OpenStack Compute (nova)

Use auth_username when probing encrypted rbd volumes while extending them

Bug #1913575 reported by Lee Yarwood
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Compute (nova)
Fix Released
Medium
Lee Yarwood
Ussuri
Fix Released
Undecided
Lee Yarwood
Victoria
Fix Released
Undecided
Lee Yarwood

Bug Description

Description
===========

I0c3f14100a18107f7e416293f3d4fcc641ce5e55 introduced new logic around resizing encrypted LUKSv1 volumes that probed the volume using qemu-img to determine the LUKSv1 header size and to take this into account during the resize. The use of qemu-img however assumes access to the admin rbd keyring as a username isn't provided. This isn't always available in all environment so the options `id:$username` need to be appended on the rbd URI provided to qemu-img.

Steps to reproduce
==================

Attempt to resize an encrypted LUKSv1 volume on a compute without access to the admin keyring.

Expected result
===============

The URI provided to qemu-img includes the username (and thus local keyring) to use.

Actual result
=============

qemu-img fails as it can't find the default admin keyring.

Environment
===========
1. Exact version of OpenStack you are running. See the following
  list for all releases: http://docs.openstack.org/releases/

  master

2. Which hypervisor did you use?
   (For example: Libvirt + KVM, Libvirt + XEN, Hyper-V, PowerKVM, ...)
   What's the version of that?

   libvirt + KVM

2. Which storage type did you use?
   (For example: Ceph, LVM, GPFS, ...)
   What's the version of that?

   c-vol ceph

3. Which networking type did you use?
   (For example: nova-network, Neutron with OpenVSwitch, ...)

   N/A

Logs & Configs
==============

3e004ad2953a4aa7a2f9022be3ffc7cd - default default] [instance: 8d640d15-30dd-4e72-a9ba-d9f7cf11b1ec] Unknown error when attempting to find the payload_offset for LUKSv1 encrypted disk rbd:volumes/volume-d721825d-038a-42f6-8127-aaec171e5c39.: nova.exception.InvalidDiskInfo: Disk info file is invalid: qemu-img failed to execute on rbd:volumes/volume-d721825d-038a-42f6-8127-aaec171e5c39 : Unexpected error while running command.
Command: /usr/libexec/platform-python -m oslo_concurrency.prlimit --as=1073741824 --cpu=30 -- env LC_ALL=C LANG=C qemu-img info rbd:volumes/volume-d721825d-038a-42f6-8127-aaec171e5c39 --output=json --force-share
Exit code: 1
Stdout: ''
Stdout: ''
Stderr: "qemu-img: Could not open 'rbd:volumes/volume-d721825d-038a-42f6-8127-aaec171e5c39': error connecting: Permission denied\n"

Tags: ceph volumes
Revision history for this message
Lee Yarwood (lyarwood) wrote :

https://review.opendev.org/c/openstack/nova/+/772869

Revision history for this message
Lee Yarwood (lyarwood) wrote :

https://bugzilla.redhat.com/show_bug.cgi?id=1921623 downstream bug for this.

Revision history for this message
Balazs Gibizer (balazs-gibizer) wrote :

The patch has been merged to master and backports has been proposed to stable/victoria and stable ussuri
https://review.opendev.org/q/Ia6d6dcdd7042f2aef6b3abeb5cd0f7525678a3b7

Changed in nova:
status: New → Fix Released
importance: Undecided → Medium
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/nova 23.0.0.0rc1

This issue was fixed in the openstack/nova 23.0.0.0rc1 release candidate.

Revision history for this message
melanie witt (melwitt) wrote :

https://review.opendev.org/c/openstack/nova/+/773443 has merged to stable/victoria

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/nova 21.2.1

This issue was fixed in the openstack/nova 21.2.1 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/nova 22.2.1

This issue was fixed in the openstack/nova 22.2.1 release.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.