yahoo-eng-team team mailing list archive

[Bug 2007697] [NEW] Validation of memory encryption constraints fails as img properties are not present

 

Public bug reported:

Description
===========
Creating a VM with AMD SEV attached to it fails during get_mem_encryption_constraint.

During the creation process of the VM, nova-compute runs twice into
get_mem_encryption_constraint. Within this function nova evaluates if
all preconditions for AMD SEV are met for the selected flavor and image
(e.g. machine_type=q35, hw_firmware_type=uefi).

The second time, get_mem_encryption_constraint is triggered from
scheduler_utils. In this state nova-compute does not have any
information about the image (expected, as it's called by
get_flags_by_flavor_specs ->
scheduler_utils.ResourceRequest.from_request_spec ->
translate_memory_encryption).

As no image information is present, from_request_spec generates an
instance of objects.ImageMeta(properties=objects.ImageMetaProps()),
which is basically an "empty image shell".

Further down the chain, during _check_mem_encryption_uses_uefi_image,
this fails as the image does not contain any information at all.

This check was already validated by nova-compute beforehand (with the image information present).
Therefore this second iteration through _check_mem_encryption_uses_uefi_image is not needed and fails there anyway.

Steps to reproduce
==================
Have an image with property hw_firmware_type=uefi set.
Have a flavor with property hw:mem_encryption=true set.
Have the hypervisor properly set up for SEV.
Schedule a VM.

Expected result
===============
The VM should be created properly and be running after creation.

Actual result
=============
The second run through _check_mem_encryption_uses_uefi_image fails as there is no image information present at all.

Environment
===========
Hypervisor: Libvirt/KVM
OS: Ubuntu 22.04 LTS (Jammy Jellyfish)
OpenStack Release: Yoga

Logs & Configs
==============
Traceback (most recent call last):,
File /usr/local/lib/python3.10/dist-packages/nova/compute/manager.py, line 2503, in _build_and_run_instance,
  self.driver.spawn(context, instance, image_meta,,
File /usr/local/lib/python3.10/dist-packages/nova/virt/libvirt/driver.py, line 4328, in spawn,
  xml = self._get_guest_xml(context, instance, network_info,,
File /usr/local/lib/python3.10/dist-packages/nova/virt/libvirt/driver.py, line 7299, in _get_guest_xml,
  conf = self._get_guest_config(instance, network_info, image_meta,,
File /usr/local/lib/python3.10/dist-packages/nova/virt/libvirt/driver.py, line 6876, in _get_guest_config,
  guest.cpu = self._get_guest_cpu_config(,
File /usr/local/lib/python3.10/dist-packages/nova/virt/libvirt/driver.py, line 5311, in _get_guest_cpu_config,
  cpu = self._get_guest_cpu_model_config(flavor, arch),
File /usr/local/lib/python3.10/dist-packages/nova/virt/libvirt/driver.py, line 5258, in _get_guest_cpu_model_config,
  flags = libvirt_utils.get_flags_by_flavor_specs(flavor),
File /usr/local/lib/python3.10/dist-packages/nova/virt/libvirt/utils.py, line 600, in get_flags_by_flavor_specs,
  resource_request = scheduler_utils.ResourceRequest.from_request_spec(,
File /usr/local/lib/python3.10/dist-packages/nova/scheduler/utils.py, line 188, in from_request_spec,
  res_req._translate_memory_encryption(request_spec.flavor, image),
File /usr/local/lib/python3.10/dist-packages/nova/scheduler/utils.py, line 298, in _translate_memory_encryption,
  if not hardware.get_mem_encryption_constraint(flavor, image):,
File /usr/local/lib/python3.10/dist-packages/nova/virt/hardware.py, line 1198, in get_mem_encryption_constraint,
  _check_mem_encryption_uses_uefi_image(requesters, image_meta),
File /usr/local/lib/python3.10/dist-packages/nova/virt/hardware.py, line 1245, in _check_mem_encryption_uses_uefi_image,
  raise exception.FlavorImageConflict(emsg % data), nova.exception.FlavorImageConflict: Memory encryption requested by hw:mem_encryption extra spec in m1a.8d-sev flavor but image None doesn't have 'hw_firmware_type' property set to 'uefi' or volume-backed instance was requested

** Affects: nova
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/2007697
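
The failure mode reported above, as an added example that is not part of the original report and is not nova's code: a simplified model in which the UEFI precondition check fails closed when the flavor-only path hands it an empty image shell. Plain dicts stand in for nova's flavor and image objects, and first_pass, second_pass, outcome and the image name are hypothetical.

```python
# Simplified model of the call flow in the report; not nova's implementation.
# Plain dicts stand in for flavor extra specs and image properties.


class FlavorImageConflict(Exception):
    """Stand-in for nova.exception.FlavorImageConflict."""


def get_mem_encryption_constraint(flavor_name, extra_specs, image_name, image_props):
    """Return True if memory encryption is requested and its preconditions hold."""
    requested = str(extra_specs.get("hw:mem_encryption", "false")).lower() == "true"
    if not requested:
        return False
    # Models _check_mem_encryption_uses_uefi_image: a missing property is
    # treated the same as a non-UEFI image, so the check fails closed.
    if image_props.get("hw_firmware_type") != "uefi":
        raise FlavorImageConflict(
            "Memory encryption requested by hw:mem_encryption extra spec in "
            f"{flavor_name} flavor but image {image_name} doesn't have "
            "'hw_firmware_type' property set to 'uefi'"
        )
    return True


def first_pass(flavor_name, extra_specs, image_name, image_props):
    """Validation with the real image metadata available."""
    return get_mem_encryption_constraint(flavor_name, extra_specs, image_name, image_props)


def second_pass(flavor_name, extra_specs):
    """Flavor-only path: the image is an empty shell (no name, no properties)."""
    return get_mem_encryption_constraint(flavor_name, extra_specs, None, {})


def outcome(call, *args):
    """Run one pass and report 'ok', 'not requested' or the conflict message."""
    try:
        return "ok" if call(*args) else "not requested"
    except FlavorImageConflict as exc:
        return f"conflict: {exc}"


# Constructed sample values mirroring the reproduction steps.
SEV_FLAVOR = ("m1a.8d-sev", {"hw:mem_encryption": "true"})
UEFI_IMAGE = ("example-uefi-image", {"hw_firmware_type": "uefi"})

if __name__ == "__main__":
    print(outcome(first_pass, *SEV_FLAVOR, *UEFI_IMAGE))
    print(outcome(second_pass, *SEV_FLAVOR))
    print(outcome(second_pass, "m1.small", {}))
```

A flavor that does not request memory encryption passes through the flavor-only path untouched, which is why only SEV flavors hit the conflict.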
