Upload encrypted volume to image

Bug #1485449 reported by Lisa Li
Affects | Status | Importance | Assigned to | Milestone
Cinder | Fix Released | Undecided | Eric Harney |

Bug Description

Run 'cinder upload-image' to upload an encrypted volume to images.
Currently, it just copies the encrypted data to images, and doesn't copy the encryption metadata to Glance.
This is incorrect.
In the Liberty release, as the feature freeze is coming soon, this bug is used to prevent the incorrect data from being generated.
Future implementation will be in bp https://blueprints.launchpad.net/cinder/+spec/encrypt-volume-with-image

Lisa Li (lisali) wrote :
Changed in cinder:
milestone: liberty-3 → ongoing
Changed in cinder:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Change abandoned on cinder (master)

Change abandoned by LisaLi (<email address hidden>) on branch: master
Review: https://review.openstack.org/213616
Reason: Abandon the change at this moment; I submitted the real fix patch: https://review.openstack.org/#/c/216567/

OpenStack Infra (hudson-openstack) wrote :

Change abandoned by LisaLi (<email address hidden>) on branch: master
Review: https://review.openstack.org/217557
Reason: Uploaded by mistake.

OpenStack Infra (hudson-openstack) wrote :

Change abandoned by Sean McGinnis (<email address hidden>) on branch: master
Review: https://review.openstack.org/213616
Reason: This review is > 4 weeks without comment, and failed Jenkins the last time it was checked. We are abandoning this for now. Feel free to reactivate the review by pressing the restore button and leaving a 'recheck' comment to get fresh test results.

Sean McGinnis (sean-mcginnis) wrote :

Is this still an issue?

Lisa Li (lisali) wrote :

This is still an issue.

In the Newton release, we resolved the problem of creating an encrypted volume from an unencrypted image.

This bug is related to the scenario of uploading an encrypted volume to an image.

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to cinder (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/453342

OpenStack Infra (hudson-openstack) wrote :

Related fix proposed to branch: master
Review: https://review.openstack.org/453343

Changed in cinder:
assignee: Lisa Li (lisali) → Eric Harney (eharney)
Eric Harney (eharney)
Changed in cinder:
milestone: ongoing → pike-2
OpenStack Infra (hudson-openstack) wrote : Related fix merged to cinder (master)

Reviewed: https://review.openstack.org/453342
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=d96e078f3719f86bbf40703ab5d68add5a743a35
Submitter: Jenkins
Branch: master

commit d96e078f3719f86bbf40703ab5d68add5a743a35
Author: Eric Harney <email address hidden>
Date: Tue Apr 4 15:27:43 2017 -0400

    Glance: attach volume encryption key id to image

    This is required to be able to handle encrypted volumes
    that have been uploaded to Glance.

    Clone the volume's encryption key, and store the new encryption
    key id in the image metadata in a property called
    "cinder_encryption_key_id". This allows the key to be retrieved
    when creating a new volume from this image.

    Related-Bug: #1485449
    Related bp: improve-encrypted-volume

    Change-Id: Ia1771817e6a06cc51c5357536915a2c5f9f6248e

OpenStack Infra (hudson-openstack) wrote : Fix merged to cinder (master)

Reviewed: https://review.openstack.org/453343
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=5c052440c44bc25e642a29c9e581664f457f3779
Submitter: Jenkins
Branch: master

commit 5c052440c44bc25e642a29c9e581664f457f3779
Author: Eric Harney <email address hidden>
Date: Tue Apr 4 16:36:03 2017 -0400

    Create volumes from encrypted images

    Volume encryption keys specified in Glance image
    metadata are copied to new keys for volumes cloned
    from that image.

    If the image key and volume key match (i.e. when using
    the conf key manager), the data is copied directly from
    the image to the volume.

    When creating a new volume in a Barbican environment, we
    will generate a new encryption key which is identical to
    the original key.

    If creating an unencrypted volume, the encrypted image data
    is copied into the volume. This is not directly usable
    without the encryption key, but may be useful for data transfer
    purposes.

    Closes-Bug: #1485449
    Related bp: improve-encrypted-volume

    Change-Id: I1f4ea35cd05f4c43a5ae07d8a541ff6495d5f8e9
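
The key handling described in the two commit messages above, modelled as an added example (not Cinder's code, and not part of the original thread). ToyKeyManager, the function names and the dict layout are assumptions made for illustration; only the "cinder_encryption_key_id" property name comes from the page.

```python
import secrets


class ToyKeyManager:
    """In-memory stand-in for a key manager (hypothetical, not Barbican's API)."""
    def __init__(self):
        self._keys = {}

    def store(self, material):
        key_id = secrets.token_hex(8)
        self._keys[key_id] = material
        return key_id

    def clone(self, key_id):
        return self.store(self._keys[key_id])  # new id, same key material

    def get(self, key_id):
        return self._keys[key_id]

    def delete(self, key_id):
        del self._keys[key_id]


def upload_volume_to_image(km, volume):
    """Copy the volume bytes and record a cloned key id in the image metadata."""
    image = {"data": volume["data"], "properties": {}}
    key_id = volume.get("encryption_key_id")
    if key_id:
        image["properties"]["cinder_encryption_key_id"] = km.clone(key_id)
    return image


def create_volume_from_image(km, image, encrypted=True):
    """Copy image bytes; an encrypted volume gets its own clone of the image key."""
    image_key = image["properties"].get("cinder_encryption_key_id")
    volume = {"data": image["data"], "encryption_key_id": None}
    if encrypted and image_key:
        volume["encryption_key_id"] = km.clone(image_key)
    return volume  # unencrypted target: ciphertext only, no key attached


def demo():
    km = ToyKeyManager()
    material = secrets.token_bytes(32)  # constructed sample key
    src = {"data": b"<ciphertext>", "encryption_key_id": km.store(material)}
    image = upload_volume_to_image(km, src)
    km.delete(src["encryption_key_id"])  # source volume's key is removed later
    return (material, image, create_volume_from_image(km, image),
            create_volume_from_image(km, image, encrypted=False), km)
```

Because each copy holds its own key id, deleting the source volume's key leaves the image and any volume created from it decryptable.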

Changed in cinder:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/cinder 11.0.0.0b2

This issue was fixed in the openstack/cinder 11.0.0.0b2 development milestone.
