Attempting to start or hard reboot a user's instance as an admin with encrypted volumes leaves the instance unbootable when [workarounds]disable_native_luksv1 is enabled
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Compute (nova) | Fix Released | Medium | Lee Yarwood |
Wallaby | Fix Released | Undecided | Unassigned |
Bug Description
Description
===========
$subject. By default, admins do not have access to user-created Barbican secrets. As a result, admins cannot hard reboot or stop/start instances, as this deletes local libvirt secrets, refetches secrets from Barbican and recreates the local secrets.
However this initial attempt by an admin will destroy the local secrets *before* failing to access anything in Barbican.
As a result any request by the owner of the instance to hard reboot or stop/start the instance can fail as the _detach_encryptor logic fails to find any local secret and assumes that native LUKSv1 encryption isn't being used. This causes the os-brick encryptors to be loaded that can fail if the underlying volume type isn't supported, such as rbd.
Steps to reproduce
==================
1. As a non-admin user create an instance with encrypted rbd volumes attached
2. Attempt to hard reboot or stop/start the instance as an admin
3. Attempt to hard reboot or stop/start the instance as the owner
Expected result
===============
The request by the admin to hard reboot or stop/start the instance fails.
The request by the owner to hard reboot or stop/start the instance fails due to os_brick.
Actual result
=============
The request by the admin to hard reboot or stop/start the instance fails.
The request by the owner to hard reboot or stop/start the instance succeeds.
Environment
===========
1. Exact version of OpenStack you are running. See the following
list for all releases: http://
master
2. Which hypervisor did you use?
(For example: Libvirt + KVM, Libvirt + XEN, Hyper-V, PowerKVM, ...)
What's the version of that?
libvirt
2. Which storage type did you use?
(For example: Ceph, LVM, GPFS, ...)
What's the version of that?
N/A
3. Which networking type did you use?
(For example: nova-network, Neutron with OpenVSwitch, ...)
N/A
Logs & Configs
==============
https:/
2021-02-23 17:07:50.453 7 ERROR oslo_messaging.
description: | updated |
summary: |
Attempting to start or hard reboot a users instance as an admin with - encrypted volumes leaves the instance unbootable + encrypted volumes leaves the instance unbootable when + [workarounds]disable_native_luksv1 is enabled |
Changed in nova: | |
status: | In Progress → Fix Released |
Fix is proposed on master https://review.opendev.org/c/openstack/nova/+/778463
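
The ordering problem from the bug description, as a simplified model: destroying the host-local secret before the key manager has authorised the caller lets one denied request break later authorised ones. This is an added example, not nova's code and not the proposed fix; `KeyManager`, `refresh_delete_first`, `refresh_fetch_first`, `detach_encryptor` and `simulate` are hypothetical names, and the secret values are constructed.

```python
class Forbidden(Exception):
    """The key manager refused to release the passphrase."""

class UnsupportedVolume(Exception):
    """The fallback encryptor cannot handle this volume type."""

class KeyManager:
    """Stand-in for Barbican: only a secret's owner may read it."""
    def __init__(self, secrets):
        self._secrets = secrets  # volume_id -> (owner, passphrase)

    def get(self, requester, volume_id):
        owner, passphrase = self._secrets[volume_id]
        if requester != owner:
            raise Forbidden(f"{requester} cannot read the secret for {volume_id}")
        return passphrase

def refresh_delete_first(host, km, requester, vol):
    # Ordering from the report: the host-local secret is destroyed
    # before the key manager is asked for the passphrase.
    host.pop(vol, None)
    host[vol] = km.get(requester, vol)

def refresh_fetch_first(host, km, requester, vol):
    # Defensive ordering: a denied fetch raises before any state changes.
    passphrase = km.get(requester, vol)
    host[vol] = passphrase

def detach_encryptor(host, vol, volume_type):
    # Decision described in the report: a missing local secret is read as
    # "native LUKSv1 not in use", so the fallback encryptor is loaded.
    if vol in host:
        return "native"
    if volume_type == "rbd":
        raise UnsupportedVolume(volume_type)
    return "fallback"

def simulate(refresh, volume_type="rbd"):
    """Admin attempt, then owner attempt; returns (admin_ok, owner_ok)."""
    km = KeyManager({"vol-1": ("owner", "constructed-passphrase")})
    host = {"vol-1": "constructed-passphrase"}  # constructed sample state
    results = []
    for requester in ("admin", "owner"):
        try:
            detach_encryptor(host, "vol-1", volume_type)
            refresh(host, km, requester, "vol-1")
            results.append(True)
        except (Forbidden, UnsupportedVolume):
            results.append(False)
    return tuple(results)
```

With the delete-first ordering the admin's denied request removes the local secret, so the owner's next request takes the fallback path and fails on rbd; with the fetch-first ordering the denied request leaves the host state untouched.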