yahoo-eng-team team mailing list archive
Message #85300
[Bug 1917498] [NEW] Cold migration/resize failure with encrypted volumes can leave instance in error and volumes attaching
Public bug reported:
Description
===========
Due to the differences in nova, cinder and barbican policies described in bug 1895848, a user cannot migrate an instance with an encrypted volume (using barbican) that belongs to a user in a different project. Furthermore, if a cold migration or resize is attempted and fails when accessing the encryption key, the instance will go to an 'error' state, and the volumes will get stuck in the 'attaching' state.
Steps to reproduce
==================
Prerequisites: users A & B, where B has the admin role.
As user A in project A, create an instance with an encrypted volume.
As user B in project B, attempt to cold migrate the instance.
Expected result
===============
Cold migration is unsuccessful. Instance remains active with volume attached.
Actual result
=============
Cold migration is unsuccessful. Instance is in ERROR state and shutoff. The volume appears to be attached from the nova perspective, but in Cinder its status is attaching. The volume has lost the attachment record.
Environment
===========
Seen in Stein, CentOS 7, deployed via Kolla Ansible.
Logs
====
Will follow up with more info.
** Affects: nova
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1917498
Title:
Cold migration/resize failure with encrypted volumes can leave
instance in error and volumes attaching
Status in OpenStack Compute (nova):
New
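A consistency check for the end state described under "Actual result", as an added example that is not part of the original bug report or of nova: it compares the volumes Nova lists as attached with Cinder's status and attachment records for the same volumes. The server and volume records are constructed sample data shaped like Nova server and Cinder volume API responses, and find_stuck_attachments is a hypothetical helper name.

```python
# Added example, not nova or cinder code. All records below are constructed.
NOVA_KEY = "os-extended-volumes:volumes_attached"  # field in Nova server details


def find_stuck_attachments(servers, volumes):
    """Report volumes Nova lists as attached to a server while Cinder shows
    them as 'attaching' or holds no attachment record for that server."""
    by_id = {v["id"]: v for v in volumes}
    findings = []
    for server in servers:
        for ref in server.get(NOVA_KEY, []):
            vol = by_id.get(ref["id"])
            if vol is None:
                continue  # volume not visible in this Cinder listing
            has_record = any(a.get("server_id") == server["id"]
                             for a in vol.get("attachments", []))
            if vol["status"] == "attaching" or not has_record:
                findings.append({
                    "server": server["id"],
                    "server_status": server["status"],
                    "volume": vol["id"],
                    "volume_status": vol["status"],
                    "has_attachment_record": has_record,
                    "encrypted": vol.get("encrypted", False),
                })
    return findings


# Constructed sample: one healthy instance, one in the state the report describes.
SERVERS = [
    {"id": "srv-ok", "status": "ACTIVE", NOVA_KEY: [{"id": "vol-ok"}]},
    {"id": "srv-bad", "status": "ERROR", NOVA_KEY: [{"id": "vol-bad"}]},
]
VOLUMES = [
    {"id": "vol-ok", "status": "in-use", "encrypted": True,
     "attachments": [{"server_id": "srv-ok", "attachment_id": "att-1"}]},
    {"id": "vol-bad", "status": "attaching", "encrypted": True,
     "attachments": []},
]

if __name__ == "__main__":
    for f in find_stuck_attachments(SERVERS, VOLUMES):
        print(f)
```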