There is no volume encryption support for rbd-backed volumes
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Cinder | Fix Released | Undecided | Eric Harney |
OpenStack Compute (nova) | Fix Released | Wishlist | Unassigned |
Bug Description
This came up as a discussion point in the nova IRC channel today because someone was talking about adding encryption support to Ceph in Nova and I pointed out that there is already a ceph job that runs the tempest luks/cryptsetup encrypted volume tests successfully, so why aren't those failing if it's not supported today?
We got looking at the code and logs and found that when nova tries to get volume encryption metadata from cinder for rbd-backed instances, nothing comes back, so nova isn't doing anything with volume encryption using its providers (luks / cryptsetup).
Change https:/
Confirmed that for LVM backed Cinder we get something back:
For Ceph we don't:
This might be working as designed, I'm not sure, but I'm opening the bug to track the effort since if you think you have encrypted volumes when using ceph and nova you're probably not, so there is a false sense of security here which is a bug.
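The decision the report describes, as an added example that is not cinder or nova code: nova asks cinder for a volume's encryption metadata and only attaches a LUKS/cryptsetup encryptor when that metadata names a provider. The script replays that decision on constructed payloads shaped like cinder's `GET /v3/{project_id}/volumes/{volume_id}/encryption` response (the key id and volume names are invented), and flags volumes whose type claims encryption while nova would leave the data in the clear. The provider-to-format table is a simplified assumption about nova's encryptor lookup, not a copy of it.

```python
import json
from typing import Dict, List, Optional, Tuple

# Constructed sample payload in the shape of cinder's per-volume encryption
# metadata response for an LVM volume whose type carries a LUKS spec.
# Field names follow the cinder API; the key id is made up.
LVM_ENCRYPTION_RESPONSE = json.dumps({
    "encryption_key_id": "3f2c1a8e-0000-4000-8000-000000000001",
    "provider": "luks",
    "control_location": "front-end",
    "cipher": "aes-xts-plain64",
    "key_size": 256,
})

# Constructed: the rbd case from the report, where the call returns nothing
# nova can act on (no provider, no key).
RBD_ENCRYPTION_RESPONSE = json.dumps({"encryption_key_id": None})

# Assumption: a simplified view of the provider strings nova resolves to an
# encryptor, short format names plus the legacy class names for them.
PROVIDER_TO_FORMAT = {
    "luks": "luks",
    "plain": "plain",
    "LuksEncryptor": "luks",
    "CryptsetupEncryptor": "plain",
    "nova.volume.encryptors.luks.LuksEncryptor": "luks",
    "nova.volume.encryptors.cryptsetup.CryptsetupEncryptor": "plain",
}


def encryptor_nova_would_use(raw_response: str) -> Optional[str]:
    """Replay nova's decision for one volume.

    Returns the encryptor format ("luks" / "plain") nova would set up, or None
    when the metadata names no usable provider, in which case the guest writes
    plaintext to the backend."""
    metadata = json.loads(raw_response) if raw_response else {}
    provider = metadata.get("provider")
    if not provider:
        return None
    # An unknown provider string is not treated as "encrypted" either.
    return PROVIDER_TO_FORMAT.get(provider)


def audit_volumes(volumes: Dict[str, Tuple[bool, str]]) -> List[str]:
    """Return the ids of volumes that look encrypted but are not.

    ``volumes`` maps a volume id to a pair: whether the volume's type has an
    encryption spec configured, and the raw JSON body cinder returned for the
    per-volume encryption metadata call."""
    silently_plain = []
    for volume_id, (type_claims_encryption, raw_response) in volumes.items():
        if type_claims_encryption and encryptor_nova_would_use(raw_response) is None:
            silently_plain.append(volume_id)
    return silently_plain


if __name__ == "__main__":
    # Constructed inventory: two volumes on an "encrypted" type, one plain.
    sample = {
        "lvm-vol": (True, LVM_ENCRYPTION_RESPONSE),
        "rbd-vol": (True, RBD_ENCRYPTION_RESPONSE),
        "plain-vol": (False, RBD_ENCRYPTION_RESPONSE),
    }
    for vid in audit_volumes(sample):
        print(f"{vid}: volume type says encrypted, nova would attach no encryptor")
```

To run this against a real deployment, replace the constructed payloads with the body of the per-volume encryption metadata call (python-cinderclient exposes it as `volumes.get_encryption_metadata(volume_id)`) and take "type claims encryption" from the encryption spec attached to each volume type; any volume the audit lists is one where the tenant believes the data is encrypted at rest and the compute node never set up an encryptor.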
Changed in cinder:
  assignee: Matt Riedemann (mriedem) → nobody
  summary: There is no volume encryption metadata for rbd-backed volumes → There is no volume encryption support for rbd-backed volumes
Changed in nova:
  assignee: Zoltan Arnold Nagy (zoltan) → nobody
  status: In Progress → Confirmed
Changed in nova:
  importance: Undecided → Wishlist
Changed in cinder:
  assignee: nobody → Eric Harney (eharney)
Changed in nova:
  assignee: nobody → Eric Harney (eharney)
Changed in nova:
  assignee: Eric Harney (eharney) → nobody
Changed in nova:
  status: Confirmed → Fix Released
I've dug through the cinder API as much as I know how and I'm not seeing anything volume driver-specific going on where the mapping between the encryption table and the volume_type (that tempest is creating) isn't being created properly. I poked through the logs as much as I could but I'm not seeing where things are breaking down, but apparently cinder is not finding that mapping (or making that connection for the volume), so that when we query the cinder API we get nothing back.