1926761 – Live migration (retype) of an attached encrypted volume(netapp/iscsi) to an encrypted(ceph) fails

This bug has been migrated to another issue tracking site. It has been closed here and may no longer be being monitored.

If you would like to get updates for this issue, or to participate in it, you may do so at Red Hat Issue Tracker .

Bug 1926761 - Live migration (retype) of an attached encrypted volume(netapp/iscsi) to an encrypted(ceph) fails

Summary: Live migration (retype) of an attached encrypted volume(netapp/iscsi) to an e...

Keywords:
Status:	CLOSED MIGRATED
Alias:	None
Product:	Red Hat OpenStack
Classification:	Red Hat
Component:	openstack-cinder
Sub Component:
Version:	16.1 (Train)
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	---
Target Release:	---
Assignee:	Cinder Bugs List
QA Contact:	Evelina Shames
Docs Contact:	RHOS Documentation Team
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2021-02-09 12:20 UTC by Tzach Shefi
Modified:	2025-01-08 14:08 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2025-01-08 14:07:42 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
c-vol log (65.62 KB, application/gzip) 2021-02-09 12:23 UTC, Tzach Shefi	no flags	Details
c-vol log (65.62 KB, text/plain) 2021-02-09 12:23 UTC, Tzach Shefi	no flags	Details
View All

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	OSP-2220	None	None	None	2022-11-24 08:44:21 UTC
Red Hat Issue Tracker	OSP-33358	None	None	None	2025-01-08 14:08:55 UTC
Red Hat Issue Tracker	OSPRH-12791	None	None	None	2025-01-08 14:07:41 UTC

Description Tzach Shefi 2021-02-09 12:20:41 UTC

Description of problem: When I try to live migrate (retype) an attached encrypted volume from a netapp(iscsi) backend to Ceph backend, migration doesn't do anything volume remains on netapp backend, no notification\warning on cli. 


Version-Release number of selected component (if applicable):
puppet-cinder-15.4.1-1.20200831153423.el8ost.noarch
openstack-cinder-15.3.1-5.el8ost.noarch
python3-cinder-15.3.1-5.el8ost.noarch
python3-cinderclient-5.0.1-1.20200326150227.8fa0882.el8ost.noarch


How reproducible:
I suspect every time


Steps to Reproduce:
1. Create both types/backend:

(overcloud) [stack@undercloud-0 ~]$ cinder type-create encnetapp
+--------------------------------------+-----------+-------------+-----------+
| ID                                   | Name      | Description | Is_Public |
+--------------------------------------+-----------+-------------+-----------+
| 65baeac5-69fa-4780-be9a-c9265da58e25 | encnetapp | -           | True      |
+--------------------------------------+-----------+-------------+-----------+
(overcloud) [stack@undercloud-0 ~]$ cinder type-create encceph
+--------------------------------------+---------+-------------+-----------+
| ID                                   | Name    | Description | Is_Public |
+--------------------------------------+---------+-------------+-----------+
| bcf9e784-b5c1-406d-a232-0b14c092ea73 | encceph | -           | True      |
+--------------------------------------+---------+-------------+-----------+
(overcloud) [stack@undercloud-0 ~]$ cinder encryption-type-create --cipher aes-xts-plain64 --key_size 256   --control_location front-end encnetapp nova.volume.encryptors.luks.LuksEncryptor
+--------------------------------------+-------------------------------------------+-----------------+----------+------------------+
| Volume Type ID                       | Provider                                  | Cipher          | Key Size | Control Location |
+--------------------------------------+-------------------------------------------+-----------------+----------+------------------+
| 65baeac5-69fa-4780-be9a-c9265da58e25 | nova.volume.encryptors.luks.LuksEncryptor | aes-xts-plain64 | 256      | front-end        |
+--------------------------------------+-------------------------------------------+-----------------+----------+------------------+
(overcloud) [stack@undercloud-0 ~]$ cinder encryption-type-create --cipher aes-xts-plain64 --key_size 256   --control_location front-end encceph nova.volume.encryptors.luks.LuksEncryptor
+--------------------------------------+-------------------------------------------+-----------------+----------+------------------+
| Volume Type ID                       | Provider                                  | Cipher          | Key Size | Control Location |
+--------------------------------------+-------------------------------------------+-----------------+----------+------------------+
| bcf9e784-b5c1-406d-a232-0b14c092ea73 | nova.volume.encryptors.luks.LuksEncryptor | aes-xts-plain64 | 256      | front-end        |
+--------------------------------------+-------------------------------------------+-----------------+----------+------------------+
(overcloud) [stack@undercloud-0 ~]$ cinder service-list
+------------------+---------------------------+------+---------+-------+----------------------------+-----------------+
| Binary           | Host                      | Zone | Status  | State | Updated_at                 | Disabled Reason |
+------------------+---------------------------+------+---------+-------+----------------------------+-----------------+
| cinder-backup    | controller-1              | nova | enabled | up    | 2021-02-09T10:29:58.000000 | -               |
| cinder-scheduler | controller-0              | nova | enabled | up    | 2021-02-09T10:29:54.000000 | -               |
| cinder-scheduler | controller-1              | nova | enabled | up    | 2021-02-09T10:30:02.000000 | -               |
| cinder-scheduler | controller-2              | nova | enabled | up    | 2021-02-09T10:29:56.000000 | -               |
| cinder-volume    | hostgroup@tripleo_ceph    | nova | enabled | up    | 2021-02-09T10:29:56.000000 | -               |
| cinder-volume    | hostgroup@tripleo_netapp2 | nova | enabled | up    | 2021-02-09T10:29:53.000000 | -               |
+------------------+---------------------------+------+---------+-------+----------------------------+-----------------+

(overcloud) [stack@undercloud-0 ~]$ cinder type-key encceph set volume_backend_name=tripleo_ceph
(overcloud) [stack@undercloud-0 ~]$ cinder type-key encnetapp set volume_backend_name=tripleo_netapp2

2. Create an encrypted netapp backed volume:

(overcloud) [stack@undercloud-0 ~]$ cinder create 1 --name encnetappvol1   --volume-type encnetapp 
+--------------------------------+--------------------------------------+
| Property                       | Value                                |
+--------------------------------+--------------------------------------+
| attachments                    | []                                   |
| availability_zone              | nova                                 |
| bootable                       | false                                |
| consistencygroup_id            | None                                 |
| created_at                     | 2021-02-09T10:35:43.000000           |
| description                    | None                                 |
| encrypted                      | True                                 |
| id                             | 9426bce0-889f-4319-a6b6-c5347351d108 |
| metadata                       | {}                                   |
| migration_status               | None                                 |
| multiattach                    | False                                |
| name                           | encnetappvol1                        |
| os-vol-host-attr:host          | None                                 |
| os-vol-mig-status-attr:migstat | None                                 |
| os-vol-mig-status-attr:name_id | None                                 |
| os-vol-tenant-attr:tenant_id   | 85f44a372e6d49b489829bb6389c85fa     |
| replication_status             | None                                 |
| size                           | 1                                    |
| snapshot_id                    | None                                 |
| source_volid                   | None                                 |
| status                         | creating                             |
| updated_at                     | None                                 |
| user_id                        | 45c2199f364d485f986b6d341c512819     |
| volume_type                    | encnetapp                            |
+--------------------------------+--------------------------------------+
(overcloud) [stack@undercloud-0 ~]$ cinder list
+--------------------------------------+-----------+---------------+------+-------------+----------+--------------------------------------+
| ID                                   | Status    | Name          | Size | Volume Type | Bootable | Attached to                          |
+--------------------------------------+-----------+---------------+------+-------------+----------+--------------------------------------+
| 9426bce0-889f-4319-a6b6-c5347351d108 | available | encnetappvol1 | 1    | encnetapp   | false    |                                      |

3. Attach volume to instance:

(overcloud) [stack@undercloud-0 ~]$ nova volume-attach 7137e3a2-9745-4457-bbf4-60cc3c07fb92 9426bce0-889f-4319-a6b6-c5347351d108
+-----------------------+--------------------------------------+
| Property              | Value                                |
+-----------------------+--------------------------------------+
| delete_on_termination | False                                |
| device                | /dev/vde                             |
| id                    | 9426bce0-889f-4319-a6b6-c5347351d108 |
| serverId              | 7137e3a2-9745-4457-bbf4-60cc3c07fb92 |
| tag                   | -                                    |
| volumeId              | 9426bce0-889f-4319-a6b6-c5347351d108 |
+-----------------------+--------------------------------------+

(overcloud) [stack@undercloud-0 ~]$ cinder list
+--------------------------------------+-----------+---------------+------+-------------+----------+--------------------------------------+                                                                                                  
| ID                                   | Status    | Name          | Size | Volume Type | Bootable | Attached to                          |                                                                                                  
+--------------------------------------+-----------+---------------+------+-------------+----------+--------------------------------------
| 9426bce0-889f-4319-a6b6-c5347351d108 | in-use    | encnetappvol1 | 1    | encnetapp   | false    | 7137e3a2-9745-4457-bbf4-60cc3c07fb92 


4. Issue the retype command:

(overcloud) [stack@undercloud-0 ~]$ cinder retype  9426bce0-889f-4319-a6b6-c5347351d108 ceph --migration-policy on-demand

Notice no error or warning. 

5. Volume remains on source/netapp backend:

(overcloud) [stack@undercloud-0 ~]$ cinder list
+--------------------------------------+-----------+---------------+------+-------------+----------+--------------------------------------+
| ID                                   | Status    | Name          | Size | Volume Type | Bootable | Attached to                          |
+--------------------------------------+-----------+---------------+------+-------------+----------+--------------------------------------+
| 9426bce0-889f-4319-a6b6-c5347351d108 | in-use    | encnetappvol1 | 1    | encnetapp   | false    | 7137e3a2-9745-4457-bbf4-60cc3c07fb92 |


Actual results:
Volume doesn't migrate.

Expected results:
if supported, volume should migrate,
else we should block/warn user of trying this. 

Additional info:

Comment 1 Tzach Shefi 2021-02-09 12:23:04 UTC

Created attachment 1755923 [details]
c-vol log

Comment 2 Tzach Shefi 2021-02-09 12:23:43 UTC

Created attachment 1755924 [details]
c-vol log

Comment 4 Eric Harney 2021-02-11 20:53:56 UTC

This scenario is not supported.

Related errors from nova-compute:
2021-02-11 15:49:43.897 6 ERROR nova.compute.manager [instance: 08bd33cb-c06d-41ab-8f53-e638f3791731] NotImplementedError: Swap volume is not supported for encrypted volumes when native LUKS decryption is enabled.

Related nova code that restricts this:
https://opendev.org/openstack/nova/commit/f8e24c3

Comment 5 Luigi Toscano 2021-02-16 15:12:08 UTC

Thanks Eric! 
We are most likely going to need a documentation bug, so keeping this bug open as it may be retargeted for that purpose.

Note You need to log in before you can comment on or make changes to this bug.