
yahoo-eng-team team mailing list archive

[Bug 1869182] Re: Poor LUKSv1 performance when using native QEMU decryption

 

Reviewed:  https://review.opendev.org/708030
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=dbb58e964ad1821e96f3e6758b3add747339d052
Submitter: Zuul
Branch:    master

commit dbb58e964ad1821e96f3e6758b3add747339d052
Author: Lee Yarwood <lyarwood@xxxxxxxxxx>
Date:   Sat Feb 15 11:33:48 2020 +0000

    workarounds: Add option to disable native LUKSv1 decryption by QEMU
    
    Recently discovered performance issues with the libgcrypt library [1]
    mean that operators may wish to avoid the now default native decryption
    of LUKSv1 volumes as of I5a0de814f2868f1a4980a69b72b45ee829cedb94.
    
    This change introduces a ``[workarounds]/disable_native_luksv1``
    option to disable this native decryption by QEMU, allowing Nova to
    fall back to the dm-crypt based os-brick encryptors.
    
    This workaround is temporary and will be removed during the W release
    once all impacted distributions have been able to update their
    versions of the libgcrypt library.
    
    The _is_luks_v1 method previously used to confirm if a LUKSv1 encryption
    provider is being used has been renamed _allow_native_luksv1 and
    repurposed to determine if native LUKSv1 decryption by QEMU is allowed.
    
    [1] https://bugzilla.redhat.com/show_bug.cgi?id=1762765
    
    Closes-Bug: #1869182
    Change-Id: Ia500eb614cf575ab846f64f4b69c9068274c8c1f


** Changed in: nova
       Status: In Progress => Fix Released

** Bug watch added: Red Hat Bugzilla #1762765
   https://bugzilla.redhat.com/show_bug.cgi?id=1762765

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1869182

Title:
  Poor LUKSv1 performance when using native QEMU decryption

Status in OpenStack Compute (nova):
  Fix Released

Bug description:
  Description
  ===========

  LUKSv1 encrypted volumes have been natively decrypted by QEMU since
  I5a0de814f2868f1a4980a69b72b45ee829cedb94. This behaviour is not
  optional at present.

  Recently discovered performance issues within the libgcrypt library
  [1] used by QEMU to decrypt LUKSv1 disks mean that some users may wish
  to disable this feature within the libvirt driver.

  Disabling native decryption by QEMU should result in the original
  dm-crypt approach being taken using encryptors provided from os-brick.

  [1] https://bugzilla.redhat.com/show_bug.cgi?id=1762765

  Steps to reproduce
  ==================

  * Attach a LUKSv1 encrypted volume to an instance
  * Test I/O performance within the instance to the volume.

  Expected result
  ===============

  Performance is close to baremetal performance using dm-crypt.

  Actual result
  =============

  Performance is severely degraded if the libgcrypt issue [1] is not
  resolved on the host.

  Environment
  ===========
  1. Exact version of OpenStack you are running. See the following
    list for all releases: http://docs.openstack.org/releases/

     Master.

  2. Which hypervisor did you use?
     (For example: Libvirt + KVM, Libvirt + XEN, Hyper-V, PowerKVM, ...)
     What's the version of that?

     libvirt + QEMU/KVM

  2. Which storage type did you use?
     (For example: Ceph, LVM, GPFS, ...)
     What's the version of that?

     N/A - LUKSv1 encryption used.

  3. Which networking type did you use?
     (For example: nova-network, Neutron with OpenVSwitch, ...)

     N/A

  Logs & Configs
  ==============

  N/A

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1869182/+subscriptions
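
Added example, not part of the original notification and not Nova's own code: a small check that reads nova.conf text and reports which layer would decrypt a volume under the behaviour the commit message describes. Only the option name ``[workarounds]/disable_native_luksv1`` comes from the page; the boolean default of false, the provider string "luks" for LUKSv1, and the function names are assumptions made for illustration.

```python
import configparser

# Constructed sample nova.conf content; only the option name is from the page.
SAMPLE_CONF = """\
[DEFAULT]
debug = false

[workarounds]
disable_native_luksv1 = true
"""

# Assumption: provider value carried in a volume's encryption metadata for LUKSv1.
LUKSV1_PROVIDER = "luks"


def native_luksv1_disabled(conf_text):
    """Return True if [workarounds]/disable_native_luksv1 is switched on."""
    # interpolation=None: nova.conf values may contain '%' characters.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    # Assumption: an unset option leaves native QEMU decryption enabled.
    return parser.getboolean(
        "workarounds", "disable_native_luksv1", fallback=False
    )


def decryption_path(conf_text, encryption):
    """Name the layer expected to decrypt a volume on this compute host.

    `encryption` is a dict such as {"provider": "luks"}, or None for an
    unencrypted volume (hypothetical shape, for illustration only).
    """
    if not encryption:
        return "none"
    provider = encryption.get("provider")
    if provider == LUKSV1_PROVIDER and not native_luksv1_disabled(conf_text):
        # Native decryption by QEMU: the path affected by the libgcrypt issue.
        return "qemu-native"
    # Workaround set: fall back to the dm-crypt based os-brick encryptors.
    # Assumption: providers other than LUKSv1 also take this path.
    return "dm-crypt"


if __name__ == "__main__":
    print(decryption_path(SAMPLE_CONF, {"provider": "luks"}))
```

Because the commit message states the workaround is temporary and will be removed during the W release, a host that reports "dm-crypt" for LUKSv1 here is worth rechecking once its libgcrypt package has been updated.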

