ID_KEY_BARBICAN

5) Create volume from image
$ openstack volume create --image <image-id from step 4>

6) Attach volume to instance
$ nova volume-attach <instance-id> <volume-id> auto

7) VM mount the volume.
$ mount /dev/whatever /media/my-volume  # After SSHing the nova instance

Are the commands above what you had in mind?

I'll talk to upstream Cinder/Glance and see whether this is something we can support in the near future. I think right now, we can only use Barbican to sign images, but we do not support encryption/booting from an encrypted image.

Comment 18 Lon Hohberger 2020-02-13 11:40:21 UTC
According to our records, this should be resolved by openstack-cinder-15.0.2-0.20200123220928.900f769.el8ost.  This build is available now.

Comment 22 Luigi Toscano 2020-03-20 13:25:53 UTC
Reopening: there is still work to do to verify this. I'll try to summarize the status.

This feature is about uploading pre-encrypted images intended to be written as a volume.

Two possible workflows can be potentially taken into account:

1) have barbican provide the key/secret, encrypt the image offline using that key, upload it to glance and update its metadata to refer to the key.
2) create a key offline, use it to encrypt the image, then upload the key to barbican and the image to glance.

Case 1) should receive more attention. It should be investigated whether and under which conditions case 2) may work.

Comment 25 Gregory Charot 2020-04-14 09:14:31 UTC
*** Bug 1644787 has been marked as a duplicate of this bug. ***

Comment 29 Gregory Charot 2020-09-15 16:37:15 UTC
Moving to z3 because of https://bugzilla.redhat.com/show_bug.cgi?id=1879190

Latest status:

- Creating a secret in barbican and retrieving the key - WORKS
- Building an encrypted image file with the key retrieved in the previous step and uploading it to glance - WORKS
- Attaching a volume from a (pre)encrypted image to a running VM - WORKS
- Booting a VM with a volume from a (pre)encrypted image - FAILS because of BZ#1879190

Comment 31 Gregory Charot 2020-09-21 13:55:22 UTC
BZ#1879190 has been accepted as an exception for 16.1.2. Reverting RFE TM to 16.1.2.

RFE will move to verified if the bug fix indeed solves the issue and QE is able to verify it in time.

Comment 32 bkopilov 2020-09-29 05:56:31 UTC
Verified

Comment 36 James Smith 2020-10-15 19:20:11 UTC
Thanks, Greg and Brian!