yahoo-eng-team team mailing list archive

[OpenStack Infra <1869184@xxxxxxxxxxxxxxxxxx>]

Reviewed:  https://review.opendev.org/708029
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=7c7a25aa1eda9b1815f12cce25dda0a840d562f1
Submitter: Zuul
Branch:    master

commit 7c7a25aa1eda9b1815f12cce25dda0a840d562f1
Author: Lee Yarwood <lyarwood@xxxxxxxxxx>
Date:   Sat Feb 15 12:24:11 2020 +0000

    workarounds: Add option to locally attach RBD volumes on compute hosts
    
    Building on the ``[workarounds]/disable_native_luksv1``
    configurable introduced in Ia500eb614cf575ab846f64f4b69c9068274c8c1f
    this change introduces another workaround configurable that when enabled
    will connect RBD volumes to the compute host as block devices using
    os-brick.
    
    When used togther both options allow operators to workaround recently
    discovered performance issues in the libgcrypt library used by QEMU when
    natively decrypting LUKSv1 encrypted disks.
    
    For now the extend_volume method raises a NotImplemented error in-line
    with the underlying method in os-brick. Future work will be required to
    both support this in os-brick and wire up the required calls in the
    volume driver.
    
    This workaround is temporary and will be removed during the W release
    once all impacted distributions have been able to update their versions
    of the libgcrypt library.
    
    Finally os-brick 3.0.1 is now required as it provides the
    Id507109df80391699074773f4787f74507c4b882 fix when attempting to
    diconnect locally attached RBD volumes.
    
    Closes-Bug: #1869184
    Change-Id: Ied3732042738a6194b635c55e0304d71a6fb66e3


** Changed in: nova
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1869184

Title:
  Poor LUKSv1 performance when using native QEMU decryption and RBD
  volumes

Status in OpenStack Compute (nova):
  Fix Released

Bug description:
  Description
  ===========

  This bug specifically covers the RBD use case when dealing with bug
  #1869182.

  In addition to allowing operators to switch to the os-brick encryptors
  when decrypting LUKSv1 volumes RBD users will also need to use the RBD
  connector also provided by os-brick.

  This will connect the RBD volume to the host and provide it as a host
  block device, allowing the os-brick encryptors to be layered on top of
  it as with other volume types.

  Steps to reproduce
  ==================

  * Attach a LUKSv1 RBD encrypted volume to an instance
  * Test I/O performance within the instance to the volume.

  Expected result
  ===============

  Performance is close to baremetal performance using dm-crypt.

  Actual result
  =============

  Performance is severely degraded if the libgcrypt issue [1] is not
  resolved on the host.

  Environment
  ===========
  1. Exact version of OpenStack you are running. See the following
    list for all releases: http://docs.openstack.org/releases/

     Master.

  2. Which hypervisor did you use?
     (For example: Libvirt + KVM, Libvirt + XEN, Hyper-V, PowerKVM, ...)
     What's the version of that?

     libvirt + QEMU/KVM

  2. Which storage type did you use?
     (For example: Ceph, LVM, GPFS, ...)
     What's the version of that?

     RBD - LUKSv1 encryption used.

  3. Which networking type did you use?
     (For example: nova-network, Neutron with OpenVSwitch, ...)

     N/A

  Logs & Configs
  ==============

  N/A

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1869184/+subscriptions