swap volume not blocked between an unencrypted and encrypted volume while using QEMU to natively decrypt

Bug #1749418 reported by Lee Yarwood
Affects                   Status         Importance  Assigned to  Milestone
OpenStack Compute (nova)  Fix Released   Medium      Lee Yarwood
Queens                    Fix Committed  Medium      Lee Yarwood

Bug Description

Description
===========
The original check [1] introduced in Queens only handles cases where we are swapping from an encrypted LUKS volume and does not handle swapping from an unencrypted volume into an encrypted LUKS volume. This still needs to be blocked pending additional QEMU/libvirt wiring to allow data to be rebased into an encrypted LUKS disk while using QEMU to natively read and write to the disk.

[1] https://review.openstack.org/#/c/523958/18/nova/virt/libvirt/driver.py@1487

Steps to reproduce
==================
Swap from an unencrypted volume to a LUKS encrypted volume in >=Queens with the native QEMU decryption requirements met (QEMU >=2.6 and Libvirt >=2.2.0).

Expected result
===============
This is blocked by n-cpu with a NotImplementedError raised.

Actual result
=============
This is allowed but ultimately fails due to Libvirt being unable to rebase into the encrypted disk.

Lee Yarwood (lyarwood)
summary: - swap volume not blocked between an decrypted and encrypted volume while
- using QEMU to natively decrypt
+ swap volume not blocked between an unencrypted and encrypted volume
+ while using QEMU to natively decrypt
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/544238

Changed in nova:
assignee: nobody → Lee Yarwood (lyarwood)
status: New → In Progress
Lee Yarwood (lyarwood)
description: updated
Matt Riedemann (mriedem)
Changed in nova:
importance: Undecided → Medium
tags: added: libvirt volumes
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.openstack.org/544238
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=7ceccee056cb8f50cb5efebd5156cfc56d8e4af7
Submitter: Zuul
Branch: master

commit 7ceccee056cb8f50cb5efebd5156cfc56d8e4af7
Author: Lee Yarwood <email address hidden>
Date: Wed Feb 14 10:19:24 2018 +0000

    libvirt: Block swapping to an encrypted volume when using QEMU to decrypt

    The original check in Ibfa64f18bbd2fb70db7791330ed1a64fe61c1355 only
    blocked swap volume _from_ an encrypted LUKS volume while using native
    QEMU decryption. This change expands that check to also block swap
    volume when swapping _to_ an encrypted LUKS volume while using native
    QEMU decryption, regardless of the original volume being encrypted.

    Change-Id: I258127fdcd011ccec721d5ff62eb7f128f130336
    Closes-bug: #1749418

Changed in nova:
status: In Progress → Fix Released
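
The widened check described in the commit message above, sketched as an added example that is not nova's code and not part of the bug report. The `Volume` class and all function names are hypothetical; the version floors are the ones given in the report, and the example assumes any swap the check does not block is allowed to proceed.

```python
# Added illustration, not nova's code; every name below is hypothetical.
from dataclasses import dataclass
from typing import Optional

# Version floors for native QEMU LUKS decryption, as given in the report.
MIN_QEMU = (2, 6, 0)
MIN_LIBVIRT = (2, 2, 0)


@dataclass(frozen=True)
class Volume:
    name: str
    encryption_provider: Optional[str] = None  # "luks", or None if unencrypted


def parse_version(text):
    """Turn '2.6' or '2.2.0' into a comparable 3-tuple, zero padded."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))[:3]


def native_luks_available(qemu, libvirt):
    return parse_version(qemu) >= MIN_QEMU and parse_version(libvirt) >= MIN_LIBVIRT


def is_luks(vol):
    return vol.encryption_provider == "luks"


def original_check_blocks(old, new, native):
    """Before the fix: only the volume being swapped from is examined."""
    return native and is_luks(old)


def fixed_check_blocks(old, new, native):
    """After the fix: a LUKS volume on either side blocks the swap."""
    return native and (is_luks(old) or is_luks(new))


def swap_volume(old, new, qemu, libvirt, check=fixed_check_blocks):
    """Refuse up front instead of failing later in the libvirt rebase."""
    if check(old, new, native_luks_available(qemu, libvirt)):
        raise NotImplementedError(
            f"swap {old.name} -> {new.name}: LUKS volume with native QEMU decryption")
    # Assumption: any other combination is allowed to proceed.
    return f"swapped {old.name} -> {new.name}"
```

Passing `check=original_check_blocks` to `swap_volume` reproduces the reported gap: an unencrypted-to-LUKS swap is let through to the rebase step.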
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (stable/queens)

Fix proposed to branch: stable/queens
Review: https://review.openstack.org/559987

OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (stable/queens)

Reviewed: https://review.openstack.org/559987
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=546236e34516ee061146cebd426a67ea17be2a72
Submitter: Zuul
Branch: stable/queens

commit 546236e34516ee061146cebd426a67ea17be2a72
Author: Takashi NATSUME <email address hidden>
Date: Mon Apr 2 18:39:41 2018 +0900

    libvirt: Block swapping to an encrypted volume when using QEMU to decrypt

    The original check in Ibfa64f18bbd2fb70db7791330ed1a64fe61c1355 only
    blocked swap volume _from_ an encrypted LUKS volume while using native
    QEMU decryption. This change expands that check to also block swap
    volume when swapping _to_ an encrypted LUKS volume while using native
    QEMU decryption, regardless of the original volume being encrypted.

    NOTE(lyarwood): The trivial typo fix Ia1e34df5a7e88c252924c25736ffb6bcaea42bfe
    is also squashed into this backport to avoid a conflict.

    Change-Id: I258127fdcd011ccec721d5ff62eb7f128f130336
    Closes-bug: #1749418
    (cherry picked from commit 7ceccee056cb8f50cb5efebd5156cfc56d8e4af7)

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/nova 18.0.0.0b1

This issue was fixed in the openstack/nova 18.0.0.0b1 development milestone.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/nova 17.0.3

This issue was fixed in the openstack/nova 17.0.3 release.
