yahoo-eng-team team mailing list archive
Message #73802
[Bug 1463525] Re: There is no volume encryption support for rbd-backed volumes
** Changed in: nova
Status: Confirmed => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1463525
Title:
There is no volume encryption support for rbd-backed volumes
Status in Cinder:
Fix Released
Status in OpenStack Compute (nova):
Fix Released
Bug description:
This came up as a discussion point in the nova IRC channel today
because someone was talking about adding encryption support to Ceph in
Nova and I pointed out that there is already a ceph job that runs the
tempest luks/cryptsetup encrypted volume tests successfully, so why
aren't those failing if it's not supported today?
We got looking at the code and logs and found that when nova tries to
get volume encryption metadata from cinder for rbd-backed instances,
nothing comes back so nova isn't doing anything with volume encryption
using its providers (luks / cryptsetup).
Change https://review.openstack.org/#/c/189799/ in nova adds logging
to see this:
Confirmed that for LVM backed Cinder we get something back:
http://logs.openstack.org/99/189799/2/check/check-tempest-dsvm-full/c3ee602/logs/screen-n-cpu.txt.gz#_2015-06-09_18_18_18_078
For Ceph we don't:
http://logs.openstack.org/99/189799/2/check/check-tempest-dsvm-full-ceph/353db23/logs/screen-n-cpu.txt.gz#_2015-06-09_18_21_16_723
This might be working as designed, I'm not sure, but I'm opening the
bug to track the effort since if you think you have encrypted volumes
when using ceph and nova you're probably not, so there is a false
sense of security here which is a bug.
To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1463525/+subscriptions
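
One way to check the "false sense of security" case described in the bug is to look at what is actually stored on the backing volume: a volume that went through the luks provider starts with a LUKS header. The following is an added example, not code from nova, cinder or the bug report; the function names and the sample headers are constructed for illustration. It only covers the luks provider, since plain cryptsetup (dm-crypt without LUKS) writes no header, so a missing header is not proof by itself for that provider.

```python
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"  # first 6 bytes of a LUKS1 or LUKS2 header


def inspect_volume_header(first_bytes):
    """Classify the start of a block device or image as LUKS or not."""
    if len(first_bytes) < 8 or first_bytes[:6] != LUKS_MAGIC:
        return {"luks": False}
    (version,) = struct.unpack(">H", first_bytes[6:8])
    info = {"luks": True, "version": version}
    if version == 1 and len(first_bytes) >= 104:
        # LUKS1 stores NUL-padded cipher name, cipher mode and hash spec
        # in three 32-byte fields directly after the version.
        fields = struct.unpack(">32s32s32s", first_bytes[8:104])
        names = [f.split(b"\0", 1)[0].decode("ascii", "replace") for f in fields]
        info["cipher"], info["mode"], info["hash"] = names
    return info


def read_header(path, size=592):
    """Read the first bytes of a device or image path (592 = LUKS1 header size)."""
    with open(path, "rb") as f:
        return f.read(size)


def constructed_luks1_header():
    # Constructed sample: only the fields parsed above are filled in,
    # the rest of the 592-byte header is zero padding.
    def pad(s):
        return s.ljust(32, b"\0")
    return (LUKS_MAGIC + struct.pack(">H", 1)
            + pad(b"aes") + pad(b"xts-plain64") + pad(b"sha256")
            + b"\0" * 488)


if __name__ == "__main__":
    # Constructed sample of a volume formatted by the luks provider.
    print(inspect_volume_header(constructed_luks1_header()))
    # Constructed sample of a volume whose data was written in the clear.
    print(inspect_volume_header(b"\0" * 592))
```

The check has to be run against the volume as the storage backend sees it, not against the decrypted device inside the guest or on the compute host.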