cinder wrote unencrypted data to encrypted volumes when creating from an image

Bug #1482464 reported by Lisa Li
16
This bug affects 3 people
Affects Status Importance Assigned to Milestone
Cinder
High
Lisa Li
Kilo
Undecided
Lisa Li
Liberty
Undecided
Unassigned
os-brick
Undecided
Lisa Li

Bug Description

Currently when cinder creates a encrypted volume from an image, it just reads the original data, and then writes it to the volume.
No encryption here.
As a result, when Nova boots from the volume, it thinks the data is encrypted and then accesses the data through encryption driver.
As a result, it fails to boot.

The work is decided to two parts:
1. Prevent creating encryption volumes through cinder create --image-id
Later,
2. Add the function to read encrypted data from image, encrypted it and then write to encrypted volume.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to cinder (master)

Fix proposed to branch: master
Review: https://review.openstack.org/210219

Changed in cinder:
status: New → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to cinder (master)

Reviewed: https://review.openstack.org/210219
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=19d5610f93850dd27cf3847135289eb243c64bd8
Submitter: Jenkins
Branch: master

commit 19d5610f93850dd27cf3847135289eb243c64bd8
Author: lisali <email address hidden>
Date: Fri Aug 7 14:35:27 2015 +0800

    Prevent creating encrypted volume with image

    When creating an encrypted volume with a unencrypted image,
    cinder just copies the unencrypted data to the volume,
    which keeps unencrypted data in the volume.
    But when booting/attaching the volume to Nova, it thinks
    encrypted data on the volume. As a result, Nova reads
    the data incorrectly.

    The fix is to prevent such action. Later, we can
    implement to write encrypted data in encrypted volumes
    when creating from unencrypted image.

    Change-Id: I0af8318222cee023451c38812bf83cdb4086faae
    Closes-bug: #1482464

Changed in cinder:
status: In Progress → Fix Committed
Jay Bryant (jsbryant)
Changed in cinder:
importance: Undecided → High
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to cinder (stable/kilo)

Fix proposed to branch: stable/kilo
Review: https://review.openstack.org/217365

Thierry Carrez (ttx)
Changed in cinder:
milestone: none → liberty-3
status: Fix Committed → Fix Released
Revision history for this message
Lisa Li (lisali) wrote :

The patch https://review.openstack.org/#/c/210219/ is just a workaround, and the patch https://review.openstack.org/#/c/216567/ is a right fix.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to cinder (stable/kilo)

Reviewed: https://review.openstack.org/217365
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=d836a8f6b0da95b09dc58d4d34e5ab0d5a357ceb
Submitter: Jenkins
Branch: stable/kilo

commit d836a8f6b0da95b09dc58d4d34e5ab0d5a357ceb
Author: lisali <email address hidden>
Date: Fri Aug 7 14:35:27 2015 +0800

    Prevent creating encrypted volume with image

    When creating an encrypted volume with a unencrypted image,
    cinder just copies the unencrypted data to the volume,
    which keeps unencrypted data in the volume.
    But when booting/attaching the volume to Nova, it thinks
    encrypted data on the volume. As a result, Nova reads
    the data incorrectly.

    The fix is to prevent such action. Later, we can
    implement to write encrypted data in encrypted volumes
    when creating from unencrypted image.

    The test case file had conflicts due to tests moving from
    cinder/tests to cinder/tests/unit. I have resolved the
    issues for this cherry pick.

    Conflicts: cinder/tests/test_create_volume_flow.py

    (cherry picked from commit: 19d5610f93850dd27c)
    Change-Id: I0af8318222cee023451c38812bf83cdb4086faae
    Closes-bug: #1482464

tags: added: in-stable-kilo
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on cinder (master)

Change abandoned by LisaLi (<email address hidden>) on branch: master
Review: https://review.openstack.org/217557
Reason: Upload by mistake.

Thierry Carrez (ttx)
Changed in cinder:
milestone: liberty-3 → 7.0.0
Revision history for this message
Lisa Li (lisali) wrote :

This is fix for Mitaka.

Revision history for this message
Lisa Li (lisali) wrote :

Copy nova/volume/encryptors to os-brick.

Changed in os-brick:
assignee: nobody → Lisa Li (lisali)
status: New → Confirmed
Lisa Li (lisali)
Changed in cinder:
milestone: 7.0.0 → ongoing
status: Fix Released → Confirmed
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to os-brick (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/247372

Changed in cinder:
status: Confirmed → In Progress
Revision history for this message
Eric Harney (eharney) wrote :

This bug should remained marked as released for Liberty / 7.0.0. Please use a different bug if you need to track further changes.

Changed in cinder:
milestone: ongoing → none
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on cinder (master)

Change abandoned by LisaLi (<email address hidden>) on branch: master
Review: https://review.openstack.org/217557

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Change abandoned by Sean McGinnis (<email address hidden>) on branch: master
Review: https://review.openstack.org/216567
Reason: This review is > 4 weeks without comment, and failed Jenkins the last time it was checked. We are abandoning this for now. Feel free to reactivate the review by pressing the restore button and leaving a 'recheck' comment to get fresh test results.

Revision history for this message
Lisa Li (lisali) wrote :

The problem exists when creating volumes from source volume, snapshot.

Changed in cinder:
status: Fix Released → Triaged
Changed in cinder:
status: Triaged → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to os-brick (master)

Reviewed: https://review.openstack.org/247372
Committed: https://git.openstack.org/cgit/openstack/os-brick/commit/?id=05827810ca931dafafd19fa4e95143fbede1a3dc
Submitter: Jenkins
Branch: master

commit 05827810ca931dafafd19fa4e95143fbede1a3dc
Author: LisaLi <email address hidden>
Date: Thu Nov 19 08:55:36 2015 +0000

    Copy encryptors from Nova to os-brick

    Currently, when creating an encrypted volume from an image, Cinder
    writes raw data to the encrypted volume. When Cinder uploads an
    encrypted volume to an image, it writes encrypted data to the image.
    As a result, Nova cannot use these images or volumes.
    To fix above problem, cinder needs to add encryptor attach/detach
    layers.
    As both Nova and Cinder needs to use the module, the fix is to
    move it to os-brick.
    It copies encryptors from Nova to os-brick, and keep all interfaces
    unchanged except initialization.

    Change-Id: I8044183ad02110c8b2468e20327d822c0437c772
    Implements: blueprint improve-encrypted-volume
    Related-bug: #1482464
    Related-bug: #1465656

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to cinder (master)

Reviewed: https://review.openstack.org/216567
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=70b05dbe7ff9c33f981f2cca5687c228c2411894
Submitter: Jenkins
Branch: master

commit 70b05dbe7ff9c33f981f2cca5687c228c2411894
Author: lisali <email address hidden>
Date: Fri May 13 03:02:41 2016 +0000

    Create encrypted volumes from images

    Currently, when creating an encrypted volume from an image, Cinder
    writes raw data to the encrypted volume.
    As a result, Nova can't use these volumes.

    This patch is to implement following function:
    When creating an encrypted volume from an image, it encrypts the
    data and writes to the volume.

    This patch adds a new interface copy_image_to_encrypted_volume in
    driver's API, vendor company can implement it by itself.

    Change-Id: I213459193550198c570615e381797db5e08e2cce
    Implements: blueprint improve-encrypted-volume
    Closes-bug: #1482464
    Closes-bug: #1465656

Changed in cinder:
status: In Progress → Fix Released
Revision history for this message
Thierry Carrez (ttx) wrote : Fix included in openstack/cinder 9.0.0.0b3

This issue was fixed in the openstack/cinder 9.0.0.0b3 development milestone.

Revision history for this message
Sean McGinnis (sean-mcginnis) wrote :

I believe the work for os-brick was complete with the inclusion of the encryptors. LisaLi, if there is more work that needs to be done in os-brick, please reopen.

Changed in os-brick:
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers