yahoo-eng-team team mailing list archive
Message #33590
[Bug 1463525] [NEW] There is no volume encryption metadata for rbd-backed volumes
Public bug reported:
This came up as a discussion point in the nova IRC channel today because
someone was talking about adding encryption support to Ceph in Nova and
I pointed out that there is already a ceph job that runs the tempest
luks/cryptsetup encrypted volume tests successfully, so why aren't those
failing if it's not supported today?
We got looking at the code and logs and found that when nova tries to
get volume encryption metadata from cinder for rbd-backed instances,
nothing comes back so nova isn't doing anything with volume encryption
using its providers (luks / cryptsetup).
Change https://review.openstack.org/#/c/189799/ in nova adds logging to
see this:
Confirmed that for LVM backed Cinder we get something back:
http://logs.openstack.org/99/189799/2/check/check-tempest-dsvm-full/c3ee602/logs/screen-n-cpu.txt.gz#_2015-06-09_18_18_18_078
For Ceph we don't:
http://logs.openstack.org/99/189799/2/check/check-tempest-dsvm-full-ceph/353db23/logs/screen-n-cpu.txt.gz#_2015-06-09_18_21_16_723
This might be working as designed, I'm not sure, but I'm opening the bug
to track the effort since if you think you have encrypted volumes when
using ceph and nova you're probably not, so there is a false sense of
security here which is a bug.
** Affects: cinder
Importance: Undecided
Status: New
** Affects: nova
Importance: Undecided
Status: New
** Tags: ceph volumes
** Also affects: nova
Importance: Undecided
Status: New
https://bugs.launchpad.net/bugs/1463525
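An added example, not part of the original report and not nova or cinder code: a fail-closed audit for the situation described above, where a volume is expected to be encrypted but no encryption metadata comes back. It also checks the start of the backing device for a LUKS header when the luks provider is configured. The function names, the metadata key names and the sample bytes are assumptions constructed for illustration.

```python
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"  # on-disk magic shared by LUKS1 and LUKS2


def parse_luks_header(first_bytes):
    """Return header fields if the bytes begin with a LUKS header, else None."""
    if len(first_bytes) < 8 or first_bytes[:6] != LUKS_MAGIC:
        return None
    info = {"version": struct.unpack(">H", first_bytes[6:8])[0]}
    if info["version"] == 1 and len(first_bytes) >= 112:
        # LUKS1: cipher name, mode and hash spec are 32-byte NUL-padded
        # strings; payload offset and key length are big-endian uint32.
        def text(raw):
            return raw.split(b"\0", 1)[0].decode("ascii", "replace")
        info["cipher"] = text(first_bytes[8:40])
        info["mode"] = text(first_bytes[40:72])
        info["key_bits"] = struct.unpack(">I", first_bytes[108:112])[0] * 8
    return info


def audit_volume(expect_encrypted, encryption_metadata, first_bytes):
    """Classify a volume without treating empty metadata as 'nothing to do'."""
    if not expect_encrypted:
        return "ok: encryption not expected"
    if not encryption_metadata:
        # The situation in this bug: the volume is believed to be encrypted,
        # no metadata comes back, so no provider is ever applied.
        return "FAIL: no encryption metadata returned"
    provider = str(encryption_metadata.get("provider", "")).lower()
    if "luks" not in provider:
        return "unverified: provider is not luks, no header check applies"
    header = parse_luks_header(first_bytes)
    if header is None:
        return "FAIL: luks provider configured but no LUKS header on device"
    return "ok: LUKS%d header present" % header["version"]

# Constructed sample data (not taken from the linked job logs).
SAMPLE_LUKS1 = (LUKS_MAGIC + struct.pack(">H", 1)
                + b"aes".ljust(32, b"\0") + b"xts-plain64".ljust(32, b"\0")
                + b"sha256".ljust(32, b"\0") + struct.pack(">II", 4096, 32)
                ).ljust(592, b"\0")
SAMPLE_PLAINTEXT = b"\0" * 592
SAMPLE_METADATA = {"provider": "luks", "cipher": "aes-xts-plain64",
                   "key_size": 256}  # assumed key names

if __name__ == "__main__":
    for meta, dev in ((SAMPLE_METADATA, SAMPLE_LUKS1), ({}, SAMPLE_PLAINTEXT)):
        print(audit_volume(True, meta, dev))
```

In practice `first_bytes` would be the first 592 bytes read from the backing device or image, and `expect_encrypted` would come from whatever record says the volume type is encrypted.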