yahoo-eng-team team mailing list archive

[Bug 2125030] Re: Revert resize of instance with vTPM to flavor also with vTPM fails with ERROR state when storage is not shared

 

Reviewed:  https://review.opendev.org/c/openstack/nova/+/962007
Committed: https://opendev.org/openstack/nova/commit/787d2a130053bd369d35480d6534f01b07c2310d
Submitter: "Zuul (22348)"
Branch:    master

commit 787d2a130053bd369d35480d6534f01b07c2310d
Author: melanie witt <melwittt@xxxxxxxxx>
Date:   Mon Sep 22 08:34:47 2025 -0700

    Move cleanup of vTPM secret from driver to compute
    
    Currently, vTPM secrets are deleted from Barbican any time instance
    disks are deleted when driver.destroy() is called. This is fine if the
    instance is also being deleted but if it's not, such as during a resize
    revert, it will fail with the following error:
    
      nova.exception.Invalid: Refusing to create an emulated TPM with no
        secret!
    
    which will bubble up to the API as an HTTP 500.
    
    This moves deletion of the vTPM secret from Barbican from the libvirt
    driver destroy() path to the compute manager _delete_instance() path so
    that the vTPM secret is deleted only if the instance is being deleted.
    
    Closes-Bug: #2125030
    Change-Id: I1a43dc0502e1e65b4ef0348610f5eddb43dbff02
    Signed-off-by: melanie witt <melwittt@xxxxxxxxx>


** Changed in: nova
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/2125030

Title:
  Revert resize of instance with vTPM to flavor also with vTPM fails
  with ERROR state when storage is not shared

Status in OpenStack Compute (nova):
  Fix Released

Bug description:
  I stumbled across this bug while working on vTPM live migration
  functional tests and was able to also reproduce the failure in a
  proposed whitebox tempest test patch [1].

  When attempting to revert a resize of an instance with vTPM to a
  flavor also with vTPM, the revert will fail with the following
  traceback [2]:

  ERROR nova.compute.manager [None req-009ffcaf-3dc4-4f22-b636-184cf2e0830a tempest-VTPMTest-1347189149 tempest-VTPMTest-1347189149-project-member] [instance: bd387843-0b5a-4340-859c-013f27e39e7a] Setting instance vm_state to ERROR: nova.exception.Invalid: Refusing to create an emulated TPM with no secret!
  ERROR nova.compute.manager [instance: bd387843-0b5a-4340-859c-013f27e39e7a] Traceback (most recent call last):
  ERROR nova.compute.manager [instance: bd387843-0b5a-4340-859c-013f27e39e7a]   File "/opt/stack/nova/nova/compute/manager.py", line 11546, in _error_out_instance_on_exception
  ERROR nova.compute.manager [instance: bd387843-0b5a-4340-859c-013f27e39e7a]     yield
  ERROR nova.compute.manager [instance: bd387843-0b5a-4340-859c-013f27e39e7a]   File "/opt/stack/nova/nova/compute/manager.py", line 6046, in _finish_revert_resize
  ERROR nova.compute.manager [instance: bd387843-0b5a-4340-859c-013f27e39e7a]     self.driver.finish_revert_migration(
  ERROR nova.compute.manager [instance: bd387843-0b5a-4340-859c-013f27e39e7a]   File "/opt/stack/nova/nova/virt/libvirt/driver.py", line 12779, in finish_revert_migration
  ERROR nova.compute.manager [instance: bd387843-0b5a-4340-859c-013f27e39e7a]     xml = self._get_guest_xml(context, instance, network_info, disk_info,
  ERROR nova.compute.manager [instance: bd387843-0b5a-4340-859c-013f27e39e7a]           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  ERROR nova.compute.manager [instance: bd387843-0b5a-4340-859c-013f27e39e7a]   File "/opt/stack/nova/nova/virt/libvirt/driver.py", line 8047, in _get_guest_xml
  ERROR nova.compute.manager [instance: bd387843-0b5a-4340-859c-013f27e39e7a]     conf = self._get_guest_config(instance, network_info, image_meta,
  ERROR nova.compute.manager [instance: bd387843-0b5a-4340-859c-013f27e39e7a]            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  ERROR nova.compute.manager [instance: bd387843-0b5a-4340-859c-013f27e39e7a]   File "/opt/stack/nova/nova/virt/libvirt/driver.py", line 7571, in _get_guest_config
  ERROR nova.compute.manager [instance: bd387843-0b5a-4340-859c-013f27e39e7a]     self._add_vtpm_device(guest, flavor, instance, image_meta)
  ERROR nova.compute.manager [instance: bd387843-0b5a-4340-859c-013f27e39e7a]   File "/opt/stack/nova/nova/virt/libvirt/driver.py", line 6837, in _add_vtpm_device
  ERROR nova.compute.manager [instance: bd387843-0b5a-4340-859c-013f27e39e7a]     raise exception.Invalid(
  ERROR nova.compute.manager [instance: bd387843-0b5a-4340-859c-013f27e39e7a] nova.exception.Invalid: Refusing to create an emulated TPM with no secret!

  The root cause appears to be the fact that the vTPM secret is always
  deleted from Barbican when driver.destroy() is called, and
  driver.destroy() is called as part of the revert resize code path [3].

  I don't yet know the best way to fix this but I will be working on it
  as part of the vTPM live migration effort.

  [1] https://review.opendev.org/c/openstack/whitebox-tempest-plugin/+/961558
  [2] https://zuul.opendev.org/t/openstack/build/091220ed15dc41dfab65b7ce6cb629de/log/compute-host/logs/screen-n-cpu.txt#91404
  [3] https://github.com/openstack/nova/blob/1d317f043e03e06dc3bc25acb750efb586551572/nova/compute/manager.py#L5947

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/2125030/+subscriptions
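
A simplified, single-process model of the lifecycle change the commit message describes, added here as an illustration; it is not nova's code. FakeKeyManager, Driver, ComputeManager and run are hypothetical names standing in for Barbican, the libvirt driver and the compute manager, and the flag selects whether the driver (before the fix) or the compute manager (after it) deletes the secret.

```python
# Added illustration; every name is hypothetical. FakeKeyManager stands in for Barbican.
class FakeKeyManager:
    def __init__(self):
        self.secrets = {}
    def get(self, secret_id):
        return self.secrets.get(secret_id)
    def delete(self, secret_id):
        self.secrets.pop(secret_id, None)

class Driver:
    def __init__(self, km, owns_secret_cleanup):
        self.km, self.owns_secret_cleanup = km, owns_secret_cleanup
    def create_guest(self, inst):
        # Same guard as in the traceback: no secret, no emulated TPM.
        if self.km.get(inst["secret_id"]) is None:
            raise ValueError("Refusing to create an emulated TPM with no secret!")
        inst["state"] = "ACTIVE"
    def destroy(self, inst):
        inst["state"] = "DESTROYED"  # guest and disks removed
        if self.owns_secret_cleanup:  # behaviour before the fix
            self.km.delete(inst["secret_id"])

class ComputeManager:
    def __init__(self, km, driver_owns_secret_cleanup):
        self.km, self.driver_owns = km, driver_owns_secret_cleanup
        self.driver = Driver(km, driver_owns_secret_cleanup)
    def revert_resize(self, inst):
        self.driver.destroy(inst)  # cleanup of the resized guest
        try:
            self.driver.create_guest(inst)  # bring the original guest back
        except ValueError:
            inst["state"] = "ERROR"
    def delete_instance(self, inst):
        self.driver.destroy(inst)
        if not self.driver_owns:  # after the fix: secret dies with the instance
            self.km.delete(inst["secret_id"])
        inst["state"] = "DELETED"

def run(driver_owns_secret_cleanup):
    """Revert a resize, then delete; report (state, secret still stored)."""
    km = FakeKeyManager()
    km.secrets["secret-1"] = "constructed-passphrase"  # constructed sample value
    inst = {"secret_id": "secret-1", "state": "ACTIVE"}
    cm = ComputeManager(km, driver_owns_secret_cleanup)
    cm.revert_resize(inst)
    after_revert = (inst["state"], km.get("secret-1") is not None)
    cm.delete_instance(inst)
    after_delete = (inst["state"], km.get("secret-1") is not None)
    return after_revert, after_delete
```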


