[SRU] nova rbd auth fallback uses cinder user with libvirt secret
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack Compute (nova) | Fix Released | Medium | Corey Bryant | |
Ocata | Fix Released | Medium | Unassigned | |
Pike | Fix Released | Medium | Unassigned | |
Queens | Fix Released | Medium | Corey Bryant | |
Rocky | Fix Released | Medium | Corey Bryant | |
Ubuntu Cloud Archive | Fix Released | High | Unassigned | |
Ocata | Fix Released | High | Unassigned | |
Pike | Fix Released | High | Unassigned | |
Queens | Fix Released | High | Unassigned | |
Rocky | Fix Released | High | Unassigned | |
Stein | Fix Released | High | Unassigned | |
nova (Ubuntu) | Fix Released | High | Corey Bryant | |
Bionic | Fix Released | High | Unassigned | |
Cosmic | Fix Released | High | Unassigned | |
Disco | Fix Released | High | Corey Bryant | |
Bug Description
[Impact]
From David Ames (thedac), originally posted to https:/
Updating this bug. We may decide to move this elsewhere at some point.
We have a deployment that was upgraded through to pike at which point it was noticed that nova instances with ceph backed volumes would not start.
The cinder key was manually added to the nova-compute nodes in /etc/ceph and with:
sudo virsh secret-define --file /tmp/cinder.secret
However, this did not resolve the problem. It appeared libvirt was trying to use a mixed pair of usernames and keys. It was using the cinder username but the nova-compute key.
Looking at nova's code it falls back to nova.conf when it does not have a secret_uuid from cinder but it was not setting the username correctly.
https:/
The following seems to mitigate this as a temporary fix on nova-compute until we can come up with a complete plan:
https:/
diff --git a/nova/
index cec43ce93b.
--- a/nova/
+++ b/nova/
@@ -71,6 +71,7 @@ class LibvirtNetVolum
else:
+ conf.auth_username = CONF.libvirt.
# secret_type is always hard-coded to 'ceph' in cinder
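Review bot: the new assignment in the else branch runs unconditionally, so if the CONF.libvirt option it reads is unset in nova.conf it replaces the username already on conf with an empty value, and the disk is left with no usable user instead of a mismatched one. Guard it with a check that the option is set, ideally the same condition that decides whether the nova.conf secret UUID is used, so that the username and the secret always come from the same source. A short comment saying that this branch handles connections without a cinder secret_uuid, plus a unit test covering the fallback, would help keep the pairing from regressing.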
Apply to /usr/lib/
We still need a migration plan to get from the topology with nova-compute directly related to ceph to the topology with cinder-ceph related to nova-compute using ceph-access which would populate cinder's secret_uuid.
It is possible we will need to carry the patch for existing instances. It may be worth getting that upstream as master has the same problem.
[Test Case]
Upgrade a juju-deployed cloud with ceph backend for nova and cinder from pre-ocata to ocata or above. Ensure that nova instances with ceph backed volumes successfully start.
[Regression Potential]
The fix is minimal and will not be fixed in Ubuntu until it has been approved upstream.
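An added check, not part of the original report or of nova's code: it scans libvirt domain XML for RBD disks whose auth username does not match the Ceph client that owns the referenced libvirt secret, which is the mixed username/key pair described above. The `SECRET_OWNER` map, the function name and the sample XML are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed map (assumption, operator-maintained): libvirt secret UUID ->
# Ceph client whose key was loaded into that secret.
SECRET_OWNER = {
    "11111111-1111-1111-1111-111111111111": "nova-compute",
    "22222222-2222-2222-2222-222222222222": "cinder",
}

# Constructed domain XML, shaped like `virsh dumpxml` output for RBD disks.
SAMPLE_DOMAIN_XML = """
<domain type='kvm'>
  <devices>
    <disk type='network' device='disk'>
      <auth username='cinder'>
        <secret type='ceph' uuid='11111111-1111-1111-1111-111111111111'/>
      </auth>
      <source protocol='rbd' name='volumes/volume-a'/>
    </disk>
    <disk type='network' device='disk'>
      <source protocol='rbd' name='volumes/volume-b'>
        <auth username='cinder'>
          <secret type='ceph' uuid='22222222-2222-2222-2222-222222222222'/>
        </auth>
      </source>
    </disk>
  </devices>
</domain>
"""


def find_mismatched_rbd_auth(domain_xml, secret_owner):
    """Return (rbd image, username, secret uuid, key owner) per bad disk."""
    findings = []
    root = ET.fromstring(domain_xml)
    for disk in root.iterfind("./devices/disk[@type='network']"):
        source = disk.find("source")
        if source is None or source.get("protocol") != "rbd":
            continue
        # <auth> may sit directly under <disk> or, in newer libvirt, <source>.
        auth = disk.find(".//auth")
        secret = auth.find("secret") if auth is not None else None
        if secret is None:
            continue  # no cephx auth on this disk, nothing to compare
        user, uuid = auth.get("username"), secret.get("uuid")
        owner = secret_owner.get(uuid)  # None: secret not in the map
        if owner != user:
            findings.append((source.get("name"), user, uuid, owner))
    return findings
```

Calling `find_mismatched_rbd_auth(SAMPLE_DOMAIN_XML, SECRET_OWNER)` reports only `volumes/volume-a`, the disk that pairs the cinder username with the nova-compute secret.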
Changed in nova (Ubuntu): | |
status: | New → Triaged |
importance: | Undecided → Critical |
assignee: | nobody → Corey Bryant (corey.bryant) |
Changed in nova (Ubuntu Disco): | |
importance: | Critical → High |
Changed in nova (Ubuntu Cosmic): | |
importance: | Undecided → High |
status: | New → Triaged |
Changed in nova (Ubuntu Bionic): | |
status: | New → Triaged |
importance: | Undecided → High |
summary: |
- nova rbd auth fallback attempts to use cinder auth_username with libvirt secret_uuid
+ nova rbd auth fallback attempts to use cinder user with libvirt secret |
summary: |
- nova rbd auth fallback attempts to use cinder user with libvirt secret
+ [SRU] nova rbd auth fallback attempts to use cinder user with libvirt secret |
summary: |
- [SRU] nova rbd auth fallback attempts to use cinder user with libvirt secret
+ [SRU] nova rbd auth fallback uses cinder user with libvirt secret |
description: | updated |
tags: | added: ceph libvirt volumes |
Changed in nova: | |
importance: | Undecided → Medium |
Changed in nova: | |
assignee: | Corey Bryant (corey.bryant) → Matt Riedemann (mriedem) |
Changed in nova: | |
assignee: | Matt Riedemann (mriedem) → Corey Bryant (corey.bryant) |
tags: | added: canonical-bootstack |
Fix proposed to branch: master
Review: https://review.openstack.org/626897