OpenStack Compute (nova)

Emulated Trusted Platform Module (vTPM) in nova

Bug #2050837 reported by Noel Ashford on 2024-01-22

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Compute (nova)	Incomplete	Undecided	Unassigned

Bug Description

This bug tracker is for errors with the documentation, use the following as a template and remove or add fields as you see fit. Convert [ ] into [x] to check boxes:

- [x] This doc is inaccurate in this way: There is no resource provider command + the compute nodes do not seem to register these traits (assumed)
- [ ] This is a doc addition request.
- [ ] I have a fix to the document that I can paste below including example: input and output.

If you have a troubleshooting or support issue, use the following resources:

- The mailing list: https://lists.openstack.org
- IRC: 'openstack' channel on OFTC

-----------------------------------
Release: 28.1.0.dev183 on 2021-02-22 15:44:45
SHA: e03d3dab063fa8a525beeb1cdfa4390c90530210
Source: https://opendev.org/openstack/nova/src/doc/source/admin/emulated-tpm.rst
URL: https://docs.openstack.org/nova/latest/admin/emulated-tpm.html

Tags:

Revision history for this message

Elod Illes (elod-illes) wrote on 2024-01-23:

Hi Noel, i think this is a configuration issue. If the environment plus the openstack client is configured properly, then the command should be there. example:

# openstack resource provider list
+--------------------------------------+------------+------------+--------------------------------------+----------------------+
| uuid | name | generation | root_provider_uuid | parent_provider_uuid |
+--------------------------------------+------------+------------+--------------------------------------+----------------------+
| 9c588496-57df-49e9-9f56-bdae11075fa2 | devstackvm | 2 | 9c588496-57df-49e9-9f56-bdae11075fa2 | None |
+--------------------------------------+------------+------------+--------------------------------------+----------------------+

Can you please elaborate what is the exact issue?

Changed in nova:
status:	New → Incomplete

Revision history for this message

Noel Ashford (nashford77) wrote on 2024-01-24:

Revision history for this message

Noel Ashford (nashford77) wrote on 2024-01-24:

Sorry, i hit enter too quickly.... I also tried via CURL API calls, same - I use Kolla Ansible.

(kolla-2023.1) root@cube-server:~# openstack resource provider list
openstack: 'resource provider list' is not an openstack command. See 'openstack --help'.
Did you mean one of these?
  service create
  service delete
  service list
  service provider create
  service provider delete
  service provider list
  service provider set
  service provider show
  service set
  service show

Revision history for this message

Noel Ashford (nashford77) wrote on 2024-01-24:

I was assuming this was deprecated in 2023.1 ? https://docs.openstack.org/python-openstackclient/latest/ shows 6.4 to be current. How are you seeing the above ? are yo on an older build ?

Revision history for this message

Noel Ashford (nashford77) wrote on 2024-01-24:

Download full text (3.5 KiB)

https://bugzilla.redhat.com/show_bug.cgi?id=1876798 Ah ... Is there a plugin ?! :)

Installing collected packages: osc-placement
Successfully installed osc-placement-4.2.0
(kolla-2023.1) root@cube-server:~#

It isn't listed on the requirements for kolla-ansible & vTPM ;0

(kolla-2023.1) root@cube-server:~# openstack resource provider list
+--------------------------------------+----------------------+------------+--------------------------------------+----------------------+
| uuid | name | generation | root_provider_uuid | parent_provider_uuid |
+--------------------------------------+----------------------+------------+--------------------------------------+----------------------+
| 11c10425-d19d-482d-a4bc-e1892e07d575 | tunninet-server-noel | 47 | 11c10425-d19d-482d-a4bc-e1892e07d575 | None |
+--------------------------------------+----------------------+------------+--------------------------------------+----------------------+
(kolla-2023.1) root@cube-server:~# openstack resource provider trait list 11c10425-d19d-482d-a4bc-e1892e07d575 | grep SECURITY_TPM
| COMPUTE_SECURITY_TPM_2_0 |
| COMPUTE_SECURITY_TPM_1_2 |

However when i try to use this now.... IT does not seem to boot ...

(kolla-2023.1) root@cube-server:~# openstack flavor set ee9b48f9-fb55-49c8-b13d-48d232e8ea21 --property hw:tpm_version=2.0 --property hw:tpm_model=tpm-crb

I then try to create a VM with this trait and no go....

Error: Failed to perform requested operation on instance "Test", the instance has an error status: Please try again later [Error: Exceeded maximum number of retries. Exhausted all hosts available for retrying build failures for instance 7647a767-897b-4075-9552-71073ed62456.].

"libvirt.libvirtError: internal error: Could not run '/usr/bin/swtpm_setup'. exitstatus: 1; Check error log '/var/log/swtpm/libvirt/qemu/instance-0000001e-swtpm.log'

The TPM's state will be encrypted using a key derived from a passphrase (fd).
Starting vTPM manufacturing as tss:tss @ Tue 23 Jan 2024 09:03:51 PM EST
Successfully created RSA 2048 EK with handle 0x81010001.
Invoking /usr/lib/x86_64-linux-gnu/swtpm/swtpm-localca --type ek --ek b4d31dd5c8150e76b03764c69d989f880a9aca35ed9662cda61c3c7226042d3446857b603da0241c11194fd72280e7b405313d843f30c27d269523560ed5ce2d9e350243568321e98b337f8ad19f814549d0297b4855fb644ce43f140539a2f51c86ff1effb574233cd6f29bf2ce0fb6185aaa52af71424cc48f3937bb7e2dc06dd713c8d72598aec85799c93f49ce14faed14cdd121824d1c626230cf5e94a31a1057b66d180d2772dd729bde7fd40b7bfefa07dd6f67e7474ad93dda3000f21c5147e38807c5e814806606d9db6754e6aafe04a0c32ebfec2dd8090824d066c90ebd579907d457c3f1327d46276df7c942100a34c6e7efd6ba96d25af2294b --dir /var/lib/libvirt/swtpm/7647a767-897b-4075-9552-71073ed62456/tpm2 --logfile /var/log/swtpm/libvirt/qemu/instance-0000001e-swtpm.log --vmid instance-0000001e:7647a767-897b-4075-9552-71073ed62456 --tpm-spec-family 2.0 --tpm-spec-level 0 --tpm-spec-revision 164 --tpm-manufacturer id:00001014 --tpm-model swtpm --tpm-version id:20191023 --tpm2 --configfile /etc/swtpm-localca.conf --optsfile /etc/swtpm-localca.optio...

https://bugzilla.redhat.com/show_bug.cgi?id=1876798 Ah ... Is there a plugin ?!  :)

Installing collected packages: osc-placement
Successfully installed osc-placement-4.2.0
(kolla-2023.1) root@cube-server:~#

It isn't listed on the requirements for kolla-ansible & vTPM ;0

(kolla-2023.1) root@cube-server:~# openstack resource provider list
+--------------------------------------+----------------------+------------+--------------------------------------+----------------------+
| uuid                                 | name                 | generation | root_provider_uuid                   | parent_provider_uuid |
+--------------------------------------+----------------------+------------+--------------------------------------+----------------------+
| 11c10425-d19d-482d-a4bc-e1892e07d575 | tunninet-server-noel |         47 | 11c10425-d19d-482d-a4bc-e1892e07d575 | None                 |
+--------------------------------------+----------------------+------------+--------------------------------------+----------------------+
(kolla-2023.1) root@cube-server:~# openstack resource provider trait list 11c10425-d19d-482d-a4bc-e1892e07d575 | grep SECURITY_TPM
| COMPUTE_SECURITY_TPM_2_0              |
| COMPUTE_SECURITY_TPM_1_2              |

However when i try to use this now.... IT does not seem to boot ...

(kolla-2023.1) root@cube-server:~# openstack flavor set ee9b48f9-fb55-49c8-b13d-48d232e8ea21 --property hw:tpm_version=2.0 --property hw:tpm_model=tpm-crb

I then try to create a VM with this trait and no go....

"libvirt.libvirtError: internal error: Could not run '/usr/bin/swtpm_setup'. exitstatus: 1; Check error log '/var/log/swtpm/libvirt/qemu/instance-0000001e-swtpm.log'

The TPM's state will be encrypted using a key derived from a passphrase (fd).
Starting vTPM manufacturing as tss:tss @ Tue 23 Jan 2024 09:03:51 PM EST
Successfully created RSA 2048 EK with handle 0x81010001.
  Invoking /usr/lib/x86_64-linux-gnu/swtpm/swtpm-localca --type ek --ek b4d31dd5c8150e76b03764c69d989f880a9aca35ed9662cda61c3c7226042d3446857b603da0241c11194fd72280e7b405313d843f30c27d269523560ed5ce2d9e350243568321e98b337f8ad19f814549d0297b4855fb644ce43f140539a2f51c86ff1effb574233cd6f29bf2ce0fb6185aaa52af71424cc48f3937bb7e2dc06dd713c8d72598aec85799c93f49ce14faed14cdd121824d1c626230cf5e94a31a1057b66d180d2772dd729bde7fd40b7bfefa07dd6f67e7474ad93dda3000f21c5147e38807c5e814806606d9db6754e6aafe04a0c32ebfec2dd8090824d066c90ebd579907d457c3f1327d46276df7c942100a34c6e7efd6ba96d25af2294b --dir /var/lib/libvirt/swtpm/7647a767-897b-4075-9552-71073ed62456/tpm2 --logfile /var/log/swtpm/libvirt/qemu/instance-0000001e-swtpm.log --vmid instance-0000001e:7647a767-897b-4075-9552-71073ed62456 --tpm-spec-family 2.0 --tpm-spec-level 0 --tpm-spec-revision 164 --tpm-manufacturer id:00001014 --tpm-model swtpm --tpm-version id:20191023 --tpm2 --configfile /etc/swtpm-localca.conf --optsfile /etc/swtpm-localca.options
Need read/write rights on statedir /var/lib/swtpm-localca for user tss.
swtpm-localca exit with status 1:
An error occurred. Authoring the TPM state failed.
Ending vTPM manufacturing @ Tue 23 Jan 2024 09:03:51 PM EST

Think I foudn the issue.... Kolla Ansible has a bad image, i will need to rebuild libvirt's image it looks like (i run containerized)

will advise once it is fixed (if so)

Revision history for this message

Noel Ashford (nashford77) wrote on 2024-01-24:

OK, after chowning to TSS:TSS on the dir above, success.... another bug in the kolla images. How do I do an MR and where to correct their images on Quay? I want to get this added to master to help others using kolla ansible with this issue

Revision history for this message

Noel Ashford (nashford77) wrote on 2024-01-24:

it had swtpm as the owner out of the box btw with their images... and root group vs tss:tss

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

redhat-bugs #1876798 Edit

Bug watches keep track of this bug in other bug trackers.