Bug 1824121 - [OSP 13.0.12][Workaround] Allow native LUKSv1 decryption to be disabled
Summary: [OSP 13.0.12][Workaround] Allow native LUKSv1 decryption to be disabled
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-nova
Version: 13.0 (Queens)
Hardware: x86_64
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: z12
Target Release: 13.0 (Queens)
Assignee: Lee Yarwood
QA Contact: Paras Babbar
URL:
Whiteboard:
Depends On: 1805666 1824116 1824119
Blocks:
Reported: 2020-04-15 11:06 UTC by Lee Yarwood
Modified: 2020-06-24 11:52 UTC

Fixed In Version: openstack-nova-17.0.13-6.el7ost
Doc Type: Enhancement
Doc Text:
Clone Of: 1824119
Environment:
Last Closed: 2020-06-24 11:52:31 UTC
Target Upstream Version: Ussuri
Embargoed:




Links:
Red Hat Product Errata RHBA-2020:2725 (Status: None, Last Updated: 2020-06-24 11:52:48 UTC)

Comment 9 Paras Babbar 2020-06-04 16:14:00 UTC
Hi Rhos-Compute,

Following QE steps would be good to verify this:

env: ceph backend with barbican enabled

1. sudo crudini --set /var/lib/config-data/puppet-generated/nova_libvirt/etc/nova/nova.conf workarounds disable_native_luksv1 true
Restart nova_compute to ensure these are picked up by the compute container:

2. $ sudo docker restart nova_compute

3. sudo docker exec -ti -u root nova_compute crudini --get /etc/nova/nova.conf workarounds disable_native_luksv1

4. Additionally we also need to set the following option in the /etc/ceph/ceph.conf of the controller running cinder-volume:

[global]
default features = 3

What is the best way to validate that this has not used luks_1 encryption but forced it to use the dm-crypt
based os-brick encryptor to decrypt the LUKSv1 volume?

Is going to the nova_virtlog container on the host node and checking there good enough?
sudo cryptsetup status <crypt volume>, to check whether the dm-crypt key is used or not?

Comment 10 Stephen Finucane 2020-06-08 13:34:01 UTC
(In reply to Paras Babbar from comment #9)
> Hi Rhos-Compute,
> 
> Following QE steps would be good to verify this:
> 
> env: ceph backend with barbican enabled
> 
> 1. sudo crudini --set
> /var/lib/config-data/puppet-generated/nova_libvirt/etc/nova/nova.conf
> workarounds disable_native_luksv1 true
> Restart nova_compute to ensure these are picked up by the compute container:
> 
> 2. $ sudo docker restart nova_compute
> 
> 3. sudo docker exec -ti -u root nova_compute crudini --get
> /etc/nova/nova.conf workarounds disable_native_luksv1
> 
> 4. Additionally we also need to set the following option in the
> /etc/ceph/ceph.conf of the controller running cinder-volume:
> 
> [global]
> default features = 3

We don't need Ceph to validate this - that's covered by 1824120 and requires an additional configuration option, "[workarounds] rbd_volume_local_attach". You should configure with LVM. The suggested verification steps are otherwise correct.

> What is the best way to validate that this has not used luks_1 encryption
> but forced it to use the dm-crypt
> based os-brick encryptor to decrypt the LUKSv1 volume?
>
> Is going to the nova_virtlog container on the host node and checking there good
> enough?
> sudo cryptsetup status <crypt volume>, to check whether the dm-crypt key is used or
> not?

The combination of logs and 'cryptsetup status' output should suffice, yes.
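As an added example (not from the bug report or from nova itself), the two checks agreed above, the step 3 config read-back and the `cryptsetup status` inspection, as offline functions run over constructed sample nova.conf and cryptsetup output; the mapping name crypt-volume-1 and the backing device /dev/sdb are assumptions.

```shell
#!/bin/sh
# Constructed sample of /etc/nova/nova.conf after step 1 (not from a real host).
SAMPLE_NOVA_CONF='[DEFAULT]
debug = True

[workarounds]
disable_native_luksv1 = true
'

# Constructed sample of "cryptsetup status crypt-volume-1" for an os-brick mapping.
SAMPLE_CRYPTSETUP_STATUS='/dev/mapper/crypt-volume-1 is active and is in use.
  type:    LUKS1
  cipher:  aes-xts-plain64
  keysize: 256 bits
  device:  /dev/sdb
  mode:    read/write
'

# workaround_enabled CONF_TEXT: succeeds when [workarounds] disable_native_luksv1 = true.
# Offline stand-in for step 3 (crudini --get /etc/nova/nova.conf workarounds disable_native_luksv1).
workaround_enabled() {
  printf '%s\n' "$1" | awk '
    /^\[/ { in_section = ($0 == "[workarounds]"); next }
    in_section && index($0, "=") {
      n = index($0, "="); key = substr($0, 1, n - 1); val = substr($0, n + 1)
      gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
      if (key == "disable_native_luksv1" && tolower(val) == "true") found = 1
    }
    END { exit found ? 0 : 1 }'
}

# dmcrypt_active STATUS_TEXT: succeeds when "cryptsetup status <name>" reports an
# active LUKS1 mapping, i.e. os-brick opened the volume with dm-crypt on the host.
# With QEMU native LUKS decryption there is no dm-crypt mapping on the host at all.
dmcrypt_active() {
  printf '%s\n' "$1" | awk '
    NR == 1 && /is active/ { active = 1 }
    $1 == "type:" && $2 == "LUKS1" { luks1 = 1 }
    END { exit (active && luks1) ? 0 : 1 }'
}

# Stand-alone run against the constructed samples.
workaround_enabled "$SAMPLE_NOVA_CONF" && echo "workaround set"
dmcrypt_active "$SAMPLE_CRYPTSETUP_STATUS" && echo "dm-crypt mapping active"
```

On a real compute host, feed the functions the output of the step 3 `crudini --get` read-back (or the whole nova.conf) and of `sudo cryptsetup status <crypt volume>` for the attached volume.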

Comment 14 errata-xmlrpc 2020-06-24 11:52:31 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2725

