Bug 1967606 - [OSP 16.2] Unable to boot SEV based instances from blank volume
Summary: [OSP 16.2] Unable to boot SEV based instances from blank volume
Keywords:
Status: CLOSED UPSTREAM
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-nova
Version: unspecified
Hardware: x86_64
OS: Linux
medium
low
Target Milestone: ---
Assignee: Alex Stupnikov
QA Contact: OSP DFG:Compute
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-06-03 13:10 UTC by Lee Yarwood
Modified: 2023-03-21 19:43 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-02-28 20:32:13 UTC
Target Upstream Version:
Embargoed:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Launchpad | 2006952 | 0 | None | None | None | 2023-02-10 16:28:52 UTC
OpenStack gerrit | 873388 | 0 | None | NEW | Fix logging in MemEncryption-related checks | 2023-02-10 16:28:30 UTC
Red Hat Issue Tracker | OSP-4365 | 0 | None | None | None | 2022-01-04 11:06:40 UTC

Description Lee Yarwood 2021-06-03 13:10:48 UTC
Description of problem:

More image_meta.name use in hardware.py causing failures when presented with an empty ImageMeta object:

$ openstack flavor show  m1.sev_med
+----------------------------+--------------------------------------+
| Field                      | Value                                |
+----------------------------+--------------------------------------+
| OS-FLV-DISABLED:disabled   | False                                |
| OS-FLV-EXT-DATA:ephemeral  | 0                                    |
| access_project_ids         | None                                 |
| description                | None                                 |
| disk                       | 2                                    |
| extra_specs                | {'hw:mem_encryption': 'True'}        |
| id                         | 3952db4d-e71a-4669-9bb7-666adaef6c36 |
| name                       | m1.sev_med                           |
| os-flavor-access:is_public | True                                 |
| properties                 | hw:mem_encryption='True'             |
| ram                        | 2048                                 |
| rxtx_factor                | 1.0                                  |
| swap                       | 0                                    |
| vcpus                      | 4                                    |
+----------------------------+--------------------------------------+
$ openstack volume create --bootable --size 1 blank
$ openstack server create --volume blank --flavor m1.sev_med --network private test
Unexpected API Error. Please report this at http://bugs.launchpad.net/nova/ and attach the Nova API log if possible.
<class 'NotImplementedError'> (HTTP 500) (Request-ID: req-c6d1a319-b4b0-4d1f-869c-dcbec2fd2554)

2021-06-03 12:29:28.207 12 ERROR nova.api.openstack.wsgi [req-c6d1a319-b4b0-4d1f-869c-dcbec2fd2554 cd40fe796ff84e3a8ba5e473a6d61f05 025f8a0d412642f693782ae20ba415ec - default default] Unexpected exception in API method: NotImplementedError: Cannot load 'name' in the base class
2021-06-03 12:29:28.207 12 ERROR nova.api.openstack.wsgi Traceback (most recent call last):
2021-06-03 12:29:28.207 12 ERROR nova.api.openstack.wsgi   File "/usr/lib/python3.6/site-packages/nova/api/openstack/wsgi.py", line 671, in wrapped
2021-06-03 12:29:28.207 12 ERROR nova.api.openstack.wsgi     return f(*args, **kwargs)
2021-06-03 12:29:28.207 12 ERROR nova.api.openstack.wsgi   File "/usr/lib/python3.6/site-packages/nova/api/validation/__init__.py", line 110, in wrapper
2021-06-03 12:29:28.207 12 ERROR nova.api.openstack.wsgi     return func(*args, **kwargs)
2021-06-03 12:29:28.207 12 ERROR nova.api.openstack.wsgi   File "/usr/lib/python3.6/site-packages/nova/api/validation/__init__.py", line 110, in wrapper
2021-06-03 12:29:28.207 12 ERROR nova.api.openstack.wsgi     return func(*args, **kwargs)
2021-06-03 12:29:28.207 12 ERROR nova.api.openstack.wsgi   File "/usr/lib/python3.6/site-packages/nova/api/validation/__init__.py", line 110, in wrapper
2021-06-03 12:29:28.207 12 ERROR nova.api.openstack.wsgi     return func(*args, **kwargs)
2021-06-03 12:29:28.207 12 ERROR nova.api.openstack.wsgi   [Previous line repeated 9 more times]
2021-06-03 12:29:28.207 12 ERROR nova.api.openstack.wsgi   File "/usr/lib/python3.6/site-packages/nova/api/openstack/compute/servers.py", line 712, in create
2021-06-03 12:29:28.207 12 ERROR nova.api.openstack.wsgi     **create_kwargs)
2021-06-03 12:29:28.207 12 ERROR nova.api.openstack.wsgi   File "/usr/lib/python3.6/site-packages/nova/hooks.py", line 154, in inner
2021-06-03 12:29:28.207 12 ERROR nova.api.openstack.wsgi     rv = f(*args, **kwargs)
2021-06-03 12:29:28.207 12 ERROR nova.api.openstack.wsgi   File "/usr/lib/python3.6/site-packages/nova/compute/api.py", line 1932, in create
2021-06-03 12:29:28.207 12 ERROR nova.api.openstack.wsgi     requested_hypervisor_hostname=requested_hypervisor_hostname)
2021-06-03 12:29:28.207 12 ERROR nova.api.openstack.wsgi   File "/usr/lib/python3.6/site-packages/nova/compute/api.py", line 1411, in _create_instance
2021-06-03 12:29:28.207 12 ERROR nova.api.openstack.wsgi     block_device_mapping.root_bdm(), validate_numa=False)
2021-06-03 12:29:28.207 12 ERROR nova.api.openstack.wsgi   File "/usr/lib/python3.6/site-packages/nova/compute/api.py", line 912, in _checks_for_create_and_rebuild
2021-06-03 12:29:28.207 12 ERROR nova.api.openstack.wsgi     validate_numa=validate_numa)
2021-06-03 12:29:28.207 12 ERROR nova.api.openstack.wsgi   File "/usr/lib/python3.6/site-packages/nova/compute/api.py", line 577, in _validate_flavor_image
2021-06-03 12:29:28.207 12 ERROR nova.api.openstack.wsgi     root_bdm, validate_numa)
2021-06-03 12:29:28.207 12 ERROR nova.api.openstack.wsgi   File "/usr/lib/python3.6/site-packages/nova/compute/api.py", line 723, in _validate_flavor_image_nostatus
2021-06-03 12:29:28.207 12 ERROR nova.api.openstack.wsgi     validate_pci=validate_pci)
2021-06-03 12:29:28.207 12 ERROR nova.api.openstack.wsgi   File "/usr/lib/python3.6/site-packages/nova/compute/api.py", line 747, in _validate_flavor_image_numa_pci
2021-06-03 12:29:28.207 12 ERROR nova.api.openstack.wsgi     API._validate_flavor_image_mem_encryption(instance_type, image_meta)
2021-06-03 12:29:28.207 12 ERROR nova.api.openstack.wsgi   File "/usr/lib/python3.6/site-packages/nova/compute/api.py", line 778, in _validate_flavor_image_mem_encryption
2021-06-03 12:29:28.207 12 ERROR nova.api.openstack.wsgi     hardware.get_mem_encryption_constraint(instance_type, image)
2021-06-03 12:29:28.207 12 ERROR nova.api.openstack.wsgi   File "/usr/lib/python3.6/site-packages/nova/virt/hardware.py", line 1273, in get_mem_encryption_constraint
2021-06-03 12:29:28.207 12 ERROR nova.api.openstack.wsgi     _check_mem_encryption_uses_uefi_image(requesters, image_meta)
2021-06-03 12:29:28.207 12 ERROR nova.api.openstack.wsgi   File "/usr/lib/python3.6/site-packages/nova/virt/hardware.py", line 1310, in _check_mem_encryption_uses_uefi_image
2021-06-03 12:29:28.207 12 ERROR nova.api.openstack.wsgi     'image_name': image_meta.name}
2021-06-03 12:29:28.207 12 ERROR nova.api.openstack.wsgi   File "/usr/lib/python3.6/site-packages/oslo_versionedobjects/base.py", line 67, in getter
2021-06-03 12:29:28.207 12 ERROR nova.api.openstack.wsgi     self.obj_load_attr(name)
2021-06-03 12:29:28.207 12 ERROR nova.api.openstack.wsgi   File "/usr/lib/python3.6/site-packages/oslo_versionedobjects/base.py", line 603, in obj_load_attr
2021-06-03 12:29:28.207 12 ERROR nova.api.openstack.wsgi     _("Cannot load '%s' in the base class") % attrname)
2021-06-03 12:29:28.207 12 ERROR nova.api.openstack.wsgi NotImplementedError: Cannot load 'name' in the base class
2021-06-03 12:29:28.207 12 ERROR nova.api.openstack.wsgi


Version-Release number of selected component (if applicable):
OSP 16.2

How reproducible:
Always.

Steps to Reproduce:
1. Attempt to boot a SEV based instance from a blank volume.

Actual results:

n-api returns 500 after a NotImplementedError is raised.

Expected results:

This shouldn't technically work as hw_firmware_type=uefi is required in the embedded image metadata of the volume but at the same time we shouldn't return 500.

Additional info:

Comment 3 Alex Stupnikov 2023-02-10 15:53:56 UTC
This problem is rather cosmetic: memory encryption is only supported for instances with ephemeral root disks created from images.

Documentation: https://docs.openstack.org/nova/latest/admin/sev.html

Quote:

In all cases, SEV instances can only be booted from images which have the hw_firmware_type property set to uefi, and only when the machine type is set to q35. This can be set per image by setting the image property hw_machine_type=q35, or per compute node by the operator via libvirt.hw_machine_type as explained above.


As a result, we are talking about the flavor/image check not being able to handle cinder volume-based image objects properly, but the affected operations themselves should have failed anyway. This is not a high-severity problem and looks like an ambiguous error message to me.
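
Added example (not part of the bug report, not Nova's code and not the upstream patch): a self-contained model of the failure in the traceback above, where building the rejection message reads an unset field and turns a validation failure into a 500, next to a variant that checks obj_attr_is_set() first. FakeImageMeta, InvalidRequest, the check_uefi_* functions, describe_image and api_status are hypothetical stand-ins, and the sample objects are constructed.

```python
# Added example: stand-in classes, not Nova or oslo.versionedobjects code.
class FakeImageMeta:
    """Stand-in for a versioned object: reading an unset field raises."""
    fields = ("id", "name", "properties")

    def __init__(self, **values):
        self._values = values

    def obj_attr_is_set(self, attr):
        return attr in self._values

    def __getattr__(self, attr):  # only reached for names not found normally
        values = self.__dict__.get("_values", {})
        if attr in values:
            return values[attr]
        if attr in self.fields:
            raise NotImplementedError("Cannot load '%s' in the base class" % attr)
        raise AttributeError(attr)

class InvalidRequest(Exception):
    """Stand-in for a validation error the API layer reports as HTTP 400."""

def check_uefi_fragile(image_meta):
    # Same shape as the failing frame: the error message reads image_meta.name.
    if image_meta.properties.get("hw_firmware_type") != "uefi":
        raise InvalidRequest("SEV needs hw_firmware_type=uefi; image %s lacks it"
                             % image_meta.name)

def describe_image(image_meta):
    # Read identifying fields only if they were actually populated.
    for attr in ("name", "id"):
        if image_meta.obj_attr_is_set(attr):
            return "%s=%s" % (attr, getattr(image_meta, attr))
    return "<no image metadata>"

def check_uefi_safe(image_meta):
    props = image_meta.properties if image_meta.obj_attr_is_set("properties") else {}
    if props.get("hw_firmware_type") != "uefi":
        raise InvalidRequest("SEV needs hw_firmware_type=uefi; image %s lacks it"
                             % describe_image(image_meta))

def api_status(check, image_meta):
    """Model the API layer: validation errors -> 400, anything else -> 500."""
    try:
        check(image_meta)
        return 202
    except InvalidRequest:
        return 400
    except Exception:
        return 500

BLANK_VOLUME = FakeImageMeta(properties={})  # constructed: blank bootable volume
UEFI_IMAGE = FakeImageMeta(name="sev-guest", properties={"hw_firmware_type": "uefi"})
```

For the blank volume, api_status() gives 500 with the fragile check and 400 with the safe one. Both accept the UEFI image, so the request is still rejected as the documentation requires, but as a client error rather than an unhandled exception.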

