Cinder

cinder wrote unencrypted data to encrypted volumes when creating from an image

Bug #1482464 reported by Lisa Li on 2015-08-07

This bug affects 3 people

	Status	Importance	Assigned to
Cinder	Fix Released	High	Lisa Li
Kilo	Fix Released	Undecided	Lisa Li
Liberty	Fix Released	Undecided	Unassigned
os-brick	Fix Released	Undecided	Lisa Li

Bug Description

Currently when cinder creates a encrypted volume from an image, it just reads the original data, and then writes it to the volume.
No encryption here.
As a result, when Nova boots from the volume, it thinks the data is encrypted and then accesses the data through encryption driver.
As a result, it fails to boot.

The work is decided to two parts:
1. Prevent creating encryption volumes through cinder create --image-id
Later,
2. Add the function to read encrypted data from image, encrypted it and then write to encrypted volume.

Tags:

Related branches

lp:~ubuntu-server-dev/cinder/liberty

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-08-07: Fix proposed to cinder (master)

Fix proposed to branch: master
Review: https://review.openstack.org/210219

Changed in cinder:
status:	New → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-08-14: Fix merged to cinder (master)

Reviewed: https://review.openstack.org/210219
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=19d5610f93850dd27cf3847135289eb243c64bd8
Submitter: Jenkins
Branch: master

commit 19d5610f93850dd27cf3847135289eb243c64bd8
Author: lisali <email address hidden>
Date: Fri Aug 7 14:35:27 2015 +0800

Prevent creating encrypted volume with image

    When creating an encrypted volume with a unencrypted image,
    cinder just copies the unencrypted data to the volume,
    which keeps unencrypted data in the volume.
    But when booting/attaching the volume to Nova, it thinks
    encrypted data on the volume. As a result, Nova reads
    the data incorrectly.

    The fix is to prevent such action. Later, we can
    implement to write encrypted data in encrypted volumes
    when creating from unencrypted image.

Change-Id: I0af8318222cee023451c38812bf83cdb4086faae
Closes-bug: #1482464

Changed in cinder:
status:	In Progress → Fix Committed

Jay Bryant (jsbryant) on 2015-08-19

Changed in cinder:
importance:	Undecided → High

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-08-26: Fix proposed to cinder (stable/kilo)

Fix proposed to branch: stable/kilo
Review: https://review.openstack.org/217365

Thierry Carrez (ttx) on 2015-09-03

Changed in cinder:
milestone:	none → liberty-3
status:	Fix Committed → Fix Released

Revision history for this message

Lisa Li (lisali) wrote on 2015-09-06:

The patch https://review.openstack.org/#/c/210219/ is just a workaround, and the patch https://review.openstack.org/#/c/216567/ is a right fix.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-09-14: Fix merged to cinder (stable/kilo)

Reviewed: https://review.openstack.org/217365
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=d836a8f6b0da95b09dc58d4d34e5ab0d5a357ceb
Submitter: Jenkins
Branch: stable/kilo

commit d836a8f6b0da95b09dc58d4d34e5ab0d5a357ceb
Author: lisali <email address hidden>
Date: Fri Aug 7 14:35:27 2015 +0800

Prevent creating encrypted volume with image

    The fix is to prevent such action. Later, we can
    implement to write encrypted data in encrypted volumes
    when creating from unencrypted image.

    The test case file had conflicts due to tests moving from
    cinder/tests to cinder/tests/unit. I have resolved the
    issues for this cherry pick.

Conflicts: cinder/tests/test_create_volume_flow.py

    (cherry picked from commit: 19d5610f93850dd27c)
    Change-Id: I0af8318222cee023451c38812bf83cdb4086faae
    Closes-bug: #1482464

tags:

added: in-stable-kilo

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-09-24: Change abandoned on cinder (master)

Change abandoned by LisaLi (<email address hidden>) on branch: master
Review: https://review.openstack.org/217557
Reason: Upload by mistake.

Thierry Carrez (ttx) on 2015-10-15

Changed in cinder:
milestone:	liberty-3 → 7.0.0

Revision history for this message

Lisa Li (lisali) wrote on 2015-11-19:

This is fix for Mitaka.

Revision history for this message

Lisa Li (lisali) wrote on 2015-11-19:

#10

Copy nova/volume/encryptors to os-brick.

Changed in os-brick:
assignee:	nobody → Lisa Li (lisali)
status:	New → Confirmed

Lisa Li (lisali) on 2015-11-19

Changed in cinder:
milestone:	7.0.0 → ongoing
status:	Fix Released → Confirmed

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-11-19: Related fix proposed to os-brick (master)

#11

Related fix proposed to branch: master
Review: https://review.openstack.org/247372

OpenStack Infra (hudson-openstack) on 2015-11-19

Changed in cinder:
status:	Confirmed → In Progress

Revision history for this message

Eric Harney (eharney) wrote on 2015-11-19:

#12

This bug should remained marked as released for Liberty / 7.0.0. Please use a different bug if you need to track further changes.

Changed in cinder:
milestone:	ongoing → none
status:	In Progress → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-11-24: Change abandoned on cinder (master)

#13

Change abandoned by LisaLi (<email address hidden>) on branch: master
Review: https://review.openstack.org/217557

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-12-22:

#14

Change abandoned by Sean McGinnis (<email address hidden>) on branch: master
Review: https://review.openstack.org/216567
Reason: This review is > 4 weeks without comment, and failed Jenkins the last time it was checked. We are abandoning this for now. Feel free to reactivate the review by pressing the restore button and leaving a 'recheck' comment to get fresh test results.

Revision history for this message

Lisa Li (lisali) wrote on 2016-04-18:

#15

The problem exists when creating volumes from source volume, snapshot.

Changed in cinder:
status:	Fix Released → Triaged

OpenStack Infra (hudson-openstack) on 2016-05-13

Changed in cinder:
status:	Triaged → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-06-08: Related fix merged to os-brick (master)

#16

Reviewed: https://review.openstack.org/247372
Committed: https://git.openstack.org/cgit/openstack/os-brick/commit/?id=05827810ca931dafafd19fa4e95143fbede1a3dc
Submitter: Jenkins
Branch: master

commit 05827810ca931dafafd19fa4e95143fbede1a3dc
Author: LisaLi <email address hidden>
Date: Thu Nov 19 08:55:36 2015 +0000

Copy encryptors from Nova to os-brick

    Currently, when creating an encrypted volume from an image, Cinder
    writes raw data to the encrypted volume. When Cinder uploads an
    encrypted volume to an image, it writes encrypted data to the image.
    As a result, Nova cannot use these images or volumes.
    To fix above problem, cinder needs to add encryptor attach/detach
    layers.
    As both Nova and Cinder needs to use the module, the fix is to
    move it to os-brick.
    It copies encryptors from Nova to os-brick, and keep all interfaces
    unchanged except initialization.

    Change-Id: I8044183ad02110c8b2468e20327d822c0437c772
    Implements: blueprint improve-encrypted-volume
    Related-bug: #1482464
    Related-bug: #1465656

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-08-30: Fix merged to cinder (master)

#17

Reviewed: https://review.openstack.org/216567
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=70b05dbe7ff9c33f981f2cca5687c228c2411894
Submitter: Jenkins
Branch: master

commit 70b05dbe7ff9c33f981f2cca5687c228c2411894
Author: lisali <email address hidden>
Date: Fri May 13 03:02:41 2016 +0000

Create encrypted volumes from images

    Currently, when creating an encrypted volume from an image, Cinder
    writes raw data to the encrypted volume.
    As a result, Nova can't use these volumes.

    This patch is to implement following function:
    When creating an encrypted volume from an image, it encrypts the
    data and writes to the volume.

This patch adds a new interface copy_image_to_encrypted_volume in
driver's API, vendor company can implement it by itself.

    Change-Id: I213459193550198c570615e381797db5e08e2cce
    Implements: blueprint improve-encrypted-volume
    Closes-bug: #1482464
    Closes-bug: #1465656

Changed in cinder:
status:	In Progress → Fix Released

Revision history for this message

Thierry Carrez (ttx) wrote on 2016-09-02: Fix included in openstack/cinder 9.0.0.0b3

#18

This issue was fixed in the openstack/cinder 9.0.0.0b3 development milestone.

Revision history for this message

Sean McGinnis (sean-mcginnis) wrote on 2016-10-12:

#19

I believe the work for os-brick was complete with the inclusion of the encryptors. LisaLi, if there is more work that needs to be done in os-brick, please reopen.

Changed in os-brick:
status:	Confirmed → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

Duplicates of this bug

Bug #1465656

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.