
yahoo-eng-team team mailing list archive

[Bug 1463525] Re: There is no volume encryption support for rbd-backed volumes

 

** Changed in: nova
       Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1463525

Title:
  There is no volume encryption support for rbd-backed volumes

Status in Cinder:
  Fix Released
Status in OpenStack Compute (nova):
  Fix Released

Bug description:
  This came up as a discussion point in the nova IRC channel today
  because someone was talking about adding encryption support to Ceph in
  Nova and I pointed out that there is already a ceph job that runs the
  tempest luks/cryptsetup encrypted volume tests successfully, so why
  aren't those failing if it's not supported today?

  We got looking at the code and logs and found that when nova tries to
  get volume encryption metadata from cinder for rbd-backed instances,
  nothing comes back so nova isn't doing anything with volume encryption
  using its providers (luks / cryptsetup).

  Change https://review.openstack.org/#/c/189799/ in nova adds logging
  to see this:

  Confirmed that for LVM backed Cinder we get something back:

  http://logs.openstack.org/99/189799/2/check/check-tempest-dsvm-full/c3ee602/logs/screen-n-cpu.txt.gz#_2015-06-09_18_18_18_078

  For Ceph we don't:

  http://logs.openstack.org/99/189799/2/check/check-tempest-dsvm-full-ceph/353db23/logs/screen-n-cpu.txt.gz#_2015-06-09_18_21_16_723

  This might be working as designed, I'm not sure, but I'm opening the
  bug to track the effort since if you think you have encrypted volumes
  when using ceph and nova you're probably not, so there is a false
  sense of security here which is a bug.


