yahoo-eng-team team mailing list archive

[Lee Yarwood <lyarwood@xxxxxxxxxx>]

Public bug reported:

Description
===========

LUKSv1 encrypted volumes have been natively decrypted by QEMU since
I5a0de814f2868f1a4980a69b72b45ee829cedb94. This behaviour is not
optional at present.

Recently discovered performance issues within the libgcrypt library [1]
used by QEMU to decrypt LUKSv1 disks mean that some users may wish to
disable this feature within the libvirt driver.

Disabling native decryption by QEMU should result in the original dm-
crypt approach being taken using encryptors provided from os-brick.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1762765

Steps to reproduce
==================

* Attach a LUKSv1 encrypted volume to an instance
* Test I/O performance within the instance to the volume.

Expected result
===============

Performance is close to baremetal performance using dm-crypt.

Actual result
=============

Performance is severely degraded if the libgcrypt issue [1] is not
resolved on the host.

Environment
===========
1. Exact version of OpenStack you are running. See the following
  list for all releases: http://docs.openstack.org/releases/

   Master.

2. Which hypervisor did you use?
   (For example: Libvirt + KVM, Libvirt + XEN, Hyper-V, PowerKVM, ...)
   What's the version of that?

   libvirt + QEMU/KVM

2. Which storage type did you use?
   (For example: Ceph, LVM, GPFS, ...)
   What's the version of that?

   N/A - LUKSv1 encryption used.

3. Which networking type did you use?
   (For example: nova-network, Neutron with OpenVSwitch, ...)

   N/A

Logs & Configs
==============

N/A

** Affects: nova
     Importance: High
         Status: New

** Changed in: nova
   Importance: Undecided => High

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1869182

Title:
  Poor LUKSv1 performance when using native QEMU decryption

Status in OpenStack Compute (nova):
  New

Bug description:
  Description
  ===========

  LUKSv1 encrypted volumes have been natively decrypted by QEMU since
  I5a0de814f2868f1a4980a69b72b45ee829cedb94. This behaviour is not
  optional at present.

  Recently discovered performance issues within the libgcrypt library
  [1] used by QEMU to decrypt LUKSv1 disks mean that some users may wish
  to disable this feature within the libvirt driver.

  Disabling native decryption by QEMU should result in the original dm-
  crypt approach being taken using encryptors provided from os-brick.

  [1] https://bugzilla.redhat.com/show_bug.cgi?id=1762765

  Steps to reproduce
  ==================

  * Attach a LUKSv1 encrypted volume to an instance
  * Test I/O performance within the instance to the volume.

  Expected result
  ===============

  Performance is close to baremetal performance using dm-crypt.

  Actual result
  =============

  Performance is severely degraded if the libgcrypt issue [1] is not
  resolved on the host.

  Environment
  ===========
  1. Exact version of OpenStack you are running. See the following
    list for all releases: http://docs.openstack.org/releases/

     Master.

  2. Which hypervisor did you use?
     (For example: Libvirt + KVM, Libvirt + XEN, Hyper-V, PowerKVM, ...)
     What's the version of that?

     libvirt + QEMU/KVM

  2. Which storage type did you use?
     (For example: Ceph, LVM, GPFS, ...)
     What's the version of that?

     N/A - LUKSv1 encryption used.

  3. Which networking type did you use?
     (For example: nova-network, Neutron with OpenVSwitch, ...)

     N/A

  Logs & Configs
  ==============

  N/A

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1869182/+subscriptions