yahoo-eng-team team mailing list archive
Message #35850
[Bug 1470142] Re: Nova volume encryptors attach volume fails for NFS and FC (rootwrap)
** Changed in: nova
Status: Fix Committed => Fix Released
** Changed in: nova
Milestone: None => liberty-2
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1470142
Title:
Nova volume encryptors attach volume fails for NFS and FC (rootwrap)
Status in OpenStack Compute (nova):
Fix Released
Bug description:
Tempest scenario TestEncryptedCinderVolumes has been silently skipped when run with NFS cinder drivers that did not
set the 'encrypted' key in the connection_info['data'] dict in their initialize_connection methods. Change
https://review.openstack.org/#/c/193673/ - which sets the encrypted flag generically, in the VolumeManager's
initialize_connection, on the basis of the volume.encryption_key_id value - causes this test to actually run its encryption
providers and exposes a problem in LuksEncryptor:attach_volume() for NFS exported volumes.
At
https://github.com/openstack/nova/blob/master/nova/volume/encryptors/luks.py#L119
we have:
    # modify the original symbolic link to refer to the decrypted device
    utils.execute('ln', '--symbolic', '--force',
                  '/dev/mapper/%s' % self.dev_name, self.symlink_path,
                  run_as_root=True, check_exit_code=True)
but in TestEncryptedCinderVolumes we get the following exception:
2015-06-29 06:44:06.353 DEBUG oslo_concurrency.processutils [req-35a458fe-8bfc-4570-ac8e-388e8b74d4ea TestEncryptedCinderVolumes-1523565967 TestEncryptedCinderVolumes-1577400956] u'sudo nova-rootwrap /etc/nova/rootwrap.conf ln --symbolic --force /dev/mapper/volume-f5684ecc-959f-4de8-8d62-a8adf4bdb4cc /opt/stack/data/nova/mnt/21dd48babac42ae884d1192b8697a041/volume-f5684ecc-959f-4de8-8d62-a8adf4bdb4cc' failed. Not Retrying. execute /usr/local/lib/python2.7/dist-packages/oslo_concurrency/processutils.py:293
2015-06-29 06:44:06.353 ERROR nova.virt.libvirt.driver [req-35a458fe-8bfc-4570-ac8e-388e8b74d4ea TestEncryptedCinderVolumes-1523565967 TestEncryptedCinderVolumes-1577400956] [instance: b285fed7-6d65-4b57-9ab0-8c17ce0cf6a8] Failed to attach volume at mountpoint: /dev/vdb
2015-06-29 06:44:06.353 13140 ERROR nova.virt.libvirt.driver [instance: b285fed7-6d65-4b57-9ab0-8c17ce0cf6a8] Traceback (most recent call last):
2015-06-29 06:44:06.353 13140 ERROR nova.virt.libvirt.driver [instance: b285fed7-6d65-4b57-9ab0-8c17ce0cf6a8] File "/opt/stack/new/nova/nova/virt/libvirt/driver.py", line 1082, in attach_volume
2015-06-29 06:44:06.353 13140 ERROR nova.virt.libvirt.driver [instance: b285fed7-6d65-4b57-9ab0-8c17ce0cf6a8] encryptor.attach_volume(context, **encryption)
2015-06-29 06:44:06.353 13140 ERROR nova.virt.libvirt.driver [instance: b285fed7-6d65-4b57-9ab0-8c17ce0cf6a8] File "/opt/stack/new/nova/nova/volume/encryptors/luks.py", line 121, in attach_volume
2015-06-29 06:44:06.353 13140 ERROR nova.virt.libvirt.driver [instance: b285fed7-6d65-4b57-9ab0-8c17ce0cf6a8] run_as_root=True, check_exit_code=True)
2015-06-29 06:44:06.353 13140 ERROR nova.virt.libvirt.driver [instance: b285fed7-6d65-4b57-9ab0-8c17ce0cf6a8] File "/opt/stack/new/nova/nova/utils.py", line 229, in execute
2015-06-29 06:44:06.353 13140 ERROR nova.virt.libvirt.driver [instance: b285fed7-6d65-4b57-9ab0-8c17ce0cf6a8] return processutils.execute(*cmd, **kwargs)
2015-06-29 06:44:06.353 13140 ERROR nova.virt.libvirt.driver [instance: b285fed7-6d65-4b57-9ab0-8c17ce0cf6a8] File "/usr/local/lib/python2.7/dist-packages/oslo_concurrency/processutils.py", line 260, in execute
2015-06-29 06:44:06.353 13140 ERROR nova.virt.libvirt.driver [instance: b285fed7-6d65-4b57-9ab0-8c17ce0cf6a8] cmd=sanitized_cmd)
2015-06-29 06:44:06.353 13140 ERROR nova.virt.libvirt.driver [instance: b285fed7-6d65-4b57-9ab0-8c17ce0cf6a8] ProcessExecutionError: Unexpected error while running command.
2015-06-29 06:44:06.353 13140 ERROR nova.virt.libvirt.driver [instance: b285fed7-6d65-4b57-9ab0-8c17ce0cf6a8] Command: sudo nova-rootwrap /etc/nova/rootwrap.conf ln --symbolic --force /dev/mapper/volume-f5684ecc-959f-4de8-8d62-a8adf4bdb4cc /opt/stack/data/nova/mnt/21dd48babac42ae884d1192b8697a041/volume-f5684ecc-959f-4de8-8d62-a8adf4bdb4cc
2015-06-29 06:44:06.353 13140 ERROR nova.virt.libvirt.driver [instance: b285fed7-6d65-4b57-9ab0-8c17ce0cf6a8] Exit code: 99
2015-06-29 06:44:06.353 13140 ERROR nova.virt.libvirt.driver [instance: b285fed7-6d65-4b57-9ab0-8c17ce0cf6a8] Stdout: u''
2015-06-29 06:44:06.353 13140 ERROR nova.virt.libvirt.driver [instance: b285fed7-6d65-4b57-9ab0-8c17ce0cf6a8] Stderr: u'/usr/local/bin/nova-rootwrap: Unauthorized command: ln --symbolic --force /dev/mapper/volume-f5684ecc-959f-4de8-8d62-a8adf4bdb4cc /opt/stack/data/nova/mnt/21dd48babac42ae884d1192b8697a041/volume-f5684ecc-959f-4de8-8d62-a8adf4bdb4cc (no filter matched)\n'
The cause is evidently the rootwrap filter at
https://github.com/openstack/nova/blob/master/etc/nova/rootwrap.d/compute.filters#L215, namely:
    ln: RegExpFilter, ln, root, ln, --symbolic, --force, /dev/mapper/ip-.*-iscsi-iqn.*, /dev/disk/by-path/ip-.*-iscsi-iqn.*
which only allows for iscsi paths.
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1470142/+subscriptions
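
Added example, not part of the original bug report and not nova or oslo.rootwrap code: a simplified Python model of how a rootwrap RegExpFilter line is matched argument by argument, run against the command from the log above to show which argument is refused. NFS_FILTER is a hypothetical pattern constructed for illustration (not the change released for this bug), and the iSCSI-shaped command uses constructed sample values.

```python
import re

# Filter line quoted in the bug report (etc/nova/rootwrap.d/compute.filters).
ISCSI_FILTER = ("ln: RegExpFilter, ln, root, ln, --symbolic, --force, "
                "/dev/mapper/ip-.*-iscsi-iqn.*, /dev/disk/by-path/ip-.*-iscsi-iqn.*")
# HYPOTHETICAL filter scoped to the NFS mount layout seen in the log; constructed
# for illustration, not the change that was released for this bug.
NFS_FILTER = ("ln_nfs: RegExpFilter, ln, root, ln, --symbolic, --force, "
              "/dev/mapper/volume-[0-9a-f-]{36}, "
              "/opt/stack/data/nova/mnt/[0-9a-f]{32}/volume-[0-9a-f-]{36}")

VOL = "volume-f5684ecc-959f-4de8-8d62-a8adf4bdb4cc"
# Command rejected in the log above.
NFS_CMD = ["ln", "--symbolic", "--force", "/dev/mapper/" + VOL,
           "/opt/stack/data/nova/mnt/21dd48babac42ae884d1192b8697a041/" + VOL]
# Constructed iSCSI-shaped command (address and IQN are sample values).
IQN = "ip-192.0.2.10:3260-iscsi-iqn.2010-10.org.openstack:" + VOL + "-lun-1"
ISCSI_CMD = ["ln", "--symbolic", "--force", "/dev/mapper/" + IQN,
             "/dev/disk/by-path/" + IQN]

def parse_filter(line):
    """Split 'name: Class, exec_path, run_as, pattern, ...' into its fields."""
    name, _, definition = line.partition(":")
    fields = [f.strip() for f in definition.split(",")]
    return {"name": name.strip(), "cls": fields[0], "exec_path": fields[1],
            "run_as": fields[2], "patterns": fields[3:]}

def first_mismatch(flt, userargs):
    """None if every argument matches; -1 on argument-count mismatch;
    otherwise the index of the first argument that fails its pattern."""
    patterns = flt["patterns"]
    if not userargs or len(patterns) != len(userargs):
        return -1
    for i, (pattern, arg) in enumerate(zip(patterns, userargs)):
        # Patterns are anchored at both ends: re.match() plus an explicit '$'.
        if not re.match(pattern + "$", arg):
            return i
    return None

def authorize(filter_lines, userargs):
    """Name of the first filter that admits the command, or None (denied)."""
    for line in filter_lines:
        flt = parse_filter(line)
        if first_mismatch(flt, userargs) is None:
            return flt["name"]
    return None

if __name__ == "__main__":
    print(authorize([ISCSI_FILTER], NFS_CMD))   # denied, as in "no filter matched"
    print(first_mismatch(parse_filter(ISCSI_FILTER), NFS_CMD))
```

The first refused argument is the link source, /dev/mapper/volume-..., so the command fails the iSCSI filter before the NFS mount path is even compared.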