
Bug 1805666

Summary: [Workaround] Allow native LUKSv1 decryption to be disabled
Product: Red Hat OpenStack
Reporter: Lee Yarwood <lyarwood>
Component: openstack-nova
Assignee: Lee Yarwood <lyarwood>
Status: CLOSED ERRATA
QA Contact: James Parker <jparker>
Severity: urgent
Priority: urgent
Version: 17.0 (Wallaby)
CC: andeshmu, dasmith, egallen, eglynn, jhakimra, jparker, kchamart, sbauza, sgordon, smooney, stephenfin, vromanso
Target Milestone: Upstream M3
Keywords: Patch, Triaged
Target Release: 17.0
Hardware: x86_64
OS: Linux
Fixed In Version: openstack-nova-23.0.3-0.20210908140341.e39bbdc.el9ost
Clones: 1824116
Last Closed: 2022-09-21 12:09:13 UTC
Type: Bug
Target Upstream Version: Ussuri
Bug Blocks: 1824116, 1824119, 1824121

Description Lee Yarwood 2020-02-21 10:48:55 UTC
Description of problem:

Since https://review.opendev.org/#/c/632507/ in stable/stein LUKSv1 volume are natively decrypted by QEMU. Performance issues have recently been identified within the libgcrypt library used by QEMU when natively decrypting LUKSv1 disks. As a result it would be useful to allow operators to switch back to the original dm-crypt based os-brick encryptor approach when decrypting these volumes.

Comment 15 errata-xmlrpc 2022-09-21 12:09:13 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Release of components for Red Hat OpenStack Platform 17.0 (Wallaby)), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2022:6543

Comment 18 smooney 2024-08-27 12:20:08 UTC
noting this here for posterity

```
[workarounds]
disable_native_luksv1 = true
```

requires `rbd_volume_local_attach=true`

so it must be

```
[workarounds]
disable_native_luksv1 = true
rbd_volume_local_attach=true
```

otherwise it will not work correctly.


this is discussed in the help text for both options

```python
# Excerpt from nova/conf/workarounds.py (stable/wallaby); see the link below.
# The import and the list wrapper are added so the excerpt loads on its own.
from oslo_config import cfg

workarounds_opts = [
    # Note: the "Related options" in both help strings name
    # ``rbd_block_device`` and ``disable_qemu_native_luksv1``, but the
    # options actually defined here are ``rbd_volume_local_attach`` and
    # ``disable_native_luksv1``.
    cfg.BoolOpt(
        'disable_native_luksv1',
        default=False,
        deprecated_for_removal=True,
        deprecated_since='23.0.0',
        deprecated_reason="""
The underlying performance regression within libgcrypt that prompted this
workaround has been resolved as of 1.8.5
""",
        help="""
When attaching encrypted LUKSv1 Cinder volumes to instances the Libvirt driver
configures the encrypted disks to be natively decrypted by QEMU.

A performance issue has been discovered in the libgcrypt library used by QEMU
that severely limits the I/O performance in this scenario.

For more information please refer to the following bug report:

RFE: hardware accelerated AES-XTS mode
https://bugzilla.redhat.com/show_bug.cgi?id=1762765

Enabling this workaround option will cause Nova to use the legacy dm-crypt
based os-brick encryptor to decrypt the LUKSv1 volume.

Note that enabling this option while using volumes that do not provide a host
block device such as Ceph will result in a failure to boot from or attach the
volume to an instance. See the ``[workarounds]/rbd_block_device`` option for a
way to avoid this for RBD.

Related options:

* ``compute_driver`` (libvirt)
* ``rbd_block_device`` (workarounds)
"""),
    cfg.BoolOpt(
        'rbd_volume_local_attach',
        default=False,
        deprecated_for_removal=True,
        deprecated_since='23.0.0',
        deprecated_reason="""
The underlying performance regression within libgcrypt that prompted this
workaround has been resolved as of 1.8.5
""",
        help="""
Attach RBD Cinder volumes to the compute as host block devices.

When enabled this option instructs os-brick to connect RBD volumes locally on
the compute host as block devices instead of natively through QEMU.

This workaround does not currently support extending attached volumes.

This can be used with the disable_native_luksv1 workaround configuration
option to avoid the recently discovered performance issues found within the
libgcrypt library.

This workaround is temporary and will be removed during the W release once
all impacted distributions have been able to update their versions of the
libgcrypt library.

Related options:

* ``compute_driver`` (libvirt)
* ``disable_qemu_native_luksv1`` (workarounds)
"""),
]
```


https://github.com/openstack/nova/blob/unmaintained/wallaby/nova/conf/workarounds.py#L274-L337
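The coupling described in the comment above, as an added example that is not nova's own code: a small audit of the `[workarounds]` section of a nova.conf that flags `disable_native_luksv1 = true` without `rbd_volume_local_attach = true` and warns that both options are deprecated. The sample configurations are constructed for illustration; nova.conf alone does not say whether the Cinder backend is RBD, so the finding is worded for that case.

```python
"""Audit a nova.conf [workarounds] section for the LUKSv1 workaround coupling."""
import configparser

DEPRECATED_SINCE = "23.0.0"  # deprecated_since value of both options


def audit_workarounds(conf_text: str) -> list[str]:
    """Return a list of findings; an empty list means nothing to report."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    # A missing section or option means the default (False) applies.
    disable_native = cp.getboolean(
        "workarounds", "disable_native_luksv1", fallback=False)
    local_attach = cp.getboolean(
        "workarounds", "rbd_volume_local_attach", fallback=False)
    findings = []
    if disable_native and not local_attach:
        findings.append(
            "ERROR: disable_native_luksv1=true without rbd_volume_local_attach=true; "
            "RBD/Ceph volumes provide no host block device for dm-crypt, so "
            "boot-from-volume and attach will fail")
    if disable_native or local_attach:
        findings.append(
            f"WARNING: LUKSv1 workaround options are deprecated since nova "
            f"{DEPRECATED_SINCE} and removed in later releases")
    if local_attach:
        findings.append(
            "INFO: rbd_volume_local_attach does not support extending attached volumes")
    return findings


# Constructed sample configurations (not taken from any real deployment).
BROKEN_CONF = """
[DEFAULT]
compute_driver = libvirt.LibvirtDriver

[workarounds]
disable_native_luksv1 = true
"""

WORKING_CONF = """
[workarounds]
disable_native_luksv1 = true
rbd_volume_local_attach = true
"""

if __name__ == "__main__":
    for name, text in (("broken", BROKEN_CONF), ("working", WORKING_CONF)):
        print(name, audit_workarounds(text) or ["OK"])
```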

Comment 19 smooney 2024-08-27 12:54:38 UTC
also, from a purely downstream perspective both options are unsupported by Red Hat and require a support exception to use
with our product.

both options have been removed in the later release of OpenStack

we do not support using either on RHEL 9 deployments as they were a temporary workaround for specific customers
on RHEL 8.4 due to the non-backportable libgcrypt issue with qemu on RHEL 8.