tripleo

Encrypted volume attachment fails when nova-compute is containerized

Bug #1729419 reported by Eric Harney on 2017-11-01

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	tripleo	Fix Released	Critical	Emilien Macchi	tripleo queens-2

Bug Description

Encrypted volume attachment fails when nova-compute is running in a container (Pike). The compute service runs "cryptsetup luksOpen" which hangs waiting for some udev device creation to complete. This never finishes and the command hangs.

Changing the nova compute service to run with "--ipc=host" allows devicemapper in the container to see the udev device process finish, and resolves this issue.

This will be needed for any services attaching encrypted Cinder volumes: nova compute and cinder volume at a minimum.

Tags:

Revision history for this message

Eric Harney (eharney) wrote on 2017-11-01:

Some info from Kolla here: https://www.redhat.com/archives/linux-lvm/2016-March/msg00019.html

Changed in tripleo:
assignee:	nobody → Eric Harney (eharney)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-11-01: Fix proposed to tripleo-heat-templates (master)

Fix proposed to branch: master
Review: https://review.openstack.org/517096

Changed in tripleo:
status:	New → In Progress

Emilien Macchi (emilienm) on 2017-11-02

Changed in tripleo:
milestone:	none → queens-2
importance:	Undecided → Critical

OpenStack Infra (hudson-openstack) on 2017-11-02

Changed in tripleo:
assignee:	Eric Harney (eharney) → Emilien Macchi (emilienm)

Bogdan Dobrelya (bogdando) on 2017-11-02

tags:

added: pike-backport-potential

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-11-02: Fix proposed to tripleo-heat-templates (stable/pike)

Fix proposed to branch: stable/pike
Review: https://review.openstack.org/517209

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-11-04: Fix merged to tripleo-heat-templates (master)

Reviewed: https://review.openstack.org/517096
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=05b61472463d5dbde3f1b1285819044409a80e2e
Submitter: Zuul
Branch: master

commit 05b61472463d5dbde3f1b1285819044409a80e2e
Author: Eric Harney <email address hidden>
Date: Wed Nov 1 15:47:01 2017 -0400

Set ipc=host for services attaching encrypted volumes

    Without ipc=host set, cryptsetup/devicemapper will never
    see devices created when running "cryptsetup luksOpen",
    causing the command to hang.

This is required for attaching encrypted Cinder volumes.

Closes-Bug: #1729419
Change-Id: Ic7184b1fbbafea266f8ec1e7974d0a4a2cf4d750

Changed in tripleo:
status:	In Progress → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-11-09: Fix merged to tripleo-heat-templates (stable/pike)

Reviewed: https://review.openstack.org/517209
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=4d5686b6ad85d52c8359885bc8fc74cb525f6f76
Submitter: Zuul
Branch: stable/pike

commit 4d5686b6ad85d52c8359885bc8fc74cb525f6f76
Author: Eric Harney <email address hidden>
Date: Wed Nov 1 15:47:01 2017 -0400

Set ipc=host for services attaching encrypted volumes

    Without ipc=host set, cryptsetup/devicemapper will never
    see devices created when running "cryptsetup luksOpen",
    causing the command to hang.

This is required for attaching encrypted Cinder volumes.

    Closes-Bug: #1729419
    Change-Id: Ic7184b1fbbafea266f8ec1e7974d0a4a2cf4d750
    (cherry picked from commit 05b61472463d5dbde3f1b1285819044409a80e2e)