Bug 2078008
| Summary: | [RHOS16.2] encrypted volumes can only be uploaded as raw, but the api lets you try to convert on upload and fail | ||
|---|---|---|---|
| Product: | Red Hat OpenStack | Reporter: | Brian Rosmaita <brian.rosmaita> |
| Component: | openstack-cinder | Assignee: | Brian Rosmaita <brian.rosmaita> |
| Status: | CLOSED ERRATA | QA Contact: | Tzach Shefi <tshefi> |
| Severity: | low | Docs Contact: | Andy Stillman <astillma> |
| Priority: | low | ||
| Version: | 16.0 (Train) | CC: | bkopilov, eharney, gfidente, ltoscano, tshefi |
| Target Milestone: | z4 | Keywords: | Triaged, ZStream |
| Target Release: | 16.2 (Train on RHEL 8.4) | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | openstack-cinder-15.6.1-2.20220818134749.f3340ec.el8ost | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | 1798890 | Environment: | |
| Last Closed: | 2022-12-07 19:22:27 UTC | Type: | --- |
| Bug Blocks: | 1798890 | ||
Description
Brian Rosmaita
2022-04-22 19:57:43 UTC
Verified on:
openstack-cinder-15.6.1-2.20220818134749.f3340ec.el8ost.noarch
On a Ceph-backed deployment, let's follow the reproduction steps.
1. Upload an image to glance from a file:
(overcloud) [stack@undercloud-0 ~]$ glance image-create --disk-format raw --container-format bare --file cirros-0.4.0-x86_64-disk.raw --name cirros.raw
+------------------+----------------------------------------------------------------------------------+
| Property | Value |
+------------------+----------------------------------------------------------------------------------+
| checksum | ba3cd24377dde5dfdd58728894004abb |
| container_format | bare |
| created_at | 2022-09-07T10:57:19Z |
| direct_url | rbd://6ba3c51e-359d-49db- |
| | af30-ad92b9b037cb/images/839aed48-c6d3-4edd-9e04-05e5f6cbc94c/snap |
| disk_format | raw |
| id | 839aed48-c6d3-4edd-9e04-05e5f6cbc94c |
| locations | [{"url": "rbd://6ba3c51e-359d-49db- |
| | af30-ad92b9b037cb/images/839aed48-c6d3-4edd-9e04-05e5f6cbc94c/snap", "metadata": |
| | {"store": "default_backend"}}] |
| min_disk | 0 |
| min_ram | 0 |
| name | cirros.raw |
| os_hash_algo | sha512 |
| os_hash_value | b795f047a1b10ba0b7c95b43b2a481a59289dc4cf2e49845e60b194a911819d3ada03767bbba4143 |
| | b44c93fd7f66c96c5a621e28dff51d1196dae64974ce240e |
| os_hidden | False |
| owner | 1fadff65f8b74b9aaf2144739f25123b |
| protected | False |
| size | 46137344 |
| status | active |
| stores | default_backend |
| tags | [] |
| updated_at | 2022-09-07T10:57:21Z |
| virtual_size | Not available |
| visibility | shared |
+------------------+----------------------------------------------------------------------------------+
Let's confirm an instance can boot up from this image:
(overcloud) [stack@undercloud-0 ~]$ nova boot FirstInstance --flavor tiny --image cirros.raw --nic net-id=2e2e6133-8106-46f9-88b0-68a2650809df
+--------------------------------------+---------------------------------------------------+
| Property | Value |
+--------------------------------------+---------------------------------------------------+
| OS-DCF:diskConfig | MANUAL |
| OS-EXT-AZ:availability_zone | |
| OS-EXT-SRV-ATTR:host | - |
| OS-EXT-SRV-ATTR:hostname | firstinstance |
| OS-EXT-SRV-ATTR:hypervisor_hostname | - |
| OS-EXT-SRV-ATTR:instance_name | |
| OS-EXT-SRV-ATTR:kernel_id | |
| OS-EXT-SRV-ATTR:launch_index | 0 |
| OS-EXT-SRV-ATTR:ramdisk_id | |
| OS-EXT-SRV-ATTR:reservation_id | r-oajt54zg |
| OS-EXT-SRV-ATTR:root_device_name | - |
| OS-EXT-SRV-ATTR:user_data | - |
| OS-EXT-STS:power_state | 0 |
| OS-EXT-STS:task_state | scheduling |
....
.. |
| tenant_id | 1fadff65f8b74b9aaf2144739f25123b |
| trusted_image_certificates | - |
| updated | 2022-09-07T11:02:11Z |
| user_id | 9d9c74f8fa5644598990efa83cc3f140 |
+--------------------------------------+---------------------------------------------------+
Yep, the image is OK and the instance is alive:
(overcloud) [stack@undercloud-0 ~]$ nova list
+--------------------------------------+---------------+--------+------------+-------------+------------------------------------------+
| ID | Name | Status | Task State | Power State | Networks |
+--------------------------------------+---------------+--------+------------+-------------+------------------------------------------+
| c7cee8fd-04b0-4559-9635-8b60fa73cb99 | FirstInstance | ACTIVE | - | Running | nova=2620:52:0:13b8::1000:42, 10.0.0.215 |
2. Create an encrypted volume from said image
(overcloud) [stack@undercloud-0 ~]$ cinder create 3 --image cirros.raw --volume-type LUKS --name EncVolFromImage
+--------------------------------+--------------------------------------+
| Property | Value |
+--------------------------------+--------------------------------------+
| attachments | [] |
| availability_zone | nova |
| bootable | false |
| consistencygroup_id | None |
| created_at | 2022-09-07T11:06:36.000000 |
| description | None |
| encrypted | True |
| id | 92e21799-3c29-4efc-8a90-ff5356bdf1c6 |
| metadata | {} |
| migration_status | None |
| multiattach | False |
| name | EncVolFromImage |
| os-vol-host-attr:host | None |
| os-vol-mig-status-attr:migstat | None |
| os-vol-mig-status-attr:name_id | None |
| os-vol-tenant-attr:tenant_id | 1fadff65f8b74b9aaf2144739f25123b |
| replication_status | None |
| size | 3 |
| snapshot_id | None |
| source_volid | None |
| status | creating |
| updated_at | None |
| user_id | 9d9c74f8fa5644598990efa83cc3f140 |
| volume_type | LUKS |
+--------------------------------+--------------------------------------+
(overcloud) [stack@undercloud-0 ~]$ cinder list
+--------------------------------------+-----------+-----------------+------+-----------------+----------+--------------------------------------+
| ID | Status | Name | Size | Volume Type | Bootable | Attached to |
+--------------------------------------+-----------+-----------------+------+-----------------+----------+--------------------------------------+
| 92e21799-3c29-4efc-8a90-ff5356bdf1c6 | available | EncVolFromImage | 3 | LUKS | true | |
Volume was successfully created.
3. Create a new image using upload-to-image from the new encrypted volume
(overcloud) [stack@undercloud-0 ~]$ cinder upload-to-image EncVolFromImage ImageFromEncVolume
+---------------------+--------------------------------------+
| Property | Value |
+---------------------+--------------------------------------+
| container_format | bare |
| disk_format | raw |
| display_description | None |
| id | 92e21799-3c29-4efc-8a90-ff5356bdf1c6 |
| image_id | e773e926-8f04-44b8-9eda-7816c8bf0a03 |
| image_name | ImageFromEncVolume |
| protected | False |
| size | 3 |
| status | uploading |
| updated_at | 2022-09-07T11:06:57.000000 |
| visibility | shared |
| volume_type | LUKS |
+---------------------+--------------------------------------+
(overcloud) [stack@undercloud-0 ~]$ glance image-show e773e926-8f04-44b8-9eda-7816c8bf0a03
+---------------------------------------+----------------------------------------------------------------------------------+
| Property | Value |
+---------------------------------------+----------------------------------------------------------------------------------+
| checksum | a3bf12e4b63e1020fa1b91cad1fb36a7 |
| cinder_encryption_key_deletion_policy | on_image_deletion |
| cinder_encryption_key_id | 181be706-b9e5-41b3-9d56-79357c1259ed |
| container_format | bare |
| created_at | 2022-09-07T11:10:05Z |
| direct_url | rbd://6ba3c51e-359d-49db- |
| | af30-ad92b9b037cb/images/e773e926-8f04-44b8-9eda-7816c8bf0a03/snap |
| disk_format | raw |
| id | e773e926-8f04-44b8-9eda-7816c8bf0a03 |
| locations | [{"url": "rbd://6ba3c51e-359d-49db- |
| | af30-ad92b9b037cb/images/e773e926-8f04-44b8-9eda-7816c8bf0a03/snap", "metadata": |
| | {"store": "default_backend"}}] |
| min_disk | 0 |
| min_ram | 0 |
| name | ImageFromEncVolume |
| os_hash_algo | sha512 |
| os_hash_value | 45ab5b10f746b753941ccc3814cca524df2626570b130ac723319ed9397a76aeed90d1a4ea8a41f7 |
| | 8f60b5fd4f70ad61abc95214e8b0061148cde59a0cbd18cb |
| os_hidden | False |
| owner | 1fadff65f8b74b9aaf2144739f25123b |
| protected | False |
| signature_verified | False |
| size | 3221225472 |
| status | active |
| stores | default_backend |
| tags | [] |
| updated_at | 2022-09-07T11:10:40Z |
| virtual_size | Not available |
| visibility | shared |
+---------------------------------------+----------------------------------------------------------------------------------+
We proved that an encrypted volume was successfully uploaded to Glance
when using the default allowed raw/bare combination;
as they are the defaults, I didn't even mention them during upload-to-image.
Now let's try uploading to Glance as qcow2/bare; it should fail, as it isn't supported.
(overcloud) [stack@undercloud-0 ~]$ cinder upload-to-image EncVolFromImage ImageFromEncVolumeTake2 --disk-format qcow2 --container-format bare
ERROR: An encrypted volume uploaded as an image must use 'raw' disk_format and 'bare' container_format, which are the defaults for these options. (HTTP 400) (Request-ID: req-1025dc45-18c9-445c-94f9-8537b3b76524)
We failed as expected and got a meaningful explanation as to why, good to verify.
Test LGTM. Thanks, Tzach!

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Release of components for Red Hat OpenStack Platform 16.2.4), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:8794