Bug 1801282 - Nova allows direct boot of an image created from an encrypted cinder volume
Status: CLOSED DUPLICATE of bug 1801255
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-nova
Version: 16.0 (Train)
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: medium
Assignee: Lee Yarwood
QA Contact: OSP DFG:Compute
Reported: 2020-02-10 14:53 UTC by Brian Rosmaita
Modified: 2023-03-21 19:30 UTC (History)
Last Closed: 2020-02-14 11:37:21 UTC

Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Bugzilla | 1801255 | 0 | medium | CLOSED | [OSP 16.0.2] Volume encryption keys deleted when snapshotting instances created from images with cinder_encryption_key_i... | 2023-03-21 19:32:19 UTC
Red Hat Issue Tracker | OSP-23517 | 0 | None | None | None | 2023-03-21 19:30:54 UTC

Description Brian Rosmaita 2020-02-10 14:53:56 UTC
Description of problem:
Cinder allows users to upload encrypted volumes as images.  Nova does not support direct boot of such images; the workflow is that such images should only be used for boot-from-volume.  If a user tries the unsupported path, however, Nova will boot an instance that goes 'active' and is unusable.  It would be better if the instance did not go 'active'.  (Ideally this could be rejected at the API layer as some kind of 4xx.)


Version-Release number of selected component (if applicable):
Observed in 16 (Train), 

How reproducible: always


Steps to Reproduce:
1. in cinder: create a volume V-1 of an encrypted volume type
2. in cinder: upload V-1 as an image to Glance; call this image I-1
3. in nova: boot an instance S-1 from I-1

Actual results:
S-1 goes 'active'

Expected results:
Since this isn't a supported action, S-1 should not go 'active' (either by never being created, or by going to some other appropriate status).
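
The API-layer rejection requested in the description above, as an added example that is not part of the original report and is not Nova's code or the fix tracked in bug 1801255. It assumes the Glance image carries the `cinder_encryption_key_id` property that Cinder sets when an encrypted volume is uploaded as an image; `UnsupportedBoot`, the function names and the request data are hypothetical.

```python
# Glance image property set by Cinder on images uploaded from encrypted volumes.
ENCRYPTION_KEY_PROP = "cinder_encryption_key_id"


class UnsupportedBoot(Exception):
    """Hypothetical error type; an API layer would map it to a 4xx response."""
    status = 400


def boots_from_volume(bdms):
    """True when the boot device (boot_index 0) is a volume, not a local disk."""
    return any(
        str(b.get("boot_index")) == "0" and b.get("destination_type") == "volume"
        for b in bdms
    )


def check_boot_request(image, bdms=()):
    """Reject direct boot of an image that was created from an encrypted volume.

    image: dict of Glance image fields and properties (simplified shape).
    bdms:  block_device_mapping_v2-style dicts taken from the boot request.
    """
    if image.get(ENCRYPTION_KEY_PROP) and not boots_from_volume(bdms):
        raise UnsupportedBoot(
            f"image {image.get('id')} was created from an encrypted volume; "
            "it can only be used for boot-from-volume"
        )
    return True


def response_status(image, bdms=()):
    """Status code a caller would see: 202 when accepted, 400 when rejected."""
    try:
        check_boot_request(image, bdms)
    except UnsupportedBoot as exc:
        return exc.status
    return 202


# Constructed sample data mirroring the reproduction steps (I-1 is the image
# uploaded from encrypted volume V-1); the key id value is a placeholder.
I_1 = {"id": "I-1", ENCRYPTION_KEY_PROP: "00000000-placeholder-key-id"}
PLAIN = {"id": "I-2"}
BFV = [{"boot_index": 0, "source_type": "image", "destination_type": "volume"}]
DATA_ONLY = [{"boot_index": 1, "source_type": "blank", "destination_type": "volume"}]
```

A request that only attaches a non-boot data volume (`DATA_ONLY`) is still a direct boot of the image, so it is rejected like the plain case.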

Comment 1 Lee Yarwood 2020-02-14 11:37:21 UTC
Let's continue to use bug 1801255 to track this.

*** This bug has been marked as a duplicate of bug 1801255 ***

