
yahoo-eng-team team mailing list archive

[Bug 1895696] Re: unable to boot instance from encrypted volume created from a glance image of an encrypted volume


Reviewed:  https://review.opendev.org/752090
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=f9b67893acf94c06fd41be36b80b99788dc77e48
Submitter: Zuul
Branch:    master

commit f9b67893acf94c06fd41be36b80b99788dc77e48
Author: Lee Yarwood <lyarwood@xxxxxxxxxx>
Date:   Tue Sep 15 18:17:04 2020 +0100

    compute: Skip cinder_encryption_key_id check when booting from volume
    
    Idf84ccff254d26fa13473fe9741ddac21cbcf321 added this check in order for
    Nova to avoid booting encrypted images created by Cinder as there is
    currently no support for using such images (rotating keys etc).
    
    The check however missed the slightly convoluted use case where this
    image property is found against a volume after the volume in question is
    created using an encrypted image created by cinder from an encrypted
    volume. In other words:
    
    - Cinder creates an encrypted volume A
    - Glance creates an encrypted image A from volume A
    - Cinder creates an encrypted volume B from image A
    - Nova attempts to boot an instance using volume B
    
    Note that Nova may request the creation of volume B or a user could also
    do this directly through Cinder.
    
    As such this change simply ensures that the instance isn't booting from
    a volume when performing the check as it is only valid when booting from
    an image.
    
    Closes-Bug: #1895696
    Change-Id: Ic92cab7362fa25050e5bbef5c3e360108365b5c7


** Changed in: nova
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1895696

Title:
  unable to boot instance from encrypted volume created from a glance
  image of an encrypted volume

Status in Cinder:
  New
Status in OpenStack Compute (nova):
  Fix Released

Bug description:
  Description
  ===========
  What the title says, plus see "steps to reproduce" below.
  This is a regression caused by the fix for https://bugs.launchpad.net/nova/+bug/1852106

  Steps to Reproduce
  ==================
  1. Let Image-1 be a "regular" (non-encrypted, bootable) image in Glance (like the cirros image).
  2. Create volume V-1 in Cinder from Image-1 specifying encrypted volume-type T-1.
  3. Boot an instance from V-1 (make sure delete-on-terminate is false).  Works fine.  Delete the instance to free up the volume.
  4. Call cinder upload-to-image on V-1 to create Image-2.
  5. Create volume V-2 in Cinder specifying encrypted volume-type T-1 from Image-2.
  6. Boot an instance from V-2.

  Expected result
  ===============
  Working instance booted from volume.

  Actual result
  =============
  ERROR (BadRequest): Image None is unacceptable: Direct booting of an image uploaded from an encrypted volume is unsupported. (HTTP 400)

  Note:
  If we bypass the check at https://review.opendev.org/#/c/707738/3/nova/compute/api.py@894, the instance goes 'active' and is operable (you can ssh into it).  (Of course, we don't want to bypass the check, it just needs to be made aware that we are booting from a volume, not trying to boot from an image.)

To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1895696/+subscriptions
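The following is an added illustration of the check discussed in the commit message and in the reproduction steps above; it is not Nova's own code and does not use Nova's real function names or request objects. It models the `cinder_encryption_key_id` image-property check in its original form (rejecting every request whose image metadata carries the property) and in the fixed form (only applied when the root disk is not a Cinder volume), then runs the three boot shapes from the bug report through both. The `BootRequest` and `ImageUnacceptable` names, the `boot_from_volume` flag and the sample image metadata for Image-2 are all constructed for this example.

```python
"""Model of the cinder_encryption_key_id boot check, before and after the fix.

Added example, not Nova's code: BootRequest, ImageUnacceptable, the
boot_from_volume flag and IMAGE_2_PROPERTIES are all constructed here.
"""
from dataclasses import dataclass, field


class ImageUnacceptable(Exception):
    """Stand-in (hypothetical) for the exception behind the HTTP 400 in the report."""


@dataclass
class BootRequest:
    """Minimal boot request: image properties plus how the root disk is backed."""
    image_properties: dict = field(default_factory=dict)
    # True when the root disk is a Cinder volume (boot-from-volume);
    # False when Nova itself must consume the image to build the root disk.
    boot_from_volume: bool = False


def check_before_fix(req):
    """Original behaviour: reject any image carrying the Cinder key-id property,
    regardless of whether the request actually boots from that image."""
    if 'cinder_encryption_key_id' in req.image_properties:
        raise ImageUnacceptable(
            'Direct booting of an image uploaded from an encrypted volume '
            'is unsupported.')
    return True


def check_after_fix(req):
    """Fixed behaviour: the check only applies when booting from an image.
    When the root disk is a volume, the image metadata reached Nova via the
    volume and Nova never has to read the image contents itself."""
    if req.boot_from_volume:
        return True
    return check_before_fix(req)


# Constructed sample metadata for Image-2 (step 4 of the reproduction):
# "cinder upload-to-image" on encrypted volume V-1 stamps the key id on it.
IMAGE_2_PROPERTIES = {
    'cinder_encryption_key_id': 'KEY-ID-PLACEHOLDER',  # constructed, not a real id
    'hw_disk_bus': 'virtio',
}


def classify(check, req):
    """Run one check on one request and return 'accepted' or 'rejected'."""
    try:
        check(req)
        return 'accepted'
    except ImageUnacceptable:
        return 'rejected'


def run_scenarios(check):
    """Outcome of the given check for the boot shapes in the bug report."""
    return {
        # Step 3: boot from V-1, whose metadata came from a plain image.
        'volume_from_plain_image': classify(check, BootRequest({}, True)),
        # Step 6: boot from V-2, created from Image-2 (the failing case).
        'volume_from_encrypted_image': classify(
            check, BootRequest(IMAGE_2_PROPERTIES, True)),
        # Still unsupported either way: boot an instance directly from Image-2.
        'direct_image_boot': classify(
            check, BootRequest(IMAGE_2_PROPERTIES, False)),
    }


if __name__ == '__main__':
    for name, check in (('before', check_before_fix), ('after', check_after_fix)):
        print(name, run_scenarios(check))
```

The point the scenarios make is the one in the commit message: the property is a valid reason to refuse only when Nova would boot the image directly, so the fixed check keeps rejecting `direct_image_boot` while letting the volume-backed request through.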
